search for: siglen

...lient and OpenSSL 0.9.6a When trying to ssh to OpenSSH server of higher versions SSH-1.99-OpenSSH_2.5.2p2 or such, I see error in RSA key exchange: RSA_verify(..)routine. I see: error at:int RSA_verify(int dtype, unsigned char *m, unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { int i,ret=0,sigtype; unsigned char *p,*s; X509_SIG *sig=NULL; if (siglen != (unsigned int)RSA_size(rsa)) { RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); return(0); } debugger output: Breakpoint 1, RSA_verify (dtype=64,...

...ctx->reader_count) { + r = SC_ERROR_NO_READERS_FOUND; + goto err; + } r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card); if (r) goto err; *************** *** 190,212 **** unsigned char *sigret, unsigned int *siglen, RSA *rsa) { struct sc_pkcs15_object *key_obj; ! int r; unsigned long flags = 0; r = sc_prkey_op_init(rsa, &key_obj); ! if (r) ! return -1; /* FIXME: length of sigret correct? */ /* FIXME: check 'type' and modify fla...

I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may

...int mm_answer_sign(int sock, Buffer *m) { @@ -714,10 +717,16 @@ mm_answer_sign(int sock, Buffer *m) memcpy(session_id2, p, session_id2_len); } - if ((key = get_hostkey_by_index(keyid)) == NULL) + if ((key = get_hostkey_by_index(keyid)) != NULL) { + if (key_sign(key, &signature, &siglen, p, datlen) < 0) + fatal("%s: key_sign failed", __func__); + } else if ((key = get_hostkey_public_by_index(keyid)) != NULL && + auth_conn != NULL) { + if (ssh_agent_sign(auth_conn, key, &signature, &siglen, p, + datlen) < 0) + fatal("%s: ssh_agent_...

Engine keys are private key files which are only understood by openssl external engines. ?The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). ?Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private

...d->ret = 1; + } + } + + return d->ret; +} + +int +engine_process_add(char *engine, char *file, char *pin, + struct sshkey **k) +{ + EVP_PKEY *pk; + ENGINE *e; + struct sshkey *key; + int ret; + UI_METHOD *ui; + EVP_PKEY_CTX *ctx; + char hash[SHA256_DIGEST_LENGTH], result[1024]; + size_t siglen; + struct ui_data d; + + verbose("%s: add provider=%s, key=%s", __func__, engine, file); + + ret = SSH_ERR_INTERNAL_ERROR; + e = ENGINE_by_id(engine); + if (!e) { + verbose("%s: failed to get engine %s", __func__, engine); + ERR_print_errors_fp(stderr); + return ret; + } + +...

Hi list, I have no idea if Damien Miller had the time to work on that. I have an initial patch to authenticate using PKCS#11 and ECDSA keys. This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the required interfaces to override the signature function pointer for ECDSA. The only limitation is that the OpenSSL API misses some cleanup function (finish, for instance), hence I have yet

..._func__); keyid = buffer_get_int(m); - p = buffer_get_string(m, &datlen); + p = buffer_get_binary(m, &datlen); if (datlen != 20) fatal("%s: data length incorrect: %u", __func__, datlen); @@ -527,7 +527,7 @@ debug3("%s: signature %p(%u)", __func__, signature, siglen); buffer_clear(m); - buffer_put_string(m, signature, siglen); + buffer_put_binary(m, signature, siglen); xfree(p); xfree(signature); @@ -574,7 +574,7 @@ authctxt->valid = 1; buffer_put_char(m, 1); - buffer_put_string(m, pwent, sizeof(struct passwd)); + buffer_put_binary(m, pwent,...

...const u_char *cert, const Key *ca_key, const Key *key, + const u_char *identity) +{ + u_char ca_fp[128], ca_name[128], ca_id[128], ca_opts[512]; + u_char ca_vf[16], ca_vt[16], ca_alg[64], ca_sig[1024]; + u_char sigbuf[1024], datbuf[2048], c, *fp; + unsigned long vf, vt, now = time(NULL); + u_int siglen, i; + + if (cert == NULL || ca_key == NULL || ca_key->type != KEY_RSA || + ca_key->rsa == NULL || key == NULL) { + debug2("cert_verify: invalid arguments"); + return 0; + } + + cert_token(&cert, ca_fp, sizeof(ca_fp)); + cert_token(&cert, ca_name, sizeof(ca_name)); + ce...