Displaying 20 results from an estimated 24 matches for "evp_pkey".
2023 Apr 19
3
FIPS compliance efforts in Fedora and RHEL
...ouldn't have the
> luxury of being able to use OpenSSL code to do it (as we did last time)
> as the license has changed to one that we don't want to accept in the
> OpenSSH codebase.
I think it's doable if libressl has 1.1.1-style EVP API. It is
possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0
--
Dmitry Belyavskiy
2023 Apr 18
3
FIPS compliance efforts in Fedora and RHEL
...Critical cryptographic operations should
be changed to the new EVP API to ensure FIPS compatibility. The affected
operations are: key generation, signatures creation and Diffie-Hellman style
shared secret calculation.
To achieve that, the key structures needed to be changed from RSA, EC, DH to
EVP_PKEY, but this change would be very costly as a lot of code should
have been rewritten to align the function calls using these structures.
Therefore a different approach was implemented: keep the old key structures
and wrap the affected operations with EVP_PKEY API (importing the
key to EVP_PKEY fro...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
...engine
code and the iteration over engines can be eliminated because the
provider API will take care of doing all that internally. The only
piece which will survive is the transmission of keys to the agent by
URI.
The way the patch is structured is to first make public an internal
API to convert EVP_PKEY to sslkey. All openssl keys need this type of
conversion so it's useful for engine keys as well and means we don't
need a different sshkey type for engine keys (they key off the
SSHKEY_FLAG_EXT instead).
James
---
James Bottomley (2):
sshkey: expose openssl EVP_PKEY to sshkey conversi...
2002 Jan 31
7
x509 for hostkeys.
...==================
RCS file: /home/markus/cvs/ssh/authfile.c,v
retrieving revision 1.45
diff -u -r1.45 authfile.c
--- authfile.c 29 Dec 2001 21:56:01 -0000 1.45
+++ authfile.c 31 Jan 2002 10:50:53 -0000
@@ -460,6 +460,24 @@
error("PEM_read_PrivateKey: mismatch or "
"unknown EVP_PKEY save_type %d", pk->save_type);
}
+ if (prv != NULL) {
+ /* try to get a certificate if we have the private key */
+ prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase);
+ if (prv->x509 != NULL) {
+ debug("PEM_read_X509");
+#ifdef DEBUG_X509
+ X509_print_fp...
2017 Feb 03
2
compilation errors on master
...()) == NULL ||
^~
sshkey.c:490:11: error: dereferencing pointer to incomplete type 'DSA {aka struct dsa_st}'
(dsa->p = BN_new()) == NULL ||
^~
sshkey.c: In function 'sshkey_parse_private_pem_fileblob':
sshkey.c:3792:8: error: dereferencing pointer to incomplete type 'EVP_PKEY {aka struct evp_pkey_st}'
if (pk->type == EVP_PKEY_RSA &&
^~
Cheers,
--
Cristian
2016 Nov 02
0
v2.2.26.0 released
...b>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id
**/
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec
#define EVP_PKEY_get0_RSA(x) x->pkey.rsa
#define OBJ_length(o) ((o)->length)
@@ -90,7 +90,7 @@ struct dcrypt_context_symmetric {
struct dcrypt_context_hmac {
pool_t pool;
const EVP_MD *md;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_N...
2023 Apr 19
1
FIPS compliance efforts in Fedora and RHEL
On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:
> > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > Portable OpenSSH won't be able to merge this. We explictly aim to support
> > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> >
2016 Nov 02
2
v2.2.26.0 released
...;>>>> dovecot 2.2.26.0 uses the following functions, which are not
>>>>>>>> available on libressl 2.4.3:
>>>>>>>>
>>>>>>>> HMAC_CTX_new
>>>>>>>> HMAC_CTX_free
>>>>>>>> EVP_PKEY_get0_EC_KEY
>>>>>>>> EVP_PKEY_get0_RSA
>>>>>>>> OBJ_length
>>>>>>>> EVP_MD_CTX_new
>>>>>>>> EVP_MD_CTX_free
>>>>>>>>
>>>>>>>> The result of calling a non-e...
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl
external engines. The problem is they can't be loaded with the usual
openssl methods, they have to be loaded via ENGINE_load_private_key().
Because they're files, they fit well into openssh pub/private file
structure, so they're not very appropriately handled by the pkcs11
interface because it assumes the private
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...if
}
static void
@@ -1084,6 +1135,28 @@
}
static int
+ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set)
+{
+ int nid = 0;
+#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
+ EVP_PKEY *pkey;
+ const char *password;
+ EC_KEY *eckey;
+ EC_GROUP *ecgrp;
+
+ password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+ getenv(MASTER_SSL_KEY_PASSWORD_ENV);
+ pkey = ssl_proxy_load_key(set->ssl_key, password);
+ if (pkey != NULL &&
+ (eckey = EVP_P...
