[Bug 3005] Use high-level EVP PKEY API instead of low-level algorithm specific calls + separate digesting in the every backend

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Jan 25 23:28:35 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3005

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
The most recent patch still introduces OpenSSL ASN.1 parsing in the
pre-authentication signature verification path. This is a huge attack
surface that we're simply not prepared to accept. IMO the history of
vulnerabilities that we've avoided by doing so speaks for itself.

Sorry, but we won't be adopting this approach.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list