make DSA key support compile-time optional, defaulting to on

ok markus@

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.

refactor sshkey_private_deserialize

feedback/ok markus@

refactor sshkey_private_serialize_opt()

feedback/ok markus@

refactor sshkey_sign() and sshkey_verify()

feedback/ok markus@

refactor sshkey_from_blob_internal()

feedback/ok markus@

refactor sshkey_from_private()

feedback/ok markus@

factor out key generation

feedback/ok markus@

factor out public key serialization

feedback/ok markus@

factor out sshkey_equal_public()

feedback/ok markus@

begin big refactor of sshkey

Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal

begin big refactor of sshkey

Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal of having each key-*.c file
owning as much of its keytype's implementation as possible.

lots of feedback + ok markus@

show more ...

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argume

change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

show more ...

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when lookin

Remove all guards for calls to OpenSSL free functions - all of these
functions handle NULL, from at least OpenSSL 1.0.1g onwards.

Prompted by dtucker@ asking about guards for RSA_free(), when looking at
openssh-portable pr#84 on github.

ok deraadt@ dtucker@

show more ...

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hack

Drop compatibility hacks for some ancient SSH implementations, including
ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

show more ...

make argument == NULL tests more consistent

Remove NULL-checks before sshbuf_free().

ok djm@

Remove NULL-checks before free().

ok dtucker@

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matt

New key API: refactor key-related functions to be more library-like,
existing API is offered as a set of wrappers.

with and ok markus@

Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
Dempsky and Ron Bowes for a detailed review a few months ago.

show more ...

convert memset of potentially-private data to explicit_bzero()

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
f

Introduce digest API and use it to perform all hashing operations
rather than calling OpenSSL EVP_Digest* directly. Will make it easier
to build a reduced-feature OpenSSH without OpenSSL in future;
feedback, ok markus@

show more ...

make the original RSA and DSA signing/verification code look more like
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
rather than tediously listing all variants, use __func__

make the original RSA and DSA signing/verification code look more like
the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
rather than tediously listing all variants, use __func__ for debug/
error messages

show more ...

bye, bye xfree(); ok markus@

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appe

Add buffer_get_cstring() and related functions that verify that the
string extracted from the buffer contains no embedded \0 characters*
This prevents random (possibly malicious) crap from being appended to
strings where it would not be noticed if the string is used with
a string(3) function.

Use the new API in a few sensitive places.

* actually, we allow a single one at the end of the string for now because
we don't know how many deployed implementations get this wrong, but don't
count on this to remain indefinitely.

show more ...

revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:

move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix a

revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with the
following changes:

move the nonce field to the beginning of the certificate where it can
better protect against chosen-prefix attacks on the signature hash

Rename "constraints" field to "critical options"

Add a new non-critical "extensions" field

Add a serial number

The older format is still support for authentication and cert generation
(use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate)

ok markus@

show more ...