Commit Graph

119 Commits

Author SHA1 Message Date
Damien Miller
83f2fe26cb - djm@cvs.openbsd.org 2013/12/29 02:28:10
[key.c]
     allow ed25519 keys to appear as certificate authorities
2013-12-29 17:48:38 +11:00
Damien Miller
ca570a519c - djm@cvs.openbsd.org 2013/12/07 00:19:15
[key.c]
     set k->cert = NULL after freeing it
2013-12-07 11:29:09 +11:00
Damien Miller
5be9d9e3cb - markus@cvs.openbsd.org 2013/12/06 13:39:49
[authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
     support ed25519 keys (hostkeys and user identities) using the public
     domain ed25519 reference code from SUPERCOP, see
     http://ed25519.cr.yp.to/software.html
     feedback, help & ok djm@
2013-12-07 11:24:01 +11:00
Damien Miller
bcd00abd84 - markus@cvs.openbsd.org 2013/12/06 13:34:54
[authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
     [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
     default; details in PROTOCOL.key; feedback and lots help from djm;
     ok djm@
2013-12-07 10:41:55 +11:00
Damien Miller
f0e9060d23 - markus@cvs.openbsd.org 2013/12/06 13:30:08
[authfd.c key.c key.h ssh-agent.c]
     move private key (de)serialization to key.c; ok djm
2013-12-07 10:40:26 +11:00
Damien Miller
f7e8a8796d - djm@cvs.openbsd.org 2013/12/02 03:09:22
[key.c]
     make key_to_blob() return a NULL blob on failure; part of
     bz#2175 from Loganaden Velvindron @ AfriNIC
2013-12-05 10:25:51 +11:00
Darren Tucker
2c89430119 - (dtucker) [key.c] Check for the correct defines for NID_secp521r1. 2013-11-10 12:38:42 +11:00
Darren Tucker
37bcef51b3 - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
   latter actually works before using it.  Fedora (at least) has NID_secp521r1
   that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
2013-11-09 18:39:25 +11:00
Damien Miller
4a3a9d4bbf - djm@cvs.openbsd.org 2013/10/29 09:42:11
[key.c key.h]
     fix potential stack exhaustion caused by nested certificates;
     report by Mateusz Kocielski; ok dtucker@ markus@
2013-10-30 22:19:47 +11:00
Darren Tucker
0acca3797d - djm@cvs.openbsd.org 2013/05/19 02:42:42
[auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
     Standardise logging of supplemental information during userauth. Keys
     and ruser is now logged in the auth success/failure message alongside
     the local username, remote host/port and protocol in use. Certificates
     contents and CA are logged too.
     Pushing all logging onto a single line simplifies log analysis as it is
     no longer necessary to relate information scattered across multiple log
     entries. "I like it" markus@
2013-06-02 07:41:51 +10:00
Darren Tucker
a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Darren Tucker
caf0010934 - djm@cvs.openbsd.org 2013/05/10 04:08:01
[key.c]
     memleak in cert_free(), wasn't actually freeing the struct;
     bz#2096 from shm AT digitalsun.pl
2013-05-16 20:26:18 +10:00
Damien Miller
ea11119eee - djm@cvs.openbsd.org 2013/04/19 01:06:50
[authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
     add the ability to query supported ciphers, MACs, key type and KEX
     algorithms to ssh. Includes some refactoring of KEX and key type handling
     to be table-driven; ok markus@
2013-04-23 19:24:32 +10:00
Damien Miller
f3747bf401 - djm@cvs.openbsd.org 2013/01/17 23:00:01
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
     [krl.c krl.h PROTOCOL.krl]
     add support for Key Revocation Lists (KRLs). These are a compact way to
     represent lists of revoked keys and certificates, taking as little as
     a single bit of incremental cost to revoke a certificate by serial number.
     KRLs are loaded via the existing RevokedKeys sshd_config option.
     feedback and ok markus@
2013-01-18 11:44:04 +11:00
Darren Tucker
14a9d2515b - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
the required functions in libcrypto.
2012-06-30 20:05:02 +10:00
Damien Miller
3bde12aeef - djm@cvs.openbsd.org 2012/05/23 03:28:28
[dns.c dns.h key.c key.h ssh-keygen.c]
     add support for RFC6594 SSHFP DNS records for ECDSA key types.
     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
2012-06-20 21:51:11 +10:00
Damien Miller
c51a5ab2c6 - djm@cvs.openbsd.org 2011/10/18 04:58:26
[auth-options.c key.c]
     remove explict search for \0 in packet strings, this job is now done
     implicitly by buffer_get_cstring; ok markus
2011-10-18 16:06:14 +11:00
Damien Miller
8f639fe722 - djm@cvs.openbsd.org 2011/05/17 07:13:31
[key.c]
     fatal() if asked to generate a legacy ECDSA cert (these don't exist)
     and fix the regress test that was trying to generate them :)
2011-05-20 19:03:08 +10:00
Damien Miller
0a5f0129a3 - djm@cvs.openbsd.org 2011/02/04 00:44:21
[key.c]
     fix uninitialised nonce variable; reported by Mateusz Kocielski
2011-02-04 11:47:01 +11:00
Damien Miller
4499f4cc20 - djm@cvs.openbsd.org 2010/11/10 01:33:07
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c moduli.c]
     use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED.
     these have been around for years by this time. ok markus
2010-11-20 15:15:49 +11:00
Damien Miller
b472a90d4c - djm@cvs.openbsd.org 2010/10/28 11:22:09
[authfile.c key.c key.h ssh-keygen.c]
     fix a possible NULL deref on loading a corrupt ECDH key

