src - OpenBSD base system

Age	Commit message (Collapse)	Author
2021-11-18	avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this	Damien Miller
	for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib"; bz#3364
2021-08-11	remove a bunch of %p in format strings; leftovers of debuggings	Damien Miller
	past. prompted by Michael Forney, ok dtucker@
2021-06-25	fix decoding of X.509 subject name; from Leif Thuresson via bz3327	Damien Miller
	ok markus@
2020-11-22	when loading PKCS#11 keys, include the key fingerprints and provider/slot	Damien Miller
	information in debug output.
2020-10-18	use the new variant log macros instead of prepending __func__ and	Damien Miller
	appending ssh_err(r) manually; ok markus@
2020-05-29	fix compilation on !HAVE_DLOPEN platforms; stub function was not	Damien Miller
	updated to match API change. From Dale Rahn via beck@ ok markus@
2020-03-13	improve error messages for some common PKCS#11 C_Login failure cases;	Damien Miller
	based on patch from Jacob Hoffman-Andrews in bz3130; ok dtucker
2020-03-06	pkcs11_register_provider: return < 0 on error; ok djm	Markus Friedl

2020-01-25	expose PKCS#11 key labels/X.509 subjects as comments	Damien Miller
	Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on https://github.com/openssh/openssh-portable/pull/138 by Danielle Church feedback and ok markus@
2019-10-01	revert unconditional forced login implemented in r1.41 of ssh-pkcs11.c;	Damien Miller
	r1.45 added a forced login as a fallback for cases where the token returns no objects and this is less disruptive for users of tokens directly in ssh (rather than via ssh-agent) and in ssh-keygen bz3006, patch from Jakub Jelen; ok markus
2019-09-05	if a PKCS#11 token returns no keys then try to login and refetch	Damien Miller
	them. Based on patch from Jakub Jelen; bz#2430 ok markus@
2019-09-02	downgrade PKCS#11 "provider returned no slots" warning from log level	Damien Miller
	error to debug. This is common when attempting to enumerate keys on smartcard readers with no cards plugged in. bz#3058 ok dtucker@
2019-03-08	fix use-after-free in ssh-pkcs11; found by hshoexer w/AFL	Markus Friedl

2019-02-04	fix NULL-deref crash in PKCS#11 code when attempting login to a token	Damien Miller
	requiring a PIN; reported by benno@ fix mostly by markus@
2019-01-22	Correct some bugs in PKCS#11 token PIN handling at initial login,	Damien Miller
	the attempt at reading the PIN could be skipped in some cases especially on devices with integrated PIN readers. based on patch from Daniel Kucera in bz#2652; ok markus@
2019-01-22	Support keys that set the CKA_ALWAYS_AUTHENTICATE by requring a	Damien Miller
	fresh login after the C_SignInit operation. based on patch from Jakub Jelen in bz#2638; ok markus
2019-01-21	always print the caller's error message in ossl_error(), even when there	Damien Miller
	are no libcrypto errors to report.
2019-01-21	get the ex_data (pkcs11_key object) back from the keys at the	Damien Miller
	index at which it was inserted, rather than assuming index 0
2019-01-21	use ECDSA_SIG_set0() instead of poking signature values into	Damien Miller
	structure directly; the latter works on LibreSSL but not on OpenSSL. From portable.
2019-01-20	we use singleton pkcs#11 RSA_METHOD and EC_KEY_METHOD now, so there	Damien Miller
	is no need to keep a copy of each in the pkcs11_key object. work by markus@, ok djm@
2019-01-20	KNF previous; from markus@	Damien Miller

