summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--clientloop.c5
-rw-r--r--hostfile.c18
-rw-r--r--ssh-agent.c28
-rw-r--r--ssh-keygen.19
-rw-r--r--ssh-keygen.c27
-rw-r--r--ssh-keyscan.19
-rw-r--r--ssh-keyscan.c64
-rw-r--r--ssh.c5
-rw-r--r--ssh.h4
-rw-r--r--sshconnect.c3
-rw-r--r--sshconnect2.c7
-rw-r--r--sshd.c10
-rw-r--r--sshkey.c63
-rw-r--r--sshkey.h3
14 files changed, 72 insertions, 183 deletions
diff --git a/clientloop.c b/clientloop.c
index 469a2f00a..018688a81 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.292 2017/04/30 23:13:25 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.293 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1831,8 +1831,7 @@ hostkeys_find(struct hostkey_foreach_line *l, void *_ctx)
1831 size_t i; 1831 size_t i;
1832 struct sshkey **tmp; 1832 struct sshkey **tmp;
1833 1833
1834 if (l->status != HKF_STATUS_MATCHED || l->key == NULL || 1834 if (l->status != HKF_STATUS_MATCHED || l->key == NULL)
1835 l->key->type == KEY_RSA1)
1836 return 0; 1835 return 0;
1837 1836
1838 /* Mark off keys we've already seen for this host */ 1837 /* Mark off keys we've already seen for this host */
diff --git a/hostfile.c b/hostfile.c
index b8f9cd143..1804cff99 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: hostfile.c,v 1.69 2017/04/30 23:10:43 djm Exp $ */ 1/* $OpenBSD: hostfile.c,v 1.70 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -346,16 +346,11 @@ check_hostkeys_by_key_or_type(struct hostkeys *hostkeys,
346 HostStatus end_return = HOST_NEW; 346 HostStatus end_return = HOST_NEW;
347 int want_cert = sshkey_is_cert(k); 347 int want_cert = sshkey_is_cert(k);
348 HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE; 348 HostkeyMarker want_marker = want_cert ? MRK_CA : MRK_NONE;
349 int proto = (k ? k->type : keytype) == KEY_RSA1 ? 1 : 2;
350 349
351 if (found != NULL) 350 if (found != NULL)
352 *found = NULL; 351 *found = NULL;
353 352
354 for (i = 0; i < hostkeys->num_entries; i++) { 353 for (i = 0; i < hostkeys->num_entries; i++) {
355 if (proto == 1 && hostkeys->entries[i].key->type != KEY_RSA1)
356 continue;
357 if (proto == 2 && hostkeys->entries[i].key->type == KEY_RSA1)
358 continue;
359 if (hostkeys->entries[i].marker != want_marker) 354 if (hostkeys->entries[i].marker != want_marker)
360 continue; 355 continue;
361 if (k == NULL) { 356 if (k == NULL) {
@@ -490,13 +485,6 @@ host_delete(struct hostkey_foreach_line *l, void *_ctx)
490 return 0; 485 return 0;
491 } 486 }
492 487
493 /* XXX might need a knob for this later */
494 /* Don't remove RSA1 keys */
495 if (l->key->type == KEY_RSA1) {
496 fprintf(ctx->out, "%s\n", l->line);
497 return 0;
498 }
499
500 /* 488 /*
501 * If this line contains one of the keys that we will be 489 * If this line contains one of the keys that we will be
502 * adding later, then don't change it and mark the key for 490 * adding later, then don't change it and mark the key for
@@ -804,12 +792,12 @@ hostkeys_foreach(const char *path, hostkeys_foreach_fn *callback, void *ctx,
804 lineinfo.keytype = sshkey_type_from_name(ktype); 792 lineinfo.keytype = sshkey_type_from_name(ktype);
805 793
806 /* 794 /*
807 * Assume RSA1 if the first component is a short 795 * Assume legacy RSA1 if the first component is a short
808 * decimal number. 796 * decimal number.
