Commit Graph

109 Commits

Author SHA1 Message Date
djm@openbsd.org
4bfc0503ad upstream: fix a bug that prevented serialisation of ed25519-sk keys
OpenBSD-Commit-ID: 066682b79333159cac04fcbe03ebd9c8dcc152a9
2019-11-18 17:59:43 +11:00
djm@openbsd.org
740c4bc987 upstream: fix bug that prevented certification of ed25519-sk keys
OpenBSD-Commit-ID: 64c8cc6f5de2cdd0ee3a81c3a9dee8d862645996
2019-11-18 17:42:11 +11:00
Darren Tucker
857f49e91e Move ifdef OPENSSL_HAS_ECC.
Found by -Wimplicit-fallthrough: one ECC case was not inside the ifdef.
ok djm@
2019-11-18 14:15:26 +11:00
djm@openbsd.org
fd1a96490c upstream: remove most uses of BN_CTX
We weren't following the rules re BN_CTX_start/BN_CTX_end and the places
we were using it didn't benefit from its use anyway. ok dtucker@

OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a
2019-11-17 09:44:43 +11:00
markus@openbsd.org
4f5e331cb8 upstream: in order to be able to figure out the number of
signatures left on a shielded key, we need to transfer the number of
signatures left from the private to the public key. ok djm@

OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574
2019-11-15 08:50:10 +11:00
markus@openbsd.org
bf219920b7 upstream: fix shield/unshield for xmss keys: - in ssh-agent we need
to delay the call to shield   until we have received key specific options. -
when serializing xmss keys for shield we need to deal with   all optional
components (e.g. state might not be loaded). ok djm@

OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f
2019-11-15 08:50:10 +11:00
Darren Tucker
1e0b248d47 Put sshsk_sign call inside ifdef ENABLE_SK.
Fixes build against OpenSSL configured without ECC.
2019-11-14 16:08:17 +11:00
markus@openbsd.org
2c55744a56 upstream: enable ed25519 support; ok djm
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13 08:54:09 +11:00
markus@openbsd.org
fe05a36dc0 upstream: implement sshsk_ed25519_inner_sig(); ok djm
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
2019-11-13 08:49:52 +11:00
markus@openbsd.org
e03a29e655 upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok djm
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
2019-11-13 08:49:52 +11:00
markus@openbsd.org
7c096c456f upstream: implement ssh-ed25519-sk verification; ok djm@
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
2019-11-13 08:48:48 +11:00
Damien Miller
03f9205f0f conditionalise SK sign/verify on ENABLE_SK
Spotted by Darren and his faux-Vax
2019-11-01 14:49:55 +11:00
djm@openbsd.org
9a14c64c38 upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
2019-11-01 09:46:10 +11:00
djm@openbsd.org
02bb0768a9 upstream: Initial infrastructure for U2F/FIDO support
Key library support: including allocation, marshalling public/private
keys and certificates, signature validation.

feedback & ok markus@

OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
2019-11-01 09:46:08 +11:00
djm@openbsd.org
29e0ecd9b4 upstream: fix an unreachable integer overflow similar to the XMSS
case, and some other NULL dereferences found by fuzzing.

fix with and ok markus@

OpenBSD-Commit-ID: 0f81adbb95ef887ce586953e1cb225fa45c7a47b
2019-10-09 11:11:41 +11:00
Damien Miller
6a710d3e06 needs time.h for --without-openssl 2019-09-08 14:48:11 +10:00
djm@openbsd.org
670104b923 upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
2019-09-06 17:54:21 +10:00
djm@openbsd.org
f8df0413f0 upstream: make get_sigtype public as sshkey_get_sigtype(); ok
markus@

OpenBSD-Commit-ID: 01f8cdbec63350490d2249f41112c5780d1cfbb8
2019-09-03 18:39:31 +10:00
djm@openbsd.org
16dd8b2c78 upstream: remove mostly vestigal uuencode.[ch]; moving the only unique
functionality there (wrapping of base64-encoded data) to sshbuf functions;
feedback and ok markus@

OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
2019-07-16 23:23:05 +10:00
djm@openbsd.org
eb0d8e708a upstream: support PKCS8 as an optional format for storage of
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save
private keys to disk.

The OpenSSH native key format remains the default, but PKCS8 is a
superior format to PEM if interoperability with non-OpenSSH software
is required, as it may use a less terrible KDF (IIRC PEM uses a single
round of MD5 as a KDF).

adapted from patch by Jakub Jelen via bz3013; ok markus

OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
2019-07-15 23:21:18 +10:00
dtucker@openbsd.org
696fb4298e upstream: Remove some set but never used variables. ok daraadt@
OpenBSD-Commit-ID: 824baf9c59afc66a4637017e397b9b74a41684e7
2019-07-08 11:45:51 +10:00
djm@openbsd.org
b2e3e57be4 upstream: fix NULL deference (bzero) on err
=?UTF-8?q?or=20path=20added=20in=20last=20commit;=20spotted=20by=20Reynir?=
=?UTF-8?q?=20Bj=C3=B6rnsson?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ok deraadt@ markus@ tb@

OpenBSD-Commit-ID: b11b084bcc551b2c630560eb08618dd501027bbd
2019-06-28 11:30:18 +10:00
djm@openbsd.org
8de52eb224 upstream: fix mismatch proto/decl from key shielding change; spotted
via oss-fuzz

OpenBSD-Commit-ID: 1ea0ba05ded2c5557507bd844cd446e5c8b5b3b7
2019-06-23 22:22:42 +10:00
djm@openbsd.org
4f7a56d5e0 upstream: Add protection for private keys at rest in RAM against
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer
and Rambleed. This change encrypts private keys when they are not in use with
a symmetic key that is derived from a relatively large "prekey" consisting of
random data (currently 16KB).

Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.

Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.

Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.

been in snaps for a bit already; thanks deraadt@

ok dtucker@ deraadt@

OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-06-21 14:24:35 +10:00
djm@openbsd.org
476e3551b2 upstream: When signing certificates with an RSA key, default to
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys
will therefore be incompatible with OpenSSH < 7.2 unless the default is
overridden.

Document the ability of the ssh-keygen -t flag to override the
signature algorithm when signing certificates, and the new default.

ok deraadt@

OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-20 10:21:58 +10:00
dtucker@openbsd.org
99043bd64e upstream: Wrap XMSS including in ifdef. Patch from markus at
blueflash.cc, ok djm

OpenBSD-Commit-ID: e3b34fc35cf12d33bde91ac03633210a3bc0f8b5
2019-05-08 18:42:43 +10:00
djm@openbsd.org
7be8572b32 upstream: Make sshpkt_get_bignum2() allocate the bignum it is
parsing rather than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@

OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2019-01-21 21:47:28 +11:00
Damien Miller
26841ac265 some more duplicated key algorithm lines
From Adam Eijdenberg
2018-10-11 13:02:11 +11:00
Damien Miller
5d9d17603b fix duplicated algorithm specification lines
Spotted by Adam Eijdenberg
2018-10-11 11:56:36 +11:00
djm@openbsd.org
ebfafd9c7a upstream: typo in plain RSA algorithm counterpart names for
certificates; spotted by Adam Eijdenberg; ok dtucker@

OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11 11:55:57 +11:00
Damien Miller
12731158c7 supply callback to PEM_read_bio_PrivateKey
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
so that empty passphrases are interpreted differently. This
probabalistically breaks loading some keys, because the PEM format
is terrible and doesn't include a proper MAC.

Avoid this by providing a basic callback to avoid passing empty
passphrases to OpenSSL in cases where one is required.

Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-11 10:29:29 +11:00
djm@openbsd.org
edbb6febcc upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrase
is specified as "incorrect passphrase" instead of trying to choose between
that and "invalid format".

libcrypto can return ASN1 parsing errors rather than the expected
decrypt error in certain infrequent cases when trying to decrypt/parse
PEM private keys when supplied with an invalid passphrase.

Report and repro recipe from Thomas Deutschmann in bz#2901

ok markus@

OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-10-09 16:45:45 +11:00
Darren Tucker
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.
ok djm@
2018-09-15 19:44:06 +10:00
djm@openbsd.org
6da046f9c3 upstream: garbage-collect moribund ssh_new_private() API.
OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
2018-09-14 14:19:06 +10:00
Damien Miller
48f54b9d12 adapt -portable to OpenSSL 1.1x API
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13 12:13:50 +10:00
djm@openbsd.org
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x API in
OpenSSH; feedback and ok tb@ jsing@ markus@

OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-13 12:12:33 +10:00
djm@openbsd.org
ba9e788315 upstream: add sshkey_check_cert_sigtype() that checks a
cert->signature_type against a supplied whitelist; ok markus

OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
2018-09-12 16:49:21 +10:00
djm@openbsd.org
a70fd4ad7b upstream: add cert->signature_type field and keep it in sync with
certificate signature wrt loading and certification operations; ok markus@

OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
2018-09-12 16:49:21 +10:00
djm@openbsd.org
b4d4eda633 upstream: some finesse to fix RSA-SHA2 certificate authentication
for certs hosted in ssh-agent

OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
2018-07-03 23:26:47 +10:00
djm@openbsd.org
4ba0d54794 upstream: Improve strictness and control over RSA-SHA2 signature
In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-07-03 23:26:36 +10:00
markus@openbsd.org
27979da9e4 upstream: ssh/xmss: fix deserialize for certs; ok djm@
OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
2018-03-23 11:05:39 +11:00
djm@openbsd.org
94b4e2d29a upstream: refactor sshkey_read() to make it a little more, err,
readable. ok markus

OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28
2018-03-02 14:39:16 +11:00
markus@openbsd.org
1b11ea7c58 upstream: Add experimental support for PQC XMSS keys (Extended
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-26 11:40:41 +11:00
jsing@openbsd.org
4270efad70 upstream: Some obvious freezero() conversions.
This also zeros an ed25519_pk when it was not being zeroed previously.

ok djm@ dtucker@

OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82
2018-02-16 13:35:28 +11:00
jsing@openbsd.org
7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
djm@openbsd.org
04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
djm@openbsd.org
931c78dfd7 upstream commit
sshkey_sigtype() function to return the type of a
signature; ok markus@

OpenBSD-Commit-ID: d3772b065ad6eed97285589bfb544befed9032e8
2017-12-19 15:20:44 +11:00
djm@openbsd.org
224f193d6a upstream commit
BIO_get_mem_data() is supposed to take a char* as pointer
argument, so don't pass it a const char*

Upstream-ID: 1ccd91eb7f4dd4f0fa812d4f956987cd00b5f6ec
2017-10-20 12:01:03 +11:00
djm@openbsd.org
0f3455356b upstream commit
Switch from aes256-cbc to aes256-ctr for encrypting
new-style private keys. The latter having the advantage of being supported
for no-OpenSSL builds; bz#2754 ok markus@

Upstream-ID: 54179a2afd28f93470471030567ac40431e56909
2017-08-12 16:47:10 +10:00
markus@openbsd.org
dc2bd30876 upstream commit
fix support for unknown key types; ok djm@

Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
2017-07-21 14:17:33 +10:00