summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-rsa.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* openssh_RSA_verify return type is int, so don't make it size_t withindjm2015-09-091-3/+3
| | | | | the function itself with only negative numbers or zero assigned to it. bz#2460
* return failure on RSA signature error; reported by Albert Sdjm2015-06-151-2/+2
|
* New key API: refactor key-related functions to be more library-like,djm2014-06-241-127/+133
| | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
* convert memset of potentially-private data to explicit_bzero()djm2014-02-021-7/+7
|
* Introduce digest API and use it to perform all hashing operationsdjm2014-01-091-24/+30
| | | | | | rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
* refuse RSA keys from old proprietary clients/servers that use thedjm2013-12-301-20/+3
| | | | | | obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@
* correct commentdjm2013-12-271-3/+3
|
* make the original RSA and DSA signing/verification code look more likedjm2013-12-271-18/+21
| | | | | | the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type rather than tediously listing all variants, use __func__ for debug/ error messages
* bye, bye xfree(); ok markus@djm2013-05-171-12/+11
|
* Add buffer_get_cstring() and related functions that verify that thedjm2010-08-311-2/+2
| | | | | | | | | | | | | string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
* more timing paranoia - compare all parts of the expected decrypteddjm2010-07-161-4/+6
| | | | | data before returning. AFAIK not exploitable in the SSH protocol. "groovy" deraadt@
* s/timing_safe_cmp/timingsafe_bcmp/gdjm2010-07-131-3/+3
|
* implement a timing_safe_cmp() function to compare memory without leakingdjm2010-07-131-3/+4
| | | | | | timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-7/+5
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* Add support for certificate key types for users and hosts.djm2010-02-261-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* almost entirely get rid of the culture of ".h files that include .h files"deraadt2006-08-031-3/+3
| | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step
* move #include <string.h> out of includes.hstevesk2006-07-221-1/+3
|
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s thatdjm2006-03-251-0/+1
| | | | Theo nuked - our scripts to sync -portable need them in the files
* change OpenSSH's xrealloc() function from being xrealloc(p, new_size) todjm2006-03-251-1/+1
| | | | | | | | xrealloc(p, new_nmemb, new_itemsize). realloc is particularly prone to integer overflows because it is almost always allocating "n * size" bytes, so this is a far safer API; ok deraadt@
* annoying spacing fixes getting in the way of real diffsderaadt2006-03-201-0/+1
|
* in a switch (), break after return or goto is stupidderaadt2006-03-201-1/+0
|
* RCSID() can diederaadt2006-03-191-1/+0
|
* make this -Wsign-compare clean; ok avsm@ markus@djm2005-06-171-2/+2
|
* constify. ok markus@ & djm@jakob2003-11-101-5/+5
|
* backout last change, since it violates pkcs#1markus2003-06-181-23/+14
| | | | switch to share/misc/license.template
* make sure the signature has at least the expected length (don'tmarkus2003-06-161-3/+3
| | | | | insist on len == hlen + oidlen, since this breaks some smartcards) bugzilla #592; ok djm@
* merge ssh-dss.h ssh-rsa.h into key.h; ok deraadt@markus2003-02-121-2/+1
|
* KNFderaadt2002-11-211-2/+2
|
* RSA_public_decrypt() returns -1 on error so len must be signed; ok markus@stevesk2002-08-271-2/+3
|
* replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parsermarkus2002-08-021-7/+93
| | | | for authentication; ok deraadt/djm
* diff is u_int (2x); ok deraadt/provosmarkus2002-08-021-3/+3
|
* don't allocate, copy, and discard if there is not interested in the data; ok deraadt@markus2002-07-041-10/+8
|
* patch memory leaks; grendel@zeitbombe.orgderaadt2002-07-041-1/+3
|
* various KNF and %d for unsignedderaadt2002-06-231-13/+11
|
* display minimum RSA modulus in error(); ok markus@stevesk2002-06-101-3/+3
|
* pad received signature with leading zeros, because RSA_verify expectsmarkus2002-05-311-2/+17
| | | | | a signature of RSA_size. the drafts says the signature is transmitted unpadded (e.g. putty does not pad), reported by anakin@pobox.com
* ignore SSH_BUG_SIGBLOB for ssh-rsa; #187markus2002-04-021-9/+1
|
* make RSA modulus minimum #define; ok markus@stevesk2002-03-291-2/+3
|
* signed vs. unsigned: make size arguments u_int, ok stevesk@markus2002-02-241-5/+5
|
* use static EVP_MAX_MD_SIZE buffers for EVP_DigestFinal; ok stevesk@markus2002-01-251-13/+7
| | | | don't use evp_md->md_size, it's not public.
* minor KNFderaadt2001-12-051-2/+2
|
* KNF (unexpand)markus2001-11-101-3/+3
|
* missing free and sync dss/rsa code.markus2001-11-071-3/+3
|
* ssh_rsa_sign/verify: SSH_BUG_SIGBLOB not supportedmarkus2001-11-071-1/+9
|
* u_char*/char* cleanup; ok markus@stevesk2001-09-171-3/+3
|
* cleanup, remove old codemarkus2001-06-061-2/+1
|
* some older systems use NID_md5 instead of NID_sha1 for RSASSA-PKCS1-v1_5markus2001-03-271-3/+4
| | | | signatures in SSH protocol 2, ok djm@
* use EVP_get_digestbynid, reorder some calls and fix missing free.markus2001-03-271-12/+22
|
* sync with netbsd tree changes.itojun2001-02-081-1/+2
| | | | | | - more strict prototypes, include necessary headers - use paths.h/pathnames.h decls - size_t typecase to int -> u_long
* split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.markus2001-01-211-8/+5
| | | | rename util.[ch] -> misc.[ch]
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.