changeset | eadd023fde4d |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Support RSA OpenSSH new format in dropbearconvert Added support for reading and writing. PEM writing support has been removed. OpenSSH file format routines have been moved to signkey_ossh.c |
files |
changeset | fc4c9ef61856 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Split CPPFLAGS and CFLAGS more carefully This has no change to the build, but makes it easier to try other build tools that only want CPPFLAGS |
files |
changeset | 35d504d59c05 |
---|---|
branch | |
bookmark | |
tag | |
user | egor-duda <egor-duda@users.noreply.github.com> |
description | Implement server-side support for sk-ecdsa U2F-backed keys (#142) * Implement server-side support for sk-ecdsa U2F-backed keys * Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys * Fix one more potential out-of-bounds read * Check if nistp256 curve is used in sk-ecdsa-sha2- key It's the only allowed curve per PROTOCOL.u2f specification * Implement server-side support for sk-ed25519 FIDO2-backed keys * Keys with type sk-* make no sense as host keys, so they should be disabled * fix typo * Make sk-ecdsa call buf_ecdsa_verify This reduces code duplication, the SK code just handles the different message format. * Reduce sk specific code The application id can be stored in signkey, then we don't need to call sk-specific functions from svr-authpubkey * Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled * Proper cleanup of sk_app Co-authored-by: Matt Johnston <matt@codeconstruct.com.au> |
files |
changeset | ce17be95a42a |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@codeconstruct.com.au> |
description | Rename "make test" to "make check". Also run lint |
files |
changeset | df7bfd2f7d45 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@codeconstruct.com.au> |
description | Add "make test" target to run pytest This will create a virtualenv if required. There is a bit of churn here reverting to autoconf 2.59 in generated config.h.in and configure |
files |
changeset | 918e49decafa |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fuzz: skip custom mutators with -fsanitize=memory |
files |
changeset | 97ad26e397a5 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add server postauth fuzzer, wrap connect_remote() |
files |
changeset | 8179eabe16c9 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fuzzing - fix some wrong types and -lcrypt on macos |
files |
changeset | af9ed0815818 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Use SSH packet mutator for preauth too Get rid of separate client mutator. Have 0.1% chance of llvm random mutation Add comments |
files |
changeset | 3e1e1f82eba6 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Preallocate memory for sshpacketmutator. Add fuzzer-client_mutator_nomaths |
files |
changeset | b688c884dad7 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fix fuzz-sshpacketmutator to work |
files |
changeset | 2406a9987810 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add first try at fuzzing custom mutator |
files |
changeset | d5680e12ac33 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Move fuzzing code to fuzz/ subdirectory, improve Makefile.in |
files |
changeset | 7cb8bc5ce8b9 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Don't sort objects, it breaks -lcrypt ordering |
files |
changeset | 6e71440b1e47 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add fuzzer-client_nomaths, fix client fuzzer |
files |
changeset | d1b279aa5ed1 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Get client fuzzer building and starting (fails straight away) |
files |
changeset | d529a52b2f7c |
---|---|
branch | coverity |
bookmark | coverity |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge coverity from main |
files |
changeset | 72bb7fb1fced |
---|---|
branch | |
bookmark | |
tag | |
user | Gabor Z. Papp <gzp@papp.hu> |
description | Fix "make install" for manpages in out-of-tree builds |
files |
changeset | 41bf8f216644 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge rsa-sha256 |
files |
changeset | 90fffce0ee99 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add linter for #ifdef |
files |
changeset | 3a97f14c0235 |
---|---|
branch | |
bookmark | |
tag | |
user | Vladislav Grishenko <themiron@users.noreply.github.com> |
description | Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93) * Add Chacha20-Poly1305 authenticated encryption * Add general AEAD approach. * Add chacha20-poly1305@openssh.com algo using LibTomCrypt chacha and poly1305 routines. Chacha20-Poly1305 is generally faster than AES256 on CPU w/o dedicated AES instructions, having the same key size. Compiling in will add ~5,5kB to binary size on x86-64. function old new delta chacha_crypt - 1397 +1397 _poly1305_block - 608 +608 poly1305_done - 595 +595 dropbear_chachapoly_crypt - 457 +457 .rodata 26976 27392 +416 poly1305_process - 290 +290 poly1305_init - 221 +221 chacha_setup - 218 +218 encrypt_packet 1068 1270 +202 dropbear_chachapoly_getlength - 147 +147 decrypt_packet 756 897 +141 chacha_ivctr64 - 137 +137 read_packet 543 637 +94 dropbear_chachapoly_start - 94 +94 read_kex_algos 792 880 +88 chacha_keystream - 69 +69 dropbear_mode_chachapoly - 48 +48 sshciphers 280 320 +40 dropbear_mode_none 24 48 +24 dropbear_mode_ctr 24 48 +24 dropbear_mode_cbc 24 48 +24 dropbear_chachapoly_mac - 24 +24 dropbear_chachapoly - 24 +24 gen_new_keys 848 854 +6 ------------------------------------------------------------------------------ (add/remove: 14/0 grow/shrink: 10/0 up/down: 5388/0) Total: 5388 bytes * Add AES128-GCM and AES256-GCM authenticated encryption * Add general AES-GCM mode. * Add aes128-gcm@openssh.com and aes256-gcm@openssh.com algo using LibTomCrypt gcm routines. AES-GCM is combination of AES CTR mode and GHASH, slower than AES-CTR on CPU w/o dedicated AES/GHASH instructions therefore disabled by default. Compiling in will add ~6kB to binary size on x86-64. function old new delta gcm_process - 1060 +1060 .rodata 26976 27808 +832 gcm_gf_mult - 820 +820 gcm_add_aad - 660 +660 gcm_shift_table - 512 +512 gcm_done - 471 +471 gcm_add_iv - 384 +384 gcm_init - 347 +347 dropbear_gcm_crypt - 309 +309 encrypt_packet 1068 1270 +202 decrypt_packet 756 897 +141 gcm_reset - 118 +118 read_packet 543 637 +94 read_kex_algos 792 880 +88 sshciphers 280 360 +80 gcm_mult_h - 80 +80 dropbear_gcm_start - 62 +62 dropbear_mode_gcm - 48 +48 dropbear_mode_none 24 48 +24 dropbear_mode_ctr 24 48 +24 dropbear_mode_cbc 24 48 +24 dropbear_ghash - 24 +24 dropbear_gcm_getlength - 24 +24 gen_new_keys 848 854 +6 ------------------------------------------------------------------------------ (add/remove: 14/0 grow/shrink: 10/0 up/down: 6434/0) Total: 6434 bytes |
files |
changeset | d32bcb5c557d |
---|---|
branch | |
bookmark | |
tag | |
user | Vladislav Grishenko <themiron@users.noreply.github.com> |
description | Add Ed25519 support (#91) * Add support for Ed25519 as a public key type Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys. OpenSSH key import and fuzzer are not supported yet. Initially inspired by Peter Szabo. * Add curve25519 and ed25519 fuzzers * Add import and export of Ed25519 keys |
files |
changeset | f52919ffd3b1 |
---|---|
branch | |
bookmark | |
tag | |
user | Steffen Jaeckel <s_jaeckel@gmx.de> |
description | update ltm to 1.1.0 and enable FIPS 186.4 compliant key-generation (#79) * make key-generation compliant to FIPS 186.4 * fix includes in tommath_class.h * update fuzzcorpus instead of error-out * fixup fuzzing make-targets * update Makefile.in * apply necessary patches to ltm sources * clean-up not required ltm files * update to vanilla ltm 1.1.0 this already only contains the required files * remove set/get double |
files |
changeset | cc0fc5131c5c |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Rename EPKA -> Plugin |
files |
changeset | 76189c9ffea2 |
---|---|
branch | |
bookmark | |
tag | |
user | fabriziobertocci <fabriziobertocci@gmail.com> |
description | External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char * |
files |
changeset | b59623a64678 |
---|---|
branch | coverity |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | try for coverity |
files |
changeset | b794d277c6da |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fix some links |
files |
changeset | 35af85194268 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add kexdh and kexecdh fuzzers |
files |
changeset | 68abf717328d |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | set up CXX for fuzzing build |
files |
changeset | b66fc351f7e8 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add cryptlib for all targets in fuzz build |
files |
changeset | 92c93b4a3646 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fix to be able to compile normal(ish) binaries with --enable-fuzz |
files |
changeset | 61a793b6e471 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge from main |
files |
changeset | 5212630893ab |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | only clean libtom when using bundled libraries |
files |
changeset | bb8eaa26bc93 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge from main |
files |
changeset | 198e2ee0f4b1 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | - Fix dependencies and remove old default_options.h from version control - Rename default_options.h.in -> default_options.h, and default_options.h -> default_options_guard.h - Fix newlines in default_options.h |
files |
changeset | 5916af64acd4 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge from main |
files |
changeset | 2d450c1056e3 |
---|---|
branch | |
bookmark | |
tag | |
user | Michael Witten <mfwitten@gmail.com> |
