jonathan/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

Use the new OpenSSL API to export PEM files to avoid dependency on MD5

Browse Source
This commit is contained in:
Jakub Jelen 2019-05-30 11:29:43 +02:00
parent f15fbdc5fe
commit 56fdfa2a52
2 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
openssh-8.0p1-openssl-pem.patch Normal file
View File

@ -0,0 +1,67 @@
commit 2fe812887139ce32eeca52f9a0c141bdc7c4c8af
Author: Jakub Jelen <jjelen@redhat.com>
Date: Wed May 22 17:25:22 2019 +0200
New PEM export format withou MD5
diff --git a/sshkey.c b/sshkey.c
index b95ed0b1..1a271512 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -3805,26 +3805,28 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
char *bptr;
BIO *bio = NULL;
+ EVP_PKEY *pkey = NULL;
if (len > 0 && len <= 4)
return SSH_ERR_PASSPHRASE_TOO_SHORT;
if ((bio = BIO_new(BIO_s_mem())) == NULL)
return SSH_ERR_ALLOC_FAIL;
+ if ((pkey = EVP_PKEY_new()) == NULL) {
+ BIO_free(bio);
+ return SSH_ERR_ALLOC_FAIL;
+ }
switch (key->type) {
case KEY_DSA:
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
- cipher, passphrase, len, NULL, NULL);
+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
break;
#ifdef OPENSSL_HAS_ECC
case KEY_ECDSA:
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
- cipher, passphrase, len, NULL, NULL);
+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
break;
#endif
case KEY_RSA:
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
- cipher, passphrase, len, NULL, NULL);
+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
break;
default:
success = 0;
@@ -3834,6 +3836,12 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
r = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ success = PEM_write_bio_PrivateKey(bio, pkey,
+ cipher, passphrase, len, NULL, NULL);
+ if (success == 0) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
r = SSH_ERR_INTERNAL_ERROR;
goto out;
@@ -3842,6 +3850,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
goto out;
r = 0;
out:
+ EVP_PKEY_free(pkey);
BIO_free(bio);
return r;
}

3
openssh.spec
View File

@ -214,6 +214,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
Patch963: openssh-8.0p1-openssl-evp.patch Patch963: openssh-8.0p1-openssl-evp.patch
# Use OpenSSL KDF (#1631761) # Use OpenSSL KDF (#1631761)
Patch964: openssh-8.0p1-openssl-kdf.patch Patch964: openssh-8.0p1-openssl-kdf.patch
# Use new OpenSSL for PEM export to avoid MD5 dependency (#1712436)
Patch965: openssh-8.0p1-openssl-pem.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -420,6 +422,7 @@ popd
%patch962 -p1 -b .crypto-policies %patch962 -p1 -b .crypto-policies
%patch963 -p1 -b .openssl-evp %patch963 -p1 -b .openssl-evp
%patch964 -p1 -b .openssl-kdf %patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .openssl-pem
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race