jcs.org
jcs's openbsd hax
openbsd
finally remove DSA signature support from OpenSSH.
feedback/ok tb@, ok deraadt@
+37
-657
+5
-6
usr.bin/ssh/PROTOCOL
+5
-6
usr.bin/ssh/PROTOCOL
···
34
34
http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
35
35
36
36
1.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com",
37
-
"ssh-dsa-cert-v01@openssh.com",
38
37
"ecdsa-sha2-nistp256-cert-v01@openssh.com",
39
38
"ecdsa-sha2-nistp384-cert-v01@openssh.com" and
40
39
"ecdsa-sha2-nistp521-cert-v01@openssh.com"
···
765
764
of the public key algorithm name followed by a base64-encoded key blob.
766
765
The public key blob (before base64 encoding) is the same format used for
767
766
the encoding of public keys sent on the wire: as described in RFC4253
768
-
section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys
769
-
and the "New public key formats" section of PROTOCOL.certkeys for the
770
-
OpenSSH certificate formats.
767
+
section 6.6 for RSA keys, RFC5656 section 3.1 for ECDSA keys and
768
+
https://datatracker.ietf.org/doc/draft-miller-ssh-cert/
769
+
for the OpenSSH certificate formats.
771
770
772
771
5.2 Private key format
773
772
774
773
OpenSSH private keys, as generated by ssh-keygen(1) use the format
775
774
described in PROTOCOL.key by default. As a legacy option, PEM format
776
-
(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys
775
+
(RFC7468) private keys are also supported for RSA and ECDSA keys
777
776
and were the default format before OpenSSH 7.8.
778
777
779
778
5.3 KRL format
···
792
791
OpenSSH extends the usual agent protocol. These changes are documented
793
792
in the PROTOCOL.agent file.
794
793
795
-
$OpenBSD: PROTOCOL,v 1.56 2025/05/05 05:51:11 djm Exp $
794
+
$OpenBSD: PROTOCOL,v 1.57 2025/05/06 05:40:56 djm Exp $
+1
-3
usr.bin/ssh/authfd.c
+1
-3
usr.bin/ssh/authfd.c
···
1
-
/* $OpenBSD: authfd.c,v 1.134 2023/12/18 14:46:56 djm Exp $ */
1
+
/* $OpenBSD: authfd.c,v 1.135 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
600
600
#ifdef WITH_OPENSSL
601
601
case KEY_RSA:
602
602
case KEY_RSA_CERT:
603
-
case KEY_DSA:
604
-
case KEY_DSA_CERT:
605
603
case KEY_ECDSA:
606
604
case KEY_ECDSA_CERT:
607
605
case KEY_ECDSA_SK:
+1
-2
usr.bin/ssh/authfile.c
+1
-2
usr.bin/ssh/authfile.c
···
1
-
/* $OpenBSD: authfile.c,v 1.145 2024/09/22 12:56:21 jsg Exp $ */
1
+
/* $OpenBSD: authfile.c,v 1.146 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
4
4
*
···
323
323
switch (type) {
324
324
#ifdef WITH_OPENSSL
325
325
case KEY_RSA:
326
-
case KEY_DSA:
327
326
case KEY_ECDSA:
328
327
#endif /* WITH_OPENSSL */
329
328
case KEY_ED25519:
+1
-4
usr.bin/ssh/dns.c
+1
-4
usr.bin/ssh/dns.c
···
1
-
/* $OpenBSD: dns.c,v 1.44 2023/03/10 04:06:21 dtucker Exp $ */
1
+
/* $OpenBSD: dns.c,v 1.45 2025/05/06 05:40:56 djm Exp $ */
2
2
3
3
/*
4
4
* Copyright (c) 2003 Wesley Griffin. All rights reserved.
···
85
85
switch (key->type) {
86
86
case KEY_RSA:
87
87
*algorithm = SSHFP_KEY_RSA;
88
-
break;
89
-
case KEY_DSA:
90
-
*algorithm = SSHFP_KEY_DSA;
91
88
break;
92
89
case KEY_ECDSA:
93
90
*algorithm = SSHFP_KEY_ECDSA;
+3
-3
usr.bin/ssh/hostfile.c
+3
-3
usr.bin/ssh/hostfile.c
···
1
-
/* $OpenBSD: hostfile.c,v 1.98 2025/05/05 02:48:07 djm Exp $ */
1
+
/* $OpenBSD: hostfile.c,v 1.99 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
148
148
}
149
149
150
150
/*
151
-
* Parses an RSA (number of bits, e, n) or DSA key from a string. Moves the
152
-
* pointer over the key. Skips any whitespace at the beginning and at end.
151
+
* Parses an RSA key from a string. Moves the pointer over the key.
152
+
* Skips any whitespace at the beginning and at end.
153
153
*/
154
154
155
155
int
+1
-3
usr.bin/ssh/pathnames.h
+1
-3
usr.bin/ssh/pathnames.h
···
1
-
/* $OpenBSD: pathnames.h,v 1.34 2025/05/05 02:48:06 djm Exp $ */
1
+
/* $OpenBSD: pathnames.h,v 1.35 2025/05/06 05:40:56 djm Exp $ */
2
2
3
3
/*
4
4
* Author: Tatu Ylonen <ylo@cs.hut.fi>
···
30
30
*/
31
31
#define _PATH_SERVER_CONFIG_FILE SSHDIR "/sshd_config"
32
32
#define _PATH_HOST_CONFIG_FILE SSHDIR "/ssh_config"
33
-
#define _PATH_HOST_DSA_KEY_FILE SSHDIR "/ssh_host_dsa_key"
34
33
#define _PATH_HOST_ECDSA_KEY_FILE SSHDIR "/ssh_host_ecdsa_key"
35
34
#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
36
35
#define _PATH_HOST_ED25519_KEY_FILE SSHDIR "/ssh_host_ed25519_key"
···
75
74
* Name of the default file containing client-side authentication key. This
76
75
* file should only be readable by the user him/herself.
