v0.61.0

Changes

• 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

  • New APIs allow zero-copy writes into channels:
    • Channel::data_bytes
    • Channel::extended_data_bytes
    • ChannelWriteHalf::data_bytes
    • ChannelWriteHalf::extended_data_bytes

• deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

• 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @mjc

GHSA-hpv4-5h6f-wqr3

• When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
  • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have

GHSA-g9g7-5cgw-6v28

• When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

• russh server did not enfore the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

• "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

• 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
• reject trailing KEX and channel-open payloads (Mika Cohen)
• reject trailing encrypted message payloads (Mika Cohen)