From ad9644f74c83ac26c38bad04f494576e4bb83e46 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Sep 23 2022 09:14:03 +0000 Subject: [PATCH 1/21] Set minimal value of RSA key length via configuration option Added a support for our name as alias. Resolves: rhbz#2128352 --- diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch index 255d34d..b53c383 100644 --- a/openssh-8.7p1-minrsabits.patch +++ b/openssh-8.7p1-minrsabits.patch @@ -43,11 +43,12 @@ index 7f26c680..42be690b 100644 oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; -@@ -320,6 +320,7 @@ static struct { +@@ -320,6 +320,8 @@ static struct { { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, { "knownhostscommand", oKnownHostsCommand }, + { "requiredrsasize", oRequiredRSASize }, ++ { "rsaminsize", oRequiredRSASize }, /* alias */ { NULL, oBadOption } }; @@ -129,11 +130,12 @@ index 29df0463..423772b1 100644 sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -676,6 +680,7 @@ static struct { +@@ -676,6 +680,8 @@ static struct { { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, ++ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */ { NULL, sBadOption, 0 } }; diff --git a/openssh.spec b/openssh.spec index 3c8d66a..d6b2c6b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 23 +%global openssh_rel 24 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -734,6 +734,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Sep 23 2022 Dmitry Belyavskiy - 8.7p1-24 +- Set minimal value of RSA key length via configuration option - support both names + Resolves: rhbz#2128352 + * Thu Sep 22 2022 Dmitry Belyavskiy - 8.7p1-23 - Set minimal value of RSA key length via configuration option Resolves: rhbz#2128352 From 6a26537f1406fd90b98673945ccf98f14c62252b Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Oct 17 2022 21:22:30 +0000 Subject: [PATCH 2/21] Merge upstream changes --- diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch index 107fe70..b53c383 100644 --- a/openssh-8.7p1-minrsabits.patch +++ b/openssh-8.7p1-minrsabits.patch @@ -1,184 +1,188 @@ diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 2ab222ed6..4e9437912 100644 +index 36b9d2f5..6b517db4 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c -@@ -118,6 +118,10 @@ userauth_hostbased(struct ssh *ssh, const char *method) +@@ -119,6 +119,11 @@ userauth_hostbased(struct ssh *ssh, const char *method) "(null)" : key->cert->signature_type); goto done; } -+ if ((r = sshkey_check_rsa_length(key, options.rsa_min_size)) != 0) { -+ logit("refusing %s key", sshkey_type(key)); ++ if ((r = sshkey_check_rsa_length(key, ++ options.required_rsa_size)) != 0) { ++ logit_r(r, "refusing %s key", sshkey_type(key)); + goto done; + } if (!authctxt->valid || authctxt->user == NULL) { debug2_f("disabled because of invalid user"); diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index daa756a01..68e7dea1f 100644 +index 962fd342..5d59febc 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c -@@ -172,6 +172,10 @@ userauth_pubkey(struct ssh *ssh, const char *method) +@@ -175,6 +175,11 @@ userauth_pubkey(struct ssh *ssh, const char *method) "(null)" : key->cert->signature_type); goto done; } -+ if ((r = sshkey_check_rsa_length(key, options.rsa_min_size)) != 0) { -+ logit("refusing %s key", sshkey_type(key)); ++ if ((r = sshkey_check_rsa_length(key, ++ options.required_rsa_size)) != 0) { ++ logit_r(r, "refusing %s key", sshkey_type(key)); + goto done; + } key_s = format_key(key); if (sshkey_is_cert(key)) ca_s = format_key(key->cert->signature_key); diff --git a/readconf.c b/readconf.c -index 5b5afa8e3..5e17abd41 100644 +index 7f26c680..42be690b 100644 --- a/readconf.c +++ b/readconf.c -@@ -160,7 +160,7 @@ typedef enum { +@@ -174,7 +174,7 @@ typedef enum { oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oFingerprintHash, oUpdateHostkeys, oHostbasedAcceptedAlgorithms, oPubkeyAcceptedAlgorithms, oCASignatureAlgorithms, oProxyJump, - oSecurityKeyProvider, oKnownHostsCommand, -+ oSecurityKeyProvider, oKnownHostsCommand, oRSAMinSize, ++ oSecurityKeyProvider, oKnownHostsCommand, oRequiredRSASize, oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; -@@ -306,6 +306,7 @@ static struct { +@@ -320,6 +320,8 @@ static struct { { "proxyjump", oProxyJump }, { "securitykeyprovider", oSecurityKeyProvider }, { "knownhostscommand", oKnownHostsCommand }, -+ { "rsaminsize", oRSAMinSize }, ++ { "requiredrsasize", oRequiredRSASize }, ++ { "rsaminsize", oRequiredRSASize }, /* alias */ { NULL, oBadOption } }; -@@ -2162,6 +2163,10 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host, +@@ -2176,6 +2177,10 @@ parse_pubkey_algos: *charptr = xstrdup(arg); break; -+ case oRSAMinSize: -+ intptr = &options->rsa_min_size; ++ case oRequiredRSASize: ++ intptr = &options->required_rsa_size; + goto parse_int; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); -@@ -2409,6 +2414,7 @@ initialize_options(Options * options) +@@ -2423,6 +2428,7 @@ initialize_options(Options * options) options->hostbased_accepted_algos = NULL; options->pubkey_accepted_algos = NULL; options->known_hosts_command = NULL; -+ options->rsa_min_size = -1; ++ options->required_rsa_size = -1; } /* -@@ -2598,6 +2604,8 @@ fill_default_options(Options * options) +@@ -2619,6 +2625,8 @@ fill_default_options(Options * options) if (options->sk_provider == NULL) options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); #endif -+ if (options->rsa_min_size == -1) -+ options->rsa_min_size = SSH_RSA_MINIMUM_MODULUS_SIZE; ++ if (options->required_rsa_size == -1) ++ options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; /* Expand KEX name lists */ all_cipher = cipher_alg_list(',', 0); -@@ -3287,6 +3295,7 @@ dump_client_config(Options *o, const char *host) +@@ -3308,6 +3316,7 @@ dump_client_config(Options *o, const char *host) dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts); dump_cfg_int(oServerAliveCountMax, o->server_alive_count_max); dump_cfg_int(oServerAliveInterval, o->server_alive_interval); -+ dump_cfg_int(oRSAMinSize, o->rsa_min_size); ++ dump_cfg_int(oRequiredRSASize, o->required_rsa_size); /* String options */ dump_cfg_string(oBindAddress, o->bind_address); diff --git a/readconf.h b/readconf.h -index f647bd42a..29db353ab 100644 +index f647bd42..ffb5ec4f 100644 --- a/readconf.h +++ b/readconf.h @@ -176,6 +176,8 @@ typedef struct { char *known_hosts_command; -+ int rsa_min_size; /* minimum size of RSA keys */ ++ int required_rsa_size; /* minimum size of RSA keys */ + char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ } Options; diff --git a/servconf.c b/servconf.c -index f7317a5cb..362ff5b67 100644 +index 29df0463..423772b1 100644 --- a/servconf.c +++ b/servconf.c -@@ -177,6 +177,7 @@ initialize_server_options(ServerOptions *options) +@@ -195,6 +195,7 @@ initialize_server_options(ServerOptions *options) options->fingerprint_hash = -1; options->disable_forwarding = -1; options->expose_userauth_info = -1; -+ options->rsa_min_size = -1; ++ options->required_rsa_size = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -416,6 +417,8 @@ fill_default_server_options(ServerOptions *options) +@@ -441,6 +442,8 @@ fill_default_server_options(ServerOptions *options) options->expose_userauth_info = 