Add support for aes256-gcm@openssh.com and aes128-gcm@openssh.com
ciphers, which are the OpenSSH implementations of AES-GCM cryptography.
It is similar to RFC5647 but has changes to the MAC protocol
negotiation. These are implemented for recent versions of OpenSSL only.
The ciphers work differently than most previous ones in two big areas:
the cipher includes its own integrated MAC, and the packet length field
in the SSH frame is left unencrypted. The code changes necessary are
gated by flags in the LIBSSH2_CRYPT_METHOD configuration structure.
These differences mean that both the first and last parts of a block
require special handling during encryption. The first part is where the
packet length field is, which must be kept out of the encryption path
but in the authenticated part (as AAD). The last part is where the
Authentication Tag is found, which is calculated and appended during
encryption or removed and validated on decryption. As encryption/
decryption is performed on each packet in a loop, one block at a time,
flags indicating when the first and last blocks are being processed are
passed down to the encryption layers.
The strict block-by-block encryption that occurs with other protocols is
inappropriate for AES-GCM, since the packet length shifts the first
encrypted byte 4 bytes into the block. Additionally, the final part of
the block must contain the AES-GCM's Authentication Tag, so it must be
presented to the lower encryption layer whole. These requirements mean
added code to consolidate blocks as they are passed down.
When AES-GCM is negotiated as the cipher, its built-in MAC is
automatically used as the SSH MAC so further MAC negotiation is not
necessary. The SSH negotiation is skipped when _libssh2_mac_override()
indicates that such a cipher is in use. The virtual MAC configuration
block mac_method_hmac_aesgcm is then used as the MAC placeholder.
This work was sponsored by Anders Borum.
Integration-patches-by: Viktor Szakats
* fix checksrc errors
* fix openssl.c warning
* fix transport.c warnings
* switch to `LIBSSH2_MIN/MAX()` from `MIN()`/`MAX()`
* fix indent
* fix libgcrypt unused warning
* fix mbedtls unused warning
* fix wincng unused warning
* fix old openssl unused variable warnings
* delete blank lines
* updates to help merging with the ETM patch
- fix indentation errors.
- reformat `cmake/FindmbedTLS.cmake`
- replace a macro with a variable in `example/sftp_RW_nonblock.c`.
- delete macOS macro `_DARWIN_USE_64_BIT_INODE` from the
OS/400 config header, `os400/libssh2_config.h`.
- fix other minor nits.
Closes#983
* os400: support QADRT development files in a non-standard directory
This enables the possibility to compile libssh2 even if the ascii
runtime development files are not installed system-wide.
* userauth_kbd_packet: fix a pointer target type mismatch.
A temporary variable matching the parameter type is used before copying
to the real target and checking for overflow (that should not occur!).
* os400qc3: move and fix big number procedures
A bug added by a previous code style cleaning is fixed.
_libssh2_random() now checks and return the success status.
* os400qc3: fix cipher definition block lengths
They were wrongly set to the key size.
* Diffie-Hellman min/max modulus sizes are dependent of crypto-backend
In particular, os400qc3 limits the maximum group size to 2048-bits.
Move definitions of these parameters to crypto backend header files.
* kex: return an error if Diffie-Hellman key pair generation fails
* os400: add an ascii assert.h header file
* os400qc3: implement RSA SHA2 256/512
Implement picky warnings with clang in autotools. Extend picky gcc
warnings, sync them between build tools and compilers and greatly
speed up detection in CMake.
- autotools: enable clang compiler warnings with `--enable-debug`.
- autotools: enable more gcc compiler warnings with `--enable-debug`.
- autotools/cmake: sync compiler warning options between gcc and clang.
- sync compiler warning options between autotools and cmake.
- cmake: reduce option-checks to speed up the detection phase.
Bring them down to 3 (from 35). Leaving some checks to keep the
CMake logic alive and for an easy way to add new options.
clang 3.0 (2011-11-29) and gcc 2.95 (1999-07-31) now required.
