djm@openbsd.org
35ecc53a83
upstream: adapt to changes in KEX API and file removals
...
OpenBSD-Regress-ID: 92cad022d3b0d11e08f3e0055d6a14b8f994c0d7
2019-01-21 23:41:21 +11:00
djm@openbsd.org
7d69aae64c
upstream: adapt to bignum1 API removal and bignum2 API change
...
OpenBSD-Regress-ID: cea6ff270f3d560de86b355a87a2c95b55a5ca63
2019-01-21 23:38:30 +11:00
djm@openbsd.org
beab553f0a
upstream: remove hack to use non-system libcrypto
...
OpenBSD-Regress-ID: ce72487327eee4dfae1ab0212a1f33871fe0809f
2019-01-21 23:38:10 +11:00
Damien Miller
4dc06bd579
depend
2019-01-21 23:14:04 +11:00
djm@openbsd.org
70edd73edc
upstream: fix reversed arguments to kex_load_hostkey(); manifested as
...
errors in cert-hostkey.sh regress failures.
OpenBSD-Commit-ID: 12dab63850b844f84d5a67e86d9e21a42fba93ba
2019-01-21 23:13:53 +11:00
djm@openbsd.org
f1185abbf0
upstream: forgot to cvs add this file in previous series of commits;
...
grrr
OpenBSD-Commit-ID: bcff316c3e7da8fd15333e05d244442c3aaa66b0
2019-01-21 23:13:53 +11:00
djm@openbsd.org
7bef390b62
upstream: nothing shall escape this purge
...
OpenBSD-Commit-ID: 4795b0ff142b45448f7e15f3c2f77a947191b217
2019-01-21 23:13:03 +11:00
djm@openbsd.org
aaca72d6f1
upstream: rename kex->kem_client_pub -> kex->client_pub now that
...
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
2019-01-21 23:13:03 +11:00
djm@openbsd.org
70867e1ca2
upstream: merge kexkem[cs] into kexgen
...
from markus@ ok djm@
OpenBSD-Commit-ID: 87d886b7f1812ff9355fda1435f6ea9b71a0ac89
2019-01-21 23:13:03 +11:00
djm@openbsd.org
71e67fff94
upstream: pass values used in KEX hash computation as sshbuf
...
rather than pointer+len
suggested by me; implemented by markus@ ok me
OpenBSD-Commit-ID: 994f33c464f4a9e0f1d21909fa3e379f5a0910f0
2019-01-21 23:13:03 +11:00
djm@openbsd.org
4b83e2a2cc
upstream: remove kex_derive_keys_bn wrapper; no unused since the
...
DH-like KEX methods have moved to KEM
from markus@ ok djm@
OpenBSD-Commit-ID: bde9809103832f349545e4f5bb733d316db9a060
2019-01-21 23:13:03 +11:00
djm@openbsd.org
92dda34e37
upstream: use KEM API for vanilla ECDH
...
from markus@ ok djm@
OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
2019-01-21 23:13:02 +11:00
Damien Miller
b72357217c
fixup missing ssherr.h
2019-01-21 23:13:02 +11:00
djm@openbsd.org
9c9c97e14f
upstream: use KEM API for vanilla DH KEX
...
from markus@ ok djm@
OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
2019-01-21 22:08:47 +11:00
djm@openbsd.org
2f6a9ddbbf
upstream: use KEM API for vanilla c25519 KEX
...
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
2019-01-21 22:08:04 +11:00
djm@openbsd.org
dfd591618c
upstream: Add support for a PQC KEX/KEM:
...
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
2019-01-21 22:07:02 +11:00
djm@openbsd.org
b1b2ff4ed5
upstream: factor out kex_verify_hostkey() - again, duplicated
...
almost exactly across client and server for several KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID: 4e4a16d949dadde002a0aacf6d280a684e20829c
2019-01-21 21:47:28 +11:00
djm@openbsd.org
bb39bafb6d
upstream: factor out kex_load_hostkey() - this is duplicated in
...
both the client and server implementations for most KEX methods.
from markus@ ok djm@
OpenBSD-Commit-ID: 8232fa7c21fbfbcaf838313b0c166dc6c8762f3c
2019-01-21 21:47:28 +11:00
djm@openbsd.org
dec5e9d338
upstream: factor out kex_dh_compute_key() - it's shared between
...
