b63272d9eb
FIPS compliancy can be stated by using only compliant crypto functions. This is achieved by using EVP API from openssl 3.0 version. The solution uses a non-intrusive approach - instead of rewriting everything to use EVP API it converts the data to it at the critical places. Signed-off-by: Norbert Pocs <npocs@redhat.com>
469 lines
14 KiB
Diff
469 lines
14 KiB
Diff
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-dss.c ./ssh-dss.c
|
|
--- ../../openssh-8.7p1/ssh-dss.c 2023-03-08 15:35:14.669943335 +0100
|
|
+++ ./ssh-dss.c 2023-03-08 15:34:33.508578129 +0100
|
|
@@ -32,6 +32,8 @@
|
|
#include <openssl/bn.h>
|
|
#include <openssl/dsa.h>
|
|
#include <openssl/evp.h>
|
|
+#include <openssl/core_names.h>
|
|
+#include <openssl/param_build.h>
|
|
|
|
#include <stdarg.h>
|
|
#include <string.h>
|
|
@@ -72,9 +74,8 @@
|
|
sshkey_type_plain(key->type) != KEY_DSA)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
|
|
- return SSH_ERR_ALLOC_FAIL;
|
|
+ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0)
|
|
+ return ret;
|
|
ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
|
|
data, datalen);
|
|
EVP_PKEY_free(pkey);
|
|
@@ -201,11 +202,8 @@
|
|
goto out;
|
|
}
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
|
|
- ret = SSH_ERR_ALLOC_FAIL;
|
|
+ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0)
|
|
goto out;
|
|
- }
|
|
ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
|
|
sigb, slen);
|
|
EVP_PKEY_free(pkey);
|
|
@@ -221,4 +219,63 @@
|
|
freezero(sigblob, len);
|
|
return ret;
|
|
}
|
|
+
|
|
+int
|
|
+ssh_create_evp_dss(const struct sshkey *k, EVP_PKEY **pkey)
|
|
+{
|
|
+ OSSL_PARAM_BLD *param_bld = NULL;
|
|
+ EVP_PKEY_CTX *ctx = NULL;
|
|
+ const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL;
|
|
+ int ret = 0;
|
|
+
|
|
+ if (k == NULL)
|
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)) == NULL ||
|
|
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) {
|
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ DSA_get0_pqg(k->dsa, &p, &q, &g);
|
|
+ DSA_get0_key(k->dsa, &pub, &priv);
|
|
+
|
|
+ if (p != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (q != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (g != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (pub != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld,
|
|
+ OSSL_PKEY_PARAM_PUB_KEY,
|
|
+ pub) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (priv != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld,
|
|
+ OSSL_PKEY_PARAM_PRIV_KEY,
|
|
+ priv) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+out:
|
|
+ OSSL_PARAM_BLD_free(param_bld);
|
|
+ EVP_PKEY_CTX_free(ctx);
|
|
+ return ret;
|
|
+}
|
|
#endif /* WITH_OPENSSL */
|
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-ecdsa.c ./ssh-ecdsa.c
|
|
--- ../../openssh-8.7p1/ssh-ecdsa.c 2023-03-08 15:35:14.669943335 +0100
|
|
+++ ./ssh-ecdsa.c 2023-03-08 15:40:52.628201267 +0100
|
|
@@ -34,6 +34,8 @@
|
|
#include <openssl/ec.h>
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
+#include <openssl/core_names.h>
|
|
+#include <openssl/param_build.h>
|
|
|
|
#include <string.h>
|
|
|
|
@@ -72,9 +74,8 @@
|
|
if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
|
return SSH_ERR_INTERNAL_ERROR;
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
|
|
- return SSH_ERR_ALLOC_FAIL;
|
|
+ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
|
|
+ return ret;
|
|
ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
|
|
datalen);
|
|
EVP_PKEY_free(pkey);
|
|
@@ -193,11 +194,8 @@
|
|
goto out;
|
|
}
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
|
|
- ret = SSH_ERR_ALLOC_FAIL;
|
|
+ if (ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey) != 0)
|
|
goto out;
|
|
- }
|
|
ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
|
|
EVP_PKEY_free(pkey);
|
|
|
|
@@ -212,4 +210,76 @@
|
|
return ret;
|
|
}
|
|
|
|
+int
|
|
+ssh_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey)
|
|
+{
|
|
+ OSSL_PARAM_BLD *param_bld = NULL;
|
|
+ EVP_PKEY_CTX *ctx = NULL;
|
|
+ BN_CTX *bn_ctx = NULL;
|
|
+ uint8_t *pub_ser = NULL;
|
|
+ const char *group_name;
|
|
+ const EC_POINT *pub = NULL;
|
|
+ const BIGNUM *priv = NULL;
|
|
+ int ret = 0;
|
|
+
|
|
+ if (k == NULL)
|
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL ||
|
|
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL ||
|
|
+ (bn_ctx = BN_CTX_new()) == NULL) {
|
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ if ((group_name = OSSL_EC_curve_nid2name(ecdsa_nid)) == NULL ||
|
|
+ OSSL_PARAM_BLD_push_utf8_string(param_bld,
|
|
+ OSSL_PKEY_PARAM_GROUP_NAME,
|
|
+ group_name,
|
|
+ strlen(group_name)) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if ((pub = EC_KEY_get0_public_key(k)) != NULL) {
|
|
+ const EC_GROUP *group;
|
|
+ size_t len;
|
|
+
|
|
+ group = EC_KEY_get0_group(k);
|
|
+ len = EC_POINT_point2oct(group, pub,
|
|
+ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
|
|
+ if ((pub_ser = malloc(len)) == NULL) {
|
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
+ goto out;
|
|
+ }
|
|
+ EC_POINT_point2oct(group,
|
|
+ pub,
|
|
+ POINT_CONVERSION_UNCOMPRESSED,
|
|
+ pub_ser,
|
|
+ len,
|
|
+ bn_ctx);
|
|
+ if (OSSL_PARAM_BLD_push_octet_string(param_bld,
|
|
+ OSSL_PKEY_PARAM_PUB_KEY,
|
|
+ pub_ser,
|
|
+ len) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ }
|
|
+ if ((priv = EC_KEY_get0_private_key(k)) != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld,
|
|
+ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+out:
|
|
+ OSSL_PARAM_BLD_free(param_bld);
|
|
+ EVP_PKEY_CTX_free(ctx);
|
|
+ BN_CTX_free(bn_ctx);
|
|
+ free(pub_ser);
|
|
+ return ret;
|
|
+}
|
|
#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
|
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.c ./sshkey.c
|
|
--- ../../openssh-8.7p1/sshkey.c 2023-03-08 15:35:14.702943628 +0100
|
|
+++ ./sshkey.c 2023-03-08 15:39:03.354082015 +0100
|
|
@@ -35,6 +35,8 @@
|
|
#include <openssl/err.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/fips.h>
|
|
+#include <openssl/core_names.h>
|
|
+#include <openssl/param_build.h>
|
|
#endif
|
|
|
|
#include "crypto_api.h"
|
|
@@ -492,13 +494,14 @@
|
|
{
|
|
EVP_MD_CTX *ctx = NULL;
|
|
u_char *sig = NULL;
|
|
- int ret, slen, len;
|
|
+ int ret, slen;
|
|
+ size_t len;
|
|
|
|
if (sigp == NULL || lenp == NULL) {
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
}
|
|
|
|
- slen = EVP_PKEY_size(pkey);
|
|
+ slen = EVP_PKEY_get_size(pkey);
|
|
if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
|
return SSH_ERR_INVALID_ARGUMENT;
|
|
|
|
@@ -511,9 +514,10 @@
|
|
ret = SSH_ERR_ALLOC_FAIL;
|
|
goto error;
|
|
}
|
|
- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
- EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
|
- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
|
+ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
|
+ NULL, pkey) != 1 ||
|
|
+ EVP_DigestSignUpdate(ctx, data, datalen) != 1 ||
|
|
+ EVP_DigestSignFinal(ctx, sig, &len) != 1) {
|
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
goto error;
|
|
}
|
|
@@ -540,12 +544,13 @@
|
|
if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
|
return SSH_ERR_ALLOC_FAIL;
|
|
}
|
|
- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
|
- EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
|
+ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg),
|
|
+ NULL, pkey) != 1 ||
|
|
+ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) {
|
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
goto done;
|
|
}
|
|
- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
|
+ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen);
|
|
switch (ret) {
|
|
case 1:
|
|
ret = 0;
|
|
@@ -5038,3 +5043,27 @@
|
|
return 0;
|
|
}
|
|
#endif /* WITH_XMSS */
|
|
+
|
|
+#ifdef WITH_OPENSSL
|
|
+EVP_PKEY *
|
|
+sshkey_create_evp(OSSL_PARAM_BLD *param_bld, EVP_PKEY_CTX *ctx)
|
|
+{
|
|
+ EVP_PKEY *ret = NULL;
|
|
+ OSSL_PARAM *params = NULL;
|
|
+ if (param_bld == NULL || ctx == NULL) {
|
|
+ debug2_f("param_bld or ctx is NULL");
|
|
+ return NULL;
|
|
+ }
|
|
+ if ((params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) {
|
|
+ debug2_f("Could not build param list");
|
|
+ return NULL;
|
|
+ }
|
|
+ if (EVP_PKEY_fromdata_init(ctx) != 1 ||
|
|
+ EVP_PKEY_fromdata(ctx, &ret, EVP_PKEY_KEYPAIR, params) != 1) {
|
|
+ debug2_f("EVP_PKEY_fromdata failed");
|
|
+ OSSL_PARAM_free(params);
|
|
+ return NULL;
|
|
+ }
|
|
+ return ret;
|
|
+}
|
|
+#endif /* WITH_OPENSSL */
|
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.h ./sshkey.h
|
|
--- ../../openssh-8.7p1/sshkey.h 2023-03-08 15:35:14.702943628 +0100
|
|
+++ ./sshkey.h 2023-03-08 15:34:33.509578138 +0100
|
|
@@ -31,6 +31,9 @@
|
|
#ifdef WITH_OPENSSL
|
|
#include <openssl/rsa.h>
|
|
#include <openssl/dsa.h>
|
|
+#include <openssl/evp.h>
|
|
+#include <openssl/param_build.h>
|
|
+#include <openssl/core_names.h>
|
|
# ifdef OPENSSL_HAS_ECC
|
|
# include <openssl/ec.h>
|
|
# include <openssl/ecdsa.h>
|
|
@@ -293,6 +295,13 @@
|
|
|
|
void sshkey_sig_details_free(struct sshkey_sig_details *);
|
|
|
|
+#ifdef WITH_OPENSSL
|
|
+EVP_PKEY *sshkey_create_evp(OSSL_PARAM_BLD *, EVP_PKEY_CTX *);
|
|
+int ssh_create_evp_dss(const struct sshkey *, EVP_PKEY **);
|
|
+int ssh_create_evp_rsa(const struct sshkey *, EVP_PKEY **);
|
|
+int ssh_create_evp_ec(EC_KEY *, int, EVP_PKEY **);
|
|
+#endif /* WITH_OPENSSL */
|
|
+
|
|
#ifdef SSHKEY_INTERNAL
|
|
int ssh_rsa_sign(const struct sshkey *key,
|
|
u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
|
|
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-rsa.c ./ssh-rsa.c
|
|
--- ../../openssh-8.7p1/ssh-rsa.c 2023-03-08 15:35:14.669943335 +0100
|
|
+++ ./ssh-rsa.c 2023-03-08 15:34:33.509578138 +0100
|
|
@@ -23,6 +23,8 @@
|
|
|
|
#include <openssl/evp.h>
|
|
#include <openssl/err.h>
|
|
+#include <openssl/core_names.h>
|
|
+#include <openssl/param_build.h>
|
|
|
|
#include <stdarg.h>
|
|
#include <string.h>
|
|
@@ -172,9 +174,8 @@
|
|
if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
