upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tiny

upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae

show more ...

upstream: make ssh_free(NULL) a no-op

OpenBSD-Commit-ID: 42cb285d94789cefe6608db89c63040ab0a80fa0

upstream: use the new variant log macros instead of prepending

__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8

upstream: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
o

upstream: support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15

show more ...

upstream: free kex in ssh_packet_close; ok djm semarie

OpenBSD-Commit-ID: dbc181e90d3d32fd97b10d75e68e374270e070a2

upstream: Refactor signing - use sshkey_sign for everything,

including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign()

upstream: Refactor signing - use sshkey_sign for everything,

including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c

show more ...

upstream: Plug mem leaks on error paths, based in part on github

pr#120 from David Carlier. ok djm@.

OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e

upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@

OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2

upstream: lots of things were relying on libcrypto headers to

transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080

show more ...

upstream: rename kex->kem_client_pub -> kex->client_pub now that

KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8

upstream: rename kex->kem_client_pub -> kex->client_pub now that

KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8

show more ...

upstream: use KEM API for vanilla ECDH

from markus@ ok djm@

OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c

upstream: use KEM API for vanilla DH KEX

from markus@ ok djm@

OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9

upstream: use KEM API for vanilla c25519 KEX

OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f

upstream: Add support for a PQC KEX/KEM:

sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss.

upstream: Add support for a PQC KEX/KEM:

sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7

show more ...

upstream: remove last references to active_state

with & ok markus@

OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be mor

upstream: move client/server SSH-* banners to buffers under

ssh->kex and factor out the banner exchange. This eliminates some common code
from the client and server.

Also be more strict about handling \r characters - these should only
be accepted immediately before \n (pointed out by Jann Horn).

Inspired by a patch from Markus Schmidt.
(lots of) feedback and ok markus@

OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b

show more ...

refactor libcrypto initialisation

Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
supports it.

Move all libcrypto initialisation to a single function, and call t

refactor libcrypto initialisation

Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
supports it.

Move all libcrypto initialisation to a single function, and call that
from seed_rng() that is called early in each tool's main().

Prompted by patch from Rosen Penev

show more ...

Include openssl compatibility.

Patch from rosenp at gmail.com via openssh-unix-dev.

upstream commit

remove compat20/compat13/compat15 variables

ok markus@

Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c

upstream commit

move SSH_MSG_NONE, so we don't have to include ssh1.h;
ok deraadt@

Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e

upstream commit

add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K

upstream commit

add support for additional fixed DH groups from
draft-ietf-curdle-ssh-kex-sha2-03

diffie-hellman-group14-sha256 (2K group)
diffie-hellman-group16-sha512 (4K group)
diffie-hellman-group18-sha512 (8K group)

based on patch from Mark D. Baushke and Darren Tucker
ok markus@

Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f

show more ...

upstream commit

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@

upstream commit

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
(user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309

show more ...

Repair for non-ECC OpenSSL.

Ifdef out the ECC parts when building with an OpenSSL that doesn't have
it.

repair --without-openssl; broken in refactor

upstream commit

Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostke

upstream commit

Revise hostkeys@openssh.com hostkey learning extension.

The client will not ask the server to prove ownership of the private
halves of any hitherto-unseen hostkeys it offers to the client.

Allow UpdateHostKeys option to take an 'ask' argument to let the
user manually review keys offered.

ok markus@

show more ...