search for: ec_key

Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet

...rs. I have tested it with P-256 keys. P-384 and P-521 should work out-of-the box. The code is ready for non-FIPS curves (named or explicit), but OpenSSH currently limits ECDSA to those 3 curves. At high level it works like the support for RSA, but because of differences in OpenSSL between RSA and EC_KEY, implementation has a few differences. The RSA and RSA_METHOD structures are exposed and the existing ssh-pkcs11 code uses that to create an RSA_METHOD object for each key. Because of APIs (in addition to ECDSA support) needed by the patch this currently works with: - LibreSSL >= 2.2.2: until...

We tried these rights: [root at mail44 dovecot]# ls -la ????? 80 drwxr-xr-x 8 root root 4096 ??? 13 13:17 . drwxr-xr-x 98 root root 12288 ??? 11 11:47 .. drwxrwxrwx 2 root root 4096 ??? 10 15:58 eckey drwxr-xr-x 2 root root 4096 ??? 13 12:42 eckey2 drwxr-xr-x 2 vmail vmail 4096 ??? 11 09:14 RSAkey [root at mail44 dovecot]# cd eckey2 [root at mail44 eckey2]# ls -la ????? 16

...urn xnames; +} + +static void +ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx, + const struct master_service_ssl_settings *set) +{ +#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L + EC_KEY *ecdh; + int nid; + const char *curve_name; +#endif if (SSL_CTX_need_tmp_RSA(ssl_ctx)) SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key); SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback); - return xnames; +#if !defined(OPENSSL_NO_ECDH) + /* In the non-recommended situation wher...

...rneechev at altlinux.org> > ????: "dovecot" <dovecot at dovecot.org> > ????????????: ???????, 17 ?????? 2017 ? 17:32:38 > ????: Re: Plugin "mail_crypt" does not work > Hi, guys. Also, currently a problem (with > http://wiki2.dovecot.org/Plugins/MailCrypt#EC_key): > > # dovecot mailbox cryptokey generate -u name at example.com -UR > doveadm(name at example.com): Error: > mail_crypt_user_get_public_key(name at example.com) failed: > mailbox_attribute_get(INBOX, > /shared/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/pvt/crypt/act...

...rs. I have tested it with P-256 keys. P-384 and P-521 should work out-of-the box. The code is ready for non-FIPS curves (named or explicit), but OpenSSH currently limits ECDSA to those 3 curves. At high level it works like the support for RSA, but because of differences in OpenSSL between RSA and EC_KEY, implementation has a few differences. The RSA and RSA_METHOD structures are exposed and the existing ssh-pkcs11 code uses that to create an RSA_METHOD object for each key. Because of APIs (in addition to ECDSA support) needed by the patch this currently works with: - LibreSSL >= 2.2.2: until...

Hi, guys. Also, currently a problem (with http://wiki2.dovecot.org/Plugins/MailCrypt#EC_key): # dovecot mailbox cryptokey generate -u name at example.com -UR doveadm(name at example.com): Error: mail_crypt_user_get_public_key(name at example.com) failed: mailbox_attribute_get(INBOX, /shared/vendor/vendor.dovecot/pvt/server/vendor/vendor.dovecot/pvt/crypt/active) failed: Mailbox attribu...

...gt; > ????: "dovecot" <dovecot at dovecot.org> > > ????????????: ???????, 17 ?????? 2017 ? 17:32:38 > > ????: Re: Plugin "mail_crypt" does not work > > > Hi, guys. Also, currently a problem (with > > http://wiki2.dovecot.org/Plugins/MailCrypt#EC_key): > > > > # dovecot mailbox cryptokey generate -u name at example.com -UR > > doveadm(name at example.com): Error: > > mail_crypt_user_get_public_key(name at example.com) failed: > > mailbox_attribute_get(INBOX, > > /shared/vendor/vendor.dovecot/pvt/server/vendo...

...ecot: ......... lda(mail at example.com): Error: User initialization failed: mail_crypt_plugin: mail_crypt_global_public_key: Couldn't parse public key: Unknown key format ......... Try RSA and EC: https://wiki2.dovecot.org/Plugins/MailCrypt#RSA_key https://wiki2.dovecot.org/Plugins/MailCrypt#EC_key Why "Unknown key format"? RSA pubkey: -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4hfgRDlMJtN9rcV2VGa8gOF1g xiXHwokRkKmKfr64ZbqAhXzLzP8fSLo8ZEtRzfS3f/EyLRvYL9LHxlxYuSnq2LTW lbvSj8jcg3ucpA431Pbnq/OVI8WsXhXhZdipGcBDyzWHZw5Dp3I/am+FB96VlfPW maHO/oKGphXXhXSOXwIDAQAB --...

...s != 1024) + if (bits != 1024) { + fprintf(stderr, "%s bits %d expected %d\n", __func__, bits, 1024); return SSH_ERR_KEY_LENGTH; + } if ((private = DSA_new()) == NULL) { ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -1505,8 +1510,10 @@ ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap) if (nid == NULL || ecdsap == NULL) return SSH_ERR_INVALID_ARGUMENT; - if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) + if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1) { + fprintf(stderr, "%s bits %d\n", __func__, bits); return SSH_ERR_KEY_LENGTH; + } *ecdsap...

I am assuming this is a user error (and the bug, if any is in configure not telling me how to activate it). I regularly see a message: Could not load host key: /etc/ssh/ssh_host_ecdsa_key And, obviously, I have never made the key before. I tried the following: ./ssh-keygen -t ecdsa -fssh_host_esdsa_key -N "" unknown key type ecdsa However, the syntax says it is a known type root at

Hi, I'm doing some test with a pkcs11 token that can only sign short messages. When connecting to one server, that reports pkalg rsa-sha2-512 blen 151, it fails to sign the pubkey because it is 83 bytes long. (sshd: OpenSSH_7.3p1) A older server that reports pkalg ssh-rsa blen 151, works perfectly as the pubkey signature required is only 35 bytes long. (sshd: OpenSSH_6.7p1) I am not sure

...(!sigonly_also && kt->sigonly) continue; if ((certs_only && !kt->cert) || (plain_only && kt->cert)) continue; diff --git a/sshkey.h b/sshkey.h index f393638..6a3ff2f 100644 --- a/sshkey.h +++ b/sshkey.h @@ -156,7 +156,7 @@ int sshkey_ec_validate_private(const EC_KEY *); const char *sshkey_ssh_name(const struct sshkey *); const char *sshkey_ssh_name_plain(const struct sshkey *); int sshkey_names_valid2(const char *, int); -char *sshkey_alg_list(int, int, char); +char *sshkey_alg_list(int, int, int, char); int sshkey_from_blob(const u_char *, size_t, struct...

.../test_sshbuf_getput_fuzz.c +++ b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c @@ -32,7 +32,9 @@ static void attempt_parse_blob(u_char *blob, size_t len) { struct sshbuf *p1; +#ifdef WITH_OPENSSL BIGNUM *bn; +#endif #if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) EC_KEY *eck; #endif @@ -54,12 +56,14 @@ attempt_parse_blob(u_char *blob, size_t len) bzero(s, l); free(s); } +#ifdef WITH_OPENSSL bn = BN_new(); sshbuf_get_bignum1(p1, bn); BN_clear_free(bn); bn = BN_new(); sshbuf_get_bignum2(p1, bn); BN_clear_free(bn); +#endif #if defined(OPENSSL_HA...

Hi, OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

Hi, OpenSSH 6.9 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains some substantial new features and a number of bugfixes. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is