Commit Graph

63 Commits

Author SHA1 Message Date
djm@openbsd.org
05c08e5f62
upstream: return SSH_ERR_KRL_BAD_MAGIC when a KRL doesn't contain a
valid magic number and not SSH_ERR_MESSAGE_INCOMPLETE; the former is needed
to fall back to text revocation lists in some cases; fixes t-cert-hostkey.

OpenBSD-Commit-ID: 5c670a6c0f027e99b7774ef29f18ba088549c7e1
2023-07-17 15:22:36 +10:00
djm@openbsd.org
beec17bb31
upstream: remove vestigal support for KRL signatures
When the KRL format was originally defined, it included support for
signing of KRL objects. However, the code to sign KRLs and verify KRL
signatues was never completed in OpenSSH.

Now, some years later, we have SSHSIG support in ssh-keygen that is
more general, well tested and actually works. So this removes the
semi-finished KRL signing/verification support from OpenSSH and
refactors the remaining code to realise the benefit - primarily, we
no longer need to perform multiple parsing passes over KRL objects.

ok markus@

OpenBSD-Commit-ID: 517437bab3d8180f695c775410c052340e038804
2023-07-17 14:52:35 +10:00
djm@openbsd.org
449566f64c
upstream: Support for KRL extensions.
This defines wire formats for optional KRL extensions and implements
parsing of the new submessages. No actual extensions are supported at
this point.

ok markus

OpenBSD-Commit-ID: ae2fcde9a22a9ba7f765bd4f36b3f5901d8c3fa7
2023-07-17 14:52:20 +10:00
dtucker@openbsd.org
6fd4daafb9
upstream: Free KRL ptr in addition to its contents.
From Coverity CID 291841, ok djm@

OpenBSD-Commit-ID: f146ba08b1b43af4e0d7ad8c4dae3748b4fa31b6
2023-03-14 18:35:50 +11:00
djm@openbsd.org
e055220080 upstream: avoid printing hash algorithm twice; from lucas AT sexy.is
OpenBSD-Commit-ID: 9d24671e10a84141b7c504396cabad600e47a941
2022-04-28 13:55:12 +10:00
djm@openbsd.org
e760691918 upstream: The RB_GENERATE_STATIC(3) macro expands to a series of
function definitions and not a statement, so there should be no semicolon
following them. Patch from Michael Forney

OpenBSD-Commit-ID: c975dd180580f0bdc0a4d5b7d41ab1f5e9b7bedd
2021-06-04 16:20:28 +10:00
djm@openbsd.org
816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org
9b8ad93824 upstream: support for user-verified FIDO keys
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
2020-08-27 11:28:36 +10:00
djm@openbsd.org
338ccee1e7 upstream: avoid another compiler warning spotted in -portable
OpenBSD-Commit-ID: 1d29c51ac844b287c4c8bcaf04c63c7d9ba3b8c7
2020-04-03 16:53:50 +11:00
djm@openbsd.org
de34a44027 upstream: fix format string (use %llu for uint64, not %lld). spotted by
Darren and his tinderbox tests

OpenBSD-Commit-ID: 3b4587c3d9d46a7be9bdf028704201943fba96c2
2020-04-03 15:45:12 +11:00
djm@openbsd.org
6ec7457171 upstream: give ssh-keygen the ability to dump the contents of a
binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker

OpenBSD-Commit-ID: b76afc4e3b74ab735dbde4e5f0cfa1f02356033b
2020-04-03 13:33:25 +11:00
djm@openbsd.org
99aa803555 upstream: factor out reading/writing sshbufs to dedicated
functions; feedback and ok markus@

OpenBSD-Commit-ID: dc09e5f1950b7acc91b8fdf8015347782d2ecd3d
2020-01-26 10:18:42 +11:00
djm@openbsd.org
b7e74ea072 upstream: Add new structure for signature options
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-25 12:23:33 +11:00
djm@openbsd.org
9a14c64c38 upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
2019-11-01 09:46:10 +11:00
Damien Miller
edd1d3a626 remove duplicate #includes
Prompted by Jakub Jelen
2019-10-02 10:54:28 +10:00
djm@openbsd.org
be02d7cbde upstream: lots of things were relying on libcrypto headers to
transitively include various system headers (mostly stdlib.h); include them
explicitly

OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
2019-09-06 17:54:21 +10:00
Darren Tucker
2ea60312e1 Include stdlib.h for free() and calloc(). 2019-07-23 22:11:50 +10:00
djm@openbsd.org
4f7a56d5e0 upstream: Add protection for private keys at rest in RAM against
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer
and Rambleed. This change encrypts private keys when they are not in use with
a symmetic key that is derived from a relatively large "prekey" consisting of
random data (currently 16KB).

Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.

Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.

Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.

been in snaps for a bit already; thanks deraadt@

ok dtucker@ deraadt@

OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-06-21 14:24:35 +10:00
djm@openbsd.org
9405c6214f upstream: allow key revocation by SHA256 hash and allow ssh-keygen
to create KRLs using SHA256/base64 key fingerprints; ok markus@

OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
2018-09-12 16:49:21 +10:00
djm@openbsd.org
04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
deraadt@openbsd.org
9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00
dtucker@openbsd.org
ef653dd5bd upstream commit
krl.c

Upstream-ID: fc5e695d5d107d730182e2da7b23f00b489e0ee1
2017-03-12 10:50:18 +11:00
deraadt@openbsd.org
9136ec134c upstream commit
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then
use those definitions rather than pulling <sys/param.h> and unknown namespace
pollution. ok djm markus dtucker

Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-09-12 13:46:29 +10:00
djm@openbsd.org
422d1b3ee9 upstream commit
fix three bugs in KRL code related to (unused) signature
 support: verification length was being incorrectly calculated, multiple
 signatures were being incorrectly processed and a NULL dereference that
 occurred when signatures were verified. Reported by Carl Jackson

Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
2016-01-07 20:13:33 +11:00
mmcc@openbsd.org
52d7078421 upstream commit
Remove NULL-checks before sshbuf_free().

ok djm@

Upstream-ID: 5ebed00ed5f9f03b119a345085e8774565466917
2015-12-18 14:50:48 +11:00
markus@openbsd.org
76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
jsg@openbsd.org
f3a3ea180a upstream commit
Fix occurrences of "r = func() != 0" which result in the
 wrong error codes being returned due to != having higher precedence than =.

ok deraadt@ markus@

Upstream-ID: 5fc35c9fc0319cc6fca243632662d2f06b5fd840
2015-09-03 10:44:41 +10:00
djm@openbsd.org
c28fc62d78 upstream commit
delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-07-15 15:35:09 +10:00
djm@openbsd.org
9d27fb73b4 upstream commit
correct test to sshkey_sign(); spotted by Albert S.

Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
2015-06-25 09:50:30 +10:00
djm@openbsd.org
669aee9943 upstream commit
permit KRLs that revoke certificates by serial number or
 key ID without scoping to a particular CA; ok markus@
2015-01-30 12:17:07 +11:00
djm@openbsd.org
60b1825262 upstream commit
small refactor and add some convenience functions; ok
 markus
2015-01-27 00:00:36 +11:00
deraadt@openbsd.org
087266ec33 upstream commit
Reduce use of <sys/param.h> and transition to <limits.h>
 throughout. ok djm markus
2015-01-26 23:58:53 +11:00
djm@openbsd.org
4e62cc68ce upstream commit
fix format strings in (disabled) debugging
2015-01-20 08:33:01 +11:00
deraadt@openbsd.org
f101d8291d upstream commit
string truncation due to sizeof(size) ok djm markus
2015-01-20 00:20:17 +11:00
Damien Miller
b03ebe2c22 more --without-openssl
fix some regressions caused by upstream merges

enable KRLs now that they no longer require BIGNUMs
2015-01-15 03:08:58 +11:00
Damien Miller
72ef7c148c support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.

Considered highly experimental for now.
2015-01-15 02:28:36 +11:00
djm@openbsd.org
a165bab605 upstream commit
avoid BIGNUM in KRL code by using a simple bitmap;
 feedback and ok markus
2015-01-15 02:22:18 +11:00
djm@openbsd.org
e7fd952f4e upstream commit
sync changes from libopenssh; prepared by markus@ mostly
 debug output tweaks, a couple of error return value changes and some other
 minor stuff
2015-01-14 20:32:42 +11:00
markus@openbsd.org
0097565f84 upstream commit
missing error assigment on sshbuf_put_string()
2015-01-13 19:26:12 +11:00
markus@openbsd.org
905fe30fca upstream commit
free->sshkey_free; ok djm@
2015-01-13 19:25:52 +11:00
djm@openbsd.org
1195f4cb07 upstream commit
deprecate key_load_private_pem() and
 sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
 not require pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@
2015-01-09 00:17:12 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
djm@openbsd.org
74de254bb9 upstream commit
convert KRL code to new buffer API

ok markus@
2014-12-05 09:29:46 +11:00
djm@openbsd.org
b6de5ac9ed upstream commit
fix NULL pointer dereference crash on invalid timestamp

found using Michal Zalewski's afl fuzzer
2014-11-24 10:15:47 +11:00
djm@openbsd.org
9f9fad0191 upstream commit
fix KRL generation when multiple CAs are in use

We would generate an invalid KRL when revoking certs by serial
number for multiple CA keys due to a section being written out
twice.

Also extend the regress test to catch this case by having it
produce a multi-CA KRL.

Reported by peter AT pean.org
2014-11-17 11:20:39 +11:00
Damien Miller
8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller
2cd7929250 - djm@cvs.openbsd.org 2014/06/24 00:52:02
[krl.c]
     fix bug in KRL generation: multiple consecutive revoked certificate
     serial number ranges could be serialised to an invalid format.

     Readers of a broken KRL caused by this bug will fail closed, so no
     should-have-been-revoked key will be accepted.
2014-07-02 12:48:30 +10:00
Damien Miller
633de33b19 - djm@cvs.openbsd.org 2014/04/28 03:09:18
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
     [ssh-keygen.c]
     buffer_get_string_ptr's return should be const to remind
     callers that futzing with it will futz with the actual buffer
     contents
2014-05-15 13:48:26 +10:00
Damien Miller
1d2c456426 - tedu@cvs.openbsd.org 2014/01/31 16:39:19
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
     replace most bzero with explicit_bzero, except a few that cna be memset
     ok djm dtucker
2014-02-04 11:18:20 +11:00
Damien Miller
c8669a8cd2 - djm@cvs.openbsd.org 2013/07/20 22:20:42
[krl.c]
     fix verification error in (as-yet usused) KRL signature checking path
2013-07-25 11:52:48 +10:00