md5: allow disabling old-style encrypted private keys at build-time

Before this patch, this happened at runtime when using an old (pre-3.0), FIPS-enabled OpenSSL backend. This patch makes it possible to disable this via the build-time option `LIBSSH2_NO_MD5_PEM`. Also: - make sure to exclude all MD5 internal APIs when both the above and `LIBSSH2_NO_MD5` are enabled. - fix tests to support build with`LIBSSH2_NO_MD5`, `LIBSSH2_NO_MD5_PEM` and `LIBSSH2_NO_3DES`. - add FIXME to apply this change to `os400qc3.*`. Old-style encrypted private keys require MD5 and they look like this: ``` -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,<MD5-hex> <base64> -----END RSA PRIVATE KEY----- ``` E.g.: `tests/key_rsa_encrypted` Ref: https://github.com/libssh2/www/issues/20 Closes #1181
2025-08-07 08:02:56 +03:00 · 2023-08-26 21:56:23 +00:00
parent 4a64ca1430
commit eb9f9de2c1
15 changed files with 170 additions and 79 deletions
--- a/tests/session_fixture.c
+++ b/tests/session_fixture.c
@@ -91,6 +91,10 @@ static char const *skip_crypt[] = {
    "rijndael-cbc@lysator.liu.se",
 #endif

+#if !LIBSSH2_3DES
+    "3des-cbc",
+#endif
+
 #if defined(LIBSSH2_LIBGCRYPT) || defined(LIBSSH2_OS400QC3) || \
    defined(LIBSSH2_WINCNG)
    /* Support for AES-GCM hasn't been added to these back-ends yet */
@@ -101,6 +105,15 @@ static char const *skip_crypt[] = {
    NULL
 };

+/* List of MAC protocols for which tests are skipped */
+static char const *skip_mac[] = {
+#if !LIBSSH2_MD5
+    "hmac-md5",
+    "hmac-md5-96",
+#endif
+    NULL
+};
+
 LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err)
 {
    int rc;
@@ -112,11 +125,23 @@ LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err)
    *err = LIBSSH2_ERROR_NONE;

    if(crypt) {
-        char const * const *cr;
-        for(cr = skip_crypt; *cr; ++cr) {
-            if(strcmp(*cr, crypt) == 0) {
-                fprintf(stderr, "crypt algorithm (%s) skipped "
-                                "for this crypto backend.\n", crypt);
+        char const * const *sk;
+        for(sk = skip_crypt; *sk; ++sk) {
+            if(strcmp(*sk, crypt) == 0) {
+                fprintf(stderr, "unsupported crypt algorithm (%s) skipped.\n",
+                                crypt);
+                *skipped = 1;
+                return NULL;
+            }
+        }
+    }
+
+    if(mac) {
+        char const * const *sk;
+        for(sk = skip_mac; *sk; ++sk) {
+            if(strcmp(*sk, mac) == 0) {
+                fprintf(stderr, "unsupported MAC algorithm (%s) skipped.\n",
+                                mac);
                *skipped = 1;
                return NULL;
            }