upstream commit

remove KEY_RSA1 ok markus@ Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-04-30 23:18:44 +00:00 · 2017-04-30 23:18:44 +00:00 · 873d3e7d9a
parent 788ac799a6
commit 873d3e7d9a
14 changed files with 72 additions and 183 deletions
--- a/clientloop.c
+++ b/clientloop.c
@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.292 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.293 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1831,8 +1831,7 @@ hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
 	size_t i;
 	struct sshkey **tmp;

-	if (l->status != HKF_STATUS_MATCHED || l->key == NULL ||
-	    l->key->type == KEY_RSA1)
+	if (l->status != HKF_STATUS_MATCHED || l->key == NULL)
 		return 0;

 	/* Mark off keys we've already seen for this host */
--- a/hostfile.c
+++ b/hostfile.c
@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.69 2017/04/30 23:10:43 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.70 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -346,16 +346,11 @@ check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
 	HostStatus end_return = HOST_NEW;
 	int want_cert = sshkey_is_cert(k);
 	HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE;
-	int proto = (k ? k->type : keytype) == KEY_RSA1 ? 1 : 2;

 	if (found != NULL)
 		*found = NULL;

 	for (i = 0; i < hostkeys->num_entries; i++) {
-		if (proto == 1 && hostkeys->entries[i].key->type != KEY_RSA1)
-			continue;
-		if (proto == 2 && hostkeys->entries[i].key->type == KEY_RSA1)
-			continue;
 		if (hostkeys->entries[i].marker != want_marker)
 			continue;
 		if (k == NULL) {
@ -490,13 +485,6 @@ host_delete(struct hostkey_foreach_line *l, void *_ctx)
 			return 0;
 		}

-		/* XXX might need a knob for this later */
-		/* Don't remove RSA1 keys */
-		if (l->key->type == KEY_RSA1) {
-			fprintf(ctx->out, "%s\n", l->line);
-			return 0;
-		}
-
 		/*
 		 * If this line contains one of the keys that we will be
 		 * adding later, then don't change it and mark the key for
@ -804,12 +792,12 @@ hostkeys_foreach(const char *path, hostkeys_foreach_fn *callback, void *ctx,
 			lineinfo.keytype = sshkey_type_from_name(ktype);

 			/*
-			 * Assume RSA1 if the first component is a short
+			 * Assume legacy RSA1 if the first component is a short
 			 * decimal number.
 			 */
 			if (lineinfo.keytype == KEY_UNSPEC && l < 8 &&
 			    strspn(ktype, "0123456789") == l)
-				lineinfo.keytype = KEY_RSA1;
+				goto bad;

 			/*
 			 * Check that something other than whitespace follows
--- a/ssh-agent.c
+++ b/ssh-agent.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.219 2017/04/30 23:10:43 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.220 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -247,6 +247,8 @@ process_request_identities(SocketEntry *e, int version)
 	Identity *id;
 	struct sshbuf *msg;
 	int r;
+	u_char *blob;
+	size_t blen;