809 */ 797 */
810 if (lineinfo.keytype == KEY_UNSPEC && l < 8 && 798 if (lineinfo.keytype == KEY_UNSPEC && l < 8 &&
811 strspn(ktype, "0123456789") == l) 799 strspn(ktype, "0123456789") == l)
812 lineinfo.keytype = KEY_RSA1; 800 goto bad;
813 801
814 /* 802 /*
815 * Check that something other than whitespace follows 803 * Check that something other than whitespace follows
diff --git a/ssh-agent.c b/ssh-agent.c
index 6788287b7..cc3bffad8 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-agent.c,v 1.219 2017/04/30 23:10:43 djm Exp $ */ 1/* $OpenBSD: ssh-agent.c,v 1.220 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -247,6 +247,8 @@ process_request_identities(SocketEntry *e, int version)
247 Identity *id; 247 Identity *id;
248 struct sshbuf *msg; 248 struct sshbuf *msg;
249 int r; 249 int r;
250 u_char *blob;
251 size_t blen;
250 252
251 if ((msg = sshbuf_new()) == NULL) 253 if ((msg = sshbuf_new()) == NULL)
252 fatal("%s: sshbuf_new failed", __func__); 254 fatal("%s: sshbuf_new failed", __func__);
@@ -256,21 +258,15 @@ process_request_identities(SocketEntry *e, int version)
256 (r = sshbuf_put_u32(msg, tab->nentries)) != 0) 258 (r = sshbuf_put_u32(msg, tab->nentries)) != 0)
257 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 259 fatal("%s: buffer error: %s", __func__, ssh_err(r));
258 TAILQ_FOREACH(id, &tab->idlist, next) { 260 TAILQ_FOREACH(id, &tab->idlist, next) {
259 if (id->key->type == KEY_RSA1) { 261 if ((r = sshkey_to_blob(id->key, &blob, &blen)) != 0) {
260 } else { 262 error("%s: sshkey_to_blob: %s", __func__,
261 u_char *blob; 263 ssh_err(r));
262 size_t blen; 264 continue;
263
264 if ((r = sshkey_to_blob(id->key, &blob, &blen)) != 0) {
265 error("%s: sshkey_to_blob: %s", __func__,
266 ssh_err(r));
267 continue;
268 }
269 if ((r = sshbuf_put_string(msg, blob, blen)) != 0)
270 fatal("%s: buffer error: %s",
271 __func__, ssh_err(r));
272 free(blob);
273 } 265 }
266 if ((r = sshbuf_put_string(msg, blob, blen)) != 0)
267 fatal("%s: buffer error: %s",
268 __func__, ssh_err(r));
269 free(blob);
274 if ((r = sshbuf_put_cstring(msg, id->comment)) != 0) 270 if ((r = sshbuf_put_cstring(msg, id->comment)) != 0)
275 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 271 fatal("%s: buffer error: %s", __func__, ssh_err(r));
276 } 272 }
@@ -639,7 +635,7 @@ process_add_smartcard_key(SocketEntry *e)
639 count = pkcs11_add_provider(canonical_provider, pin, &keys); 635 count = pkcs11_add_provider(canonical_provider, pin, &keys);
640 for (i = 0; i < count; i++) { 636 for (i = 0; i < count; i++) {
641 k = keys[i]; 637 k = keys[i];
642 version = k->type == KEY_RSA1 ? 1 : 2; 638 version = 2;
643 tab = idtab_lookup(version); 639 tab = idtab_lookup(version);
644 if (lookup_identity(k, version) == NULL) { 640 if (lookup_identity(k, version) == NULL) {
645 id = xcalloc(1, sizeof(Identity)); 641 id = xcalloc(1, sizeof(Identity));
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index a83388a9f..be1a169f4 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.135 2017/04/29 06:06:01 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.136 2017/04/30 23:18:44 djm Exp $
2.\" 2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\" 37.\"
38.Dd $Mdocdate: April 29 2017 $ 38.Dd $Mdocdate: April 30 2017 $
39.Dt SSH-KEYGEN 1 39.Dt SSH-KEYGEN 1
40.Os 40.Os
41.Sh NAME 41.Sh NAME
@@ -207,7 +207,7 @@ There is no way to recover a lost passphrase.
207If the passphrase is lost or forgotten, a new key must be generated 207If the passphrase is lost or forgotten, a new key must be generated
208and the corresponding public key copied to other machines. 208and the corresponding public key copied to other machines.
209.Pp 209.Pp
210For RSA1 keys and keys stored in the newer OpenSSH format, 210For keys stored in the newer OpenSSH format,
211there is also a comment field in the key file that is only for 211there is also a comment field in the key file that is only for
212convenience to the user to help identify the key. 212convenience to the user to help identify the key.
213The comment can tell what the key is for, or whatever is useful. 213The comment can tell what the key is for, or whatever is useful.
@@ -264,7 +264,7 @@ flag will be ignored.
264Provides a new comment. 264Provides a new comment.
265.It Fl c 265.It Fl c
266Requests changing the comment in the private and public key files. 266Requests changing the comment in the private and public key files.
267This operation is only supported for RSA1 keys and keys stored in the 267This operation is only supported for keys stored in the
268newer OpenSSH format. 268newer OpenSSH format.
