djm@openbsd.org
18e84bfdc5
upstream: tweak wording
...
OpenBSD-Commit-ID: bd002ca1599b71331faca735ff5f6de29e32222e
2019-11-28 17:54:42 +11:00
Damien Miller
8ef5bf9d03
missing .SUFFIXES line makes make sad
2019-11-28 13:12:30 +11:00
Damien Miller
323da82b8e
(hopefully) fix out of tree builds of sk-dummy.so
2019-11-28 09:53:42 +11:00
djm@openbsd.org
d8b2838c5d
upstream: remove stray semicolon after closing brace of function;
...
from Michael Forney
OpenBSD-Commit-ID: fda95acb799bb160d15e205ee126117cf33da3a7
2019-11-28 09:38:11 +11:00
dtucker@openbsd.org
6e1d1bbf5a
upstream: Revert previous commit. The channels code still uses int
...
in many places for channel ids so the INT_MAX check still makes sense.
OpenBSD-Commit-ID: 532e4b644791b826956c3c61d6ac6da39bac84bf
2019-11-28 09:38:11 +11:00
Damien Miller
4898924465
wire sk-dummy.so into test suite
2019-11-27 16:03:27 +11:00
djm@openbsd.org
f79364baca
upstream: use error()+_exit() instead of fatal() to avoid running
...
cleanup handlers in child process; spotted via weird regress failures in
portable
OpenBSD-Commit-ID: 6902a9bb3987c7d347774444f7979b8a9ba7f412
2019-11-27 16:02:46 +11:00
dtucker@openbsd.org
70ec5e5e26
upstream: Make channel_id u_int32_t and remove unnecessary check
...
and cast that were left over from the type conversion. Noted by
t-hashida@amiya.co.jp in bz#3098, ok markus@ djm@
OpenBSD-Commit-ID: 3ad105b6a905284e780b1fd7ff118e1c346e90b5
2019-11-27 16:02:46 +11:00
djm@openbsd.org
ad44ca81be
upstream: test FIDO2/U2F key types; ok markus@
...
OpenBSD-Regress-ID: 367e06d5a260407619b4b113ea0bd7004a435474
2019-11-27 11:02:49 +11:00
djm@openbsd.org
c6efa8a91a
upstream: add dummy security key middleware based on work by
...
markus@
This will allow us to test U2F/FIDO2 support in OpenSSH without
requiring real hardware.
ok markus@
OpenBSD-Regress-ID: 88b309464b8850c320cf7513f26d97ee1fdf9aae
2019-11-27 10:47:28 +11:00
jmc@openbsd.org
8635afa1cd
upstream: tweak previous;
...
OpenBSD-Commit-ID: a4c097364c75da320f1b291568db830fb1ee4883
2019-11-27 10:44:29 +11:00
djm@openbsd.org
e0d38ae9bc
upstream: more debugging; behind DEBUG_SK
...
OpenBSD-Commit-ID: a978896227118557505999ddefc1f4c839818b60
2019-11-27 10:44:29 +11:00
Damien Miller
9281d4311b
unbreak fuzzers for recent security key changes
2019-11-25 21:47:49 +11:00
djm@openbsd.org
c5f1cc9935
upstream: unbreak tests for recent security key changes
...
OpenBSD-Regress-ID: 2cdf2fcae9962ca4d711338f3ceec3c1391bdf95
2019-11-25 21:34:20 +11:00
djm@openbsd.org
6498826682
upstream: unbreak after security key support landed
...
OpenBSD-Regress-ID: 3ab578b0dbeb2aa6d9969b54a9c1bad329c0dcba
2019-11-25 21:34:20 +11:00
tb@openbsd.org
e65e25c81e
upstream: Remove workaround for broken 'openssl rsa -text' output
...
that was fixed in libcrypto/rsa/rsa_ameth.c r1.24.
ok dtucker inoguchi
OpenBSD-Regress-ID: c260edfac177daa8fcce90141587cf04a95c4f5f
2019-11-25 21:34:20 +11:00
djm@openbsd.org
21377ec2a9
upstream: redundant test
...
OpenBSD-Commit-ID: 38fa7806c528a590d91ae560e67bd8b246c2d7a3
2019-11-25 21:33:58 +11:00
djm@openbsd.org
664deef95a
upstream: document the "no-touch-required" certificate extension;
...
ok markus, feedback deraadt
OpenBSD-Commit-ID: 47640122b13f825e9c404ea99803b2372246579d
2019-11-25 12:25:53 +11:00
djm@openbsd.org
26cb128b31
upstream: Print a key touch reminder when generating a security
...
key. Most keys require a touch to authorize the operation.