 	if ((msg = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
@ -256,21 +258,15 @@ process_request_identities(SocketEntry *e, int version)
 	    (r = sshbuf_put_u32(msg, tab->nentries)) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	TAILQ_FOREACH(id, &tab->idlist, next) {
-		if (id->key->type == KEY_RSA1) {
-		} else {
-			u_char *blob;
-			size_t blen;
-
-			if ((r = sshkey_to_blob(id->key, &blob, &blen)) != 0) {
-				error("%s: sshkey_to_blob: %s", __func__,
-				    ssh_err(r));
-				continue;
-			}
-			if ((r = sshbuf_put_string(msg, blob, blen)) != 0)
-				fatal("%s: buffer error: %s",
-				    __func__, ssh_err(r));
-			free(blob);
+		if ((r = sshkey_to_blob(id->key, &blob, &blen)) != 0) {
+			error("%s: sshkey_to_blob: %s", __func__,
+			    ssh_err(r));
+			continue;
 		}
+		if ((r = sshbuf_put_string(msg, blob, blen)) != 0)
+			fatal("%s: buffer error: %s",
+			    __func__, ssh_err(r));
+		free(blob);
 		if ((r = sshbuf_put_cstring(msg, id->comment)) != 0)
 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	}
@ -639,7 +635,7 @@ process_add_smartcard_key(SocketEntry *e)
 	count = pkcs11_add_provider(canonical_provider, pin, &keys);
 	for (i = 0; i < count; i++) {
 		k = keys[i];
-		version = k->type == KEY_RSA1 ? 1 : 2;
+		version = 2;
 		tab = idtab_lookup(version);
 		if (lookup_identity(k, version) == NULL) {
 			id = xcalloc(1, sizeof(Identity));
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.135 2017/04/29 06:06:01 jmc Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2017 $
+.Dd $Mdocdate: April 30 2017 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@ -207,7 +207,7 @@ There is no way to recover a lost passphrase.
 If the passphrase is lost or forgotten, a new key must be generated
 and the corresponding public key copied to other machines.
 .Pp
-For RSA1 keys and keys stored in the newer OpenSSH format,
+For keys stored in the newer OpenSSH format,
 there is also a comment field in the key file that is only for
 convenience to the user to help identify the key.
 The comment can tell what the key is for, or whatever is useful.
@ -264,7 +264,7 @@ flag will be ignored.
 Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
-This operation is only supported for RSA1 keys and keys stored in the
+This operation is only supported for keys stored in the
 newer OpenSSH format.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
@ -384,7 +384,6 @@ section.
 Prints the contents of one or more certificates.
 .It Fl l
 Show fingerprint of specified public key file.
-Private RSA1 keys are also supported.
 For RSA and DSA keys
 .Nm
 tries to find the matching public key file and prints its fingerprint.
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.301 2017/04/30 23:10:43 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.302 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -246,9 +246,6 @@ ask_filename(struct passwd *pw, const char *prompt)
 		name = _PATH_SSH_CLIENT_ID_RSA;
 	else {
 		switch (sshkey_type_from_name(key_type_name)) {
-		case KEY_RSA1:
-			name = _PATH_SSH_CLIENT_IDENTITY;
-			break;
 		case KEY_DSA_CERT:
 		case KEY_DSA:
 			name = _PATH_SSH_CLIENT_ID_DSA;
@ -320,8 +317,6 @@ do_convert_to_ssh2(struct passwd *pw, struct sshkey *k)
 	char comment[61];
 	int r;

-	if (k->type == KEY_RSA1)
-		fatal("version 1 keys are not supported");
 	if ((r = sshkey_to_blob(k, &blob, &len)) != 0)
 		fatal("key_to_blob failed: %s", ssh_err(r));
 	/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
@ -343,7 +338,6 @@ static void
 do_convert_to_pkcs8(struct sshkey *k)
 {
 	switch (sshkey_type_plain(k->type)) {
-	case KEY_RSA1:
 	case KEY_RSA:
 		if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))
 			fatal("PEM_write_RSA_PUBKEY failed");
@ -368,7 +362,6 @@ static void
 do_convert_to_pem(struct sshkey *k)
 {
 	switch (sshkey_type_plain(k->type)) {
-	case KEY_RSA1:
 	case KEY_RSA:
 		if (!PEM_write_RSAPublicKey(stdout, k->rsa))
 			fatal("PEM_write_RSAPublicKey failed");
@ -825,13 +818,6 @@ try_read_key(char **cpp)
 	struct sshkey *ret;
 	int r;

-	if ((ret = sshkey_new(KEY_RSA1)) == NULL)
-		fatal("sshkey_new failed");
-	/* Try RSA1 */
-	if ((r = sshkey_read(ret, cpp)) == 0)
-		return ret;
-	/* Try modern */
-	sshkey_free(ret);
 	if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)
 		fatal("sshkey_new failed");
 	if ((r = sshkey_read(ret, cpp)) == 0)
@ -1442,9 +1428,8 @@ do_change_comment(struct passwd *pw)
 		}
 	}

-	if (private->type != KEY_RSA1 && private->type != KEY_ED25519 &&
-	    !use_new_format) {
-		error("Comments are only supported for RSA1 or keys stored in "
+	if (private->type != KEY_ED25519 && !use_new_format) {
+		error("Comments are only supported for keys stored in "
 		    "the new format (-o).");
 		explicit_bzero(passphrase, strlen(passphrase));
 		sshkey_free(private);
@ -2241,13 +2226,11 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
 	exit(ret);
 }