269The program will prompt for the file containing the private keys, for 269The program will prompt for the file containing the private keys, for
270the passphrase if the key has one, and for the new comment. 270the passphrase if the key has one, and for the new comment.
@@ -384,7 +384,6 @@ section.
384Prints the contents of one or more certificates. 384Prints the contents of one or more certificates.
385.It Fl l 385.It Fl l
386Show fingerprint of specified public key file. 386Show fingerprint of specified public key file.
387Private RSA1 keys are also supported.
388For RSA and DSA keys 387For RSA and DSA keys
389.Nm 388.Nm
390tries to find the matching public key file and prints its fingerprint. 389tries to find the matching public key file and prints its fingerprint.
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 70d421844..51c24bc55 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.301 2017/04/30 23:10:43 djm Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.302 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -246,9 +246,6 @@ ask_filename(struct passwd *pw, const char *prompt)
246 name = _PATH_SSH_CLIENT_ID_RSA; 246 name = _PATH_SSH_CLIENT_ID_RSA;
247 else { 247 else {
248 switch (sshkey_type_from_name(key_type_name)) { 248 switch (sshkey_type_from_name(key_type_name)) {
249 case KEY_RSA1:
250 name = _PATH_SSH_CLIENT_IDENTITY;
251 break;
252 case KEY_DSA_CERT: 249 case KEY_DSA_CERT:
253 case KEY_DSA: 250 case KEY_DSA:
254 name = _PATH_SSH_CLIENT_ID_DSA; 251 name = _PATH_SSH_CLIENT_ID_DSA;
@@ -320,8 +317,6 @@ do_convert_to_ssh2(struct passwd *pw, struct sshkey *k)
320 char comment[61]; 317 char comment[61];
321 int r; 318 int r;
322 319
323 if (k->type == KEY_RSA1)
324 fatal("version 1 keys are not supported");
325 if ((r = sshkey_to_blob(k, &blob, &len)) != 0) 320 if ((r = sshkey_to_blob(k, &blob, &len)) != 0)
326 fatal("key_to_blob failed: %s", ssh_err(r)); 321 fatal("key_to_blob failed: %s", ssh_err(r));
327 /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */ 322 /* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
@@ -343,7 +338,6 @@ static void
343do_convert_to_pkcs8(struct sshkey *k) 338do_convert_to_pkcs8(struct sshkey *k)
344{ 339{
345 switch (sshkey_type_plain(k->type)) { 340 switch (sshkey_type_plain(k->type)) {
346 case KEY_RSA1:
347 case KEY_RSA: 341 case KEY_RSA:
348 if (!PEM_write_RSA_PUBKEY(stdout, k->rsa)) 342 if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))
349 fatal("PEM_write_RSA_PUBKEY failed"); 343 fatal("PEM_write_RSA_PUBKEY failed");
@@ -368,7 +362,6 @@ static void
368do_convert_to_pem(struct sshkey *k) 362do_convert_to_pem(struct sshkey *k)
369{ 363{
370 switch (sshkey_type_plain(k->type)) { 364 switch (sshkey_type_plain(k->type)) {
371 case KEY_RSA1:
372 case KEY_RSA: 365 case KEY_RSA:
373 if (!PEM_write_RSAPublicKey(stdout, k->rsa)) 366 if (!PEM_write_RSAPublicKey(stdout, k->rsa))
374 fatal("PEM_write_RSAPublicKey failed"); 367 fatal("PEM_write_RSAPublicKey failed");
@@ -825,13 +818,6 @@ try_read_key(char **cpp)
825 struct sshkey *ret; 818 struct sshkey *ret;
826 int r; 819 int r;
827 820
828 if ((ret = sshkey_new(KEY_RSA1)) == NULL)
829 fatal("sshkey_new failed");
830 /* Try RSA1 */
831 if ((r = sshkey_read(ret, cpp)) == 0)
832 return ret;
833 /* Try modern */
834 sshkey_free(ret);
835 if ((ret = sshkey_new(KEY_UNSPEC)) == NULL) 821 if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)
836 fatal("sshkey_new failed"); 822 fatal("sshkey_new failed");
837 if ((r = sshkey_read(ret, cpp)) == 0) 823 if ((r = sshkey_read(ret, cpp)) == 0)
@@ -1442,9 +1428,8 @@ do_change_comment(struct passwd *pw)
1442 } 1428 }
1443 } 1429 }
1444 1430
1445 if (private->type != KEY_RSA1 && private->type != KEY_ED25519 && 1431 if (private->type != KEY_ED25519 && !use_new_format) {
1446 !use_new_format) { 1432 error("Comments are only supported for keys stored in "
1447 error("Comments are only supported for RSA1 or keys stored in "
1448 "the new format (-o)."); 1433 "the new format (-o).");
