[openssh-commits] [openssh] branch master updated (de37ca90 -> d70d0618)

git+noreply at mindrot.org
Wed Sep 12 16:52:11 AEST 2018


This is an automated email from the git hooks/post-receive script.

djm pushed a change to branch master
in repository openssh.

      from  de37ca90  upstream: Add FALLTHROUGH comments where appropriate. Patch from
       new  50e2687e  upstream: log certificate fingerprint in authentication
       new  9405c621  upstream: allow key revocation by SHA256 hash and allow ssh-keygen
       new  357128ac  upstream: Add "ssh -Q sig" to allow listing supported signature
       new  a70fd4ad  upstream: add cert->signature_type field and keep it in sync with
       new  ba9e7883  upstream: add sshkey_check_cert_sigtype() that checks a
       new  4cc259ba  upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of
       new  f0fcd7e6  upstream: fix edit mistake; spotted by jmc@
       new  41c115a5  delete the correct thing; kexfuzz binary
       new  2de78bc7  upstream: s/sshkey_demote/sshkey_from_private/g
       new  f803b268  upstream: test revocation by explicit hash and by fingerprint
       new  d70d0618  upstream: Include certs with multiple RSA signature variants in

The 11 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.


Detailed log of new commits:

commit d70d061828730a56636ab6f1f24fe4a8ccefcfc1
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:36:45 2018 +0000

    upstream: Include certs with multiple RSA signature variants in
    
    test data Ensure that cert->signature_key is populated correctly
    
    OpenBSD-Regress-ID: 56e68f70fe46cb3a193ca207385bdb301fd6603a

commit f803b2682992cfededd40c91818b653b5d923ef5
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:23:48 2018 +0000

    upstream: test revocation by explicit hash and by fingerprint
    
    OpenBSD-Regress-ID: 079c18a9ab9663f4af419327c759fc1e2bc78fd8

commit 2de78bc7da70e1338b32feeefcc6045cf49efcd4
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:22:43 2018 +0000

    upstream: s/sshkey_demote/sshkey_from_private/g
    
    OpenBSD-Regress-ID: 782bde7407d94a87aa8d1db7c23750e09d4443c4

commit 41c115a5ea1cb79a6a3182773c58a23f760e8076
Author: Damien Miller <djm at mindrot.org>
Date:   Wed Sep 12 16:50:01 2018 +1000

    delete the correct thing; kexfuzz binary

commit f0fcd7e65087db8c2496f13ed39d772f8e38b088
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 06:18:59 2018 +0000

    upstream: fix edit mistake; spotted by jmc@
    
    OpenBSD-Commit-ID: dd724e1c52c9d6084f4cd260ec7e1b2b138261c6

commit 4cc259bac699f4d2a5c52b92230f9e488c88a223
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:34:02 2018 +0000

    upstream: add SSH_ALLOWED_CA_SIGALGS - the default list of
    
    signature algorithms that are allowed for CA signatures. Notably excludes
    ssh-dsa.
    
    ok markus@
    
    OpenBSD-Commit-ID: 1628e4181dc8ab71909378eafe5d06159a22deb4

commit ba9e788315b1f6a350f910cb2a9e95b2ce584e89
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:32:54 2018 +0000

    upstream: add sshkey_check_cert_sigtype() that checks a
    
    cert->signature_type against a supplied whitelist; ok markus
    
    OpenBSD-Commit-ID: caadb8073292ed7a9535e5adc067d11d356d9302

commit a70fd4ad7bd9f2ed223ff635a3d41e483057f23b
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:31:30 2018 +0000

    upstream: add cert->signature_type field and keep it in sync with
    
    certificate signature wrt loading and certification operations; ok markus@
    
    OpenBSD-Commit-ID: e8b8b9f76b66707a0cd926109c4383db8f664df3

commit 357128ac48630a9970e3af0e6ff820300a28da47
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:30:10 2018 +0000

    upstream: Add "ssh -Q sig" to allow listing supported signature
    
    algorithms ok markus@
    
    OpenBSD-Commit-ID: 7a8c6eb6c249dc37823ba5081fce64876d10fe2b

commit 9405c6214f667be604a820c6823b27d0ea77937d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:21:34 2018 +0000

    upstream: allow key revocation by SHA256 hash and allow ssh-keygen
    
    to create KRLs using SHA256/base64 key fingerprints; ok markus@
    
    OpenBSD-Commit-ID: a0590fd34e7f1141f2873ab3acc57442560e6a94

commit 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Sep 12 01:19:12 2018 +0000

    upstream: log certificate fingerprint in authentication
    
    success/failure message (previously we logged only key ID and CA key
    fingerprint).
    
    ok markus@
    
    OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d

Summary of changes:
 Makefile.in                                        |   2 +-
 PROTOCOL.krl                                       |  16 +--
 auth.c                                             |  22 ++--
 krl.c                                              | 126 ++++++++++++++++-----
 krl.h                                              |   6 +-
 myproposal.h                                       |  14 ++-
 regress/krl.sh                                     |  49 +++++---
 regress/unittests/sshkey/test_sshkey.c             |  10 +-
 .../sshkey/testdata/{rsa_1 => rsa_1_sha1}          |   0
 .../unittests/sshkey/testdata/rsa_1_sha1-cert.pub  |   1 +
 .../sshkey/testdata/{rsa_1.pub => rsa_1_sha1.pub}  |   0
 .../sshkey/testdata/{rsa_1 => rsa_1_sha512}        |   0
 .../sshkey/testdata/rsa_1_sha512-cert.pub          |   1 +
 .../testdata/{rsa_1.pub => rsa_1_sha512.pub}       |   0
 ssh-keygen.1                                       |  19 +++-
 ssh-keygen.c                                       |  75 ++++++++++--
 ssh.1                                              |  14 ++-
 ssh.c                                              |  11 +-
 sshkey.c                                           | 114 ++++++++++++++-----
 sshkey.h                                           |   4 +-
 20 files changed, 371 insertions(+), 113 deletions(-)
 copy regress/unittests/sshkey/testdata/{rsa_1 => rsa_1_sha1} (100%)
 create mode 100644 regress/unittests/sshkey/testdata/rsa_1_sha1-cert.pub
 copy regress/unittests/sshkey/testdata/{rsa_1.pub => rsa_1_sha1.pub} (100%)
 copy regress/unittests/sshkey/testdata/{rsa_1 => rsa_1_sha512} (100%)
 create mode 100644 regress/unittests/sshkey/testdata/rsa_1_sha512-cert.pub
 copy regress/unittests/sshkey/testdata/{rsa_1.pub => rsa_1_sha512.pub} (100%)

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
