lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-11-27 13:21:11 +03:00
Code Activity

Get rid of the deprecated OpenSSL API

Browse Source 
It turns out there is a way to get the uncompressed format from the low-level
API, which is not (yet?) deprecated so this removes all of the TODO's for ECDSA
keys and moves the EC_KEY structure in the high-level EVP_PKEY.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
Jakub Jelen
2023-01-06 17:25:44 +01:00
parent 02fda2ef80
commit 1eb3df5254
7 changed files with 444 additions and 763 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/libssh/crypto.h
View File

@@ -111,11 +111,7 @@ struct ssh_crypto_struct {
#endif /* WITH_GEX */ #endif /* WITH_GEX */
#ifdef HAVE_ECDH #ifdef HAVE_ECDH
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY *ecdh_privkey; EC_KEY *ecdh_privkey;
#else #else
EVP_PKEY *ecdh_privkey; EVP_PKEY *ecdh_privkey;

4
include/libssh/libcrypto.h
View File

@@ -25,6 +25,7 @@
#ifdef HAVE_LIBCRYPTO #ifdef HAVE_LIBCRYPTO
#include "libssh/libssh.h"
#include <openssl/dsa.h> #include <openssl/dsa.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#include <openssl/sha.h> #include <openssl/sha.h>
@@ -32,6 +33,7 @@
#include <openssl/hmac.h> #include <openssl/hmac.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/crypto.h> #include <openssl/crypto.h>
#include <openssl/ec.h>
typedef EVP_MD_CTX* SHACTX; typedef EVP_MD_CTX* SHACTX;
typedef EVP_MD_CTX* SHA256CTX; typedef EVP_MD_CTX* SHA256CTX;
@@ -116,6 +118,8 @@ typedef BN_CTX* bignum_CTX;
#define ssh_fips_mode() false #define ssh_fips_mode() false
#endif #endif
ssh_string pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p);
int pki_key_ecgroup_name_to_nid(const char *group);
#endif /* HAVE_LIBCRYPTO */ #endif /* HAVE_LIBCRYPTO */
#endif /* LIBCRYPTO_H_ */ #endif /* LIBCRYPTO_H_ */

13
include/libssh/pki.h
View File

@@ -65,17 +65,8 @@ struct ssh_key_struct {
mbedtls_ecdsa_context *ecdsa; mbedtls_ecdsa_context *ecdsa;
void *dsa; void *dsa;
#elif defined(HAVE_LIBCRYPTO) #elif defined(HAVE_LIBCRYPTO)
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move into the #if above
*/
# if defined(HAVE_OPENSSL_ECC)
EC_KEY *ecdsa;
# else
void *ecdsa;
# endif /* HAVE_OPENSSL_EC_H */
/* This holds either ENGINE key for PKCS#11 support or just key in /* This holds either ENGINE key for PKCS#11 support or just key in
* high-level format required by OpenSSL 3.0 */ * high-level format */
EVP_PKEY *key; EVP_PKEY *key;
uint8_t *ed25519_pubkey; uint8_t *ed25519_pubkey;
uint8_t *ed25519_privkey; uint8_t *ed25519_privkey;
@@ -103,7 +94,7 @@ struct ssh_signature_struct {
#endif /* HAVE_LIBGCRYPT */ #endif /* HAVE_LIBGCRYPT */
#ifndef HAVE_LIBCRYPTO #ifndef HAVE_LIBCRYPTO
ed25519_signature *ed25519_sig; ed25519_signature *ed25519_sig;
#endif #endif /* HAVE_LIBGCRYPT */
ssh_string raw_sig; ssh_string raw_sig;
/* Security Key specific additions */ /* Security Key specific additions */

