History log of /openssh-portable/sshkey.c (Results 1 - 25 of 192)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
# e3fa6249 24-Jun-2020 markus@openbsd.org

upstream: only call sshkey_xmss_init() once for KEY_XMSS_CERT; ok

djm

OpenBSD-Commit-ID: d0002ffb7f20f538b014d1d0735facd5a81ff096


# bb52e70f 22-Jun-2020 djm@openbsd.org

upstream: Add support for FIDO webauthn (verification only).

webauthn is a standard for using FIDO keys in web browsers. webauthn
signatures are a slightly different format to plain FIDO

upstream: Add support for FIDO webauthn (verification only).

webauthn is a standard for using FIDO keys in web browsers. webauthn
signatures are a slightly different format to plain FIDO signatures - this
support allows verification of these. Feedback and ok markus@

OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad

show more ...


Revision tags: V_8_3_P1
# 3779b50e 11-Apr-2020 djm@openbsd.org

upstream: Refactor private key parsing. Eliminates a fair bit of

duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
type check in the ECDSA_CERT parsing path.

upstream: Refactor private key parsing. Eliminates a fair bit of

duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
type check in the ECDSA_CERT parsing path.

feedback and ok markus@

OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9

show more ...


# f290ab08 07-Apr-2020 djm@openbsd.org

upstream: add sshkey_parse_pubkey_from_private_fileblob_type()

Extracts a public key from the unencrypted envelope of a new-style
OpenSSH private key.

ok markus@

OpenBS

upstream: add sshkey_parse_pubkey_from_private_fileblob_type()

Extracts a public key from the unencrypted envelope of a new-style
OpenSSH private key.

ok markus@

OpenBSD-Commit-ID: 44d7ab446e5e8c686aee96d5897b26b3939939aa

show more ...


# 8d514eea 07-Apr-2020 djm@openbsd.org

upstream: simplify sshkey_parse_private_fileblob_type()

Try new format parser for all key types first, fall back to PEM
parser only for invalid format errors.

ok markus@

upstream: simplify sshkey_parse_private_fileblob_type()

Try new format parser for all key types first, fall back to PEM
parser only for invalid format errors.

ok markus@

OpenBSD-Commit-ID: 0173bbb3a5cface77b0679d4dca0e15eb5600b77

show more ...


# 421169d0 07-Apr-2020 djm@openbsd.org

upstream: check private key type against requested key type in

new-style private decoding; ok markus@

OpenBSD-Commit-ID: 04d44b3a34ce12ce5187fb6f6e441a88c8c51662


# 6aabfb6d 07-Apr-2020 djm@openbsd.org

upstream: check that pubkey in private key envelope matches actual

private key

(this public key is currently unusued)

ok markus@

OpenBSD-Commit-ID: 634a60b5e135d75

upstream: check that pubkey in private key envelope matches actual

private key

(this public key is currently unusued)

ok markus@

OpenBSD-Commit-ID: 634a60b5e135d75f48249ccdf042f3555112049c

show more ...


# c0f5b229 07-Apr-2020 djm@openbsd.org

upstream: refactor private key parsing a little

Split out the base64 decoding and private section decryption steps in
to separate functions. This will make the decryption step easier to

upstream: refactor private key parsing a little

Split out the base64 decoding and private section decryption steps in
to separate functions. This will make the decryption step easier to fuzz
as well as making it easier to write a "load public key from new-format
private key" function.

ok markus@

OpenBSD-Commit-ID: 7de31d80fb9062aa01901ddf040c286b64ff904e

show more ...


# 7b4f70dd 06-Mar-2020 markus@openbsd.org

upstream: sshkey_cert_check_authority requires reason to be set;

ok djm

OpenBSD-Commit-ID: 6f7a6f19540ed5749763c2f9530c0897c94aa552


# 05efe270 06-Mar-2020 markus@openbsd.org

upstream: passphrase depends on kdfname, not ciphername (possible

null-deref); ok djm

OpenBSD-Commit-ID: 0d39668edf5e790b5837df4926ee1141cec5471c


# d5ba1c03 26-Feb-2020 jsg@openbsd.org

upstream: change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an

upstream: change explicit_bzero();free() to freezero()

While freezero() returns early if the pointer is NULL the tests for
NULL in callers are left to avoid warnings about passing an
uninitialised size argument across a function boundry.

ok deraadt@ djm@

OpenBSD-Commit-ID: 2660fa334fcc7cd05ec74dd99cb036f9ade6384a

show more ...


Revision tags: V_8_2_P1
# 4a05d789 21-Jan-2020 djm@openbsd.org

upstream: fix ssh-keygen not displaying authenticator touch

prompt; reported by jmc@

OpenBSD-Commit-ID: 04d4f582fc194eb3897ebcbfe286c49958ba2859


# c54cd189 30-Dec-2019 djm@openbsd.org

upstream: SK API and sk-helper error/PIN passing

Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.

