mirror of
https://github.com/opnsense/src.git
synced 2026-02-18 18:20:26 -05:00
ff2fd01609
Highlights from the release notes are reproduced below. Some security and bug fixes were previously merged into FreeBSD and have been elided. See the upstream release notes for full details (https://www.openssh.com/releasenotes.html). --- Future deprecation notice ========================= OpenSSH plans to remove support for the DSA signature algorithm in early 2025. Potentially-incompatible changes -------------------------------- * sshd(8): the server will now block client addresses that repeatedly fail authentication, repeatedly connect without ever completing authentication or that crash the server. See the discussion of PerSourcePenalties below for more information. Operators of servers that accept connections from many users, or servers that accept connections from addresses behind NAT or proxies may need to consider these settings. * sshd(8): the server has been split into a listener binary, sshd(8), and a per-session binary "sshd-session". This allows for a much smaller listener binary, as it no longer needs to support the SSH protocol. As part of this work, support for disabling privilege separation (which previously required code changes to disable) and disabling re-execution of sshd(8) has been removed. Further separation of sshd-session into additional, minimal binaries is planned for the future. * sshd(8): several log messages have changed. In particular, some log messages will be tagged with as originating from a process named "sshd-session" rather than "sshd". * ssh-keyscan(1): this tool previously emitted comment lines containing the hostname and SSH protocol banner to standard error. This release now emits them to standard output, but adds a new "-q" flag to silence them altogether. * sshd(8): (portable OpenSSH only) sshd will no longer use argv[0] as the PAM service name. A new "PAMServiceName" sshd_config(5) directive allows selecting the service name at runtime. This defaults to "sshd". bz2101 New features ------------ * sshd(8): sshd(8) will now penalise client addresses that, for various reasons, do not successfully complete authentication. This feature is controlled by a new sshd_config(5) PerSourcePenalties option and is on by default. * ssh(8): allow the HostkeyAlgorithms directive to disable the implicit fallback from certificate host key to plain host keys. Portability ----------- * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules unconditionally. The previous behaviour was to expose it only when particular authentication methods were in use. * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY environment variable to enable SSH_ASKPASS, similarly to the X11 DISPLAY environment variable. GHPR479 --- Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D48914 (cherry picked from commit 0fdf8fae8b569bf9fff3b5171e669dcd7cf9c79e) (cherry picked from commit b4bb480ae9294d7e4b375f0ead9ae57517c79ef3) (cherry picked from commit e95979047aec384852102cf8bb1d55278ea77eeb) (cherry picked from commit dcb4ae528d357f34e4a4b4882c2757c67c98e395) Approved by: re (accelerated MFC)
222 lines
7.5 KiB
C
222 lines
7.5 KiB
C
/* $OpenBSD: packet.h,v 1.98 2024/05/17 06:42:04 jsg Exp $ */
|
|
|
|
/*
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
* All rights reserved
|
|
* Interface for the packet protocol functions.
|
|
*
|
|
* As far as I am concerned, the code I have written for this software
|
|
* can be used freely for any purpose. Any derived versions of this
|
|
* software must be clearly marked as such, and if the derived work is
|
|
* incompatible with the protocol description in the RFC file, it must be
|
|
* called by a name other than "ssh" or "Secure Shell".
