
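--- a/readconf.c
+++ b/readconf.c
@@ -173,6 +173,7 @@ typedef enum {
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 	oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
 	oSecurityKeyProvider,
+	oRSAMinimumModulusSize,
 	oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -310,6 +311,7 @@ static struct {
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
 	{ "securitykeyprovider", oSecurityKeyProvider },
+	{ "rsaminimummodulussize", oRSAMinimumModulusSize },
 
 	{ NULL, oBadOption }
 };
@@ -1339,6 +1341,20 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
 			*log_level_ptr = (LogLevel) value;
 		break;
 
+	case oRSAMinimumModulusSize:
+		intptr = &SSH_RSA_MINIMUM_MODULUS_SIZE;
+		arg = strdelim(&s);
+		if ((errstr = atoi_err(arg, &value)) != NULL)
+			fatal("%s line %d: integer value %s.",
+			    filename, linenum, errstr);
+                if (value < SSH_RSA_MINIMUM_MODULUS_SIZE_HARD) {
+                    fatal("%s line %d: RSAMinimumModulusSize unacceptably small: %d",
+                          filename, linenum, value);
+                    
+                }
+                SSH_RSA_MINIMUM_MODULUS_SIZE = value;
+		break;
+
 	case oLogFacility:
 		log_facility_ptr = &options->log_facility;
 		arg = strdelim(&s);
@@ -2770,6 +2786,7 @@ dump_client_config(Options *o, const char *host)
 	dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
 	dump_cfg_int(oServerAliveCountMax, o->server_alive_count_max);
 	dump_cfg_int(oServerAliveInterval, o->server_alive_interval);
+	dump_cfg_int(oRSAMinimumModulusSize, SSH_RSA_MINIMUM_MODULUS_SIZE);
 
 	/* String options */
 	dump_cfg_string(oBindAddress, o->bind_address);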
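Review bot: `intptr` is set to `&SSH_RSA_MINIMUM_MODULUS_SIZE` at new line 1345 but never read; the store at line 1355 goes through the global directly, so the assignment is dead and should either be removed or be the store itself (`*intptr = value;`). The same block mixes space indentation with the file's tab indentation and leaves a whitespace-only line (1353) inside the braces of an `if` whose body is a single `fatal()` call, which in this file's style needs no braces at all. If process_config_line_depth gates per-Host options behind an active/match flag elsewhere (not visible in this hunk), the write to the process-wide global should be gated the same way; otherwise an `RSAMinimumModulusSize` under a non-matching `Host` block still lowers the floor for every key the client handles, which is worth confirming. process_config_line_depth starts and ends outside the hunk.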
(-)a/ssh-keygen.c (-1 / +1 lines)
Lines 210-216 type_bits_valid(int type, const char *name, u_int32_t *bitsp) Link Here
210
			fatal("Invalid DSA key length: must be 1024 bits");
210
			fatal("Invalid DSA key length: must be 1024 bits");
211
		break;
211
		break;
212
	case KEY_RSA:
212
	case KEY_RSA:
213
		if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)
213
            if (*bitsp < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE)
214
			fatal("Invalid RSA key length: minimum is %d bits",
214
			fatal("Invalid RSA key length: minimum is %d bits",
215
			    SSH_RSA_MINIMUM_MODULUS_SIZE);
215
			    SSH_RSA_MINIMUM_MODULUS_SIZE);
216
		else if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)
216
		else if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)
(-)a/ssh.1 (+1 lines)
Lines 542-547 For full details of the options listed below, and their possible values, see Link Here
542
.It RemoteCommand
542
.It RemoteCommand
543
.It RemoteForward
543
.It RemoteForward
544
.It RequestTTY
544
.It RequestTTY
545
.It RSAMinimumModulusSize
545
.It SendEnv
546
.It SendEnv
546
.It ServerAliveInterval
547
.It ServerAliveInterval
547
.It ServerAliveCountMax
548
.It ServerAliveCountMax
(-)a/ssh_config.5 (+6 lines)
Lines 1486-1491 an OpenSSH Key Revocation List (KRL) as generated by Link Here
1486
.Xr ssh-keygen 1 .
1486
.Xr ssh-keygen 1 .
1487
For more information on KRLs, see the KEY REVOCATION LISTS section in
1487
For more information on KRLs, see the KEY REVOCATION LISTS section in
1488
.Xr ssh-keygen 1 .
1488
.Xr ssh-keygen 1 .
1489
.It Cm RSAMinimumModulusSize
1490
Specifies the minimum accepted RSA modulus size in different
1491
contexts.  This is only be used with older SSH servers when it is
1492
impossible to have or generate longer keys for them.  This should not
1493
be used in any other purposes except perhaps testing.  There is still
1494
hard limit, 512.  To use shorter RSA keys than that, OpenSSH must be recompiled.
1489
.It Cm SecurityKeyProvider
1495
.It Cm SecurityKeyProvider
1490
Specifies a path to a library that will be used when loading any
1496
Specifies a path to a library that will be used when loading any
1491
FIDO authenticator-hosted keys, overriding the default of using
1497
FIDO authenticator-hosted keys, overriding the default of using
(-)a/sshkey.c (-1 / +3 lines)
Lines 93-98 int sshkey_private_serialize_opt(struct sshkey *key, Link Here
93
static int sshkey_from_blob_internal(struct sshbuf *buf,
93
static int sshkey_from_blob_internal(struct sshbuf *buf,
94
    struct sshkey **keyp, int allow_cert);
94
    struct sshkey **keyp, int allow_cert);
95
95
96
int	SSH_RSA_MINIMUM_MODULUS_SIZE = SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT;
97
96
/* Supported key types */
98
/* Supported key types */
97
struct keytype {
99
struct keytype {
98
	const char *name;
100
	const char *name;
Lines 1583-1589 rsa_generate_private_key(u_int bits, RSA **rsap) Link Here
1583
1585
1584
	if (rsap == NULL)
1586
	if (rsap == NULL)
1585
		return SSH_ERR_INVALID_ARGUMENT;
1587
		return SSH_ERR_INVALID_ARGUMENT;
1586
	if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1588
	if (bits < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE ||
1587
	    bits > SSHBUF_MAX_BIGNUM * 8)
1589
	    bits > SSHBUF_MAX_BIGNUM * 8)
1588
		return SSH_ERR_KEY_LENGTH;
1590
		return SSH_ERR_KEY_LENGTH;
1589
	*rsap = NULL;
1591
	*rsap = NULL;
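Review bot: `int SSH_RSA_MINIMUM_MODULUS_SIZE` at new line 96 is a mutable, process-wide global that keeps the upper-case name of the macro it replaces, so every existing use still reads like a compile-time constant while readconf.c writes it at runtime; a lower-case name, or at least a comment above the definition such as `/* Runtime-adjustable RSA floor: written by readconf.c (RSAMinimumModulusSize), never below SSH_RSA_MINIMUM_MODULUS_SIZE_HARD. */`, would make that explicit. The patch only shows rsa_generate_private_key (new line 1588) and ssh-keygen.c being adjusted; any other consumer of the old macro name picks up the variable silently, which may be intended but should be stated in the description. The `extern` declaration in sshkey.h line 51 has the same naming concern.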
(-)a/sshkey.h (-1 / +4 lines)
Lines 48-54 Link Here
48
# define EC_POINT	void
48
# define EC_POINT	void
49
#endif /* WITH_OPENSSL */
49
#endif /* WITH_OPENSSL */
50
50
51
#define SSH_RSA_MINIMUM_MODULUS_SIZE	1024
51
extern int	SSH_RSA_MINIMUM_MODULUS_SIZE;
52
53
#define SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT	1024
54
#define SSH_RSA_MINIMUM_MODULUS_SIZE_HARD	512 /* This is the hard limit for -o RSAMinimumModulusSize */
52
#define SSH_KEY_MAX_SIGN_DATA_SIZE	(1 << 20)
55
#define SSH_KEY_MAX_SIGN_DATA_SIZE	(1 << 20)
53
56
54
struct sshbuf;
57
struct sshbuf;
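Review bot: The comment on `SSH_RSA_MINIMUM_MODULUS_SIZE_HARD` at new line 54 describes it only as "the hard limit for -o RSAMinimumModulusSize", and `_DEFAULT` at line 53 has no comment, so the relationship between the three names is left to the reader; one line above each would settle it, e.g. `/* Startup value of SSH_RSA_MINIMUM_MODULUS_SIZE. */` and `/* Lowest value readconf.c accepts for RSAMinimumModulusSize; smaller requires a rebuild. */`. Replacing the `#define` with an `extern int` also means any use of the old name in a constant expression (`#if`, static array sizes) would now fail to compile; none is visible on this page, but it is worth a sentence in the description.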