plain DH KEX and DH GEX in both the client and server implementations
from markus@ ok djm@
OpenBSD-Commit-ID: 12186e18791fffcd4642c82e7e0cfdd7ea37e2ec
2019-01-21 21:47:28 +11:00
djm@openbsd.org
e93bd98eab
upstream: factor out DH keygen; it's identical between the client
...
and the server
from markus@ ok djm@
OpenBSD-Commit-ID: 2be57f6a0d44f1ab2c8de2b1b5d6f530c387fae9
2019-01-21 21:47:28 +11:00
djm@openbsd.org
5ae3f6d314
upstream: save the derived session id in kex_derive_keys() rather
...
than making each kex method implementation do it.
from markus@ ok djm@
OpenBSD-Commit-ID: d61ade9c8d1e13f665f8663c552abff8c8a30673
2019-01-21 21:47:28 +11:00
djm@openbsd.org
7be8572b32
upstream: Make sshpkt_get_bignum2() allocate the bignum it is
...
parsing rather than make the caller do it. Saves a lot of boilerplate code.
from markus@ ok djm@
OpenBSD-Commit-ID: 576bf784f9a240f5a1401f7005364e59aed3bce9
2019-01-21 21:47:28 +11:00
djm@openbsd.org
803178bd5d
upstream: remove obsolete (SSH v.1) sshbuf_get/put_bignum1
...
functions
from markus@ ok djm@
OpenBSD-Commit-ID: 0380b1b2d9de063de3c5a097481a622e6a04943e
2019-01-21 21:46:57 +11:00
djm@openbsd.org
f3ebaffd87
upstream: fix all-zero check in kexc25519_shared_key
...
from markus@ ok djm@
OpenBSD-Commit-ID: 60b1d364e0d9d34d1d1ef1620cb92e36cf06712d
2019-01-21 21:46:05 +11:00
jmc@openbsd.org
9d1a9771d0
upstream: - -T was added to the first synopsis by mistake - since
...
"..." denotes optional, no need to surround it in []
ok djm
OpenBSD-Commit-ID: 918f6d8eed4e0d8d9ef5eadae1b8983d796f0e25
2019-01-21 21:46:05 +11:00
Darren Tucker
2f0bad2bf8
Make --with-rpath take a flag instead of yes/no.
...
Linkers need various flags for -rpath and similar, so make --with-rpath
take an optional flag argument which is passed to the linker. ok djm@
2019-01-21 21:28:27 +11:00
Damien Miller
23490a6c97
fix previous test
2019-01-21 15:05:43 +11:00
Darren Tucker
b6dd3277f2
Wrap ECC static globals in EC_KEY_METHOD_NEW too.
2019-01-21 13:50:17 +11:00
Damien Miller
b2eb9db35b
pass TEST_SSH_SSHPKCS11HELPER to regress tests
2019-01-21 13:09:23 +11:00
Damien Miller
ba58a529f4
make agent-pkcs11 search harder for softhsm2.so
2019-01-21 13:09:23 +11:00
djm@openbsd.org
662be40c62
upstream: always print the caller's error message in ossl_error(),
...
even when there are no libcrypto errors to report.
OpenBSD-Commit-ID: 09ebaa8f706e0eccedd209775baa1eee2ada806a
2019-01-21 13:07:04 +11:00
djm@openbsd.org
ce46c3a077
upstream: get the ex_data (pkcs11_key object) back from the keys at
...
the index at which it was inserted, rather than assuming index 0
OpenBSD-Commit-ID: 1f3a6ce0346c8014e895e50423bef16401510aa8
2019-01-21 13:06:58 +11:00
djm@openbsd.org
0a5f2ea356
upstream: GSSAPI code got missed when converting to new packet API
...
OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
2019-01-21 12:05:49 +11:00
Damien Miller
2efcf812b4
Fix -Wunused when compiling PKCS#11 without ECDSA
2019-01-21 11:57:21 +11:00
djm@openbsd.org
3c0c657ed7
upstream: allow override of ssh-pkcs11-helper binary via
...
