History log of /openssh-portable/authfd.c (Results 1 – 25 of 124)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
Revision tags: V_8_6_P1, V_8_5_P1
# cb7b22ea 25-Jan-2021 djm@openbsd.org

upstream: factor out common code in the agent client

Add a ssh_request_reply_decode() function that sends a message to
the agent, reads and parses a success/failure reply.
Use it for all requests th

upstream: factor out common code in the agent client

Add a ssh_request_reply_decode() function that sends a message to
the agent, reads and parses a success/failure reply.
Use it for all requests that only expect success/failure

ok markus@

OpenBSD-Commit-ID: e0c1f4d5e6cfa525d62581e2b8de93be0cb85adb

show more ...


# 1a14c131 28-Oct-2020 djm@openbsd.org

upstream: whitespace; no code change

OpenBSD-Commit-ID: efefc1c47e880887bdee8cd2127ca93177eaad79


# eab2888c 19-Oct-2020 dtucker@openbsd.org

upstream: Adapt XMSS to new logging infrastructure. With markus@, ok

djm@.

OpenBSD-Commit-ID: 9c35ec3aa0f710e4e3325187ceff4fa3791686de


Revision tags: V_8_4_P1
# a3e0c376 26-Jun-2020 djm@openbsd.org

upstream: constify a few things; ok dtucker (as part of another

diff)

OpenBSD-Commit-ID: 7c17fc987085994d752304bd20b1ae267a9bcdf6


Revision tags: V_8_3_P1
# bc30b446 06-Mar-2020 markus@openbsd.org

upstream: ssh_fetch_identitylist() returns the return value from

ssh_request_reply() so we should also check against != 0 ok djm

OpenBSD-Commit-ID: 28d0028769d03e665688c61bb5fd943e18614952


# d5ba1c03 26-Feb-2020 jsg@openbsd.org

upstream: change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised s

upstream: change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a

show more ...


Revision tags: V_8_2_P1
# 40be78f5 20-Dec-2019 djm@openbsd.org

upstream: Allow forwarding a different agent socket to the path

specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment

upstream: Allow forwarding a different agent socket to the path

specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent option to
accepting an explicit path or the name of an environment variable in addition
to yes/no.

Patch by Eric Chiang, manpage by me; ok markus@

OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265

show more ...


# 72687c8e 12-Nov-2019 deraadt@openbsd.org

upstream: stdarg.h required more broadly; ok djm

OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513


# 2c55744a 12-Nov-2019 markus@openbsd.org

upstream: enable ed25519 support; ok djm

OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e


# b9dd14d3 31-Oct-2019 djm@openbsd.org

upstream: add new agent key constraint for U2F/FIDO provider

feedback & ok markus@

OpenBSD-Commit-ID: d880c380170704280b4003860a1744d286c7a172


Revision tags: V_8_1_P1
# 06af3583 03-Sep-2019 djm@openbsd.org

upstream: authfd: add function to check if key is in agent

This commit adds a helper function which allows the caller to
check if a given public key is present in ssh-agent.

work by Sebastian Kinne

upstream: authfd: add function to check if key is in agent

This commit adds a helper function which allows the caller to
check if a given public key is present in ssh-agent.

work by Sebastian Kinne; ok markus@

OpenBSD-Commit-ID: d43c5826353e1fdc1af71eb42961b30782c7bd13

show more ...


# 2ab5a846 03-Sep-2019 djm@openbsd.org

upstream: fix memleak in ssh_free_identitylist(); ok markus@

OpenBSD-Commit-ID: aa51f77ae2c5330a1f61b2d22933f24a443f9abf


# 4d28fa78 28-Jun-2019 deraadt@openbsd.org

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and le

upstream: When system calls indicate an error they return -1, not

some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.

OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075

show more ...