469
src/ecdh_crypto.c
View File

@@ -30,11 +30,7 @@
#ifdef HAVE_ECDH #ifdef HAVE_ECDH
#include <openssl/ecdh.h> #include <openssl/ecdh.h>
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
#define NISTP256 NID_X9_62_prime256v1 #define NISTP256 NID_X9_62_prime256v1
#define NISTP384 NID_secp384r1 #define NISTP384 NID_secp384r1
#define NISTP521 NID_secp521r1 #define NISTP521 NID_secp521r1
@@ -48,11 +44,7 @@
/** @internal /** @internal
* @brief Map the given key exchange enum value to its curve name. * @brief Map the given key exchange enum value to its curve name.
*/ */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
static int ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) { static int ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
#else #else
static const char *ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) { static const char *ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
@@ -64,183 +56,156 @@ static const char *ecdh_kex_type_to_curve(enum ssh_key_exchange_e kex_type) {
} else if (kex_type == SSH_KEX_ECDH_SHA2_NISTP521) { } else if (kex_type == SSH_KEX_ECDH_SHA2_NISTP521) {
return NISTP521; return NISTP521;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
return SSH_ERROR; return SSH_ERROR;
#else #else
return NULL; return NULL;
#endif #endif
} }
/* @internal
* @brief Generate ECDH key pair for ecdh key exchange and store it in the
* session->next_crypto structure
*/
ssh_string ssh_ecdh_generate(ssh_session session)
{
ssh_string pubkey_string = NULL;
const EC_GROUP *group = NULL;
const EC_POINT *point = NULL;
int rc;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
EC_KEY *key = NULL;
int curve;
#else
const char *curve = NULL;
EVP_PKEY *key = NULL;
OSSL_PARAM *out_params = NULL;
const OSSL_PARAM *pubkey_param = NULL;
const void *pubkey = NULL;
size_t pubkey_len;
int nid;
#endif /* OPENSSL_VERSION_NUMBER */
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (curve == SSH_ERROR) {
SSH_LOG(SSH_LOG_TRACE, "Failed to get curve name");
return NULL;
}
key = EC_KEY_new_by_curve_name(curve);
#else
if (curve == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Failed to get curve name");
return NULL;
}
key = EVP_EC_gen(curve);
#endif /* OPENSSL_VERSION_NUMBER */
if (key == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Failed to generate key");
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
group = EC_KEY_get0_group(key);
EC_KEY_generate_key(key);
point = EC_KEY_get0_public_key(key);
#else
rc = EVP_PKEY_todata(key, EVP_PKEY_PUBLIC_KEY, &out_params);
if (rc != 1) {
SSH_LOG(SSH_LOG_TRACE, "Failed to export public key");
EVP_PKEY_free(key);
return NULL;
}
pubkey_param = OSSL_PARAM_locate_const(out_params, OSSL_PKEY_PARAM_PUB_KEY);
if (pubkey_param == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Failed to find public key");
EVP_PKEY_free(key);
OSSL_PARAM_free(out_params);
return NULL;
}
rc = OSSL_PARAM_get_octet_string_ptr(pubkey_param,
(const void**)&pubkey,
&pubkey_len);
OSSL_PARAM_free(out_params);
if (rc != 1) {
SSH_LOG(SSH_LOG_TRACE, "Failed to read public key");
EVP_PKEY_free(key);
return NULL;
}
/* Convert the data to low-level representation */
nid = pki_key_ecgroup_name_to_nid(curve);
group = EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid);
point = EC_POINT_new(group);
rc = EC_POINT_oct2point(group, (EC_POINT *)point, pubkey, pubkey_len, NULL);
if (group == NULL || point == NULL || rc != 1) {
SSH_LOG(SSH_LOG_TRACE, "Failed to export public key");
EVP_PKEY_free(key);
return NULL;
}
#endif /* OPENSSL_VERSION_NUMBER */
pubkey_string = pki_key_make_ecpoint_string(group, point);
if (pubkey_string == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Failed to convert public key");
#if OPENSSL_VERSION_NUMBER < 0x30000000L
EC_KEY_free(key);
#else
EVP_PKEY_free(key);
#endif /* OPENSSL_VERSION_NUMBER */
return NULL;
}
session->next_crypto->ecdh_privkey = key;
return pubkey_string;
}
/** @internal /** @internal
* @brief Starts ecdh-sha2-nistp256 key exchange * @brief Starts ecdh-sha2-nistp256 key exchange
*/ */
int ssh_client_ecdh_init(ssh_session session){ int ssh_client_ecdh_init(ssh_session session)
int rc; {
ssh_string client_pubkey; ssh_string client_pubkey = NULL;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys int rc;
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY *key;
const EC_GROUP *group;
const EC_POINT *pubkey;
int curve;
int len;
bignum_CTX ctx = BN_CTX_new();
if (ctx == NULL) {
return SSH_ERROR;
}
#else
const char *curve = NULL;
EVP_PKEY *key = NULL;
OSSL_PARAM *out_params = NULL;
const OSSL_PARAM *pubkey_param = NULL;
const uint8_t *pubkey = NULL;
size_t pubkey_len;
#endif /* OPENSSL_VERSION_NUMBER */
rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT); rc = ssh_buffer_add_u8(session->out_buffer, SSH2_MSG_KEX_ECDH_INIT);
if (rc < 0) { if (rc < 0) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys return SSH_ERROR;
* https://github.com/openssl/openssl/pull/16624 }
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
BN_CTX_free(ctx);
#endif /* OPENSSL_VERSION_NUMBER */
return SSH_ERROR;
}
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type); client_pubkey = ssh_ecdh_generate(session);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys if (client_pubkey == NULL) {
* https://github.com/openssl/openssl/pull/16624 return SSH_ERROR;
* #if OPENSSL_VERSION_NUMBER < 0x30000000L }
*/
#if 1
if (curve == SSH_ERROR) {
BN_CTX_free(ctx);
return SSH_ERROR;
}
key = EC_KEY_new_by_curve_name(curve); rc = ssh_buffer_add_ssh_string(session->out_buffer, client_pubkey);
#else if (rc < 0) {
if (curve == NULL) { return SSH_ERROR;
return SSH_ERROR; }
}
key = EVP_EC_gen(curve); session->next_crypto->ecdh_client_pubkey = client_pubkey;
#endif /* OPENSSL_VERSION_NUMBER */
if (key == NULL) { /* register the packet callbacks */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys ssh_packet_set_callbacks(session, &ssh_ecdh_client_callbacks);
* https://github.com/openssl/openssl/pull/16624 session->dh_handshake_state = DH_STATE_INIT_SENT;
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
BN_CTX_free(ctx);
#endif /* OPENSSL_VERSION_NUMBER */
return SSH_ERROR;
}
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys rc = ssh_packet_send(session);
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
group = EC_KEY_get0_group(key);
EC_KEY_generate_key(key); return rc;
pubkey=EC_KEY_get0_public_key(key);
len = EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
NULL,0,ctx);
client_pubkey = ssh_string_new(len);
if (client_pubkey == NULL) {
BN_CTX_free(ctx);
EC_KEY_free(key);
return SSH_ERROR;
}
EC_POINT_point2oct(group,pubkey,POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(client_pubkey),len,ctx);
BN_CTX_free(ctx);
#else
rc = EVP_PKEY_todata(key, EVP_PKEY_PUBLIC_KEY, &out_params);
if (rc != 1) {
EVP_PKEY_free(key);
return SSH_ERROR;
}
pubkey_param = OSSL_PARAM_locate_const(out_params, OSSL_PKEY_PARAM_PUB_KEY);
if (pubkey_param == NULL) {
EVP_PKEY_free(key);
OSSL_PARAM_free(out_params);
return SSH_ERROR;
}
rc = OSSL_PARAM_get_octet_string_ptr(pubkey_param,
(const void**)&pubkey,
&pubkey_len);
if (rc != 1) {
OSSL_PARAM_free(out_params);
EVP_PKEY_free(key);
return SSH_ERROR;
}
client_pubkey = ssh_string_new(pubkey_len);
if (client_pubkey == NULL) {
OSSL_PARAM_free(out_params);
EVP_PKEY_free(key);
return SSH_ERROR;
}
memcpy(ssh_string_data(client_pubkey), pubkey, pubkey_len);
OSSL_PARAM_free(out_params);
#endif /* OPENSSL_VERSION_NUMBER */
rc = ssh_buffer_add_ssh_string(session->out_buffer,client_pubkey);
if (rc < 0) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY_free(key);
#else
EVP_PKEY_free(key);
