Commit Graph

77 Commits

Author SHA1 Message Date
jsg@openbsd.org a35f543d3a
upstream: remove unneeded semicolons; checked by millert@
OpenBSD-Commit-ID: 3fb621a58e04b759a875ad6a33f35bb57ca80231
2024-09-24 12:09:35 +10:00
djm@openbsd.org 7bdfc20516
upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.
DSA remains unconverted as it will be removed within six months.

Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).

ok tb@

OpenBSD-Commit-ID: d098744e89f1dc7e5952a6817bef234eced648b5
2024-08-15 12:07:59 +10:00
deraadt@openbsd.org 54343a260e
upstream: Oops, incorrect hex conversion spotted by claudio.
While here try to improve how it reads a bit better.  Surprising the
regression tests didn't spot this error, maybe it fails to roundtrip the
values.

OpenBSD-Commit-ID: 866cfcc1955aef8f3fc32da0b70c353a1b859f2e
2024-04-30 12:16:54 +10:00
claudio@openbsd.org 8673137f78
upstream: Remove unused ptr[3] char array in pkcs11_decode_hex.
OK deraadt@

OpenBSD-Commit-ID: 3d14433e39fd558f662d3b0431c4c555ef920481
2024-04-30 12:16:51 +10:00
deraadt@openbsd.org c7fec708f3
upstream: Replace non-idiomatic strtoul(, 16) to parse a region
of 2-character hex sequences with a low-level replacement designed just for
the task. ok djm

OpenBSD-Commit-ID: 67bab8b8a4329a19a0add5085eacd6f4cc215e85
2024-04-30 12:16:51 +10:00
djm@openbsd.org 6958f00acf
upstream: don't incorrectly truncate logged strings retrieved from
PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus

OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
2023-07-28 08:31:01 +10:00
djm@openbsd.org 29ef8a0486
upstream: Ensure FIDO/PKCS11 libraries contain expected symbols
This checks via nlist(3) that candidate provider libraries contain one
of the symbols that we will require prior to dlopen(), which can cause
a number of side effects, including execution of constructors.

Feedback deraadt; ok markus

OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe
2023-07-20 00:21:31 +10:00
djm@openbsd.org 892506b136
upstream: terminate process if requested to load a PKCS#11 provider
that isn't a PKCS#11 provider; from / ok markus@

OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c
2023-07-20 00:18:26 +10:00
tb@openbsd.org dfb9b736e1
upstream: ssh-pkcs11: synchronize error messages with errors
A handful of error messages contained incorrect function names or
otherwise inaccurate descriptions. Fix them to match reality.

input/ok djm

OpenBSD-Commit-ID: 165a15db52f75b31e1804b043480c36af09f3411
2023-03-08 17:26:57 +11:00
djm@openbsd.org 97f9b6e613 upstream: avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we
already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries
that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364

OpenBSD-Commit-ID: 054d4dc1d6a99a2e6f8eebc48207b534057c154d
2021-11-19 08:12:57 +11:00
Damien Miller dee22129bb make OPENSSL_HAS_ECC checks more thorough
ok dtucker
2021-10-01 16:36:24 +10:00
djm@openbsd.org b5aa27b69a upstream: remove a bunch of %p in format strings; leftovers of
debuggings past. prompted by Michael Forney, ok dtucker@

OpenBSD-Commit-ID: 4853a0d6c9cecaba9ecfcc19066e52d3a8dcb2ac
2021-08-11 18:37:30 +10:00
djm@openbsd.org d443006c0d upstream: fix decoding of X.509 subject name; from Leif Thuresson
via bz3327 ok markus@

OpenBSD-Commit-ID: 0ea2e28f39750dd388b7e317bc43dd997a217ae8
2021-06-25 16:32:34 +10:00
djm@openbsd.org 19af04e223 upstream: when loading PKCS#11 keys, include the key fingerprints
and provider/slot information in debug output.

