mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-28 16:23:23 +08:00
supply callback to PEM_read_bio_PrivateKey
OpenSSL 1.1.0i has changed the behaviour of their PEM APIs, so that empty passphrases are interpreted differently. This probabalistically breaks loading some keys, because the PEM format is terrible and doesn't include a proper MAC. Avoid this by providing a basic callback to avoid passing empty passphrases to OpenSSL in cases where one is required. Based on patch from Jakub Jelen in bz#2913; ok dtucker@
This commit is contained in:
parent
d1d301a1dd
commit
12731158c7
16
sshkey.c
16
sshkey.c
@ -3913,6 +3913,20 @@ convert_libcrypto_error(void)
|
||||
return translate_libcrypto_error(ERR_peek_last_error());
|
||||
}
|
||||
|
||||
static int
|
||||
pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
|
||||
{
|
||||
char *p = (char *)u;
|
||||
size_t len;
|
||||
|
||||
if (p == NULL || (len = strlen(p)) == 0)
|
||||
return -1;
|
||||
if (size < 0 || len > (size_t)size)
|
||||
return -1;
|
||||
memcpy(buf, p, len);
|
||||
return (int)len;
|
||||
}
|
||||
|
||||
static int
|
||||
sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
|
||||
const char *passphrase, struct sshkey **keyp)
|
||||
@ -3934,7 +3948,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
|
||||
}
|
||||
|
||||
clear_libcrypto_errors();
|
||||
if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
|
||||
if ((pk = PEM_read_bio_PrivateKey(bio, NULL, pem_passphrase_cb,
|
||||
(char *)passphrase)) == NULL) {
|
||||
/*
|
||||
* libcrypto may return various ASN.1 errors when attempting
|
||||
|
Loading…
Reference in New Issue
Block a user