77
76
*/
78
-
#define _PATH_SSH_CLIENT_ID_DSA _PATH_SSH_USER_DIR "/id_dsa"
79
77
#define _PATH_SSH_CLIENT_ID_ECDSA _PATH_SSH_USER_DIR "/id_ecdsa"
80
78
#define _PATH_SSH_CLIENT_ID_RSA _PATH_SSH_USER_DIR "/id_rsa"
81
79
#define _PATH_SSH_CLIENT_ID_ED25519 _PATH_SSH_USER_DIR "/id_ed25519"
+1
-4
usr.bin/ssh/readconf.c
+1
-4
usr.bin/ssh/readconf.c
···
1
-
/* $OpenBSD: readconf.c,v 1.398 2025/03/18 04:53:14 djm Exp $ */
1
+
/* $OpenBSD: readconf.c,v 1.399 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
2844
2844
add_identity_file(options, "~/",
2845
2845
_PATH_SSH_CLIENT_ID_ED25519_SK, 0);
2846
2846
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_XMSS, 0);
2847
-
#ifdef WITH_DSA
2848
-
add_identity_file(options, "~/", _PATH_SSH_CLIENT_ID_DSA, 0);
2849
-
#endif
2850
2847
}
2851
2848
if (options->escape_char == -1)
2852
2849
options->escape_char = '~';
+1
-4
usr.bin/ssh/ssh-add.c
+1
-4
usr.bin/ssh/ssh-add.c
···
1
-
/* $OpenBSD: ssh-add.c,v 1.173 2024/09/06 02:30:44 djm Exp $ */
1
+
/* $OpenBSD: ssh-add.c,v 1.174 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
78
78
_PATH_SSH_CLIENT_ID_ED25519,
79
79
_PATH_SSH_CLIENT_ID_ED25519_SK,
80
80
_PATH_SSH_CLIENT_ID_XMSS,
81
-
#ifdef WITH_DSA
82
-
_PATH_SSH_CLIENT_ID_DSA,
83
-
#endif
84
81
NULL
85
82
};
86
83
-451
usr.bin/ssh/ssh-dss.c
-451
usr.bin/ssh/ssh-dss.c
···
1
-
/* $OpenBSD: ssh-dss.c,v 1.50 2024/01/11 01:45:36 djm Exp $ */
2
-
/*
3
-
* Copyright (c) 2000 Markus Friedl. All rights reserved.
4
-
*
5
-
* Redistribution and use in source and binary forms, with or without
6
-
* modification, are permitted provided that the following conditions
7
-
* are met:
8
-
* 1. Redistributions of source code must retain the above copyright
9
-
* notice, this list of conditions and the following disclaimer.
10
-
* 2. Redistributions in binary form must reproduce the above copyright
11
-
* notice, this list of conditions and the following disclaimer in the
12
-
* documentation and/or other materials provided with the distribution.
13
-
*
14
-
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15
-
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16
-
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17
-
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18
-
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19
-
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20
-
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21
-
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22
-
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23
-
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24
-
*/
25
-
26
-
#include <sys/types.h>
27
-
28
-
#include <openssl/bn.h>
29
-
#include <openssl/evp.h>
30
-
31
-
#include <string.h>
32
-
33
-
#include "sshbuf.h"
34
-
#include "ssherr.h"
35
-
#include "digest.h"
36
-
#define SSHKEY_INTERNAL
37
-
#include "sshkey.h"
38
-
39
-
#ifdef WITH_DSA
40
-
41
-
#define INTBLOB_LEN 20
42
-
#define SIGBLOB_LEN (2*INTBLOB_LEN)
43
-
44
-
static u_int
45
-
ssh_dss_size(const struct sshkey *key)
46
-
{
47
-
const BIGNUM *dsa_p;
48
-
49
-
if (key->dsa == NULL)
50
-
return 0;
51
-
DSA_get0_pqg(key->dsa, &dsa_p, NULL, NULL);
52
-
return BN_num_bits(dsa_p);
53
-
}
54
-
55
-
static int
56
-
ssh_dss_alloc(struct sshkey *k)
57
-
{
58
-
if ((k->dsa = DSA_new()) == NULL)
59
-
return SSH_ERR_ALLOC_FAIL;
60
-
return 0;
61
-
}
62
-
63
-
static void
64
-
ssh_dss_cleanup(struct sshkey *k)
65
-
{
66
-
DSA_free(k->dsa);
67
-
k->dsa = NULL;
68
-
}
69
-
70
-
static int
71
-
ssh_dss_equal(const struct sshkey *a, const struct sshkey *b)
72
-
{
73
-
const BIGNUM *dsa_p_a, *dsa_q_a, *dsa_g_a, *dsa_pub_key_a;
74
-
const BIGNUM *dsa_p_b, *dsa_q_b, *dsa_g_b, *dsa_pub_key_b;
75
-
76
-
if (a->dsa == NULL || b->dsa == NULL)
77
-
return 0;
78
-
DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
79
-
DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
80
-
DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL);
81
-
DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL);
82
-
if (dsa_p_a == NULL || dsa_p_b == NULL ||
83
-
dsa_q_a == NULL || dsa_q_b == NULL ||
84
-
dsa_g_a == NULL || dsa_g_b == NULL ||
85
-
dsa_pub_key_a == NULL || dsa_pub_key_b == NULL)
86
-
return 0;
87
-
if (BN_cmp(dsa_p_a, dsa_p_b) != 0)
88
-
return 0;
89
-
if (BN_cmp(dsa_q_a, dsa_q_b) != 0)
90
-
return 0;
91
-
if (BN_cmp(dsa_g_a, dsa_g_b) != 0)
92
-
return 0;
93
-
if (BN_cmp(dsa_pub_key_a, dsa_pub_key_b) != 0)
94
-
return 0;
95
-
return 1;
96
-
}
97
-
98
-
static int
99
-
ssh_dss_serialize_public(const struct sshkey *key, struct sshbuf *b,
100
-
enum sshkey_serialize_rep opts)
101
-
{
102
-
int r;
103
-
const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
