pki: Fail more gracefully when parsing Ed25519 keys in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
Jakub Jelen
2025-01-22 18:41:12 +01:00
parent de7903a633
commit b2b56151c0
2 changed files with 40 additions and 3 deletions


@@ -66,6 +66,9 @@ struct ssh_key_struct {
/* This holds either ENGINE/PROVIDER key for PKCS#11 support
* or just key in high-level format */
EVP_PKEY *key;
/* keep this around for FIPS mode so we can parse the public keys. We won't
* be able to use them nor use the private keys though */
uint8_t *ed25519_pubkey;
#endif /* HAVE_LIBGCRYPT */
#ifndef HAVE_LIBCRYPTO
ed25519_pubkey *ed25519_pubkey;
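Review bot: The new `uint8_t *ed25519_pubkey` member is a bare pointer with no stated length or ownership, and its comment explains only why it exists. I would extend the comment to something like `/* Raw Ed25519 public key, ED25519_KEY_LEN bytes, owned by this struct; kept so public keys still parse in FIPS mode, where they cannot be used */` so that readers know how many bytes are valid and who releases them. The member also shares its name with the `ed25519_pubkey *ed25519_pubkey` field in the `#ifndef HAVE_LIBCRYPTO` branch just below but has a different type, so backend-independent code cannot treat the two alike. The key cleanup, duplicate and compare paths are outside this hunk; they presumably need to free, copy and compare this buffer, and to tolerate an Ed25519 key whose `key` is unset if that is how the FIPS case is represented. `struct ssh_key_struct` begins and ends outside the hunk.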