Attachment 3335 Details for Bug 3082 – patch for 8.0p1 to support derived keys

[patch] patch for 8.0p1 to support derived keys

add-derived-keys.patch (text/plain), 3.26 KB, created by Nils Rennebarth on 2019-10-11 22:46:00 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Nils Rennebarth

Created: 2019-10-11 22:46:00 AEDT

Size: 3.26 KB

patch

obsolete

>Index: openssh-8.0p1/openbsd-compat/arc4random.c
>===================================================================
>--- openssh-8.0p1.orig/openbsd-compat/arc4random.c
>+++ openssh-8.0p1/openbsd-compat/arc4random.c
>@@ -232,6 +232,15 @@ arc4random_addrandom(u_char *dat, int da
> 	_ARC4_UNLOCK();
> }
> 
>+void
>+arc4random_set(void *buf, size_t n)
>+{
>+	_rs_init(buf, n);
>+	rs_have = 0;
>+	memset(rs_buf, 0, RSBUFSZ);
>+	rs_count = 1600000;
>+}
>+
> u_int32_t
> arc4random(void)
> {
>Index: openssh-8.0p1/ssh-keygen.c
>===================================================================
>--- openssh-8.0p1.orig/ssh-keygen.c
>+++ openssh-8.0p1/ssh-keygen.c
>@@ -60,7 +60,7 @@
> #include "digest.h"
> #include "utf8.h"
> #include "authfd.h"
>-
>+#include "crypto_api.h"
> #ifdef WITH_OPENSSL
> # define DEFAULT_KEY_TYPE_NAME "rsa"
> #else
>@@ -2419,6 +2419,7 @@ main(int argc, char **argv)
> {
> 	char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;
> 	char *rr_hostname = NULL, *ep, *fp, *ra;
>+	char *derive_from = NULL;
> 	struct sshkey *private, *public;
> 	struct passwd *pw;
> 	struct stat st;
>@@ -2465,10 +2466,10 @@ main(int argc, char **argv)
> 	if (gethostname(hostname, sizeof(hostname)) < 0)
> 		fatal("gethostname: %s", strerror(errno));
> 
>-	/* Remaining characters: Ydw */
>+	/* Remaining characters: Yw */
> 	while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"
> 	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
>-	    "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
>+	    "a:b:d:f:g:j:m:n:r:s:t:z:")) != -1) {
> 		switch (opt) {
> 		case 'A':
> 			gen_all_hostkeys = 1;
>@@ -2479,6 +2480,9 @@ main(int argc, char **argv)
> 				fatal("Bits has bad value %s (%s)",
> 					optarg, errstr);
> 			break;
>+		case 'd':
>+			derive_from = optarg;
>+			break;
> 		case 'E':
> 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
> 			if (fingerprint_hash == -1)
>@@ -2773,6 +2777,11 @@ main(int argc, char **argv)
> 			exit(0);
> 		}
> 	}
>+	if (derive_from) {
>+		unsigned char hbuf[64];
>+		crypto_hash_sha512(hbuf, derive_from, strlen(derive_from));
>+		arc4random_set(hbuf, sizeof(hbuf));
>+	}
> 
> #ifdef WITH_OPENSSL
> 	if (do_gen_candidates) {
>Index: openssh-8.0p1/openbsd-compat/openbsd-compat.h
>===================================================================
>--- openssh-8.0p1.orig/openbsd-compat/openbsd-compat.h
>+++ openssh-8.0p1/openbsd-compat/openbsd-compat.h
>@@ -218,6 +218,10 @@ void arc4random_buf(void *, size_t);
> u_int32_t arc4random_uniform(u_int32_t);
> #endif
> 
>+#ifndef HAVE_ARC4RANDOM_SET
>+void arc4random_set(void *buf, size_t n);
>+#endif
>+
> #ifndef HAVE_ASPRINTF
> int asprintf(char **, const char *, ...);
> #endif
>Index: openssh-8.0p1/ssh-keygen.1
>===================================================================
>--- openssh-8.0p1.orig/ssh-keygen.1
>+++ openssh-8.0p1/ssh-keygen.1
>@@ -51,6 +51,7 @@
> .Op Fl C Ar comment
> .Op Fl f Ar output_keyfile
> .Op Fl m Ar format
>+.Op Fl d Ar data
> .Nm ssh-keygen
> .Fl p
> .Op Fl P Ar old_passphrase
>@@ -274,6 +275,8 @@ Provides a new comment.
> Requests changing the comment in the private and public key files.
> The program will prompt for the file containing the private keys, for
> the passphrase if the key has one, and for the new comment.
>+.It Fl d Ar data
>+Derive the generated key from the given data deterministically.
> .It Fl D Ar pkcs11
> Download the public keys provided by the PKCS#11 shared library
> .Ar pkcs11 .

Actions: View | Diff

Attachments on bug 3082: 3335 | 3336 | 3393