path: root/sshkey.c
AgeCommit message (Collapse)Author
2020-08-27upstream: support for user-verified FIDO
FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
2020-06-26upstream: only call sshkey_xmss_init() once for KEY_XMSS_CERT;
djm OpenBSD-Commit-ID: d0002ffb7f20f538b014d1d0735facd5a81ff096
2020-06-22upstream: Add support for FIDO webauthn (verification only)
webauthn is a standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these. Feedback and ok markus@ OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
2020-04-11upstream: Refactor private key parsing. Eliminates a fair bit
duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key type check in the ECDSA_CERT parsing path. feedback and ok markus@ OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9
2020-04-08upstream: add sshkey_parse_pubkey_from_private_fileblob_type()
Extracts a public key from the unencrypted envelope of a new-style OpenSSH private key. ok markus@ OpenBSD-Commit-ID: 44d7ab446e5e8c686aee96d5897b26b3939939aa
2020-04-08upstream: simplify sshkey_parse_private_fileblob_type()
Try new format parser for all key types first, fall back to PEM parser only for invalid format errors. ok markus@ OpenBSD-Commit-ID: 0173bbb3a5cface77b0679d4dca0e15eb5600b77
2020-04-08upstream: check private key type against requested key type
new-style private decoding; ok markus@ OpenBSD-Commit-ID: 04d44b3a34ce12ce5187fb6f6e441a88c8c51662
2020-04-08upstream: check that pubkey in private key envelope matches
private key (this public key is currently unusued) ok markus@ OpenBSD-Commit-ID: 634a60b5e135d75f48249ccdf042f3555112049c
2020-04-08upstream: refactor private key parsing a
Split out the base64 decoding and private section decryption steps in to separate functions. This will make the decryption step easier to fuzz as well as making it easier to write a "load public key from new-format private key" function. ok markus@ OpenBSD-Commit-ID: 7de31d80fb9062aa01901ddf040c286b64ff904e
2020-03-13upstream: sshkey_cert_check_authority requires reason to be set;
ok djm OpenBSD-Commit-ID: 6f7a6f19540ed5749763c2f9530c0897c94aa552
2020-03-13upstream: passphrase depends on kdfname, not ciphername (
null-deref); ok djm OpenBSD-Commit-ID: 0d39668edf5e790b5837df4926ee1141cec5471c
2020-02-28upstream: change explicit_bzero();free() to freezero()
While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry. ok deraadt@ djm@ OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a
2020-01-21upstream: fix ssh-keygen not displaying authenticator
prompt; reported by jmc@ OpenBSD-Commit-ID: 04d4f582fc194eb3897ebcbfe286c49958ba2859
2019-12-30upstream: SK API and sk-helper error/PIN
Allow passing a PIN via the SK API (API major crank) and let the ssh-sk-helper API follow. Also enhance the ssh-sk-helper API to support passing back an error code instead of a complete reply. Will be used to signal "wrong PIN", etc. feedback and ok markus@ OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71
2019-12-14remove a bunch of ENABLE_SK #ifdefsDamien Miller
The ssh-sk-helper client API gives us a nice place to disable security key support when it is wasn't enabled at compile time, so we don't need to check everywere. Also, verification of security key signatures can remain enabled all the time - it has no additional dependencies. So sshd can accept security key pubkeys in authorized_keys, etc regardless of the host's support for dlopen, etc.
2019-12-14upstream: use ssh-sk-helper for all security key signing
This extracts and refactors the client interface for ssh-sk-helper from ssh-agent and generalises it for use by the other programs. This means that most OpenSSH tools no longer need to link against libfido2 or directly interact with /dev/uhid* requested by, feedback and ok markus@ OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f
2019-11-25upstream: Add new structure for signature
This is populated during signature verification with additional fields that are present in and covered by the signature. At the moment, it is only used to record security key-specific options, especially the flags field. with and ok markus@ OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-18upstream: fix a bug that prevented serialisation of ed25519-sk
OpenBSD-Commit-ID: 066682b79333159cac04fcbe03ebd9c8dcc152a9
2019-11-18upstream: fix bug that prevented certification of ed25519-sk
OpenBSD-Commit-ID: 64c8cc6f5de2cdd0ee3a81c3a9dee8d862645996
2019-11-18Move ifdef OPENSSL_HAS_ECC.Darren Tucker
Found by -Wimplicit-fallthrough: one ECC case was not inside the ifdef. ok djm@
2019-11-17upstream: remove most uses of
We weren't following the rules re BN_CTX_start/BN_CTX_end and the places we were using it didn't benefit from its use anyway. ok dtucker@ OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a
2019-11-15upstream: in order to be able to figure out the number
signatures left on a shielded key, we need to transfer the number of signatures left from the private to the public key. ok djm@ OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574
2019-11-15upstream: fix shield/unshield for xmss keys: - in ssh-agent we
to delay the call to shield until we have received key specific options. - when serializing xmss keys for shield we need to deal with all optional components (e.g. state might not be loaded). ok djm@ OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f
2019-11-14Put sshsk_sign call inside ifdef ENABLE_SK.Darren Tucker
Fixes build against OpenSSL configured without ECC.
