summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/key.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* delete support for legacy v00 certificates; "sure" markus@ dtucker@djm2015-07-031-3/+3
|
* update to new API (key_fingerprint => sshkey_fingerprint)djm2015-01-281-18/+1
| | | | | check sshkey_fingerprint return values; ok markus
* Reduce use of <sys/param.h> and transition to <limits.h> throughout.deraadt2015-01-201-2/+2
| | | | ok djm markus
* deprecate key_load_private_pem() and sshkey_load_private_pem()djm2015-01-081-23/+2
| | | | | | | | | | | | | | | interfaces. Refactor the generic key loading API to not require pathnames to be specified (they weren't really used). Fixes a few other things en passant: Makes ed25519 keys work for hostbased authentication (ssh-keysign previously used the PEM-only routines). Fixes key comment regression bz#2306: key pathnames were being lost as comment fields. ok markus@
* Add FingerprintHash option to control algorithm used for keydjm2014-12-211-4/+3
| | | | | | | fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
* key_in_file() wrapper is no longer useddjm2014-12-041-15/+1
|
* Prevent spam from key_load_private_pem during hostbased auth. ok djm@dtucker2014-07-221-2/+5
|
* silence "incorrect passphrase" error spam; reported and ok dtucker@djm2014-07-171-3/+5
|
* downgrade more error() to debug() to better match what old authfile.cdjm2014-07-091-6/+11
| | | | did; suppresses spurious errors with hostbased authentication enabled
* suppress spurious error message when loading key with a passphrase;djm2014-06-301-2/+3
| | | | reported by kettenis@ ok markus@
* New key API: refactor key-related functions to be more library-like,djm2014-06-241-2437/+289
| | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
* make compiling against OpenSSL optional (make OPENSSL=no);markus2014-04-291-23/+97
| | | | | reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
* convert memset of potentially-private data to explicit_bzero()djm2014-02-021-6/+6
|
* Introduce digest API and use it to perform all hashing operationsdjm2014-01-091-20/+20
| | | | | | rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
* to make sure we don't omit any key types as valid CA keys again,djm2013-12-291-7/+17
| | | | | factor the valid key type check into a key_type_is_valid_ca() function
* correct comment for key_drop_cert()djm2013-12-291-2/+2
|
* correct comment for key_to_certified()djm2013-12-291-2/+2
|
* allow ed25519 keys to appear as certificate authoritiesdjm2013-12-291-2/+3
|
* set k->cert = NULL after freeing itdjm2013-12-071-1/+2
|
* support ed25519 keys (hostkeys and user identities) using the public domainmarkus2013-12-061-25/+169
| | | | | ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html feedback, help & ok djm@
* new private key format, bcrypt as KDF by default; details in PROTOCOL.key;markus2013-12-061-1/+2
| | | | feedback and lots help from djm; ok djm@
* move private key (de)serialization to key.c; ok djmmarkus2013-12-061-1/+184
|
* make key_to_blob() return a NULL blob on failure; part ofdjm2013-12-021-1/+5
| | | | bz#2175 from Loganaden Velvindron @ AfriNIC
* fix potential stack exhaustion caused by nested certificates;djm2013-10-291-16/+29
| | | | report by Mateusz Kocielski; ok dtucker@ markus@
* Standardise logging of supplemental information during userauth. Keysdjm2013-05-191-2/+2
| | | | | | | | | | and ruser is now logged in the auth success/failure message alongside the local username, remote host/port and protocol in use. Certificates contents and CA are logged too. Pushing all logging onto a single line simplifies log analysis as it is no longer necessary to relate information scattered across multiple log entries. "I like it" markus@
* bye, bye xfree(); ok markus@djm2013-05-171-33/+24
|
* memleak in cert_free(), wasn't actually freeing the struct;djm2013-05-101-1/+2
| | | | bz#2096 from shm AT digitalsun.pl
* add the ability to query supported ciphers, MACs, key type and KEXdjm2013-04-191-116/+97
| | | | | algorithms to ssh. Includes some refactoring of KEX and key type handling to be table-driven; ok markus@
* add support for Key Revocation Lists (KRLs). These are a compact way todjm2013-01-171-15/+25
| | | | | | | | represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@
* add support for RFC6594 SSHFP DNS records for ECDSA key types.djm2012-05-231-1/+4
| | | | patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
* remove explict search for \0 in packet strings, this job is now donedjm2011-10-181-6/+1
| | | | implicitly by buffer_get_cstring; ok markus
* fatal() if asked to generate a legacy ECDSA cert (these don't exist)djm2011-05-171-1/+4
| | | | and fix the regress test that was trying to generate them :)
* fix uninitialised nonce variable; reported by Mateusz Kocielskidjm2011-02-041-4/+3
|
* use only libcrypto APIs that are retained with OPENSSL_NO_DEPRECATED.djm2010-11-101-9/+17
| | | | these have been around for years by this time. ok markus
* fix a possible NULL deref on loading a corrupt ECDH keydjm2010-10-281-9/+22
| | | | | | | store ECDH group information in private keys files as "named groups" rather than as a set of explicit group parameters (by setting the OPENSSL_EC_NAMED_CURVE flag). This makes for shorter key files and retrieves the group's OpenSSL NID that we need for various things.