1449 explicit_bzero(passphrase, strlen(passphrase)); 1434 explicit_bzero(passphrase, strlen(passphrase));
1450 sshkey_free(private); 1435 sshkey_free(private);
@@ -2241,13 +2226,11 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
2241 exit(ret); 2226 exit(ret);
2242} 2227}
2243 2228
2244# define RSA1_USAGE ""
2245
2246static void 2229static void
2247usage(void) 2230usage(void)
2248{ 2231{
2249 fprintf(stderr, 2232 fprintf(stderr,
2250 "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa%s]\n" 2233 "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"
2251 " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" 2234 " [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
2252 " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" 2235 " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
2253 " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" 2236 " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
@@ -2255,7 +2238,7 @@ usage(void)
2255 " ssh-keygen -y [-f input_keyfile]\n" 2238 " ssh-keygen -y [-f input_keyfile]\n"
2256 " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" 2239 " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
2257 " ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" 2240 " ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
2258 " ssh-keygen -B [-f input_keyfile]\n", RSA1_USAGE); 2241 " ssh-keygen -B [-f input_keyfile]\n");
2259#ifdef ENABLE_PKCS11 2242#ifdef ENABLE_PKCS11
2260 fprintf(stderr, 2243 fprintf(stderr,
2261 " ssh-keygen -D pkcs11\n"); 2244 " ssh-keygen -D pkcs11\n");
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index d29d9d906..82bcb5d01 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.38 2015/11/08 23:24:03 jmc Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.39 2017/04/30 23:18:44 djm Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -6,7 +6,7 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: November 8 2015 $ 9.Dd $Mdocdate: April 30 2017 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
@@ -127,11 +127,6 @@ Input format:
1271.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 1271.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
128.Ed 128.Ed
129.Pp 129.Pp
130Output format for RSA1 keys:
131.Bd -literal
132host-or-namelist bits exponent modulus
133.Ed
134.Pp
135Output format for RSA, DSA, ECDSA, and Ed25519 keys: 130Output format for RSA, DSA, ECDSA, and Ed25519 keys:
136.Bd -literal 131.Bd -literal
137host-or-namelist keytype base64-encoded-key 132host-or-namelist keytype base64-encoded-key
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 6a9292487..d49d79ad7 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keyscan.c,v 1.111 2017/04/30 23:13:25 djm Exp $ */ 1/* $OpenBSD: ssh-keyscan.c,v 1.112 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4 * 4 *
@@ -54,11 +54,13 @@ int IPv4or6 = AF_UNSPEC;
54 54
55int ssh_port = SSH_DEFAULT_PORT; 55int ssh_port = SSH_DEFAULT_PORT;
56 56
57#define KT_RSA1 1 57#define KT_DSA (1)
58#define KT_DSA 2 58#define KT_RSA (1<<1)
59#define KT_RSA 4 59#define KT_ECDSA (1<<2)
60#define KT_ECDSA 8 60#define KT_ED25519 (1<<3)
61#define KT_ED25519 16 61
62#define KT_MIN KT_DSA
63#define KT_MAX KT_ED25519
62 64
63int get_cert = 0; 65int get_cert = 0;
64int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; 66int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
@@ -94,7 +96,7 @@ typedef struct Connection {
94 int c_plen; /* Packet length field for ssh packet */ 96 int c_plen; /* Packet length field for ssh packet */
95 int c_len; /* Total bytes which must be read. */ 97 int c_len; /* Total bytes which must be read. */
96 int c_off; /* Length of data read so far. */ 98 int c_off; /* Length of data read so far. */
97 int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ 99 int c_keytype; /* Only one of KT_* */
98 sig_atomic_t c_done; /* SSH2 done */ 100 sig_atomic_t c_done; /* SSH2 done */
99 char *c_namebase; /* Address to free for c_name and c_namelist */ 101 char *c_namebase; /* Address to free for c_name and c_namelist */