2019-11-13upstream: enable ed25519 support; ok
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
2019-11-13upstream: implement sshsk_ed25519_inner_sig(); ok
OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910
2019-11-13upstream: rename sshsk_ecdsa_sign() to sshsk_sign(); ok
OpenBSD-Commit-ID: 1524042e09d81e54c4470d7bfcc0194c5b46fe19
2019-11-13upstream: implement ssh-ed25519-sk verification; ok
OpenBSD-Commit-ID: 37906d93948a1e3d237c20e713d6ca8fbf7d13f6
2019-11-01conditionalise SK sign/verify on ENABLE_SKDamien Miller
Spotted by Darren and his faux-Vax
2019-11-01upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
2019-11-01upstream: Initial infrastructure for U2F/FIDO
Key library support: including allocation, marshalling public/private keys and certificates, signature validation. feedback & ok markus@ OpenBSD-Commit-ID: a17615ba15e0f7932ac4360cb18fc9a9544e68c7
2019-10-09upstream: fix an unreachable integer overflow similar to the
case, and some other NULL dereferences found by fuzzing. fix with and ok markus@ OpenBSD-Commit-ID: 0f81adbb95ef887ce586953e1cb225fa45c7a47b
2019-09-08needs time.h for --without-opensslDamien Miller
2019-09-06upstream: fixes for !WITH_OPENSSL compilation; ok
OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
2019-09-03upstream: make get_sigtype public as sshkey_get_sigtype();
markus@ OpenBSD-Commit-ID: 01f8cdbec63350490d2249f41112c5780d1cfbb8
2019-07-16upstream: remove mostly vestigal uuencode.[ch]; moving the only
functionality there (wrapping of base64-encoded data) to sshbuf functions; feedback and ok markus@ OpenBSD-Commit-ID: 4dba6735d88c57232f6fccec8a08bdcfea44ac4c
2019-07-15upstream: support PKCS8 as an optional format for storage
private keys, enabled via "ssh-keygen -m PKCS8" on operations that save private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less terrible KDF (IIRC PEM uses a single round of MD5 as a KDF). adapted from patch by Jakub Jelen via bz3013; ok markus OpenBSD-Commit-ID: 027824e3bc0b1c243dc5188504526d73a55accb1
2019-07-08upstream: Remove some set but never used variables. ok
OpenBSD-Commit-ID: 824baf9c59afc66a4637017e397b9b74a41684e7
2019-06-28upstream: fix NULL deference (bzero) on
=?UTF-8?q?or=20path=20added=20in=20last=20commit;=20spotted=20by=20Reynir?= =?UTF-8?q?=20Bj=C3=B6rnsson?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ok deraadt@ markus@ tb@ OpenBSD-Commit-ID: b11b084bcc551b2c630560eb08618dd501027bbd
2019-06-23upstream: fix mismatch proto/decl from key shielding change;
via oss-fuzz OpenBSD-Commit-ID: 1ea0ba05ded2c5557507bd844cd446e5c8b5b3b7
2019-06-21upstream: Add protection for private keys at rest in RAM
speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetic key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely. Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised. Hopefully we can remove this in a few years time when computer architecture has become less unsafe. been in snaps for a bit already; thanks deraadt@ ok dtucker@ deraadt@ OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4
2019-05-20upstream: When signing certificates with an RSA key, default
using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH < 7.2 unless the default is overridden. Document the ability of the ssh-keygen -t flag to override the signature algorithm when signing certificates, and the new default. ok deraadt@ OpenBSD-Commit-ID: 400c9c15013978204c2cb80f294b03ae4cfc8b95
2019-05-08upstream: Wrap XMSS including in ifdef. Patch from markus, ok djm OpenBSD-Commit-ID: e3b34fc35cf12d33bde91ac03633210a3bc0f8b5
2019-01-21upstream: Make sshpkt_get_bignum2() allocate the bignum it
parsing rather than make the caller do it. Saves a lot of boilerplate code. from markus@ ok djm@ OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2018-10-11some more duplicated key algorithm linesDamien Miller
From Adam Eijdenberg
2018-10-11fix duplicated algorithm specification linesDamien Miller
Spotted by Adam Eijdenberg
2018-10-11upstream: typo in plain RSA algorithm counterpart names
certificates; spotted by Adam Eijdenberg; ok dtucker@ OpenBSD-Commit-ID: bfcdeb6f4fc9e7607f5096574c8f118f2e709e00
2018-10-11supply callback to PEM_read_bio_PrivateKeyDamien Miller
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
2018-10-09upstream: Treat all PEM_read_bio_PrivateKey() errors when a
is specified as "incorrect passphrase" instead of trying to choose between that and "invalid format". libcrypto can return ASN1 parsing errors rather than the expected decrypt error in certain infrequent cases when trying to decrypt/parse PEM private keys when supplied with an invalid passphrase. Report and repro recipe from Thomas Deutschmann in bz#2901 ok markus@ OpenBSD-Commit-ID: b1d4cd92395f9743f81c0d23aab2524109580870
2018-09-15Fix openssl-1.1 fallout for --without-openssl.Darren Tucker
ok djm@