104
-
105
-
if (key->dsa == NULL)
106
-
return SSH_ERR_INVALID_ARGUMENT;
107
-
DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
108
-
DSA_get0_key(key->dsa, &dsa_pub_key, NULL);
109
-
if (dsa_p == NULL || dsa_q == NULL ||
110
-
dsa_g == NULL || dsa_pub_key == NULL)
111
-
return SSH_ERR_INTERNAL_ERROR;
112
-
if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 ||
113
-
(r = sshbuf_put_bignum2(b, dsa_q)) != 0 ||
114
-
(r = sshbuf_put_bignum2(b, dsa_g)) != 0 ||
115
-
(r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
116
-
return r;
117
-
118
-
return 0;
119
-
}
120
-
121
-
static int
122
-
ssh_dss_serialize_private(const struct sshkey *key, struct sshbuf *b,
123
-
enum sshkey_serialize_rep opts)
124
-
{
125
-
int r;
126
-
const BIGNUM *dsa_priv_key;
127
-
128
-
DSA_get0_key(key->dsa, NULL, &dsa_priv_key);
129
-
if (!sshkey_is_cert(key)) {
130
-
if ((r = ssh_dss_serialize_public(key, b, opts)) != 0)
131
-
return r;
132
-
}
133
-
if ((r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
134
-
return r;
135
-
136
-
return 0;
137
-
}
138
-
139
-
static int
140
-
ssh_dss_generate(struct sshkey *k, int bits)
141
-
{
142
-
DSA *private;
143
-
144
-
if (bits != 1024)
145
-
return SSH_ERR_KEY_LENGTH;
146
-
if ((private = DSA_new()) == NULL)
147
-
return SSH_ERR_ALLOC_FAIL;
148
-
if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
149
-
NULL, NULL) || !DSA_generate_key(private)) {
150
-
DSA_free(private);
151
-
return SSH_ERR_LIBCRYPTO_ERROR;
152
-
}
153
-
k->dsa = private;
154
-
return 0;
155
-
}
156
-
157
-
static int
158
-
ssh_dss_copy_public(const struct sshkey *from, struct sshkey *to)
159
-
{
160
-
const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
161
-
BIGNUM *dsa_p_dup = NULL, *dsa_q_dup = NULL, *dsa_g_dup = NULL;
162
-
BIGNUM *dsa_pub_key_dup = NULL;
163
-
int r = SSH_ERR_INTERNAL_ERROR;
164
-
165
-
DSA_get0_pqg(from->dsa, &dsa_p, &dsa_q, &dsa_g);
166
-
DSA_get0_key(from->dsa, &dsa_pub_key, NULL);
167
-
if ((dsa_p_dup = BN_dup(dsa_p)) == NULL ||
168
-
(dsa_q_dup = BN_dup(dsa_q)) == NULL ||
169
-
(dsa_g_dup = BN_dup(dsa_g)) == NULL ||
170
-
(dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL) {
171
-
r = SSH_ERR_ALLOC_FAIL;
172
-
goto out;
173
-
}
174
-
if (!DSA_set0_pqg(to->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
175
-
r = SSH_ERR_LIBCRYPTO_ERROR;
176
-
goto out;
177
-
}
178
-
dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL; /* transferred */
179
-
if (!DSA_set0_key(to->dsa, dsa_pub_key_dup, NULL)) {
180
-
r = SSH_ERR_LIBCRYPTO_ERROR;
181
-
goto out;
182
-
}
183
-
dsa_pub_key_dup = NULL; /* transferred */
184
-
/* success */
185
-
r = 0;
186
-
out:
187
-
BN_clear_free(dsa_p_dup);
188
-
BN_clear_free(dsa_q_dup);
189
-
BN_clear_free(dsa_g_dup);
190
-
BN_clear_free(dsa_pub_key_dup);
191
-
return r;
192
-
}
193
-
194
-
static int
195
-
ssh_dss_deserialize_public(const char *ktype, struct sshbuf *b,
196
-
struct sshkey *key)
197
-
{
198
-
int ret = SSH_ERR_INTERNAL_ERROR;
199
-
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL, *dsa_pub_key = NULL;
200
-
201
-
if (sshbuf_get_bignum2(b, &dsa_p) != 0 ||
202
-
sshbuf_get_bignum2(b, &dsa_q) != 0 ||
203
-
sshbuf_get_bignum2(b, &dsa_g) != 0 ||
204
-
sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
205
-
ret = SSH_ERR_INVALID_FORMAT;
206
-
goto out;
207
-
}
208
-
if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
209
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
210
-
goto out;
211
-
}
212
-
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
213
-
if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL)) {
214
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
215
-
goto out;
216
-
}
217
-
dsa_pub_key = NULL; /* transferred */
218
-
#ifdef DEBUG_PK
219
-
DSA_print_fp(stderr, key->dsa, 8);
220
-
#endif
221
-
/* success */
222
-
ret = 0;
223
-
out:
224
-
BN_clear_free(dsa_p);
225
-
BN_clear_free(dsa_q);
226
-
BN_clear_free(dsa_g);
227
-
BN_clear_free(dsa_pub_key);
228
-
return ret;
229
-
}
230
-
231
-
static int
232
-
ssh_dss_deserialize_private(const char *ktype, struct sshbuf *b,
233
-
struct sshkey *key)
234
-
{
235
-
int r;
236
-
BIGNUM *dsa_priv_key = NULL;
237
-
238
-
if (!sshkey_is_cert(key)) {
239
-
if ((r = ssh_dss_deserialize_public(ktype, b, key)) != 0)
240
-
return r;
241
-
}
242
-
243
-
if ((r = sshbuf_get_bignum2(b, &dsa_priv_key)) != 0)
244
-
return r;
245
-
if (!DSA_set0_key(key->dsa, NULL, dsa_priv_key)) {
246
-
BN_clear_free(dsa_priv_key);
247
-
return SSH_ERR_LIBCRYPTO_ERROR;
248
-
}
249
-
return 0;
250
-
}
251
-
252
-
static int
253
-
ssh_dss_sign(struct sshkey *key,
254
-
u_char **sigp, size_t *lenp,
255
-
