Up to [local] / src / usr.bin / ssh
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.10 / (download) - annotate - [select for diffs], Mon Jul 17 04:01:10 2023 UTC (10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
OPENBSD_7_4_BASE,
OPENBSD_7_4,
HEAD
Changes since 1.9: +3 -5 lines
Diff to previous 1.9 (colored)
remove vestigal support for KRL signatures When the KRL format was originally defined, it included support for signing of KRL objects. However, the code to sign KRLs and verify KRL signatues was never completed in OpenSSH. Now, some years later, we have SSHSIG support in ssh-keygen that is more general, well tested and actually works. So this removes the semi-finished KRL signing/verification support from OpenSSH and refactors the remaining code to realise the benefit - primarily, we no longer need to perform multiple parsing passes over KRL objects. ok markus@
Revision 1.9 / (download) - annotate - [select for diffs], Mon Jul 17 03:57:21 2023 UTC (10 months ago) by djm
Branch: MAIN
Changes since 1.8: +3 -1 lines
Diff to previous 1.8 (colored)
Support for KRL extensions. This defines wire formats for optional KRL extensions and implements parsing of the new submessages. No actual extensions are supported at this point. ok markus
Revision 1.8 / (download) - annotate - [select for diffs], Fri Apr 3 02:26:56 2020 UTC (4 years, 1 month ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3,
OPENBSD_7_2_BASE,
OPENBSD_7_2,
OPENBSD_7_1_BASE,
OPENBSD_7_1,
OPENBSD_7_0_BASE,
OPENBSD_7_0,
OPENBSD_6_9_BASE,
OPENBSD_6_9,
OPENBSD_6_8_BASE,
OPENBSD_6_8,
OPENBSD_6_7_BASE,
OPENBSD_6_7
Changes since 1.7: +2 -1 lines
Diff to previous 1.7 (colored)
give ssh-keygen the ability to dump the contents of a binary key revocation list: ssh-keygen -lQf /path bz#3132; ok dtucker
Revision 1.7 / (download) - annotate - [select for diffs], Fri Jun 21 04:21:04 2019 UTC (4 years, 10 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE,
OPENBSD_6_6
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)
Add protection for private keys at rest in RAM against speculation and memory sidechannel attacks like Spectre, Meltdown, Rowhammer and Rambleed. This change encrypts private keys when they are not in use with a symmetic key that is derived from a relatively large "prekey" consisting of random data (currently 16KB). Attackers must recover the entire prekey with high accuracy before they can attempt to decrypt the shielded private key, but the current generation of attacks have bit error rates that, when applied cumulatively to the entire prekey, make this unlikely. Implementation-wise, keys are encrypted "shielded" when loaded and then automatically and transparently unshielded when used for signatures or when being saved/serialised. Hopefully we can remove this in a few years time when computer architecture has become less unsafe. been in snaps for a bit already; thanks deraadt@ ok dtucker@ deraadt@
Revision 1.6 / (download) - annotate - [select for diffs], Wed Sep 12 01:21:34 2018 UTC (5 years, 8 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE,
OPENBSD_6_5,
OPENBSD_6_4_BASE,
OPENBSD_6_4
Changes since 1.5: +4 -2 lines
Diff to previous 1.5 (colored)
allow key revocation by SHA256 hash and allow ssh-keygen to create KRLs using SHA256/base64 key fingerprints; ok markus@
Revision 1.5 / (download) - annotate - [select for diffs], Wed Dec 30 23:46:14 2015 UTC (8 years, 4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE,
OPENBSD_6_3,
OPENBSD_6_2_BASE,
OPENBSD_6_2,
OPENBSD_6_1_BASE,
OPENBSD_6_1,
OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.4: +1 -2 lines
Diff to previous 1.4 (colored)
unused prototype
Revision 1.4 / (download) - annotate - [select for diffs], Tue Jan 13 19:06:49 2015 UTC (9 years, 4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8,
OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.3: +2 -2 lines
Diff to previous 1.3 (colored)
sync changes from libopenssh; prepared by markus@ mostly debug output tweaks, a couple of error return value changes and some other minor stuff
Revision 1.3 / (download) - annotate - [select for diffs], Thu Dec 4 01:49:59 2014 UTC (9 years, 5 months ago) by djm
Branch: MAIN
Changes since 1.2: +20 -18 lines
Diff to previous 1.2 (colored)
convert KRL code to new buffer API ok markus@
Revision 1.2 / (download) - annotate - [select for diffs], Fri Jan 18 00:24:58 2013 UTC (11 years, 4 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6,
OPENBSD_5_5_BASE,
OPENBSD_5_5,
OPENBSD_5_4_BASE,
OPENBSD_5_4,
OPENBSD_5_3_BASE,
OPENBSD_5_3
Changes since 1.1: +2 -0 lines
Diff to previous 1.1 (colored)
RCD IDs help us keep portable in synch
Revision 1.1 / (download) - annotate - [select for diffs], Thu Jan 17 23:00:01 2013 UTC (11 years, 4 months ago) by djm
Branch: MAIN
add support for Key Revocation Lists (KRLs). These are a compact way to represent lists of revoked keys and certificates, taking as little as a single bit of incremental cost to revoke a certificate by serial number. KRLs are loaded via the existing RevokedKeys sshd_config option. feedback and ok markus@