OpenBSD-Commit-ID: 969a089575d0166a9a364a9901bb6a8d9b8a1431
2020-11-27 11:50:30 +11:00
djm@openbsd.org 816036f142 upstream: use the new variant log macros instead of prepending
__func__ and appending ssh_err(r) manually; ok markus@

OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
2020-10-18 23:46:29 +11:00
djm@openbsd.org 4c60724405 upstream: fix compilation on !HAVE_DLOPEN platforms; stub function
was not updated to match API change. From Dale Rahn via beck@ ok markus@

OpenBSD-Commit-ID: 2b8d054afe34c9ac85e417dae702ef981917b836
2020-05-29 13:28:47 +10:00
djm@openbsd.org 1d89232a4a upstream: improve error messages for some common PKCS#11 C_Login
failure cases; based on patch from Jacob Hoffman-Andrews in bz3130; ok
dtucker

OpenBSD-Commit-ID: b8b849621b4a98e468942efd0a1c519c12ce089e
2020-03-14 19:39:30 +11:00
markus@openbsd.org 31c860a021 upstream: pkcs11_register_provider: return < 0 on error; ok djm
OpenBSD-Commit-ID: cfc8321315b787e4d40da4bdb2cbabd4154b0d97
2020-03-13 13:13:30 +11:00
djm@openbsd.org 89a8d4525e upstream: expose PKCS#11 key labels/X.509 subjects as comments
Extract the key label or X.509 subject string when PKCS#11 keys
are retrieved from the token and plumb this through to places where
it may be used as a comment.

based on https://github.com/openssh/openssh-portable/pull/138
by Danielle Church

feedback and ok markus@

OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
2020-01-25 11:35:55 +11:00
djm@openbsd.org 084682786d upstream: revert unconditional forced login implemented in r1.41 of
ssh-pkcs11.c; r1.45 added a forced login as a fallback for cases where the
token returns no objects and this is less disruptive for users of tokens
directly in ssh (rather than via ssh-agent) and in ssh-keygen

bz3006, patch from Jakub Jelen; ok markus

OpenBSD-Commit-ID: 33d6df589b072094384631ff93b1030103b3d02e
2019-10-01 20:24:07 +10:00
djm@openbsd.org 7d6034bd02 upstream: if a PKCS#11 token returns no keys then try to login and
refetch them. Based on patch from Jakub Jelen; bz#2430 ok markus@

OpenBSD-Commit-ID: ab53bd6ddd54dd09e54a8bfbed1a984496f08b43
2019-09-05 20:07:12 +10:00
djm@openbsd.org b52c0c2e64 upstream: downgrade PKCS#11 "provider returned no slots" warning
from log level error to debug. This is common when attempting to enumerate
keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@

OpenBSD-Commit-ID: bb8839ddeb77c271390488af1b771041d43e49c6
2019-09-02 10:32:43 +10:00
Darren Tucker 9634ffbf29 Add headers to prevent warnings w/out OpenSSL. 2019-07-23 22:26:20 +10:00
Darren Tucker 97370f6c2c Fix building w/out ECC.
Ifdef out ECC specific code so that that it'll build against an OpenSSL
configured w/out ECC.  With & ok djm@
2019-05-17 10:54:51 +10:00
Darren Tucker 5590f53f99 Whitespace resync w/OpenBSD.
Patch from markus at blueflash.cc via openssh-unix-dev.
2019-04-26 18:22:10 +10:00
markus@openbsd.org 2aee9a49f6 upstream: fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL
OpenBSD-Commit-ID: febce81cca72b71f70513fbee4ff52ca050f675c
2019-03-26 10:20:22 +11:00
djm@openbsd.org 7a7fdca78d upstream: fix NULL-deref crash in PKCS#11 code when attempting
login to a token requiring a PIN; reported by benno@ fix mostly by markus@

OpenBSD-Commit-ID: 438d0b114b1b4ba25a9869733db1921209aa9a31
2019-02-05 11:45:38 +11:00
djm@openbsd.org 41923ce06a upstream: Correct some bugs in PKCS#11 token PIN handling at
initial login, the attempt at reading the PIN could be skipped in some cases
especially on devices with integrated PIN readers.

based on patch from Daniel Kucera in bz#2652; ok markus@

OpenBSD-Commit-ID: fad70a61c60610afe8bb0db538c90e343e75e58e
2019-01-22 23:04:54 +11:00
djm@openbsd.org 2162171ad5 upstream: Support keys that set the CKA_ALWAYS_AUTHENTICATE by
requring a fresh login after the C_SignInit operation.