100 char *c_name; /* Hostname of connection for errors */ 102 char *c_name; /* Hostname of connection for errors */
@@ -435,6 +437,20 @@ congreet(int s)
435 size_t bufsiz; 437 size_t bufsiz;
436 con *c = &fdcon[s]; 438 con *c = &fdcon[s];
437 439
440 /* send client banner */
441 n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
442 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2);
443 if (n < 0 || (size_t)n >= sizeof(buf)) {
444 error("snprintf: buffer too small");
445 confree(s);
446 return;
447 }
448 if (atomicio(vwrite, s, buf, n) != (size_t)n) {
449 error("write (%s): %s", c->c_name, strerror(errno));
450 confree(s);
451 return;
452 }
453
438 for (;;) { 454 for (;;) {
439 memset(buf, '\0', sizeof(buf)); 455 memset(buf, '\0', sizeof(buf));
440 bufsiz = sizeof(buf); 456 bufsiz = sizeof(buf);
@@ -477,38 +493,14 @@ congreet(int s)
477 c->c_ssh->compat = compat_datafellows(remote_version); 493 c->c_ssh->compat = compat_datafellows(remote_version);
478 else 494 else
479 c->c_ssh->compat = 0; 495 c->c_ssh->compat = 0;
480 if (c->c_keytype != KT_RSA1) { 496 if (!ssh2_capable(remote_major, remote_minor)) {
481 if (!ssh2_capable(remote_major, remote_minor)) { 497 debug("%s doesn't support ssh2", c->c_name);
482 debug("%s doesn't support ssh2", c->c_name);
483 confree(s);
484 return;
485 }
486 } else if (remote_major != 1) {
487 debug("%s doesn't support ssh1", c->c_name);
488 confree(s); 498 confree(s);
489 return; 499 return;
490 } 500 }
491 fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf)); 501 fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
492 n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", 502 keygrab_ssh2(c);
493 c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, 503 confree(s);
494 c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
495 if (n < 0 || (size_t)n >= sizeof(buf)) {
496 error("snprintf: buffer too small");
497 confree(s);
498 return;
499 }
500 if (atomicio(vwrite, s, buf, n) != (size_t)n) {
501 error("write (%s): %s", c->c_name, strerror(errno));
502 confree(s);
503 return;
504 }
505 if (c->c_keytype != KT_RSA1) {
506 keygrab_ssh2(c);
507 confree(s);
508 return;
509 }
510 c->c_status = CS_SIZE;
511 contouch(s);
512} 504}
513 505
514static void 506static void
@@ -606,7 +598,7 @@ do_host(char *host)
606 598
607 if (name == NULL) 599 if (name == NULL)
608 return; 600 return;
609 for (j = KT_RSA1; j <= KT_ED25519; j *= 2) { 601 for (j = KT_MIN; j <= KT_MAX; j *= 2) {
610 if (get_keytypes & j) { 602 if (get_keytypes & j) {
611 while (ncon >= MAXCON) 603 while (ncon >= MAXCON)
612 conloop(); 604 conloop();
diff --git a/ssh.c b/ssh.c
index c1316f44c..ea394b0c2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh.c,v 1.456 2017/04/30 23:15:04 djm Exp $ */ 1/* $OpenBSD: ssh.c,v 1.457 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1276,8 +1276,7 @@ main(int ac, char **av)
1276 sensitive_data.nkeys = 0; 1276 sensitive_data.nkeys = 0;
1277 sensitive_data.keys = NULL; 1277 sensitive_data.keys = NULL;
1278 sensitive_data.external_keysign = 0; 1278 sensitive_data.external_keysign = 0;
1279 if (options.rhosts_rsa_authentication || 1279 if (options.hostbased_authentication) {
1280 options.hostbased_authentication) {
1281 sensitive_data.nkeys = 9; 1280 sensitive_data.nkeys = 9;
1282 sensitive_data.keys = xcalloc(sensitive_data.nkeys, 1281 sensitive_data.keys = xcalloc(sensitive_data.nkeys,
1283 sizeof(Key)); 1282 sizeof(Key));
diff --git a/ssh.h b/ssh.h
index 50467a792..6e27672df 100644
--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh.h,v 1.83 2015/12/11 03:19:09 djm Exp $ */ 1/* $OpenBSD: ssh.h,v 1.84 2017/04/30 23:18:44 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -32,7 +32,7 @@
32 32
33/* 33/*
34 * Maximum length of lines in authorized_keys file. 34 * Maximum length of lines in authorized_keys file.
35 * Current value permits 16kbit RSA and RSA1 keys and 8kbit DSA keys, with 35 * Current value permits 16kbit RSA keys and 8kbit DSA keys, with
36 * some room for options and comments. 36 * some room for options and comments.
