summaryrefslogtreecommitdiff
path: root/sshkey.c
AgeCommit message (Collapse)Author
2019-06-28upstream: fix NULL deference (bzero) on errdjm@openbsd.org
=?UTF-8?q?or=20path=20added=20in=20last=20commit;=20spotted=20by=20Reynir?= =?UTF-8?q?=20Bj=C3=B6rnsson?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ok deraadt@ markus@ tb@ OpenBSD-Commit-ID: b11b084bcc551b2c630560eb08618dd501027bbd
2019-06-23upstream: fix mismatch proto/decl from key shielding change; spotteddjm@openbsd.org
via oss-fuzz OpenBSD-Commit-ID: 1ea0ba05ded2c5557507bd844cd446e5c8b5b3b7
2019-06-21upstream: Add protection for private keys at rest in RAM againstdjm@openbsd.org
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetic key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely. Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised. Hopefully we can remove this in a few years time when computer architecture has become less unsafe. been in snaps for a bit already; thanks deraadt@ ok dtucker@ deraadt@ OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-05-20upstream: When signing certificates with an RSA key, default todjm@openbsd.org
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@ OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-08upstream: Wrap XMSS including in ifdef. Patch from markus atdtucker@openbsd.org
blueflash.cc, ok djm OpenBSD-Commit-ID: e3b34fc35cf12d33bde91ac03633210a3bc0f8b5
2019-01-21upstream: Make sshpkt_get_bignum2() allocate the bignum it isdjm@openbsd.org
parsing rather than make the caller do it. Saves a lot of boilerplate code. from markus@ ok djm@ OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names fordjm@openbsd.org
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11supply callback to PEM_read_bio_PrivateKeyDamien Miller
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-09upstream: Treat all PEM_read_bio_PrivateKey() errors when a passphrasedjm@openbsd.org
is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-09-15Fix openssl-1.1 fallout for --without-openssl.Darren Tucker
ok djm@
2018-09-14upstream: garbage-collect moribund ssh_new_private() API.djm@openbsd.org
OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
2018-09-13adapt -portable to OpenSSL 1.1x APIDamien Miller
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org
OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-12upstream: add sshkey_check_cert_sigtype() that checks adjm@openbsd.org
cert->signature_type against a supplied whitelist; ok markus OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302
2018-09-12upstream: add cert->signature_type field and keep it in sync withdjm@openbsd.org
certificate signature wrt loading and certification operations; ok markus@ OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3
2018-07-03upstream: some finesse to fix RSA-SHA2 certificate authenticationdjm@openbsd.org
for certs hosted in ssh-agent OpenBSD-Commit-ID: e5fd5edd726137dda2d020e1cdebc464110a010f
2018-07-03upstream: Improve strictness and control over RSA-SHA2 signaturedjm@openbsd.org
In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@ OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde
2018-03-23upstream: ssh/xmss: fix deserialize for certs; ok djm@markus@openbsd.org
OpenBSD-Commit-ID: f44c41636c16ec83502039828beaf521c057dddc
2018-03-02upstream: refactor sshkey_read() to make it a little more, err,djm@openbsd.org
readable. ok markus OpenBSD-Commit-ID: 2e9247b5762fdac3b6335dc606d3822121714c28
2018-02-26upstream: Add experimental support for PQC XMSS keys (Extendedmarkus@openbsd.org
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok djm@ OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
2018-02-16upstream: Some obvious freezero() conversions.jsing@openbsd.org
This also zeros an ed25519_pk when it was not being zeroed previously. ok djm@ dtucker@ OpenBSD-Commit-ID: 5c196a3c85c23ac0bd9b11bcadaedd90b7a2ce82
2018-02-08upstream commitjsing@openbsd.org
Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@ OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2017-12-19upstream commitdjm@openbsd.org
pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19upstream commitdjm@openbsd.org
sshkey_sigtype() function to return the type of a signature; ok markus@ OpenBSD-Commit-ID: d3772b065ad6eed97285589bfb544befed9032e8
2017-10-20upstream commitdjm@openbsd.org
BIO_get_mem_data() is supposed to take a char* as pointer argument, so don't pass it a const char* Upstream-ID: 1ccd91eb7f4dd4f0fa812d4f956987cd00b5f6ec
2017-08-12upstream commitdjm@openbsd.org
Switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. The latter having the advantage of being supported for no-OpenSSL builds; bz#2754 ok markus@ Upstream-ID: 54179a2afd28f93470471030567ac40431e56909
2017-07-21upstream commitmarkus@openbsd.org
fix support for unknown key types; ok djm@ Upstream-ID: 53fb29394ed04d616d65b3748dee5aa06b07ab48
2017-07-21upstream commitdjm@openbsd.org
remove post-SSHv1 removal dead code from rsa.c and merge the remaining bit that it still used into ssh-rsa.c; ok markus Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-06-28upstream commitdjm@openbsd.org
Allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. bz#2377 ok markus Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-10upstream commitdjm@openbsd.org
better translate libcrypto errors by looking deeper in the accursed error stack for codes that indicate the wrong passphrase was supplied for a PEM key. bz#2699 ok dtucker@ Upstream-ID: 4da4286326d570f4f0489459bb71f6297e54b681
2017-06-01upstream commitderaadt@openbsd.org
Switch to recallocarray() for a few operations. Both growth and shrinkage are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-05-10upstream commitdjm@openbsd.org
make requesting bad ECDSA bits yield the same error (SSH_ERR_KEY_LENGTH) as the same mistake for RSA/DSA Upstream-ID: bf40d3fee567c271e33f05ef8e4e0fa0b6f0ece6
2017-05-08upstream commitdjm@openbsd.org
Refuse RSA keys <1024 bits in length. Improve reporting for keys that do not meet this requirement. ok markus@ Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
2017-05-01upstream commitdjm@openbsd.org
remove KEY_RSA1 ok markus@ Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01upstream commitdjm@openbsd.org
remove SSHv1 ciphers; ok markus@ Upstream-ID: e5ebc5e540d7f23a8c1266db1839794d4d177890
2017-05-01upstream commitdjm@openbsd.org
unifdef WITH_SSH1 ok markus@ Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
2017-03-29Remove compat code for OpenSSL < 0.9.7.Darren Tucker
Resyncs that code with OpenBSD upstream.
2017-03-10upstream commitdjm@openbsd.org
fix regression in 7.4 server-sig-algs, where we were accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno Goncalves; ok dtucker@ Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
2017-03-10upstream commitdtucker@openbsd.org
Check for NULL argument to sshkey_read. Patch from jjelen at redhat.com via bz#2687, ok djm@ Upstream-ID: c2d00c2ea50c4861d271d0a586f925cc64a87e0e
2017-02-17upstream commitdtucker@openbsd.org
ifdef out "rsa1" from the list of supported keytypes when compiled without SSH1 support. Found by kdunlop at guralp.com, ok djm@ Upstream-ID: cea93a26433d235bb1d64b1d990f19a9c160a70f
2017-02-12ifdef out EVP_R_PRIVATE_KEY_DECODE_ERRORDarren Tucker
EVP_R_PRIVATE_KEY_DECODE_ERROR was added in OpenSSL 1.0.0 so ifdef out for the benefit of OpenSSL versions prior to that.
2017-02-10upstream commitdjm@openbsd.org
bring back r1.34 that was backed out for problems loading public keys: translate OpenSSL error codes to something more meaninful; bz#2522 reported by Jakub Jelen, ok dtucker@ with additional fix from Jakub Jelen to solve the backout. bz#2525 bz#2523 re-ok dtucker@ Upstream-ID: a9d5bc0306f4473d9b4f4484f880e95f3c1cc031
2016-10-26upstream commitdtucker@openbsd.org
Remove dead breaks, found via opencoverage.net. ok deraadt@ Upstream-ID: ad9cc655829d67fad219762810770787ba913069
2016-10-06upstream commitdjm@openbsd.org
add a comment about implicitly-expected checks to sshkey_ec_validate_public() Upstream-ID: 74a7f71c28f7c13a50f89fc78e7863b9cd61713f
2016-09-29upstream commitdjm@openbsd.org
Avoid a theoretical signed integer overflow should BN_num_bytes() ever violate its manpage and return a negative value. Improve order of tests to avoid confusing increasingly pedantic compilers. Reported by Guido Vranken from stack (css.csail.mit.edu/stack) unstable optimisation analyser output. ok deraadt@ Upstream-ID: f8508c830c86d8f36c113985e52bf8eedae23505
2016-09-13upstream commitdjm@openbsd.org
list all supported signature algorithms in the server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly) Ron Frederick; ok markus@ Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
2016-09-12upstream commitderaadt@openbsd.org
Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker Upstream-ID: 712cafa816c9f012a61628b66b9fbd5687223fb8
2016-08-09upstream commitdjm@openbsd.org
small refactor of cipher.c: make ciphercontext opaque to callers feedback and ok markus@ Upstream-ID: 094849f8be68c3bdad2c0f3dee551ecf7be87f6f