2020 Jul 14
7
[Bug 3192] New: openssh-8.2 & openssl-1.1.1d error: dereferencing pointer to incomplete type Not found struct BIO , bio->num_write
...ad(bio, keybuf, bio->num_write);
---
sshkey.c code view
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/ossl_typ.h>
....
static int
sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
const char *passphrase, struct sshkey **keyp)
{
EVP_PKEY *pk = NULL;
struct sshkey *prv = NULL;
BIO *bio = NULL;
int r;
if (keyp != NULL)
*keyp = NULL;
if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) >
INT_MAX)
return SSH_ERR_ALLOC_FAIL;
if (BIO_write(bio, s...
2024 Sep 15
2
Call for testing: OpenSSH 9.9
...private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported in OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
grace login time to make its expiry unpredictable.
Bugfixes
--------
* sshd(8): relax absolute path requirement back to what it was prior
to OpenSSH 9.8, which incorrectly required that s...
2012 Sep 09
2
Patch for ssh-keygen to allow conversion of public key to openssh format
.../authfile.c openssh-6.1p1-lano/authfile.c
--- openssh-6.1p1/authfile.c 2012-02-10 22:19:02.000000000 +0100
+++ openssh-6.1p1-lano/authfile.c 2012-09-08 11:59:08.000000000 +0200
@@ -792,6 +792,58 @@
return 0;
}
+Key *
+key_load_public_pem(char *filename, char **commentp)
+{
+ FILE *fp = NULL;
+ EVP_PKEY *pk = NULL;
+ X509 *x = NULL;
+ Key *pub = NULL;
+ char *name = "<no key>";
+
+ fp = fopen(filename, "r");
+ if (fp == NULL) {
+ error("fopen of %s failed: %s", filename, strerror(errno));
+ return NULL;
+ }
+ x = PEM_read_X509(fp, NULL, NULL, NULL);
+ if (x ==...
2001 Sep 27
4
ssh2 key passphrase problems in 2.9.9 on Linux
I've just compiled and installed openssh-2.9.9p2 (compiled against
openssl-0.9.6b using gcc-3.0.0) on a Slackware 7-based Linux machine
(kernel 2.4.6ac2). The previously installed version was 2.9p2, compiled
against openssl-0.9.6a, also with gcc-3.0.0, but with a different build of
gcc-3.0.0.
Everything seems to work fine except for one problem: passphrase matching
for ssh2 keys
2024 Sep 20
0
Announce: OpenSSH 9.9 released
...private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
grace login time to make its expiry unpredictable.
Bugfixes
--------
* sshd(8): relax absolute path requirement back to what it was prior
to OpenSSH 9.8, which incorrectly required that s...
2024 Sep 22
0
Announce: OpenSSH 9.9 released
...private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.
* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.
* sshd(8): add a random amount of jitter (up to 4 seconds) to the
grace login time to make its expiry unpredictable.
Bugfixes
--------
* sshd(8): relax absolute path requirement back to what it was prior
to OpenSSH 9.8, which incorrectly required that s...
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...t asked for one
+ * send an interrupt event to avoid DA implications */
+ d->ret = -2;
+ } else {
+ UI_set_result(ui, uis, d->passphrase);
+ d->ret = 1;
+ }
+ }
+
+ return d->ret;
+}
+
+int
+engine_process_add(char *engine, char *file, char *pin,
+ struct sshkey **k)
+{
+ EVP_PKEY *pk;
+ ENGINE *e;
+ struct sshkey *key;
+ int ret;
+ UI_METHOD *ui;
+ EVP_PKEY_CTX *ctx;
+ char hash[SHA256_DIGEST_LENGTH], result[1024];
+ size_t siglen;
+ struct ui_data d;
+
+ verbose("%s: add provider=%s, key=%s", __func__, engine, file);
+
+ ret = SSH_ERR_INTERNAL_ERROR;
+ e = ENGINE...
2008 May 07
2
Request for generic engine support
...11a614,679
> return prv;
> }
>
> /* Arguments passphrase and commentp are not used */
> Key *
> key_load_engine_private(char *engkey, const char *conffile,
> const char* stanza, const char *passphrase, char **commentp)
> {
> ENGINE *eng = NULL;
> EVP_PKEY *pk = NULL;
> Key *prv = NULL;
> char *name = "<no key>";
>
> // Load the OpenSSL internal engine called 'dynamic'
> ENGINE_load_dynamic();
>
> // Add the OpenSSL ENGINE configuration module
> OPENSSL_load_bu...