From 077597136cbd1fcb40035d396c6e9f634581c246 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Fri, 16 Feb 2018 17:26:53 +0100 Subject: [PATCH] PKCS#11: Load public keys from ECDSA certificates Submitted in upstream bugzilla https://bugzilla.mindrot.org/show_bug.cgi?id=2474#c21 --- openssh-7.3p1-openssl-1.1.0.patch | 47 ++++++++++++++++++++----------- openssh-7.6p1-pkcs11-ecdsa.patch | 42 +++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 17 deletions(-) diff --git a/openssh-7.3p1-openssl-1.1.0.patch b/openssh-7.3p1-openssl-1.1.0.patch index 2d19bd5..4d7855e 100644 --- a/openssh-7.3p1-openssl-1.1.0.patch +++ b/openssh-7.3p1-openssl-1.1.0.patch @@ -2563,23 +2563,36 @@ diff -up openssh/ssh-pkcs11.c.openssl openssh/ssh-pkcs11.c + if (RSA_set0_key(rsa, rsa_n, rsa_e, NULL) == 0) + error("RSA_set0_key failed"); } - } else { - cp = attribs[2].pValue; -@@ -525,16 +538,18 @@ pkcs11_fetch_keys_filter(struct pkcs11_p - == NULL) { - error("d2i_X509 failed"); - } else if ((evp = X509_get_pubkey(x509)) == NULL || -- evp->type != EVP_PKEY_RSA || -- evp->pkey.rsa == NULL) { -+ EVP_PKEY_id(evp) != EVP_PKEY_RSA || -+ EVP_PKEY_get0_RSA(evp) == NULL) { - debug("X509_get_pubkey failed or no rsa"); -- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) -+ } else if ((rsa = RSAPublicKey_dup(EVP_PKEY_get0_RSA(evp))) - == NULL) { - error("RSAPublicKey_dup"); - } - X509_free(x509); + #ifdef ENABLE_PKCS11_ECDSA + } else if (attribs[2].type == CKA_EC_PARAMS ) { +@@ -920,19 +936,19 @@ pkcs11_fetch_keys_filter(struct pkcs11_p + } else if ((evp = X509_get_pubkey(x509)) == NULL) { + debug("X509_get_pubkey failed"); + } else { +- switch (evp->type) { ++ switch (EVP_PKEY_id(evp)) { + case EVP_PKEY_RSA: +- if (evp->pkey.rsa == NULL) ++ if (EVP_PKEY_get0_RSA(evp) == NULL) + debug("Missing RSA key"); +- else if ((rsa = RSAPublicKey_dup( +- evp->pkey.rsa)) == NULL) ++ else if ((rsa = RSAPublicKey_dup( ++ EVP_PKEY_get0_RSA(evp))) == NULL) + error("RSAPublicKey_dup failed"); + break; + case EVP_PKEY_EC: +- if (evp->pkey.ecdsa == NULL) ++ if (EVP_PKEY_get0_EC_KEY(evp) == NULL) + debug("Missing ECDSA key"); +- else if ((ecdsa = EC_KEY_dup( +- evp->pkey.ecdsa)) == NULL) ++ else if ((ecdsa = EC_KEY_dup( ++ EVP_PKEY_get0_EC_KEY(evp))) == NULL) + error("EC_KEY_dup failed"); + break; + default: +@@ -538,7 +551,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p } key = NULL; if (rsa || ecdsa) { diff --git a/openssh-7.6p1-pkcs11-ecdsa.patch b/openssh-7.6p1-pkcs11-ecdsa.patch index 3781e26..ff36699 100644 --- a/openssh-7.6p1-pkcs11-ecdsa.patch +++ b/openssh-7.6p1-pkcs11-ecdsa.patch @@ -750,3 +750,45 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***); int pkcs11_del_provider(char *); int pkcs11_uri_write(const struct sshkey *, FILE *); + + + +diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c +--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100 ++++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100 +@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p + } else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen) + == NULL) { + error("d2i_X509 failed"); +- } else if ((evp = X509_get_pubkey(x509)) == NULL || +- evp->type != EVP_PKEY_RSA || +- evp->pkey.rsa == NULL) { +- debug("X509_get_pubkey failed or no rsa"); +- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa)) +- == NULL) { +- error("RSAPublicKey_dup"); ++ } else if ((evp = X509_get_pubkey(x509)) == NULL) { ++ debug("X509_get_pubkey failed"); ++ } else { ++ switch (evp->type) { ++ case EVP_PKEY_RSA: ++ if (evp->pkey.rsa == NULL) ++ debug("Missing RSA key"); ++ else if ((rsa = RSAPublicKey_dup( ++ evp->pkey.rsa)) == NULL) ++ error("RSAPublicKey_dup failed"); ++ break; ++ case EVP_PKEY_EC: ++ if (evp->pkey.ecdsa == NULL) ++ debug("Missing ECDSA key"); ++ else if ((ecdsa = EC_KEY_dup( ++ evp->pkey.ecdsa)) == NULL) ++ error("EC_KEY_dup failed"); ++ break; ++ default: ++ debug("not a RSA or ECDSA key"); ++ break; ++ } + } + if (x509) + X509_free(x509);