summaryrefslogtreecommitdiff
path: root/ssh-rsa.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2013-12-31 12:25:40 +1100
committerDamien Miller <djm@mindrot.org>2013-12-31 12:25:40 +1100
commit324541e5264e1489ca0babfaf2b39612eb80dfb3 (patch)
tree3adbfd162c3704e6aeb36f30ca09e4c04fbd25e2 /ssh-rsa.c
parent9f4c8e797ea002a883307ca906f1f1f815010e78 (diff)
- djm@cvs.openbsd.org 2013/12/30 23:52:28
[auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c] [sshconnect.c sshconnect2.c sshd.c] refuse RSA keys from old proprietary clients/servers that use the obsolete RSA+MD5 signature scheme. it will still be possible to connect with these clients/servers but only DSA keys will be accepted, and we'll deprecate them entirely in a future release. ok markus@
Diffstat (limited to 'ssh-rsa.c')
-rw-r--r--ssh-rsa.c23
1 files changed, 3 insertions, 20 deletions
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 6e28bb4a..b1ac50b3 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.48 2013/12/27 22:37:18 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.49 2013/12/30 23:52:27 djm Exp $ */
/*
* Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
*
@@ -53,7 +53,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
return -1;
}
- nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+ nid = NID_sha1;
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("%s: EVP_get_digestbynid %d failed", __func__, nid);
return -1;
@@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
memset(sigblob, 0, diff);
len = modlen;
}
- nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+ nid = NID_sha1;
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("%s: EVP_get_digestbynid %d failed", __func__, nid);
free(sigblob);
@@ -196,18 +196,6 @@ static const u_char id_sha1[] = {
0x05, 0x00, /* NULL */
0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
};
-/*
- * id-md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
- * rsadsi(113549) digestAlgorithm(2) 5 }
- */
-static const u_char id_md5[] = {
- 0x30, 0x20, /* type Sequence, length 0x20 (32) */
- 0x30, 0x0c, /* type Sequence, length 0x0c (12) */
- 0x06, 0x08, /* type OID, length 0x08 */
- 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* id-md5 */
- 0x05, 0x00, /* NULL */
- 0x04, 0x10 /* Octet string, length 0x10 (16), followed by md5 hash */
-};
static int
openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
@@ -225,11 +213,6 @@ openssh_RSA_verify(int type, u_char *hash, u_int hashlen,
oidlen = sizeof(id_sha1);
hlen = 20;
break;
- case NID_md5:
- oid = id_md5;
- oidlen = sizeof(id_md5);
- hlen = 16;
- break;
default:
goto done;
}