https://bugzilla.mindrot.org/show_bug.cgi?id=3005
Damien Miller <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Damien Miller <[email protected]> ---
I'm not certain of the benefit of doing this, but deleting the custom verification code removes a security mitigation that has saved us from >10 bugs since Markus added it.

Many (most?) versions of OpenSSL invoke a full ASN.1 parser in the RSA signature verification path. Our implementation avoids that massive attack surface for something much smaller and easy to audit.

We won't delete this code until after we've dropped support for the last version of OpenSSL that does RSA signature verification with the ASN.1 parser.
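One way to verify an RSA PKCS#1 v1.5 signature without any ASN.1 parser is to build the single expected encoded block and compare bytes. The sketch below is an added example, not OpenSSH's code and not part of the comment above; the toy key, the SHA-256 choice and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2), kept as a fixed byte string.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key for the demo: two Mersenne primes. Never use such a key for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def expected_em(message: bytes) -> bytes:
    """Build the one acceptable EMSA-PKCS1-v1_5 encoding for message."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign_raw(em: bytes) -> bytes:
    """Demo helper: apply the private exponent to an arbitrary encoded block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify(message: bytes, signature: bytes) -> bool:
    """Recover the encoded block and compare it byte for byte; nothing is parsed."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, expected_em(message))


def malformed_em(message: bytes) -> bytes:
    """Correct hash, but shortened padding and extra bytes after the digest:
    the kind of block a lenient parser might accept and a byte compare rejects."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    junk = b"\xaa" * 8
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3 - len(junk)) + b"\x00" + t + junk
```

The verifier never interprets the recovered bytes, so its attack surface is the modular exponentiation, one hash and one constant-time comparison.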