- autotools logic copied from curl, with these differences:
- delete `-Wimplicit-fallthrough=4` due to a false positive.
- reduce `-Wformat-truncation=2` to `1` due to a false positive.
- simplify MinGW detection for `-Wno-pedantic-ms-format`.
- cmake: show enabled picky compiler options (like autotools).
- cmake: do compile `tests/simple.c` and `tests/ssh2.c`.
- fix new compiler warnings.
- `tests/CMakeLists.txt`: fix indentation.
Original source of autotools logic:
- a8fbdb461c/acinclude.m4
- a8fbdb461c/m4/curl-compilers.m4
Notice that the autotools implementation considers Apple clang as
legacy clang 3.7. CMake detection works more accurately, at the same
time more error-prone and difficult to update due to the sparsely
documented nature of Apple clang option evolution.
Closes#952
Update from:
5fec927374/scripts/checksrc.pl
- suppress these new checks:
- EQUALSNULL: 320 warnings
- NOTEQUALSZERO: 142 warnings
- TYPEDEFSTRUCT: 16 warnings
We can enabled them in the future.
- fix all other new ones.
- also fix whitespace in two `NMakefile` files.
libssh2 supports an "old" style KEX message
`SSH2_MSG_KEX_DH_GEX_REQUEST_OLD`, as an off-by-default build option.
OpenSSH deprecated/disabled this feature in v6.9 (2015-07-01):
https://www.openssh.com/releasenotes.html#6.9
This patch deletes this obsolete feature from libssh2, with no option
to enable it.
Added to libssh2 in: cf8ca63ea0 (2004-12-31)
RFC: https://datatracker.ietf.org/doc/html/rfc4419 (2006-03)
Apply type changes to avoid casts and warnings. In most cases this
means changing to a larger type, usually `size_t` or `ssize_t`.
Change signedness in a few places.
Also introduce new variables to avoid reusing them for multiple
purposes, to avoid casts and warnings.
- add FIXME for public `libssh2_sftp_readdir_ex()` return type.
- fix `_libssh2_mbedtls_rsa_sha2_verify()` to verify if `sig_len`
is large enough.
- fix `_libssh2_dh_key_pair()` in `wincng.c` to return error if
`group_order` input is negative.
Maybe we should also reject zero?
- bump `_libssh2_random()` size type `int` -> `size_t`. Add checks
for WinCNG and OpenSSL to return error if requested more than they
support (`ULONG_MAX`, `INT_MAX` respectively).
- change `_libssh2_ntohu32()` return value `unsigned int` -> `uint32_t`.
- fix `_libssh2_mbedtls_bignum_random()` to check for a negative `top`
input.
- size down `_libssh2_wincng_key_sha_verify()` `hashlen` to match
Windows'.
- fix `session_disconnect()` to limit length of `lang_len`
(to 256 bytes).
- fix bad syntax in an `assert()`.
- add a few `const` to casts.
- `while(1)` -> `for(;;)`.
- add casts that didn't fit into #876.
- update `docs/HACKING-CRYPTO` with new sizes.
May need review for OS400QC3: /cc @monnerat @jonrumsey
See warning details in the PR's individual commits.
Cherry-picked from #846Closes#879
Most of the changes aim to silence warnings by adding casts.
An assortment of other issues, mainly compiler warnings, resolved:
- unreachable code fixed by using `goto` in
`publickey_response_success()` in `publickey.c`.
- potentially uninitialized variable in `sftp_open()`.
- MSVS-specific bogus warnings with `nid_type` in `kex.c`.
- check result of `kex_session_ecdh_curve_type()`.
- add missing function declarations.
