RepoMirrors/openssh
1
0
Fork 0
mirror of git://anongit.mindrot.org/openssh.git synced 2024-12-31 23:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
9,671 Commits 69 Branches 157 Tags 27 MiB
9444d82678
Commit Graph

9671 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Damien Miller
4dc06bd579 depend 2019-01-21 23:14:04 +11:00
djm@openbsd.org
70edd73edc upstream: fix reversed arguments to kex_load_hostkey(); manifested as 
errors in cert-hostkey.sh regress failures.

OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
 2019-01-21 23:13:53 +11:00
djm@openbsd.org
f1185abbf0 upstream: forgot to cvs add this file in previous series of commits; 
grrr

OpenBSD-Commit-ID: bcff316c3e7da8fd15333e05d244442c3aaa66b0
 2019-01-21 23:13:53 +11:00
djm@openbsd.org
7bef390b62 upstream: nothing shall escape this purge 
OpenBSD-Commit-ID: 4795b0ff142b45448f7e15f3c2f77a947191b217
 2019-01-21 23:13:03 +11:00
djm@openbsd.org
aaca72d6f1 upstream: rename kex->kem_client_pub -> kex->client_pub now that 
KEM has been renamed to kexgen

from markus@ ok djm@

OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
 2019-01-21 23:13:03 +11:00
djm@openbsd.org
70867e1ca2 upstream: merge kexkem[cs] into kexgen 
from markus@ ok djm@

OpenBSD-Commit-ID: 87d886b7f1812ff9355fda1435f6ea9b71a0ac89
 2019-01-21 23:13:03 +11:00
djm@openbsd.org
71e67fff94 upstream: pass values used in KEX hash computation as sshbuf 
rather than pointer+len

suggested by me; implemented by markus@ ok me

OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
 2019-01-21 23:13:03 +11:00
djm@openbsd.org
4b83e2a2cc upstream: remove kex_derive_keys_bn wrapper; no unused since the 
DH-like KEX methods have moved to KEM

from markus@ ok djm@

OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
 2019-01-21 23:13:03 +11:00
djm@openbsd.org
92dda34e37 upstream: use KEM API for vanilla ECDH 
from markus@ ok djm@

OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
 2019-01-21 23:13:02 +11:00
Damien Miller
b72357217c fixup missing ssherr.h 2019-01-21 23:13:02 +11:00
djm@openbsd.org
9c9c97e14f upstream: use KEM API for vanilla DH KEX 
from markus@ ok djm@

OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
 2019-01-21 22:08:47 +11:00
djm@openbsd.org
2f6a9ddbbf upstream: use KEM API for vanilla c25519 KEX 
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
 2019-01-21 22:08:04 +11:00
djm@openbsd.org
dfd591618c upstream: Add support for a PQC KEX/KEM: 
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.

introduce KEM API; a simplified framework for DH-ish KEX methods.

from markus@ feedback & ok djm@

OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
 2019-01-21 22:07:02 +11:00
djm@openbsd.org
b1b2ff4ed5 upstream: factor out kex_verify_hostkey() - again, duplicated 
almost exactly across client and server for several KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
bb39bafb6d upstream: factor out kex_load_hostkey() - this is duplicated in 
both the client and server implementations for most KEX methods.

from markus@ ok djm@

OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
dec5e9d338 upstream: factor out kex_dh_compute_key() - it's shared between 
plain DH KEX and DH GEX in both the client and server implementations

from markus@ ok djm@

OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
e93bd98eab upstream: factor out DH keygen; it's identical between the client 
and the server

from markus@ ok djm@

OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
5ae3f6d314 upstream: save the derived session id in kex_derive_keys() rather 
than making each kex method implementation do it.

from markus@ ok djm@

OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
7be8572b32 upstream: Make sshpkt_get_bignum2() allocate the bignum it is 
parsing rather than make the caller do it. Saves a lot of boilerplate code.

from markus@ ok djm@

OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
 2019-01-21 21:47:28 +11:00
djm@openbsd.org
803178bd5d upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1 
functions

from markus@ ok djm@

OpenBSD-Commit-ID: 0380b1b2d9de063de3c5a097481a622e6a04943e
 2019-01-21 21:46:57 +11:00
djm@openbsd.org
f3ebaffd87 upstream: fix all-zero check in kexc25519_shared_key 
from markus@ ok djm@

OpenBSD-Commit-ID: 60b1d364e0d9d34d1d1ef1620cb92e36cf06712d
 2019-01-21 21:46:05 +11:00
jmc@openbsd.org
9d1a9771d0 upstream: - -T was added to the first synopsis by mistake - since 
"..." denotes optional, no need to surround it in []

ok djm

OpenBSD-Commit-ID: 918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25
 2019-01-21 21:46:05 +11:00
Darren Tucker
2f0bad2bf8 Make --with-rpath take a flag instead of yes/no. 
Linkers need various flags for -rpath and similar, so make --with-rpath
take an optional flag argument which is passed to the linker.  ok djm@
 2019-01-21 21:28:27 +11:00
Damien Miller
23490a6c97 fix previous test 2019-01-21 15:05:43 +11:00
Darren Tucker
b6dd3277f2 Wrap ECC static globals in EC_KEY_METHOD_NEW too. 2019-01-21 13:50:17 +11:00
Damien Miller
b2eb9db35b pass TEST_SSH_SSHPKCS11HELPER to regress tests 2019-01-21 13:09:23 +11:00
Damien Miller
ba58a529f4 make agent-pkcs11 search harder for softhsm2.so 2019-01-21 13:09:23 +11:00
djm@openbsd.org
662be40c62 upstream: always print the caller's error message in ossl_error(), 
even when there are no libcrypto errors to report.

OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
 2019-01-21 13:07:04 +11:00
djm@openbsd.org
ce46c3a077 upstream: get the ex_data (pkcs11_key object) back from the keys at 
the index at which it was inserted, rather than assuming index 0

OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
 2019-01-21 13:06:58 +11:00
djm@openbsd.org
0a5f2ea356 upstream: GSSAPI code got missed when converting to new packet API 
OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
 2019-01-21 12:05:49 +11:00
Damien Miller
2efcf812b4 Fix -Wunused when compiling PKCS#11 without ECDSA 2019-01-21 11:57:21 +11:00
djm@openbsd.org
3c0c657ed7 upstream: allow override of ssh-pkcs11-helper binary via 
$TEST_SSH_SSHPKCS11HELPER from markus@

OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469
 2019-01-21 11:51:54 +11:00
djm@openbsd.org
760ae37b45 upstream: adapt agent-pkcs11.sh test to softhsm2 and add support 
for ECDSA keys

work by markus@, ok djm@

OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
 2019-01-21 11:51:54 +11:00
djm@openbsd.org
b2ce8b31a1 upstream: add "extra:" target to run some extra tests that are not 
enabled by default (currently includes agent-pkcs11.sh); from markus@

OpenBSD-Regress-ID: 9a969e1adcd117fea174d368dcb9c61eb50a2a3c
 2019-01-21 11:51:54 +11:00
djm@openbsd.org
632976418d upstream: use ECDSA_SIG_set0() instead of poking signature values into 
structure directly; the latter works on LibreSSL but not on OpenSSL. From
portable.

OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
 2019-01-21 11:48:45 +11:00
Damien Miller
5de6ac2bad remove HAVE_DLOPEN that snuck in 
portable doesn't use this
 2019-01-21 11:45:16 +11:00
Damien Miller
e2cb445d78 conditionalise ECDSA PKCS#11 support 
Require EC_KEY_METHOD support in libcrypto, evidenced by presence
of EC_KEY_METHOD_new() function.
 2019-01-21 11:32:28 +11:00
djm@openbsd.org
fcb1b09371 upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD 
now, so there is no need to keep a copy of each in the pkcs11_key object.

work by markus@, ok djm@

OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
 2019-01-21 10:57:03 +11:00
djm@openbsd.org
6529409e85 upstream: KNF previous; from markus@ 
OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
 2019-01-21 10:57:03 +11:00
djm@openbsd.org
58622a8c82 upstream: use OpenSSL's RSA reference counting hooks to 
implicitly clean up pkcs11_key objects when their owning RSA object's
reference count drops to zero. Simplifies the cleanup path and makes it more
like ECDSA's

work by markus@, ok djm@

OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
 2019-01-21 10:57:03 +11:00
djm@openbsd.org
f118542fc8 upstream: make the PKCS#11 RSA code more like the new PKCS#11 
ECDSA code: use a single custom RSA_METHOD instead of a method per key

suggested by me, but markus@ did all the work.
ok djm@

OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
445cfce49d upstream: fix leak of ECDSA pkcs11_key objects 
work by markus, ok djm@

OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
8a2467583f upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of 
EC_KEY internals as that won't work on OpenSSL

work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
24757c1ae3 upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned 
object should never have a DER header

work by markus; feedback and ok djm@

OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
749aef3032 upstream: cleanup unnecessary code in ECDSA pkcs#11 signature 
work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
0c50992af4 upstream: cleanup pkcs#11 client code: use sshkey_new in instead 
of stack- allocating a sshkey

work by markus@, ok djm@

OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
854bd8674e upstream: allow override of the pkcs#11 helper binary via 
$SSH_PKCS11_HELPER; needed for regress tests.

work by markus@, ok me

OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
93f02107f4 upstream: add support for ECDSA keys in PKCS#11 tokens 
Work by markus@ and Pedro Martelletto, feedback and ok me@

OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
 2019-01-21 10:54:37 +11:00
djm@openbsd.org
aa22c20e0c upstream: add option to test whether keys in an agent are usable, 
by performing a signature and a verification using each key "ssh-add -T
pubkey [...]"

work by markus@, ok djm@

OpenBSD-Commit-ID: 931b888a600b6a883f65375bd5f73a4776c6d19b
 2019-01-21 10:46:04 +11:00
tb@openbsd.org
a36b0b14a1 upstream: Fix BN_is_prime_* calls in SSH, the API returns -1 on 
error.

Found thanks to BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd
by David Benjamin.

ok djm, dtucker

OpenBSD-Commit-ID: 1ee832be3c44b1337f76b8562ec6d203f3b072f8
 2019-01-21 10:46:04 +11:00