not enabled by default.
1) Add all hostkey types in the "multiple hostkeys" subtest.
Previously known_hosts was accidentally clobbered, causing
only the last added hostkey type to be used.
2) Explicitly enable the hostkey types under test via
HostKeyAlgorithms
- Fix the active pane colour when only two panes and scrollbars enabled.
- Clip left and right scrollbars the same for floating panes.
- Do not subtract scrollbar width twice when working out width of status
line.
- Check if a character is inside a visible range correctly (do not
include the next position outside the range).
With the introduction of a secondary key share, we fail to ensure that the
HelloRetryRequest does not specify the group that was used for the
secondary key share. We also fail to free the secondary key share early in
this case, meaning that it lingers in memory until the SSL is reset or
freed. Fix both of these issues.
ok tb@
While we currently correctly handle the no-shared-group case, it currently
fails late when we try to create the key share. Improve detection and
handling so that we fail sooner and send an alert to the client when
processing client key shares.
While here rename preferred_group_found to shared_group_found - we look for
the client preferred group, but any group that we select will always be in
the client list (even if it's the last one).
Reported by the tlspuffin team.
ok tb@
Be more RFC compliant and send illegal parameter alerts when the client
receives a HelloRetryRequest that requests a group that we did not offer
or a group that we sent a key share for in the ClientHello. These were
annotated as missing, but not previously implemented.
Prompted by a report from the tlspuffin team.
ok tb@
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL
Delete the entire "SECURE RENEGOTIATION" section that contained ancient
ramblings.
ok beck@ tb@
Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
SSL_OP_ALL define. This means that we will now refuse to connect to a
TLSv1.2 server if it does not support the Renegotiation Indication (RI)
extension. This prevents a class of attacks against TLS clients that are
talking to TLSv1.2-only servers that permit client initiated renegotiation.
Raised by Lucca Hirschi et al from Inria.
ok beck@ tb@
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
and lose the actual reason.
Wire ssl_error() into ca_engine_init(), which also kills a dead
RSA_meth_free() on a NULL pointer there, and into ssl_load_key()s fail
path.
Tweaks and OK tb
Drop the local get_string() and read variable-length string and binary
payloads through the ibuf getters instead of the raw imsg->data pointer.
ibuf_get_string() no longer trims the input at the first non-printable
byte like the old get_string() did; the payloads come from the parent
over privsep imsg.
idea and ok claudio
Use imsg_get_data() for the fixed-size messages and imsg_get_ibuf() for
the variable-length IMSG_CTL_RELOAD path, taking the config name from
the ibuf via ibuf_data()/ibuf_size().
Remove IMSG_SIZE_CHECK and IMSG_DATA_SIZE, no consumer left.
OK claudio
The IMSG_CA_PRIVENC/PRIVDEC messages carry a ctl_keyop header followed
by cko_flen (request) or cko_tlen (response) trailing bytes, so the
exact-size imsg_get_data() cannot be used. Read the header with
imsg_get_ibuf() + ibuf_get() and take the payload from the same ibuf
via ibuf_data()/ibuf_size().
Tweaks (in a different commit) and OK claudio
Convert the config_get* handlers from IMSG_SIZE_CHECK() + memcpy() to
the new imsg API. Fixed-size payloads use imsg_get_data(). Functions
with a fixed header followed by variable-length data use imsg_get_ibuf()
+ ibuf_get() and read the remainder from the same ibuf cursor, since
imsg_get_data() requires the payload to match the requested size
exactly.
Feedback and OK claudio
Rework control_imsg_forward() to forward the message unaltered via
imsg_forward() instead of rebuilding it with imsg_compose_event().
read the type via imsg_get_type(), dropping the manual header-length
Switch to use read the payload with imsg_get_data() and checks and the
memcpy() that wrote the data back into the imsg before forwarding.
OK claudio
Replace IMSG_SIZE_CHECK() + memcpy()/bcopy() with imsg_get_data(),
which does the length check and copy in one call, and read the message
type via imsg_get_type() instead of imsg->hdr.type.
OK claudio
Replace IMSG_SIZE_CHECK() + memcpy() with imsg_get_data(), which does
the length check and copy in one call. Use the imsg accessors
(imsg_get_*) instead of touching imsg.hdr directly and
imsgbuf_get()/imsgbuf_read() instead of imsg_get().
Rewrite proc_forward_imsg() to use imsg_forward() per target imsgbuf
instead of re-composing via proc_compose_imsg(); arm the write event
with imsg_event_add() after each forward.
proc_forward_imsg() never forwarded an fd, and imsg_forward() rewinds
the buffer internally, so multiple forwards per message keep working.
Drop the now-unused n parameter (all callers passed -1).
ok claudio@
scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an
early draft documenting use of the integration of this scheme into
SSH as draft-miller-sshm-mldsa44-ed25519-composite-sigs
This scheme is not enabled by default. To you use, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
feedback markus@ tb@ logan@ deraadt@
(top-left, bottom-right). Get rid of the not-so-useful default { and }
swap-pane bindings and use the keys instead for moving to top-left,
top-right and add M-{ and M-} for bottom-left, bottom-right.
djm