summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/ssh-rsa.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* hold our collective noses and use the openssl-1.1.x API in OpenSSH;djm2018-09-131-14/+35
| | | | feedback and ok tb@ jsing@ markus@
* Improve strictness and control over RSA-SHA2 signature types:djm2018-07-031-15/+45
| | | | | | | | | | | | | | | | | | | | | In ssh, when an agent fails to return a RSA-SHA2 signature when requested and falls back to RSA-SHA1 instead, retry the signature to ensure that the public key algorithm sent in the SSH_MSG_USERAUTH matches the one in the signature itself. In sshd, strictly enforce that the public key algorithm sent in the SSH_MSG_USERAUTH message matches what appears in the signature. Make the sshd_config PubkeyAcceptedKeyTypes and HostbasedAcceptedKeyTypes options control accepted signature algorithms (previously they selected supported key types). This allows these options to ban RSA-SHA1 in favour of RSA-SHA2. Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures with certificate keys. feedback and ok markus@
* Ensure that D mod (P-1) and D mod (Q-1) are calculated in constant time.jsing2018-02-141-8/+10
| | | | | | This avoids a potential side channel timing leak. ok djm@ markus@
* Convert some explicit_bzero()/free() calls to freezero().jsing2018-02-071-15/+6
| | | | ok deraadt@ dtucker@
* log mismatched RSA signature types; ok markus@djm2017-12-181-1/+4
|
* pass negotiated signing algorithm though to sshkey_verify() anddjm2017-12-181-6/+13
| | | | | check that the negotiated algorithm matches the type in the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@
* remove post-SSHv1 removal dead code from rsa.c and merge thedjm2017-07-011-1/+36
| | | | remaining bit that it still used into ssh-rsa.c; ok markus
* Refuse RSA keys <1024 bits in length. Improve reporting for keys thatdjm2017-05-071-4/+6
| | | | do not meet this requirement. ok markus@
* handle certs in rsa_hash_alg_from_ident(), saving an unnecessarydjm2016-09-121-4/+4
| | | | special case elsewhere.
* make argument == NULL tests more consistentdjm2016-04-211-2/+3
|
* Remove NULL-checks before sshbuf_free().mmcc2015-12-111-5/+3
| | | | ok djm@
* Remove NULL-checks before free().mmcc2015-12-101-3/+2
| | | | ok dtucker@
* stricter encoding type checks for ssh-rsa; ok djm@markus2015-12-071-6/+6
|
* implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)markus2015-12-041-23/+113
| | | | | based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt; with & ok djm@
* openssh_RSA_verify return type is int, so don't make it size_t withindjm2015-09-091-3/+3
| | | | | the function itself with only negative numbers or zero assigned to it. bz#2460
* return failure on RSA signature error; reported by Albert Sdjm2015-06-151-2/+2
|
* New key API: refactor key-related functions to be more library-like,djm2014-06-241-127/+133
| | | | | | | | | existing API is offered as a set of wrappers. with and ok markus@ Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew Dempsky and Ron Bowes for a detailed review a few months ago.
* convert memset of potentially-private data to explicit_bzero()djm2014-02-021-7/+7
|
* Introduce digest API and use it to perform all hashing operationsdjm2014-01-091-24/+30
| | | | | | rather than calling OpenSSL EVP_Digest* directly. Will make it easier to build a reduced-feature OpenSSH without OpenSSL in future; feedback, ok markus@
* refuse RSA keys from old proprietary clients/servers that use thedjm2013-12-301-20/+3
| | | | | | obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@
* correct commentdjm2013-12-271-3/+3
|
* make the original RSA and DSA signing/verification code look more likedjm2013-12-271-18/+21
| | | | | | the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type rather than tediously listing all variants, use __func__ for debug/ error messages
* bye, bye xfree(); ok markus@djm2013-05-171-12/+11
|
* Add buffer_get_cstring() and related functions that verify that thedjm2010-08-311-2/+2
| | | | | | | | | | | | | string extracted from the buffer contains no embedded \0 characters* This prevents random (possibly malicious) crap from being appended to strings where it would not be noticed if the string is used with a string(3) function. Use the new API in a few sensitive places. * actually, we allow a single one at the end of the string for now because we don't know how many deployed implementations get this wrong, but don't count on this to remain indefinitely.
