Age | Commit message (Collapse) | Author |
|
malloc_options. Prepares for changes in the way malloc is initialized. ok
guenther@ dtucker@
OpenBSD-Commit-ID: 154f4e3e174f614b09f792d4d06575e08de58a6b
|
|
changing a key pair's comments (using -c and -C) more applicable to both
methods. ok and suggestions djm@ dtucker@
OpenBSD-Commit-ID: b379338118109eb36e14a65bc0a12735205b3de6
|
|
sizes. "seems worthwhile" deraadt.
OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456
|
|
the estimates from NIST Special Publication 800-57, 3k bits provides security
equivalent to 128 bits which is the smallest symmetric cipher we enable by
default. ok markus@ deraadt@
OpenBSD-Commit-ID: 461dd32ebe808f88f4fc3ec74749b0e6bef2276b
|
|
interactive, so it can ask for the smartcards PIN. ok markus@
OpenBSD-Commit-ID: 1be7ccf88f1876e0fc4d7c9b3f96019ac5655bab
|
|
signed in a single commandline.
OpenBSD-Commit-ID: 39881087641efb8cd83c7ec13b9c98280633f45b
|
|
rest static
OpenBSD-Commit-ID: fa431d92584e81fe99f95882f4c56b43fe3242dc
|
|
OpenBSD-Commit-ID: bca476a5236e8f94210290b3e6a507af0434613e
|
|
Don't call OpenSSL_add_all_algorithms() unless OpenSSL actually
supports it.
Move all libcrypto initialisation to a single function, and call that
from seed_rng() that is called early in each tool's main().
Prompted by patch from Rosen Penev
|
|
Correct error message when OpenSSL doesn't support certain ECDSA key
lengths.
|
|
/path/certificate", include the algorithm that the CA used to sign the cert.
OpenBSD-Commit-ID: 1ea20b5048a851a7a0758dcb9777a211a2c0dddd
|
|
OpenBSD-Commit-ID: 7c05bf13b094093dfa01848a9306c82eb6e95f6c
|
|
OpenSSH; feedback and ok tb@ jsing@ markus@
OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
|
|
to create KRLs using SHA256/base64 key fingerprints; ok markus@
OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94
|
|
suported by OpenSSH >= 6.5 (released January 2014), so it should be supported
by most OpenSSH versions in active use.
It is possible to convert new-format private keys to the older
format using "ssh-keygen -f /path/key -pm PEM".
ok deraadt dtucker
OpenBSD-Commit-ID: e3bd4f2509a2103bfa2f710733426af3ad6d8ab8
|
|
|
|
OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
|
|
static limits noted by gerhard@; ok dtucker@, djm@
OpenBSD-Commit-ID: 6d702eabef0fa12e5a1d75c334a8c8b325298b5c
|
|
OpenBSD-Commit-ID: e5edb5e843ddc9b73a8e46518899be41d5709add
|
|
known_hosts entries in a single operation (ssh-keygen -HF hostname); bz2772
Report and fix from Anton Kremenetsky
OpenBSD-Commit-ID: ac10ca13eb9bb0bc50fcd42ad11c56c317437b58
|
|
simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
|
|
Hash-Based Signatures) The code is not compiled in by default (see WITH_XMSS
in Makefile.inc) Joint work with stefan-lukas_gazdag at genua.eu See
https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 ok
djm@
OpenBSD-Commit-ID: ef3eccb96762a5d6f135d7daeef608df7776a7ac
|
|
Refuse to create a certificate with an unusable number of
principals; Prompted by gdestuynder via github
OpenBSD-Commit-ID: 8cfae2451e8f07810e3e2546dfdcce66984cbd29
|
|
fatal if we're unable to write all the public key; previously
we would silently ignore errors writing the comment and terminating newline.
Prompted by github PR from WillerZ; ok dtucker
OpenBSD-Commit-ID: 18fbfcfd4e8c6adbc84820039b64d70906e49831
|
|
Remove some #ifdef notyet code from OpenSSL 0.9.8 days.
These functions have never appeared in OpenSSL and are likely never to do
so.
"kill it with fire" djm@
OpenBSD-Commit-ID: fee9560e283fd836efc2631ef381658cc673d23e
|
|
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
|
|
allow certificate validity intervals that specify only a
start or stop time (we already support specifying both or neither)
OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
|
|
When generating all hostkeys (ssh-keygen -A), clobber
existing keys if they exist but are zero length. zero-length keys could
previously be made if ssh-keygen failed part way through generating them, so
avoid that case too. bz#2561 reported by Krzysztof Cieplucha; ok dtucker@
Upstream-ID: f662201c28ab8e1f086b5d43c59cddab5ade4044
|
|
remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus
Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
|
|
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus
Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
|
|
remove unused wrapper functions from key.[ch]; ok djm@
Upstream-ID: ea0f4016666a6817fc11f439dd4be06bab69707e
|
|
Refuse RSA keys <1024 bits in length. Improve reporting
for keys that do not meet this requirement. ok markus@
Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
|
|
remove KEY_RSA1
ok markus@
Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
|
|
unifdef WITH_SSH1 ok markus@
Upstream-ID: 9716e62a883ef8826c57f4d33b4a81a9cc7755c7
|
|
allow ssh-keygen to include arbitrary string or flag
certificate extensions and critical options. ok markus@ dtucker@
Upstream-ID: 2cf28dd6c5489eb9fc136e0b667ac3ea10241646
|
|
ensure hostname is lower-case before hashing it;
bz#2591 reported by Griff Miller II; ok dtucker@
Upstream-ID: c3b8b93804f376bd00d859b8bcd9fc0d86b4db17
|
|
Check l->hosts before dereferencing; fixes potential null
pointer deref. ok djm@
Upstream-ID: 81c0327c6ec361da794b5c680601195cc23d1301
|
|
linenum is unsigned long so use %lu in log formats. ok
deraadt@
Upstream-ID: 9dc582d9bb887ebe0164e030d619fc20b1a4ea08
|
|
fix ssh-keygen -H accidentally corrupting known_hosts that
contained already-hashed entries. HKF_MATCH_HOST_HASHED is only set by
hostkeys_foreach() when hostname matching is in use, so we need to look for
the hash marker explicitly.
Upstream-ID: da82ad653b93e8a753580d3cf5cd448bc2520528
|
|
Do not show rsa1 key type in usage when compiled without
SSH1 support.
Upstream-ID: 068b5c41357a02f319957746fa4e84ea73960f57
|
|
Sanitise escape sequences in key comments sent to printf
but preserve valid UTF-8 when the locale supports it; bz#2520 ok dtucker@
Upstream-ID: e8eed28712ba7b22d49be534237eed019875bd1e
|
|
Avoid printf %s NULL. From semarie@, OK djm@
Upstream-ID: 06beef7344da0208efa9275d504d60d2a5b9266c
|
|
|
|
|
|
|
|
|
|
Spaces->tabs.
Upstream-ID: f4829dfc3f36318273f6082b379ac562eead70b7
|
|
Style whitespace fix. Also happens to remove a no-op
diff with portable.
Upstream-ID: 45d90f9a62ad56340913a433a9453eb30ceb8bf3
|
|
These were incorrectly removed in the 1d9a2e28 sync commit.
|
|
support SHA256 and SHA512 RSA signatures in certificates;
ok markus@
Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
|