#endif /* OPENSSL_VERSION_NUMBER */
SSH_STRING_FREE(client_pubkey);
return SSH_ERROR;
}
session->next_crypto->ecdh_privkey = key;
session->next_crypto->ecdh_client_pubkey = client_pubkey;
/* register the packet callbacks */
ssh_packet_set_callbacks(session, &ssh_ecdh_client_callbacks);
session->dh_handshake_state = DH_STATE_INIT_SENT;
rc = ssh_packet_send(session);
return rc;
} }
int ecdh_build_k(ssh_session session) { int ecdh_build_k(ssh_session session)
{
struct ssh_crypto_struct *next_crypto = session->next_crypto; struct ssh_crypto_struct *next_crypto = session->next_crypto;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
const EC_GROUP *group = EC_KEY_get0_group(next_crypto->ecdh_privkey); const EC_GROUP *group = EC_KEY_get0_group(next_crypto->ecdh_privkey);
EC_POINT *pubkey; EC_POINT *pubkey = NULL;
void *buffer; void *buffer = NULL;
int rc; int rc;
int len = (EC_GROUP_get_degree(group) + 7) / 8; int len = (EC_GROUP_get_degree(group) + 7) / 8;
bignum_CTX ctx = bignum_ctx_new(); bignum_CTX ctx = bignum_ctx_new();
@@ -292,11 +257,13 @@ int ecdh_build_k(ssh_session session) {
bignum_bin2bn(buffer, len, &next_crypto->shared_secret); bignum_bin2bn(buffer, len, &next_crypto->shared_secret);
free(buffer); free(buffer);
#else #else
const char *curve = NULL;
EVP_PKEY *pubkey = NULL; EVP_PKEY *pubkey = NULL;
void *secret = NULL; void *secret = NULL;
size_t secret_len; size_t secret_len;
int rc; int rc;
OSSL_PARAM params[2]; OSSL_PARAM params[3];
ssh_string peer_pubkey = NULL;
EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_from_pkey(NULL, EVP_PKEY_CTX *dh_ctx = EVP_PKEY_CTX_new_from_pkey(NULL,
next_crypto->ecdh_privkey, next_crypto->ecdh_privkey,
NULL); NULL);
@@ -324,15 +291,18 @@ int ecdh_build_k(ssh_session session) {
} }
if (session->server) { if (session->server) {
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY, peer_pubkey = next_crypto->ecdh_client_pubkey;
ssh_string_data(next_crypto->ecdh_client_pubkey),
ssh_string_len(next_crypto->ecdh_client_pubkey));
} else { } else {
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY, peer_pubkey = next_crypto->ecdh_server_pubkey;
ssh_string_data(next_crypto->ecdh_server_pubkey),
ssh_string_len(next_crypto->ecdh_server_pubkey));
} }
params[1] = OSSL_PARAM_construct_end(); params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
ssh_string_data(peer_pubkey),
ssh_string_len(peer_pubkey));
curve = ecdh_kex_type_to_curve(next_crypto->kex_type);
params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
(char *)curve,
strlen(curve));
params[2] = OSSL_PARAM_construct_end();
rc = EVP_PKEY_fromdata(pubkey_ctx, &pubkey, EVP_PKEY_PUBLIC_KEY, params); rc = EVP_PKEY_fromdata(pubkey_ctx, &pubkey, EVP_PKEY_PUBLIC_KEY, params);
if (rc != 1) { if (rc != 1) {
@@ -374,11 +344,7 @@ int ecdh_build_k(ssh_session session) {
free(secret); free(secret);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
if (next_crypto->shared_secret == NULL) { if (next_crypto->shared_secret == NULL) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY_free(next_crypto->ecdh_privkey); EC_KEY_free(next_crypto->ecdh_privkey);
#else #else
EVP_PKEY_free(next_crypto->ecdh_privkey); EVP_PKEY_free(next_crypto->ecdh_privkey);
@@ -386,11 +352,7 @@ int ecdh_build_k(ssh_session session) {
next_crypto->ecdh_privkey = NULL; next_crypto->ecdh_privkey = NULL;
return -1; return -1;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY_free(next_crypto->ecdh_privkey); EC_KEY_free(next_crypto->ecdh_privkey);
#else #else
EVP_PKEY_free(next_crypto->ecdh_privkey); EVP_PKEY_free(next_crypto->ecdh_privkey);
@@ -413,29 +375,11 @@ int ecdh_build_k(ssh_session session) {
/** @brief Handle a SSH_MSG_KEXDH_INIT packet (server) and send a /** @brief Handle a SSH_MSG_KEXDH_INIT packet (server) and send a
* SSH_MSG_KEXDH_REPLY * SSH_MSG_KEXDH_REPLY
*/ */
SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init)
{
/* ECDH keys */ /* ECDH keys */
ssh_string q_c_string; ssh_string q_c_string = NULL;
ssh_string q_s_string; ssh_string q_s_string = NULL;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY *ecdh_key;
const EC_GROUP *group;
const EC_POINT *ecdh_pubkey;
bignum_CTX ctx;
int curve;
int len;
#else
EVP_PKEY *ecdh_key = NULL;
const void *pubkey_ptr = NULL;
size_t len;
OSSL_PARAM *params = NULL;
const OSSL_PARAM *pubkey = NULL;
const char *curve = NULL;
#endif /* OPENSSL_VERSION_NUMBER */
/* SSH host keys (rsa,dsa,ecdsa) */ /* SSH host keys (rsa,dsa,ecdsa) */
ssh_key privkey; ssh_key privkey;
enum ssh_digest_e digest = SSH_DIGEST_AUTO; enum ssh_digest_e digest = SSH_DIGEST_AUTO;
@@ -445,125 +389,22 @@ SSH_PACKET_CALLBACK(ssh_packet_server_ecdh_init){
(void)type; (void)type;
(void)user; (void)user;
SSH_LOG(SSH_LOG_TRACE, "Processing SSH_MSG_KEXDH_INIT");
ssh_packet_remove_callbacks(session, &ssh_ecdh_server_callbacks); ssh_packet_remove_callbacks(session, &ssh_ecdh_server_callbacks);
/* Extract the client pubkey from the init packet */ /* Extract the client pubkey from the init packet */
q_c_string = ssh_buffer_get_ssh_string(packet); q_c_string = ssh_buffer_get_ssh_string(packet);
if (q_c_string == NULL) { if (q_c_string == NULL) {
ssh_set_error(session,SSH_FATAL, "No Q_C ECC point in packet"); ssh_set_error(session, SSH_FATAL, "No Q_C ECC point in packet");
goto error; goto error;
} }
session->next_crypto->ecdh_client_pubkey = q_c_string; session->next_crypto->ecdh_client_pubkey = q_c_string;
curve = ecdh_kex_type_to_curve(session->next_crypto->kex_type); q_s_string = ssh_ecdh_generate(session);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
if (curve == SSH_ERROR) {
return SSH_ERROR;
}
#else
if (curve == NULL) {
return SSH_ERROR;
}
#endif /* OPENSSL_VERSION_NUMBER */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
ecdh_key = EC_KEY_new_by_curve_name(curve);
#else
ecdh_key = EVP_EC_gen(curve);
#endif /* OPENSSL_VERSION_NUMBER */
if (ecdh_key == NULL) {
ssh_set_error_oom(session);
goto error;
}
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
/* Build server's keypair */
ctx = BN_CTX_new();
if (ctx == NULL) {
EC_KEY_free(ecdh_key);
return SSH_ERROR;
}
group = EC_KEY_get0_group(ecdh_key);
EC_KEY_generate_key(ecdh_key);
ecdh_pubkey = EC_KEY_get0_public_key(ecdh_key);
len = EC_POINT_point2oct(group,
ecdh_pubkey,
POINT_CONVERSION_UNCOMPRESSED,
NULL,
0,
ctx);
#else
rc = EVP_PKEY_todata(ecdh_key, EVP_PKEY_PUBLIC_KEY, &params);
if (rc != 1) {
EVP_PKEY_free(ecdh_key);
return SSH_ERROR;
}
pubkey = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
if (pubkey == NULL) {
OSSL_PARAM_free(params);
EVP_PKEY_free(ecdh_key);
return SSH_ERROR;
}
rc = OSSL_PARAM_get_octet_string_ptr(pubkey, &pubkey_ptr, &len);
if (rc != 1) {
OSSL_PARAM_free(params);
EVP_PKEY_free(ecdh_key);
return SSH_ERROR;
}
#endif /* OPENSSL_VERSION_NUMBER */
q_s_string = ssh_string_new(len);
if (q_s_string == NULL) { if (q_s_string == NULL) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY_free(ecdh_key);
BN_CTX_free(ctx);
#else
EVP_PKEY_free(ecdh_key);
#endif /* OPENSSL_VERSION_NUMBER */
goto error; goto error;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_POINT_point2oct(group,
ecdh_pubkey,
POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(q_s_string),
len,
ctx);
BN_CTX_free(ctx);
#else
if (memcpy(ssh_string_data(q_s_string), pubkey_ptr, len)) {
OSSL_PARAM_free(params);
EVP_PKEY_free(ecdh_key);
return SSH_ERROR;
}
OSSL_PARAM_free(params);
#endif /* OPENSSL_VERSION_NUMBER */
session->next_crypto->ecdh_privkey = ecdh_key;
session->next_crypto->ecdh_server_pubkey = q_s_string; session->next_crypto->ecdh_server_pubkey = q_s_string;
/* build k and session_id */ /* build k and session_id */

