| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | when loading PKCS#11 keys, include the key fingerprints and provider/slot |   djm | 2020-11-22 | 1 | -3/+22 |
| | | | | | information in debug output. | ||||
| * | use the new variant log macros instead of prepending __func__ and | djm | 2020-10-18 | 1 | -42/+35 |
| | | | | | appending ssh_err(r) manually; ok markus@ | ||||
| * | fix compilation on !HAVE_DLOPEN platforms; stub function was not | djm | 2020-05-29 | 1 | -2/+3 |
| | | | | | updated to match API change. From Dale Rahn via beck@ ok markus@ | ||||
| * | improve error messages for some common PKCS#11 C_Login failure cases; | djm | 2020-03-13 | 1 | -4/+19 |
| | | | | | based on patch from Jacob Hoffman-Andrews in bz3130; ok dtucker | ||||
| * | pkcs11_register_provider: return < 0 on error; ok djm |   markus | 2020-03-06 | 1 | -1/+3 |
| | | |||||
| * | expose PKCS#11 key labels/X.509 subjects as comments | djm | 2020-01-25 | 1 | -53/+89 |
| | | | | | | | | | | | | Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church feedback and ok markus@ | ||||
| * | revert unconditional forced login implemented in r1.41 of ssh-pkcs11.c; | djm | 2019-10-01 | 1 | -26/+5 |
| | | | | | | | | | r1.45 added a forced login as a fallback for cases where the token returns no objects and this is less disruptive for users of tokens directly in ssh (rather than via ssh-agent) and in ssh-keygen bz3006, patch from Jakub Jelen; ok markus | ||||
| * | if a PKCS#11 token returns no keys then try to login and refetch | djm | 2019-09-05 | 1 | -11/+33 |
| | | | | | them. Based on patch from Jakub Jelen; bz#2430 ok markus@ | ||||
| * | downgrade PKCS#11 "provider returned no slots" warning from log level | djm | 2019-09-02 | 1 | -2/+2 |
| | | | | | | error to debug. This is common when attempting to enumerate keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@ | ||||
| * | fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL | markus | 2019-03-08 | 1 | -1/+3 |
| | | |||||
| * | fix NULL-deref crash in PKCS#11 code when attempting login to a token | djm | 2019-02-04 | 1 | -2/+17 |
| | | | | | requiring a PIN; reported by benno@ fix mostly by markus@ | ||||
| * | Correct some bugs in PKCS#11 token PIN handling at initial login, | djm | 2019-01-22 | 1 | -12/+22 |
| | | | | | | | | the attempt at reading the PIN could be skipped in some cases especially on devices with integrated PIN readers. based on patch from Daniel Kucera in bz#2652; ok markus@ | ||||
| * | Support keys that set the CKA_ALWAYS_AUTHENTICATE by requring a | djm | 2019-01-22 | 1 | -26/+95 |
| | | | | | | | fresh login after the C_SignInit operation. based on patch from Jakub Jelen in bz#2638; ok markus | ||||
| * | always print the caller's error message in ossl_error(), even when there | djm | 2019-01-21 | 1 | -2/+3 |
| | | | | | are no libcrypto errors to report. | ||||
| * | get the ex_data (pkcs11_key object) back from the keys at the | djm | 2019-01-21 | 1 | -9/+8 |
| | | | | | index at which it was inserted, rather than assuming index 0 | ||||
| * | use ECDSA_SIG_set0() instead of poking signature values into | djm | 2019-01-21 | 1 | -3/+14 |
| | | | | | | structure directly; the latter works on LibreSSL but not on OpenSSL. From portable. | ||||
| * | we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD now, so there | djm | 2019-01-20 | 1 | -7/+3 |
| | | | | | | | is no need to keep a copy of each in the pkcs11_key object. work by markus@, ok djm@ | ||||
| * | KNF previous; from markus@ | djm | 2019-01-20 | 1 | -6/+6 |
| | | |||||
| * | use OpenSSL's RSA reference counting hooks to implicitly clean up | djm | 2019-01-20 | 1 | -35/+21 |
| | | | | | | | | | pkcs11_key objects when their owning RSA object's reference count drops to zero. Simplifies the cleanup path and makes it more like ECDSA's work by markus@, ok djm@ | ||||
| * | make the PKCS#11 RSA code more like the new PKCS#11 ECDSA code: | djm | 2019-01-20 | 1 | -16/+29 |
| | | | | | | | | use a single custom RSA_METHOD instead of a method per key suggested by me, but markus@ did all the work. ok djm@ | ||||
| * | fix leak of ECDSA pkcs11_key objects | djm | 2019-01-20 | 1 | -2/+21 |
| | | | | | work by markus, ok djm@ | ||||
| * | use EVP_PKEY_get0_EC_KEY() instead of direct access of EC_KEY internals | djm | 2019-01-20 | 1 | -4/+3 |
| | | | | | | | as that won't work on OpenSSL work by markus@, feedback and ok djm@ | ||||
| * | cleanup PKCS#11 ECDSA pubkey loading: the returned object should never | djm | 2019-01-20 | 1 | -10/+14 |
