| #
96bd895a |
| 06-Feb-2020 |
djm@openbsd.org |
upstream: When using HostkeyAlgorithms to merely append or remove
algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the
default behaviour of preferring those algori
upstream: When using HostkeyAlgorithms to merely append or remove
algorithms from the default set (i.e. HostkeyAlgorithms=+/-...), retain the
default behaviour of preferring those algorithms that have existing keys in
known_hosts; ok markus
OpenBSD-Commit-ID: 040e7fcc38ea00146b5d224ce31ce7a1795ee6ed
show more ...
|
| #
a47f6a6c |
| 06-Feb-2020 |
naddy@openbsd.org |
upstream: Replace "security key" with "authenticator" in program
messages.
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator"
upstream: Replace "security key" with "authenticator" in program
messages.
This replaces "security key" in error/usage/verbose messages and
distinguishes between "authenticator" and "authenticator-hosted key".
ok djm@
OpenBSD-Commit-ID: 7c63800e9c340c59440a054cde9790a78f18592e
show more ...
|
| #
7f8e66fe |
| 23-Jan-2020 |
dtucker@openbsd.org |
upstream: Make zlib optional. This adds a "ZLIB" build time option
that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
Ope
upstream: Make zlib optional. This adds a "ZLIB" build time option
that allows building without zlib compression and associated options. With
feedback from markus@, ok djm@
OpenBSD-Commit-ID: 44c6e1133a90fd15a3aa865bdedc53bab28b7910
show more ...
|
| #
3bf2a6ac |
| 23-Jan-2020 |
dtucker@openbsd.org |
upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTA
upstream: Replace all calls to signal(2) with a wrapper around
sigaction(2). This wrapper blocks all other signals during the handler
preventing races between handlers, and sets SA_RESTART which should reduce
the potential for short read/write operations.
OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519
show more ...
|
| #
c4b3a128 |
| 22-Jan-2020 |
dtucker@openbsd.org |
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portabl
upstream: Remove unsupported algorithms from list of defaults at run
time and remove ifdef and distinct settings for OPENSSL=no case.
This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any). ok djm@
OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
show more ...
|
| #
881aded0 |
| 21-Jan-2020 |
djm@openbsd.org |
upstream: a little more verbosity in sign_and_send_pubkey() debug
messages
OpenBSD-Commit-ID: 6da47a0e6373f6683006f49bc2a516d197655508
|
| #
49dc9fa9 |
| 14-Nov-2019 |
djm@openbsd.org |
upstream: close the "touch your security key" notifier on the error
path too
OpenBSD-Commit-ID: c7628bf80505c1aefbb1de7abc8bb5ee51826829
|
| #
72687c8e |
| 12-Nov-2019 |
deraadt@openbsd.org |
upstream: stdarg.h required more broadly; ok djm
OpenBSD-Commit-ID: b5b15674cde1b54d6dbbae8faf30d47e6e5d6513
|
| #
e44bb618 |
| 12-Nov-2019 |
djm@openbsd.org |
upstream: security keys typically need to be tapped/touched in
order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if
upstream: security keys typically need to be tapped/touched in
order to perform a signature operation. Notify the user when this is expected
via the TTY (if available) or $SSH_ASKPASS if we can.
ok markus@
OpenBSD-Commit-ID: 0ef90a99a85d4a2a07217a58efb4df8444818609
show more ...
|
| #
2c55744a |
| 12-Nov-2019 |
markus@openbsd.org |
upstream: enable ed25519 support; ok djm
OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e
|
| #
9a14c64c |
| 31-Oct-2019 |
djm@openbsd.org |
upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign()
upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.
Suggested by / ok markus@
OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
show more ...
|
| #
884416bd |
| 31-Oct-2019 |
djm@openbsd.org |
upstream: ssh client support for U2F/FIDO keys
OpenBSD-Commit-ID: eb2cfa6cf7419a1895e06e398ea6d41516c5b0bc
|
|
Revision tags: V_8_1_P1 |
|
| #
6b39a7b4 |
| 05-Aug-2019 |
dtucker@openbsd.org |
upstream: Remove now-redundant perm_ok arg since
sshkey_load_private_type will now return SSH_ERR_KEY_BAD_PERMISSIONS in that
case. Patch from jitendra.sharma at intel.com, ok djm@
upstream: Remove now-redundant perm_ok arg since
sshkey_load_private_type will now return SSH_ERR_KEY_BAD_PERMISSIONS in that
case. Patch from jitendra.sharma at intel.com, ok djm@
OpenBSD-Commit-ID: 07916a17ed0a252591b71e7fb4be2599cb5b0c77
show more ...
|
| #
696fb429 |
| 06-Jul-2019 |
dtucker@openbsd.org |
upstream: Remove some set but never used variables. ok daraadt@
OpenBSD-Commit-ID: 824baf9c59afc66a4637017e397b9b74a41684e7
|
| #
4d28fa78 |
| 28-Jun-2019 |
deraadt@openbsd.org |
upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this be
upstream: When system calls indicate an error they return -1, not
some arbitrary value < 0. errno is only updated in this case. Change all
(most?) callers of syscalls to follow this better, and let's see if this
strictness helps us in the future.