126
src/libcrypto.c
View File

@@ -1505,57 +1505,59 @@ int evp_build_pkey(const char* name, OSSL_PARAM_BLD *param_bld,
* *
* @return 0 on success, -1 on error * @return 0 on success, -1 on error
*/ */
static int evp_dup_pkey(const char* name, const ssh_key key, int demote, static int
ssh_key new_key) evp_dup_pkey(const char *name, const ssh_key key, int demote, ssh_key new_key)
{ {
int rc; int rc;
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, name, NULL); EVP_PKEY_CTX *ctx = NULL;
OSSL_PARAM *params = NULL; OSSL_PARAM *params = NULL;
/* The simple case -- just reference the existing key */
if (!demote || (key->flags & SSH_KEY_FLAG_PRIVATE) == 0) {
rc = EVP_PKEY_up_ref(key->key);
if (rc != 1) {
return -1;
}
new_key->key = key->key;
return SSH_OK;
}
/* demote == 1 */
ctx = EVP_PKEY_CTX_new_from_name(NULL, name, NULL);
if (ctx == NULL) { if (ctx == NULL) {
return -1; return -1;
} }
if (!demote && (key->flags & SSH_KEY_FLAG_PRIVATE)) { rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, &params);
rc = EVP_PKEY_todata(key->key, EVP_PKEY_KEYPAIR, &params); if (rc != 1) {
if (rc != 1) { EVP_PKEY_CTX_free(ctx);
EVP_PKEY_CTX_free(ctx); return -1;
return -1; }
}
rc = EVP_PKEY_fromdata_init(ctx); if (strcmp(name, "EC") == 0) {
if (rc != 1) { OSSL_PARAM *locate_param = NULL;
/* For ECC keys provided by engine or provider, we need to have the
* explicit public part available, otherwise the key will not be
* usable */
locate_param = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_PUB_KEY);
if (locate_param == NULL) {
EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
return -1; return -1;
} }
}
rc = EVP_PKEY_fromdata_init(ctx);
if (rc != 1) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return -1;
}
rc = EVP_PKEY_fromdata(ctx, &(new_key->key), EVP_PKEY_KEYPAIR, params); rc = EVP_PKEY_fromdata(ctx, &(new_key->key), EVP_PKEY_PUBLIC_KEY, params);
if (rc != 1) { if (rc != 1) {
EVP_PKEY_CTX_free(ctx); EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
return -1; return -1;
}
} else {
rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, &params);
if (rc != 1) {
EVP_PKEY_CTX_free(ctx);
return -1;
}
rc = EVP_PKEY_fromdata_init(ctx);
if (rc != 1) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return -1;
}
rc = EVP_PKEY_fromdata(ctx, &(new_key->key), EVP_PKEY_PUBLIC_KEY, params);
if (rc != 1) {
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
return -1;
}
} }
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
@@ -1580,4 +1582,54 @@ int evp_dup_ecdsa_pkey(const ssh_key key, ssh_key new_key, int demote)
} }
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
ssh_string
pki_key_make_ecpoint_string(const EC_GROUP *g, const EC_POINT *p)
{
ssh_string s = NULL;
size_t len;
len = EC_POINT_point2oct(g,
p,
POINT_CONVERSION_UNCOMPRESSED,
NULL,
0,
NULL);
if (len == 0) {
return NULL;
}
s = ssh_string_new(len);
if (s == NULL) {
return NULL;
}
len = EC_POINT_point2oct(g,
p,
POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(s),
ssh_string_len(s),
NULL);
if (len != ssh_string_len(s)) {
SSH_STRING_FREE(s);
return NULL;
}
return s;
}
int pki_key_ecgroup_name_to_nid(const char *group)
{
if (strcmp(group, NISTP256) == 0 ||
strcmp(group, "secp256r1") == 0 ||
strcmp(group, "prime256v1") == 0) {
return NID_X9_62_prime256v1;
} else if (strcmp(group, NISTP384) == 0 ||
strcmp(group, "secp384r1") == 0) {
return NID_secp384r1;
} else if (strcmp(group, NISTP521) == 0 ||
strcmp(group, "secp521r1") == 0) {
return NID_secp521r1;
}
return -1;
}
#endif /* LIBCRYPTO */ #endif /* LIBCRYPTO */