return SSH_ERR_KEY_LENGTH;
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
|
|
- return SSH_ERR_ALLOC_FAIL;
|
|
+ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
|
|
+ return ret;
|
|
ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
|
|
datalen);
|
|
EVP_PKEY_free(pkey);
|
|
@@ -285,11 +286,8 @@
|
|
len = modlen;
|
|
}
|
|
|
|
- if ((pkey = EVP_PKEY_new()) == NULL ||
|
|
- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
|
|
- ret = SSH_ERR_ALLOC_FAIL;
|
|
+ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
|
|
goto out;
|
|
- }
|
|
ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
|
|
EVP_PKEY_free(pkey);
|
|
|
|
@@ -306,11 +304,9 @@
|
|
u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
|
|
{
|
|
size_t rsasize = 0;
|
|
- const RSA *rsa;
|
|
int ret;
|
|
|
|
- rsa = EVP_PKEY_get0_RSA(pkey);
|
|
- rsasize = RSA_size(rsa);
|
|
+ rsasize = EVP_PKEY_get_size(pkey);
|
|
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
|
|
siglen == 0 || siglen > rsasize) {
|
|
ret = SSH_ERR_INVALID_ARGUMENT;
|
|
@@ -323,4 +319,87 @@
|
|
done:
|
|
return ret;
|
|
}
|
|
+
|
|
+int
|
|
+ssh_create_evp_rsa(const struct sshkey *k, EVP_PKEY **pkey)
|
|
+{
|
|
+ OSSL_PARAM_BLD *param_bld = NULL;
|
|
+ EVP_PKEY_CTX *ctx = NULL;
|
|
+ int ret = 0;
|
|
+ const BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL;
|
|
+ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
|
|
+
|
|
+ if (k == NULL)
|
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
|
+ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL ||
|
|
+ (param_bld = OSSL_PARAM_BLD_new()) == NULL) {
|
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ RSA_get0_key(k->rsa, &n, &e, &d);
|
|
+ RSA_get0_factors(k->rsa, &p, &q);
|
|
+ RSA_get0_crt_params(k->rsa, &dmp1, &dmq1, &iqmp);
|
|
+
|
|
+ if (n != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (e != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (d != NULL &&
|
|
+ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, d) != 1) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) {
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+ /* setting this to param_build makes the creation process fail */
|
|
+ if (p != NULL &&
|
|
+ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, p) != 1) {
|
|
+ debug2_f("failed to add 'p' param");
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (q != NULL &&
|
|
+ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, q) != 1) {
|
|
+ debug2_f("failed to add 'q' param");
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (dmp1 != NULL &&
|
|
+ EVP_PKEY_set_bn_param(*pkey,
|
|
+ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) != 1) {
|
|
+ debug2_f("failed to add 'dmp1' param");
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (dmq1 != NULL &&
|
|
+ EVP_PKEY_set_bn_param(*pkey,
|
|
+ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) != 1) {
|
|
+ debug2_f("failed to add 'dmq1' param");
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+ if (iqmp != NULL &&
|
|
+ EVP_PKEY_set_bn_param(*pkey,
|
|
+ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp) != 1) {
|
|
+ debug2_f("failed to add 'iqmp' param");
|
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
+out:
|
|
+ OSSL_PARAM_BLD_free(param_bld);
|
|
+ EVP_PKEY_CTX_free(ctx);
|
|
+ return ret;
|
|
+}
|
|
#endif /* WITH_OPENSSL */
|