author | Damien Miller <djm@mindrot.org> | 2011-08-06 06:17:30 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-08-06 06:17:30 +1000 |
commit | 20bd4535c01f4a47f535d6e4dc84420a6c5425a5 (patch) | |
tree | 286fecc890f7799e26b68c08d9f2436b448bbc55 | |
parent | adb467fb692600c569d8129dfd96371b481d2653 (diff) |
- djm@cvs.openbsd.org 2011/08/02 01:22:11
[mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5]
Add new SHA256 and SHA512 based HMAC modes from
http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt
Patch from mdb AT juniper.net; feedback and ok markus@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | mac.c | 6 | ||||
-rw-r--r-- | myproposal.h | 15 | ||||
-rw-r--r-- | ssh.1 | 8 | ||||
-rw-r--r-- | ssh_config.5 | 8 | ||||
-rw-r--r-- | sshd.8 | 7 | ||||
-rw-r--r-- | sshd_config.5 | 8 |
7 files changed, 41 insertions, 16 deletions
@@ -17,6 +17,11 @@ [gss-serv.c] prevent post-auth resource exhaustion (int overflow leading to 4GB malloc); report Adam Zabrock; ok djm@, deraadt@ + - djm@cvs.openbsd.org 2011/08/02 01:22:11 + [mac.c myproposal.h ssh.1 ssh_config.5 sshd.8 sshd_config.5] + Add new SHA256 and SHA512 based HMAC modes from + http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt + Patch from mdb AT juniper.net; feedback and ok markus@ 20110624 - (djm) [configure.ac Makefile.in sandbox-darwin.c] Add a sandbox for @@ -1,4 +1,4 @@ -/* $OpenBSD: mac.c,v 1.15 2008/06/13 00:51:47 dtucker Exp $ */ +/* $OpenBSD: mac.c,v 1.16 2011/08/02 01:22:11 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -57,6 +57,10 @@ struct { } macs[] = { { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, -1, -1 }, + { "hmac-sha2-256-96", SSH_EVP, EVP_sha256, 96, -1, -1 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, -1, -1 }, + { "hmac-sha2-512-96", SSH_EVP, EVP_sha512, 96, -1, -1 }, { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, { "hmac-md5-96", SSH_EVP, EVP_md5, 96, -1, -1 }, { "hmac-ripemd160", SSH_EVP, EVP_ripemd160, 0, -1, -1 }, diff --git a/myproposal.h b/myproposal.h index 2c43607a..aeb5201d 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.27 2010/09/01 22:42:13 djm Exp $ */ +/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
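Review bot: The four new `macs[]` rows in the mac.c hunk reference `EVP_sha256` and `EVP_sha512` unconditionally, so this file will not compile against a libcrypto that lacks the SHA-2 digests. If this tree is still expected to build against such OpenSSL versions (not visible from this page), wrap the four rows in the project's configure-time SHA-2 feature check, and guard the matching names added to `KEX_DEFAULT_MAC` in myproposal.h the same way so that unsupported MACs are never offered. A one-line comment above the new rows, such as `/* SHA-2 MACs from draft-dbider-sha2-mac-for-ssh-02; the -96 names truncate the tag to 96 bits */`, would also record where the names come from. The `macs[]` initializer begins and ends outside the hunk.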
@@ -76,9 +76,18 @@ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #define KEX_DEFAULT_MAC \ - "hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160," \ + "hmac-md5," \ + "hmac-sha1," \ + "umac-64@openssh.com," \ + "hmac-sha2-256," \ + "hmac-sha2-256-96," \ + "hmac-sha2-512," \ + "hmac-sha2-512-96," \ + "hmac-ripemd160," \ "hmac-ripemd160@openssh.com," \ - "hmac-sha1-96,hmac-md5-96" + "hmac-sha1-96," \ + "hmac-md5-96" + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_LANG "" @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.319 2011/05/07 23:20:25 jmc Exp $ -.Dd $Mdocdate: May 7 2011 $ +.\" $OpenBSD: ssh.1,v 1.320 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSH 1 .Os .Sh NAME @@ -667,7 +667,9 @@ Both protocols support similar authentication methods, but protocol 2 is the default since it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) -and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160). +and integrity (hmac-md5, hmac-sha1, +hmac-sha2-256, hmac-sha2-512, +umac-64, hmac-ripemd160). Protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. .Pp diff --git a/ssh_config.5 b/ssh_config.5 index 694ff814..a782d6f4 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.152 2011/06/04 00:10:26 djm Exp $ -.Dd $Mdocdate: June 4 2011 $ +.\" $OpenBSD: ssh_config.5,v 1.153 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSH_CONFIG 5 .Os .Sh NAME 
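Review bot: `KEX_DEFAULT_MAC` in the myproposal.h hunk still lists `hmac-md5` first and places the new SHA-2 names after `umac-64@openssh.com`. Because the first entry the peer also supports is the one negotiated, the new MACs will rarely be chosen unless a user reorders `MACs` by hand. If that ordering is a deliberate compatibility choice, say so above the define, for example `/* preference order: first mutual match wins; keep in sync with ssh_config.5 and sshd_config.5 */`. The order here also differs from the default documented in the ssh_config.5 and sshd_config.5 hunks, which append the SHA-2 names after `hmac-md5-96`. In addition, the sshd_config.5 hunk spells one entry `hmac-sha256-96`, whereas mac.c registers `hmac-sha2-256-96`, so a value copied from the manual page would not match any entry in the table.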
@@ -793,7 +793,9 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +hmac-ripemd160,hmac-sha1-96,hmac-md5-96, +hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512, +hmac-sha2-512-96 .Ed .It Cm NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across machines. @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.262 2011/05/23 07:10:21 jmc Exp $ -.Dd $Mdocdate: May 23 2011 $ +.\" $OpenBSD: sshd.8,v 1.263 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSHD 8 .Os .Sh NAME @@ -314,7 +314,8 @@ The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided through a cryptographic message authentication code -(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160). +(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160, +hmac-sha2-256 or hmac-sha2-512). .Pp Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using diff --git a/sshd_config.5 b/sshd_config.5 index f78452c8..a6c37879 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.134 2011/06/22 21:57:01 djm Exp $ -.Dd $Mdocdate: June 22 2011 $ +.\" $OpenBSD: sshd_config.5,v 1.135 2011/08/02 01:22:11 djm Exp $ +.Dd $Mdocdate: August 2 2011 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME 
@@ -655,7 +655,9 @@ Multiple algorithms must be comma-separated. The default is: .Bd -literal -offset indent hmac-md5,hmac-sha1,umac-64@openssh.com, -hmac-ripemd160,hmac-sha1-96,hmac-md5-96 +hmac-ripemd160,hmac-sha1-96,hmac-md5-96, +hmac-sha2-256,hmac-sha256-96,hmac-sha2-512, +hmac-sha2-512-96 .Ed .It Cm Match Introduces a conditional block. |