581
src/pki_crypto.c
View File

@@ -91,26 +91,12 @@ void pki_key_clean(ssh_key key)
{ {
if (key == NULL) if (key == NULL)
return; return;
#ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move whole HAVE_OPENSSL_ECC into #if < 0x3 above
*/
#if 1
EC_KEY_free(key->ecdsa);
key->ecdsa = NULL;
#endif
#endif /* HAVE_OPENSSL_ECC */
EVP_PKEY_free(key->key); EVP_PKEY_free(key->key);
key->key = NULL; key->key = NULL;
} }
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
static int pki_key_ecdsa_to_nid(EC_KEY *k) static int pki_key_ecdsa_to_nid(EC_KEY *k)
{ {
const EC_GROUP *g = EC_KEY_get0_group(k); const EC_GROUP *g = EC_KEY_get0_group(k);
@@ -133,28 +119,11 @@ static int pki_key_ecdsa_to_nid(EVP_PKEY *k)
if (rc != 1) if (rc != 1)
return -1; return -1;
if (strcmp(gname, NISTP256) == 0 return pki_key_ecgroup_name_to_nid(gname);
|| strcmp(gname, "secp256r1") == 0
|| strcmp(gname, "prime256v1") == 0) {
nid = NID_X9_62_prime256v1;
} else if (strcmp(gname, NISTP384) == 0
|| strcmp(gname, "secp384r1") == 0) {
nid = NID_secp384r1;
} else if (strcmp(gname, NISTP521) == 0
|| strcmp(gname, "secp521r1") == 0) {
nid = NID_secp521r1;
} else
return -1;
return nid;
} }
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EC_KEY *k) static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EC_KEY *k)
#else #else
static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EVP_PKEY *k) static enum ssh_keytypes_e pki_key_ecdsa_to_key_type(EVP_PKEY *k)
@@ -221,60 +190,16 @@ int pki_key_ecdsa_nid_from_name(const char *name)
return -1; return -1;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
static ssh_string make_ecpoint_string(const EC_GROUP *g,
const EC_POINT *p)
{
ssh_string s;
size_t len;
len = EC_POINT_point2oct(g,
p,
POINT_CONVERSION_UNCOMPRESSED,
NULL,
0,
NULL);
if (len == 0) {
return NULL;
}
s = ssh_string_new(len);
if (s == NULL) {
return NULL;
}
len = EC_POINT_point2oct(g,
p,
POINT_CONVERSION_UNCOMPRESSED,
ssh_string_data(s),
ssh_string_len(s),
NULL);
if (len != ssh_string_len(s)) {
SSH_STRING_FREE(s);
return NULL;
}
return s;
}
#endif /* OPENSSL_VERSION_NUMBER */
int pki_privkey_build_ecdsa(ssh_key key, int nid, ssh_string e, ssh_string exp) int pki_privkey_build_ecdsa(ssh_key key, int nid, ssh_string e, ssh_string exp)
{ {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys int rc;
* https://github.com/openssl/openssl/pull/16624 #if OPENSSL_VERSION_NUMBER < 0x30000000L
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_POINT *p = NULL; EC_POINT *p = NULL;
const EC_GROUP *g = NULL; const EC_GROUP *g = NULL;
int ok; int ok;
BIGNUM *bexp = NULL; BIGNUM *bexp = NULL;
EC_KEY *ecdsa = NULL;
#else #else
int rc;
const BIGNUM *expb; const BIGNUM *expb;
const char *group_name = OSSL_EC_curve_nid2name(nid); const char *group_name = OSSL_EC_curve_nid2name(nid);
OSSL_PARAM_BLD *param_bld = NULL; OSSL_PARAM_BLD *param_bld = NULL;
@@ -288,20 +213,17 @@ int pki_privkey_build_ecdsa(ssh_key key, int nid, ssh_string e, ssh_string exp)
key->ecdsa_nid = nid; key->ecdsa_nid = nid;
key->type_c = pki_key_ecdsa_nid_to_name(nid); key->type_c = pki_key_ecdsa_nid_to_name(nid);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L if (ecdsa == NULL) {
*/
#if 1
key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
if (key->ecdsa == NULL) {
return -1; return -1;
} }
g = EC_KEY_get0_group(key->ecdsa); g = EC_KEY_get0_group(ecdsa);
p = EC_POINT_new(g); p = EC_POINT_new(g);
if (p == NULL) { if (p == NULL) {
EC_KEY_free(ecdsa);
return -1; return -1;
} }
@@ -311,27 +233,42 @@ int pki_privkey_build_ecdsa(ssh_key key, int nid, ssh_string e, ssh_string exp)
ssh_string_len(e), ssh_string_len(e),
NULL); NULL);
if (!ok) { if (!ok) {
EC_KEY_free(ecdsa);
EC_POINT_free(p); EC_POINT_free(p);
return -1; return -1;
} }
/* EC_KEY_set_public_key duplicates p */ /* EC_KEY_set_public_key duplicates p */
ok = EC_KEY_set_public_key(key->ecdsa, p); ok = EC_KEY_set_public_key(ecdsa, p);
EC_POINT_free(p); EC_POINT_free(p);
if (!ok) { if (!ok) {
EC_KEY_free(ecdsa);
return -1; return -1;
} }
bexp = ssh_make_string_bn(exp); bexp = ssh_make_string_bn(exp);
if (bexp == NULL) { if (bexp == NULL) {
EC_KEY_free(key->ecdsa); EC_KEY_free(ecdsa);
return -1; return -1;
} }
/* EC_KEY_set_private_key duplicates exp */ /* EC_KEY_set_private_key duplicates exp */
ok = EC_KEY_set_private_key(key->ecdsa, bexp); ok = EC_KEY_set_private_key(ecdsa, bexp);
BN_free(bexp); BN_free(bexp);
if (!ok) { if (!ok) {
EC_KEY_free(key->ecdsa); EC_KEY_free(ecdsa);
return -1;
}
key->key = EVP_PKEY_new();
if (key->key == NULL) {
EC_KEY_free(ecdsa);
return -1;
}
rc = EVP_PKEY_assign_EC_KEY(key->key, ecdsa);
if (rc != 1) {
EVP_PKEY_free(key->key);
EC_KEY_free(ecdsa);
return -1; return -1;
} }
@@ -365,16 +302,13 @@ err:
int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e) int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e)
{ {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys int rc;
* https://github.com/openssl/openssl/pull/16624 #if OPENSSL_VERSION_NUMBER < 0x30000000L
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_POINT *p = NULL; EC_POINT *p = NULL;
const EC_GROUP *g = NULL; const EC_GROUP *g = NULL;
EC_KEY *ecdsa = NULL;
int ok; int ok;
#else #else
int rc;
const char *group_name = OSSL_EC_curve_nid2name(nid); const char *group_name = OSSL_EC_curve_nid2name(nid);
OSSL_PARAM_BLD *param_bld; OSSL_PARAM_BLD *param_bld;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
@@ -382,20 +316,17 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e)
key->ecdsa_nid = nid; key->ecdsa_nid = nid;
key->type_c = pki_key_ecdsa_nid_to_name(nid); key->type_c = pki_key_ecdsa_nid_to_name(nid);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L if (ecdsa == NULL) {
*/
#if 1
key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
if (key->ecdsa == NULL) {
return -1; return -1;
} }
g = EC_KEY_get0_group(key->ecdsa); g = EC_KEY_get0_group(ecdsa);
p = EC_POINT_new(g); p = EC_POINT_new(g);
if (p == NULL) { if (p == NULL) {
EC_KEY_free(ecdsa);
return -1; return -1;
} }
@@ -405,14 +336,28 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e)
ssh_string_len(e), ssh_string_len(e),
NULL); NULL);
if (!ok) { if (!ok) {
EC_KEY_free(ecdsa);
EC_POINT_free(p); EC_POINT_free(p);
return -1; return -1;
} }
/* EC_KEY_set_public_key duplicates p */ /* EC_KEY_set_public_key duplicates p */
ok = EC_KEY_set_public_key(key->ecdsa, p); ok = EC_KEY_set_public_key(ecdsa, p);
EC_POINT_free(p); EC_POINT_free(p);
if (!ok) { if (!ok) {
EC_KEY_free(ecdsa);
return -1;
}
key->key = EVP_PKEY_new();
if (key->key == NULL) {
EC_KEY_free(ecdsa);
return -1;
}
rc = EVP_PKEY_assign_EC_KEY(key->key, ecdsa);
if (rc != 1) {
EC_KEY_free(ecdsa);
return -1; return -1;
} }
@@ -709,44 +654,56 @@ ssh_key pki_key_dup(const ssh_key key, int demote)
goto fail; goto fail;
} }
new->key = key->key; new->key = key->key;
