path: root/ssh-pkcs11.c
Commit message | Author | Age | Files | Lines
* upstream: improve error messages for some common PKCS#11 C_Login | djm@openbsd.org | 2020-03-14 | 1 | -4/+19
  failure cases; based on patch from Jacob Hoffman-Andrews in bz3130; ok dtucker
  OpenBSD-Commit-ID: b8b849621b4a98e468942efd0a1c519c12ce089e
* upstream: pkcs11_register_provider: return < 0 on error; ok djm | markus@openbsd.org | 2020-03-13 | 1 | -1/+3
  OpenBSD-Commit-ID: cfc8321315b787e4d40da4bdb2cbabd4154b0d97
* upstream: expose PKCS#11 key labels/X.509 subjects as comments | djm@openbsd.org | 2020-01-25 | 1 | -53/+89
  Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment.
  based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church
  feedback and ok markus@
  OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
* upstream: revert unconditional forced login implemented in r1.41 of | djm@openbsd.org | 2019-10-01 | 1 | -26/+5
  ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the token returns no objects and this is less disruptive for users of tokens directly in ssh (rather than via ssh-agent) and in ssh-keygen
  bz3006, patch from Jakub Jelen; ok markus
  OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
* upstream: if a PKCS#11 token returns no keys then try to login and | djm@openbsd.org | 2019-09-05 | 1 | -11/+33
  refetch them. Based on patch from Jakub Jelen; bz#2430 ok markus@
  OpenBSD-Commit-ID: ab53bd6ddd54dd09e54a8bfbed1a984496f08b43
* upstream: downgrade PKCS#11 "provider returned no slots" warning | djm@openbsd.org | 2019-09-02 | 1 | -2/+2
  from log level error to debug. This is common when attempting to enumerate keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@
  OpenBSD-Commit-ID: bb8839ddeb77c271390488af1b771041d43e49c6
* Add headers to prevent warnings w/out OpenSSL. | Darren Tucker | 2019-07-23 | 1 | -0/+8
* Fix building w/out ECC. | Darren Tucker | 2019-05-17 | 1 | -0/+4
  Ifdef out ECC specific code so that it'll build against an OpenSSL configured w/out ECC. With & ok djm@
* Whitespace resync w/OpenBSD. | Darren Tucker | 2019-04-26 | 1 | -9/+9
  Patch from markus at blueflash.cc via openssh-unix-dev.
* upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL | markus@openbsd.org | 2019-03-26 | 1 | -1/+3
  OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
* upstream: fix NULL-deref crash in PKCS#11 code when attempting | djm@openbsd.org | 2019-02-05 | 1 | -2/+17
  login to a token requiring a PIN; reported by benno@ fix mostly by markus@
  OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
* upstream: Correct some bugs in PKCS#11 token PIN handling at | djm@openbsd.org | 2019-01-22 | 1 | -12/+22
  initial login, the attempt at reading the PIN could be skipped in some cases especially on devices with integrated PIN readers.
  based on patch from Daniel Kucera in bz#2652; ok markus@
  OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
* upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by | djm@openbsd.org | 2019-01-22 | 1 | -26/+95
  requiring a fresh login after the C_SignInit operation.
  based on patch from Jakub Jelen in bz#2638; ok markus
  OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
* fix previous test | Damien Miller | 2019-01-21 | 1 | -1/+1
* Wrap ECC static globals in EC_KEY_METHOD_NEW too. | Darren Tucker | 2019-01-21 | 1 | -0/+2
* upstream: always print the caller's error message in ossl_error(), | djm@openbsd.org | 2019-01-21 | 1 | -2/+3
  even when there are no libcrypto errors to report.
  OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
* upstream: get the ex_data (pkcs11_key object) back from the keys at | djm@openbsd.org | 2019-01-21 | 1 | -9/+8
  the index at which it was inserted, rather than assuming index 0
  OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
* Fix -Wunused when compiling PKCS#11 without ECDSA | Damien Miller | 2019-01-21 | 1 | -0/+2
* upstream: use ECDSA_SIG_set0() instead of poking signature values into | djm@openbsd.org | 2019-01-21 | 1 | -3/+14
  structure directly; the latter works on LibreSSL but not on OpenSSL. From portable.
  OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
* remove HAVE_DLOPEN that snuck in | Damien Miller | 2019-01-21 | 1 | -4/+2
  portable doesn't use this
* conditionalise ECDSA PKCS#11 support | Damien Miller | 2019-01-21 | 1 | -0/+10
  Require EC_KEY_METHOD support in libcrypto, evidenced by presence of EC_KEY_METHOD_new() function.
* upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD | djm@openbsd.org | 2019-01-21 | 1 | -7/+3
  now, so there is no need to keep a copy of each in the pkcs11_key object.
  work by markus@, ok djm@
  OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
* upstream: KNF previous; from markus@ | djm@openbsd.org | 2019-01-21 | 1 | -6/+6
  OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
* upstream: use OpenSSL's RSA reference counting hooks to | djm@openbsd.org | 2019-01-21 | 1 | -35/+21
  implicitly clean up pkcs11_key objects when their owning RSA object's reference count drops to zero. Simplifies the cleanup path and makes it more like ECDSA's
  work by markus@, ok djm@
  OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
* upstream: make the PKCS#11 RSA code more like the new PKCS#11 | djm@openbsd.org | 2019-01-21 | 1 | -16/+29
  ECDSA code: use a single custom RSA_METHOD instead of a method per key
  suggested by me, but markus@ did all the work. ok djm@
  OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
* upstream: fix leak of ECDSA pkcs11_key objects | djm@openbsd.org | 2019-01-21 | 1 | -2/+21
  work by markus, ok djm@
  OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
* upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of | djm@openbsd.org | 2019-01-21 | 1 | -4/+3
  EC_KEY internals as that won't work on OpenSSL
  work by markus@, feedback and ok djm@
  OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
* upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned | djm@openbsd.org | 2019-01-21 | 1 | -10/+14
  object should never have a DER header
  work by markus; feedback and ok djm@
  OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
* upstream: cleanup unnecessary code in ECDSA pkcs#11 signature | djm@openbsd.org | 2019-01-21 | 1 | -25/+16
  work by markus@, feedback and ok djm@
  OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
* upstream: add support for ECDSA keys in PKCS#11 tokens | djm@openbsd.org | 2019-01-21 | 1 | -213/+1161
  Work by markus@ and Pedro Martelletto, feedback and ok me@
  OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
* adapt -portable to OpenSSL 1.1x API | Damien Miller | 2018-09-13 | 1 | -0/+1
  Polyfill missing API with replacement functions extracted from LibreSSL
* upstream: hold our collective noses and use the openssl-1.1.x API in | djm@openbsd.org | 2018-09-13 | 1 | -15/+40
  OpenSSH; feedback and ok tb@ jsing@ markus@
  OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
* upstream commit | jsing@openbsd.org | 2018-02-08 | 1 | -3/+2
  Remove all guards for calls to OpenSSL free functions - all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.
  Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github.
  ok deraadt@ dtucker@
  OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
* upstream commit | deraadt@openbsd.org | 2017-06-01 | 1 | -3/+3
  Switch to recallocarray() for a few operations. Both growth and shrinkage are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus
  Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
* upstream commit | markus@openbsd.org | 2017-05-31 | 1 | -2/+3
  sshkey_new() might return NULL (pkcs#11 code only); ok djm@
  Upstream-ID: de9f2ad4a42c0b430caaa7d08dea7bac943075dd
* upstream commit | djm@openbsd.org | 2016-11-06 | 1 | -15/+26
  Improve pkcs11_add_provider() logging: demote some excessively verbose error()s to debug()s, include PKCS#11 provider name and slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
  Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
* upstream commit | djm@openbsd.org | 2016-02-12 | 1 | -3/+5
  avoid fatal() for PKCS11 tokens that present empty key IDs bz#1773, ok markus@
  Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
* upstream commit | djm@openbsd.org | 2015-07-20 | 1 | -6/+14
  don't ignore PKCS#11 hosted keys that return empty CKA_ID; patch by Jakub Jelen via bz#2429; ok markus
  Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
* upstream commit | djm@openbsd.org | 2015-07-20 | 1 | -1/+6
  skip uninitialised PKCS#11 slots; patch from Jakub Jelen in bz#2427 ok markus@
  Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
* upstream commit | djm@openbsd.org | 2015-05-27 | 1 | -12/+20
  support PKCS#11 devices with external PIN entry devices bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
  Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
* upstream commit | deraadt@openbsd.org | 2015-04-29 | 1 | -2/+2
  rename xrealloc() to xreallocarray() since it follows that form. ok djm
* upstream commit | deraadt@openbsd.org | 2015-02-05 | 1 | -2/+2
  missing ; djm and mlarkin really having great interactions recently
* upstream commit | djm@openbsd.org | 2015-02-03 | 1 | -5/+7
  handle PKCS#11 C_Login returning CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
* upstream commit | djm@openbsd.org | 2015-01-15 | 1 | -12/+12
  sync ssh-keysign, ssh-keygen and some dependencies to the new buffer/key API; mostly mechanical, ok markus@
* - djm@cvs.openbsd.org 2014/06/24 01:13:21 | Damien Miller | 2014-07-02 | 1 | -2/+2
  [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
  [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
  [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
  [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
  [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
  [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
  [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
  [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
  [sshconnect2.c sshd.c sshkey.c sshkey.h
  [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
  New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers.
  with and ok markus@
  Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
  NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
* - djm@cvs.openbsd.org 2014/05/02 03:27:54 | Damien Miller | 2014-05-15 | 1 | -2/+2
  [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
  [misc.h poly1305.h ssh-pkcs11.c defines.h]
  revert __bounded change; it causes way more problems for portable than it solves; pointed out by dtucker@
* - djm@cvs.openbsd.org 2014/03/26 04:55:35 | Damien Miller | 2014-04-20 | 1 | -2/+2
  [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
  [misc.h poly1305.h ssh-pkcs11.c]
  use __bounded(...) attribute recently added to sys/cdefs.h instead of longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clang
* - markus@cvs.openbsd.org 2013/11/13 13:48:20 | Damien Miller | 2013-11-21 | 1 | -2/+2
  [ssh-pkcs11.c]
  add missing braces found by pedro
* - djm@cvs.openbsd.org 2013/11/06 23:05:59 | Damien Miller | 2013-11-07 | 1 | -1/+1
  [ssh-pkcs11.c]
  from portable: s/true/true_val/ to avoid name collisions on dump platforms
  RCSID sync only
* - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) | Damien Miller | 2013-11-07 | 1 | -4/+9
  that got lost in recent merge.