| | | | | | | | have a DER header work by markus; feedback and ok djm@ | ||||
| * | cleanup unnecessary code in ECDSA pkcs#11 signature support: the | djm | 2019-01-20 | 1 | -25/+16 |
| | | | | | | | sign operation does not return DER, but a concatenation of r|s work by markus@, feedback and ok djm@ | ||||
| * | add support for ECDSA keys in PKCS#11 tokens | djm | 2019-01-20 | 1 | -204/+1149 |
| | | | | | Work by markus@ and Pedro Martelletto, feedback and ok me@ | ||||
| * | hold our collective noses and use the openssl-1.1.x API in OpenSSH; | djm | 2018-09-13 | 1 | -16/+41 |
| | | | | | feedback and ok tb@ jsing@ markus@ | ||||
| * | Remove all guards for calls to OpenSSL free functions - all of these |   jsing | 2018-02-07 | 1 | -3/+2 |
| | | | | | | | | | | functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@ | ||||
| * | Switch to recallocarray() for a few operations. Both growth and shrinkage |   deraadt | 2017-05-31 | 1 | -3/+3 |
| | | | | | | | are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus | ||||
| * | sshkey_new() might return NULL (pkcs#11 code only); ok djm@ | markus | 2017-05-30 | 1 | -2/+3 |
| | | |||||
| * | Improve pkcs11_add_provider() logging: demote some excessively | djm | 2016-10-28 | 1 | -15/+26 |
| | | | | | | | verbose error()s to debug()s, include PKCS#11 provider name and slot in log messages where possible. bz#2610, based on patch from Jakub Jelen | ||||
| * | avoid fatal() for PKCS11 tokens that present empty key IDs | djm | 2016-02-12 | 1 | -3/+5 |
| | | | | | bz#1773, ok markus@ | ||||
| * | don't ignore PKCS#11 hosted keys that return empty CKA_ID; | djm | 2015-07-18 | 1 | -6/+14 |
| | | | | | patch by Jakub Jelen via bz#2429; ok markus | ||||
| * | skip uninitialised PKCS#11 slots; patch from Jakub Jelen in bz#2427 | djm | 2015-07-18 | 1 | -1/+6 |
| | | | | | ok markus@ | ||||
| * | support PKCS#11 devices with external PIN entry devices | djm | 2015-05-27 | 1 | -12/+20 |
| | | | | | | bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@ | ||||
| * | rename xrealloc() to xreallocarray() since it follows that form. | deraadt | 2015-04-24 | 1 | -2/+2 |
| | | | | | ok djm | ||||
| * | missing ; | deraadt | 2015-02-03 | 1 | -2/+2 |
| | | | | | djm and mlarkin really having great interactions recently | ||||
| * | handle PKCS#11 C_Login returning CKR_USER_ALREADY_LOGGED_IN; | djm | 2015-02-02 | 1 | -5/+7 |
| | | | | | based on patch from Yuri Samoilenko; ok markus@ | ||||
| * | sync ssh-keysign, ssh-keygen and some dependencies to the new | djm | 2015-01-15 | 1 | -13/+13 |
| | | | | | buffer/key API; mostly mechanical, ok markus@ | ||||
| * | New key API: refactor key-related functions to be more library-like, | djm | 2014-06-24 | 1 | -2/+2 |
| | | | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. | ||||
| * | revert __bounded change; it causes way more problems for portable than | djm | 2014-05-02 | 1 | -2/+2 |
| | | | | | it solves; pointed out by dtucker@ | ||||
| * | use __bounded(...) attribute recently added to sys/cdefs.h instead of | djm | 2014-03-26 | 1 | -2/+2 |
| | | | | | | | longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clan | ||||
| * | add missing braces found by pedro | markus | 2013-11-13 | 1 | -2/+2 |
| | | |||||
| * | from portable: s/true/true_val/ to avoid name collisions on dump platforms | djm | 2013-11-06 | 1 | -3/+3 |
| | | |||||
| * | support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys; | markus | 2013-11-02 | 1 | -28/+98 |
| | | | | | fixes bz#1908; based on patch from Laurent Barbe; ok djm | ||||
| * | fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@ | djm | 2013-07-12 | 1 | -6/+6 |
| | | |||||
| * | bye, bye xfree(); ok markus@ | djm | 2013-05-17 | 1 | -15/+12 |
| | | |||||
| * | check length of value returned C_GetAttributValue for != 0 | markus | 2010-06-08 | 1 | -2/+8 |
| | | | | | from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@ | ||||
| * | retry lookup for private key if there's no matching key with CKA_SIGN | markus | 2010-04-15 | 1 | -11/+34 |
| | | | | | | attribute enabled; this fixes fixes MuscleCard support (bugzilla #1736) ok djm@ | ||||
| * | Add $OpenBSD$ tags in comments, our portable-syncing scripts use these | djm | 2010-02-24 | 1 | -0/+1 |
| | | |||||
| * | dlclose() call should also be #ifdef HAVE_DLOPEN | deraadt | 2010-02-21 | 1 | -0/+2 |
| | | |||||
 |
index : wireguard-openbsd | |
| WireGuard implementation for the OpenBSD kernel | Matt Dunwoodie |
| summaryrefslogtreecommitdiffstats |