Commit Graph

64 Commits

Author SHA1 Message Date
djm@openbsd.org 19af04e223 upstream: when loading PKCS#11 keys, include the key fingerprints
and provider/slot information in debug output.

OpenBSD-Commit-ID: 969a089575d0166a9a364a9901bb6a8d9b8a1431
2020-11-27 11:50:30 +11:00
djm@openbsd.org 816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org 4c60724405 upstream: fix compilation on !HAVE_DLOPEN platforms; stub function
was not updated to match API change. From Dale Rahn via beck@ ok markus@

OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836
2020-05-29 13:28:47 +10:00
djm@openbsd.org 1d89232a4a upstream: improve error messages for some common PKCS#11 C_Login
failure cases; based on patch from Jacob Hoffman-Andrews in bz3130; ok
dtucker

OpenBSD-Commit-ID: b8b849621b4a98e468942efd0a1c519c12ce089e
2020-03-14 19:39:30 +11:00
markus@openbsd.org 31c860a021 upstream: pkcs11_register_provider: return < 0 on error; ok djm
OpenBSD-Commit-ID: cfc8321315b787e4d40da4bdb2cbabd4154b0d97
2020-03-13 13:13:30 +11:00
djm@openbsd.org 89a8d4525e upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.

based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church

feedback and ok markus@

OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25 11:35:55 +11:00
djm@openbsd.org 084682786d upstream: revert unconditional forced login implemented in r1.41 of
ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
token returns no objects and this is less disruptive for users of tokens
directly in ssh (rather than via ssh-agent) and in ssh-keygen

bz3006, patch from Jakub Jelen; ok markus

OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
2019-10-01 20:24:07 +10:00
djm@openbsd.org 7d6034bd02 upstream: if a PKCS#11 token returns no keys then try to login and
refetch them. Based on patch from Jakub Jelen; bz#2430 ok markus@

OpenBSD-Commit-ID: ab53bd6ddd54dd09e54a8bfbed1a984496f08b43
2019-09-05 20:07:12 +10:00
djm@openbsd.org b52c0c2e64 upstream: downgrade PKCS#11 "provider returned no slots" warning
from log level error to debug. This is common when attempting to enumerate
keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@

OpenBSD-Commit-ID: bb8839ddeb77c271390488af1b771041d43e49c6
2019-09-02 10:32:43 +10:00
Darren Tucker 9634ffbf29 Add headers to prevent warnings w/out OpenSSL. 2019-07-23 22:26:20 +10:00
Darren Tucker 97370f6c2c Fix building w/out ECC.
Ifdef out ECC specific code so that that it'll build against an OpenSSL
configured w/out ECC.  With & ok djm@
2019-05-17 10:54:51 +10:00
Darren Tucker 5590f53f99 Whitespace resync w/OpenBSD.
Patch from markus at blueflash.cc via openssh-unix-dev.
2019-04-26 18:22:10 +10:00
markus@openbsd.org 2aee9a49f6 upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL
OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
2019-03-26 10:20:22 +11:00
djm@openbsd.org 7a7fdca78d upstream: fix NULL-deref crash in PKCS#11 code when attempting
login to a token requiring a PIN; reported by benno@ fix mostly by markus@

OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
2019-02-05 11:45:38 +11:00
djm@openbsd.org 41923ce06a upstream: Correct some bugs in PKCS#11 token PIN handling at
initial login, the attempt at reading the PIN could be skipped in some cases
especially on devices with integrated PIN readers.

based on patch from Daniel Kucera in bz#2652; ok markus@

OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
2019-01-22 23:04:54 +11:00
djm@openbsd.org 2162171ad5 upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
requring a fresh login after the C_SignInit operation.

based on patch from Jakub Jelen in bz#2638; ok markus

OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
2019-01-22 23:04:54 +11:00
Damien Miller 23490a6c97 fix previous test 2019-01-21 15:05:43 +11:00
Darren Tucker b6dd3277f2 Wrap ECC static globals in EC_KEY_METHOD_NEW too. 2019-01-21 13:50:17 +11:00
djm@openbsd.org 662be40c62 upstream: always print the caller's error message in ossl_error(),
even when there are no libcrypto errors to report.

OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
2019-01-21 13:07:04 +11:00
djm@openbsd.org ce46c3a077 upstream: get the ex_data (pkcs11_key object) back from the keys at
the index at which it was inserted, rather than assuming index 0

OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
2019-01-21 13:06:58 +11:00
Damien Miller 2efcf812b4 Fix -Wunused when compiling PKCS#11 without ECDSA 2019-01-21 11:57:21 +11:00
djm@openbsd.org 632976418d upstream: use ECDSA_SIG_set0() instead of poking signature values into
structure directly; the latter works on LibreSSL but not on OpenSSL. From
portable.

OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
2019-01-21 11:48:45 +11:00
Damien Miller 5de6ac2bad remove HAVE_DLOPEN that snuck in
portable doesn't use this
2019-01-21 11:45:16 +11:00
Damien Miller e2cb445d78 conditionalise ECDSA PKCS#11 support
Require EC_KEY_METHOD support in libcrypto, evidenced by presence
of EC_KEY_METHOD_new() function.
2019-01-21 11:32:28 +11:00
djm@openbsd.org fcb1b09371 upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
now, so there is no need to keep a copy of each in the pkcs11_key object.

work by markus@, ok djm@

OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
2019-01-21 10:57:03 +11:00
djm@openbsd.org 6529409e85 upstream: KNF previous; from markus@
OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
2019-01-21 10:57:03 +11:00
djm@openbsd.org 58622a8c82 upstream: use OpenSSL's RSA reference counting hooks to
implicitly clean up pkcs11_key objects when their owning RSA object's
reference count drops to zero. Simplifies the cleanup path and makes it more
like ECDSA's

work by markus@, ok djm@

OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
2019-01-21 10:57:03 +11:00
djm@openbsd.org f118542fc8 upstream: make the PKCS#11 RSA code more like the new PKCS#11
ECDSA code: use a single custom RSA_METHOD instead of a method per key

suggested by me, but markus@ did all the work.
ok djm@

OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
2019-01-21 10:54:37 +11:00
djm@openbsd.org 445cfce49d upstream: fix leak of ECDSA pkcs11_key objects
work by markus, ok djm@

OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
2019-01-21 10:54:37 +11:00
djm@openbsd.org 8a2467583f upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
EC_KEY internals as that won't work on OpenSSL

work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
2019-01-21 10:54:37 +11:00
djm@openbsd.org 24757c1ae3 upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
object should never have a DER header

work by markus; feedback and ok djm@

OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
2019-01-21 10:54:37 +11:00
djm@openbsd.org 749aef3032 upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
2019-01-21 10:54:37 +11:00
djm@openbsd.org 93f02107f4 upstream: add support for ECDSA keys in PKCS#11 tokens
Work by markus@ and Pedro Martelletto, feedback and ok me@

OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
2019-01-21 10:54:37 +11:00
Damien Miller 48f54b9d12 adapt -portable to OpenSSL 1.1x API
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13 12:13:50 +10:00
djm@openbsd.org 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x API in
OpenSSH; feedback and ok tb@ jsing@ markus@

OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-13 12:12:33 +10:00
jsing@openbsd.org 7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
deraadt@openbsd.org 9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00
markus@openbsd.org ff7371afd0 upstream commit
sshkey_new() might return NULL (pkcs#11 code only); ok
djm@

Upstream-ID: de9f2ad4a42c0b430caaa7d08dea7bac943075dd
2017-05-31 10:47:31 +10:00
djm@openbsd.org efb494e81d upstream commit
Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen

Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
2016-11-06 16:47:43 +11:00
djm@openbsd.org d2d772f55b upstream commit
avoid fatal() for PKCS11 tokens that present empty key IDs
 bz#1773, ok markus@

Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
2016-02-12 11:23:05 +11:00
djm@openbsd.org 63ebcd0005 upstream commit
don't ignore PKCS#11 hosted keys that return empty
 CKA_ID; patch by Jakub Jelen via bz#2429; ok markus

Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
2015-07-20 10:32:25 +10:00
djm@openbsd.org b15fd989c8 upstream commit
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
 in bz#2427 ok markus@

Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
2015-07-20 10:32:25 +10:00
djm@openbsd.org a71ba58adf upstream commit
support PKCS#11 devices with external PIN entry devices
 bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@

Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
2015-05-27 15:16:59 +10:00
deraadt@openbsd.org 657a5fbc0d upstream commit
rename xrealloc() to xreallocarray() since it follows
 that form. ok djm
2015-04-29 18:15:23 +10:00
deraadt@openbsd.org ce4f59b240 upstream commit
missing ; djm and mlarkin really having great
 interactions recently
2015-02-05 07:43:00 +11:00
djm@openbsd.org cb3bde373e upstream commit
handle PKCS#11 C_Login returning
 CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
2015-02-03 11:06:16 +11:00
djm@openbsd.org 1129dcfc5a upstream commit
sync ssh-keysign, ssh-keygen and some dependencies to the
 new buffer/key API; mostly mechanical, ok markus@
2015-01-15 21:39:14 +11:00
Damien Miller 8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller 686c7d9ee6 - djm@cvs.openbsd.org 2014/05/02 03:27:54
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
     [misc.h poly1305.h ssh-pkcs11.c defines.h]
     revert __bounded change; it causes way more problems for portable than
     it solves; pointed out by dtucker@
2014-05-15 14:37:03 +10:00
Damien Miller 4f40209aa4 - djm@cvs.openbsd.org 2014/03/26 04:55:35
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
     [misc.h poly1305.h ssh-pkcs11.c]
     use __bounded(...) attribute recently added to sys/cdefs.h instead of
     longform __attribute__(__bounded(...));

     for brevity and a warning free compilation with llvm/clang
2014-04-20 13:21:22 +10:00