bmh10 / rpms / openssh

Forked from rpms/openssh 2 days ago
Clone
Norbert Pocs 6b2353
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-ecdsa.c openssh-8.7p1-patched/ssh-ecdsa.c
Norbert Pocs 6b2353
--- openssh-8.7p1/ssh-ecdsa.c	2023-05-24 09:39:45.002631174 +0200
Norbert Pocs 6b2353
+++ openssh-8.7p1-patched/ssh-ecdsa.c	2023-05-24 09:09:34.400853951 +0200
Norbert Pocs 6b2353
@@ -74,8 +74,18 @@
Norbert Pocs 6b2353
 	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
Norbert Pocs 6b2353
 		return SSH_ERR_INTERNAL_ERROR;
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
-  	if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
Norbert Pocs 6b2353
-		return ret;
Norbert Pocs 6b2353
+#ifdef ENABLE_PKCS11
Norbert Pocs 6b2353
+	if (is_ecdsa_pkcs11(key->ecdsa)) {
Norbert Pocs 6b2353
+		if ((pkey = EVP_PKEY_new()) == NULL ||
Norbert Pocs 6b2353
+		    EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
Norbert Pocs 6b2353
+			return SSH_ERR_ALLOC_FAIL;
Norbert Pocs 6b2353
+	} else {
Norbert Pocs 6b2353
+#endif
Norbert Pocs 6b2353
+		if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
Norbert Pocs 6b2353
+			return ret;
Norbert Pocs 6b2353
+#ifdef ENABLE_PKCS11
Norbert Pocs 6b2353
+	}
Norbert Pocs 6b2353
+#endif
Norbert Pocs 6b2353
 	ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
Norbert Pocs 6b2353
 	    datalen);
Norbert Pocs 6b2353
 	EVP_PKEY_free(pkey);
Norbert Pocs 6b2353
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.c openssh-8.7p1-patched/ssh-pkcs11.c
Norbert Pocs 6b2353
--- openssh-8.7p1/ssh-pkcs11.c	2023-05-24 09:39:44.950630607 +0200
Norbert Pocs 6b2353
+++ openssh-8.7p1-patched/ssh-pkcs11.c	2023-05-24 09:33:59.153866357 +0200
Norbert Pocs 6b2353
@@ -775,8 +775,24 @@
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
 	return (0);
Norbert Pocs 6b2353
 }
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
+int
Norbert Pocs 6b2353
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
Norbert Pocs 6b2353
+{
Norbert Pocs 6b2353
+	if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL)
Norbert Pocs 6b2353
+		return 1;
Norbert Pocs 6b2353
+	return 0;
Norbert Pocs 6b2353
+}
Norbert Pocs 6b2353
 #endif /* HAVE_EC_KEY_METHOD_NEW */
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
+int
Norbert Pocs 6b2353
+is_rsa_pkcs11(RSA *rsa)
Norbert Pocs 6b2353
+{
Norbert Pocs 6b2353
+	if (RSA_get_ex_data(rsa, rsa_idx) != NULL)
Norbert Pocs 6b2353
+		return 1;
Norbert Pocs 6b2353
+	return 0;
Norbert Pocs 6b2353
+}
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
 /* remove trailing spaces */
Norbert Pocs 6b2353
 static void
Norbert Pocs 6b2353
 rmspace(u_char *buf, size_t len)
Norbert Pocs 6b2353
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11-client.c openssh-8.7p1-patched/ssh-pkcs11-client.c
Norbert Pocs 6b2353
--- openssh-8.7p1/ssh-pkcs11-client.c	2023-05-24 09:39:44.950630607 +0200
Norbert Pocs 6b2353
+++ openssh-8.7p1-patched/ssh-pkcs11-client.c	2023-05-24 09:31:16.139092673 +0200
Norbert Pocs 6b2353
@@ -225,8 +225,36 @@
Norbert Pocs 6b2353
 static RSA_METHOD	*helper_rsa;
Norbert Pocs 6b2353
 #ifdef HAVE_EC_KEY_METHOD_NEW
Norbert Pocs 6b2353
 static EC_KEY_METHOD	*helper_ecdsa;
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
+int
Norbert Pocs 6b2353
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
Norbert Pocs 6b2353
+{
Norbert Pocs 6b2353
+	const EC_KEY_METHOD *meth;
Norbert Pocs 6b2353