     store ECDH group information in private keys files as "named groups"
     rather than as a set of explicit group parameters (by setting
     the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and
     retrieves the group's OpenSSL NID that we need for various things.
2010-11-05 10:19:49 +11:00
Darren Tucker
8ccb7392e7 - (dtucker) [kex.h key.c packet.h ssh-agent.c ssh.c] A few more ECC ifdefs
for missing headers and compiler warnings.
2010-09-10 12:28:24 +10:00
Damien Miller
6af914a15c - (djm) [authfd.c authfile.c bufec.c buffer.h configure.ac kex.h kexecdh.c]
[kexecdhc.c kexecdhs.c key.c key.h myproposal.h packet.c readconf.c]
   [ssh-agent.c ssh-ecdsa.c ssh-keygen.c ssh.c] Disable ECDH and ECDSA on
   platforms that don't have the requisite OpenSSL support. ok dtucker@
2010-09-10 11:39:26 +10:00
Damien Miller
041ab7c1e7 - djm@cvs.openbsd.org 2010/09/09 10:45:45
[kex.c kex.h kexecdh.c key.c key.h monitor.c ssh-ecdsa.c]
     ECDH/ECDSA compliance fix: these methods vary the hash function they use
     (SHA256/384/512) depending on the length of the curve in use. The previous
     code incorrectly used SHA256 in all cases.

     This fix will cause authentication failure when using 384 or 521-bit curve
     keys if one peer hasn't been upgraded and the other has. (256-bit curve
     keys work ok). In particular you may need to specify HostkeyAlgorithms
     when connecting to a server that has not been upgraded from an upgraded
     client.

     ok naddy@
2010-09-10 11:23:34 +10:00
Damien Miller
eb8b60e320 - djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
     [authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
     [monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
     [ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
     [ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
     [ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
     [uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
     Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
     host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
     better performance than plain DH and DSA at the same equivalent symmetric
     key length, as well as much shorter keys.

     Only the mandatory sections of RFC5656 are implemented, specifically the
     three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
     ECDSA. Point compression (optional in RFC5656 is NOT implemented).

     Certificate host and user keys using the new ECDSA key types are supported.

     Note that this code has not been tested for interoperability and may be
     subject to change.

     feedback and ok markus@
2010-08-31 22:41:14 +10:00
Damien Miller
da108ece68 - djm@cvs.openbsd.org 2010/08/31 09:58:37
[auth-options.c auth1.c auth2.c bufaux.c buffer.h kex.c key.c packet.c]
     [packet.h ssh-dss.c ssh-rsa.c]
     Add buffer_get_cstring() and related functions that verify that the
     string extracted from the buffer contains no embedded \0 characters*
     This prevents random (possibly malicious) crap from being appended to
     strings where it would not be noticed if the string is used with
     a string(3) function.