0; if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -+ if (options->rsa_min_size == -1) -+ options->rsa_min_size = SSH_RSA_MINIMUM_MODULUS_SIZE; ++ if (options->required_rsa_size == -1) ++ options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; assemble_algorithms(options); -@@ -489,6 +492,7 @@ typedef enum { +@@ -517,6 +520,7 @@ typedef enum { sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, -+ sRSAMinSize, ++ sRequiredRSASize, sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -632,6 +636,7 @@ static struct { +@@ -676,6 +680,8 @@ static struct { { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, -+ { "rsaminsize", sRSAMinSize, SSHCFG_ALL }, ++ { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, ++ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */ { NULL, sBadOption, 0 } }; -@@ -2377,6 +2382,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -2438,6 +2443,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, *charptr = xstrdup(arg); break; -+ case sRSAMinSize: -+ intptr = &options->rsa_min_size; ++ case sRequiredRSASize: ++ intptr = &options->required_rsa_size; + goto parse_int; + case sDeprecated: case sIgnore: case sUnsupported: -@@ -2549,6 +2558,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) +@@ -2610,6 +2619,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); M_CP_INTOPT(log_level); -+ M_CP_INTOPT(rsa_min_size); ++ M_CP_INTOPT(required_rsa_size); /* * The bind_mask is a mode_t that may be unsigned, so we can't use -@@ -2810,6 +2820,7 @@ dump_config(ServerOptions *o) +@@ -2874,6 +2884,7 @@ dump_config(ServerOptions *o) dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); -+ dump_cfg_int(sRSAMinSize, o->rsa_min_size); ++ dump_cfg_int(sRequiredRSASize, o->required_rsa_size); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); /* formatted integer arguments */ diff --git a/servconf.h b/servconf.h -index 115db1e79..2e3486906 100644 +index 8a04463e..9346155c 100644 --- a/servconf.h +++ b/servconf.h -@@ -227,6 +227,7 @@ typedef struct { +@@ -229,6 +229,7 @@ typedef struct { int expose_userauth_info; u_int64_t timing_secret; char *sk_provider; -+ int rsa_min_size; /* minimum size of RSA keys */ ++ int required_rsa_size; /* minimum size of RSA keys */ } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/ssh.c b/ssh.c -index a926cc007..cd13fb879 100644 +index 559bf2af..25be53d5 100644 --- a/ssh.c +++ b/ssh.c -@@ -500,14 +500,22 @@ resolve_canonicalize(char **hostp, int port) +@@ -516,14 +516,22 @@ resolve_canonicalize(char **hostp, int port) } /* @@ -196,7 +200,7 @@ index a926cc007..cd13fb879 100644 + /* Check RSA keys size and discard if undersized */ + if (k != NULL && *k != NULL && + (r = sshkey_check_rsa_length(*k, -+ options.rsa_min_size)) != 0) { ++ options.required_rsa_size)) != 0) { + error_r(r, "load %s \"%s\"", message, path); + free(*k); + *k = NULL; @@ -204,7 +208,7 @@ index a926cc007..cd13fb879 100644 break; case SSH_ERR_INTERNAL_ERROR: case SSH_ERR_ALLOC_FAIL: -@@ -1557,12 +1565,13 @@ main(int ac, char **av) +@@ -1578,7 +1586,7 @@ main(int ac, char **av) if ((o) >= sensitive_data.nkeys) \ fatal_f("pubkey out of array bounds"); \ check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \ @@ -213,6 +217,9 @@ index a926cc007..cd13fb879 100644 } while (0) #define L_CERT(p,o) do { \ if ((o) >= sensitive_data.nkeys) \ +@@ -1586,7 +1594,8 @@ main(int ac, char **av) + #define L_CERT(p,o) do { \ + if ((o) >= sensitive_data.nkeys) \ fatal_f("cert out of array bounds"); \ - check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \ + check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \ @@ -229,7 +236,7 @@ index a926cc007..cd13fb879 100644 debug("identity file %s type %d", filename, public ? public->type : -1); free(options.identity_files[i]); -@@ -2263,7 +2272,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) +@@ -2284,7 +2293,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) continue; xasprintf(&cp, "%s-cert", filename); check_load(sshkey_load_public(cp, &public, NULL), @@ -238,7 +245,7 @@ index a926cc007..cd13fb879 100644 debug("identity file %s type %d", cp, public ? public->type : -1); if (public == NULL) { -@@ -2294,7 +2303,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) +@@ -2315,7 +2324,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) free(cp); check_load(sshkey_load_public(filename, &public, NULL), @@ -248,25 +255,27 @@ index a926cc007..cd13fb879 100644 public ? public->type : -1); free(options.certificate_files[i]); diff --git a/sshconnect2.c b/sshconnect2.c -index 67f8e0309..d050c1656 100644 +index f9bd19ea..58fe98db 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -91,6 +91,10 @@ static const struct ssh_conn_info *xxx_conn_info; +@@ -96,6 +96,11 @@ static const struct ssh_conn_info *xxx_conn_info; static int verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) { + int r; + -+ if ((r = sshkey_check_rsa_length(hostkey, options.rsa_min_size)) != 0) ++ if ((r = sshkey_check_rsa_length(hostkey, ++ options.required_rsa_size)) != 0) + fatal_r(r, "Bad server host key"); if (verify_host_key(xxx_host, xxx_hostaddr, hostkey, xxx_conn_info) == -1) fatal("Host key verification failed."); -@@ -1762,6 +1762,12 @@ load_identity_file(Identity *id) +@@ -1606,6 +1611,13 @@ load_identity_file(Identity *id) private = NULL; quit = 1; } -+ if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0) { ++ if (!quit && (r = sshkey_check_rsa_length(private, ++ options.required_rsa_size)) != 0) { + debug_fr(r, "Skipping key %s", id->filename); + sshkey_free(private); + private = NULL; @@ -275,12 +284,12 @@ index 67f8e0309..d050c1656 100644 if (!quit && private != NULL && id->agent_fd == -1 && !(id->key && id->isprivate)) maybe_add_key_to_agent(id->filename, private, comment, -@@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) +@@ -1752,6 +1764,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) close(agent_fd); } else { for (j = 0; j < idlist->nkeys; j++) { + if ((r = sshkey_check_rsa_length(idlist->keys[j], -+ options.rsa_min_size)) != 0) { ++ options.required_rsa_size)) != 0) { + debug_fr(r, "ignoring %s agent key", + sshkey_ssh_name(idlist->keys[j])); + continue; @@ -289,15 +298,15 @@ index 67f8e0309..d050c1656 100644 TAILQ_FOREACH(id, &files, next) { /* diff --git a/sshd.c b/sshd.c -index d26eb86ae..5f36905a1 100644 +index 17eee9d8..395ef493 100644 --- a/sshd.c +++ b/sshd.c -@@ -1746,6 +1746,13 @@ main(int ac, char **av) +@@ -1870,6 +1870,13 @@ main(int ac, char **av) fatal_r(r, "Could not demote key: \"%s\"", options.host_key_files[i]); } + if (pubkey != NULL && (r = sshkey_check_rsa_length(pubkey, -+ options.rsa_min_size)) != 0) { ++ options.required_rsa_size)) != 0) { + error_fr(r, "Host key %s", options.host_key_files[i]); + sshkey_free(pubkey); + sshkey_free(key); @@ -307,10 +316,10 @@ index d26eb86ae..5f36905a1 100644 sensitive_data.host_pubkeys[i] = pubkey; diff --git a/sshkey.c b/sshkey.c -index 47864e6d8..8bad6bd99 100644 +index ed2b5dff..77093235 100644 --- a/sshkey.c +++ b/sshkey.c -@@ -2319,18 +2319,24 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) +@@ -2365,18 +2365,24 @@ cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf) return ret; } @@ -341,7 +350,7 @@ index 47864e6d8..8bad6bd99 