search for: evp_pkey

Displaying 19 results from an estimated 19 matches for "evp_pkey".

2023 Apr 19
3
FIPS compliance efforts in Fedora and RHEL
...ouldn't have the > luxury of being able to use OpenSSL code to do it (as we did last time) > as the license has changed to one that we don't want to accept in the > OpenSSH codebase. I think it's doable if libressl has 1.1.1-style EVP API. It is possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0 -- Dmitry Belyavskiy
2023 Apr 18
3
FIPS compliance efforts in Fedora and RHEL
...Critical cryptographic operations should be changed to the new EVP API to ensure FIPS compatibility. The affected operations are: key generation, signatures creation and Diffie-Hellman style shared secret calculation. To achieve that, the key structures needed to be changed from RSA, EC, DH to EVP_PKEY, but this change would be very costly as a lot of code should have been rewritten to align the function calls using these structures. Therefore a different approach was implemented: keep the old key structures and wrap the affected operations with EVP_PKEY API (importing the key to EVP_PKEY fro...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
...engine code and the iteration over engines can be eliminated because the provider API will take care of doing all that internally. The only piece which will survive is the transmission of keys to the agent by URI. The way the patch is structured is to first make public an internal API to convert EVP_PKEY to sslkey. All openssl keys need this type of conversion so it's useful for engine keys as well and means we don't need a different sshkey type for engine keys (they key off the SSHKEY_FLAG_EXT instead). James --- James Bottomley (2): sshkey: expose openssl EVP_PKEY to sshkey conversi...
2002 Jan 31
7
x509 for hostkeys.
...================== RCS file: /home/markus/cvs/ssh/authfile.c,v retrieving revision 1.45 diff -u -r1.45 authfile.c --- authfile.c 29 Dec 2001 21:56:01 -0000 1.45 +++ authfile.c 31 Jan 2002 10:50:53 -0000 @@ -460,6 +460,24 @@ error("PEM_read_PrivateKey: mismatch or " "unknown EVP_PKEY save_type %d", pk->save_type); } + if (prv != NULL) { + /* try to get a certificate if we have the private key */ + prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase); + if (prv->x509 != NULL) { + debug("PEM_read_X509"); +#ifdef DEBUG_X509 + X509_print_fp...
2017 Feb 03
2
compilation errors on master
...()) == NULL || ^~ sshkey.c:490:11: error: dereferencing pointer to incomplete type ‘DSA {aka struct dsa_st}’ (dsa->p = BN_new()) == NULL || ^~ sshkey.c: In function ‘sshkey_parse_private_pem_fileblob’: sshkey.c:3792:8: error: dereferencing pointer to incomplete type ‘EVP_PKEY {aka struct evp_pkey_st}’ if (pk->type == EVP_PKEY_RSA && ^~ Cheers, -- Cristian
2016 Nov 02
0
v2.2.26.0 released
...b>1<tab>symmetric algo name<tab>salt<tab>hash algo<tab>rounds<tab>E(RSA = i2d_PrivateKey, EC=Private Point)<tab>key id **/ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define EVP_PKEY_get0_EC_KEY(x) x->pkey.ec #define EVP_PKEY_get0_RSA(x) x->pkey.rsa #define OBJ_length(o) ((o)->length) @@ -90,7 +90,7 @@ struct dcrypt_context_symmetric { struct dcrypt_context_hmac { pool_t pool; const EVP_MD *md; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_N...
2023 Apr 19
1
FIPS compliance efforts in Fedora and RHEL
On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote: > > While I'm sure this is good for RHEL/rawhide users who care about FIPS, > > Portable OpenSSH won't be able to merge this. We explicitly aim to support > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that > >
2016 Nov 02
2
v2.2.26.0 released
...;>>>> dovecot 2.2.26.0 uses the following functions, which are not >>>>>>>> available on libressl 2.4.3: >>>>>>>> >>>>>>>> HMAC_CTX_new >>>>>>>> HMAC_CTX_free >>>>>>>> EVP_PKEY_get0_EC_KEY >>>>>>>> EVP_PKEY_get0_RSA >>>>>>>> OBJ_length >>>>>>>> EVP_MD_CTX_new >>>>>>>> EVP_MD_CTX_free >>>>>>>> >>>>>>>> The result of calling a non-e...
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2013 Jul 06
1
[PATCH] login-common: Add support for ECDH/ECDHE cipher suites
...if } static void @@ -1084,6 +1135,28 @@ } static int +ssl_proxy_ctx_get_pkey_ec_curve_name(const struct master_service_ssl_settings *set) +{ + int nid = 0; +#if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L + EVP_PKEY *pkey; + const char *password; + EC_KEY *eckey; + EC_GROUP *ecgrp; + + password = *set->ssl_key_password != '\0' ? set->ssl_key_password : + getenv(MASTER_SSL_KEY_PASSWORD_ENV); + pkey = ssl_proxy_load_key(set->ssl_key, password); + if (pkey != NULL && + (eckey = EVP_P...
