Use the new OpenSSL API to export PEM files to avoid dependency on MD5
This commit is contained in:
Jakub Jelen
parent
f15fbdc5fe
commit
56fdfa2a52
67
openssh-8.0p1-openssl-pem.patch
Normal file
67
openssh-8.0p1-openssl-pem.patch
Normal file
@ -0,0 +1,67 @@
|
||||
commit 2fe812887139ce32eeca52f9a0c141bdc7c4c8af
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Wed May 22 17:25:22 2019 +0200
|
||||
|
||||
New PEM export format withou MD5
|
||||
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index b95ed0b1..1a271512 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -3805,26 +3805,28 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
|
||||
char *bptr;
|
||||
BIO *bio = NULL;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
|
||||
if (len > 0 && len <= 4)
|
||||
return SSH_ERR_PASSPHRASE_TOO_SHORT;
|
||||
if ((bio = BIO_new(BIO_s_mem())) == NULL)
|
||||
return SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL) {
|
||||
+ BIO_free(bio);
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ }
|
||||
|
||||
switch (key->type) {
|
||||
case KEY_DSA:
|
||||
- success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ success = EVP_PKEY_set1_DSA(pkey, key->dsa);
|
||||
break;
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
case KEY_ECDSA:
|
||||
- success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
|
||||
break;
|
||||
#endif
|
||||
case KEY_RSA:
|
||||
- success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
|
||||
- cipher, passphrase, len, NULL, NULL);
|
||||
+ success = EVP_PKEY_set1_RSA(pkey, key->rsa);
|
||||
break;
|
||||
default:
|
||||
success = 0;
|
||||
@@ -3834,6 +3836,12 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
+ success = PEM_write_bio_PrivateKey(bio, pkey,
|
||||
+ cipher, passphrase, len, NULL, NULL);
|
||||
+ if (success == 0) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
|
||||
r = SSH_ERR_INTERNAL_ERROR;
|
||||
goto out;
|
||||
@@ -3842,6 +3850,7 @@ sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
|
||||
goto out;
|
||||
r = 0;
|
||||
out:
|
||||
+ EVP_PKEY_free(pkey);
|
||||
BIO_free(bio);
|
||||
return r;
|
||||
}
|
||||
|
||||
@ -214,6 +214,8 @@ Patch962: openssh-8.0p1-crypto-policies.patch
|
||||
Patch963: openssh-8.0p1-openssl-evp.patch
|
||||
# Use OpenSSL KDF (#1631761)
|
||||
Patch964: openssh-8.0p1-openssl-kdf.patch
|
||||
# Use new OpenSSL for PEM export to avoid MD5 dependency (#1712436)
|
||||
Patch965: openssh-8.0p1-openssl-pem.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -420,6 +422,7 @@ popd
|
||||
%patch962 -p1 -b .crypto-policies
|
||||
%patch963 -p1 -b .openssl-evp
|
||||
%patch964 -p1 -b .openssl-kdf
|
||||
%patch965 -p1 -b .openssl-pem
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
||||
Loading…
Reference in New Issue
Block a user