#
2c71cec0 |
| 28-Dec-2020 |
djm@openbsd.org |
upstream: Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tiny
upstream: Update/replace the experimental post-quantim hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519). The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per the authors, sntrup4591761 was replaced almost two years ago by sntrup761. The sntrup761 implementaion, like sntrup4591761 before it, is public domain code extracted from the SUPERCOP cryptography benchmark suite (https://bench.cr.yp.to/supercop.html). Thanks for Daniel J Bernstein for guidance on algorithm selection. Patch from Tobias Heider; feedback & ok markus@ and myself (note this both the updated method and the one that it replaced are disabled by default) OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae
show more ...
|
#
ace12dc6 |
| 03-Dec-2020 |
djm@openbsd.org |
upstream: make ssh_free(NULL) a no-op OpenBSD-Commit-ID: 42cb285d94789cefe6608db89c63040ab0a80fa0
|
#
816036f1 |
| 18-Oct-2020 |
djm@openbsd.org |
upstream: use the new variant log macros instead of prepending __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
|
Revision tags: V_8_4_P1 |
|
#
9b8ad938 |
| 26-Aug-2020 |
djm@openbsd.org |
upstream: support for user-verified FIDO keys FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular o
upstream: support for user-verified FIDO keys FIDO2 supports a notion of "user verification" where the user is required to demonstrate their identity to the token before particular operations (e.g. signing). Typically this is done by authenticating themselves using a PIN that has been set on the token. This adds support for generating and using user verified keys where the verification happens via PIN (other options might be added in the future, but none are in common use now). Practically, this adds another key generation option "verify-required" that yields a key that requires a PIN before each authentication. feedback markus@ and Pedro Martelletto; ok markus@ OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
show more ...
|
#
55ef3e9c |
| 01-Jul-2020 |
markus@openbsd.org |
upstream: free kex in ssh_packet_close; ok djm semarie OpenBSD-Commit-ID: dbc181e90d3d32fd97b10d75e68e374270e070a2
|
Revision tags: V_8_3_P1, V_8_2_P1 |
|
#
9a14c64c |
| 31-Oct-2019 |
djm@openbsd.org |
upstream: Refactor signing - use sshkey_sign for everything, including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign()
upstream: Refactor signing - use sshkey_sign for everything, including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
show more ...
|
Revision tags: V_8_1_P1 |
|
#
b36ee3fc |
| 13-Sep-2019 |
dtucker@openbsd.org |
upstream: Plug mem leaks on error paths, based in part on github pr#120 from David Carlier. ok djm@. OpenBSD-Commit-ID: c57adeb1022a8148fc86e5a88837b3b156dbdb7e
|
#
670104b9 |
| 06-Sep-2019 |
djm@openbsd.org |
upstream: fixes for !WITH_OPENSSL compilation; ok dtucker@ OpenBSD-Commit-ID: 7fd68eaa9e0f7482b5d4c7e8d740aed4770a839f
|
#
be02d7cb |
| 06-Sep-2019 |
djm@openbsd.org |
upstream: lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly OpenBSD-Commit-ID: 5b522f4f2
upstream: lots of things were relying on libcrypto headers to transitively include various system headers (mostly stdlib.h); include them explicitly OpenBSD-Commit-ID: 5b522f4f2d844f78bf1cc4f3f4cc392e177b2080
show more ...
|
Revision tags: V_8_0_P1 |
|
#
aaca72d6 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen from markus@ ok djm@ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8
upstream: rename kex->kem_client_pub -> kex->client_pub now that KEM has been renamed to kexgen from markus@ ok djm@ OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
show more ...
|
#
92dda34e |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla ECDH from markus@ ok djm@ OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
|
#
9c9c97e1 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla DH KEX from markus@ ok djm@ OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
|
#
2f6a9ddb |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla c25519 KEX OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
|
#
dfd59161 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss.
upstream: Add support for a PQC KEX/KEM: sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime 4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not enabled by default. introduce KEM API; a simplified framework for DH-ish KEX methods. from markus@ feedback & ok djm@ OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
show more ...
|
#
04c091fc |
| 19-Jan-2019 |
djm@openbsd.org |
upstream: remove last references to active_state with & ok markus@ OpenBSD-Commit-ID: 78619a50ea7e4ca2f3b54d4658b3227277490ba2
|
#
0a843d9a |
| 26-Dec-2018 |
djm@openbsd.org |
upstream: move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be mor
upstream: move client/server SSH-* banners to buffers under ssh->kex and factor out the banner exchange. This eliminates some common code from the client and server. Also be more strict about handling \r characters - these should only be accepted immediately before \n (pointed out by Jann Horn). Inspired by a patch from Markus Schmidt. (lots of) feedback and ok markus@ OpenBSD-Commit-ID: 1cc7885487a6754f63641d7d3279b0941890275b
show more ...
|
#
42c5ec4b |
| 22-Nov-2018 |
Damien Miller |
refactor libcrypto initialisation Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually supports it. Move all libcrypto initialisation to a single function, and call t
refactor libcrypto initialisation Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually supports it. Move all libcrypto initialisation to a single function, and call that from seed_rng() that is called early in each tool's main(). Prompted by patch from Rosen Penev
show more ...
|
#
31b49525 |
| 22-Oct-2018 |
Darren Tucker |
Include openssl compatibility. Patch from rosenp at gmail.com via openssh-unix-dev.
|
Revision tags: V_7_9_P1, V_7_8_P1, V_7_7_P1, V_7_6_P1 |
|
#
97f4d308 |
| 30-Apr-2017 |
djm@openbsd.org |
upstream commit remove compat20/compat13/compat15 variables ok markus@ Upstream-ID: 43802c035ceb3fef6c50c400e4ecabf12354691c
|
Revision tags: V_7_5_P1, V_7_4_P1, V_7_3_P1 |
|
#
05164541 |
| 04-May-2016 |
markus@openbsd.org |
upstream commit move SSH_MSG_NONE, so we don't have to include ssh1.h; ok deraadt@ Upstream-ID: c2f97502efc761a41b18c17ddf460e138ca7994e
|
#
0e8eeec8 |
| 02-May-2016 |
djm@openbsd.org |
upstream commit add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K
upstream commit add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03 diffie-hellman-group14-sha256 (2K group) diffie-hellman-group16-sha512 (4K group) diffie-hellman-group18-sha512 (8K group) based on patch from Mark D. Baushke and Darren Tucker ok markus@ Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f
show more ...
|
Revision tags: V_7_2_P2, V_7_2_P1, V_7_1_P2 |
|
#
76c9fbbe |
| 04-Dec-2015 |
markus@openbsd.org |
upstream commit implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
upstream commit implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@ Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
show more ...
|
Revision tags: V_7_1_P1, V_7_0_P1, V_6_9_P1, V_6_8_P1 |
|
#
f2004cd1 |
| 22-Feb-2015 |
Darren Tucker |
Repair for non-ECC OpenSSL. Ifdef out the ECC parts when building with an OpenSSL that doesn't have it.
|
#
773dda25 |
| 30-Jan-2015 |
Damien Miller |
repair --without-openssl; broken in refactor
|
#
523463a3 |
| 16-Feb-2015 |
djm@openbsd.org |
upstream commit Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostke
upstream commit Revise hostkeys@openssh.com hostkey learning extension. The client will not ask the server to prove ownership of the private halves of any hitherto-unseen hostkeys it offers to the client. Allow UpdateHostKeys option to take an 'ask' argument to let the user manually review keys offered. ok markus@
show more ...
|