Commit Graph

29 Commits

Author SHA1 Message Date
jsing@openbsd.org 7cd31632e3 upstream commit
Remove all guards for calls to OpenSSL free functions -
all of these functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

OpenBSD-Commit-ID: 954f1c51b94297d0ae1f749271e184141e0cadae
2018-02-08 09:26:27 +11:00
deraadt@openbsd.org 9e509d4ec9 upstream commit
Switch to recallocarray() for a few operations.  Both
growth and shrinkage are handled safely, and there also is no need for
preallocation dances. Future changes in this area will be less error prone.
Review and one bug found by markus

Upstream-ID: 822d664d6a5a1d10eccb23acdd53578a679d5065
2017-06-01 14:55:22 +10:00
markus@openbsd.org ff7371afd0 upstream commit
sshkey_new() might return NULL (pkcs#11 code only); ok
djm@

Upstream-ID: de9f2ad4a42c0b430caaa7d08dea7bac943075dd
2017-05-31 10:47:31 +10:00
djm@openbsd.org efb494e81d upstream commit
Improve pkcs11_add_provider() logging: demote some
excessively verbose error()s to debug()s, include PKCS#11 provider name and
slot in log messages where possible. bz#2610, based on patch from Jakub Jelen

Upstream-ID: 3223ef693cfcbff9079edfc7e89f55bf63e1973d
2016-11-06 16:47:43 +11:00
djm@openbsd.org d2d772f55b upstream commit
avoid fatal() for PKCS11 tokens that present empty key IDs
 bz#1773, ok markus@

Upstream-ID: 044a764fee526f2c4a9d530bd10695422d01fc54
2016-02-12 11:23:05 +11:00
djm@openbsd.org 63ebcd0005 upstream commit
don't ignore PKCS#11 hosted keys that return empty
 CKA_ID; patch by Jakub Jelen via bz#2429; ok markus

Upstream-ID: 2f7c94744eb0342f8ee8bf97b2351d4e00116485
2015-07-20 10:32:25 +10:00
djm@openbsd.org b15fd989c8 upstream commit
skip uninitialised PKCS#11 slots; patch from Jakub Jelen
 in bz#2427 ok markus@

Upstream-ID: 744c1e7796e237ad32992d0d02148e8a18f27d29
2015-07-20 10:32:25 +10:00
djm@openbsd.org a71ba58adf upstream commit
support PKCS#11 devices with external PIN entry devices
 bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@

Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
2015-05-27 15:16:59 +10:00
deraadt@openbsd.org 657a5fbc0d upstream commit
rename xrealloc() to xreallocarray() since it follows
 that form. ok djm
2015-04-29 18:15:23 +10:00
deraadt@openbsd.org ce4f59b240 upstream commit
missing ; djm and mlarkin really having great
 interactions recently
2015-02-05 07:43:00 +11:00
djm@openbsd.org cb3bde373e upstream commit
handle PKCS#11 C_Login returning
 CKR_USER_ALREADY_LOGGED_IN; based on patch from Yuri Samoilenko; ok markus@
2015-02-03 11:06:16 +11:00
djm@openbsd.org 1129dcfc5a upstream commit
sync ssh-keysign, ssh-keygen and some dependencies to the
 new buffer/key API; mostly mechanical, ok markus@
2015-01-15 21:39:14 +11:00
Damien Miller 8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00
Damien Miller 686c7d9ee6 - djm@cvs.openbsd.org 2014/05/02 03:27:54
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
     [misc.h poly1305.h ssh-pkcs11.c defines.h]
     revert __bounded change; it causes way more problems for portable than
     it solves; pointed out by dtucker@
2014-05-15 14:37:03 +10:00
Damien Miller 4f40209aa4 - djm@cvs.openbsd.org 2014/03/26 04:55:35
[chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
     [misc.h poly1305.h ssh-pkcs11.c]
     use __bounded(...) attribute recently added to sys/cdefs.h instead of
     longform __attribute__(__bounded(...));

     for brevity and a warning free compilation with llvm/clang
2014-04-20 13:21:22 +10:00
Damien Miller 867e6934be - markus@cvs.openbsd.org 2013/11/13 13:48:20
[ssh-pkcs11.c]
     add missing braces found by pedro
2013-11-21 13:56:06 +11:00
Damien Miller c8908aabff - djm@cvs.openbsd.org 2013/11/06 23:05:59
[ssh-pkcs11.c]
     from portable: s/true/true_val/ to avoid name collisions on dump platforms
     RCSID sync only
2013-11-07 13:38:35 +11:00
Damien Miller 61c5c2319e - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
that got lost in recent merge.
2013-11-07 11:34:14 +11:00
Damien Miller d2252c7919 - markus@cvs.openbsd.org 2013/11/02 20:03:54
[ssh-pkcs11.c]
     support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
     fixes bz#1908; based on patch from Laurent Barbe; ok djm
2013-11-04 07:41:48 +11:00
Damien Miller 746d1a6c52 - djm@cvs.openbsd.org 2013/07/12 00:20:00
[sftp.c ssh-keygen.c ssh-pkcs11.c]
     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
2013-07-18 16:13:02 +10:00
Darren Tucker a627d42e51 - djm@cvs.openbsd.org 2013/05/17 00:13:13
[xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
     dns.c packet.c readpass.c authfd.c moduli.c]
     bye, bye xfree(); ok markus@
2013-06-02 07:31:17 +10:00
Darren Tucker 0dd24e02ec - (dtucker) [ssh-keygen.c ssh-pkcs11.c] Bug #1929: add null implementations
ofsh-pkcs11.cpkcs_init and pkcs_terminate for building without dlopen support.
2011-09-04 19:59:26 +10:00
Damien Miller 4fe686d35f - markus@cvs.openbsd.org 2010/06/08 21:32:19
[ssh-pkcs11.c]
     check length of value returned  C_GetAttributValue for != 0
     from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@
2010-06-26 09:36:10 +10:00
Damien Miller 031c9100df - markus@cvs.openbsd.org 2010/04/15 20:32:55
[ssh-pkcs11.c]
     retry lookup for private key if there's no matching key with CKA_SIGN
     attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736)
     ok djm@
2010-04-16 15:54:44 +10:00
Tim Rice 179eee081a - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
compilers. OK djm@
2010-03-04 12:48:05 -08:00
Damien Miller 05abd2c968 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-24 17:16:08 +11:00
Damien Miller dfa4156dbd - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
Use ssh_get_progname to fill __progname
2010-02-12 10:06:28 +11:00
Damien Miller 8ad0fbd98e - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
Make it compile on OSX
2010-02-12 09:49:06 +11:00
Damien Miller 7ea845e48d - markus@cvs.openbsd.org 2010/02/08 10:50:20
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
`
2010-02-12 09:21:02 +11:00