const u_char *data, size_t datalen,
256
-
const char *alg, const char *sk_provider, const char *sk_pin, u_int compat)
257
-
{
258
-
DSA_SIG *sig = NULL;
259
-
const BIGNUM *sig_r, *sig_s;
260
-
u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
261
-
size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
262
-
struct sshbuf *b = NULL;
263
-
int ret = SSH_ERR_INVALID_ARGUMENT;
264
-
265
-
if (lenp != NULL)
266
-
*lenp = 0;
267
-
if (sigp != NULL)
268
-
*sigp = NULL;
269
-
270
-
if (key == NULL || key->dsa == NULL ||
271
-
sshkey_type_plain(key->type) != KEY_DSA)
272
-
return SSH_ERR_INVALID_ARGUMENT;
273
-
if (dlen == 0)
274
-
return SSH_ERR_INTERNAL_ERROR;
275
-
276
-
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
277
-
digest, sizeof(digest))) != 0)
278
-
goto out;
279
-
280
-
if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
281
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
282
-
goto out;
283
-
}
284
-
285
-
DSA_SIG_get0(sig, &sig_r, &sig_s);
286
-
rlen = BN_num_bytes(sig_r);
287
-
slen = BN_num_bytes(sig_s);
288
-
if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
289
-
ret = SSH_ERR_INTERNAL_ERROR;
290
-
goto out;
291
-
}
292
-
explicit_bzero(sigblob, SIGBLOB_LEN);
293
-
BN_bn2bin(sig_r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
294
-
BN_bn2bin(sig_s, sigblob + SIGBLOB_LEN - slen);
295
-
296
-
if ((b = sshbuf_new()) == NULL) {
297
-
ret = SSH_ERR_ALLOC_FAIL;
298
-
goto out;
299
-
}
300
-
if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 ||
301
-
(ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0)
302
-
goto out;
303
-
304
-
len = sshbuf_len(b);
305
-
if (sigp != NULL) {
306
-
if ((*sigp = malloc(len)) == NULL) {
307
-
ret = SSH_ERR_ALLOC_FAIL;
308
-
goto out;
309
-
}
310
-
memcpy(*sigp, sshbuf_ptr(b), len);
311
-
}
312
-
if (lenp != NULL)
313
-
*lenp = len;
314
-
ret = 0;
315
-
out:
316
-
explicit_bzero(digest, sizeof(digest));
317
-
DSA_SIG_free(sig);
318
-
sshbuf_free(b);
319
-
return ret;
320
-
}
321
-
322
-
static int
323
-
ssh_dss_verify(const struct sshkey *key,
324
-
const u_char *sig, size_t siglen,
325
-
const u_char *data, size_t dlen, const char *alg, u_int compat,
326
-
struct sshkey_sig_details **detailsp)
327
-
{
328
-
DSA_SIG *dsig = NULL;
329
-
BIGNUM *sig_r = NULL, *sig_s = NULL;
330
-
u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
331
-
size_t len, hlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
332
-
int ret = SSH_ERR_INTERNAL_ERROR;
333
-
struct sshbuf *b = NULL;
334
-
char *ktype = NULL;
335
-
336
-
if (key == NULL || key->dsa == NULL ||
337
-
sshkey_type_plain(key->type) != KEY_DSA ||
338
-
sig == NULL || siglen == 0)
339
-
return SSH_ERR_INVALID_ARGUMENT;
340
-
if (hlen == 0)
341
-
return SSH_ERR_INTERNAL_ERROR;
342
-
343
-
/* fetch signature */
344
-
if ((b = sshbuf_from(sig, siglen)) == NULL)
345
-
return SSH_ERR_ALLOC_FAIL;
346
-
if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
347
-
sshbuf_get_string(b, &sigblob, &len) != 0) {
348
-
ret = SSH_ERR_INVALID_FORMAT;
349
-
goto out;
350
-
}
351
-
if (strcmp("ssh-dss", ktype) != 0) {
352
-
ret = SSH_ERR_KEY_TYPE_MISMATCH;
353
-
goto out;
354
-
}
355
-
if (sshbuf_len(b) != 0) {
356
-
ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
357
-
goto out;
358
-
}
359
-
360
-
if (len != SIGBLOB_LEN) {
361
-
ret = SSH_ERR_INVALID_FORMAT;
362
-
goto out;
363
-
}
364
-
365
-
/* parse signature */
366
-
if ((dsig = DSA_SIG_new()) == NULL ||
367
-
(sig_r = BN_new()) == NULL ||
368
-
(sig_s = BN_new()) == NULL) {
369
-
ret = SSH_ERR_ALLOC_FAIL;
370
-
goto out;
371
-
}
372
-
if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig_r) == NULL) ||
373
-
(BN_bin2bn(sigblob + INTBLOB_LEN, INTBLOB_LEN, sig_s) == NULL)) {
374
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
375
-
goto out;
376
-
}
377
-
if (!DSA_SIG_set0(dsig, sig_r, sig_s)) {
378
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
379
-
goto out;
380
-
}
381
-
sig_r = sig_s = NULL; /* transferred */
382
-
383
-
/* sha1 the data */
384
-
if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, dlen,
385
-
digest, sizeof(digest))) != 0)
386
-
goto out;
387
-
388
-
switch (DSA_do_verify(digest, hlen, dsig, key->dsa)) {
389
-
case 1:
390
-
ret = 0;
391
-
break;
392
-
case 0:
393
-
ret = SSH_ERR_SIGNATURE_INVALID;
394
-
goto out;
395
-
default:
396
-
ret = SSH_ERR_LIBCRYPTO_ERROR;
397
-
goto out;
398
-
}
399
-
400
-
out:
401
-
explicit_bzero(digest, sizeof(digest));
402
-
DSA_SIG_free(dsig);
403
-
BN_clear_free(sig_r);
404
-
BN_clear_free(sig_s);
405
-
sshbuf_free(b);
406
-
free(ktype);
407
-
if (sigblob != NULL)
408
-
freezero(sigblob, len);
409
-
return ret;
410
-
}
411
-
412
-
