djm@openbsd.org
75f7f22a43
upstream: add security key types to list of keys allowed to act as
...
CAs; spotted by Ron Frederick
OpenBSD-Commit-ID: 9bb0dfff927b4f7aa70679f983f84c69d45656c3
2019-12-11 19:11:07 +11:00
djm@openbsd.org
516605f2d5
upstream: when acting as a CA and using a security key as the CA
...
key, remind the user to touch they key to authorise the signature.
OpenBSD-Commit-ID: fe58733edd367362f9766b526a8b56827cc439c1
2019-12-11 19:08:22 +11:00
djm@openbsd.org
c4036fe75e
upstream: chop some unnecessary and confusing verbiage from the
...
security key protocol description; feedback from Ron Frederick
OpenBSD-Commit-ID: 048c9483027fbf9c995e5a51b3ac502989085a42
2019-12-11 19:08:22 +11:00
djm@openbsd.org
59175a350f
upstream: fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set
...
when asking passphrases, only when confirming the use of a key (i.e. for
ssh-agent keys added with "ssh-add -c keyfile")
OpenBSD-Commit-ID: 6643c82960d9427d5972eb702c917b3b838ecf89
2019-12-11 19:08:22 +11:00
djm@openbsd.org
36eaa356d3
upstream: bring the __func__
...
OpenBSD-Commit-ID: 71a3a45b0fe1b8f680ff95cf264aa81f7abbff67
2019-12-11 19:08:22 +11:00
jmc@openbsd.org
483cc723d1
upstream: tweak the Nd lines for a bit of consistency; ok markus
...
OpenBSD-Commit-ID: 876651bdde06bc1e72dd4bd7ad599f42a6ce5a16
2019-12-11 19:08:22 +11:00
Darren Tucker
afffd31036
Check if memmem is declared in system headers.
...
If the system (or one of the dependencies) implements memmem but does
not define the header, we would not declare it either resulting in
compiler warnings. Check for declaration explicitly. bz#3102.
2019-12-11 13:22:06 +11:00
Darren Tucker
ad8cd42079
Sort depends.
2019-12-11 13:13:14 +11:00
Darren Tucker
5e3abff39e
Sort .depend when rebuilding.
...
This makes diffs more stable between makedepend implementations.
2019-12-11 13:12:59 +11:00
Darren Tucker
5df9d1f5c0
Update depend to include sk files.
2019-12-11 13:06:43 +11:00
Darren Tucker
9a967c5bbf
Describe how to build libcrypto as PIC.
...
While there, move the OpenSSL 1.1.0g caveat closer to the other version
information.
2019-12-09 20:25:26 +11:00
Darren Tucker
b66fa5da25
Recommend running LibreSSL or OpenSSL self-tests.
2019-12-09 17:23:22 +11:00
Darren Tucker
fa7924008e
Wrap ECC specific bits in ifdef.
...
Fixes tests when built against an OpenSSL configured with no-ec.
2019-12-06 14:17:26 +11:00
Darren Tucker
2ff822eabd
Wrap sha2.h include in ifdef.
...
Fixes build --without-openssl on at least Fedora.
2019-11-29 20:21:36 +11:00
Damien Miller
443848155f
compile sk-dummy.so with no-PIE version of LDFLAGS
...
This lets it pick up the -L path to libcrypto for example.
2019-11-29 15:10:21 +11:00
Damien Miller
37f5b5346e
includes.h for sk-dummy.c, dummy
2019-11-29 14:48:46 +11:00
Damien Miller
b218055e59
(yet) another x-platform fix for sk-dummy.so
...
Check for -fPIC support from compiler
Compile libopenbsd-compat -fPIC
Don't mix -fPIE and -fPIC when compiling
2019-11-29 12:32:23 +11:00
Damien Miller
0dedb703ad
needs includes.h for WITH_OPENSSL
2019-11-29 11:53:57 +11:00
Damien Miller
ef3853bb94
another attempt at sk-dummy.so working x-platform
...
include a fatal() implementation to satisfy libopenbsd-compat
clean up .lo and .so files
.gitignore .lo and .so files
2019-11-29 11:52:23 +11:00
djm@openbsd.org
d46ac56f1c
upstream: lots of dependencies go away here with ed25519 no longer
...
needing the ssh_digest API.
OpenBSD-Regress-ID: 785847ec78cb580d141e29abce351a436d6b5d49
2019-11-29 11:19:48 +11:00
djm@openbsd.org
7404b81f25
upstream: perform hashing directly in crypto_hash_sha512() using
...
libcrypto or libc SHA512 functions rather than calling ssh_digest_memory();
avoids many dependencies on ssh code that complicate standalone use of
ed25519, as we want to do in sk-dummy.so
OpenBSD-Commit-ID: 5a3c37593d3ba7add037b587cec44aaea088496d
2019-11-29 11:17:39 +11:00
jmc@openbsd.org
d39a865b7a
upstream: improve the text for -A a little; input from naddy and
...
djm
OpenBSD-Commit-ID: f9cdfb1d6dbb9887c4bf3bb25f9c7a94294c988d
2019-11-29 11:17:39 +11:00
jmc@openbsd.org
9a0e01bd0c
upstream: reshuffle the text to read better; input from naddy,
...
djmc, and dtucker
OpenBSD-Commit-ID: a0b2aca2b67614dda3d6618ea097bf0610c35013
2019-11-29 11:17:39 +11:00
Damien Miller
5ca52c0f2e
$< doesn't work as` I thought; explicily list objs
2019-11-28 18:10:37 +11:00
djm@openbsd.org
18e84bfdc5
upstream: tweak wording
...