     Use the new API in a few sensitive places.

     * actually, we allow a single one at the end of the string for now because
     we don't know how many deployed implementations get this wrong, but don't
     count on this to remain indefinitely.
2010-08-31 22:36:39 +10:00
Damien Miller
ea1651c98e - djm@cvs.openbsd.org 2010/07/13 23:13:16
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c packet.c]
     [ssh-rsa.c]
     s/timing_safe_cmp/timingsafe_bcmp/g
2010-07-16 13:58:37 +10:00
Damien Miller
8a0268f1b3 - djm@cvs.openbsd.org 2010/07/13 11:52:06
[auth-rsa.c channels.c jpake.c key.c misc.c misc.h monitor.c]
     [packet.c ssh-rsa.c]
     implement a timing_safe_cmp() function to compare memory without leaking
     timing information by short-circuiting like memcmp() and use it for
     some of the more sensitive comparisons (though nothing high-value was
     readily attackable anyway); "looks ok" markus@
2010-07-16 13:57:51 +10:00
Damien Miller
30da3447d2 - djm@cvs.openbsd.org 2010/05/07 11:30:30
[auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c]
     [key.c servconf.c servconf.h sshd.8 sshd_config.5]
     add some optional indirection to matching of principal names listed
     in certificates. Currently, a certificate must include the a user's name
     to be accepted for authentication. This change adds the ability to
     specify a list of certificate principal names that are acceptable.

     When authenticating using a CA trusted through ~/.ssh/authorized_keys,
     this adds a new principals="name1[,name2,...]" key option.

     For CAs listed through sshd_config's TrustedCAKeys option, a new config
     option "AuthorizedPrincipalsFile" specifies a per-user file containing
     the list of acceptable names.

     If either option is absent, the current behaviour of requiring the
     username to appear in principals continues to apply.

     These options are useful for role accounts, disjoint account namespaces
     and "user@realm"-style naming policies in certificates.

     feedback and ok markus@
2010-05-10 11:58:03 +10:00
Damien Miller
4e270b05dd - djm@cvs.openbsd.org 2010/04/16 01:47:26
[PROTOCOL.certkeys auth-options.c auth-options.h auth-rsa.c]
     [auth2-pubkey.c authfd.c key.c key.h myproposal.h ssh-add.c]
     [ssh-agent.c ssh-dss.c ssh-keygen.1 ssh-keygen.c ssh-rsa.c]
     [sshconnect.c sshconnect2.c sshd.c]
     revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
     following changes:

     move the nonce field to the beginning of the certificate where it can
     better protect against chosen-prefix attacks on the signature hash

     Rename "constraints" field to "critical options"

     Add a new non-critical "extensions" field

     Add a serial number

     The older format is still support for authentication and cert generation
     (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

     ok markus@
2010-04-16 15:56:21 +10:00
Damien Miller
1cfbfaf4a0 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
[key.c key.h ssh-keygen.c]
     also print certificate type (user or host) for ssh-keygen -L
     ok djm kettenis
2010-03-22 05:58:24 +11:00
Damien Miller
2befbad9b3 - djm@cvs.openbsd.org 2010/03/04 01:44:57
[key.c]
     use buffer_get_string_ptr_ret() where we are checking the return
     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
2010-03-04 21:52:18 +11:00
Damien Miller
41396573af - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/03 01:44:36
     [auth-options.c key.c]
     reject strings with embedded ASCII nul chars in certificate key IDs,
     principal names and constraints
2010-03-04 21:51:11 +11:00
Damien Miller
0a80ca190a - OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.

     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.

     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as sh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.

     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.

     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.

