[openssh-commits] [openssh] 01/01: supply callback to PEM_read_bio_PrivateKey

git+noreply at mindrot.org
Thu Oct 11 10:37:10 AEDT 2018


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 12731158c75c8760a8bea06350eeb3e763fe1a07
Author: Damien Miller <djm at mindrot.org>
Date:   Thu Oct 11 10:29:29 2018 +1100

    supply callback to PEM_read_bio_PrivateKey
    
    OpenSSL 1.1.0i has changed the behaviour of their PEM APIs,
    so that empty passphrases are interpreted differently. This
    probabilistically breaks loading some keys, because the PEM format
    is terrible and doesn't include a proper MAC.
    
    Avoid this by providing a basic callback to avoid passing empty
    passphrases to OpenSSL in cases where one is required.
    
    Based on patch from Jakub Jelen in bz#2913; ok dtucker@
---
 sshkey.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/sshkey.c b/sshkey.c
index e1e882b7..4a656f84 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -3913,6 +3913,20 @@ convert_libcrypto_error(void)
 	return translate_libcrypto_error(ERR_peek_last_error());
 }
 
+static int
+pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
+{
+	char *p = (char *)u;
+	size_t len;
+
+	if (p == NULL || (len = strlen(p)) == 0)
+		return -1;
+	if (size < 0 || len > (size_t)size)
+		return -1;
+	memcpy(buf, p, len);
+	return (int)len;
+}
+
 static int
 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
     const char *passphrase, struct sshkey **keyp)
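Review bot: pem_passphrase_cb deliberately returns -1 for a NULL or empty passphrase, which makes libcrypto abort decryption of an encrypted PEM key instead of trying the empty string, but nothing in sshkey.c says so; a short comment above the function stating that intent (the reasoning is only in the commit message) would save the next reader from "fixing" it to hand over whatever it was given. The rwflag parameter is unused, which is fine for a read-only callback and could be marked as such. The bounds check `len > (size_t)size` correctly permits a passphrase that fills the buffer exactly, since the callback contract returns a length rather than a NUL-terminated string, and the `size < 0` test guards the cast.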
@@ -3934,7 +3948,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
 	}
 
 	clear_libcrypto_errors();
-	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
 	    (char *)passphrase)) == NULL) {
 	       /*
 		* libcrypto may return various ASN.1 errors when attempting
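Review bot: the `(char *)passphrase` cast strips the const qualifier from the caller's argument solely because the `u` parameter of PEM_read_bio_PrivateKey is `void *`; a one-line comment that the callback only reads from `u` would make clear the buffer is never modified. Also worth checking the error translation that follows: an encrypted key supplied with an empty passphrase now fails inside the callback (return -1) rather than during ASN.1 parsing, so the comment beginning "libcrypto may return various ASN.1 errors" and translate_libcrypto_error should be reviewed to confirm that the password-read failure is mapped to a sensible sshkey error code for that case.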

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

