search for: evp_md_ctx

Hello All, There seems to be a binary compatibility problem with OpenSSL and OpenSSH 4.2p1. The details can be found at http://www.mail-archive.com/openssl-users at openssl.org/msg41869.html . The discussion is closed with pointing a problem in key.c in OpenSSH and corresponding thread is at http://www.mail-archive.com/openssl-users at openssl.org/msg41878.html I would like to know the

...,7 @@ bool dcrypt_openssl_public_key_id_evp(EVP_PKEY *key, c long len = BIO_get_mem_data(b, &ptr); unsigned int hlen = sizeof(buf); /* then hash it */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX *ctx = EVP_MD_CTX_new(); #else EVP_MD_CTX *ctx = EVP_MD_CTX_create(); @@ -2147,7 +2147,7 @@ bool dcrypt_openssl_public_key_id_evp(EVP_PKEY *key, c buffer_append(result, buf, hlen); res = TRUE; } -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L &...

...ssages don't correspond to those in 8.2p1, but they do match 7.9p1. For example: > "libressl-api-compat.c", line 619.26: 1506-043 (S) The operand of the sizeof operator is not valid. $ head -619 openssh-7.9p1/openbsd-compat/libressl-api-compat.c | tail -1 return calloc(1, sizeof(EVP_MD_CTX)); $ head -619 openssh-8.0p1/openbsd-compat/libressl-api-compat.c | tail -1 #ifndef HAVE_EVP_MD_CTX_NEW $ head -619 openssh-8.2p1/openbsd-compat/libressl-api-compat.c | tail -1 #ifndef HAVE_EVP_MD_CTX_NEW I don't have VAC so I can't reproduce this myself. I have built 8.2p1 with a shared...

...>>>>>> >>>>>>>> HMAC_CTX_new >>>>>>>> HMAC_CTX_free >>>>>>>> EVP_PKEY_get0_EC_KEY >>>>>>>> EVP_PKEY_get0_RSA >>>>>>>> OBJ_length >>>>>>>> EVP_MD_CTX_new >>>>>>>> EVP_MD_CTX_free >>>>>>>> >>>>>>>> The result of calling a non-existent function is a runtime error, >>>>>>>> and we do not want that on production servers. >>>>>>>> &...

Hello, I've updated sources but forgot to recreate configure so I've ended without #define HAVE_EVP_RIPEMD160 1 and ssh client ended with: OpenSSH_6.7p1, OpenSSL 1.0.1h-fips 5 Jun 2014 debug1: Reading configuration data ssh.config main: mux digest failed The problem was that ssh_digest_by_alg() couldn't verify alg with an index bigger than 1 since the line with SSH_DIGEST_RIPEMD160

...e in 8.2p1, but they do match 7.9p1. For > example: > > > "libressl-api-compat.c", line 619.26: 1506-043 (S) The operand of the sizeof > operator is not valid. > > $ head -619 openssh-7.9p1/openbsd-compat/libressl-api-compat.c | tail -1 > return calloc(1, sizeof(EVP_MD_CTX)); $ head -619 openssh-8.0p1/openbsd- > compat/libressl-api-compat.c | tail -1 #ifndef HAVE_EVP_MD_CTX_NEW $ > head -619 openssh-8.2p1/openbsd-compat/libressl-api-compat.c | tail -1 > #ifndef HAVE_EVP_MD_CTX_NEW > > I don't have VAC so I can't reproduce this myself. I have...

..._fingerprint_raw: bad key type %d",k->type); + break; + default: + fatal("key_fingerprint_raw: bad key type %d", k->type); + break; + } + + if (blob != NULL) { + EVP_MD *md = NULL; + EVP_MD_CTX ctx; + + retval = xmalloc(EVP_MAX_MD_SIZE); + + switch (dgst_type) { + case DIGEST_TYPE_MD5: + md = EVP_md5(); + break; + case DIGEST_TYPE_SHA1: +...

OpenSC has taken a different approach to OpenSSL-1.1. Rather then writing a shim for OpenSSL-1.1, the OpenSC code has been converted to the OpenSSL-1.1 API and a sc-ossl-compat.h" file consisting of defines and macros was written to support older versions of OpenSSL and Libressl. https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h The nice part of this approach is

...y difficult to maintain. > According to Kurt's patch, such a compat file for openssh would clock at roughly 500 lines of nearly trivial code (and I insist on this fact: code is quite trivial. The most complicated function would > be this one : > > ?----8<-----? > static int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) > { > ?? > if (ctx == NULL) > ?? > return 1; > ?? > /* > ?? > * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because > ?? > * sometimes only copies of the context are ever finalised. > ?? > */ > ?? > if (ctx-&g...