100644 static int sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, -@@ -2391,7 +2397,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, +@@ -2439,7 +2445,7 @@ sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp, goto out; } rsa_n = rsa_e = NULL; /* transferred */ @@ -350,7 +359,7 @@ index 47864e6d8..8bad6bd99 100644 goto out; #ifdef DEBUG_PK RSA_print_fp(stderr, key->rsa, 8); -@@ -3580,7 +3586,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) +@@ -3642,7 +3648,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) goto out; } rsa_p = rsa_q = NULL; /* transferred */ @@ -359,7 +368,7 @@ index 47864e6d8..8bad6bd99 100644 goto out; if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0) goto out; -@@ -4566,7 +4572,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, +@@ -4644,7 +4650,7 @@ sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type, r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -369,10 +378,10 @@ index 47864e6d8..8bad6bd99 100644 } else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA && (type == KEY_UNSPEC || type == KEY_DSA)) { diff --git a/sshkey.h b/sshkey.h -index 125cadb64..52e879456 100644 +index 094815e0..be254e6b 100644 --- a/sshkey.h +++ b/sshkey.h -@@ -267,6 +267,7 @@ int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, +@@ -273,6 +273,7 @@ int sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type, int sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type, struct sshkey **pubkeyp); @@ -381,57 +390,57 @@ index 125cadb64..52e879456 100644 int ssh_rsa_complete_crt_parameters(struct sshkey *, const BIGNUM *); diff --git a/ssh.1 b/ssh.1 -index b4956aec..b1a40ebd 100644 +index b4956aec..e255b9b9 100644 --- a/ssh.1 +++ b/ssh.1 -@@ -554,6 +554,7 @@ For full details of the options listed below, and their possible values, see - .It LogLevel - .It MACs - .It Match -+.It RSAMinSize - .It NoHostAuthenticationForLocalhost - .It NumberOfPasswordPrompts - .It PasswordAuthentication +@@ -571,6 +571,7 @@ For full details of the options listed below, and their possible values, see + .It RemoteCommand + .It RemoteForward + .It RequestTTY ++.It RequiredRSASize + .It SendEnv + .It ServerAliveInterval + .It ServerAliveCountMax diff --git a/ssh_config.5 b/ssh_config.5 -index 24a46460..68771e4b 100644 +index 24a46460..d1ede18e 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -1322,6 +1322,10 @@ The argument to this keyword must be - or - .Cm no - (the default). -+.It Cm RSAMinSize -+Provides a minimal bits requirement for RSA keys when used for signature and -+verification but not for the key generation. The default value is 1024 and -+can't be reduced. - .It Cm NumberOfPasswordPrompts - Specifies the number of password prompts before giving up. - The argument to this keyword must be an integer. +@@ -1634,6 +1634,17 @@ and + .Fl T + flags for + .Xr ssh 1 . ++.It Cm RequiredRSASize ++Specifies the minimum RSA key size (in bits) that ++.Xr ssh 1 ++will accept. ++User authentication keys smaller than this limit will be ignored. ++Servers that present host keys smaller than this limit will cause the ++connection to be terminated. ++The default is ++.Cm 1024 ++bits. ++Note that this limit may only be raised from the default. + .It Cm RevokedHostKeys + Specifies revoked host public keys. + Keys listed in this file will be refused for host authentication. diff --git a/sshd_config.5 b/sshd_config.5 -index 867a747d..e08811ca 100644 +index 867a747d..f5a06637 100644 --- a/sshd_config.5 +++ b/sshd_config.5 -@@ -1266,6 +1266,10 @@ will refuse connection attempts with a probability of rate/100 (30%) - if there are currently start (10) unauthenticated connections. - The probability increases linearly and all connection attempts - are refused if the number of unauthenticated connections reaches full (60). -+.It Cm RSAMinSize -+Provides a minimal bits requirement for RSA keys when used for signature and -+verification but not for the key generation. The default value is 1024 and -+can't be reduced. - .It Cm ModuliFile - Specifies the - .Xr moduli 5 -diff --git a/sshkey.h b/sshkey.h -index 094815e0..2bb8cb90 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -286,6 +286,8 @@ int sshkey_private_serialize_maxsign(struct sshkey *key, - - void sshkey_sig_details_free(struct sshkey_sig_details *); - -+int ssh_set_rsa_min_bits(int minbits); -+ - #ifdef SSHKEY_INTERNAL - int ssh_rsa_sign(const struct sshkey *key, - u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, +@@ -1596,6 +1596,16 @@ is + .Cm default none , + which means that rekeying is performed after the cipher's default amount + of data has been sent or received and no time based rekeying is done. ++.It Cm RequiredRSASize ++Specifies the minimum RSA key size (in bits) that ++.Xr sshd 8 ++will accept. ++User and host-based authentication keys smaller than this limit will be ++refused. ++The default is ++.Cm 1024 ++bits. ++Note that this limit may only be raised from the default. + .It Cm RevokedKeys + Specifies revoked public keys file, or + .Cm none diff --git a/openssh-8.7p1-ssh-manpage.patch b/openssh-8.7p1-ssh-manpage.patch index bd0bdb7..04e4c06 100644 --- a/openssh-8.7p1-ssh-manpage.patch +++ b/openssh-8.7p1-ssh-manpage.patch @@ -33,16 +33,16 @@ diff --color -ru a/ssh.1 b/ssh.1 +.It LogVerbose .It MACs .It Match - .It RSAMinSize + .It NoHostAuthenticationForLocalhost @@ -566,6 +571,8 @@ .It RemoteCommand .It RemoteForward .It RequestTTY +.It RevokedHostKeys +.It SecurityKeyProvider + .It RequiredRSASize .It SendEnv .It ServerAliveInterval - .It ServerAliveCountMax @@ -575,6 +582,7 @@ .It StreamLocalBindMask .It StreamLocalBindUnlink diff --git a/openssh.spec b/openssh.spec index 8f59b0a..b5bd101 100644 --- a/openssh.spec +++ b/openssh.spec @@ -55,8 +55,8 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 22 -%global hyperscale_rel 4 +%global openssh_rel 24 +%global hyperscale_rel 5 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -800,6 +800,18 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog + +* Wed Sep 21 2022 Raymond Colebaugh - 8.7p1-24.5 + 0.10.4-5.5 +- Merge new changes from upstream + +* Fri Sep 23 2022 Dmitry Belyavskiy - 8.7p1-24 +- Set minimal value of RSA key length via configuration option - support both names + Resolves: rhbz#2128352 + +* Thu Sep 22 2022 Dmitry Belyavskiy - 8.7p1-23 +- Set minimal value of RSA key length via configuration option + Resolves: rhbz#2128352 + * Wed Sep 21 2022 Raymond Colebaugh - 8.7p1-22.4 + 0.10.4-5.4 - Merge new changes from upstream From b0f3205a21300de9b3cfea940f71e389858779de Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Dec 16 2022 10:52:54 +0000 Subject: [PATCH 3/21] - Build fix after OpenSSL rebase Resolves: rhbz#2153626 --- diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 1466b40..05b2907 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -1,6 +1,14 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200 +@@ -36,6 +36,7 @@ + + #include + #include ++#include + + #include "dh.h" + #include "pathnames.h" @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max int best, bestcount, which, linenum; struct dhgroup dhg; @@ -67,6 +75,14 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c --- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200 +++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200 +@@ -39,6 +39,7 @@ + + #ifdef WITH_OPENSSL + #include ++#include + #include + # ifdef HAVE_EVP_KDF_CTX_NEW_ID + # include @@ -203,7 +203,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { @@ -86,7 +102,7 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c #ifdef WITH_OPENSSL -+#include ++#include #include #include @@ -154,6 +170,14 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c --- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200 +++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200 +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #ifdef USE_SYSTEM_GLOB + # include + #else @@ -2538,11 +2538,16 @@ fill_default_options(Options * options) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); @@ -192,6 +216,14 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c --- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200 +++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200 +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_UTIL_H + #include + #endif @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); @@ -221,7 +253,7 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c #include #include #endif -+#include ++#include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" @@ -243,7 +275,7 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c #include #endif -+#include ++#include + #include "openbsd-compat/sys-queue.h" @@ -332,7 +364,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c #include #include #include -+#include ++#include #include "openbsd-compat/openssl-compat.h" #endif @@ -395,7 +427,7 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c #include #include #include -+#include ++#include #endif #include "crypto_api.h" @@ -482,6 +514,14 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c --- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200 +@@ -20,6 +20,7 @@ + + #ifdef WITH_OPENSSL + #include ++#include + #include + #include "openbsd-compat/openssl-compat.h" + #endif @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na #endif } @@ -521,7 +561,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c #include #include #include -+#include ++#include #include "sshkey.h" #include "kex.h" @@ -607,7 +647,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c #include #include -+#include ++#include #include "log.h" #include "sshbuf.h" diff --git a/openssh.spec b/openssh.spec index d6b2c6b..0baac59 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 24 +%global openssh_rel 25 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -734,6 +734,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Dec 16 2022 Dmitry Belyavskiy - 8.7p1-25 +- Build fix after OpenSSL rebase + Resolves: rhbz#2153626 + * Fri Sep 23 2022 Dmitry Belyavskiy - 8.7p1-24 - Set minimal value of RSA key length via configuration option - support both names Resolves: rhbz#2128352 From 6f747825fa312a10d6f0834efbb7df1e0fdaa445 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jan 06 2023 10:57:27 +0000 Subject: [PATCH 4/21] Minor cleanups from upstream Fix one-byte overflow in SSH banner processing Resolves: rhbz#2138345 Fix double free() in error path Resolves: rhbz#2138347 --- diff --git a/openssh-9.1p1-sshbanner.patch b/openssh-9.1p1-sshbanner.patch new file mode 100644 index 0000000..57112be --- /dev/null +++ b/openssh-9.1p1-sshbanner.patch @@ -0,0 +1,57 @@ +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index d29a03b4..d7283136 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -490,6 +490,15 @@ congreet(int s) + return; + } + ++ /* ++ * Read the server banner as per RFC4253 section 4.2. The "SSH-" ++ * protocol identification string may be preceeded by an arbitarily ++ * large banner which we must read and ignore. Loop while reading ++ * newline-terminated lines until we have one starting with "SSH-". ++ * The ID string cannot be longer than 255 characters although the ++ * preceeding banner lines may (in which case they'll be discarded ++ * in multiple iterations of the outer loop). ++ */ + for (;;) { + memset(buf, '\0', sizeof(buf)); + bufsiz = sizeof(buf); +@@ -517,6 +526,11 @@ congreet(int s) + conrecycle(s); + return; + } ++ if (cp >= buf + sizeof(buf)) { ++ error("%s: greeting exceeds allowable length", c->c_name); ++ confree(s); ++ return; ++ } + if (*cp != '\n' && *cp != '\r') { + error("%s: bad greeting", c->c_name); + confree(s); +diff --git a/sshsig.c b/sshsig.c +index 1e3b6398..eb2a931e 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + { + char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; + ssize_t n, total = 0; +- struct ssh_digest_ctx *ctx; ++ struct ssh_digest_ctx *ctx = NULL; + int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + +@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + /* success */ + r = 0; + out: ++ oerrno = errno; + sshbuf_free(b); + ssh_digest_free(ctx); + explicit_bzero(hash, sizeof(hash)); ++ errno = oerrno; + return r; + } + diff --git a/openssh.spec b/openssh.spec index 0baac59..8271a20 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 25 +%global openssh_rel 26 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch # downstream only, IBMCA tentative fix # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 Patch984: openssh-8.7p1-ibmca.patch +# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566 +Patch986: openssh-9.1p1-sshbanner.patch # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) # upstream commits: @@ -442,6 +444,7 @@ popd %patch982 -p1 -b .minrsabits %patch983 -p1 -b .evpgenrsa %patch984 -p1 -b .ibmca +%patch986 -p1 -b .91cleanup %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Jan 06 2023 Dmitry Belyavskiy - 8.7p1-26 +- Fix one-byte overflow in SSH banner processing + Resolves: rhbz#2138345 +- Fix double free() in error path + Resolves: rhbz#2138347 + * Fri Dec 16 2022 Dmitry Belyavskiy - 8.7p1-25 - Build fix after OpenSSL rebase Resolves: rhbz#2153626 From 5cfb97500b2b50f8eab8285d1826135687de6183 Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Jan 12 2023 10:23:15 +0000 Subject: [PATCH 5/21] Add sk-dummy subpackage for test purposes Resolves: rhbz#2092780 Signed-off-by: Zoltan Fridrich --- diff --git a/openssh.spec b/openssh.spec index 8271a20..fe43beb 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 26 +%global openssh_rel 27 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -326,6 +326,10 @@ Requires: openssh = %{version}-%{release} Summary: A passphrase dialog for OpenSSH and X Requires: openssh = %{version}-%{release} +%package sk-dummy +Summary: OpenSSH SK driver for test purposes +Requires: openssh = %{version}-%{release} + %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} @@ -366,6 +370,9 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH. +%description sk-dummy +This package contains a test SK driver used for OpenSSH test purposes + %description -n pam_ssh_agent_auth This package contains a PAM module which can be used to authenticate users using ssh keys stored in a ssh-agent. Through the use of the @@ -535,6 +542,7 @@ perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile %endif %make_build +make regress/misc/sk-dummy/sk-dummy.so # Define a variable to toggle gnome1/gtk2 building. This is necessary # because RPM doesn't handle nested %%if statements. @@ -626,6 +634,10 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} %make_install popd %endif + +install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/ +install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest + %pre getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : @@ -729,6 +741,9 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %endif +%files sk-dummy +%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so + %if %{pam_ssh_agent} %files -n pam_ssh_agent_auth %license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE @@ -737,6 +752,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Jan 12 2023 Zoltan Fridrich - 8.7p1-27 +- Add sk-dummy subpackage for test purposes + Resolves: rhbz#2092780 + * Fri Jan 06 2023 Dmitry Belyavskiy - 8.7p1-26 - Fix one-byte overflow in SSH banner processing Resolves: rhbz#2138345 From ebbbfce0aa7db57b0e3a3e3631db763c7e043548 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jan 12 2023 15:16:08 +0000 Subject: [PATCH 6/21] Do not try to use SHA1 for host key ownership proof when we don't support it server-side Resolves: rhbz#2088750 --- diff --git a/openssh-8.7p1-nohostsha1proof.patch b/openssh-8.7p1-nohostsha1proof.patch new file mode 100644 index 0000000..4f173f1 --- /dev/null +++ b/openssh-8.7p1-nohostsha1proof.patch @@ -0,0 +1,100 @@ +diff -up openssh-8.7p1/compat.c.sshrsacheck openssh-8.7p1/compat.c +--- openssh-8.7p1/compat.c.sshrsacheck 2023-01-12 13:29:06.338710923 +0100 ++++ openssh-8.7p1/compat.c 2023-01-12 13:29:06.357711165 +0100 +@@ -43,6 +43,7 @@ void + compat_banner(struct ssh *ssh, const char *version) + { + int i; ++ int forbid_ssh_rsa = 0; + static struct { + char *pat; + int bugs; +@@ -145,16 +146,21 @@ compat_banner(struct ssh *ssh, const cha + }; + + /* process table, return first match */ ++ forbid_ssh_rsa = (ssh->compat & SSH_RH_RSASIGSHA); + ssh->compat = 0; + for (i = 0; check[i].pat; i++) { + if (match_pattern_list(version, check[i].pat, 0) == 1) { + debug_f("match: %s pat %s compat 0x%08x", + version, check[i].pat, check[i].bugs); + ssh->compat = check[i].bugs; ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; + return; + } + } + debug_f("no match: %s", version); ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; + } + + /* Always returns pointer to allocated memory, caller must free. */ +diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h +--- openssh-8.7p1/compat.h.sshrsacheck 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/compat.h 2023-01-12 13:29:06.358711178 +0100 +@@ -30,7 +30,7 @@ + #define SSH_BUG_UTF8TTYMODE 0x00000001 + #define SSH_BUG_SIGTYPE 0x00000002 + #define SSH_BUG_SIGTYPE74 0x00000004 +-/* #define unused 0x00000008 */ ++#define SSH_RH_RSASIGSHA 0x00000008 + #define SSH_OLD_SESSIONID 0x00000010 + /* #define unused 0x00000020 */ + #define SSH_BUG_DEBUG 0x00000040 +diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c +--- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100 ++++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100 +@@ -737,6 +737,10 @@ server_input_hostkeys_prove(struct ssh * + else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED) + sigalg = "rsa-sha2-256"; + } ++ if (ssh->compat & SSH_RH_RSASIGSHA && sigalg == NULL) { ++ sigalg = "rsa-sha2-512"; ++ debug3_f("SHA1 signature is not supported, falling back to %s", sigalg); ++ } + debug3_f("sign %s key (index %d) using sigalg %s", + sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg); + if ((r = sshbuf_put_cstring(sigbuf, +diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c +--- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100 ++++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100 +@@ -1640,6 +1651,7 @@ main(int ac, char **av) + int keytype; + Authctxt *authctxt; + struct connection_info *connection_info = NULL; ++ int forbid_ssh_rsa = 0; + + #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +@@ -1938,6 +1950,19 @@ main(int ac, char **av) + key = NULL; + continue; + } ++ if (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT) { ++ size_t sign_size = 0; ++ u_char *tmp = NULL; ++ u_char data[] = "Test SHA1 vector"; ++ int res; ++ ++ res = ssh_rsa_sign(key, &tmp, &sign_size, data, sizeof(data), NULL); ++ free(tmp); ++ if (res == SSH_ERR_LIBCRYPTO_ERROR) { ++ logit_f("sshd: ssh-rsa algorithm is disabled"); ++ forbid_ssh_rsa = 1; ++ } ++ } + if (sshkey_is_sk(key) && + key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { + debug("host key %s requires user presence, ignoring", +@@ -2275,6 +2306,9 @@ main(int ac, char **av) + + check_ip_options(ssh); + ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; ++ + /* Prepare the channels layer */ + channel_init_channels(ssh); + channel_set_af(ssh, options.address_family); diff --git a/openssh.spec b/openssh.spec index fe43beb..93f2613 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 27 +%global openssh_rel 28 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -259,6 +259,8 @@ Patch1005: openssh-8.7p1-host-based-auth.patch # upstream MR: # https://github.com/openssh/openssh-portable/pull/323 Patch1006: openssh-8.7p1-negotiate-supported-algs.patch +# +Patch1007: openssh-8.7p1-nohostsha1proof.patch License: BSD Requires: /sbin/nologin @@ -467,6 +469,8 @@ popd %patch100 -p1 -b .coverity +%patch1007 -p1 -b .sshrsacheck + autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -752,6 +756,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Jan 12 2023 Dmitry Belyavskiy - 8.7p1-28 +- Do not try to use SHA1 for host key ownership proof when we don't support it server-side + Resolves: rhbz#2088750 + * Thu Jan 12 2023 Zoltan Fridrich - 8.7p1-27 - Add sk-dummy subpackage for test purposes Resolves: rhbz#2092780 From 42aa6f597e09df17f6a6ec19737ff3d36b47adb7 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jan 13 2023 14:24:38 +0000 Subject: [PATCH 7/21] Do not try to use SHA1 for host key ownership proof when we don't support it server-side Related: rhbz#2088750 --- diff --git a/openssh-8.7p1-nohostsha1proof.patch b/openssh-8.7p1-nohostsha1proof.patch index 4f173f1..a5323e4 100644 --- a/openssh-8.7p1-nohostsha1proof.patch +++ b/openssh-8.7p1-nohostsha1proof.patch @@ -72,7 +72,7 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c key = NULL; continue; } -+ if (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT) { ++ if (key && (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT)) { + size_t sign_size = 0; + u_char *tmp = NULL; + u_char data[] = "Test SHA1 vector"; From f7003be68cd4d4264ac669ee5ec82ff146563192 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Apr 13 2023 12:24:35 +0000 Subject: [PATCH 8/21] Resolve possible self-DoS with some clients Resolves: rhbz#2186473 --- diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch new file mode 100644 index 0000000..ca661ee --- /dev/null +++ b/openssh-8.7p1-CVE-2023-25136.patch @@ -0,0 +1,38 @@ +diff --git a/compat.c b/compat.c +index 46dfe3a9c2e..478a9403eea 100644 +--- a/compat.c ++++ b/compat.c +@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + diff --git a/openssh.spec b/openssh.spec index 