OpenBSD-Commit-ID: 7fe8b23edbf33e1bb81741b9f25e9a63be5f6b68
2019-11-25 12:25:53 +11:00
djm@openbsd.org
daeaf41369
upstream: allow "ssh-keygen -x no-touch-required" when generating a
...
security key keypair to request one that does not require a touch for each
authentication attempt. The default remains to require touch.
feedback deraadt; ok markus@
OpenBSD-Commit-ID: 887e7084b2e89c0c62d1598ac378aad8e434bcbd
2019-11-25 12:25:30 +11:00
djm@openbsd.org
2e71263b80
upstream: add a "no-touch-required" option for authorized_keys and
...
a similar extension for certificates. This option disables the default
requirement that security key signatures attest that the user touched their
key to authorize them.
feedback deraadt, ok markus
OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e
2019-11-25 12:23:40 +11:00
djm@openbsd.org
0fddf2967a
upstream: Add a sshd_config PubkeyAuthOptions directive
...
This directive has a single valid option "no-touch-required" that
causes sshd to skip checking whether user presence was tested before
a security key signature was made (usually by the user touching the
key).
ok markus@
OpenBSD-Commit-ID: 46e434a49802d4ed82bc0aa38cb985c198c407de
2019-11-25 12:23:40 +11:00
djm@openbsd.org
b7e74ea072
upstream: Add new structure for signature options
...
This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.
with and ok markus@
OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49
2019-11-25 12:23:33 +11:00
djm@openbsd.org
d2b0f88178
upstream: memleak in error path
...
OpenBSD-Commit-ID: 93488431bf02dde85a854429362695d2d43d9112
2019-11-25 12:22:43 +11:00
dtucker@openbsd.org
e2c0a21ade
upstream: Wait for FD to be readable or writeable during a nonblocking
...
connect, not just readable. Prevents a timeout when the server doesn't
immediately send a banner (eg multiplexers like sslh) but is also slightly
quicker for other connections since, unlike ssh1, ssh2 doesn't specify
that the client should parse the server banner before sending its own.
Patch from mnissler@chromium.org , ok djm@
OpenBSD-Commit-ID: aba9cd8480d1d9dd31d0ca0422ea155c26c5df1d
2019-11-22 18:38:14 +11:00
Darren Tucker
2f95d43dc2
Include openssl compat header.
...
Fixes warning for ECDSA_SIG_set0 on OpenSSL versions prior to 1.1.
2019-11-20 16:34:11 +11:00
djm@openbsd.org
a70d92f236
upstream: adjust on-wire signature encoding for ecdsa-sk keys to
...
better match ec25519-sk keys. Discussed with markus@ and Sebastian Kinne
NB. if you are depending on security keys (already?) then make sure you
update both your clients and servers.
OpenBSD-Commit-ID: 53d88d8211f0dd02a7954d3af72017b1a79c0679
2019-11-20 09:27:29 +11:00
djm@openbsd.org
26369a5f7d
upstream: a little more information from the monitor when signature
...
verification fails.
OpenBSD-Commit-ID: e6a30071e0518cac512f9e10be3dc3500e2003f3
2019-11-20 09:27:29 +11:00
jmc@openbsd.org
4402d6c9b5
upstream: revert previous: naddy pointed out what's meant to
...
happen. rethink needed...
OpenBSD-Commit-ID: fb0fede8123ea7f725fd65e00d49241c40bd3421
2019-11-20 09:27:29 +11:00
jmc@openbsd.org
88056f8813
upstream: -c and -s do not make sense with -k; reshuffle -k into
...
the main synopsis/usage; ok djm
OpenBSD-Commit-ID: f881ba253da015398ae8758d973e3390754869bc
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
2cf262c21f
upstream: document '$' environment variable expansion for
...
SecurityKeyProvider; ok djm@
OpenBSD-Commit-ID: 76db507ebd336a573e1cd4146cc40019332c5799
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
f0edda81c5
upstream: more missing mentions of ed25519-sk; ok djm@
...
OpenBSD-Commit-ID: f242e53366f61697dffd53af881bc5daf78230ff
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
189550f5bc
upstream: additional missing stdarg.h includes when built without
...
WITH_OPENSSL; ok djm@
OpenBSD-Commit-ID: 881f9a2c4e2239849cee8bbf4faec9bab128f55b
2019-11-20 09:27:29 +11:00
naddy@openbsd.org
723a536986
upstream: add the missing WITH_OPENSSL ifdefs after the ED25519-SK
...
addition; ok djm@
OpenBSD-Commit-ID: a9545e1c273e506cf70e328cbb9d0129b6d62474
2019-11-20 09:26:59 +11:00
Damien Miller
478f4f98e4
remove all EC algs from proposals, no just sk ones
...
ok dtucker@
2019-11-19 08:52:24 +11:00
Damien Miller
6a7ef310da
filter PUBKEY_DEFAULT_PK_ALG for ECC algorithms
...