Also enhance the ssh-sk-helper API to

upstream: SK API and sk-helper error/PIN passing

Allow passing a PIN via the SK API (API major crank) and let the
ssh-sk-helper API follow.

Also enhance the ssh-sk-helper API to support passing back an error
code instead of a complete reply. Will be used to signal "wrong PIN",
etc.

feedback and ok markus@

OpenBSD-Commit-ID: a1bd6b0a2421646919a0c139b8183ad76d28fb71

show more ...


# 9244990e 13-Dec-2019 Damien Miller

remove a bunch of ENABLE_SK #ifdefs

The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to

remove a bunch of ENABLE_SK #ifdefs

The ssh-sk-helper client API gives us a nice place to disable
security key support when it is wasn't enabled at compile time,
so we don't need to check everywere.

Also, verification of security key signatures can remain enabled
all the time - it has no additional dependencies. So sshd can
accept security key pubkeys in authorized_keys, etc regardless of
the host's support for dlopen, etc.

show more ...


# b52ec0ba 13-Dec-2019 djm@openbsd.org

upstream: use ssh-sk-helper for all security key signing operations

This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the ot

upstream: use ssh-sk-helper for all security key signing operations

This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*

requested by, feedback and ok markus@

OpenBSD-Commit-ID: 1abcd3aea9a7460eccfbf8ca154cdfa62f1dc93f

show more ...


# b7e74ea0 24-Nov-2019 djm@openbsd.org

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment,

upstream: Add new structure for signature options

This is populated during signature verification with additional fields
that are present in and covered by the signature. At the moment, it is
only used to record security key-specific options, especially the flags
field.

with and ok markus@

OpenBSD-Commit-ID: 338a1f0e04904008836130bedb9ece4faafd4e49

show more ...


# 4bfc0503 18-Nov-2019 djm@openbsd.org

upstream: fix a bug that prevented serialisation of ed25519-sk keys

OpenBSD-Commit-ID: 066682b79333159cac04fcbe03ebd9c8dcc152a9


# 740c4bc9 18-Nov-2019 djm@openbsd.org

upstream: fix bug that prevented certification of ed25519-sk keys

OpenBSD-Commit-ID: 64c8cc6f5de2cdd0ee3a81c3a9dee8d862645996


# 857f49e9 17-Nov-2019 Darren Tucker

Move ifdef OPENSSL_HAS_ECC.

Found by -Wimplicit-fallthrough: one ECC case was not inside the ifdef.
ok djm@


# fd1a9649 15-Nov-2019 djm@openbsd.org

upstream: remove most uses of BN_CTX

We weren't following the rules re BN_CTX_start/BN_CTX_end and the places
we were using it didn't benefit from its use anyway. ok dtucker@

Op

upstream: remove most uses of BN_CTX

We weren't following the rules re BN_CTX_start/BN_CTX_end and the places
we were using it didn't benefit from its use anyway. ok dtucker@

OpenBSD-Commit-ID: ea9ba6c0d2e6f6adfe00b309a8f41842fe12fc7a

show more ...


# 4f5e331c 13-Nov-2019 markus@openbsd.org

upstream: in order to be able to figure out the number of

signatures left on a shielded key, we need to transfer the number of
signatures left from the private to the public key. ok djm@

upstream: in order to be able to figure out the number of

signatures left on a shielded key, we need to transfer the number of
signatures left from the private to the public key. ok djm@

OpenBSD-Commit-ID: 8a5d0d260aeace47d372695fdae383ce9b962574

show more ...


# bf219920 13-Nov-2019 markus@openbsd.org

upstream: fix shield/unshield for xmss keys: - in ssh-agent we need

to delay the call to shield until we have received key specific options. -
when serializing xmss keys for shield we

upstream: fix shield/unshield for xmss keys: - in ssh-agent we need

to delay the call to shield until we have received key specific options. -
when serializing xmss keys for shield we need to deal with all optional
components (e.g. state might not be loaded). ok djm@

OpenBSD-Commit-ID: cc2db82524b209468eb176d6b4d6b9486422f41f

show more ...


# 1e0b248d 14-Nov-2019 Darren Tucker

Put sshsk_sign call inside ifdef ENABLE_SK.

Fixes build against OpenSSL configured without ECC.


# 2c55744a 12-Nov-2019 markus@openbsd.org

upstream: enable ed25519 support; ok djm

OpenBSD-Commit-ID: 1a399c5b3ef15bd8efb916110cf5a9e0b554ab7e


# fe05a36d 12-Nov-2019 markus@openbsd.org

upstream: implement sshsk_ed25519_inner_sig(); ok djm

OpenBSD-Commit-ID: f422d0052c6d948fe0e4b04bc961f37fdffa0910


12345678