$TEST_SSH_SSHPKCS11HELPER from markus@
OpenBSD-Regress-ID: 7382a3d76746f5a792d106912a5819fd5e49e469
2019-01-21 11:51:54 +11:00
djm@openbsd.org
760ae37b45
upstream: adapt agent-pkcs11.sh test to softhsm2 and add support
...
for ECDSA keys
work by markus@, ok djm@
OpenBSD-Regress-ID: 1ebc2be0e88eff1b6d8be2f9c00cdc60723509fe
2019-01-21 11:51:54 +11:00
djm@openbsd.org
b2ce8b31a1
upstream: add "extra:" target to run some extra tests that are not
...
enabled by default (currently includes agent-pkcs11.sh); from markus@
OpenBSD-Regress-ID: 9a969e1adcd117fea174d368dcb9c61eb50a2a3c
2019-01-21 11:51:54 +11:00
djm@openbsd.org
632976418d
upstream: use ECDSA_SIG_set0() instead of poking signature values into
...
structure directly; the latter works on LibreSSL but not on OpenSSL. From
portable.
OpenBSD-Commit-ID: 5b22a1919d9cee907d3f8a029167f70a481891c6
2019-01-21 11:48:45 +11:00
Damien Miller
5de6ac2bad
remove HAVE_DLOPEN that snuck in
...
portable doesn't use this
2019-01-21 11:45:16 +11:00
Damien Miller
e2cb445d78
conditionalise ECDSA PKCS#11 support
...
Require EC_KEY_METHOD support in libcrypto, evidenced by presence
of EC_KEY_METHOD_new() function.
2019-01-21 11:32:28 +11:00
djm@openbsd.org
fcb1b09371
upstream: we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD
...
now, so there is no need to keep a copy of each in the pkcs11_key object.
work by markus@, ok djm@
OpenBSD-Commit-ID: 43b4856516e45c0595f17a8e95b2daee05f12faa
2019-01-21 10:57:03 +11:00
djm@openbsd.org
6529409e85
upstream: KNF previous; from markus@
...
OpenBSD-Commit-ID: 3dfe35e25b310c3968b1e4e53a0cb1d03bda5395
2019-01-21 10:57:03 +11:00
djm@openbsd.org
58622a8c82
upstream: use OpenSSL's RSA reference counting hooks to
...
implicitly clean up pkcs11_key objects when their owning RSA object's
reference count drops to zero. Simplifies the cleanup path and makes it more
like ECDSA's
work by markus@, ok djm@
OpenBSD-Commit-ID: 74b9c98f405cd78f7148e9e4a4982336cd3df25c
2019-01-21 10:57:03 +11:00
djm@openbsd.org
f118542fc8
upstream: make the PKCS#11 RSA code more like the new PKCS#11
...
ECDSA code: use a single custom RSA_METHOD instead of a method per key
suggested by me, but markus@ did all the work.
ok djm@
OpenBSD-Commit-ID: 8aafcebe923dc742fc5537a995cee549d07e4b2e
2019-01-21 10:54:37 +11:00
djm@openbsd.org
445cfce49d
upstream: fix leak of ECDSA pkcs11_key objects
...
work by markus, ok djm@
OpenBSD-Commit-ID: 9fc0c4f1d640aaa5f19b8d70f37ea19b8ad284a1
2019-01-21 10:54:37 +11:00
djm@openbsd.org
8a2467583f
upstream: use EVP_PKEY_get0_EC_KEY() instead of direct access of
...
EC_KEY internals as that won't work on OpenSSL
work by markus@, feedback and ok djm@
OpenBSD-Commit-ID: 4a99cdb89fbd6f5155ef8c521c99dc66e2612700
2019-01-21 10:54:37 +11:00
djm@openbsd.org
24757c1ae3
upstream: cleanup PKCS#11 ECDSA pubkey loading: the returned
...
object should never have a DER header
work by markus; feedback and ok djm@
OpenBSD-Commit-ID: b617fa585eddbbf0b1245b58b7a3c4b8d613db17
2019-01-21 10:54:37 +11:00
djm@openbsd.org
749aef3032
upstream: cleanup unnecessary code in ECDSA pkcs#11 signature
...
work by markus@, feedback and ok djm@
OpenBSD-Commit-ID: affa5ca7d58d59fbd16169f77771dcdbd2b0306d
2019-01-21 10:54:37 +11:00
djm@openbsd.org
0c50992af4
upstream: cleanup pkcs#11 client code: use sshkey_new in instead
...
of stack- allocating a sshkey
work by markus@, ok djm@
OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91
2019-01-21 10:54:37 +11:00
djm@openbsd.org
854bd8674e
upstream: allow override of the pkcs#11 helper binary via
...
$SSH_PKCS11_HELPER; needed for regress tests.
work by markus@, ok me
OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83
2019-01-21 10:54:37 +11:00