description | options: Complete the transition to numeric toggles (`#if') For the sake of review, this commit alters only the code; the affiliated comments within the source files also need to be updated, but doing so now would obscure the operational changes that have been made here. * All on/off options have been switched to the numeric `#if' variant; that is the only way to make this `default_options.h.in' thing work in a reasonable manner. * There is now some very minor compile-time checking of the user's choice of options. * NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed. * ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST, and this commit completes that work. * DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option, which was added by the following commit: commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039 Author: Matt Johnston <matt@ucc.asn.au> Date: Tue May 23 22:29:21 2017 +0800 split out checkpubkey_line() separately It has now been added to `sysoptions.h' and defined as `0' by default. * The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in `default_options.h.in'; it is no longer meant to be set by the user, and is instead left to be defined in `sysoptions.h' (where it was already being defined) as merely the name of the environment variable in question: DROPBEAR_PASSWORD To enable or disable use of that environment variable, the user must now toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'. * The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the path of the sFTP server program is set independently through the usual SFTPSERVER_PATH. |
files |
changeset | bd46cf0e245a |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | update some dependencies |
files |
changeset | 9b87cbe931e3 |
---|---|
branch | |
bookmark | |
tag | |
user | Michael Witten <mfwitten@gmail.com> |
description | build: Remove unused constructs: `space' and `AC_PROG_MAKE_SET' The makefile variable `space' is never used. The autoconf output variable `SET_MAKE' is never used, so the autoconf macro `AC_PROG_MAKE_SET' has been removed. |
files |
changeset | abbdeca6f1bd |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Fix building default_options.h |
files |
changeset | a90fdd2d2ed8 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add fuzzer-preauth_nomaths |
files |
changeset | 4afde04f0607 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge up to date |
files |
changeset | 7dddc4dd7063 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | EXEEXT for a few more targets, dropbearmulti in particular for Cygwin From William K. Foster. |
files |
changeset | 8f88f4290b22 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | document --enable-static in place of STATIC=1 |
files |
changeset | b8764eee6bdb |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add --enable-static configure argument. disable conflicting harden flags |
files |
changeset | d201105df2ed |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add fuzzer-verify |
files |
changeset | dd5d7b7141b9 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | create fuzzer .options files |
files |
changeset | ddfcadca3c4c |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fuzzer-pubkey |
files |
changeset | f9f930e1a516 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add dbmalloc epoch cleanup |
files |
changeset | 3677a510f545 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | add wrapfd. improve fuzzer in makefile |
files |
changeset | 3fdd8c5a0195 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge main to fuzz |
files |
changeset | 66c1cfd5e100 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | rename fuzzer -> fuzz-target, add list-fuzz-targets |
files |
changeset | 68e0e396af80 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Use CXX to link fuzzer, also link with $FUZZLIB |
files |
changeset | 5c2899e35b63 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | fuzz harness |
files |
changeset | b28624698130 |
---|---|
branch | fuzz |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | copy over some fuzzing code from AFL branch |
files |
changeset | 5abbecdecba4 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Add generated header default_options.h to version control. This is a workaround since I cannot figure how to get dependencies to work properly with "make -j" |
files |
changeset | 750ec4ec4cbe |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Convert #ifdef to #if, other build changes |
files |
changeset | 3017bc7d6238 |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | move m_burn and function attributes to dbhelpers use m_burn for libtomcrypt zeromem() too |
files |
changeset | 82e2037d34ea |
---|---|
branch | |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | Move dh group constants to a separate file |
files |
changeset | 01eea88963f3 |
---|---|
branch | fastopen |
bookmark | |
tag | |
user | Matt Johnston <matt@ucc.asn.au> |
description | merge from default |
files |