rc = EC_KEY_up_ref(key->ecdsa);
if (rc != 1) {
goto fail;
}
new->ecdsa = key->ecdsa;
return new; return new;
} }
#endif /* WITH_PKCS11_URI */ #endif /* WITH_PKCS11_URI */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
/* privkey -> pubkey */ /* privkey -> pubkey */
if (demote && ssh_key_is_private(key)) { if (demote && ssh_key_is_private(key)) {
const EC_POINT *p; const EC_POINT *p = NULL;
EC_KEY *new_ecdsa = NULL, *old_ecdsa = NULL;
int ok; int ok;
new->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid); new_ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
if (new->ecdsa == NULL) { if (new_ecdsa == NULL) {
goto fail; goto fail;
} }
p = EC_KEY_get0_public_key(key->ecdsa); old_ecdsa = EVP_PKEY_get0_EC_KEY(key->key);
if (old_ecdsa == NULL) {
EC_KEY_free(new_ecdsa);
goto fail;
}
p = EC_KEY_get0_public_key(old_ecdsa);
if (p == NULL) { if (p == NULL) {
EC_KEY_free(new_ecdsa);
goto fail; goto fail;
} }
ok = EC_KEY_set_public_key(new->ecdsa, p); ok = EC_KEY_set_public_key(new_ecdsa, p);
if (!ok) { if (ok != 1) {
EC_KEY_free(new_ecdsa);
goto fail;
}
new->key = EVP_PKEY_new();
if (new->key == NULL) {
EC_KEY_free(new_ecdsa);
goto fail;
}
ok = EVP_PKEY_assign_EC_KEY(new->key, new_ecdsa);
if (ok != 1) {
EC_KEY_free(new_ecdsa);
goto fail; goto fail;
} }
} else { } else {
rc = EC_KEY_up_ref(key->ecdsa); rc = EVP_PKEY_up_ref(key->key);
if (rc != 1) { if (rc != 1) {
goto fail; goto fail;
} }
new->ecdsa = key->ecdsa; new->key = key->key;
} }
#else #else
rc = evp_dup_ecdsa_pkey(key, new, demote); rc = evp_dup_ecdsa_pkey(key, new, demote);
@@ -945,12 +902,10 @@ int pki_key_generate_dss(ssh_key key, int parameter){
} }
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
int pki_key_generate_ecdsa(ssh_key key, int parameter) { int pki_key_generate_ecdsa(ssh_key key, int parameter)
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys {
* https://github.com/openssl/openssl/pull/16624 #if OPENSSL_VERSION_NUMBER < 0x30000000L
* #if OPENSSL_VERSION_NUMBER < 0x30000000L EC_KEY *ecdsa = NULL;
*/
#if 1
int ok; int ok;
#else #else
const char *group_name = NULL; const char *group_name = NULL;
@@ -959,33 +914,21 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter) {
case 256: case 256:
key->ecdsa_nid = NID_X9_62_prime256v1; key->ecdsa_nid = NID_X9_62_prime256v1;
key->type = SSH_KEYTYPE_ECDSA_P256; key->type = SSH_KEYTYPE_ECDSA_P256;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER >= 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
group_name = NISTP256; group_name = NISTP256;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
break; break;
case 384: case 384:
key->ecdsa_nid = NID_secp384r1; key->ecdsa_nid = NID_secp384r1;
key->type = SSH_KEYTYPE_ECDSA_P384; key->type = SSH_KEYTYPE_ECDSA_P384;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER >= 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
group_name = NISTP384; group_name = NISTP384;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
break; break;
case 521: case 521:
key->ecdsa_nid = NID_secp521r1; key->ecdsa_nid = NID_secp521r1;
key->type = SSH_KEYTYPE_ECDSA_P521; key->type = SSH_KEYTYPE_ECDSA_P521;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER >= 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
group_name = NISTP521; group_name = NISTP521;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
break; break;
@@ -994,15 +937,30 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter) {
"generation", parameter); "generation", parameter);
return SSH_ERROR; return SSH_ERROR;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L if (ecdsa == NULL) {
*/
#if 1
key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid);
if (key->ecdsa == NULL) {
return SSH_ERROR; return SSH_ERROR;
} }
ok = EC_KEY_generate_key(ecdsa);
if (!ok) {
EC_KEY_free(ecdsa);
return SSH_ERROR;
}
EC_KEY_set_asn1_flag(ecdsa, OPENSSL_EC_NAMED_CURVE);
key->key = EVP_PKEY_new();
if (key->key == NULL) {
EC_KEY_free(ecdsa);
return SSH_ERROR;
}
ok = EVP_PKEY_assign_EC_KEY(key->key, ecdsa);
if (ok != 1) {
return SSH_ERROR;
}
#else #else
key->key = EVP_EC_gen(group_name); key->key = EVP_EC_gen(group_name);
if (key->key == NULL) { if (key->key == NULL) {
@@ -1010,19 +968,6 @@ int pki_key_generate_ecdsa(ssh_key key, int parameter) {
} }
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
ok = EC_KEY_generate_key(key->ecdsa);
if (!ok) {
EC_KEY_free(key->ecdsa);
return SSH_ERROR;
}
EC_KEY_set_asn1_flag(key->ecdsa, OPENSSL_EC_NAMED_CURVE);
#endif /* OPENSSL_VERSION_NUMBER */
return SSH_OK; return SSH_OK;
} }
#endif /* HAVE_OPENSSL_ECC */ #endif /* HAVE_OPENSSL_ECC */
@@ -1038,35 +983,30 @@ int pki_key_compare(const ssh_key k1,
(void) what; (void) what;
switch (k1->type) { switch (k1->type) {
case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1:
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* delete this part because it gets done below in EC
*/
rc = EVP_PKEY_eq(k1->key, k2->key);
if (rc != 1) {
return 1;
}
break;
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521: case SSH_KEYTYPE_ECDSA_P521:
case SSH_KEYTYPE_SK_ECDSA: case SSH_KEYTYPE_SK_ECDSA:
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
{ {
const EC_POINT *p1 = EC_KEY_get0_public_key(k1->ecdsa); const EC_KEY *ec1 = EVP_PKEY_get0_EC_KEY(k1->key);
const EC_POINT *p2 = EC_KEY_get0_public_key(k2->ecdsa); const EC_KEY *ec2 = EVP_PKEY_get0_EC_KEY(k2->key);
const EC_GROUP *g1 = EC_KEY_get0_group(k1->ecdsa); const EC_POINT *p1 = NULL;
const EC_GROUP *g2 = EC_KEY_get0_group(k2->ecdsa); const EC_POINT *p2 = NULL;
const EC_GROUP *g1 = NULL;
const EC_GROUP *g2 = NULL;
if (p1 == NULL || p2 == NULL) { if (ec1 == NULL || ec2 == NULL) {
return 1;
}
p1 = EC_KEY_get0_public_key(ec1);
p2 = EC_KEY_get0_public_key(ec2);
g1 = EC_KEY_get0_group(ec1);
g2 = EC_KEY_get0_group(ec2);
if (p1 == NULL || p2 == NULL || g1 == NULL || g2 == NULL) {
return 1; return 1;
} }
@@ -1079,8 +1019,8 @@ int pki_key_compare(const ssh_key k1,
} }
if (what == SSH_KEY_CMP_PRIVATE) { if (what == SSH_KEY_CMP_PRIVATE) {
if (bignum_cmp(EC_KEY_get0_private_key(k1->ecdsa), if (bignum_cmp(EC_KEY_get0_private_key(ec1),
EC_KEY_get0_private_key(k2->ecdsa))) { EC_KEY_get0_private_key(ec2))) {
return 1; return 1;
} }
} }
@@ -1088,17 +1028,14 @@ int pki_key_compare(const ssh_key k1,
} }
#endif /* HAVE_OPENSSL_ECC */ #endif /* HAVE_OPENSSL_ECC */
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys case SSH_KEYTYPE_DSS:
* https://github.com/openssl/openssl/pull/16624 case SSH_KEYTYPE_RSA:
* else case SSH_KEYTYPE_RSA1:
*/
#if 0
rc = EVP_PKEY_eq(k1->key, k2->key); rc = EVP_PKEY_eq(k1->key, k2->key);
if (rc != 1) { if (rc != 1) {
return 1; return 1;
} }
break; break;
#endif /* OPENSSL_VERSION_NUMBER */
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
case SSH_KEYTYPE_SK_ED25519: case SSH_KEYTYPE_SK_ED25519:
/* ed25519 keys handled globally */ /* ed25519 keys handled globally */