2019-01-20	use OpenSSL's RSA reference counting hooks to implicitly clean up	Damien Miller
	pkcs11_key objects when their owning RSA object's reference count drops to zero. Simplifies the cleanup path and makes it more like ECDSA's work by markus@, ok djm@
2019-01-20	make the PKCS#11 RSA code more like the new PKCS#11 ECDSA code:	Damien Miller
	use a single custom RSA_METHOD instead of a method per key suggested by me, but markus@ did all the work. ok djm@
2019-01-20	fix leak of ECDSA pkcs11_key objects	Damien Miller
	work by markus, ok djm@
2019-01-20	use EVP_PKEY_get0_EC_KEY() instead of direct access of EC_KEY internals	Damien Miller
	as that won't work on OpenSSL work by markus@, feedback and ok djm@
2019-01-20	cleanup PKCS#11 ECDSA pubkey loading: the returned object should never	Damien Miller
	have a DER header work by markus; feedback and ok djm@
2019-01-20	cleanup unnecessary code in ECDSA pkcs#11 signature support: the	Damien Miller
	sign operation does not return DER, but a concatenation of r\|s work by markus@, feedback and ok djm@
2019-01-20	add support for ECDSA keys in PKCS#11 tokens	Damien Miller
	Work by markus@ and Pedro Martelletto, feedback and ok me@
2018-09-13	hold our collective noses and use the openssl-1.1.x API in OpenSSH;	Damien Miller
	feedback and ok tb@ jsing@ markus@
2018-02-07	Remove all guards for calls to OpenSSL free functions - all of these	Joel Sing
	functions handle NULL, from at least OpenSSL 1.0.1g onwards. Prompted by dtucker@ asking about guards for RSA_free(), when looking at openssh-portable pr#84 on github. ok deraadt@ dtucker@
2017-05-31	Switch to recallocarray() for a few operations. Both growth and shrinkage	Theo de Raadt
	are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus
2017-05-30	sshkey_new() might return NULL (pkcs#11 code only); ok djm@	Markus Friedl

2016-10-28	Improve pkcs11_add_provider() logging: demote some excessively	Damien Miller
	verbose error()s to debug()s, include PKCS#11 provider name and slot in log messages where possible. bz#2610, based on patch from Jakub Jelen
2016-02-12	avoid fatal() for PKCS11 tokens that present empty key IDs	Damien Miller
	bz#1773, ok markus@
2015-07-18	don't ignore PKCS#11 hosted keys that return empty CKA_ID;	Damien Miller
	patch by Jakub Jelen via bz#2429; ok markus
2015-07-18	skip uninitialised PKCS#11 slots; patch from Jakub Jelen in bz#2427	Damien Miller
	ok markus@
2015-05-27	support PKCS#11 devices with external PIN entry devices	Damien Miller
	bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@
2015-04-24	rename xrealloc() to xreallocarray() since it follows that form.	Theo de Raadt
	ok djm
2015-02-03	missing ;	Theo de Raadt
	djm and mlarkin really having great interactions recently
2015-02-02	handle PKCS#11 C_Login returning CKR_USER_ALREADY_LOGGED_IN;	Damien Miller
	based on patch from Yuri Samoilenko; ok markus@
2015-01-15	sync ssh-keysign, ssh-keygen and some dependencies to the new	Damien Miller
	buffer/key API; mostly mechanical, ok markus@
2014-06-24	New key API: refactor key-related functions to be more library-like,	Damien Miller
	existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
2014-05-02	revert __bounded change; it causes way more problems for portable than	Damien Miller
	it solves; pointed out by dtucker@
2014-03-26	use __bounded(...) attribute recently added to sys/cdefs.h instead of	Damien Miller
	longform __attribute__(__bounded(...)); for brevity and a warning free compilation with llvm/clan
2013-11-13	add missing braces found by pedro	Markus Friedl

2013-11-06	from portable: s/true/true_val/ to avoid name collisions on dump platforms	Damien Miller

2013-11-02	support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;	Markus Friedl
	fixes bz#1908; based on patch from Laurent Barbe; ok djm
2013-07-12	fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@	Damien Miller

2013-05-17	bye, bye xfree(); ok markus@	Damien Miller

2010-06-08	check length of value returned C_GetAttributValue for != 0	Markus Friedl
	from mdrtbugzilla@codefive.co.uk; bugzilla #1773; ok dtucker@