summaryrefslogtreecommitdiff
path: root/krl.c
AgeCommit message (Collapse)Author
2015-06-25upstream commitdjm@openbsd.org
correct test to sshkey_sign(); spotted by Albert S. Upstream-ID: 5f7347f40f0ca6abdaca2edb3bd62f4776518933
2015-01-30upstream commitdjm@openbsd.org
permit KRLs that revoke certificates by serial number or key ID without scoping to a particular CA; ok markus@
2015-01-27upstream commitdjm@openbsd.org
small refactor and add some convenience functions; ok markus
2015-01-26upstream commitderaadt@openbsd.org
Reduce use of <sys/param.h> and transition to <limits.h> throughout. ok djm markus
2015-01-20upstream commitdjm@openbsd.org
fix format strings in (disabled) debugging
2015-01-20upstream commitderaadt@openbsd.org
string truncation due to sizeof(size) ok djm markus
2015-01-15more --without-opensslDamien Miller
fix some regressions caused by upstream merges enable KRLs now that they no longer require BIGNUMs
2015-01-15support --without-openssl at configure timeDamien Miller
Disables and removes dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on system with native arc4random or /dev/urandom. Considered highly experimental for now.
2015-01-15upstream commitdjm@openbsd.org
avoid BIGNUM in KRL code by using a simple bitmap; feedback and ok markus
2015-01-14upstream commitdjm@openbsd.org
sync changes from libopenssh; prepared by markus@ mostly debug output tweaks, a couple of error return value changes and some other minor stuff
2015-01-13upstream commitmarkus@openbsd.org
missing error assigment on sshbuf_put_string()
2015-01-13upstream commitmarkus@openbsd.org
free->sshkey_free; ok djm@
2015-01-09upstream commitdjm@openbsd.org
deprecate key_load_private_pem() and sshkey_load_private_pem() interfaces. Refactor the generic key loading API to not require pathnames to be specified (they weren't really used). Fixes a few other things en passant: Makes ed25519 keys work for hostbased authentication (ssh-keysign previously used the PEM-only routines). Fixes key comment regression bz#2306: key pathnames were being lost as comment fields. ok markus@
2014-12-22upstream commitdjm@openbsd.org
Add FingerprintHash option to control algorithm used for key fingerprints. Default changes from MD5 to SHA256 and format from hex to base64. Feedback and ok naddy@ markus@
2014-12-05upstream commitdjm@openbsd.org
convert KRL code to new buffer API ok markus@
2014-11-24upstream commitdjm@openbsd.org
fix NULL pointer dereference crash on invalid timestamp found using Michal Zalewski's afl fuzzer
2014-11-17upstream commitdjm@openbsd.org
fix KRL generation when multiple CAs are in use We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 01:13:21Damien Miller
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
2014-07-02 - djm@cvs.openbsd.org 2014/06/24 00:52:02Damien Miller
[krl.c] fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
2014-05-15 - djm@cvs.openbsd.org 2014/04/28 03:09:18Damien Miller
[authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h] [ssh-keygen.c] buffer_get_string_ptr's return should be const to remind callers that futzing with it will futz with the actual buffer contents
2014-02-04 - tedu@cvs.openbsd.org 2014/01/31 16:39:19Damien Miller
[auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c] [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c] [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c] [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c] [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h] replace most bzero with explicit_bzero, except a few that cna be memset ok djm dtucker
2013-07-25 - djm@cvs.openbsd.org 2013/07/20 22:20:42Damien Miller
[krl.c] fix verification error in (as-yet usused) KRL signature checking path
2013-07-18 - markus@cvs.openbsd.org 2013/06/20 19:15:06Damien Miller
[krl.c] don't leak the rdata blob on errors; ok djm@
2013-04-23 - djm@cvs.openbsd.org 2013/04/05 00:14:00Damien Miller
[auth2-gss.c krl.c sshconnect2.c] hush some {unused, printf type} warnings
2013-04-05 - dtucker@cvs.openbsd.org 2013/02/19 02:12:47Darren Tucker
[krl.c] Remove bogus include. ok djm (id sync only)
2013-02-19 - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneededTim Rice
err.h include from krl.c. Additional portability fixes for modpipe. OK djm
2013-02-12 - djm@cvs.openbsd.org 2013/01/27 10:06:12Damien Miller
[krl.c] actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
2013-02-12 - djm@cvs.openbsd.org 2013/01/25 10:22:19Damien Miller
[krl.c] redo last commit without the vi-vomit that snuck in: skip serial lookup when cert's serial number is zero (now with 100% better comment)
2013-02-12 - krw@cvs.openbsd.org 2013/01/25 05:00:27Damien Miller
[krl.c] Revert last. Breaks due to likely typo. Let djm@ fix later. ok djm@ via dlg@
2013-02-12 - djm@cvs.openbsd.org 2013/01/24 22:08:56Damien Miller
[krl.c] skip serial lookup when cert's serial number is zero
2013-02-12 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2013/01/24 21:45:37 [krl.c] fix handling of (unused) KRL signatures; skip string in correct buffer
2013-01-20 - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newerDamien Miller
version.
2013-01-20 - markus@cvs.openbsd.org 2013/01/19 12:34:55Damien Miller
[krl.c] RB_INSERT does not remove existing elments; ok djm@
2013-01-18 - djm@cvs.openbsd.org 2013/01/18 03:00:32Damien Miller
[krl.c] fix KRL generation bug for list sections
2013-01-18 - djm@cvs.openbsd.org 2013/01/17 23:00:01Damien Miller
[auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5] [krl.c krl.h PROTOCOL.krl] add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@