Convert RSA and ECDSA key to the libcrypto EVP_PKEY API. DSA remains
unconverted as it will be removed within six months.

Based on patches originally from Dmitry Belyavskiy, but significantly
rework

Convert RSA and ECDSA key to the libcrypto EVP_PKEY API. DSA remains
unconverted as it will be removed within six months.

Based on patches originally from Dmitry Belyavskiy, but significantly
reworked based on feedback from Bob Beck, Joel Sing and especially
Theo Buehler (apologies to anyone I've missed).

ok tb@

show more ...

Remove unused compat.h includes. We've previously removed a lot
of the really old compatibility code, and with it went the need to
include compat.h in most of the files that have it.

put sshkey_check_rsa_length() back in sshkey.c to unbreak
OPENSSL=no builds

refactor sshkey_private_deserialize

feedback/ok markus@

refactor sshkey_private_serialize_opt()

feedback/ok markus@

refactor sshkey_sign() and sshkey_verify()

feedback/ok markus@

refactor sshkey_from_blob_internal()

feedback/ok markus@

refactor sshkey_from_private()

feedback/ok markus@

factor out key generation

feedback/ok markus@

factor out public key serialization

feedback/ok markus@

factor out sshkey_equal_public()

feedback/ok markus@

begin big refactor of sshkey

Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal

begin big refactor of sshkey

Move keytype data and some of the type-specific code (allocation,
cleanup, etc) out into each key type's implementation. Subsequent
commits will move more, with the goal of having each key-*.c file
owning as much of its keytype's implementation as possible.

lots of feedback + ok markus@

show more ...

hold our collective noses and use the openssl-1.1.x API in OpenSSH;
feedback and ok tb@ jsing@ markus@

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ens

Improve strictness and control over RSA-SHA2 signature types:

In ssh, when an agent fails to return a RSA-SHA2 signature when
requested and falls back to RSA-SHA1 instead, retry the signature to
ensure that the public key algorithm sent in the SSH_MSG_USERAUTH
matches the one in the signature itself.

In sshd, strictly enforce that the public key algorithm sent in the
SSH_MSG_USERAUTH message matches what appears in the signature.

Make the sshd_config PubkeyAcceptedKeyTypes and
HostbasedAcceptedKeyTypes options control accepted signature algorithms
(previously they selected supported key types). This allows these
options to ban RSA-SHA1 in favour of RSA-SHA2.

Add new signature algorithms "rsa-sha2-256-cert-v01@openssh.com" and
"rsa-sha2-512-cert-v01@openssh.com" to force use of RSA-SHA2 signatures
with certificate keys.

feedback and ok markus@

show more ...

Ensure that D mod (P-1) and D mod (Q-1) are calculated in constant time.

This avoids a potential side channel timing leak.

ok djm@ markus@

Convert some explicit_bzero()/free() calls to freezero().

ok deraadt@ dtucker@

log mismatched RSA signature types; ok markus@

pass negotiated signing algorithm though to sshkey_verify() and
check that the negotiated algorithm matches the type in the
signature (only matters for RSA SHA1/SHA2 sigs). ok markus@

remove post-SSHv1 removal dead code from rsa.c and merge the
remaining bit that it still used into ssh-rsa.c; ok markus

Refuse RSA keys <1024 bits in length. Improve reporting for keys that
do not meet this requirement. ok markus@

handle certs in rsa_hash_alg_from_ident(), saving an unnecessary
special case elsewhere.

make argument == NULL tests more consistent

Remove NULL-checks before sshbuf_free().

ok djm@

Remove NULL-checks before free().

ok dtucker@

stricter encoding type checks for ssh-rsa; ok djm@