+	ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen,
Norbert Pocs 6b2353
+		const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL;
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
+	meth = EC_KEY_get_method(ecdsa);
Norbert Pocs 6b2353
+	EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig);
Norbert Pocs 6b2353
+	if (sign_sig == ecdsa_do_sign)
Norbert Pocs 6b2353
+		return 1;
Norbert Pocs 6b2353
+	return 0;
Norbert Pocs 6b2353
+}
Norbert Pocs 6b2353
 #endif /* HAVE_EC_KEY_METHOD_NEW */
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
+int
Norbert Pocs 6b2353
+is_rsa_pkcs11(RSA *rsa)
Norbert Pocs 6b2353
+{
Norbert Pocs 6b2353
+	const RSA_METHOD *meth;
Norbert Pocs 6b2353
+	int (*priv_enc)(int flen, const unsigned char *from,
Norbert Pocs 6b2353
+        	unsigned char *to, RSA *rsa, int padding) = NULL;
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
+	meth = RSA_get_method(rsa);
Norbert Pocs 6b2353
+	priv_enc = RSA_meth_get_priv_enc(meth);
Norbert Pocs 6b2353
+	if (priv_enc == rsa_encrypt)
Norbert Pocs 6b2353
+		return 1;
Norbert Pocs 6b2353
+	return 0;
Norbert Pocs 6b2353
+}
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
 /* redirect private key crypto operations to the ssh-pkcs11-helper */
Norbert Pocs 6b2353
 static void
Norbert Pocs 6b2353
 wrap_key(struct sshkey *k)
Norbert Pocs 6b2353
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.h openssh-8.7p1-patched/ssh-pkcs11.h
Norbert Pocs 6b2353
--- openssh-8.7p1/ssh-pkcs11.h	2023-05-24 09:39:44.950630607 +0200
Norbert Pocs 6b2353
+++ openssh-8.7p1-patched/ssh-pkcs11.h	2023-05-24 09:36:49.055714975 +0200
Norbert Pocs 6b2353
@@ -39,6 +39,11 @@
Norbert Pocs 6b2353
 	    u_int32_t *);
Norbert Pocs 6b2353
 #endif
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
+#ifdef HAVE_EC_KEY_METHOD_NEW
Norbert Pocs 6b2353
+int is_ecdsa_pkcs11(EC_KEY *ecdsa);
Norbert Pocs 6b2353
+#endif
Norbert Pocs 6b2353
+int is_rsa_pkcs11(RSA *rsa);
Norbert Pocs 6b2353
+
Norbert Pocs 6b2353
 #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
Norbert Pocs 6b2353
 #undef ENABLE_PKCS11
Norbert Pocs 6b2353
 #endif
Norbert Pocs 6b2353
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-rsa.c openssh-8.7p1-patched/ssh-rsa.c
Norbert Pocs 6b2353
--- openssh-8.7p1/ssh-rsa.c	2023-05-24 09:39:45.003631184 +0200
Norbert Pocs 6b2353
+++ openssh-8.7p1-patched/ssh-rsa.c	2023-05-24 09:31:37.019319860 +0200
Norbert Pocs 6b2353
@@ -174,8 +174,18 @@
Norbert Pocs 6b2353
 	if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
Norbert Pocs 6b2353
 		return SSH_ERR_KEY_LENGTH;
Norbert Pocs 6b2353
 
Norbert Pocs 6b2353
-  	if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
Norbert Pocs 6b2353
-		return ret;
Norbert Pocs 6b2353
+#ifdef ENABLE_PKCS11
Norbert Pocs 6b2353
+	if (is_rsa_pkcs11(key->rsa)) {
Norbert Pocs 6b2353
+		if ((pkey = EVP_PKEY_new()) == NULL ||
Norbert Pocs 6b2353
+		    EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
Norbert Pocs 6b2353
+			return SSH_ERR_ALLOC_FAIL;
Norbert Pocs 6b2353
+	} else {
Norbert Pocs 6b2353
+#endif
Norbert Pocs 6b2353
+		if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
Norbert Pocs 6b2353
+			return ret;
Norbert Pocs 6b2353
+#ifdef ENABLE_PKCS11
Norbert Pocs 6b2353
+	}
Norbert Pocs 6b2353
+#endif
Norbert Pocs 6b2353
 	ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
Norbert Pocs 6b2353
 	    datalen);
Norbert Pocs 6b2353
 	EVP_PKEY_free(pkey);