factor out reading/writing sshbufs to dedicated functions;
feedback and ok markus@

perform security key enrollment via ssh-sk-helper too. This means
that ssh-keygen no longer needs to link against ssh-sk-helper,
and only ssh-sk-helper needs libfido2 and /dev/uhid* access;

feedback

perform security key enrollment via ssh-sk-helper too. This means
that ssh-keygen no longer needs to link against ssh-sk-helper,
and only ssh-sk-helper needs libfido2 and /dev/uhid* access;

feedback & ok markus@

show more ...

use ssh-sk-helper for all security key signing operations

This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This mea

use ssh-sk-helper for all security key signing operations

This extracts and refactors the client interface for ssh-sk-helper
from ssh-agent and generalises it for use by the other programs.
This means that most OpenSSH tools no longer need to link against
libfido2 or directly interact with /dev/uhid*

requested by, feedback and ok markus@

show more ...

directly support U2F/FIDO2 security keys in OpenSSH by linking
against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for
Bluetooth

directly support U2F/FIDO2 security keys in OpenSSH by linking
against the (previously external) USB HID middleware. The dlopen()
capability still exists for alternate middlewares, e.g. for
Bluetooth, NFC and test/debugging.

show more ...

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature opera

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

show more ...

ssh-keygen support for generating U2F/FIDO keys

avoid compiling certain files that deeply depend on libcrypto when
WITH_OPENSSL isn't set

sshsig: lightweight signature and verification ability for OpenSSH

This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify

Signatu

sshsig: lightweight signature and verification ability for OpenSSH

This adds a simple manual signature scheme to OpenSSH.
Signatures can be made and verified using ssh-keygen -Y sign|verify

Signatures embed the key used to make them. At verification time, this
is matched via principal name against an authorized_keys-like list
of allowed signers.

Mostly by Sebastian Kinne w/ some tweaks by me

ok markus@

show more ...

remove mostly vestigal uuencode.[ch]; moving the only unique
functionality there (wrapping of base64-encoded data) to sshbuf
functions; feedback and ok markus@

still compile uuencode.c, unbreaks build

add a local implementation of BSD realpath() for sftp-server use
ahead of OpenBSD's realpath changing to match POSIX;

ok deraadt@ (thanks for snaps testing)

Don't redefine Makefile choices which come correct from bsd.*.mk
ok markus

group shared source files (e.g. SRCS_KEX) and allow compilation w/o OPENSSL
ok djm@

Replace ED25519's private SHA-512 implementation with a call to the
regular digest code. This speeds up compilation considerably.
ok markus@

ssh/lib hasn't worked towards our code-sharing goals for a quit while,
perhaps it is too verbose? Change each */Makefile to specifying exactly
what sources that program requires, compiling it sepera

ssh/lib hasn't worked towards our code-sharing goals for a quit while,
perhaps it is too verbose? Change each */Makefile to specifying exactly
what sources that program requires, compiling it seperate. Maybe we'll
iterate by sorting those into seperatable chunks, splitting up files
which contain common code + server/client specific code, or whatnot. But
this isn't one step, or we'd have done it a long time ago..
ok dtucker markus djm

show more ...

zap redundant Makefile variables.
okay djm@

Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
Based on code from Phil Karn, William Allen Simpson and Niels Provos.
ok markus@, thanks jmc@

move -lsectok to Makefile.inc for now

add smartcard support to the makefiles (commented out);
the smartcard support is based on work by itoi@eecs.umich.edu

unbreak

more smartcard support.

don't link unused libs

log*.c -> log.c

$OpenBSD$

no longer needed; good riddance for static archs