-# define RSA1_USAGE ""
-
 static void
 usage(void)
 {
 	fprintf(stderr,
-	    "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa%s]\n"
+	    "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"
 	    "                  [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
 	    "       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
 	    "       ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
@ -2255,7 +2238,7 @@ usage(void)
 	    "       ssh-keygen -y [-f input_keyfile]\n"
 	    "       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
 	    "       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
-	    "       ssh-keygen -B [-f input_keyfile]\n", RSA1_USAGE);
+	    "       ssh-keygen -B [-f input_keyfile]\n");
 #ifdef ENABLE_PKCS11
 	fprintf(stderr,
 	    "       ssh-keygen -D pkcs11\n");
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.38 2015/11/08 23:24:03 jmc Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.39 2017/04/30 23:18:44 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: November 8 2015 $
+.Dd $Mdocdate: April 30 2017 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@ -127,11 +127,6 @@ Input format:
 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
 .Ed
 .Pp
-Output format for RSA1 keys:
-.Bd -literal
-host-or-namelist bits exponent modulus
-.Ed
-.Pp
 Output format for RSA, DSA, ECDSA, and Ed25519 keys:
 .Bd -literal
 host-or-namelist keytype base64-encoded-key
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.111 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.112 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 *
@ -54,11 +54,13 @@ int IPv4or6 = AF_UNSPEC;

 int ssh_port = SSH_DEFAULT_PORT;

-#define KT_RSA1		1
-#define KT_DSA		2
-#define KT_RSA		4
-#define KT_ECDSA	8
-#define KT_ED25519	16
+#define KT_DSA		(1)
+#define KT_RSA		(1<<1)
+#define KT_ECDSA	(1<<2)
+#define KT_ED25519	(1<<3)
+
+#define KT_MIN		KT_DSA
+#define KT_MAX		KT_ED25519

 int get_cert = 0;
 int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
@ -94,7 +96,7 @@ typedef struct Connection {
 	int c_plen;		/* Packet length field for ssh packet */
 	int c_len;		/* Total bytes which must be read. */
 	int c_off;		/* Length of data read so far. */
-	int c_keytype;		/* Only one of KT_RSA1, KT_DSA, or KT_RSA */
+	int c_keytype;		/* Only one of KT_* */
 	sig_atomic_t c_done;	/* SSH2 done */
 	char *c_namebase;	/* Address to free for c_name and c_namelist */
 	char *c_name;		/* Hostname of connection for errors */
@ -435,6 +437,20 @@ congreet(int s)
 	size_t bufsiz;
 	con *c = &fdcon[s];

+	/* send client banner */
+	n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
+	if (n < 0 || (size_t)n >= sizeof(buf)) {
+		error("snprintf: buffer too small");
+		confree(s);
+		return;
+	}
+	if (atomicio(vwrite, s, buf, n) != (size_t)n) {
+		error("write (%s): %s", c->c_name, strerror(errno));
+		confree(s);
+		return;
+	}
+
 	for (;;) {
 		memset(buf, '\0', sizeof(buf));
 		bufsiz = sizeof(buf);
@ -477,38 +493,14 @@ congreet(int s)
 		c->c_ssh->compat = compat_datafellows(remote_version);
 	else
 		c->c_ssh->compat = 0;
-	if (c->c_keytype != KT_RSA1) {
-		if (!ssh2_capable(remote_major, remote_minor)) {
-			debug("%s doesn't support ssh2", c->c_name);
-			confree(s);
-			return;
-		}
-	} else if (remote_major != 1) {
-		debug("%s doesn't support ssh1", c->c_name);
+	if (!ssh2_capable(remote_major, remote_minor)) {
+		debug("%s doesn't support ssh2", c->c_name);
 		confree(s);
 		return;
 	}
 	fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
-	n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
-	    c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
-	    c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
-	if (n < 0 || (size_t)n >= sizeof(buf)) {
-		error("snprintf: buffer too small");
-		confree(s);
-		return;
-	}
-	if (atomicio(vwrite, s, buf, n) != (size_t)n) {
-		error("write (%s): %s", c->c_name, strerror(errno));
-		confree(s);
-		return;
-	}
-	if (c->c_keytype != KT_RSA1) {
-		keygrab_ssh2(c);
-		confree(s);
-		return;
-	}
-	c->c_status = CS_SIZE;
-	contouch(s);
+	keygrab_ssh2(c);
+	confree(s);
 }

 static void
@ -606,7 +598,7 @@ do_host(char *host)

 	if (name == NULL)
 		return;
-	for (j = KT_RSA1; j <= KT_ED25519; j *= 2) {
+	for (j = KT_MIN; j <= KT_MAX; j *= 2) {
 		if (get_keytypes & j) {
 			while (ncon >= MAXCON)
 				conloop();
--- a/ssh.c
+++ b/ssh.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.456 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.457 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1276,8 +1276,7 @@ main(int ac, char **av)
 	sensitive_data.nkeys = 0;
 	sensitive_data.keys = NULL;
 	sensitive_data.external_keysign = 0;
-	if (options.rhosts_rsa_authentication ||
-	    options.hostbased_authentication) {
+	if (options.hostbased_authentication) {
 		sensitive_data.nkeys = 9;
 		sensitive_data.keys = xcalloc(sensitive_data.nkeys,
 		    sizeof(Key));
--- a/ssh.h
+++ b/ssh.h
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.h,v 1.83 2015/12/11 03:19:09 djm Exp $ */
+/* $OpenBSD: ssh.h,v 1.84 2017/04/30 23:18:44 djm Exp $ */

 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -32,7 +32,7 @@

 /*
 * Maximum length of lines in authorized_keys file.
- * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with
+ * Current value permits 16kbit RSA keys and 8kbit DSA keys, with
 * some room for options and comments.
 */
 #define SSH_MAX_PUBKEY_BYTES		16384
--- a/sshconnect.c
+++ b/sshconnect.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.276 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.277 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1367,7 +1367,6 @@ static int
 show_other_keys(struct hostkeys *hostkeys, Key *key)
 {
 	int type[] = {
-		KEY_RSA1,
 		KEY_RSA,
 		KEY_DSA,
 		KEY_ECDSA,
--- a/sshconnect2.c
+++ b/sshconnect2.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.256 2017/04/28 03:24:53 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.257 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Damien Miller.  All rights reserved.
@ -1317,8 +1317,6 @@ pubkey_prepare(Authctxt *authctxt)
 	/* list of keys stored in the filesystem and PKCS#11 */
 	for (i = 0; i < options.num_identity_files; i++) {
 		key = options.identity_keys[i];
-		if (key && key->type == KEY_RSA1)
-			continue;
 		if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
 			continue;
 		options.identity_keys[i] = NULL;
@ -1471,7 +1469,7 @@ try_identity(Identity *id)
 		    key_type(id->key), id->filename);
 		return (0);
 	}
-	return (id->key->type != KEY_RSA1);
+	return 1;
 }

 int
@ -1764,7 +1762,6 @@ userauth_hostbased(Authctxt *authctxt)
 		private = NULL;
 		for (i = 0; i < authctxt->sensitive->nkeys; i++) {
 			if (authctxt->sensitive->keys[i] == NULL ||
-			    authctxt->sensitive->keys[i]->type == KEY_RSA1 ||
 			    authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
 				continue;
 			if (match_pattern_list(
--- a/sshd.c
+++ b/sshd.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.486 2017/04/30 23:13:25 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.487 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -1676,14 +1676,6 @@ main(int ac, char **av)
 		key = key_load_private(options.host_key_files[i], "", NULL);
 		pubkey = key_load_public(options.host_key_files[i], NULL);

-		if ((pubkey != NULL && pubkey->type == KEY_RSA1) ||
-		    (key != NULL && key->type == KEY_RSA1)) {
-			verbose("Ignoring RSA1 key %s",
-			    options.host_key_files[i]);
-			key_free(key);
-			key_free(pubkey);
-			continue;
-		}
 		if (pubkey == NULL && key != NULL)
 			pubkey = key_demote(key);
 		sensitive_data.host_keys[i] = key;
--- a/sshkey.c
+++ b/sshkey.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.47 2017/04/30 23:15:04 djm Exp $ */
+/* $OpenBSD: sshkey.c,v 1.48 2017/04/30 23:18:44 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
@ -235,10 +235,6 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
 		type = sshkey_type_from_name(p);
-		if (type == KEY_RSA1) {
-			free(s);
-			return 0;
-		}
 		if (type == KEY_UNSPEC) {
 			if (allow_wildcard) {
 				/*
@ -247,8 +243,6 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
 				 * the component is accepted.
 				 */
 				for (kt = keytypes; kt->type != -1; kt++) {
-					if (kt->type == KEY_RSA1)
-						continue;
 					if (match_pattern_list(kt->name,
 					    p, 0) != 0)
 						break;
@ -269,7 +263,6 @@ sshkey_size(const struct sshkey *k)
 {
 	switch (k->type) {
 #ifdef WITH_OPENSSL
-	case KEY_RSA1:
 	case KEY_RSA:
 	case KEY_RSA_CERT:
 		return BN_num_bits(k->rsa->n);
@ -472,7 +465,6 @@ sshkey_new(int type)
 	k->ed25519_pk = NULL;
 	switch (k->type) {
 #ifdef WITH_OPENSSL
-	case KEY_RSA1:
 	case KEY_RSA:
 	case KEY_RSA_CERT:
 		if ((rsa = RSA_new()) == NULL ||
@ -530,7 +522,6 @@ sshkey_add_private(struct sshkey *k)
 {
 	switch (k->type) {
 #ifdef WITH_OPENSSL
-	case KEY_RSA1:
 	case KEY_RSA:
 	case KEY_RSA_CERT:
 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
@ -586,7 +577,6 @@ sshkey_free(struct sshkey *k)
 		return;
 	switch (k->type) {
 #ifdef WITH_OPENSSL
-	case KEY_RSA1:
 	case KEY_RSA:
 	case KEY_RSA_CERT:
 		if (k->rsa != NULL)
@ -664,7 +654,6 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)