37 */ 37 */
38#define SSH_MAX_PUBKEY_BYTES 16384 38#define SSH_MAX_PUBKEY_BYTES 16384
diff --git a/sshconnect.c b/sshconnect.c
index d01d2c82d..28fd62104 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect.c,v 1.276 2017/04/30 23:13:25 djm Exp $ */ 1/* $OpenBSD: sshconnect.c,v 1.277 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1367,7 +1367,6 @@ static int
1367show_other_keys(struct hostkeys *hostkeys, Key *key) 1367show_other_keys(struct hostkeys *hostkeys, Key *key)
1368{ 1368{
1369 int type[] = { 1369 int type[] = {
1370 KEY_RSA1,
1371 KEY_RSA, 1370 KEY_RSA,
1372 KEY_DSA, 1371 KEY_DSA,
1373 KEY_ECDSA, 1372 KEY_ECDSA,
diff --git a/sshconnect2.c b/sshconnect2.c
index 7e4cde151..393353db5 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshconnect2.c,v 1.256 2017/04/28 03:24:53 djm Exp $ */ 1/* $OpenBSD: sshconnect2.c,v 1.257 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Damien Miller. All rights reserved. 4 * Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -1317,8 +1317,6 @@ pubkey_prepare(Authctxt *authctxt)
1317 /* list of keys stored in the filesystem and PKCS#11 */ 1317 /* list of keys stored in the filesystem and PKCS#11 */
1318 for (i = 0; i < options.num_identity_files; i++) { 1318 for (i = 0; i < options.num_identity_files; i++) {
1319 key = options.identity_keys[i]; 1319 key = options.identity_keys[i];
1320 if (key && key->type == KEY_RSA1)
1321 continue;
1322 if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER) 1320 if (key && key->cert && key->cert->type != SSH2_CERT_TYPE_USER)
1323 continue; 1321 continue;
1324 options.identity_keys[i] = NULL; 1322 options.identity_keys[i] = NULL;
@@ -1471,7 +1469,7 @@ try_identity(Identity *id)
1471 key_type(id->key), id->filename); 1469 key_type(id->key), id->filename);
1472 return (0); 1470 return (0);
1473 } 1471 }
1474 return (id->key->type != KEY_RSA1); 1472 return 1;
1475} 1473}
1476 1474
1477int 1475int
@@ -1764,7 +1762,6 @@ userauth_hostbased(Authctxt *authctxt)
1764 private = NULL; 1762 private = NULL;
1765 for (i = 0; i < authctxt->sensitive->nkeys; i++) { 1763 for (i = 0; i < authctxt->sensitive->nkeys; i++) {
1766 if (authctxt->sensitive->keys[i] == NULL || 1764 if (authctxt->sensitive->keys[i] == NULL ||
1767 authctxt->sensitive->keys[i]->type == KEY_RSA1 ||
1768 authctxt->sensitive->keys[i]->type == KEY_UNSPEC) 1765 authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
1769 continue; 1766 continue;
1770 if (match_pattern_list( 1767 if (match_pattern_list(
diff --git a/sshd.c b/sshd.c
index d18da6bdf..f128912b5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshd.c,v 1.486 2017/04/30 23:13:25 djm Exp $ */ 1/* $OpenBSD: sshd.c,v 1.487 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1676,14 +1676,6 @@ main(int ac, char **av)
1676 key = key_load_private(options.host_key_files[i], "", NULL); 1676 key = key_load_private(options.host_key_files[i], "", NULL);
1677 pubkey = key_load_public(options.host_key_files[i], NULL); 1677 pubkey = key_load_public(options.host_key_files[i], NULL);
1678 1678
1679 if ((pubkey != NULL && pubkey->type == KEY_RSA1) ||
1680 (key != NULL && key->type == KEY_RSA1)) {
1681 verbose("Ignoring RSA1 key %s",
1682 options.host_key_files[i]);
1683 key_free(key);
1684 key_free(pubkey);
1685 continue;
1686 }
1687 if (pubkey == NULL && key != NULL) 1679 if (pubkey == NULL && key != NULL)
1688 pubkey = key_demote(key); 1680 pubkey = key_demote(key);
1689 sensitive_data.host_keys[i] = key; 1681 sensitive_data.host_keys[i] = key;
diff --git a/sshkey.c b/sshkey.c
index 1741d9b19..0f6468197 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.c,v 1.47 2017/04/30 23:15:04 djm Exp $ */ 1/* $OpenBSD: sshkey.c,v 1.48 2017/04/30 23:18:44 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved. 4 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -235,10 +235,6 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
235 for ((p = strsep(&cp, ",")); p && *p != '\0'; 235 for ((p = strsep(&cp, ",")); p && *p != '\0';
236 (p = strsep(&cp, ","))) { 236 (p = strsep(&cp, ","))) {
237 type = sshkey_type_from_name(p); 237 type = sshkey_type_from_name(p);
238 if (type == KEY_RSA1) {
239 free(s);
240 return 0;
241 }
242 if (type == KEY_UNSPEC) { 238 if (type == KEY_UNSPEC) {
243 if (allow_wildcard) { 239 if (allow_wildcard) {
244 /* 240 /*
@@ -247,8 +243,6 @@ sshkey_names_valid2(const char *names, int allow_wildcard)
247 * the component is accepted. 243 * the component is accepted.