OpenBSD-Commit-ID: 48081f00db7518e3b712a49dca06efc2a5428075
show more ...
|
| #
c586d2d3 |
| 30-May-2019 |
djm@openbsd.org |
upstream: fix ssh-keysign fd handling problem introduced in r1.304
caused by a typo (STDIN_FILENO vs STDERR_FILENO)
OpenBSD-Commit-ID: 57a0b4be7bef23963afe24150e24bf014fdd9cb0
|
| #
a1d29cc3 |
| 15-May-2019 |
deraadt@openbsd.org |
upstream: When doing the fork+exec'ing for ssh-keysign, rearrange
the socket into fd3, so as to not mistakenly leak other fd forward
accidentally. ok djm
OpenBSD-Commit-ID: 24cc
upstream: When doing the fork+exec'ing for ssh-keysign, rearrange
the socket into fd3, so as to not mistakenly leak other fd forward
accidentally. ok djm
OpenBSD-Commit-ID: 24cc753f5aa2c6a7d0fbf62766adbc75cd785296
show more ...
|
|
Revision tags: V_8_0_P1 |
|
| #
38e83e4f |
| 12-Feb-2019 |
djm@openbsd.org |
upstream: fix regression in r1.302 reported by naddy@ - only the first
public key from the agent was being attempted for use.
OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f4
upstream: fix regression in r1.302 reported by naddy@ - only the first
public key from the agent was being attempted for use.
OpenBSD-Commit-ID: 07116aea521a04888718b2157f1ca723b2f46c8d
show more ...
|
| #
5c68ea8d |
| 11-Feb-2019 |
djm@openbsd.org |
upstream: cleanup GSSAPI authentication context after completion of the
authmethod. Move function-static GSSAPI state to the client Authctxt
structure. Make static a bunch of functions t
upstream: cleanup GSSAPI authentication context after completion of the
authmethod. Move function-static GSSAPI state to the client Authctxt
structure. Make static a bunch of functions that aren't used outside this
file.
Based on patch from Markus Schmidt <markus@blueflash.cc>; ok markus@
OpenBSD-Commit-ID: 497fb792c0ddb4f1ba631b6eed526861f115dbe5
show more ...
|
| #
aaca72d6 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: rename kex->kem_client_pub -> kex->client_pub now that
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8
upstream: rename kex->kem_client_pub -> kex->client_pub now that
KEM has been renamed to kexgen
from markus@ ok djm@
OpenBSD-Commit-ID: fac6da5dc63530ad0da537db022a9a4cfbe8bed8
show more ...
|
| #
92dda34e |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla ECDH
from markus@ ok djm@
OpenBSD-Commit-ID: 6fbff96339a929835536b5730585d1d6057a352c
|
| #
9c9c97e1 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla DH KEX
from markus@ ok djm@
OpenBSD-Commit-ID: af56466426b08a8be275412ae2743319e3d277c9
|
| #
2f6a9ddb |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: use KEM API for vanilla c25519 KEX
OpenBSD-Commit-ID: 38d937b85ff770886379dd66a8f32ab0c1c35c1f
|
| #
dfd59161 |
| 21-Jan-2019 |
djm@openbsd.org |
upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss.
upstream: Add support for a PQC KEX/KEM:
sntrup4591761x25519-sha512@tinyssh.org using the Streamlined NTRU Prime
4591^761 implementation from SUPERCOP coupled with X25519 as a stop-loss. Not
enabled by default.
introduce KEM API; a simplified framework for DH-ish KEX methods.
from markus@ feedback & ok djm@
OpenBSD-Commit-ID: d687f76cffd3561dd73eb302d17a1c3bf321d1a7
show more ...
|
| #
0a5f2ea3 |
| 20-Jan-2019 |
djm@openbsd.org |
upstream: GSSAPI code got missed when converting to new packet API
OpenBSD-Commit-ID: 37e4f06ab4a0f4214430ff462ba91acba28b7851
|