based on patch from Jakub Jelen in bz#2638; ok markus

OpenBSD-Commit-ID: a76e66996ba7c0923b46b74d46d499b811786661
2019-01-22 23:04:54 +11:00
Damien Miller 23490a6c97 fix previous test 2019-01-21 15:05:43 +11:00
Darren Tucker b6dd3277f2 Wrap ECC static globals in EC_KEY_METHOD_NEW too. 2019-01-21 13:50:17 +11:00
djm@openbsd.org 662be40c62 upstream: always print the caller's error message in ossl_error(),
even when there are no libcrypto errors to report.

OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
2019-01-21 13:07:04 +11:00
djm@openbsd.org ce46c3a077 upstream: get the ex_data (pkcs11_key object) back from the keys at
the index at which it was inserted, rather than assuming index 0

OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
2019-01-21 13:06:58 +11:00
Damien Miller 2efcf812b4 Fix -Wunused when compiling PKCS#11 without ECDSA 2019-01-21 11:57:21 +11:00
djm@openbsd.org 632976418d upstream: use ECDSA_SIG_set0() instead of poking signature values into
structure directly; the latter works on LibreSSL but not on OpenSSL. From
portable.

OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
2019-01-21 11:48:45 +11:00
Damien Miller 5de6ac2bad remove HAVE_DLOPEN that snuck in
portable doesn't use this
2019-01-21 11:45:16 +11:00
Damien Miller e2cb445d78 conditionalise ECDSA PKCS#11 support
Require EC_KEY_METHOD support in libcrypto, evidenced by presence
of EC_KEY_METHOD_new() function.
2019-01-21 11:32:28 +11:00
djm@openbsd.org fcb1b09371 upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
now, so there is no need to keep a copy of each in the pkcs11_key object.

work by markus@, ok djm@

OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
2019-01-21 10:57:03 +11:00
djm@openbsd.org 6529409e85 upstream: KNF previous; from markus@
OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
2019-01-21 10:57:03 +11:00
djm@openbsd.org 58622a8c82 upstream: use OpenSSL's RSA reference counting hooks to
implicitly clean up pkcs11_key objects when their owning RSA object's
reference count drops to zero. Simplifies the cleanup path and makes it more
like ECDSA's

work by markus@, ok djm@

OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
2019-01-21 10:57:03 +11:00
djm@openbsd.org f118542fc8 upstream: make the PKCS#11 RSA code more like the new PKCS#11
ECDSA code: use a single custom RSA_METHOD instead of a method per key

suggested by me, but markus@ did all the work.
ok djm@

OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
2019-01-21 10:54:37 +11:00
djm@openbsd.org 445cfce49d upstream: fix leak of ECDSA pkcs11_key objects
work by markus, ok djm@

OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
2019-01-21 10:54:37 +11:00
djm@openbsd.org 8a2467583f upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
EC_KEY internals as that won't work on OpenSSL

work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
2019-01-21 10:54:37 +11:00
djm@openbsd.org 24757c1ae3 upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
object should never have a DER header

work by markus; feedback and ok djm@

OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
2019-01-21 10:54:37 +11:00
djm@openbsd.org 749aef3032 upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
work by markus@, feedback and ok djm@

OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
2019-01-21 10:54:37 +11:00
djm@openbsd.org 93f02107f4 upstream: add support for ECDSA keys in PKCS#11 tokens
Work by markus@ and Pedro Martelletto, feedback and ok me@

OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
2019-01-21 10:54:37 +11:00
Damien Miller 48f54b9d12 adapt -portable to OpenSSL 1.1x API
Polyfill missing API with replacement functions extracted from LibreSSL
2018-09-13 12:13:50 +10:00
djm@openbsd.org 482d23bcac upstream: hold our collective noses and use the openssl-1.1.x API in
OpenSSH; feedback and ok tb@ jsing@ markus@

OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
2018-09-13 12:12:33 +10:00
jsing@openbsd.org 7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
deraadt@openbsd.org 9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00