2020 Jul 14
7
[Bug 3192] New: openssh-8.2 & openssl-1.1.1d error: dereferencing pointer to incomplete type Not found struct BIO , bio->num_write
...ad(bio, keybuf, bio->num_write); --- sshkey.c code view #include <openssl/err.h> #include <openssl/pem.h> #include <openssl/ossl_typ.h> .... static int sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, const char *passphrase, struct sshkey **keyp) { EVP_PKEY *pk = NULL; struct sshkey *prv = NULL; BIO *bio = NULL; int r; if (keyp != NULL) *keyp = NULL; if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX) return SSH_ERR_ALLOC_FAIL; if (BIO_write(bio, s...
2012 Sep 09
2
Patch for ssh-keygen to allow conversion of public key to openssh format
.../authfile.c openssh-6.1p1-lano/authfile.c --- openssh-6.1p1/authfile.c 2012-02-10 22:19:02.000000000 +0100 +++ openssh-6.1p1-lano/authfile.c 2012-09-08 11:59:08.000000000 +0200 @@ -792,6 +792,58 @@ return 0; } +Key * +key_load_public_pem(char *filename, char **commentp) +{ + FILE *fp = NULL; + EVP_PKEY *pk = NULL; + X509 *x = NULL; + Key *pub = NULL; + char *name = "<no key>"; + + fp = fopen(filename, "r"); + if (fp == NULL) { + error("fopen of %s failed: %s", filename, strerror(errno)); + return NULL; + } + x = PEM_read_X509(fp, NULL, NULL, NULL); + if (x ==...
2001 Sep 27
4
ssh2 key passphrase problems in 2.9.9 on Linux
I've just compiled and installed openssh-2.9.9p2 (compiled against openssl-0.9.6b using gcc-3.0.0) on a Slackware 7-based Linux machine (kernel 2.4.6ac2). The previously installed version was 2.9p2, compiled against openssl-0.9.6a, also with gcc-3.0.0, but with a different build of gcc-3.0.0. Everything seems to work fine except for one problem: passphrase matching for ssh2 keys
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...t asked for one + * send an interrupt event to avoid DA implications */ + d->ret = -2; + } else { + UI_set_result(ui, uis, d->passphrase); + d->ret = 1; + } + } + + return d->ret; +} + +int +engine_process_add(char *engine, char *file, char *pin, + struct sshkey **k) +{ + EVP_PKEY *pk; + ENGINE *e; + struct sshkey *key; + int ret; + UI_METHOD *ui; + EVP_PKEY_CTX *ctx; + char hash[SHA256_DIGEST_LENGTH], result[1024]; + size_t siglen; + struct ui_data d; + + verbose("%s: add provider=%s, key=%s", __func__, engine, file); + + ret = SSH_ERR_INTERNAL_ERROR; + e = ENGINE...
2008 May 07
2
Request for generic engine support
...11a614,679 > return prv; > } > > /* Arguments passphrase and commentp are not used */ > Key * > key_load_engine_private(char *engkey, const char *conffile, > const char* stanza, const char *passphrase, char **commentp) > { > ENGINE *eng = NULL; > EVP_PKEY *pk = NULL; > Key *prv = NULL; > char *name = "<no key>"; > > // Load the OpenSSL internal engine called 'dynamic' > ENGINE_load_dynamic(); > > // Add the OpenSSL ENGINE configuration module > OPENSSL_load_bu...
2016 Feb 12
22
Call for testing: OpenSSH 7.2
Hi, OpenSSH 7.2 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This release contains many bugfixes and several new features. The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is available via Git at https://anongit.mindrot.org/openssh.git/ or via a mirror on Github at
2020 Apr 25
2
[PATCH 1/3] Add private key protection information extraction to ssh-keygen
...15 +4587,18 @@ pem_passphrase_cb(char *buf, int size, int rwflag, void *u) ? ?static int ?sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, -??? const char *passphrase, struct sshkey **keyp) +??? const char *passphrase, struct sshkey **keyp, struct sshkey_vault **vault_infop) ?{ ??? ?EVP_PKEY *pk = NULL; ??? ?struct sshkey *prv = NULL; +?? ?struct sshkey_vault *vault_info = NULL; ??? ?BIO *bio = NULL; ??? ?int r; ? ??? ?if (keyp != NULL) ??? ??? ?*keyp = NULL; +?? ?if (vault_infop != NULL) +?? ??? ?*vault_infop = NULL; ? ??? ?if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob)...
2017 Sep 21
19
Call for testing: OpenSSH 7.6
Hi, OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at
2015 Mar 31
7
Wanted: smartcard with ECDSA support
Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet