Commit Graph

24 Commits

Author SHA1 Message Date
djm@openbsd.org
04c7e28f83 upstream commit
pass negotiated signing algorithm though to
sshkey_verify() and check that the negotiated algorithm matches the type in
the signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

OpenBSD-Commit-ID: 735fb15bf4adc060d3bee9d047a4bcaaa81b1af9
2017-12-19 15:21:37 +11:00
djm@openbsd.org
931c78dfd7 upstream commit
sshkey_sigtype() function to return the type of a
signature; ok markus@

OpenBSD-Commit-ID: d3772b065ad6eed97285589bfb544befed9032e8
2017-12-19 15:20:44 +11:00
djm@openbsd.org
83fa3a0448 upstream commit
remove post-SSHv1 removal dead code from rsa.c and merge
the remaining bit that it still used into ssh-rsa.c; ok markus

Upstream-ID: ac8a048d24dcd89594b0052ea5e3404b473bfa2f
2017-07-21 14:17:32 +10:00
djm@openbsd.org
a98339edbc upstream commit
Allow ssh-keygen to use a key held in ssh-agent as a CA when
signing certificates. bz#2377 ok markus

Upstream-ID: fb42e920b592edcbb5b50465739a867c09329c8f
2017-06-28 11:13:19 +10:00
djm@openbsd.org
6026f48dfc upstream commit
missing prototype.

Upstream-ID: f443d2be9910fd2165a0667956d03343c46f66c9
2017-06-13 22:15:08 +10:00
djm@openbsd.org
bd636f4091 upstream commit
Refuse RSA keys <1024 bits in length. Improve reporting
for keys that do not meet this requirement. ok markus@

Upstream-ID: b385e2a7b13b1484792ee681daaf79e1e203df6c
2017-05-08 09:21:22 +10:00
naddy@openbsd.org
768405fddf upstream commit
remove miscellaneous SSH1 leftovers; ok markus@

Upstream-ID: af23696022ae4d45a1abc2fb8b490d8d9dd63b7c
2017-05-08 09:18:27 +10:00
djm@openbsd.org
873d3e7d9a upstream commit
remove KEY_RSA1

ok markus@

Upstream-ID: 7408517b077c892a86b581e19f82a163069bf133
2017-05-01 10:05:01 +10:00
djm@openbsd.org
183ba55aaa upstream commit
fix regression in 7.4 server-sig-algs, where we were
accidentally excluding SHA2 RSA signature methods. bz#2680, patch from Nuno
Goncalves; ok dtucker@

Upstream-ID: 81ac8bfb30960447740b9b8f6a214dcf322f12e8
2017-03-10 15:35:39 +11:00
djm@openbsd.org
130f5df4fa upstream commit
list all supported signature algorithms in the
server-sig-algs Reported by mb AT smartftp.com in bz#2547 and (independantly)
Ron Frederick; ok markus@

Upstream-ID: ddf702d721f54646b11ef2cee6d916666cb685cd
2016-09-13 09:33:24 +10:00
djm@openbsd.org
57464e3934 upstream commit
support SHA256 and SHA512 RSA signatures in certificates;
 ok markus@

Upstream-ID: b45be2f2ce8cacd794dc5730edaabc90e5eb434a
2016-05-02 20:35:05 +10:00
markus@openbsd.org
76c9fbbe35 upstream commit
implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures
 (user and host auth) based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt; with & ok djm@

Upstream-ID: cf82ce532b2733e5c4b34bb7b7c94835632db309
2015-12-07 12:38:58 +11:00
djm@openbsd.org
499cf36fec upstream commit
move the certificate validity formatting code to
 sshkey.[ch]

Upstream-ID: f05f7c78fab20d02ff1d5ceeda533ef52e8fe523
2015-11-19 12:11:37 +11:00
tim@openbsd.org
3c019a936b upstream commit
- Fix error message: passphrase needs to be at least 5
 characters, not 4. - Remove unused function argument. - Remove two
 unnecessary variables.

OK djm@

Upstream-ID: 13010c05bfa8b523da1c0dc19e81dd180662bc30
2015-09-16 17:52:09 +10:00
djm@openbsd.org
57e8e229ba upstream commit
backout SSH_RSA_MINIMUM_MODULUS_SIZE increase for this
 release; problems spotted by sthen@ ok deraadt@ markus@

Upstream-ID: d0bd60dde9e8c3cd7030007680371894c1499822
2015-08-05 10:08:39 +10:00
djm@openbsd.org
c65a7aa6c4 upstream commit
another SSH_RSA_MINIMUM_MODULUS_SIZE that needed
 cranking

Upstream-ID: 9d8826cafe96aab4ae8e2f6fd22800874b7ffef1
2015-07-15 15:36:21 +10:00
djm@openbsd.org
c28fc62d78 upstream commit
delete support for legacy v00 certificates; "sure"
 markus@ dtucker@

Upstream-ID: b5b9bb5f9202d09e88f912989d74928601b6636f
2015-07-15 15:35:09 +10:00
djm@openbsd.org
d80fbe41a5 upstream commit
refactor: split base64 encoding of pubkey into its own
 sshkey_to_base64() function and out of sshkey_write(); ok markus@

Upstream-ID: 54fc38f5832e9b91028900819bda46c3959a0c1a
2015-05-21 15:06:06 +10:00
djm@openbsd.org
60b1825262 upstream commit
small refactor and add some convenience functions; ok
 markus
2015-01-27 00:00:36 +11:00
djm@openbsd.org
1f729f0614 upstream commit
add sshd_config HostbasedAcceptedKeyTypes and
 PubkeyAcceptedKeyTypes options to allow sshd to control what public key types
 will be accepted. Currently defaults to all. Feedback & ok markus@
2015-01-13 19:27:18 +11:00
djm@openbsd.org
1195f4cb07 upstream commit
deprecate key_load_private_pem() and
 sshkey_load_private_pem() interfaces. Refactor the generic key loading API to
 not require pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@
2015-01-09 00:17:12 +11:00
djm@openbsd.org
56d1c83cdd upstream commit
Add FingerprintHash option to control algorithm used for
 key fingerprints. Default changes from MD5 to SHA256 and format from hex to
 base64.

Feedback and ok naddy@ markus@
2014-12-22 09:32:29 +11:00
Damien Miller
f0935698f0 - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC 2014-08-20 11:06:50 +10:00
Damien Miller
8668706d0f - djm@cvs.openbsd.org 2014/06/24 01:13:21
[Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
     [sshconnect2.c sshd.c sshkey.c sshkey.h
     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
     New key API: refactor key-related functions to be more library-like,
     existing API is offered as a set of wrappers.

     with and ok markus@

     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
     Dempsky and Ron Bowes for a detailed review a few months ago.

     NB. This commit also removes portable OpenSSH support for OpenSSL
     <0.9.8e.
2014-07-02 15:28:02 +10:00