@@ -1129,43 +1066,9 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
case SSH_KEYTYPE_DSS: case SSH_KEYTYPE_DSS:
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Delete this part, because it is done below HAVE_ECC
*/
rc = EVP_PKEY_up_ref(key->key);
if (rc != 1) {
goto err;
}
pkey = key->key;
/* Mark the operation as successful as for the other key types */
rc = 1;
break;
case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521: case SSH_KEYTYPE_ECDSA_P521:
#ifdef HAVE_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
pkey = EVP_PKEY_new();
if (pkey == NULL) {
goto err;
}
rc = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
break;
#endif /* OPENSSL_VERSION_NUMBER */
#endif /* HAVE_ECC */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
rc = EVP_PKEY_up_ref(key->key); rc = EVP_PKEY_up_ref(key->key);
if (rc != 1) { if (rc != 1) {
goto err; goto err;
@@ -1176,7 +1079,6 @@ ssh_string pki_private_key_to_pem(const ssh_key key,
rc = 1; rc = 1;
break; break;
#endif /* OPENSSL_VERSION_NUMBER */
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
/* In OpenSSL, the input is the private key seed only, which means /* In OpenSSL, the input is the private key seed only, which means
* the first half of the SSH private key (the second half is the * the first half of the SSH private key (the second half is the
@@ -1265,11 +1167,9 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
void *auth_data) void *auth_data)
{ {
BIO *mem = NULL; BIO *mem = NULL;
#ifdef HAVE_OPENSSL_ECC #if OPENSSL_VERSION_NUMBER < 0x30000000L
EC_KEY *ecdsa = NULL; EC_KEY *ecdsa = NULL;
#else #endif /* OPENSSL_VERSION_NUMBER */
void *ecdsa = NULL;
#endif /* HAVE_OPENSSL_ECC */
uint8_t *ed25519 = NULL; uint8_t *ed25519 = NULL;
ssh_key key = NULL; ssh_key key = NULL;
enum ssh_keytypes_e type = SSH_KEYTYPE_UNKNOWN; enum ssh_keytypes_e type = SSH_KEYTYPE_UNKNOWN;
@@ -1307,12 +1207,8 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
break; break;
case EVP_PKEY_EC: case EVP_PKEY_EC:
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ecdsa = EVP_PKEY_get0_EC_KEY(pkey);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
ecdsa = EVP_PKEY_get1_EC_KEY(pkey);
if (ecdsa == NULL) { if (ecdsa == NULL) {
SSH_LOG(SSH_LOG_TRACE, SSH_LOG(SSH_LOG_TRACE,
"Error parsing private key: %s", "Error parsing private key: %s",
@@ -1323,11 +1219,7 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
/* pki_privatekey_type_from_string always returns P256 for ECDSA /* pki_privatekey_type_from_string always returns P256 for ECDSA
* keys, so we need to figure out the correct type here */ * keys, so we need to figure out the correct type here */
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
type = pki_key_ecdsa_to_key_type(ecdsa); type = pki_key_ecdsa_to_key_type(ecdsa);
#else #else
type = pki_key_ecdsa_to_key_type(pkey); type = pki_key_ecdsa_to_key_type(pkey);
@@ -1337,10 +1229,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
goto fail; goto fail;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Remove these three lines
*/
break; break;
#endif /* HAVE_OPENSSL_ECC */ #endif /* HAVE_OPENSSL_ECC */
case EVP_PKEY_ED25519: case EVP_PKEY_ED25519:
@@ -1395,20 +1283,11 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
key->type_c = ssh_key_type_to_char(type); key->type_c = ssh_key_type_to_char(type);
key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC; key->flags = SSH_KEY_FLAG_PRIVATE | SSH_KEY_FLAG_PUBLIC;
key->key = pkey; key->key = pkey;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move key->ecdsa line into the #if above this
*/
key->ecdsa = ecdsa;
key->ed25519_privkey = ed25519; key->ed25519_privkey = ed25519;
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
if (is_ecdsa_key_type(key->type)) { if (is_ecdsa_key_type(key->type)) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 key->ecdsa_nid = pki_key_ecdsa_to_nid(ecdsa);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa);
#else #else
key->ecdsa_nid = pki_key_ecdsa_to_nid(key->key); key->ecdsa_nid = pki_key_ecdsa_to_nid(key->key);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
@@ -1419,13 +1298,6 @@ ssh_key pki_private_key_from_base64(const char *b64_key,
fail: fail:
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
ssh_key_free(key); ssh_key_free(key);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move HAVE_OPENSSL_ECC #ifdef inside the #if above
*/
#ifdef HAVE_OPENSSL_ECC
EC_KEY_free(ecdsa);
#endif
SAFE_FREE(ed25519); SAFE_FREE(ed25519);
return NULL; return NULL;
} }
@@ -2035,14 +1907,14 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
case SSH_KEYTYPE_SK_ECDSA: case SSH_KEYTYPE_SK_ECDSA:
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
{ {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys EC_GROUP *group = NULL;
* https://github.com/openssl/openssl/pull/16624 EC_POINT *point = NULL;
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
const void *pubkey; const void *pubkey;
size_t pubkey_len; size_t pubkey_len;
OSSL_PARAM *params = NULL, *locate_param = NULL; OSSL_PARAM *params = NULL, *locate_param = NULL;
#else
EC_KEY *ec = NULL;
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_char(key->ecdsa_nid)); type_s = ssh_string_from_char(pki_key_ecdsa_nid_to_char(key->ecdsa_nid));
@@ -2058,21 +1930,25 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
return NULL; return NULL;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ec = EVP_PKEY_get0_EC_KEY(key->key);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L if (ec == NULL) {
*/ goto fail;
#if 1 }
#ifdef WITH_PKCS11_URI #ifdef WITH_PKCS11_URI
if (ssh_key_is_private(key) && !EC_KEY_get0_public_key(key->ecdsa)) { if (ssh_key_is_private(key) && !EC_KEY_get0_public_key(ec)) {
SSH_LOG(SSH_LOG_TRACE, "It is mandatory to have separate public" SSH_LOG(SSH_LOG_TRACE, "It is mandatory to have separate"
" ECDSA key objects in the PKCS #11 device. Unlike RSA," " public ECDSA key objects in the PKCS #11 device."
" ECDSA public keys cannot be derived from their private keys."); " Unlike RSA, ECDSA public keys cannot be derived"
goto fail; " from their private keys.");
} goto fail;
}
#endif /* WITH_PKCS11_URI */ #endif /* WITH_PKCS11_URI */
e = make_ecpoint_string(EC_KEY_get0_group(key->ecdsa), group = (EC_GROUP *)EC_KEY_get0_group(ec);
EC_KEY_get0_public_key(key->ecdsa)); point = (EC_POINT *)EC_KEY_get0_public_key(ec);
if (group == NULL || point == NULL) {
goto fail;
}
#else #else
rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, &params); rc = EVP_PKEY_todata(key->key, EVP_PKEY_PUBLIC_KEY, &params);
if (rc < 0) { if (rc < 0) {
@@ -2087,6 +1963,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
" public ECDSA key objects in the PKCS #11 device." " public ECDSA key objects in the PKCS #11 device."