* more timing paranoia - compare all parts of the expected decrypteddjm2010-07-161-4/+6
| | | | | data before returning. AFAIK not exploitable in the SSH protocol. "groovy" deraadt@
* s/timing_safe_cmp/timingsafe_bcmp/gdjm2010-07-131-3/+3
|
* implement a timing_safe_cmp() function to compare memory without leakingdjm2010-07-131-3/+4
| | | | | | timing information by short-circuiting like memcmp() and use it for some of the more sensitive comparisons (though nothing high-value was readily attackable anyway); "looks ok" markus@
* revised certificate format ssh-{dss,rsa}-cert-v01@openssh.com with thedjm2010-04-161-7/+5
| | | | | | | | | | | | | | | | | | following changes: move the nonce field to the beginning of the certificate where it can better protect against chosen-prefix attacks on the signature hash Rename "constraints" field to "critical options" Add a new non-critical "extensions" field Add a serial number The older format is still support for authentication and cert generation (use "ssh-keygen -t v00 -s ca_key ..." to generate a v00 certificate) ok markus@
* Add support for certificate key types for users and hosts.djm2010-02-261-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as trusted in ~/.ssh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
* almost entirely get rid of the culture of ".h files that include .h files"deraadt2006-08-031-3/+3
| | | | | ok djm, sort of ok stevesk makes the pain stop in one easy step
* move #include <string.h> out of includes.hstevesk2006-07-221-1/+3
|
* Put $OpenBSD$ tags back (as comments) to replace the RCSID()s thatdjm2006-03-251-0/+1
| | | | Theo nuked - our scripts to sync -portable need them in the files
* change OpenSSH's xrealloc() function from being xrealloc(p, new_size) todjm2006-03-251-1/+1
| | | | | | | | xrealloc(p, new_nmemb, new_itemsize). realloc is particularly prone to integer overflows because it is almost always allocating "n * size" bytes, so this is a far safer API; ok deraadt@
* annoying spacing fixes getting in the way of real diffsderaadt2006-03-201-0/+1
|
* in a switch (), break after return or goto is stupidderaadt2006-03-201-1/+0
|
* RCSID() can diederaadt2006-03-191-1/+0
|
* make this -Wsign-compare clean; ok avsm@ markus@djm2005-06-171-2/+2
|
* constify. ok markus@ & djm@jakob2003-11-101-5/+5
|
* backout last change, since it violates pkcs#1markus2003-06-181-23/+14
| | | | switch to share/misc/license.template
* make sure the signature has at least the expected length (don'tmarkus2003-06-161-3/+3
| | | | | insist on len == hlen + oidlen, since this breaks some smartcards) bugzilla #592; ok djm@
* merge ssh-dss.h ssh-rsa.h into key.h; ok deraadt@markus2003-02-121-2/+1
|
* KNFderaadt2002-11-211-2/+2
|
* RSA_public_decrypt() returns -1 on error so len must be signed; ok markus@stevesk2002-08-271-2/+3
|
* replace RSA_verify with our own version and avoid the OpenSSL ASN.1 parsermarkus2002-08-021-7/+93
| | | | for authentication; ok deraadt/djm
* diff is u_int (2x); ok deraadt/provosmarkus2002-08-021-3/+3
|
* don't allocate, copy, and discard if there is not interested in the data; ok deraadt@markus2002-07-041-10/+8
|
* patch memory leaks; grendel@zeitbombe.orgderaadt2002-07-041-1/+3
|
* various KNF and %d for unsignedderaadt2002-06-231-13/+11
|
* display minimum RSA modulus in error(); ok markus@stevesk2002-06-101-3/+3
|
* pad received signature with leading zeros, because RSA_verify expectsmarkus2002-05-311-2/+17
| | | | | a signature of RSA_size. the drafts says the signature is transmitted unpadded (e.g. putty does not pad), reported by anakin@pobox.com
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.