248 */ 244 */
249 for (kt = keytypes; kt->type != -1; kt++) { 245 for (kt = keytypes; kt->type != -1; kt++) {
250 if (kt->type == KEY_RSA1)
251 continue;
252 if (match_pattern_list(kt->name, 246 if (match_pattern_list(kt->name,
253 p, 0) != 0) 247 p, 0) != 0)
254 break; 248 break;
@@ -269,7 +263,6 @@ sshkey_size(const struct sshkey *k)
269{ 263{
270 switch (k->type) { 264 switch (k->type) {
271#ifdef WITH_OPENSSL 265#ifdef WITH_OPENSSL
272 case KEY_RSA1:
273 case KEY_RSA: 266 case KEY_RSA:
274 case KEY_RSA_CERT: 267 case KEY_RSA_CERT:
275 return BN_num_bits(k->rsa->n); 268 return BN_num_bits(k->rsa->n);
@@ -472,7 +465,6 @@ sshkey_new(int type)
472 k->ed25519_pk = NULL; 465 k->ed25519_pk = NULL;
473 switch (k->type) { 466 switch (k->type) {
474#ifdef WITH_OPENSSL 467#ifdef WITH_OPENSSL
475 case KEY_RSA1:
476 case KEY_RSA: 468 case KEY_RSA:
477 case KEY_RSA_CERT: 469 case KEY_RSA_CERT:
478 if ((rsa = RSA_new()) == NULL || 470 if ((rsa = RSA_new()) == NULL ||
@@ -530,7 +522,6 @@ sshkey_add_private(struct sshkey *k)
530{ 522{
531 switch (k->type) { 523 switch (k->type) {
532#ifdef WITH_OPENSSL 524#ifdef WITH_OPENSSL
533 case KEY_RSA1:
534 case KEY_RSA: 525 case KEY_RSA:
535 case KEY_RSA_CERT: 526 case KEY_RSA_CERT:
536#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) 527#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
@@ -586,7 +577,6 @@ sshkey_free(struct sshkey *k)
586 return; 577 return;
587 switch (k->type) { 578 switch (k->type) {
588#ifdef WITH_OPENSSL 579#ifdef WITH_OPENSSL
589 case KEY_RSA1:
590 case KEY_RSA: 580 case KEY_RSA:
591 case KEY_RSA_CERT: 581 case KEY_RSA_CERT:
592 if (k->rsa != NULL) 582 if (k->rsa != NULL)
@@ -664,7 +654,6 @@ sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
664 654
665 switch (a->type) { 655 switch (a->type) {
666#ifdef WITH_OPENSSL 656#ifdef WITH_OPENSSL
667 case KEY_RSA1:
668 case KEY_RSA_CERT: 657 case KEY_RSA_CERT:
669 case KEY_RSA: 658 case KEY_RSA:
670 return a->rsa != NULL && b->rsa != NULL && 659 return a->rsa != NULL && b->rsa != NULL &&
@@ -881,25 +870,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
881 r = SSH_ERR_INVALID_ARGUMENT; 870 r = SSH_ERR_INVALID_ARGUMENT;
882 goto out; 871 goto out;
883 } 872 }
884 873 if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
885 if (k->type == KEY_RSA1) {
886#ifdef WITH_OPENSSL
887 int nlen = BN_num_bytes(k->rsa->n);
888 int elen = BN_num_bytes(k->rsa->e);
889
890 if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) {
891 r = SSH_ERR_INVALID_FORMAT;
892 goto out;
893 }
894 blob_len = nlen + elen;
895 if ((blob = malloc(blob_len)) == NULL) {
896 r = SSH_ERR_ALLOC_FAIL;
897 goto out;
898 }
899 BN_bn2bin(k->rsa->n, blob);
900 BN_bn2bin(k->rsa->e, blob + nlen);
901#endif /* WITH_OPENSSL */
902 } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
903 goto out; 874 goto out;
904 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) { 875 if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
905 r = SSH_ERR_ALLOC_FAIL; 876 r = SSH_ERR_ALLOC_FAIL;
@@ -1208,8 +1179,6 @@ sshkey_read(struct sshkey *ret, char **cpp)
1208 cp = *cpp; 1179 cp = *cpp;
1209 1180
1210 switch (ret->type) { 1181 switch (ret->type) {
1211 case KEY_RSA1:
1212 break;
1213 case KEY_UNSPEC: 1182 case KEY_UNSPEC:
1214 case KEY_RSA: 1183 case KEY_RSA:
1215 case KEY_DSA: 1184 case KEY_DSA:
@@ -1363,30 +1332,16 @@ sshkey_to_base64(const struct sshkey *key, char **b64p)
1363} 1332}
1364 1333
1365static int 1334static int
1366sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b)
1367{
1368 int r = SSH_ERR_INTERNAL_ERROR;
1369
1370 return r;
1371}
1372
1373static int
1374sshkey_format_text(const struct sshkey *key, struct sshbuf *b) 1335sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
1375{ 1336{
1376 int r = SSH_ERR_INTERNAL_ERROR; 1337 int r = SSH_ERR_INTERNAL_ERROR;
1377 char *uu = NULL; 1338 char *uu = NULL;
1378 1339
1379 if (key->type == KEY_RSA1) { 1340 if ((r = sshkey_to_base64(key, &uu)) != 0)
1380 if ((r = sshkey_format_rsa1(key, b)) != 0) 1341 goto out;
1381 goto out; 1342 if ((r = sshbuf_putf(b, "%s %s",
1382 } else { 1343 sshkey_ssh_name(key), uu)) != 0)
1383 /* Unsupported key types handled in sshkey_to_base64() */ 1344 goto out;
1384 if ((r = sshkey_to_base64(key, &uu)) != 0)
1385 goto out;
1386 if ((r = sshbuf_putf(b, "%s %s",
1387 sshkey_ssh_name(key), uu)) != 0)
1388 goto out;
1389 }
1390 r = 0; 1345 r = 0;
1391 out: 1346 out:
1392 free(uu); 1347 free(uu);
@@ -1602,7 +1557,6 @@ sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1602 break; 1557 break;
1603# endif /* OPENSSL_HAS_ECC */ 1558# endif /* OPENSSL_HAS_ECC */
1604 case KEY_RSA: 1559 case KEY_RSA:
1605 case KEY_RSA1:
1606 ret = rsa_generate_private_key(bits, &k->rsa); 1560 ret = rsa_generate_private_key(bits, &k->rsa);
1607 break; 1561 break;
1608#endif /* WITH_OPENSSL */ 1562#endif /* WITH_OPENSSL */
@@ -1713,7 +1667,6 @@ sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1713 break; 1667 break;
1714# endif /* OPENSSL_HAS_ECC */ 1668# endif /* OPENSSL_HAS_ECC */
1715 case KEY_RSA: 1669 case KEY_RSA:
1716 case KEY_RSA1:
1717 case KEY_RSA_CERT: 1670 case KEY_RSA_CERT:
1718 if ((n = sshkey_new(k->type)) == NULL) 1671 if ((n = sshkey_new(k->type)) == NULL)
1719 return SSH_ERR_ALLOC_FAIL; 1672 return SSH_ERR_ALLOC_FAIL;
@@ -2183,7 +2136,6 @@ sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2183 if ((ret = sshkey_cert_copy(k, pk)) != 0) 2136 if ((ret = sshkey_cert_copy(k, pk)) != 0)
2184 goto fail; 2137 goto fail;
2185 /* FALLTHROUGH */ 2138 /* FALLTHROUGH */
2186 case KEY_RSA1:
2187 case KEY_RSA: 2139 case KEY_RSA:
2188 if ((pk->rsa = RSA_new()) == NULL || 2140 if ((pk->rsa = RSA_new()) == NULL ||
2189 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL || 2141 (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
@@ -2742,7 +2694,6 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2742 switch (k->type) { 2694 switch (k->type) {
2743 case KEY_RSA: 2695 case KEY_RSA:
2744 case KEY_RSA_CERT: 2696 case KEY_RSA_CERT:
2745 case KEY_RSA1:
2746 if (RSA_blinding_on(k->rsa, NULL) != 1) { 2697 if (RSA_blinding_on(k->rsa, NULL) != 1) {
2747 r = SSH_ERR_LIBCRYPTO_ERROR; 2698 r = SSH_ERR_LIBCRYPTO_ERROR;
2748 goto out; 2699 goto out;
diff --git a/sshkey.h b/sshkey.h
index 1b9e42f45..0012f885d 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: sshkey.h,v 1.15 2017/03/10 04:07:20 djm Exp $ */ 1/* $OpenBSD: sshkey.h,v 1.16 2017/04/30 23:18:44 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 4 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -53,7 +53,6 @@ struct sshbuf;
53 53
54/* Key types */ 54/* Key types */
55enum sshkey_types { 55enum sshkey_types {
56 KEY_RSA1,
57 KEY_RSA, 56 KEY_RSA,
58 KEY_DSA, 57 KEY_DSA,
59 KEY_ECDSA, 58 KEY_ECDSA,