93f2613..a9f129b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 28 +%global openssh_rel 29 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -261,6 +261,10 @@ Patch1005: openssh-8.7p1-host-based-auth.patch Patch1006: openssh-8.7p1-negotiate-supported-algs.patch # Patch1007: openssh-8.7p1-nohostsha1proof.patch +# CVE-2023-25136 +# upstream 12da7823336434a403f25c7cc0c2c6aed0737a35 +# to fix 1005 +Patch1008: openssh-8.7p1-CVE-2023-25136.patch License: BSD Requires: /sbin/nologin @@ -470,6 +474,7 @@ popd %patch100 -p1 -b .coverity %patch1007 -p1 -b .sshrsacheck +%patch1008 -p1 -b .cve-2023-25136 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -756,6 +761,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 +- Resolve possible self-DoS with some clients + Resolves: rhbz#2186473 + * Thu Jan 12 2023 Dmitry Belyavskiy - 8.7p1-28 - Do not try to use SHA1 for host key ownership proof when we don't support it server-side Resolves: rhbz#2088750 From cc7d7a5730fa57eb891a95b2bbb6ca27d11fb8fc Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Apr 20 2023 15:29:37 +0000 Subject: [PATCH 9/21] Some non-terminating processes were listening on ports. Resolves: rhbz#2177768 --- diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index e372f09..f12f40e 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -74,33 +74,6 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c close(c->sock); c->sock = c->rfd = c->wfd = sock; channel_find_maxfd(ssh->chanctxt); -@@ -3804,7 +3804,7 @@ int - channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) - { - int r, success = 0, idx = -1; -- char *host_to_connect, *listen_host, *listen_path; -+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL; - int port_to_connect, listen_port; - - /* Send the forward request to the remote side. */ -@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct - success = 1; - if (success) { - /* Record that connection to this host/port is permitted. */ -- host_to_connect = listen_host = listen_path = NULL; - port_to_connect = listen_port = 0; - if (fwd->connect_path != NULL) { - host_to_connect = xstrdup(fwd->connect_path); -@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct - host_to_connect, port_to_connect, - listen_host, listen_path, listen_port, NULL); - } -+ free(host_to_connect); -+ free(listen_host); -+ free(listen_path); - return idx; - } - diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 diff --git a/openssh.spec b/openssh.spec index a9f129b..3a34c58 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 29 +%global openssh_rel 30 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -761,6 +761,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Apr 20 2023 Dmitry Belyavskiy - 8.7p1-30 +- Some non-terminating processes were listening on ports. + Resolves: rhbz#2177768 + * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients Resolves: rhbz#2186473 From 79e2cf3d1672cdedca2c1034ae8b81c47395bcc8 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Apr 24 2023 22:30:31 +0000 Subject: [PATCH 10/21] Merge remote-tracking branch 'upstream/c9s' into c9s-sig-hyperscale --- diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 8530336..5b2aaef 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -1,6 +1,14 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200 +++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200 +@@ -36,6 +36,7 @@ + + #include + #include ++#include + + #include "dh.h" + #include "pathnames.h" @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max int best, bestcount, which, linenum; struct dhgroup dhg; @@ -67,6 +75,14 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c --- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200 +++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200 +@@ -39,6 +39,7 @@ + + #ifdef WITH_OPENSSL + #include ++#include + #include + # ifdef HAVE_EVP_KDF_CTX_NEW_ID + # include @@ -203,7 +203,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { @@ -86,7 +102,7 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c #ifdef WITH_OPENSSL -+#include ++#include #include #include @@ -154,6 +170,14 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c --- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200 +++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200 +@@ -39,6 +39,7 @@ + #include + #include + #include ++#include + #ifdef USE_SYSTEM_GLOB + # include + #else @@ -2538,11 +2538,16 @@ fill_default_options(Options * options) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); @@ -192,6 +216,14 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c --- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200 +++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200 +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + #ifdef HAVE_UTIL_H + #include + #endif @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o) all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); @@ -221,7 +253,7 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c #include #include #endif -+#include ++#include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" @@ -243,7 +275,7 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c #include #endif -+#include ++#include + #include "openbsd-compat/sys-queue.h" @@ -332,7 +364,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c #include #include #include -+#include ++#include #include "openbsd-compat/openssl-compat.h" #endif @@ -395,7 +427,7 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c #include #include #include -+#include ++#include #endif #include "crypto_api.h" @@ -473,6 +505,14 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c --- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200 +@@ -20,6 +20,7 @@ + + #ifdef WITH_OPENSSL + #include ++#include + #include + #include "openbsd-compat/openssl-compat.h" + #endif @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na #endif } @@ -512,7 +552,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c #include #include #include -+#include ++#include #include "sshkey.h" #include "kex.h" @@ -598,7 +638,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c #include #include -+#include ++#include #include "log.h" #include "sshbuf.h" diff --git a/openssh-8.7p1-CVE-2023-25136.patch b/openssh-8.7p1-CVE-2023-25136.patch new file mode 100644 index 0000000..ca661ee --- /dev/null +++ b/openssh-8.7p1-CVE-2023-25136.patch @@ -0,0 +1,38 @@ +diff --git a/compat.c b/compat.c +index 46dfe3a9c2e..478a9403eea 100644 +--- a/compat.c ++++ b/compat.c +@@ -190,26 +190,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { +- char *cp = NULL; ++ char *cp = NULL, *cp2 = NULL; + + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) + return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) +- if ((p = match_filter_denylist(p, ++ if ((cp = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { +- cp = p; +- if ((p = match_filter_denylist(p, ++ if ((cp2 = match_filter_denylist(cp ? cp : p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); + free(cp); ++ cp = cp2; + } +- debug2_f("compat KEX proposal: %s", p); +- if (*p == '\0') ++ if (cp == NULL || *cp == '\0') + fatal("No supported key exchange algorithms found"); +- return p; ++ debug2_f("compat KEX proposal: %s", cp); ++ return cp; + } + diff --git a/openssh-8.7p1-nohostsha1proof.patch b/openssh-8.7p1-nohostsha1proof.patch new file mode 100644 index 0000000..a5323e4 --- /dev/null +++ b/openssh-8.7p1-nohostsha1proof.patch @@ -0,0 +1,100 @@ +diff -up openssh-8.7p1/compat.c.sshrsacheck openssh-8.7p1/compat.c +--- openssh-8.7p1/compat.c.sshrsacheck 2023-01-12 13:29:06.338710923 +0100 ++++ openssh-8.7p1/compat.c 2023-01-12 13:29:06.357711165 +0100 +@@ -43,6 +43,7 @@ void + compat_banner(struct ssh *ssh, const char *version) + { + int i; ++ int forbid_ssh_rsa = 0; + static struct { + char *pat; + int bugs; +@@ -145,16 +146,21 @@ compat_banner(struct ssh *ssh, const cha + }; + + /* process table, return first match */ ++ forbid_ssh_rsa = (ssh->compat & SSH_RH_RSASIGSHA); + ssh->compat = 0; + for (i = 0; check[i].pat; i++) { + if (match_pattern_list(version, check[i].pat, 0) == 1) { + debug_f("match: %s pat %s compat 0x%08x", + version, check[i].pat, check[i].bugs); + ssh->compat = check[i].bugs; ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; + return; + } + } + debug_f("no match: %s", version); ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; + } + + /* Always returns pointer to allocated memory, caller must free. */ +diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h +--- openssh-8.7p1/compat.h.sshrsacheck 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/compat.h 2023-01-12 13:29:06.358711178 +0100 +@@ -30,7 +30,7 @@ + #define SSH_BUG_UTF8TTYMODE 0x00000001 + #define SSH_BUG_SIGTYPE 0x00000002 + #define SSH_BUG_SIGTYPE74 0x00000004 +-/* #define unused 0x00000008 */ ++#define SSH_RH_RSASIGSHA 0x00000008 + #define SSH_OLD_SESSIONID 0x00000010 + /* #define unused 0x00000020 */ + #define SSH_BUG_DEBUG 0x00000040 +diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c +--- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100 ++++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100 +@@ -737,6 +737,10 @@ server_input_hostkeys_prove(struct ssh * + else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED) + sigalg = "rsa-sha2-256"; + } ++ if (ssh->compat & SSH_RH_RSASIGSHA && sigalg == NULL) { ++ sigalg = "rsa-sha2-512"; ++ debug3_f("SHA1 signature is not supported, falling back to %s", sigalg); ++ } + debug3_f("sign %s key (index %d) using sigalg %s", + sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg); + if ((r = sshbuf_put_cstring(sigbuf, +diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c +--- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100 ++++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100 +@@ -1640,6 +1651,7 @@ main(int ac, char **av) + int keytype; + Authctxt *authctxt; + struct connection_info *connection_info = NULL; ++ int forbid_ssh_rsa = 0; + + #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +@@ -1938,6 +1950,19 @@ main(int ac, char **av) + key = NULL; + continue; + } ++ if (key && (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT)) { ++ size_t sign_size = 0; ++ u_char *tmp = NULL; ++ u_char data[] = "Test SHA1 vector"; ++ int res; ++ ++ res = ssh_rsa_sign(key, &tmp, &sign_size, data, sizeof(data), NULL); ++ free(tmp); ++ if (res == SSH_ERR_LIBCRYPTO_ERROR) { ++ logit_f("sshd: ssh-rsa algorithm is disabled"); ++ forbid_ssh_rsa = 1; ++ } ++ } + if (sshkey_is_sk(key) && + key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { + debug("host key %s requires user presence, ignoring", +@@ -2275,6 +2306,9 @@ main(int ac, char **av) + + check_ip_options(ssh); + ++ if (forbid_ssh_rsa) ++ ssh->compat |= SSH_RH_RSASIGSHA; ++ + /* Prepare the channels layer */ + channel_init_channels(ssh); + channel_set_af(ssh, options.address_family); diff --git a/openssh-9.1p1-sshbanner.patch b/openssh-9.1p1-sshbanner.patch new file mode 100644 index 0000000..57112be --- /dev/null +++ b/openssh-9.1p1-sshbanner.patch @@ -0,0 +1,57 @@ +diff --git a/ssh-keyscan.c b/ssh-keyscan.c +index d29a03b4..d7283136 100644 +--- a/ssh-keyscan.c ++++ b/ssh-keyscan.c +@@ -490,6 +490,15 @@ congreet(int s) + return; + } + ++ /* ++ * Read the server banner as per RFC4253 section 4.2. The "SSH-" ++ * protocol identification string may be preceeded by an arbitarily ++ * large banner which we must read and ignore. Loop while reading ++ * newline-terminated lines until we have one starting with "SSH-". ++ * The ID string cannot be longer than 255 characters although the ++ * preceeding banner lines may (in which case they'll be discarded ++ * in multiple iterations of the outer loop). ++ */ + for (;;) { + memset(buf, '\0', sizeof(buf)); + bufsiz = sizeof(buf); +@@ -517,6 +526,11 @@ congreet(int s) + conrecycle(s); + return; + } ++ if (cp >= buf + sizeof(buf)) { ++ error("%s: greeting exceeds allowable length", c->c_name); ++ confree(s); ++ return; ++ } + if (*cp != '\n' && *cp != '\r') { + error("%s: bad greeting", c->c_name); + confree(s); +diff --git a/sshsig.c b/sshsig.c +index 1e3b6398..eb2a931e 100644 +--- a/sshsig.c ++++ b/sshsig.c +@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + { + char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH]; + ssize_t n, total = 0; +- struct ssh_digest_ctx *ctx; ++ struct ssh_digest_ctx *ctx = NULL; + int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR; + struct sshbuf *b = NULL; + +@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp) + /* success */ + r = 0; + out: ++ oerrno = errno; + sshbuf_free(b); + ssh_digest_free(ctx); + explicit_bzero(hash, sizeof(hash)); ++ errno = oerrno; + return r; + } + diff --git a/openssh.spec b/openssh.spec index b5bd101..bde5c0b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -55,7 +55,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 24 +%global openssh_rel 29 %global hyperscale_rel 5 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -230,6 +230,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch # downstream only, IBMCA tentative fix # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 Patch984: openssh-8.7p1-ibmca.patch +# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566 +Patch986: openssh-9.1p1-sshbanner.patch # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) # upstream commits: @@ -266,6 +268,12 @@ Patch1005: openssh-8.7p1-host-based-auth.patch # upstream MR: # https://github.com/openssh/openssh-portable/pull/323 Patch1006: openssh-8.7p1-negotiate-supported-algs.patch +# +Patch1007: openssh-8.7p1-nohostsha1proof.patch +# CVE-2023-25136 +# upstream 12da7823336434a403f25c7cc0c2c6aed0737a35 +# to fix 1005 +Patch1008: openssh-8.7p1-CVE-2023-25136.patch # c9s specific logic factored out of openssh-7.7p1-fips.patch Patch2000: openssh-7.7p1-fips-warning.patch @@ -365,6 +373,10 @@ Requires: openssh = %{version}-%{release} Summary: A passphrase dialog for OpenSSH and X Requires: openssh = %{version}-%{release} +%package sk-dummy +Summary: OpenSSH SK driver for test purposes +Requires: openssh = %{version}-%{release} + %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} @@ -405,6 +417,9 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH. +%description sk-dummy +This package contains a test SK driver used for OpenSSH test purposes + %description -n pam_ssh_agent_auth This package contains a PAM module which can be used to authenticate users