|
|
*/
|
|
|
|
#ifndef PACKET_H
|
|
#define PACKET_H
|
|
|
|
#include <termios.h>
|
|
|
|
#ifdef WITH_OPENSSL
|
|
# include <openssl/bn.h>
|
|
# ifdef OPENSSL_HAS_ECC
|
|
# include <openssl/ec.h>
|
|
# else /* OPENSSL_HAS_ECC */
|
|
# define EC_KEY void
|
|
# define EC_GROUP void
|
|
# define EC_POINT void
|
|
# endif /* OPENSSL_HAS_ECC */
|
|
#else /* WITH_OPENSSL */
|
|
# define BIGNUM void
|
|
# define EC_KEY void
|
|
# define EC_GROUP void
|
|
# define EC_POINT void
|
|
#endif /* WITH_OPENSSL */
|
|
|
|
#include <signal.h>
|
|
#include "openbsd-compat/sys-queue.h"
|
|
|
|
struct kex;
|
|
struct sshkey;
|
|
struct sshbuf;
|
|
struct session_state; /* private session data */
|
|
|
|
#include "dispatch.h" /* typedef, DISPATCH_MAX */
|
|
|
|
struct key_entry {
|
|
TAILQ_ENTRY(key_entry) next;
|
|
struct sshkey *key;
|
|
};
|
|
|
|
struct ssh {
|
|
/* Session state */
|
|
struct session_state *state;
|
|
|
|
/* Key exchange */
|
|
struct kex *kex;
|
|
|
|
/* cached local and remote ip addresses and ports */
|
|
char *remote_ipaddr;
|
|
int remote_port;
|
|
char *local_ipaddr;
|
|
int local_port;
|
|
char *rdomain_in;
|
|
|
|
/* Optional preamble for log messages (e.g. username) */
|
|
char *log_preamble;
|
|
|
|
/* Dispatcher table */
|
|
dispatch_fn *dispatch[DISPATCH_MAX];
|
|
/* number of packets to ignore in the dispatcher */
|
|
int dispatch_skip_packets;
|
|
|
|
/* datafellows */
|
|
int compat;
|
|
|
|
/* Lists for private and public keys */
|
|
TAILQ_HEAD(, key_entry) private_keys;
|
|
TAILQ_HEAD(, key_entry) public_keys;
|
|
|
|
/* Client/Server authentication context */
|
|
void *authctxt;
|
|
|
|
/* Channels context */
|
|
struct ssh_channels *chanctxt;
|
|
|
|
/* APP data */
|
|
void *app_data;
|
|
};
|
|
|
|
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
|
|
u_char *, void *);
|
|
|
|
struct ssh *ssh_alloc_session_state(void);
|
|
struct ssh *ssh_packet_set_connection(struct ssh *, int, int);
|
|
void ssh_packet_set_timeout(struct ssh *, int, int);
|
|
int ssh_packet_stop_discard(struct ssh *);
|
|
int ssh_packet_connection_af(struct ssh *);
|
|
void ssh_packet_set_nonblocking(struct ssh *);
|
|
int ssh_packet_get_connection_in(struct ssh *);
|
|
int ssh_packet_get_connection_out(struct ssh *);
|
|
void ssh_packet_close(struct ssh *);
|
|
void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
|
|
void ssh_packet_clear_keys(struct ssh *);
|
|
void ssh_clear_newkeys(struct ssh *, int);
|
|
|
|
int ssh_packet_is_rekeying(struct ssh *);
|
|
int ssh_packet_check_rekey(struct ssh *);
|
|
void ssh_packet_set_protocol_flags(struct ssh *, u_int);
|
|
u_int ssh_packet_get_protocol_flags(struct ssh *);
|
|
void ssh_packet_set_tos(struct ssh *, int);
|
|
void ssh_packet_set_interactive(struct ssh *, int, int, int);
|
|
int ssh_packet_is_interactive(struct ssh *);
|
|
void ssh_packet_set_server(struct ssh *);
|
|
void ssh_packet_set_authenticated(struct ssh *);
|
|
void ssh_packet_set_mux(struct ssh *);
|
|
int ssh_packet_get_mux(struct ssh *);
|
|
int ssh_packet_set_log_preamble(struct ssh *, const char *, ...)
|
|
__attribute__((format(printf, 2, 3)));
|
|
|
|
int ssh_packet_log_type(u_char);
|
|
|
|
int ssh_packet_send2_wrapped(struct ssh *);
|
|
int ssh_packet_send2(struct ssh *);
|
|
|
|
int ssh_packet_read(struct ssh *);
|
|
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
|
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
|
|
int ssh_packet_process_read(struct ssh *, int);
|
|
int ssh_packet_read_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
|
int ssh_packet_read_poll_seqnr(struct ssh *, u_char *, u_int32_t *seqnr_p);
|
|
|
|
void ssh_packet_disconnect(struct ssh *, const char *fmt, ...)
