19261079b7
Some notable changes, from upstream's release notes: - sshd(8): Remove support for obsolete "host/port" syntax. - ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". - ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. - ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa" (RSA/SHA1) algorithm from those accepted for certificate signatures. - ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F support to provide address-space isolation for token middleware libraries (including the internal one). - ssh(1): this release enables UpdateHostkeys by default subject to some conservative preconditions. - scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. - scp(1): experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. Additional integration work is needed to support FIDO/U2F in the base system. Deprecation Notice ------------------ OpenSSH will disable the ssh-rsa signature scheme by default in the next release. Reviewed by: imp MFC after: 1 month Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29985
68 lines
2.7 KiB
C
68 lines
2.7 KiB
C
/*
|
|
* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
/* $OpenBSD: krl.h,v 1.8 2020/04/03 02:26:56 djm Exp $ */
|
|
|
|
#ifndef _KRL_H
|
|
#define _KRL_H
|
|
|
|
/* Functions to manage key revocation lists */
|
|
|
|
#define KRL_MAGIC "SSHKRL\n\0"
|
|
#define KRL_FORMAT_VERSION 1
|
|
|
|
/* KRL section types */
|
|
#define KRL_SECTION_CERTIFICATES 1
|
|
#define KRL_SECTION_EXPLICIT_KEY 2
|
|
#define KRL_SECTION_FINGERPRINT_SHA1 3
|
|
#define KRL_SECTION_SIGNATURE 4
|
|
#define KRL_SECTION_FINGERPRINT_SHA256 5
|
|
|
|
/* KRL_SECTION_CERTIFICATES subsection types */
|
|
#define KRL_SECTION_CERT_SERIAL_LIST 0x20
|
|
#define KRL_SECTION_CERT_SERIAL_RANGE 0x21
|
|
#define KRL_SECTION_CERT_SERIAL_BITMAP 0x22
|
|
#define KRL_SECTION_CERT_KEY_ID 0x23
|
|
|
|
struct sshkey;
|
|
struct sshbuf;
|
|
struct ssh_krl;
|
|
|
|
struct ssh_krl *ssh_krl_init(void);
|
|
void ssh_krl_free(struct ssh_krl *krl);
|
|
void ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version);
|
|
int ssh_krl_set_comment(struct ssh_krl *krl, const char *comment);
|
|
int ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl,
|
|
const struct sshkey *ca_key, u_int64_t serial);
|
|
int ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl,
|
|
const struct sshkey *ca_key, u_int64_t lo, u_int64_t hi);
|
|
int ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl,
|
|
const struct sshkey *ca_key, const char *key_id);
|
|
int ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const struct sshkey *key);
|
|
int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const u_char *p, size_t len);
|
|
int ssh_krl_revoke_key_sha256(struct ssh_krl *krl, const u_char *p, size_t len);
|
|
int ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key);
|
|
int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
|
|
struct sshkey **sign_keys, u_int nsign_keys);
|
|
int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
|
|
const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
|
|
int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
|
|
int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
|
|
int krl_dump(struct ssh_krl *krl, FILE *f);
|
|
|
|
#endif /* _KRL_H */
|
|
|