than a constant (this makes no difference in practice because the length is
always the same); reported by martin AT nmkd.net
OpenBSD-Commit-ID: 4aecce232c2fe9b16e9217ff6bcb3c848d853e7e
allocated using mmap(3) with MAP_CONCEAL set. This prevents exposure of the
key material in coredumps, etc (this is in addition to other measures we take
in this area).
ok deraadt@
OpenBSD-Commit-ID: cbbae59f337a00c9858d6358bc65f74e62261369
DSA remains unconverted as it will be removed within six months.
Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).
ok tb@
OpenBSD-Commit-ID: d098744e89f1dc7e5952a6817bef234eced648b5
sshd_config.
Previously this directive would accept certificate algorithm names, but
these were unusable in practice as OpenSSH does not support CA chains.
part of bz3577; ok dtucker@
OpenBSD-Commit-ID: a992d410c8a78ec982701bc3f91043dbdb359912
Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal of having each key-*.c file
owning as much of its keytype's implementation as possible.
lots of feedback + ok markus@
OpenBSD-Commit-ID: 0f2b4334f73914344e9e5b3d33522d41762a57ec
the code in private2_check_padding(). Pull private2_check_padding() up so the
code can be reused. From Martin Vahlensieck, ok deraadt@
OpenBSD-Commit-ID: 876884c3f0e62e8fd8d1594bab06900f971c9c85
signature algorithms. RSA keys can make signatures with multiple algorithms,
so some special handling is required. ok markus@
OpenBSD-Commit-ID: 03b41b2bda06fa4cd9c84cef6095033b9e49b6ff
signatures support key lifetimes, and allow the verification mode to specify
a signature time to check at. This is intended for use by git to support
signing objects using ssh keys. ok dtucker@
OpenBSD-Commit-ID: 3e2c67b7dcd94f0610194d1e8e4907829a40cf31
consistency between redundant fields in private key certificate and private
key body; ok markus@
OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240
warnings from compilers not smart enough to know the strftime calls won't
ever fully fill "to" and "from". ok djm@
OpenBSD-Commit-ID: 83733f1b01b82da88b9dd1769475952aff10bdd7
FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.
This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.
feedback markus@ and Pedro Martelletto; ok markus@
OpenBSD-Commit-ID: 57fd461e4366f87c47502c5614ec08573e6d6a15
webauthn is a standard for using FIDO keys in web browsers. webauthn
signatures are a slightly different format to plain FIDO signatures - this
support allows verification of these. Feedback and ok markus@
OpenBSD-Commit-ID: ab7e3a9fb5782d99d574f408614d833379e564ad
duplicated code and fixes oss-fuzz#20074 (NULL deref) caused by a missing key
type check in the ECDSA_CERT parsing path.
feedback and ok markus@
OpenBSD-Commit-ID: 4711981d88afb7196d228f7baad9be1d3b20f9c9
Extracts a public key from the unencrypted envelope of a new-style
OpenSSH private key.
ok markus@
OpenBSD-Commit-ID: 44d7ab446e5e8c686aee96d5897b26b3939939aa
Try new format parser for all key types first, fall back to PEM
parser only for invalid format errors.
ok markus@
OpenBSD-Commit-ID: 0173bbb3a5cface77b0679d4dca0e15eb5600b77
Split out the base64 decoding and private section decryption steps in
to separate functions. This will make the decryption step easier to fuzz
as well as making it easier to write a "load public key from new-format
private key" function.
ok markus@
OpenBSD-Commit-ID: 7de31d80fb9062aa01901ddf040c286b64ff904e
