summaryrefslogtreecommitdiffstats
path: root/ssh-pkcs11-client.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* upstream: Convert RSA and ECDSA key to the libcrypto EVP_PKEY API.djm@openbsd.org2024-08-151-21/+62
| | | | | | | | | | | | DSA remains unconverted as it will be removed within six months. Based on patches originally from Dmitry Belyavskiy, but significantly reworked based on feedback from Bob Beck, Joel Sing and especially Theo Buehler (apologies to anyone I've missed). ok tb@ OpenBSD-Commit-ID: d098744e89f1dc7e5952a6817bef234eced648b5
* Fix compilation error in ssh-pcks11-client.cRose2024-01-081-0/+2
| | | | | | Compilation fails becaus of an undefined reference to helper_by_ec, because we forgot the preprocessor conditional that excludes that function from being called in unsupported configurations.
* upstream: Make it possible to load certs from PKCS#11 tokensdjm@openbsd.org2023-12-181-1/+55
| | | | | | | | | Adds a protocol extension to allow grafting certificates supplied by ssh-add to keys loaded from PKCS#11 tokens in the agent. feedback/ok markus@ OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
* Handle a couple more OpenSSL no-ecc cases.Darren Tucker2023-07-251-2/+4
| | | | ok djm@
* Bring back OPENSSL_HAS_ECC to ssh-pkcs11-clientDamien Miller2023-07-201-2/+17
|
* upstream: Separate ssh-pkcs11-helpers for each p11 moduledjm@openbsd.org2023-07-191-93/+285
| | | | | | | | | | | | | | | | Make ssh-pkcs11-client start an independent helper for each provider, providing better isolation between modules and reliability if a single module misbehaves. This also implements reference counting of PKCS#11-hosted keys, allowing ssh-pkcs11-helper subprocesses to be automatically reaped when no remaining keys reference them. This fixes some bugs we have that make PKCS11 keys unusable after they have been deleted, e.g. https://bugzilla.mindrot.org/show_bug.cgi?id=3125 ok markus@ OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
* make OPENSSL_HAS_ECC checks more thoroughDamien Miller2021-10-011-8/+8
| | | | ok dtucker
* upstream: use the new variant log macros instead of prependingdjm@openbsd.org2020-10-181-27/+26
| | | | | | __func__ and appending ssh_err(r) manually; ok markus@ OpenBSD-Commit-ID: 1f14b80bcfa85414b2a1a6ff714fb5362687ace8
* upstream: expose PKCS#11 key labels/X.509 subjects as commentsdjm@openbsd.org2020-01-251-3/+11
| | | | | | | | | | | | | Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church feedback and ok markus@ OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
* upstream: add "-v" flags to ssh-add and ssh-pkcs11-helper to turn updjm@openbsd.org2019-01-211-5/+10
| | | | | | | | | | | | debug verbosity. Make ssh-agent turn on ssh-pkcs11-helper's verbosity when it is run in debug mode ("ssh-agent -d"), so we get to see errors from the PKCS#11 code. ok markus@ OpenBSD-Commit-ID: 0a798643c6a92a508df6bd121253ba1c8bee659d
* conditionalise ECDSA PKCS#11 supportDamien Miller2019-01-211-1/+9
| | | | | Require EC_KEY_METHOD support in libcrypto, evidenced by presence of EC_KEY_METHOD_new() function.
* upstream: cleanup pkcs#11 client code: use sshkey_new in insteaddjm@openbsd.org2019-01-211-23/+42
| | | | | | | | of stack- allocating a sshkey work by markus@, ok djm@ OpenBSD-Commit-ID: a048eb6ec8aa7fa97330af927022c0da77521f91
* upstream: allow override of the pkcs#11 helper binary viadjm@openbsd.org2019-01-211-5/+7
| | | | | | | | $SSH_PKCS11_HELPER; needed for regress tests. work by markus@, ok me OpenBSD-Commit-ID: f78d8185500bd7c37aeaf7bd27336db62f0f7a83
* upstream: add support for ECDSA keys in PKCS#11 tokensdjm@openbsd.org2019-01-211-11/+92
| | | | | | Work by markus@ and Pedro Martelletto, feedback and ok me@ OpenBSD-Commit-ID: a37d651e221341376636056512bddfc16efb4424
* adapt -portable to OpenSSL 1.1x APIDamien Miller2018-09-131-0/+2
| | | | Polyfill missing API with replacement functions extracted from LibreSSL
* upstream: hold our collective noses and use the openssl-1.1.x API indjm@openbsd.org2018-09-131-5/+7
| | | | | | OpenSSH; feedback and ok tb@ jsing@ markus@ OpenBSD-Commit-ID: cacbcac87ce5da0d3ca7ef1b38a6f7fb349e4417
* upstream: replace cast with call to sshbuf_mutable_ptr(); ok djm@markus@openbsd.org2018-07-101-2/+2
| | | | OpenBSD-Commit-ID: 4dfe9d29fa93d9231645c89084f7217304f7ba29
* upstream: pkcs11: switch to sshbuf API; ok djm@markus@openbsd.org2018-07-101-57/+79
| | | | OpenBSD-Commit-ID: 98cc4e800f1617c51caf59a6cb3006f14492db79
* upstream committb@openbsd.org2018-02-061-2/+3
| | | | | | | | Add a couple of non-negativity checks to avoid close(-1). ok djm OpenBSD-Commit-ID: 4701ce0b37161c891c838d0931305f1d37a50880
* upstream commitmarkus@openbsd.org2017-05-311-3/+3
| | | | | | switch from Key typedef with struct sshkey; ok djm@ Upstream-ID: 3067d33e04efbe5131ce8f70668c47a58e5b7a1f
* upstream commitmmcc@openbsd.org2015-12-111-2/+2
| | | | | | | | | Pass (char *)NULL rather than (char *)0 to execl and execlp. ok dtucker@ Upstream-ID: 56c955106cbddba86c3dd9bbf786ac0d1b361492
* - djm@cvs.openbsd.org 2014/06/24 01:13:21Damien Miller2014-07-021-1/+3
| | | | | | | | | | | | | | | | | | | | | | | [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c [sshconnect2.c sshd.c sshkey.c sshkey.h [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h] New key API: refactor key-related functions to be more library-like, existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago. NB. This commit also removes portable OpenSSH support for OpenSSL <0.9.8e.
* - djm@cvs.openbsd.org 2013/05/17 00:13:13Darren Tucker2013-06-011-5/+5
| | | | | | | | | | | | | | | | | | [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c dns.c packet.c readpass.c authfd.c moduli.c] bye, bye xfree(); ok markus@
* - miod@cvs.openbsd.org 2012/01/16 20:34:09Damien Miller2012-02-101-1/+3
| | | | | | | [ssh-pkcs11-client.c] Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. While there, be sure to buffer_clear() between send_msg() and recv_msg(). ok markus@
* - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller2010-02-241-0/+1
| | | | [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
* - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller2010-02-121-0/+4
| | | | Use ssh_get_progname to fill __progname
* - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller2010-02-111-1/+5
| | | | Make it compile on OSX
* - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller2010-02-111-0/+229
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 16:45:26 +0100