- type changes to fit values without casts:
- `cmd_len` in `scp_recv()` and `scp_send()`: `int` -> `size_t`
- `Blowfish_expandstate()`, `Blowfish_expand0state()` loop counters:
`uint16_t` -> `int`
- `RECV_SEND_ALL()`: `int` -> `ssize_t`
- `shell_quotearg()` -> `unsigned` -> `size_t`
- `sig_len` in `_libssh2_mbedtls_rsa_sha2_sign()`:
`unsigned` -> `size_t`
- `prefs_len` in `libssh2_session_method_pref()`: `int` -> `size_t`
- `firstsec` in `_libssh2_debug_low()`: `int` -> `long`
- `method_len` in `libssh2_session_method_pref()`: `int` -> `size_t`
- simplify `_libssh2_ntohu64()`.
- fix `LIBSSH2_INT64_T_FORMAT` for MinGW.
- fix gcc warning by not using a bit field for
`burn_optimistic_kexinit`.
- fix unused variable warning in `_libssh2_cipher_crypt()` in
`libgcrypt.c`.
- fix unused variables with `HAVE_DISABLED_NONBLOCKING`.
- avoid const stripping with `BIO_new_mem_buf()` and OpenSSL 1.0.2 and
newer.
- add a missing const in `wincng.h`.
- FIXME added for public:
- `libssh2_channel_window_read_ex()` `read_avail` argument type.
- `libssh2_base64_decode()` `datalen` argument type.
- fix possible overflow in `sftp_read()`.
Ref: 4552c73cd5
- formatting in `wincng.h`.
See warning details in the PR's individual commits.
Cherry-picked from #846Closes#876
Before this patch, with debug logging disabled, libssh2 code used a
variadic macro to catch `_libssh2_debug()` calls, and convert them to
no-ops. In certain conditions, it used an empty inline function instead.
Variadic macro is a C99 feature. It means that depending on compiler,
and build settings, it littered the build log with warnings about this.
The new solution uses the trick of passing the variable arg list as a
single argument and pass that down to the debug function with a regular
macro. When disabled, another regular C89-compatible macro converts it
to a no-op.
This makes inlining, C99 variadic macros and maintaining the conditions
for each unnecessary and also makes the codebase compile more
consistently, e.g. with forced C standards and/or picky warnings.
TL;DR: It makes this feature C89-compliant.
- in `hostkey.c` check the result of `libssh2_sha256_init()` and
`libssh2_sha512_init()` calls. This avoid the warning that we're
ignoring the return values.
- fix code using `int` (or `SOCKET`) for sockets. Use libssh2's
dedicated `libssh2_socket_t` and `LIBSSH2_INVALID_SOCKET` instead.
- fix compiler warnings due to `STATUS_*` macro redefinitions between
`ntstatus.h` / `winnt.h`. Solve it by manually defining the single
`STATUS` value we need from `ntstatus.h` and stop including the whole
header.
Fixes#733
- improve Windows UWP/WinRT builds by detecting it with code copied
from the curl project. Then excluding problematic libssh2 parts
according to PR by Dmitry Kostjučenko.
Fixes#734
- always use `SecureZeroMemory()` on Windows.
We can tweak this if not found or not inlined by a C compiler which
we otherwise support. Same if it causes issues with UWP apps.
Ref: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa366877(v=vs.85)
Ref: https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlsecurezeromemory
- always enable `LIBSSH2_CLEAR_MEMORY` on Windows. CMake and
curl-for-win builds already did that. Delete `SecureZeroMemory()`
detection from autotools' WinCNG backend logic, that this
setting used to depend on.
TODO: Enable it for all platforms in a separate PR.
TODO: For clearing buffers in WinCNG, call `_libssh2_explicit_zero()`,
insead of a local function or explicit `SecureZeroMemory()`.
- Makefile.inc: move `os400qc3.h` to `HEADERS`. This fixes
compilation on non-unixy platforms. Recent regression.
- `libssh2.rc`: replace copyright with plain ASCII, as in curl.
Ref: curl/curl@1ca62bb
Ref: curl/curl#7765
Ref: curl/curl#7776
- CMake fixes and improvements:
- enable warnings with llvm/clang.
- enable more comprehensive warnings with gcc and llvm/clang.
