summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-14ssh-sk-client.c needs includes.hDamien Miller
2019-12-14only link ssh-sk-helper against libfido2Damien Miller
2019-12-14adapt Makefile to ssh-sk-client everywhereDamien Miller
2019-12-14fixupDamien Miller
2019-12-14upstream: actually commit the ssh-sk-helper client code; ok markusdjm@openbsd.org
OpenBSD-Commit-ID: fd2ea776a5bbbf4d452989d3c3054cf25a5e0589
2019-12-14upstream: perform security key enrollment via ssh-sk-helper too.djm@openbsd.org
This means that ssh-keygen no longer needs to link against ssh-sk-helper, and only ssh-sk-helper needs libfido2 and /dev/uhid* access; feedback & ok markus@ OpenBSD-Commit-ID: 9464233fab95708d2ff059f8bee29c0d1f270800
2019-12-14upstream: allow sshbuf_put_stringb(buf, NULL); ok markus@djm@openbsd.org
OpenBSD-Commit-ID: 91482c1ada9adb283165d48dafbb88ae91c657bd
2019-12-14upstream: use ssh-sk-helper for all security key signing operationsdjm@openbsd.org
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-12-14upstream: add a note about the 'extensions' field in the signeddjm@openbsd.org
object OpenBSD-Commit-ID: 67c01e0565b258e0818c1ccfe1f1aeaf9a0d4c7b
2019-12-11upstream: some more corrections for documentation problems spotteddjm@openbsd.org
by Ron Frederick document certifiate private key format correct flags type for sk-ssh-ed25519@openssh.com keys OpenBSD-Commit-ID: fc4e9a1ed7f9f7f9dd83e2e2c59327912e933e74
2019-12-11upstream: loading security keys into ssh-agent used the extensiondjm@openbsd.org
constraint "sk-provider@openssh.com", not "sk@openssh.com"; spotted by Ron Frederick OpenBSD-Commit-ID: dbfba09edbe023abadd5f59c1492df9073b0e51d
2019-12-11upstream: add security key types to list of keys allowed to act asdjm@openbsd.org
CAs; spotted by Ron Frederick OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-12-11upstream: when acting as a CA and using a security key as the CAdjm@openbsd.org
key, remind the user to touch they key to authorise the signature. OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
2019-12-11upstream: chop some unnecessary and confusing verbiage from thedjm@openbsd.org
security key protocol description; feedback from Ron Frederick OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-12-11upstream: fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be setdjm@openbsd.org
when asking passphrases, only when confirming the use of a key (i.e. for ssh-agent keys added with "ssh-add -c keyfile") OpenBSD-Commit-ID: 6643c82960d9427d5972eb702c917b3b838ecf89
2019-12-11upstream: bring the __func__djm@openbsd.org
OpenBSD-Commit-ID: 71a3a45b0fe1b8f680ff95cf264aa81f7abbff67
2019-12-11upstream: tweak the Nd lines for a bit of consistency; ok markusjmc@openbsd.org
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11Check if memmem is declared in system headers.Darren Tucker
If the system (or one of the dependencies) implements memmem but does not define the header, we would not declare it either resulting in compiler warnings. Check for declaration explicitly. bz#3102.
2019-12-11Sort depends.Darren Tucker
2019-12-11Sort .depend when rebuilding.Darren Tucker
This makes diffs more stable between makedepend implementations.
2019-12-11Update depend to include sk files.Darren Tucker
2019-12-09Describe how to build libcrypto as PIC.Darren Tucker
While there, move the OpenSSL 1.1.0g caveat closer to the other version information.
2019-12-09Recommend running LibreSSL or OpenSSL self-tests.Darren Tucker
2019-12-06Wrap ECC specific bits in ifdef.Darren Tucker
Fixes tests when built against an OpenSSL configured with no-ec.
2019-11-29Wrap sha2.h include in ifdef.Darren Tucker
Fixes build --without-openssl on at least Fedora.
2019-11-29compile sk-dummy.so with no-PIE version of LDFLAGSDamien Miller
This lets it pick up the -L path to libcrypto for example.
2019-11-29includes.h for sk-dummy.c, dummyDamien Miller
2019-11-29(yet) another x-platform fix for sk-dummy.soDamien Miller
Check for -fPIC support from compiler Compile libopenbsd-compat -fPIC Don't mix -fPIE and -fPIC when compiling
2019-11-29needs includes.h for WITH_OPENSSLDamien Miller
2019-11-29another attempt at sk-dummy.so working x-platformDamien Miller
include a fatal() implementation to satisfy libopenbsd-compat clean up .lo and .so files .gitignore .lo and .so files
2019-11-29upstream: lots of dependencies go away here with ed25519 no longerdjm@openbsd.org
needing the ssh_digest API. OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
2019-11-29upstream: perform hashing directly in crypto_hash_sha512() usingdjm@openbsd.org
libcrypto or libc SHA512 functions rather than calling ssh_digest_memory(); avoids many dependencies on ssh code that complicate standalone use of ed25519, as we want to do in sk-dummy.so OpenBSD-Commit-ID: 5a3c37593d3ba7add037b587cec44aaea088496d
2019-11-29upstream: improve the text for -A a little; input from naddy andjmc@openbsd.org
djm OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-29upstream: reshuffle the text to read better; input from naddy,jmc@openbsd.org
djmc, and dtucker OpenBSD-Commit-ID: a0b2aca2b67614dda3d6618ea097bf0610c35013
2019-11-28$< doesn't work as` I thought; explicily list objsDamien Miller
2019-11-28upstream: tweak wordingdjm@openbsd.org
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-28missing .SUFFIXES line makes make sadDamien Miller
2019-11-28(hopefully) fix out of tree builds of sk-dummy.soDamien Miller
2019-11-28upstream: remove stray semicolon after closing brace of function;djm@openbsd.org
from Michael Forney OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
2019-11-28upstream: Revert previous commit. The channels code still uses intdtucker@openbsd.org
in many places for channel ids so the INT_MAX check still makes sense. OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
2019-11-27wire sk-dummy.so into test suiteDamien Miller
2019-11-27upstream: use error()+_exit() instead of fatal() to avoid runningdjm@openbsd.org
cleanup handlers in child process; spotted via weird regress failures in portable OpenBSD-Commit-ID: 6902a9bb3987c7d347774444f7979b8a9ba7f412
2019-11-27upstream: Make channel_id u_int32_t and remove unnecessary checkdtucker@openbsd.org
and cast that were left over from the type conversion. Noted by t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@ OpenBSD-Commit-ID: 3ad105b6a905284e780b1fd7ff118e1c346e90b5
2019-11-27upstream: test FIDO2/U2F key types; ok markus@djm@openbsd.org
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
2019-11-27upstream: add dummy security key middleware based on work bydjm@openbsd.org
markus@ This will allow us to test U2F/FIDO2 support in OpenSSH without requiring real hardware. ok markus@ OpenBSD-Regress-ID: 88b309464b8850c320cf7513f26d97ee1fdf9aae
2019-11-27upstream: tweak previous;jmc@openbsd.org
OpenBSD-Commit-ID: a4c097364c75da320f1b291568db830fb1ee4883
2019-11-27upstream: more debugging; behind DEBUG_SKdjm@openbsd.org
OpenBSD-Commit-ID: a978896227118557505999ddefc1f4c839818b60
2019-11-25unbreak fuzzers for recent security key changesDamien Miller
2019-11-25upstream: unbreak tests for recent security key changesdjm@openbsd.org
OpenBSD-Regress-ID: 2cdf2fcae9962ca4d711338f3ceec3c1391bdf95