wireguard-openbsd/usr.bin/ssh/sshkey.c, branch jd/queueboosts

wireguard-openbsd/usr.bin/ssh/sshkey.c, branch jd/queueboosts WireGuard implementation for the OpenBSD kernel https://git.zx2c4.com/wireguard-openbsd/atom/usr.bin/ssh/sshkey.c?h=jd%2Fqueueboosts 2020-06-22T05:58:35Z Add support for FIDO webauthn (verification only). webauthn is a 2020-06-22T05:58:35Z djm djm@openbsd.org 2020-06-22T05:58:35Z urn:sha1:c25c45ac5c037f909a29d0baed332c4fbcf1043b standard for using FIDO keys in web browsers. webauthn signatures are a slightly different format to plain FIDO signatures - this support allows verification of these. Feedback and ok markus@ Refactor private key parsing. Eliminates a fair bit of duplicated 2020-04-11T10:16:11Z djm djm@openbsd.org 2020-04-11T10:16:11Z urn:sha1:dd305755ddbc31845ba45e3768a8aff5c4131e19 code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key type check in the ECDSA_CERT parsing path. feedback and ok markus@ add sshkey_parse_pubkey_from_private_fileblob_type() 2020-04-08T00:08:46Z djm djm@openbsd.org 2020-04-08T00:08:46Z urn:sha1:117d161305dbc0ba38d37c60247e1b5986b573ba Extracts a public key from the unencrypted envelope of a new-style OpenSSH private key. ok markus@ simplify sshkey_parse_private_fileblob_type() 2020-04-08T00:07:19Z djm djm@openbsd.org 2020-04-08T00:07:19Z urn:sha1:d49d52ce0b870694111f336c8da3abf48a204838 Try new format parser for all key types first, fall back to PEM parser only for invalid format errors. ok markus@ check private key type against requested key type in new-style private 2020-04-08T00:05:59Z djm djm@openbsd.org 2020-04-08T00:05:59Z urn:sha1:c96249d0056a164595cb300a97af930ec4a59426 decoding; ok markus@ check that pubkey in private key envelope matches actual private key 2020-04-08T00:04:32Z djm djm@openbsd.org 2020-04-08T00:04:32Z urn:sha1:c3be6246a4bdc210e0c63b83f53e944cb6c1ca88 (this public key is currently unusued) ok markus@ refactor private key parsing a little 2020-04-08T00:01:52Z djm djm@openbsd.org 2020-04-08T00:01:52Z urn:sha1:a8b002979ef949acff340a1ce1645a99a9058771 Split out the base64 decoding and private section decryption steps in to separate functions. This will make the decryption step easier to fuzz as well as making it easier to write a "load public key from new-format private key" function. ok markus@ sshkey_cert_check_authority requires reason to be set; ok djm 2020-03-06T18:23:17Z markus markus@openbsd.org 2020-03-06T18:23:17Z urn:sha1:4e349e12d39cd6783e16a83a9eca668ebcdedc95 passphrase depends on kdfname, not ciphername (possible null-deref); 2020-03-06T18:21:28Z markus markus@openbsd.org 2020-03-06T18:21:28Z urn:sha1:5496609a6eb9be0f51a03cd4cd0e67b8974b029a ok djm change explicit_bzero();free() to freezero() 2020-02-26T13:40:09Z jsg jsg@openbsd.org 2020-02-26T13:40:09Z urn:sha1:c9831b39c7f05cf54db0775dea423b6be448db6e While freezero() returns early if the pointer is NULL the tests for NULL in callers are left to avoid warnings about passing an uninitialised size argument across a function boundry. ok deraadt@ djm@