static const struct sshkey_impl_funcs sshkey_dss_funcs = {
413
-
/* .size = */ ssh_dss_size,
414
-
/* .alloc = */ ssh_dss_alloc,
415
-
/* .cleanup = */ ssh_dss_cleanup,
416
-
/* .equal = */ ssh_dss_equal,
417
-
/* .ssh_serialize_public = */ ssh_dss_serialize_public,
418
-
/* .ssh_deserialize_public = */ ssh_dss_deserialize_public,
419
-
/* .ssh_serialize_private = */ ssh_dss_serialize_private,
420
-
/* .ssh_deserialize_private = */ ssh_dss_deserialize_private,
421
-
/* .generate = */ ssh_dss_generate,
422
-
/* .copy_public = */ ssh_dss_copy_public,
423
-
/* .sign = */ ssh_dss_sign,
424
-
/* .verify = */ ssh_dss_verify,
425
-
};
426
-
427
-
const struct sshkey_impl sshkey_dss_impl = {
428
-
/* .name = */ "ssh-dss",
429
-
/* .shortname = */ "DSA",
430
-
/* .sigalg = */ NULL,
431
-
/* .type = */ KEY_DSA,
432
-
/* .nid = */ 0,
433
-
/* .cert = */ 0,
434
-
/* .sigonly = */ 0,
435
-
/* .keybits = */ 0,
436
-
/* .funcs = */ &sshkey_dss_funcs,
437
-
};
438
-
439
-
const struct sshkey_impl sshkey_dsa_cert_impl = {
440
-
/* .name = */ "ssh-dss-cert-v01@openssh.com",
441
-
/* .shortname = */ "DSA-CERT",
442
-
/* .sigalg = */ NULL,
443
-
/* .type = */ KEY_DSA_CERT,
444
-
/* .nid = */ 0,
445
-
/* .cert = */ 1,
446
-
/* .sigonly = */ 0,
447
-
/* .keybits = */ 0,
448
-
/* .funcs = */ &sshkey_dss_funcs,
449
-
};
450
-
451
-
#endif /* WITH_DSA */
+6
-83
usr.bin/ssh/ssh-keygen.c
+6
-83
usr.bin/ssh/ssh-keygen.c
···
1
-
/* $OpenBSD: ssh-keygen.c,v 1.477 2024/12/04 14:24:20 djm Exp $ */
1
+
/* $OpenBSD: ssh-keygen.c,v 1.478 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
64
64
#define DEFAULT_KEY_TYPE_NAME "ed25519"
65
65
66
66
/*
67
-
* Default number of bits in the RSA, DSA and ECDSA keys. These value can be
67
+
* Default number of bits in the RSA and ECDSA keys. These value can be
68
68
* overridden on the command line.
69
69
*
70
-
* These values, with the exception of DSA, provide security equivalent to at
71
-
* least 128 bits of security according to NIST Special Publication 800-57:
72
-
* Recommendation for Key Management Part 1 rev 4 section 5.6.1.
73
-
* For DSA it (and FIPS-186-4 section 4.2) specifies that the only size for
74
-
* which a 160bit hash is acceptable is 1kbit, and since ssh-dss specifies only
75
-
* SHA1 we limit the DSA key size 1k bits.
70
+
* These values provide security equivalent to at least 128 bits of security
71
+
* according to NIST Special Publication 800-57: Recommendation for Key
72
+
* Management Part 1 rev 4 section 5.6.1.
76
73
*/
77
74
#define DEFAULT_BITS 3072
78
-
#define DEFAULT_BITS_DSA 1024
79
75
#define DEFAULT_BITS_ECDSA 256
80
76
81
77
static int quiet = 0;
···
179
175
int nid;
180
176
181
177
switch(type) {
182
-
case KEY_DSA:
183
-
*bitsp = DEFAULT_BITS_DSA;
184
-
break;
185
178
case KEY_ECDSA:
186
179
if (name != NULL &&
187
180
(nid = sshkey_ecdsa_nid_from_name(name)) > 0)
···
197
190
}
198
191
#ifdef WITH_OPENSSL
199
192
switch (type) {
200
-
case KEY_DSA:
201
-
if (*bitsp != 1024)
202
-
fatal("Invalid DSA key length: must be 1024 bits");
203
-
break;
204
193
case KEY_RSA:
205
194
if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)
206
195
fatal("Invalid RSA key length: minimum is %d bits",
···
251
240
name = _PATH_SSH_CLIENT_ID_ED25519;
252
241
else {
253
242
switch (sshkey_type_from_shortname(key_type_name)) {
254
-
#ifdef WITH_DSA
255
-
case KEY_DSA_CERT:
256
-
case KEY_DSA:
257
-
name = _PATH_SSH_CLIENT_ID_DSA;
258
-
break;
259
-
#endif
260
243
case KEY_ECDSA_CERT:
261
244
case KEY_ECDSA:
262
245
name = _PATH_SSH_CLIENT_ID_ECDSA;
···
369
352
EVP_PKEY_get0_RSA(k->pkey)))
370
353
fatal("PEM_write_RSA_PUBKEY failed");
371
354
break;
372
-
#ifdef WITH_DSA
373
-
case KEY_DSA:
374
-
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
375
-
fatal("PEM_write_DSA_PUBKEY failed");
376
-
break;
377
-
#endif
378
355
case KEY_ECDSA:
379
356
if (!PEM_write_EC_PUBKEY(stdout,
380
357
EVP_PKEY_get0_EC_KEY(k->pkey)))
···
395
372
EVP_PKEY_get0_RSA(k->pkey)))
396
373
fatal("PEM_write_RSAPublicKey failed");
397
374
break;
398
-
#ifdef WITH_DSA
399
-
case KEY_DSA:
400
-
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
401
-
fatal("PEM_write_DSA_PUBKEY failed");
402
-
break;
403
-
#endif
404
375
case KEY_ECDSA:
405
376
if (!PEM_write_EC_PUBKEY(stdout,
406
377
EVP_PKEY_get0_EC_KEY(k->pkey)))
···
474
445
u_int magic, i1, i2, i3, i4;
475
446
size_t slen;
476
447
u_long e;
477
-
#ifdef WITH_DSA
478
-
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
479
-
BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
480
-
#endif
481
448
BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
482
449
BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL;