* ECDH/ECDSA compliance fix: these methods vary the hash function they usedjm2010-09-091-12/+35
| | | | | | | | | | | | | (SHA256/384/512) depending on the length of the curve in use. The previous code incorrectly used SHA256 in all cases. This fix will cause authentication failure when using 384 or 521-bit curve keys if one peer hasn't been upgraded and the other has. (256-bit curve keys work ok). In particular you may need to specify HostkeyAlgorithms when connecting to a server that has not been upgraded from an upgraded client. ok naddy@
* Implement Elliptic Curve Cryptography modes for key exchange (ECDH) anddjm2010-08-311-15/+526
| | | | | | | | | | | | | | | | | host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. Only the mandatory sections of RFC5656 are implemented, specifically the three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and ECDSA. Point compression (optional in RFC5656 is NOT implemented). Certificate host and user keys using the new ECDSA key types are supported. Note that this code has not been tested for interoperability and may be subject to change. feedback and ok markus@
* Add buffer_get_cstring() and related functions that verify that thedjm2010-08-311-9/+4
| | | | | | | | | | | | | string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
* s/timing_safe_cmp/timingsafe_bcmp/gdjm2010-07-131-2/+2
|
* implement a timing_safe_cmp() function to compare memory without leakingdjm2010-07-131-2/+3
| | | | | | timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
* add some optional indirection to matching of principal names listeddjm2010-05-071-2/+2
| | | | | | | | | | | | | | | | | | | | | in certificates. Currently, a certificate must include the a user's name to be accepted for authentication. This change adds the ability to specify a list of certificate principal names that are acceptable. When authenticating using a CA trusted through ~/.ssh/authorized_keys, this adds a new principals="name1[,name2,...]" key option. For CAs listed through sshd_config's TrustedCAKeys option, a new config option "AuthorizedPrincipalsFile" specifies a per-user file containing the list of acceptable names. If either option is absent, the current behaviour of requiring the username to appear in principals continues to apply. These options are useful for role accounts, disjoint account namespaces and "user@realm"-style naming policies in certificates. feedback and ok markus@
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-31/+146
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* also print certificate type (user or host) for ssh-keygen -Lstevesk2010-03-151-1/+14
| | | | ok djm kettenis
* use buffer_get_string_ptr_ret() where we are checking the returndjm2010-03-041-3/+3
| | | | value explicitly instead of the fatal()-causing buffer_get_string_ptr()
* reject strings with embedded ASCII nul chars in certificate key IDs,djm2010-03-031-13/+23
| | | | principal names and constraints
* Add support for certificate key types for users and hosts.djm2010-02-261-34/+561
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* Ignore and log any Protocol 1 keys where the claimed size is not equal todtucker2010-01-131-1/+7
| | | | the actual size. Noted by Derek Martin, ok djm@
* switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537markus2009-12-111-2/+2
| | | | for the RSA public exponent; discussed with provos; ok djm@
* typo in error message; ok djm@stevesk2008-10-101-2/+2
|
* In random art visualization, make sure to use the end marker only at thegrunk2008-07-251-2/+3
| | | | end. Initial diff by Dirk Loss, tweaks and ok djm@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.