[openssh-commits] [openssh] branch master updated (259c66aeb -> 1641ab874)
git+noreply at mindrot.org
Fri Jul 25 09:23:26 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 259c66aeb Remove DEBUG_ACTIONS variable.
new a8c0e5c87 upstream: Help OpenSSH's PKCS#11 support kick its meth habit.
new 1641ab874 upstream: factor out encoding of a raw ed25519 signature into its
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 1641ab8744f500f55f12155d03f1a3116aaea374
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Jul 24 06:12:08 2025 +0000
upstream: factor out encoding of a raw ed25519 signature into its
ssh form into a separate function
OpenBSD-Commit-ID: 3711c6d6b52dde0bd1f17884da5cddb8716f1b64
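For readers unfamiliar with what "its ssh form" means in the commit above: on the wire an Ed25519 signature is not the bare 64 bytes but an SSH string "ssh-ed25519" followed by an SSH string holding the 64-byte signature, each prefixed with a 4-byte big-endian length (RFC 8709). The C below is an added, stand-alone illustration of that encoding and of a strict decoder that rejects a wrong type name, a wrong signature length or trailing bytes; it is not OpenSSH's own code, and the function names and the constructed test bytes are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ED25519_SIG_LEN 64u
#define SSH_ED25519_NAME "ssh-ed25519"
#define SSH_ED25519_NAME_LEN (sizeof(SSH_ED25519_NAME) - 1)   /* 11 */
/* string name (4+11) || string sig (4+64) = 83 bytes */
#define SSH_ED25519_SIG_ENCODED_LEN (4 + SSH_ED25519_NAME_LEN + 4 + ED25519_SIG_LEN)

static void put_u32(unsigned char *p, uint32_t v)
{
	p[0] = (unsigned char)(v >> 24);
	p[1] = (unsigned char)(v >> 16);
	p[2] = (unsigned char)(v >> 8);
	p[3] = (unsigned char)v;
}

static uint32_t get_u32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Encode a raw 64-byte Ed25519 signature into its SSH wire form.
 * Returns the number of bytes written, or 0 on a bad input length or
 * an output buffer that is too small. (Example code, not OpenSSH's.) */
size_t ssh_ed25519_sig_encode(const unsigned char *sig, size_t siglen,
    unsigned char *out, size_t outlen)
{
	unsigned char *p = out;

	if (siglen != ED25519_SIG_LEN || outlen < SSH_ED25519_SIG_ENCODED_LEN)
		return 0;
	put_u32(p, (uint32_t)SSH_ED25519_NAME_LEN); p += 4;
	memcpy(p, SSH_ED25519_NAME, SSH_ED25519_NAME_LEN); p += SSH_ED25519_NAME_LEN;
	put_u32(p, ED25519_SIG_LEN); p += 4;
	memcpy(p, sig, ED25519_SIG_LEN); p += ED25519_SIG_LEN;
	return (size_t)(p - out);
}

/* Strict inverse: accept only an exact "ssh-ed25519" type string, an exactly
 * 64-byte signature and no trailing bytes. Returns 0 on success, -1 otherwise;
 * on success the raw signature is copied into raw (64 bytes). */
int ssh_ed25519_sig_decode(const unsigned char *in, size_t inlen, unsigned char *raw)
{
	const unsigned char *p = in;
	uint32_t len;

	if (inlen < 4) return -1;
	len = get_u32(p); p += 4; inlen -= 4;
	if (len != SSH_ED25519_NAME_LEN || inlen < len) return -1;
	if (memcmp(p, SSH_ED25519_NAME, SSH_ED25519_NAME_LEN) != 0) return -1;
	p += len; inlen -= len;
	if (inlen < 4) return -1;
	len = get_u32(p); p += 4; inlen -= 4;
	if (len != ED25519_SIG_LEN || inlen != len) return -1;   /* wrong size or trailing bytes */
	memcpy(raw, p, ED25519_SIG_LEN);
	return 0;
}

/* Self-test on a constructed (not real) signature byte pattern: round-trips
 * and checks that a truncated buffer, a wrong type name and a wrong raw
 * length are rejected. Returns 1 when every check passes, 0 otherwise. */
int ssh_ed25519_sig_selftest(void)
{
	unsigned char sig[ED25519_SIG_LEN], raw[ED25519_SIG_LEN];
	unsigned char enc[SSH_ED25519_SIG_ENCODED_LEN];
	size_t n, i;

	for (i = 0; i < ED25519_SIG_LEN; i++)
		sig[i] = (unsigned char)i;                 /* constructed test bytes */
	n = ssh_ed25519_sig_encode(sig, sizeof(sig), enc, sizeof(enc));
	if (n != SSH_ED25519_SIG_ENCODED_LEN) return 0;
	if (get_u32(enc) != SSH_ED25519_NAME_LEN ||
	    memcmp(enc + 4, "ssh-ed25519", 11) != 0) return 0;
	if (get_u32(enc + 15) != ED25519_SIG_LEN) return 0;
	if (ssh_ed25519_sig_decode(enc, n, raw) != 0 ||
	    memcmp(raw, sig, sizeof(sig)) != 0) return 0;
	if (ssh_ed25519_sig_decode(enc, n - 1, raw) == 0) return 0;       /* truncated */
	enc[4] = 'S';                                                      /* "Ssh-ed25519" */
	if (ssh_ed25519_sig_decode(enc, n, raw) == 0) return 0;           /* wrong type name */
	if (ssh_ed25519_sig_encode(sig, 63, enc, sizeof(enc)) != 0) return 0; /* bad raw length */
	return 1;
}

int main(void)
{
	int ok = ssh_ed25519_sig_selftest();

	printf("encoded length %zu, selftest %s\n",
	    (size_t)SSH_ED25519_SIG_ENCODED_LEN, ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

The encoder and decoder are kept as a pair deliberately: once the encoding lives in one function, the matching parser is the natural place to enforce the exact type name and the fixed 64-byte length, which is what prevents a malformed signature blob from being accepted further down the verification path.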
commit a8c0e5c871c0c7ee5ae93e353b1499a53c09c71d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Jul 24 05:44:55 2025 +0000
upstream: Help OpenSSH's PKCS#11 support kick its meth habit.
The PKCS#11 code in OpenSSH used the libcrypto public key method API
(e.g. the delightfully named RSA_meth_free()) to delegate signing
operations to external keys. This had one advantage - that it was
basically transparent to callers, but also had a big disadvantage -
that we'd manually have to track the method implementations, their
state and their relationships to the underlying PKCS#11 objects.
This rips this out and replaces it with explicit delegation to
PKCS#11 code for externally hosted keys via the ssh-pkcs11-helper
subprocess. This is very similar to how we handle FIDO keys in
OpenSSH (i.e. via ssh-sk-helper). All we need to track now is a
much simpler mapping of public key -> helper subprocess.
Kicking our libcrypto meth dependency also makes it much easier
to support Ed25519 keys in PKCS#11, which will happen in a subsequent
commit.
feedback / ok tb@
OpenBSD-Commit-ID: a5a1eaf57971cf15e0cdc5a513e313541c8a35f0
Summary of changes:
.depend | 10 +-
Makefile.in | 22 +-
ssh-ecdsa.c | 35 ++-
ssh-ed25519.c | 37 +++-
ssh-pkcs11-client.c | 510 +++++++++++++------------------------------
ssh-pkcs11-helper.c | 215 ++++--------------
ssh-pkcs11.c | 615 +++++++++++++++++++++++++++++++++-------------------
ssh-pkcs11.h | 12 +-
ssh-rsa.c | 46 +++-
ssh-sk-helper.c | 19 +-
sshbuf-misc.c | 16 +-
sshbuf.h | 11 +-
sshkey.c | 29 ++-
sshkey.h | 11 +-
14 files changed, 786 insertions(+), 802 deletions(-)
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.