483
450
BIGNUM *rsa_dmp1 = NULL, *rsa_dmq1 = NULL;
···
509
476
510
477
if (strstr(type, "rsa")) {
511
478
ktype = KEY_RSA;
512
-
#ifdef WITH_DSA
513
-
} else if (strstr(type, "dsa")) {
514
-
ktype = KEY_DSA;
515
-
#endif
516
479
} else {
517
480
free(type);
518
481
return NULL;
···
522
485
free(type);
523
486
524
487
switch (key->type) {
525
-
#ifdef WITH_DSA
526
-
case KEY_DSA:
527
-
if ((dsa_p = BN_new()) == NULL ||
528
-
(dsa_q = BN_new()) == NULL ||
529
-
(dsa_g = BN_new()) == NULL ||
530
-
(dsa_pub_key = BN_new()) == NULL ||
531
-
(dsa_priv_key = BN_new()) == NULL)
532
-
fatal_f("BN_new");
533
-
buffer_get_bignum_bits(b, dsa_p);
534
-
buffer_get_bignum_bits(b, dsa_g);
535
-
buffer_get_bignum_bits(b, dsa_q);
536
-
buffer_get_bignum_bits(b, dsa_pub_key);
537
-
buffer_get_bignum_bits(b, dsa_priv_key);
538
-
if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g))
539
-
fatal_f("DSA_set0_pqg failed");
540
-
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
541
-
if (!DSA_set0_key(key->dsa, dsa_pub_key, dsa_priv_key))
542
-
fatal_f("DSA_set0_key failed");
543
-
dsa_pub_key = dsa_priv_key = NULL; /* transferred */
544
-
break;
545
-
#endif
546
488
case KEY_RSA:
547
489
if ((r = sshbuf_get_u8(b, &e1)) != 0 ||
548
490
(e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) ||
···
717
659
(*k)->pkey = pubkey;
718
660
pubkey = NULL;
719
661
break;
720
-
#ifdef WITH_DSA
721
-
case EVP_PKEY_DSA:
722
-
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
723
-
fatal("sshkey_new failed");
724
-
(*k)->type = KEY_DSA;
725
-
(*k)->dsa = EVP_PKEY_get1_DSA(pubkey);
726
-
break;
727
-
#endif
728
662
case EVP_PKEY_EC:
729
663
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
730
664
fatal("sshkey_new failed");
···
798
732
fprintf(stdout, "\n");
799
733
} else {
800
734
switch (k->type) {
801
-
#ifdef WITH_DSA
802
-
case KEY_DSA:
803
-
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
804
-
NULL, 0, NULL, NULL);
805
-
break;
806
-
#endif
807
735
case KEY_ECDSA:
808
736
ok = PEM_write_ECPrivateKey(stdout,
809
737
EVP_PKEY_get0_EC_KEY(k->pkey), NULL, NULL, 0,
···
3306
3234
fprintf(stderr,
3307
3235
"usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]\n"
3308
3236
" [-m format] [-N new_passphrase] [-O option]\n"
3309
-
" [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n"
3237
+
" [-t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n"
3310
3238
" [-w provider] [-Z cipher]\n"
3311
3239
" ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n"
3312
3240
" [-P old_passphrase] [-Z cipher]\n"
···
3779
3707
n += do_print_resource_record(pw,
3780
3708
_PATH_HOST_RSA_KEY_FILE, rr_hostname,
3781
3709
print_generic, opts, nopts);
3782
-
#ifdef WITH_DSA
3783
-
n += do_print_resource_record(pw,
3784
-
_PATH_HOST_DSA_KEY_FILE, rr_hostname,
3785
-
print_generic, opts, nopts);
3786
-
#endif
3787
3710
n += do_print_resource_record(pw,
3788
3711
_PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
3789
3712
print_generic, opts, nopts);
+8
-18
usr.bin/ssh/ssh-keyscan.c
+8
-18
usr.bin/ssh/ssh-keyscan.c
···
1
-
/* $OpenBSD: ssh-keyscan.c,v 1.165 2024/12/06 15:17:15 djm Exp $ */
1
+
/* $OpenBSD: ssh-keyscan.c,v 1.166 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4
4
*
···
54
54
55
55
int ssh_port = SSH_DEFAULT_PORT;
56
56
57
-
#define KT_DSA (1)
58
-
#define KT_RSA (1<<1)
59
-
#define KT_ECDSA (1<<2)
60
-
#define KT_ED25519 (1<<3)
61
-
#define KT_XMSS (1<<4)
62
-
#define KT_ECDSA_SK (1<<5)
63
-
#define KT_ED25519_SK (1<<6)
57
+
#define KT_RSA (1)
58
+
#define KT_ECDSA (1<<1)
59
+
#define KT_ED25519 (1<<2)
60
+
#define KT_XMSS (1<<3)
61
+
#define KT_ECDSA_SK (1<<4)
62
+
#define KT_ED25519_SK (1<<5)
64
63
65
-
#define KT_MIN KT_DSA
64
+
#define KT_MIN KT_RSA
66
65
#define KT_MAX KT_ED25519_SK
67
66
68
67
int get_cert = 0;
···
216
215
int r;
217
216
218
217
switch (c->c_keytype) {
219
-
case KT_DSA:
220
-
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
221
-
"ssh-dss-cert-v01@openssh.com" : "ssh-dss";
222
-
break;
223
218
case KT_RSA:
224
219
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
225
220
"rsa-sha2-512-cert-v01@openssh.com,"
···
715
710
int type = sshkey_type_from_shortname(tname);
716
711
717
712
switch (type) {
718
-
#ifdef WITH_DSA
719
-
case KEY_DSA:
720
-
get_keytypes |= KT_DSA;
721
-
break;
722
-
#endif
723
713
case KEY_ECDSA:
724
714
get_keytypes |= KT_ECDSA;
725
715
break;
+1
-4
usr.bin/ssh/ssh-keysign.c
+1
-4
usr.bin/ssh/ssh-keysign.c
···
1
-
/* $OpenBSD: ssh-keysign.c,v 1.75 2025/02/15 01:48:30 djm Exp $ */
1
+
/* $OpenBSD: ssh-keysign.c,v 1.76 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Copyright (c) 2002 Markus Friedl. All rights reserved.