Logic copied from curl:
233810bb5f/CMakeLists.txt (L131-L148)
- fix `Policy CMP0080` CMake warning by deleting that reference.
- add `ENABLE_WERROR` (default: `OFF`) option. Ported from curl.
- add `PICKY_COMPILER` (default: `ON`) option, as known from curl.
It controls both the newly added picky warnings for llvm/clang and
gcc, and also the pre-existing ones for MSVC.
- `win32/GNUmakefile` fixes and improvements:
- delete `_AMD64_` and add missing `-m64` for x64 builds under test.
- add support for `ARCH=custom`.
It disables hardcoded Intel 64-bit and Intel 32-bit options,
allowing ARM64 builds.
- add support for `LIBSSH2_RCFLAG_EXTRAS`.
To pass custom options to windres, e.g. in ARM64 builds.
- add support for `LIBSSH2_RC`. To override `windres`.
- delete support for Metrowerks C. Last released in 2004.
- `win32/libssh2_config.h`: delete unnecessary socket #includes
`src/libssh2_priv.h` includes `winsock2.h` and `ws2tcpip.h` further
down the line, triggered by `HAVE_WINSOCK2_H`.
`mswsock.h` does not seem to be necessary anymore.
Double-including these (before `windows.h`) caused compiler failures
when building against BoringSSL and warnings with LibreSSL. We could
work this around by passing `-DNOCRYPT`. Deleting the duplicates
fixes these issues.
Timeline:
2013: c910cd382d deleted `mswsock.h` from `src/libssh2_priv.h`
2008: 8c43bc52b1 added `winsock2.h` and `ws2tcpip.h` to `src/libssh2_priv.h`
2005: dc4bb1af96 added the now deleted #includes
- delete or replace `LIBSSH2_WIN32` with `WIN32`.
- replace hand-rolled `HAVE_WINDOWS_H` macro with `WIN32`. Also delete
its detections/definitions.
- delete unused `LIBSSH2_DARWIN` macro.
- delete unused `writev()` Windows implementation
There is no reference to `writev()` since 2007-02-02, commit
9d55db6501.
- fix a bunch of MSVC / llvm/clang / gcc compiler warnings:
- `warning C4100: '...': unreferenced formal parameter`
- using value of undefined PP macro `LIBSSH2DEBUG`
- missing void from function definition
- `if()` block missing in non-debug builds
- unreferenced variable in non-debug builds
- `warning: must specify at least one argument for '...' parameter of variadic macro [-Wgnu-zero-variadic-macro-arguments]`
in `_libssh2_debug()`
- `warning C4295: 'ciphertext' : array is too small to include a terminating null character`
- `warning C4706: assignment within conditional expression`
- `warning C4996: 'inet_addr': Use inet_pton() or InetPton() instead or
define _WINSOCK_DEPRECATED_NO_WARNINGS to disable deprecated API warnings`
By suppressning it. Would be best to use inet_pton() as suggested.
On Windows this needs Vista though.
- `warning C4152: nonstandard extension, function/data pointer conversion in expression`
(silenced locally)
- `warning C4068: unknown pragma`
Ref: https://ci.appveyor.com/project/libssh2org/libssh2/builds/46354480/job/j7d0m34qgq8rag5wCloses#808
Notes:
* Host Key RSA 256/512 support #536
* Client side key hash upgrading for RFC 8332
* Support for server-sig-algs, ext-info-c server messages
* Customizing preferred server-sig-algs via the preference LIBSSH2_METHOD_SIGN_ALGO
Credit: Anders Borum, Will Cosgrove
Fix these categories of warning:
- in `wincng.c` disagreement in signed/unsigned char when passing around
the passphrase string:
`warning: pointer targets in passing argument [...] differ in signedness [-Wpointer-sign]`
Fixed by using `const unsigned char *` in all static functions and
applying/updating casts as necessary.
- in each use of `libssh2_*_init()` macros where the result is not used:
`warning: value computed is not used [-Wunused-value]`
Fixed by using `(void)` casts.