Remove ECC algorithms from the PUBKEY_DEFAULT_PK_ALG list when
compiling without ECC support in libcrypto.
2019-11-18 22:23:05 +11:00
dtucker@openbsd.org
64f56f1d1a
upstream: LibreSSL change the format for openssl rsa -text output from
...
"publicExponent" to "Exponent" so accept either. with djm.
OpenBSD-Regress-ID: b7e6c4bf700029a31c98be14600d4472fe0467e6
2019-11-18 20:54:05 +11:00
djm@openbsd.org
4bfc0503ad
upstream: fix a bug that prevented serialisation of ed25519-sk keys
...
OpenBSD-Commit-ID: 066682b79333159cac04fcbe03ebd9c8dcc152a9
2019-11-18 17:59:43 +11:00
djm@openbsd.org
d882054170
upstream: Fix incorrect error message when key certification fails
...
OpenBSD-Commit-ID: 7771bd77ee73f7116df37c734c41192943a73cee
2019-11-18 17:42:11 +11:00
djm@openbsd.org
740c4bc987
upstream: fix bug that prevented certification of ed25519-sk keys
...
OpenBSD-Commit-ID: 64c8cc6f5de2cdd0ee3a81c3a9dee8d862645996
2019-11-18 17:42:11 +11:00
djm@openbsd.org
85409cbb50
upstream: allow *-sk key types to be turned into certificates
...
OpenBSD-Commit-ID: cd365ee343934862286d0b011aa77fa739d2a945
2019-11-18 17:25:26 +11:00
djm@openbsd.org
e2e1283404
upstream: mention ed25519-sk key/cert types here too; prompted by
...
jmc@
OpenBSD-Commit-ID: e281977e4a4f121f3470517cbd5e483eee37b818
2019-11-18 15:57:18 +11:00
djm@openbsd.org
97dc5d1d82
upstream: mention ed25519-sk in places where it is accepted;
...
prompted by jmc@
OpenBSD-Commit-ID: 076d386739ebe7336c2137e583bc7a5c9538a442
2019-11-18 15:57:17 +11:00
djm@openbsd.org
1306643448
upstream: document ed25519-sk pubkey, private key and certificate
...
formats
OpenBSD-Commit-ID: 795a7c1c80315412e701bef90e31e376ea2f3c88
2019-11-18 15:57:17 +11:00
djm@openbsd.org
71856e1142
upstream: correct order or ecdsa-sk private key fields
...
OpenBSD-Commit-ID: 4d4a0c13226a79f0080ce6cbe74f73b03ed8092e
2019-11-18 15:57:17 +11:00
djm@openbsd.org
93fa2a6649
upstream: correct description of fields in pub/private keys (was
...
missing curve name); spotted by Sebastian Kinne
OpenBSD-Commit-ID: 2a11340dc7ed16200342d384fb45ecd4fcce26e7
2019-11-18 15:57:17 +11:00
Damien Miller
b497e920b4
Teach the GTK2/3 ssh-askpass the new prompt hints
...
ssh/ssh-agent now sets a hint environment variable $SSH_ASKPASS_PROMPT
when running the askpass program. This is intended to allow the
askpass to vary its UI across the three cases it supports: asking for
a passphrase, confirming the use of a key and (recently) reminding
a user to touch their security key.
This adapts the gnome-ssh-askpass[23] to use these hints. Specifically,
for SSH_ASKPASS_PROMPT=confirm it will skip the text input box and show
only "yes"/"no" buttons. For SSH_ASKPASS_PROMPT=none (used to remind
users to tap their security key), it shows only a "close" button.
Help wanted: adapt the other askpass programs in active use, including
x11-ssh-askpass, lxqt-openssh-askpass, etc.
2019-11-18 15:22:40 +11:00
Darren Tucker
857f49e91e
Move ifdef OPENSSL_HAS_ECC.
...
Found by -Wimplicit-fallthrough: one ECC case was not inside the ifdef.
ok djm@
2019-11-18 14:15:26 +11:00
Darren Tucker
6cf1c40096
Enable -Wimplicit-fallthrough if supported
...
Suggested by djm.
2019-11-18 14:14:18 +11:00
djm@openbsd.org
103c51fd5f
upstream: missing break in getopt switch; spotted by Sebastian Kinne
...
OpenBSD-Commit-ID: f002dbf14dba5586e8407e90f0141148ade8e8fc
2019-11-18 13:00:43 +11:00