 	switch (a->type) {
 #ifdef WITH_OPENSSL
-	case KEY_RSA1:
 	case KEY_RSA_CERT:
 	case KEY_RSA:
 		return a->rsa != NULL && b->rsa != NULL &&
@ -881,25 +870,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
 		r = SSH_ERR_INVALID_ARGUMENT;
 		goto out;
 	}
-
-	if (k->type == KEY_RSA1) {
-#ifdef WITH_OPENSSL
-		int nlen = BN_num_bytes(k->rsa->n);
-		int elen = BN_num_bytes(k->rsa->e);
-
-		if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) {
-			r = SSH_ERR_INVALID_FORMAT;
-			goto out;
-		}
-		blob_len = nlen + elen;
-		if ((blob = malloc(blob_len)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto out;
-		}
-		BN_bn2bin(k->rsa->n, blob);
-		BN_bn2bin(k->rsa->e, blob + nlen);
-#endif /* WITH_OPENSSL */
-	} else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
+	if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
 		goto out;
 	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
 		r = SSH_ERR_ALLOC_FAIL;
@ -1208,8 +1179,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
 	cp = *cpp;

 	switch (ret->type) {
-	case KEY_RSA1:
-		break;
 	case KEY_UNSPEC:
 	case KEY_RSA:
 	case KEY_DSA:
@ -1362,31 +1331,17 @@ sshkey_to_base64(const struct sshkey *key, char **b64p)
 	return r;
 }

-static int
-sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b)
-{
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	return r;
-}
-
 static int
 sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
 {
 	int r = SSH_ERR_INTERNAL_ERROR;
 	char *uu = NULL;

-	if (key->type == KEY_RSA1) {
-		if ((r = sshkey_format_rsa1(key, b)) != 0)
-			goto out;
-	} else {
-		/* Unsupported key types handled in sshkey_to_base64() */
-		if ((r = sshkey_to_base64(key, &uu)) != 0)
-			goto out;
-		if ((r = sshbuf_putf(b, "%s %s",
-		    sshkey_ssh_name(key), uu)) != 0)
-			goto out;
-	}
+	if ((r = sshkey_to_base64(key, &uu)) != 0)
+		goto out;
+	if ((r = sshbuf_putf(b, "%s %s",
+	    sshkey_ssh_name(key), uu)) != 0)
+		goto out;
 	r = 0;
 out:
 	free(uu);
@ -1602,7 +1557,6 @@ sshkey_generate(int type, u_int bits, struct sshkey **keyp)
 		break;
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA:
-	case KEY_RSA1:
 		ret = rsa_generate_private_key(bits, &k->rsa);
 		break;
 #endif /* WITH_OPENSSL */
@ -1713,7 +1667,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
 		break;
 # endif /* OPENSSL_HAS_ECC */
 	case KEY_RSA:
-	case KEY_RSA1:
 	case KEY_RSA_CERT:
 		if ((n = sshkey_new(k->type)) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
@ -2183,7 +2136,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
 			goto fail;
 		/* FALLTHROUGH */
-	case KEY_RSA1:
 	case KEY_RSA:
 		if ((pk->rsa = RSA_new()) == NULL ||
 		    (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
@ -2742,7 +2694,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
 	switch (k->type) {
 	case KEY_RSA:
 	case KEY_RSA_CERT:
-	case KEY_RSA1:
 		if (RSA_blinding_on(k->rsa, NULL) != 1) {
 			r = SSH_ERR_LIBCRYPTO_ERROR;
 			goto out;
--- a/sshkey.h
+++ b/sshkey.h
@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.15 2017/03/10 04:07:20 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.16 2017/04/30 23:18:44 djm Exp $ */

 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@ -53,7 +53,6 @@ struct sshbuf;

 /* Key types */
 enum sshkey_types {
-	KEY_RSA1,
 	KEY_RSA,
 	KEY_DSA,
 	KEY_ECDSA,