- `channel.c:1171:7: warning: 'rc' may be used uninitialized in this function [-Wmaybe-uninitialized]`
Fixed by initializing this variable with `LIBSSH2_ERROR_CHANNEL_UNKNOWN`.
While there I replaced a few 0 literals with `LIBSSH2_ERROR_NONE`.
- in `sftp.c`, several of these two warnings:
`warning: 'data' may be used uninitialized in this function [-Wmaybe-uninitialized]`
`warning: 'data_len' may be used uninitialized in this function [-Wmaybe-uninitialized]`
Fixed by initializing these variables with NULL and 0 respectively.
- Also removed the exec attribute from `wincng.h`.
Notes:
- There are many pre-existing checksrc issues.
- The `sftp.c` and `channel.c` warnings may apply to other platforms as well.
Closes#628
Notes:
* Make _libssh2_random return code consistent
Previously, _libssh2_random was advertized in HACKING.CRYPTO as
returning `void` (and was implemented that way in os400qc3.c), but that
was in other crypto backends a lie; _libssh2_random is (a macro
expanding) to an int-value expression or function.
Moreover, that returned code was:
— 0 or success, -1 on error for the MbedTLS & WinCNG crypto backends
But also:
— 1 on success, -1 or 0 on error for the OpenSSL backend!
– 1 on success, error cannot happen for libgcrypt!
This commit makes explicit that _libssh2_random can fail (because most of
the underlying crypto functions can indeed fail!), and it makes its result
code consistent: 0 on success, -1 on error.
This is related to issue #519https://github.com/libssh2/libssh2/issues/519
It fixes the first half of it.
* Don't silent errors of _libssh2_random
Make sure to check the returned code of _libssh2_random(), and
propagates any failure.
A new LIBSSH_ERROR_RANDGEN constant is added to libssh2.h
None of the existing error constants seemed fit.
This commit is related to d74285b684
and to https://github.com/libssh2/libssh2/issues/519 (see the issue
for more info.) It closes#519.
Credit:
Paul Capron
* kex.c: kex_agree_instr() improve string reading
file: kex.c
notes: if haystack isn't null terminated we should use memchr() not strchar(). We should also make sure we don't walk off the end of the buffer.
credit:
Will Cosgrove, reviewed by Michael Buckley
File: kex.c
Notes:
Moved the macro LIBSSH2_KEX_METHOD_EC_SHA_HASH_CREATE_VERIFY outside of the LIBSSH2_ECDSA since it's also now used by the ED25519 code.
Sha 256, 384 and 512 need to be defined for all backends now even if they aren't used directly. I believe this is already the case, but just a heads up.
Credit:
Stefan-Ghinea
Files: kex.c
Notes:
Added key exchange group16-sha512 and group18-sha512. As a result did the following:
Abstracted diffie_hellman_sha256() to diffie_hellman_sha_algo() which is now algorithm agnostic and takes the algorithm as a parameter since we needed sha512 support. Unfortunately it required some helper functions but they are simple.
Deleted diffie_hellman_sha1()
Deleted diffie_hellman_sha1 specific macro
Cleaned up some formatting
Defined sha384 in os400 and wincng backends
Defined LIBSSH2_DH_MAX_MODULUS_BITS to abort the connection if we receive too large of p from the server doing sha1 key exchange.
Reorder the default key exchange list to match OpenSSH and improve security
Credit:
Will Cosgrove
File: openssl.c, openssl.h, crypto.h, kex.c
Notes:
This cleans up a few things in the curve25519 implementation:
- There is no need to create X509_PUBKEYs or PKCS8_PRIV_KEY_INFOs to
extract key material. EVP_PKEY_get_raw_private_key and
EVP_PKEY_get_raw_public_key work fine.
- libssh2_x25519_ctx was never used (and occasionally mis-typedefed to
libssh2_ed25519_ctx). Remove it. The _libssh2_curve25519_new and
_libssh2_curve25519_gen_k interfaces use the bytes. Note, if it needs
to be added back, there is no need to roundtrip through
EVP_PKEY_new_raw_private_key. EVP_PKEY_keygen already generated an
EVP_PKEY.