" Unlike RSA, ECDSA public keys cannot be derived" " Unlike RSA, ECDSA public keys cannot be derived"
" from their private keys."); " from their private keys.");
OSSL_PARAM_free(params);
goto fail; goto fail;
} }
#endif /* WITH_PKCS11_URI */ #endif /* WITH_PKCS11_URI */
@@ -2096,31 +1973,26 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
goto fail; goto fail;
} }
/* Convert the data to low-level representation */
group = EC_GROUP_new_by_curve_name_ex(NULL, NULL, key->ecdsa_nid);
point = EC_POINT_new(group);
rc = EC_POINT_oct2point(group, point, pubkey, pubkey_len, NULL);
if (group == NULL || point == NULL || rc != 1) {
EC_GROUP_free(group);
EC_POINT_free(point);
goto fail;
}
e = ssh_string_new(pubkey_len);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
e = pki_key_make_ecpoint_string(group, point);
if (e == NULL) { if (e == NULL) {
SSH_BUFFER_FREE(buffer); SSH_BUFFER_FREE(buffer);
return NULL; return NULL;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
if (memcpy(ssh_string_data(e), pubkey, pubkey_len) == NULL) {
OSSL_PARAM_free(params);
goto fail;
}
#endif /* OPENSSL_VERSION_NUMBER */
rc = ssh_buffer_add_ssh_string(buffer, e); rc = ssh_buffer_add_ssh_string(buffer, e);
if (rc < 0) { if (rc < 0) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER >= 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
goto fail; goto fail;
@@ -2129,11 +2001,7 @@ ssh_string pki_publickey_to_blob(const ssh_key key)
ssh_string_burn(e); ssh_string_burn(e);
SSH_STRING_FREE(e); SSH_STRING_FREE(e);
e = NULL; e = NULL;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER >= 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
OSSL_PARAM_free(params); OSSL_PARAM_free(params);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
@@ -2853,10 +2721,14 @@ static EVP_PKEY *pki_key_to_pkey(ssh_key key)
case SSH_KEYTYPE_RSA: case SSH_KEYTYPE_RSA:
case SSH_KEYTYPE_RSA1: case SSH_KEYTYPE_RSA1:
case SSH_KEYTYPE_RSA_CERT01: case SSH_KEYTYPE_RSA_CERT01:
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys case SSH_KEYTYPE_ECDSA_P256:
* https://github.com/openssl/openssl/pull/16624 case SSH_KEYTYPE_ECDSA_P384:
* Remove this case part from here case SSH_KEYTYPE_ECDSA_P521:
*/ case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
case SSH_KEYTYPE_ECDSA_P521_CERT01:
case SSH_KEYTYPE_SK_ECDSA:
case SSH_KEYTYPE_SK_ECDSA_CERT01:
if (key->key == NULL) { if (key->key == NULL) {
SSH_LOG(SSH_LOG_TRACE, "NULL key->key"); SSH_LOG(SSH_LOG_TRACE, "NULL key->key");
goto error; goto error;
@@ -2868,51 +2740,6 @@ static EVP_PKEY *pki_key_to_pkey(ssh_key key)
} }
pkey = key->key; pkey = key->key;
break; break;
case SSH_KEYTYPE_ECDSA_P256:
case SSH_KEYTYPE_ECDSA_P384:
case SSH_KEYTYPE_ECDSA_P521:
case SSH_KEYTYPE_ECDSA_P256_CERT01:
case SSH_KEYTYPE_ECDSA_P384_CERT01:
case SSH_KEYTYPE_ECDSA_P521_CERT01:
case SSH_KEYTYPE_SK_ECDSA:
case SSH_KEYTYPE_SK_ECDSA_CERT01:
# if defined(HAVE_OPENSSL_ECC)
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
if (key->ecdsa == NULL) {
SSH_LOG(SSH_LOG_TRACE, "NULL key->ecdsa");
goto error;
}
pkey = EVP_PKEY_new();
if (pkey == NULL) {
SSH_LOG(SSH_LOG_TRACE, "Out of memory");
return NULL;
}
EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
break;
#endif /* OPENSSL_VERSION_NUMBER */
# endif
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER >= 0x30000000L
*/
#if 0
if (key->key == NULL) {
SSH_LOG(SSH_LOG_TRACE, "NULL key->key");
goto error;
}
rc = EVP_PKEY_uo_ref(key->key);
if (rc != 1) {
SSH_LOG(SSH_LOG_TRACE, "Failed to reference EVP_PKEY");
return NULL;
}
pkey = key->key;
break;
#endif /* OPENSSL_VERSION_NUMBER */
case SSH_KEYTYPE_ED25519: case SSH_KEYTYPE_ED25519:
case SSH_KEYTYPE_ED25519_CERT01: case SSH_KEYTYPE_ED25519_CERT01:
case SSH_KEYTYPE_SK_ED25519: case SSH_KEYTYPE_SK_ED25519:
@@ -3328,17 +3155,11 @@ int pki_uri_import(const char *uri_name,
{ {
ENGINE *engine = NULL; ENGINE *engine = NULL;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move HAVE_OPENSSL_ECC #ifdef into #if above
*/
#ifdef HAVE_OPENSSL_ECC
EC_KEY *ecdsa = NULL;
#else
void *ecdsa = NULL;
#endif
ssh_key key = NULL; ssh_key key = NULL;
enum ssh_keytypes_e type = SSH_KEYTYPE_UNKNOWN; enum ssh_keytypes_e type = SSH_KEYTYPE_UNKNOWN;
#if OPENSSL_VERSION_NUMBER < 0x30000000L && HAVE_OPENSSL_ECC
EC_KEY *ecdsa = NULL;
#endif
/* Do the init only once */ /* Do the init only once */
engine = pki_get_engine(); engine = pki_get_engine();
@@ -3383,12 +3204,8 @@ int pki_uri_import(const char *uri_name,
break; break;
case EVP_PKEY_EC: case EVP_PKEY_EC:
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 ecdsa = EVP_PKEY_get0_EC_KEY(pkey);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
ecdsa = EVP_PKEY_get1_EC_KEY(pkey);
if (ecdsa == NULL) { if (ecdsa == NULL) {
SSH_LOG(SSH_LOG_TRACE, SSH_LOG(SSH_LOG_TRACE,
"Parsing pub key: %s", "Parsing pub key: %s",
@@ -3422,19 +3239,10 @@ int pki_uri_import(const char *uri_name,
if (key_type == SSH_KEY_PRIVATE) { if (key_type == SSH_KEY_PRIVATE) {
key->flags |= SSH_KEY_FLAG_PRIVATE; key->flags |= SSH_KEY_FLAG_PRIVATE;
} }
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move line key->ecdsa into #if above
*/
key->ecdsa = ecdsa;
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
if (is_ecdsa_key_type(key->type)) { if (is_ecdsa_key_type(key->type)) {
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624 key->ecdsa_nid = pki_key_ecdsa_to_nid(ecdsa);
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
key->ecdsa_nid = pki_key_ecdsa_to_nid(key->ecdsa);
#else #else
key->ecdsa_nid = pki_key_ecdsa_to_nid(key->key); key->ecdsa_nid = pki_key_ecdsa_to_nid(key->key);
#endif /* OPENSSL_VERSION_NUMBER */ #endif /* OPENSSL_VERSION_NUMBER */
@@ -3448,13 +3256,6 @@ int pki_uri_import(const char *uri_name,
fail: fail:
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
ssh_key_free(key); ssh_key_free(key);
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys
* https://github.com/openssl/openssl/pull/16624
* Move HAVE_OPENSSL_ECC #ifdef into #if above
*/
#ifdef HAVE_OPENSSL_ECC
EC_KEY_free(ecdsa);
#endif
return SSH_ERROR; return SSH_ERROR;
} }

8
src/wrapper.c
View File

@@ -176,13 +176,9 @@ void crypto_free(struct ssh_crypto_struct *crypto)
#ifdef HAVE_ECDH #ifdef HAVE_ECDH
SAFE_FREE(crypto->ecdh_client_pubkey); SAFE_FREE(crypto->ecdh_client_pubkey);
SAFE_FREE(crypto->ecdh_server_pubkey); SAFE_FREE(crypto->ecdh_server_pubkey);
if(crypto->ecdh_privkey != NULL){ if (crypto->ecdh_privkey != NULL) {
#ifdef HAVE_OPENSSL_ECC #ifdef HAVE_OPENSSL_ECC
/* TODO Change to new API when the OpenSSL will support export of uncompressed EC keys #if OPENSSL_VERSION_NUMBER < 0x30000000L
* https://github.com/openssl/openssl/pull/16624
* #if OPENSSL_VERSION_NUMBER < 0x30000000L
*/
#if 1
EC_KEY_free(crypto->ecdh_privkey); EC_KEY_free(crypto->ecdh_privkey);
#else #else
EVP_PKEY_free(crypto->ecdh_privkey); EVP_PKEY_free(crypto->ecdh_privkey);