# 4f7a56d5 21-Jun-2019 djm@openbsd.org

upstream: Add protection for private keys at rest in RAM against

speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer
and Rambleed. This change encrypts private keys when the

upstream: Add protection for private keys at rest in RAM against

speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer
and Rambleed. This change encrypts private keys when they are not in use with
a symmetic key that is derived from a relatively large "prekey" consisting of
random data (currently 16KB).

Attackers must recover the entire prekey with high accuracy before
they can attempt to decrypt the shielded private key, but the current
generation of attacks have bit error rates that, when applied
cumulatively to the entire prekey, make this unlikely.

Implementation-wise, keys are encrypted "shielded" when loaded and then
automatically and transparently unshielded when used for signatures or
when being saved/serialised.

Hopefully we can remove this in a few years time when computer
architecture has become less unsafe.

been in snaps for a bit already; thanks deraadt@

ok dtucker@ deraadt@

OpenBSD-Commit-ID: 19767213c312e46f94b303a512ef8e9218a39bd4

show more ...


Revision tags: V_8_0_P1
# 007a88b4 27-Dec-2018 djm@openbsd.org

upstream: Request RSA-SHA2 signatures for

rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@

OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033


# 87d6cf1c 29-Nov-2018 djm@openbsd.org

upstream: don't attempt to connect to empty SSH_AUTH_SOCK; bz#293

OpenBSD-Commit-ID: 0e8fc8f19f14b21adef7109e0faa583d87c0e929


Revision tags: V_7_9_P1, V_7_8_P1
# 49f47e65 09-Jul-2018 markus@openbsd.org

upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@

OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29


# 4ba0d547 03-Jul-2018 djm@openbsd.org

upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to

upstream: Improve strictness and control over RSA-SHA2 signature

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

OpenBSD-Commit-ID: c6e9f6d45eed8962ad502d315d7eaef32c419dde

show more ...


# 001aa554 09-Apr-2018 djm@openbsd.org

upstream: lots of typos in comments/docs. Patch from Karsten Weiss

after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)

OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60b

upstream: lots of typos in comments/docs. Patch from Karsten Weiss

after checking with codespell tool
(https://github.com/lucasdemarchi/codespell)

OpenBSD-Commit-ID: 373222f12d7ab606598a2d36840c60be93568528

show more ...


Revision tags: V_7_7_P1
# 1b11ea7c 23-Feb-2018 markus@openbsd.org

upstream: Add experimental support for PQC XMSS keys (Extended

Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at ge

upstream: Add experimental support for PQC XMSS keys (Extended

Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@

OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac

show more ...


# d9e5cf07 10-Feb-2018 djm@openbsd.org

upstream commit

constify some private key-related functions; based on
https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault

OpenBSD-Commit-ID: dcb94a41834a15f4d00275cb5051616fdc4

upstream commit

constify some private key-related functions; based on
https://github.com/openssh/openssh-portable/pull/56 by Vincent Brillault

OpenBSD-Commit-ID: dcb94a41834a15f4d00275cb5051616fdc4c988c

show more ...


# 14b5c635 23-Jan-2018 djm@openbsd.org

upstream commit

Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final S

upstream commit

Drop compatibility hacks for some ancient SSH
implementations, including ssh.com <=2.* and OpenSSH <= 3.*.

These versions were all released in or before 2001 and predate the
final SSH RFCs. The hacks in question aren't necessary for RFC-
compliant SSH implementations.

ok markus@

OpenBSD-Commit-ID: 4be81c67db57647f907f4e881fb9341448606138

show more ...


Revision tags: V_7_6_P1
# 83fa3a04 01-Jul-2017 djm@openbsd.org

upstream commit

remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus

Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f


# a98339ed 27-Jun-2017 djm@openbsd.org

upstream commit

Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f


# 3e371bd2 05-May-2017 naddy@openbsd.org

upstream commit

more simplification and removal of SSHv1-related code;
ok djm@

Upstream-ID: d2f041aa0b79c0ebd98c68a01e5a0bfab2cf3b55


12345