4
4
*
···
195
195
196
196
i = 0;
197
197
/* XXX This really needs to read sshd_config for the paths */
198
-
#ifdef WITH_DSA
199
-
key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
200
-
#endif
201
198
key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
202
199
key_fd[i++] = open(_PATH_HOST_ED25519_KEY_FILE, O_RDONLY);
203
200
key_fd[i++] = open(_PATH_HOST_XMSS_KEY_FILE, O_RDONLY);
+1
-7
usr.bin/ssh/ssh.c
+1
-7
usr.bin/ssh/ssh.c
···
1
-
/* $OpenBSD: ssh.c,v 1.612 2025/04/09 01:24:40 djm Exp $ */
1
+
/* $OpenBSD: ssh.c,v 1.613 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
1725
1725
L_CERT(_PATH_HOST_ECDSA_KEY_FILE, 0);
1726
1726
L_CERT(_PATH_HOST_ED25519_KEY_FILE, 1);
1727
1727
L_CERT(_PATH_HOST_RSA_KEY_FILE, 2);
1728
-
#ifdef WITH_DSA
1729
-
L_CERT(_PATH_HOST_DSA_KEY_FILE, 3);
1730
-
#endif
1731
1728
L_PUBKEY(_PATH_HOST_ECDSA_KEY_FILE, 4);
1732
1729
L_PUBKEY(_PATH_HOST_ED25519_KEY_FILE, 5);
1733
1730
L_PUBKEY(_PATH_HOST_RSA_KEY_FILE, 6);
1734
-
#ifdef WITH_DSA
1735
-
L_PUBKEY(_PATH_HOST_DSA_KEY_FILE, 7);
1736
-
#endif
1737
1731
L_CERT(_PATH_HOST_XMSS_KEY_FILE, 8);
1738
1732
L_PUBKEY(_PATH_HOST_XMSS_KEY_FILE, 9);
1739
1733
if (loaded == 0)
+1
-2
usr.bin/ssh/ssh_config
+1
-2
usr.bin/ssh/ssh_config
···
1
-
# $OpenBSD: ssh_config,v 1.36 2023/08/02 23:04:38 djm Exp $
1
+
# $OpenBSD: ssh_config,v 1.37 2025/05/06 05:40:56 djm Exp $
2
2
3
3
# This is the ssh client system-wide configuration file. See
4
4
# ssh_config(5) for more information. This file provides defaults for
···
28
28
# ConnectTimeout 0
29
29
# StrictHostKeyChecking ask
30
30
# IdentityFile ~/.ssh/id_rsa
31
-
# IdentityFile ~/.ssh/id_dsa
32
31
# IdentityFile ~/.ssh/id_ecdsa
33
32
# IdentityFile ~/.ssh/id_ed25519
34
33
# Port 22
+1
-4
usr.bin/ssh/sshconnect.c
+1
-4
usr.bin/ssh/sshconnect.c
···
1
-
/* $OpenBSD: sshconnect.c,v 1.369 2024/12/06 16:21:48 djm Exp $ */
1
+
/* $OpenBSD: sshconnect.c,v 1.370 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Author: Tatu Ylonen <ylo@cs.hut.fi>
4
4
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
···
1588
1588
{
1589
1589
int type[] = {
1590
1590
KEY_RSA,
1591
-
#ifdef WITH_DSA
1592
-
KEY_DSA,
1593
-
#endif
1594
1591
KEY_ECDSA,
1595
1592
KEY_ED25519,
1596
1593
KEY_XMSS,
+1
-4
usr.bin/ssh/sshd-auth.c
+1
-4
usr.bin/ssh/sshd-auth.c
···
1
-
/* $OpenBSD: sshd-auth.c,v 1.3 2025/01/16 06:37:10 dtucker Exp $ */
1
+
/* $OpenBSD: sshd-auth.c,v 1.4 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* SSH2 implementation:
4
4
* Privilege Separation:
···
233
233
append_hostkey_type(b, "rsa-sha2-512");
234
234
append_hostkey_type(b, "rsa-sha2-256");
235
235
/* FALLTHROUGH */
236
-
case KEY_DSA:
237
236
case KEY_ECDSA:
238
237
case KEY_ED25519:
239
238
case KEY_ECDSA_SK:
···
254
253
append_hostkey_type(b,
255
254
"rsa-sha2-256-cert-v01@openssh.com");
256
255
/* FALLTHROUGH */
257
-
case KEY_DSA_CERT:
258
256
case KEY_ECDSA_CERT:
259
257
case KEY_ED25519_CERT:
260
258
case KEY_ECDSA_SK_CERT:
···
280
278
for (i = 0; i < options.num_host_key_files; i++) {
281
279
switch (type) {
282
280
case KEY_RSA_CERT:
283
-
case KEY_DSA_CERT:
284
281
case KEY_ECDSA_CERT:
285
282
case KEY_ED25519_CERT:
286
283
case KEY_ECDSA_SK_CERT:
+1
-2
usr.bin/ssh/sshd-session.c
+1
-2
usr.bin/ssh/sshd-session.c
···
1
-
/* $OpenBSD: sshd-session.c,v 1.12 2025/03/12 22:43:44 djm Exp $ */
1
+
/* $OpenBSD: sshd-session.c,v 1.13 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* SSH2 implementation:
4
4
* Privilege Separation:
···
422
422
for (i = 0; i < options.num_host_key_files; i++) {
423
423
switch (type) {
424
424
case KEY_RSA_CERT:
425
-
case KEY_DSA_CERT:
426
425
case KEY_ECDSA_CERT:
427
426
case KEY_ED25519_CERT:
428
427
case KEY_ECDSA_SK_CERT:
+1
-2
usr.bin/ssh/sshd.c
+1
-2
usr.bin/ssh/sshd.c
···
1
-
/* $OpenBSD: sshd.c,v 1.617 2025/04/07 08:12:22 dtucker Exp $ */
1
+
/* $OpenBSD: sshd.c,v 1.618 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved.
4
4
* Copyright (c) 2002 Niels Provos. All rights reserved.