...17:29:14.920563605 -0800 @@ -101,7 +101,7 @@ SCHNORR_DEBUG_BN((h, "%s: h = ", __func__)); out: buffer_free(&b); - bzero(digest, digest_len); + memset(digest, 0, digest_len); xfree(digest); digest_len = 0; if (success == 0) @@ -477,7 +477,7 @@ success = 0; out: EVP_MD_CTX_cleanup(&evp_md_ctx); - bzero(digest, sizeof(digest)); + memset(digest, 0, sizeof(digest)); digest_len = 0; return success; } @@ -570,7 +570,7 @@ BN_clear_free(grp->p); if (grp->q != NULL) BN_clear_free(grp->q); - bzero(grp, sizeof(*grp)); + memset(grp, 0, size...

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I noticed that there is a bit of functionality missing from OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using GSS authentication. Yes, ~/.k5login can be used to grant access to an account for applications that support Kerberos, as does OpenSSH with those GSS patches, but .k5login does not and cannot provide

...TH %s", a->name, b->name); + if (a->type == KEY_NAME_PAT) + return match_pattern(b->name, a->name); + else + return match_pattern(a->name, b->name); +} + static u_char* key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length) @@ -161,7 +226,7 @@ EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; - int len = 0; + u_int len = 0; int nlen, elen; *dgst_raw_length = 0; @@ -364,11 +429,12 @@ { Key *k; int success = -1; - char *cp, *space; + char *cp, *space, *name_type; int len, n, type; u_int bits; - u_char *blob; + u_char *blo...

...h %s WITH %s", a->name, b->name); + if (a->type == KEY_NAME_PAT) + return match_pattern(b->name, a->name); + else + return match_pattern(a->name, b->name); +} + u_char* key_fingerprint_raw(Key *k, enum fp_type dgst_type, size_t *dgst_raw_length) @@ -160,7 +229,7 @@ EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; - int len = 0; + u_int len = 0; int nlen, elen; *dgst_raw_length = 0; @@ -363,11 +432,12 @@ { Key *k; int success = -1; - char *cp, *space; + char *cp, *space, *name_type; int len, n, type; u_int bits; - u_char *blob; + u_char *blo...

...e/md5.h b/src/libFLAC/include/private/md5.h index e5f675a..5b42a27 100644 --- a/src/libFLAC/include/private/md5.h +++ b/src/libFLAC/include/private/md5.h @@ -28,6 +28,11 @@ #include "FLAC/ordinals.h" +#if defined(HAVE_OPENSSL) +#include <openssl/evp.h> +#define FLAC__MD5Context EVP_MD_CTX +#else +#define EVP_MAX_MD_SIZE 16 typedef struct { FLAC__uint32 in[16]; FLAC__uint32 buf[4]; @@ -37,7 +42,8 @@ typedef struct { } FLAC__MD5Context; void FLAC__MD5Init(FLAC__MD5Context *context); -void FLAC__MD5Final(FLAC__byte digest[16], FLAC__MD5Context *context); +void FLAC__MD5Final(F...

...SCHNORR_DEBUG_BN((h, "%s: h = ", __func__)); out: buffer_free(&b); - bzero(digest, digest_len); + memset(digest, 0, digest_len); xfree(digest); digest_len = 0; if (success == 0) @@ -477,7 +477,7 @@ success = 0; out: EVP_MD_CTX_cleanup(&evp_md_ctx); - bzero(digest, sizeof(digest)); + memset(digest, 0, sizeof(digest)); digest_len = 0; return success; } @@ -570,7 +570,7 @@ BN_clear_free(grp->p); if (grp->q != NULL) BN_clear_free(grp->q); -...

...+ char *skexinit, int skexinitlen, + u_char *serverhostkeyblob, int sbloblen, + const unsigned char client_dh_pub[CURVE25519_PUBKEY_SIZE], + const unsigned char server_dh_pub[CURVE25519_PUBKEY_SIZE], + const BIGNUM *shared_secret, + u_char **hash, u_int *hashlen) +{ + Buffer b; + EVP_MD_CTX md; + static u_char digest[EVP_MAX_MD_SIZE]; + + buffer_init(&b); + buffer_put_cstring(&b, client_version_string); + buffer_put_cstring(&b, server_version_string); + + /* kexinit messages: fake header: len+SSH2_MSG_KEXINIT */ + buffer_put_int(&b, ckexinitlen+1); + buffer_put_char(&a...

...ine CSUM_CHUNK 64 @@ -19,8 +20,80 @@ void mdfour_result(md_context *md, uchar digest[MD4_DIGEST_LEN]); void get_mdfour(uchar digest[MD4_DIGEST_LEN], const uchar *in, int length); +#ifdef HAVE_OPENSSL +#include <openssl/crypto.h> +#include <openssl/evp.h> + +#define MDLIB_MD_CTX EVP_MD_CTX + +#define mdlib_initialize() OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); + +#define mdlib_new_ctx() EVP_MD_CTX_new() +#define mdlib_free_ctx(_ctx) EVP_MD_CTX_free(_ctx) + +#define mdlib_init_md5(_ctx) EVP_DigestInit_ex(_ctx, EVP_md5(), NULL) +#define mdlib_init_sha1(_ctx) EVP_Di...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |