summaryrefslogtreecommitdiff
path: root/key.c
Commit message (Collapse)AuthorAgeFilesLines
* upstream commitdjm@openbsd.org2017-12-191-16/+1
| | | | | | | | pass negotiated signing algorithm though to sshkey_verify() and check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@ OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
* upstream commitmarkus@openbsd.org2017-05-311-176/+1
| | | | | | remove unused wrapper functions from key.[ch]; ok djm@ Upstream-ID: ea0f4016666a6817fc11f439dd4be06bab69707e
* upstream commitdjm@openbsd.org2016-05-021-2/+2
| | | | | | | support SHA256 and SHA512 RSA signatures in certificates; ok markus@ Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
* upstream commitmarkus@openbsd.org2015-12-071-3/+3
| | | | | | | | implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@ Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
* upstream commitdjm@openbsd.org2015-07-151-3/+3
| | | | | | | delete support for legacy v00 certificates; "sure" markus@ dtucker@ Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
* upstream commitdjm@openbsd.org2015-01-291-18/+1
| | | | | update to new API (key_fingerprint => sshkey_fingerprint) check sshkey_fingerprint return values; ok markus
* upstream commitderaadt@openbsd.org2015-01-261-2/+2
| | | | | Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
* upstream commitdjm@openbsd.org2015-01-091-23/+2
| | | | | | | | | | | | | | | | deprecate key_load_private_pem() and sshkey_load_private_pem() interfaces. Refactor the generic key loading API to not require pathnames to be specified (they weren't really used). Fixes a few other things en passant: Makes ed25519 keys work for hostbased authentication (ssh-keysign previously used the PEM-only routines). Fixes key comment regression bz#2306: key pathnames were being lost as comment fields. ok markus@
* upstream commitdjm@openbsd.org2014-12-221-4/+3
| | | | | | | | Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
* upstream commitdjm@openbsd.org2014-12-051-15/+1
| | | | key_in_file() wrapper is no longer used
* - dtucker@cvs.openbsd.org 2014/07/22 01:18:50Darren Tucker2014-07-231-2/+5
| | | | | [key.c] Prevent spam from key_load_private_pem during hostbased auth. ok djm@
* - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.Darren Tucker2014-07-191-1/+1
|
* - djm@cvs.openbsd.org 2014/07/17 00:12:03Damien Miller2014-07-181-3/+5
| | | | | [key.c] silence "incorrect passphrase" error spam; reported and ok dtucker@
* - djm@cvs.openbsd.org 2014/07/09 03:02:15Damien Miller2014-07-091-6/+11
| | | | | | [key.c] downgrade more error() to debug() to better match what old authfile.c did; suppresses spurious errors with hostbased authentication enabled
* - djm@cvs.openbsd.org 2014/06/24 01:13:21Damien Miller2014-07-021-2514/+289
| | | | | | | | | | | | | | | | | | | | | | | [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
* - markus@cvs.openbsd.org 2014/04/29 18:01:49Damien Miller2014-05-151-23/+92
| | | | | | | | | | [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
* - djm@cvs.openbsd.org 2014/02/02 03:44:32Damien Miller2014-02-041-6/+6
| | | | | | | | | | | [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c] [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c] [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c] [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c] [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c] convert memset of potentially-private data to explicit_bzero()
* - djm@cvs.openbsd.org 2014/01/09 23:20:00Damien Miller2014-01-101-22/+20
| | | | | | | | | | | [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c] [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c] [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c] [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c] Introduce digest API and use it to perform all hashing operations rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
* - djm@cvs.openbsd.org 2013/12/29 04:20:04Damien Miller2013-12-291-7/+17
| | | | | | | [key.c] to make sure we don't omit any key types as valid CA keys again, factor the valid key type check into a key_type_is_valid_ca() function
* - djm@cvs.openbsd.org 2013/12/29 02:49:52Damien Miller2013-12-291-2/+2
| | | | | [key.c] correct comment for key_drop_cert()
* - djm@cvs.openbsd.org 2013/12/29 02:37:04Damien Miller2013-12-291-2/+2
| | | | | [key.c] correct comment for key_to_certified()
* - djm@cvs.openbsd.org 2013/12/29 02:28:10Damien Miller2013-12-291-2/+3
| | | | | [key.c] allow ed25519 keys to appear as certificate authorities
* - djm@cvs.openbsd.org 2013/12/07 00:19:15Damien Miller2013-12-071-1/+2
| | | | | [key.c] set k->cert = NULL after freeing it
* - markus@cvs.openbsd.org 2013/12/06 13:39:49Damien Miller2013-12-071-24/+169
| | | | | | | | | | | | [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c] [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c] [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c] [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c] [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c] support ed25519 keys (hostkeys and user identities) using the public domain ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
* - markus@cvs.openbsd.org 2013/12/06 13:34:54Damien Miller2013-12-071-1/+2
| | | | | | | [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c] [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by default; details in PROTOCOL.key; feedback and lots help from djm; ok djm@
* - markus@cvs.openbsd.org 2013/12/06 13:30:08Damien Miller2013-12-071-1/+192
| | | | | [authfd.c key.c key.h ssh-agent.c] move private key (de)serialization to key.c; ok djm