···
1589
1589
1590
1590
switch (keytype) {
1591
1591
case KEY_RSA:
1592
-
case KEY_DSA:
1593
1592
case KEY_ECDSA:
1594
1593
case KEY_ED25519:
1595
1594
case KEY_ECDSA_SK:
+1
-41
usr.bin/ssh/sshkey.c
+1
-41
usr.bin/ssh/sshkey.c
···
1
-
/* $OpenBSD: sshkey.c,v 1.148 2024/12/03 15:53:51 tb Exp $ */
1
+
/* $OpenBSD: sshkey.c,v 1.149 2025/05/06 05:40:56 djm Exp $ */
2
2
/*
3
3
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4
4
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
···
106
106
extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl;
107
107
extern const struct sshkey_impl sshkey_rsa_sha512_impl;
108
108
extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
109
-
# ifdef WITH_DSA
110
-
extern const struct sshkey_impl sshkey_dss_impl;
111
-
extern const struct sshkey_impl sshkey_dsa_cert_impl;
112
-
# endif
113
109
#endif /* WITH_OPENSSL */
114
110
#ifdef WITH_XMSS
115
111
extern const struct sshkey_impl sshkey_xmss_impl;
···
131
127
&sshkey_ecdsa_sk_impl,
132
128
&sshkey_ecdsa_sk_cert_impl,
133
129
&sshkey_ecdsa_sk_webauthn_impl,
134
-
# ifdef WITH_DSA
135
-
&sshkey_dss_impl,
136
-
&sshkey_dsa_cert_impl,
137
-
# endif
138
130
&sshkey_rsa_impl,
139
131
&sshkey_rsa_cert_impl,
140
132
&sshkey_rsa_sha256_impl,
···
430
422
switch (type) {
431
423
case KEY_RSA_CERT:
432
424
return KEY_RSA;
433
-
case KEY_DSA_CERT:
434
-
return KEY_DSA;
435
425
case KEY_ECDSA_CERT:
436
426
return KEY_ECDSA;
437
427
case KEY_ECDSA_SK_CERT:
···
454
444
switch (type) {
455
445
case KEY_RSA:
456
446
return KEY_RSA_CERT;
457
-
case KEY_DSA:
458
-
return KEY_DSA_CERT;
459
447
case KEY_ECDSA:
460
448
return KEY_ECDSA_CERT;
461
449
case KEY_ECDSA_SK:
···
3282
3270
goto out;
3283
3271
3284
3272
switch (key->type) {
3285
-
#ifdef WITH_DSA
3286
-
case KEY_DSA:
3287
-
if (format == SSHKEY_PRIVATE_PEM) {
3288
-
success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
3289
-
cipher, passphrase, len, NULL, NULL);
3290
-
} else {
3291
-
if ((pkey = EVP_PKEY_new()) == NULL) {
3292
-
r = SSH_ERR_ALLOC_FAIL;
3293
-
goto out;
3294
-
}
3295
-
success = EVP_PKEY_set1_DSA(pkey, key->dsa);
3296
-
}
3297
-
break;
3298
-
#endif
3299
3273
case KEY_ECDSA:
3300
3274
if (format == SSHKEY_PRIVATE_PEM) {
3301
3275
success = PEM_write_bio_ECPrivateKey(bio,
···
3361
3335
{
3362
3336
switch (key->type) {
3363
3337
#ifdef WITH_OPENSSL
3364
-
case KEY_DSA:
3365
3338
case KEY_ECDSA:
3366
3339
case KEY_RSA:
3367
3340
break; /* see below */
···
3516
3489
prv->pkey = pk;
3517
3490
if ((r = sshkey_check_rsa_length(prv, 0)) != 0)
3518
3491
goto out;
3519
-
#ifdef WITH_DSA
3520
-
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA &&
3521
-
(type == KEY_UNSPEC || type == KEY_DSA)) {
3522
-
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3523
-
r = SSH_ERR_ALLOC_FAIL;
3524
-
goto out;
3525
-
}
3526
-
prv->dsa = EVP_PKEY_get1_DSA(pk);
3527
-
prv->type = KEY_DSA;
3528
-
#ifdef DEBUG_PK
3529
-
DSA_print_fp(stderr, prv->dsa, 8);
3530
-
#endif
3531
-
#endif
3532
3492
} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC &&
3533
3493
(type == KEY_UNSPEC || type == KEY_ECDSA)) {
3534
3494
if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
+1
-10
usr.bin/ssh/sshkey.h
+1
-10
usr.bin/ssh/sshkey.h
···
1
-
/* $OpenBSD: sshkey.h,v 1.66 2025/04/02 04:28:03 tb Exp $ */
1
+
/* $OpenBSD: sshkey.h,v 1.67 2025/05/06 05:40:56 djm Exp $ */
2
2
3
3
/*
4
4
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
···
30
30
31
31
#ifdef WITH_OPENSSL
32
32
#include <openssl/rsa.h>
33
-
#ifdef WITH_DSA
34
-
#include <openssl/dsa.h>
35
-
#endif
36
33
#include <openssl/ec.h>
37
34
#include <openssl/ecdsa.h>
38
35
#include <openssl/evp.h>
···
40
37
#else /* OPENSSL */
41
38
#define BIGNUM void
42
39
#define RSA void
43
-
#define DSA void
44
40
#define EC_KEY void
45
41
#define EC_GROUP void
46
42
#define EC_POINT void
···
56
52
/* Key types */
57
53
enum sshkey_types {
58
54
KEY_RSA,
59
-
KEY_DSA,
60
55
KEY_ECDSA,
61
56
KEY_ED25519,
62
57
KEY_RSA_CERT,
63
-
KEY_DSA_CERT,
64
58
KEY_ECDSA_CERT,
65
59
KEY_ED25519_CERT,
66
60
KEY_XMSS,
···
123
117
struct sshkey {
124
118
int type;
125
119
int flags;
126
-
/* KEY_DSA */
127
-
DSA *dsa;
128
120
/* KEY_ECDSA and KEY_ECDSA_SK */
129
121
int ecdsa_nid; /* NID of curve */
130
122
/* libcrypto-backed keys */
···
347
339
348
340
#ifndef WITH_OPENSSL
349
341
#undef RSA
350
-
#undef DSA
351
342
#undef EC_KEY
352
343
#undef EC_GROUP
353
344
#undef EC_POINT