     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys

     feedback and ok markus@
2010-02-27 07:55:05 +11:00
Darren Tucker
561724f38d - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
[key.c]
     Ignore and log any Protocol 1 keys where the claimed size is not equal to
     the actual size.  Noted by Derek Martin, ok djm@
2010-01-13 22:43:05 +11:00
Darren Tucker
57e0d01260 - markus@cvs.openbsd.org 2009/12/11 18:16:33
[key.c]
     switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
     for the RSA public exponent; discussed with provos; ok djm@
2010-01-08 18:52:27 +11:00
Damien Miller
2f54adabbb - stevesk@cvs.openbsd.org 2008/10/10 05:00:12
[key.c]
     typo in error message; ok djm@
2008-11-03 19:24:16 +11:00
Damien Miller
c6aadd994d - grunk@cvs.openbsd.org 2008/07/25 07:05:16
[key.c]
     In random art visualization, make sure to use the end marker only at the
     end.  Initial diff by Dirk Loss, tweaks and ok djm@
2008-11-03 19:16:20 +11:00
Damien Miller
87dd5f2804 - stevesk@cvs.openbsd.org 2008/07/07 23:32:51
[key.c]
     /*NOTREACHED*/ for lint warning:
       warning: function key_equal falls off bottom without returning value
     ok djm@
2008-07-11 17:35:09 +10:00
Damien Miller
007132a7c9 - otto@cvs.openbsd.org 2008/06/25 11:13:43
[key.c]
     add key length to visual fingerprint; zap magical constants;
     ok grunk@ djm@
2008-06-29 22:45:37 +10:00
Darren Tucker
0f0ef0ab1f - grunk@cvs.openbsd.org 2008/06/12 22:03:36
[key.c]
     add my copyright, ok djm@
2008-06-13 08:58:05 +10:00
Darren Tucker
4b3b9773ec - grunk@cvs.openbsd.org 2008/06/12 06:32:59
[key.c]
     We already mark the start of the worm, now also mark the end of the worm
     in our random art drawings.
     ok djm@
2008-06-13 04:55:10 +10:00
Darren Tucker
987ac84a17 - grunk@cvs.openbsd.org 2008/06/12 05:42:46
[key.c]
     supply the key type (rsa1, rsa, dsa) as a caption in the frame of the
     random art.  while there, stress the fact that the field base should at
     least be 8 characters for the pictures to make sense.
     comment and ok djm@
2008-06-13 04:54:40 +10:00
Darren Tucker
267e28bb75 - otto@cvs.openbsd.org 2008/06/12 00:13:13
[key.c]
     use an odd number of rows and columns and a separate start marker, looks
     better; ok grunk@
2008-06-13 04:48:11 +10:00
Darren Tucker
d32b28a307 - grunk@cvs.openbsd.org 2008/06/11 23:51:57
[key.c]
     #define statements that are not atoms need braces around them, else they
     will cause trouble in some cases.
     Also do a computation of -1 once, and not in a loop several times.
     spotted by otto@
2008-06-13 04:45:50 +10:00
Darren Tucker
014d76fa72 - otto@cvs.openbsd.org 2008/06/11 23:02:22
[key.c]
     simpler way of computing the augmentations; ok grunk@
2008-06-13 04:43:51 +10:00
Darren Tucker
9c16ac9263 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
      sshconnect.c]
     Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
     graphical hash visualization schemes known as "random art", and by
     Dan Kaminsky's musings on the subject during a BlackOp talk at the
     23C3 in Berlin.
     Scientific publication (original paper):
     "Hash Visualization: a New Technique to improve Real-World Security",
     Perrig A. and Song D., 1999, International Workshop on Cryptographic
     Techniques and E-Commerce (CrypTEC '99)
     http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
     The algorithm used here is a worm crawling over a discrete plane,
     leaving a trace (augmenting the field) everywhere it goes.
     Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
     makes the respective movement vector be ignored for this turn,
     thus switching to the other color of the chessboard.
     Graphs are not unambiguous for now, because circles in graphs can be
     walked in either direction.
     discussions with several people,
     help, corrections and ok markus@ djm@
2008-06-13 04:40:35 +10:00
Darren Tucker
3d295a6cf0 - (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL
compat glue into openssl-compat.h.
2008-02-28 19:22:04 +11:00
Damien Miller
932040285f - ray@cvs.openbsd.org 2007/07/12 05:48:05
[key.c]
     Delint: remove some unreachable statements, from Bret Lambert.
     OK markus@ and dtucker@.
2007-08-08 14:28:26 +10:00
Darren Tucker
0bc85579a9 - markus@cvs.openbsd.org 2006/11/06 21:25:28
[auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
     ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
     add missing checks for openssl return codes; with & ok djm@
2006-11-07 23:14:41 +11:00