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-28 17:54:42 +11:00
Damien Miller
8ef5bf9d03
missing .SUFFIXES line makes make sad
2019-11-28 13:12:30 +11:00
Damien Miller
323da82b8e
(hopefully) fix out of tree builds of sk-dummy.so
2019-11-28 09:53:42 +11:00
djm@openbsd.org
d8b2838c5d
upstream: remove stray semicolon after closing brace of function;
...
from Michael Forney
OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
2019-11-28 09:38:11 +11:00
dtucker@openbsd.org
6e1d1bbf5a
upstream: Revert previous commit. The channels code still uses int
...
in many places for channel ids so the INT_MAX check still makes sense.
OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
2019-11-28 09:38:11 +11:00
Damien Miller
4898924465
wire sk-dummy.so into test suite
2019-11-27 16:03:27 +11:00
djm@openbsd.org
f79364baca
upstream: use error()+_exit() instead of fatal() to avoid running
...
cleanup handlers in child process; spotted via weird regress failures in
portable
OpenBSD-Commit-ID: 6902a9bb3987c7d347774444f7979b8a9ba7f412
2019-11-27 16:02:46 +11:00
dtucker@openbsd.org
70ec5e5e26
upstream: Make channel_id u_int32_t and remove unnecessary check
...
and cast that were left over from the type conversion. Noted by
t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@
OpenBSD-Commit-ID: 3ad105b6a905284e780b1fd7ff118e1c346e90b5
2019-11-27 16:02:46 +11:00
djm@openbsd.org
ad44ca81be
upstream: test FIDO2/U2F key types; ok markus@
...
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
2019-11-27 11:02:49 +11:00
djm@openbsd.org
c6efa8a91a
upstream: add dummy security key middleware based on work by
...
markus@
This will allow us to test U2F/FIDO2 support in OpenSSH without
requiring real hardware.
ok markus@
OpenBSD-Regress-ID: 88b309464b8850c320cf7513f26d97ee1fdf9aae
2019-11-27 10:47:28 +11:00
jmc@openbsd.org
8635afa1cd
upstream: tweak previous;
...
OpenBSD-Commit-ID: a4c097364c75da320f1b291568db830fb1ee4883
2019-11-27 10:44:29 +11:00
djm@openbsd.org
e0d38ae9bc
upstream: more debugging; behind DEBUG_SK
...
OpenBSD-Commit-ID: a978896227118557505999ddefc1f4c839818b60
2019-11-27 10:44:29 +11:00
Damien Miller
9281d4311b
unbreak fuzzers for recent security key changes
2019-11-25 21:47:49 +11:00
djm@openbsd.org
c5f1cc9935
upstream: unbreak tests for recent security key changes
...
OpenBSD-Regress-ID: 2cdf2fcae9962ca4d711338f3ceec3c1391bdf95
2019-11-25 21:34:20 +11:00
djm@openbsd.org
6498826682
upstream: unbreak after security key support landed
...
OpenBSD-Regress-ID: 3ab578b0dbeb2aa6d9969b54a9c1bad329c0dcba
2019-11-25 21:34:20 +11:00
tb@openbsd.org
e65e25c81e
upstream: Remove workaround for broken 'openssl rsa -text' output
...
that was fixed in libcrypto/rsa/rsa_ameth.c r1.24.
ok dtucker inoguchi
OpenBSD-Regress-ID: c260edfac177daa8fcce90141587cf04a95c4f5f
2019-11-25 21:34:20 +11:00
djm@openbsd.org
21377ec2a9
upstream: redundant test
...
OpenBSD-Commit-ID: 38fa7806c528a590d91ae560e67bd8b246c2d7a3
2019-11-25 21:33:58 +11:00
djm@openbsd.org
664deef95a
upstream: document the "no-touch-required" certificate extension;
...
ok markus, feedback deraadt
OpenBSD-Commit-ID: 47640122b13f825e9c404ea99803b2372246579d
2019-11-25 12:25:53 +11:00
djm@openbsd.org
26cb128b31
upstream: Print a key touch reminder when generating a security
...
key. Most keys require a touch to authorize the operation.
OpenBSD-Commit-ID: 7fe8b23edbf33e1bb81741b9f25e9a63be5f6b68
2019-11-25 12:25:53 +11:00
djm@openbsd.org
daeaf41369
upstream: allow "ssh-keygen -x no-touch-required" when generating a
...
security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.
feedback deraadt; ok markus@
OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
2019-11-25 12:25:30 +11:00
djm@openbsd.org
2e71263b80
upstream: add a "no-touch-required" option for authorized_keys and
...
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.
feedback deraadt, ok markus
OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org
0fddf2967a
upstream: Add a sshd_config PubkeyAuthOptions directive
...
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
2019-11-25 12:23:40 +11:00
djm@openbsd.org
b7e74ea072
upstream: Add new structure for signature options
...
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.
with and ok markus@
OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-25 12:23:33 +11:00
djm@openbsd.org
d2b0f88178
upstream: memleak in error path
...
OpenBSD-Commit-ID: 93488431bf02dde85a854429362695d2d43d9112
2019-11-25 12:22:43 +11:00
dtucker@openbsd.org
e2c0a21ade
upstream: Wait for FD to be readable or writeable during a nonblocking
...
connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers like sslh) but is also slightly
quicker for other connections since, unlike ssh1, ssh2 doesn't specify
that the client should parse the server banner before sending its own.
Patch from mnissler@chromium.org , ok djm@
OpenBSD-Commit-ID: aba9cd8480d1d9dd31d0ca0422ea155c26c5df1d
2019-11-22 18:38:14 +11:00
Darren Tucker
2f95d43dc2
Include openssl compat header.
...
Fixes warning for ECDSA_SIG_set0 on OpenSSL versions prior to 1.1.
2019-11-20 16:34:11 +11:00