* - djm@cvs.openbsd.org 2013/12/02 03:09:22Damien Miller2013-12-051-1/+5
| | | | | | [key.c] make key_to_blob() return a NULL blob on failure; part of bz#2175 from Loganaden Velvindron @ AfriNIC
* - (dtucker) [key.c] Check for the correct defines for NID_secp521r1.Darren Tucker2013-11-101-2/+2
|
* - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence ofDarren Tucker2013-11-091-0/+14
| | | | | | NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the latter actually works before using it. Fedora (at least) has NID_secp521r1 that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
* - djm@cvs.openbsd.org 2013/10/29 09:42:11Damien Miller2013-10-301-16/+29
| | | | | | [key.c key.h] fix potential stack exhaustion caused by nested certificates; report by Mateusz Kocielski; ok dtucker@ markus@
* - djm@cvs.openbsd.org 2013/05/19 02:42:42Darren Tucker2013-06-021-2/+2
| | | | | | | | | | | [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h] Standardise logging of supplemental information during userauth. Keys and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
* - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker2013-06-021-33/+24
| | | | | | | | | | | | | | | | | | [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
* - djm@cvs.openbsd.org 2013/05/10 04:08:01Darren Tucker2013-05-161-1/+2
| | | | | | [key.c] memleak in cert_free(), wasn't actually freeing the struct; bz#2096 from shm AT digitalsun.pl
* - djm@cvs.openbsd.org 2013/04/19 01:06:50Damien Miller2013-04-231-129/+101
| | | | | | | | [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c] [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c] add the ability to query supported ciphers, MACs, key type and KEX algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
* - djm@cvs.openbsd.org 2013/01/17 23:00:01Damien Miller2013-01-181-15/+25
| | | | | | | | | | [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
* - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't haveDarren Tucker2012-06-301-0/+2
| | | | the required functions in libcrypto.
* - djm@cvs.openbsd.org 2012/05/23 03:28:28Damien Miller2012-06-201-1/+4
| | | | | | [dns.c dns.h key.c key.h ssh-keygen.c] add support for RFC6594 SSHFP DNS records for ECDSA key types. patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
* - djm@cvs.openbsd.org 2011/10/18 04:58:26Damien Miller2011-10-181-6/+1
| | | | | | [auth-options.c key.c] remove explict search for \0 in packet strings, this job is now done implicitly by buffer_get_cstring; ok markus
* - djm@cvs.openbsd.org 2011/05/17 07:13:31Damien Miller2011-05-201-1/+4
| | | | | | [key.c] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :)
* - djm@cvs.openbsd.org 2011/02/04 00:44:21Damien Miller2011-02-041-4/+3
| | | | | [key.c] fix uninitialised nonce variable; reported by Mateusz Kocielski
* - djm@cvs.openbsd.org 2010/11/10 01:33:07Damien Miller2010-11-201-9/+17
| | | | | | [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c] use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED. these have been around for years by this time. ok markus
* - djm@cvs.openbsd.org 2010/10/28 11:22:09Damien Miller2010-11-051-9/+22
| | | | | | | | | | [authfile.c key.c key.h ssh-keygen.c] fix a possible NULL deref on loading a corrupt ECDH key store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
* - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefsDarren Tucker2010-09-101-2/+8
| | | | for missing headers and compiler warnings.
* - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]Damien Miller2010-09-101-3/+64
| | | | | | [kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c] [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on platforms that don't have the requisite OpenSSL support. ok dtucker@
* - djm@cvs.openbsd.org 2010/09/09 10:45:45Damien Miller2010-09-101-12/+35
| | | | | | | | | | | | | | | [kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c] ECDH/ECDSA compliance fix: these methods vary the hash function they use (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@
* - djm@cvs.openbsd.org 2010/08/31 11:54:45Damien Miller2010-08-311-15/+526
| | | | | | | | | | | | | | | | | | | | | | | | | [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c] [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c] [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c] [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c] [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h] [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5] [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c] Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* - djm@cvs.openbsd.org 2010/08/31 09:58:37Damien Miller2010-08-311-9/+4
| | | | | | | | | | | | | | | | [auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c] [packet.h ssh-dss.c ssh-rsa.c] Add buffer_get_cstring() and related functions that verify that the string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
* - djm@cvs.openbsd.org 2010/07/13 23:13:16Damien Miller2010-07-161-2/+2
| | | | | | [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c] [ssh-rsa.c] s/timing_safe_cmp/timingsafe_bcmp/g
* - djm@cvs.openbsd.org 2010/07/13 11:52:06Damien Miller2010-07-161-2/+3
| | | | | | | | | [auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c] [packet.c ssh-rsa.c] implement a timing_safe_cmp() function to compare memory without leaking timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
* - djm@cvs.openbsd.org 2010/05/07 11:30:30Damien Miller2010-05-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c] [key.c servconf.c servconf.h sshd.8 sshd_config.5] add some optional indirection to matching of principal names listed in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@