|
|
__attribute__((format(printf, 2, 3)))
|
|
__attribute__((noreturn));
|
|
void ssh_packet_send_debug(struct ssh *, const char *fmt, ...) __attribute__((format(printf, 2, 3)));
|
|
|
|
int ssh_set_newkeys(struct ssh *, int mode);
|
|
void ssh_packet_get_bytes(struct ssh *, u_int64_t *, u_int64_t *);
|
|
|
|
int ssh_packet_write_poll(struct ssh *);
|
|
int ssh_packet_write_wait(struct ssh *);
|
|
int ssh_packet_have_data_to_write(struct ssh *);
|
|
int ssh_packet_not_very_much_data_to_write(struct ssh *);
|
|
int ssh_packet_interactive_data_to_write(struct ssh *);
|
|
|
|
int ssh_packet_connection_is_on_socket(struct ssh *);
|
|
int ssh_packet_remaining(struct ssh *);
|
|
|
|
void ssh_tty_make_modes(struct ssh *, int, struct termios *);
|
|
void ssh_tty_parse_modes(struct ssh *, int);
|
|
|
|
void ssh_packet_set_alive_timeouts(struct ssh *, int);
|
|
int ssh_packet_inc_alive_timeouts(struct ssh *);
|
|
int ssh_packet_set_maxsize(struct ssh *, u_int);
|
|
u_int ssh_packet_get_maxsize(struct ssh *);
|
|
|
|
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
|
|
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
|
|
|
|
const char *ssh_remote_ipaddr(struct ssh *);
|
|
int ssh_remote_port(struct ssh *);
|
|
const char *ssh_local_ipaddr(struct ssh *);
|
|
int ssh_local_port(struct ssh *);
|
|
const char *ssh_packet_rdomain_in(struct ssh *);
|
|
char *ssh_remote_hostname(struct ssh *);
|
|
|
|
void ssh_packet_set_rekey_limits(struct ssh *, u_int64_t, u_int32_t);
|
|
time_t ssh_packet_get_rekey_timeout(struct ssh *);
|
|
|
|
void *ssh_packet_get_input(struct ssh *);
|
|
void *ssh_packet_get_output(struct ssh *);
|
|
|
|
/* new API */
|
|
int sshpkt_start(struct ssh *ssh, u_char type);
|
|
int sshpkt_send(struct ssh *ssh);
|
|
int sshpkt_disconnect(struct ssh *, const char *fmt, ...)
|
|
__attribute__((format(printf, 2, 3)));
|
|
int sshpkt_add_padding(struct ssh *, u_char);
|
|
void sshpkt_fatal(struct ssh *ssh, int r, const char *fmt, ...)
|
|
__attribute__((format(printf, 3, 4)))
|
|
__attribute__((noreturn));
|
|
int sshpkt_msg_ignore(struct ssh *, u_int);
|
|
|
|
int sshpkt_put(struct ssh *ssh, const void *v, size_t len);
|
|
int sshpkt_putb(struct ssh *ssh, const struct sshbuf *b);
|
|
int sshpkt_put_u8(struct ssh *ssh, u_char val);
|
|
int sshpkt_put_u32(struct ssh *ssh, u_int32_t val);
|
|
int sshpkt_put_u64(struct ssh *ssh, u_int64_t val);
|
|
int sshpkt_put_string(struct ssh *ssh, const void *v, size_t len);
|
|
int sshpkt_put_cstring(struct ssh *ssh, const void *v);
|
|
int sshpkt_put_stringb(struct ssh *ssh, const struct sshbuf *v);
|
|
int sshpkt_put_ec(struct ssh *ssh, const EC_POINT *v, const EC_GROUP *g);
|
|
int sshpkt_put_bignum2(struct ssh *ssh, const BIGNUM *v);
|
|
|
|
int sshpkt_get(struct ssh *ssh, void *valp, size_t len);
|
|
int sshpkt_get_u8(struct ssh *ssh, u_char *valp);
|
|
int sshpkt_get_u32(struct ssh *ssh, u_int32_t *valp);
|
|
int sshpkt_get_u64(struct ssh *ssh, u_int64_t *valp);
|
|
int sshpkt_get_string(struct ssh *ssh, u_char **valp, size_t *lenp);
|
|
int sshpkt_get_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp);
|
|
int sshpkt_peek_string_direct(struct ssh *ssh, const u_char **valp, size_t *lenp);
|
|
int sshpkt_get_cstring(struct ssh *ssh, char **valp, size_t *lenp);
|
|
int sshpkt_getb_froms(struct ssh *ssh, struct sshbuf **valp);
|
|
int sshpkt_get_ec(struct ssh *ssh, EC_POINT *v, const EC_GROUP *g);
|
|
int sshpkt_get_bignum2(struct ssh *ssh, BIGNUM **valp);
|
|
int sshpkt_get_end(struct ssh *ssh);
|
|
void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l);
|
|
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
|
|
|
#if !defined(WITH_OPENSSL)
|
|
# undef BIGNUM
|
|
# undef EC_KEY
|
|
# undef EC_GROUP
|
|
# undef EC_POINT
|
|
#elif !defined(OPENSSL_HAS_ECC)
|
|
# undef EC_KEY
|
|
# undef EC_GROUP
|
|
# undef EC_POINT
|
|
#endif
|
|
|
|
#endif /* PACKET_H */
|