- Add some missing error checks.
Credit:
David Benjamin
Files : kex.c, misc.c, misc.h
Notes :
Fixed possible out of bounds memory access when reading malformed data in diffie_hellman_sha1() and diffie_hellman_sha256().
Added _libssh2_copy_string() to misc.c to return an allocated and filled char buffer from a string_buf offset. Removed no longer needed s var in kmdhgGPshakex_state_t.
Files : misc.c, hostkey.c, kex.c, misc.h, openssl.c, sftp.c
Notes :
* updated _libssh2_get_bignum_bytes and _libssh2_get_string. Now pass in length as an argument instead of returning it to keep signedness correct. Now returns -1 for failure, 0 for success.
_libssh2_check_length now returns 0 on success and -1 on failure to match the other string_buf functions. Added comment to _libssh2_check_length.
Credit : Will Cosgrove
OpenSSH Key and ED25519 support #39
Added _libssh2_explicit_zero() to explicitly zero sensitive data in memory #120
* ED25519 Key file support - Requires OpenSSL 1.1.1 or later
* OpenSSH Key format reading support - Supports RSA/DSA/ECDSA/ED25519 types
* New string buffer reading functions - These add build-in bounds checking and convenance methods. Used for OpenSSL PEM file reading.
* Added new tests for OpenSSH formatted Keys
Use checksrc.pl from the curl project, with (for now)
suppressed long line warnings and indentation set to
4 spaces. Fixes are whitespace for the most part.
Warning count went down from 2704 to 12.
Also fix codespell typos, two non-ANSI C89 comments
and a stray tab in include/libssh2.h.
Ref: https://github.com/libssh2/libssh2/pull/235
This commit lands full ECDSA key support when using the OpenSSL
backend. Which includes:
New KEX methods:
ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
Can now read OpenSSL formatted ECDSA key files.
Now supports known host keys of type ecdsa-sha2-nistp256.
New curve types:
NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1
Default host key preferred ordering is now nistp256, nistp384,
nistp521, rsa, dss.
Ref: https://github.com/libssh2/libssh2/issues/41
Closes https://github.com/libssh2/libssh2/pull/206
Fixes a segfault using ssh-agent on Windows
This commit fixes a segfault seen dereferencing a null pointer on
Windows when using ssh-agent. The problem ended up being that errors
weren't being communicated all the way through, causing null pointers to
be used when functions should have bailed out sooner.
The `_libssh2_dh_key_pair` function for WinCNG was modified to propagate
errors, and then the two callsites in kex.c of
`diffie_hellman_sha{1,256}` were updated to recognize this error and
bail out.
Fixes#162Closes#163
Not all backends feature the low level API needed to compute a Diffie-Hellman
secret, but some of them directly implement Diffie-Hellman support with opaque
private data. The later approach is now generalized and backends are
responsible for all Diffie Hellman computations.
As a side effect, procedures/macros _libssh2_bn_rand and _libssh2_bn_mod_exp
are no longer needed outside the backends.
* os400: minimum supported OS version is now V6R1.
Do not log compiler informational messages.
* Implement crypto backend specific Diffie-Hellman computation.
This feature is now needed on os400 because the QC3 library does not
implement bn_mod_exp() natively. Up to now, this function was emulated using
an RSA encryption, but commits ca5222ea81 and
7934c9ce2a (CVE-2016-0787) broke the emulation
because QC3 only supports RSA exponents up to 512 bits.
Happily, QC3 supports a native API for Diffie-Hellman computation, with
opaque random value: this commit implements the use of this API and, as a
side effect, enables support of this feature for any other crypto backend that
would use it.
A "generic" Diffie-Hellman computation internal API supports crypto backends
not implementing their own: this generic API uses the same functions as before.
* Fix typos in docs/HACKING.CRYPTO.