using ssh keys stored in a ssh-agent. Through the use of the @@ -486,6 +501,7 @@ popd %patch983 -p1 -b .evpgenrsa %endif %patch984 -p1 -b .ibmca +%patch986 -p1 -b .91cleanup %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -505,6 +521,9 @@ popd %patch100 -p1 -b .coverity +%patch1007 -p1 -b .sshrsacheck +%patch1008 -p1 -b .cve-2023-25136 + %if 0%{?facebook} && !0%{?use_quilt} %patch2010 -p1 -b .log_session_id %patch2011 -p1 -b .slog @@ -598,6 +617,7 @@ perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile %endif %make_build +make regress/misc/sk-dummy/sk-dummy.so # Define a variable to toggle gnome1/gtk2 building. This is necessary # because RPM doesn't handle nested %%if statements. @@ -689,6 +709,10 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} %make_install popd %endif + +install -m 755 -d $RPM_BUILD_ROOT%{_libdir}/sshtest/ +install -m 755 regress/misc/sk-dummy/sk-dummy.so $RPM_BUILD_ROOT%{_libdir}/sshtest + %pre getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : @@ -792,6 +816,9 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %endif +%files sk-dummy +%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so + %if %{pam_ssh_agent} %files -n pam_ssh_agent_auth %license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE @@ -800,6 +827,27 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 +- Resolve possible self-DoS with some clients + Resolves: rhbz#2186473 + +* Thu Jan 12 2023 Dmitry Belyavskiy - 8.7p1-28 +- Do not try to use SHA1 for host key ownership proof when we don't support it server-side + Resolves: rhbz#2088750 + +* Thu Jan 12 2023 Zoltan Fridrich - 8.7p1-27 +- Add sk-dummy subpackage for test purposes + Resolves: rhbz#2092780 + +* Fri Jan 06 2023 Dmitry Belyavskiy - 8.7p1-26 +- Fix one-byte overflow in SSH banner processing + Resolves: rhbz#2138345 +- Fix double free() in error path + Resolves: rhbz#2138347 + +* Fri Dec 16 2022 Dmitry Belyavskiy - 8.7p1-25 +- Build fix after OpenSSL rebase + Resolves: rhbz#2153626 * Wed Sep 21 2022 Raymond Colebaugh - 8.7p1-24.5 + 0.10.4-5.5 - Merge new changes from upstream From b5ba5af9976ecb982ac84d5ec73a5f8fbcc72f2d Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Apr 28 2023 14:04:07 +0000 Subject: [PATCH 11/21] Eliminating remnants of SHA1 usage in OpenSSH Resolves: rhbz#2070163 --- diff --git a/openssh-8.7p1-nohostsha1proof.patch b/openssh-8.7p1-nohostsha1proof.patch index a5323e4..5c54e78 100644 --- a/openssh-8.7p1-nohostsha1proof.patch +++ b/openssh-8.7p1-nohostsha1proof.patch @@ -43,6 +43,255 @@ diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h #define SSH_OLD_SESSIONID 0x00000010 /* #define unused 0x00000020 */ #define SSH_BUG_DEBUG 0x00000040 +diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c +--- openssh-8.7p1/monitor.c.sshrsacheck 2023-01-20 13:07:54.279676981 +0100 ++++ openssh-8.7p1/monitor.c 2023-01-20 15:01:07.007821379 +0100 +@@ -660,11 +660,12 @@ mm_answer_sign(struct ssh *ssh, int sock + struct sshkey *key; + struct sshbuf *sigbuf = NULL; + u_char *p = NULL, *signature = NULL; +- char *alg = NULL; ++ char *alg = NULL, *effective_alg; + size_t datlen, siglen, alglen; + int r, is_proof = 0; + u_int keyid, compat; + const char proof_req[] = "hostkeys-prove-00@openssh.com"; ++ const char safe_rsa[] = "rsa-sha2-256"; + + debug3_f("entering"); + +@@ -719,18 +720,30 @@ mm_answer_sign(struct ssh *ssh, int sock + } + + if ((key = get_hostkey_by_index(keyid)) != NULL) { +- if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, ++ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0 ++ && (sshkey_type_plain(key->type) == KEY_RSA)) { ++ effective_alg = safe_rsa; ++ } else { ++ effective_alg = alg; ++ } ++ if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, effective_alg, + options.sk_provider, NULL, compat)) != 0) + fatal_fr(r, "sign"); + } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && + auth_sock > 0) { ++ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0 ++ && (sshkey_type_plain(key->type) == KEY_RSA)) { ++ effective_alg = safe_rsa; ++ } else { ++ effective_alg = alg; ++ } + if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, +- p, datlen, alg, compat)) != 0) ++ p, datlen, effective_alg, compat)) != 0) + fatal_fr(r, "agent sign"); + } else + fatal_f("no hostkey from index %d", keyid); + +- debug3_f("%s %s signature len=%zu", alg, ++ debug3_f("%s (effective: %s) %s signature len=%zu", alg, effective_alg, + is_proof ? "hostkey proof" : "KEX", siglen); + + sshbuf_reset(m); +diff -up openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck openssh-8.7p1/regress/cert-userkey.sh +--- openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck 2023-01-25 14:26:52.885963113 +0100 ++++ openssh-8.7p1/regress/cert-userkey.sh 2023-01-25 14:27:25.757219800 +0100 +@@ -7,7 +7,8 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us + cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak + +-PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` ++#ssh-dss keys are incompatible with DEFAULT crypto policy ++PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss' | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + EXTRA_TYPES="" + rsa="" + +diff -up openssh-8.7p1/regress/Makefile.sshrsacheck openssh-8.7p1/regress/Makefile +--- openssh-8.7p1/regress/Makefile.sshrsacheck 2023-01-20 13:07:54.169676051 +0100 ++++ openssh-8.7p1/regress/Makefile 2023-01-20 13:07:54.290677074 +0100 +@@ -2,7 +2,8 @@ + + tests: prep file-tests t-exec unit + +-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 ++#ssh-dss tests will not pass on DEFAULT crypto-policy because of SHA1, skipping ++REGRESS_TARGETS= t1 t2 t3 t4 t5 t7 t8 t9 t10 t11 t12 + + # File based tests + file-tests: $(REGRESS_TARGETS) +diff -up openssh-8.7p1/regress/test-exec.sh.sshrsacheck openssh-8.7p1/regress/test-exec.sh +--- openssh-8.7p1/regress/test-exec.sh.sshrsacheck 2023-01-25 14:24:54.778040819 +0100 ++++ openssh-8.7p1/regress/test-exec.sh 2023-01-25 14:26:39.500858590 +0100 +@@ -581,8 +581,9 @@ maybe_filter_sk() { + fi + } + +-SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` +-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` ++#ssh-dss keys are incompatible with DEFAULT crypto policy ++SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'` ++SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'` + + for t in ${SSH_KEYTYPES}; do + # generate user key +diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c +--- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100 ++++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100 +@@ -97,7 +97,8 @@ do_kex_with_key(char *kex, int keytype, + memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); + if (kex != NULL) + kex_params.proposal[PROPOSAL_KEX_ALGS] = kex; +- keyname = strdup(sshkey_ssh_name(private)); ++ keyname = (strcmp(sshkey_ssh_name(private), "ssh-rsa")) ? ++ strdup(sshkey_ssh_name(private)) : strdup("rsa-sha2-256"); + ASSERT_PTR_NE(keyname, NULL); + kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; + ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); +@@ -180,7 +181,7 @@ do_kex(char *kex) + { + #ifdef WITH_OPENSSL + do_kex_with_key(kex, KEY_RSA, 2048); +- do_kex_with_key(kex, KEY_DSA, 1024); ++ /* do_kex_with_key(kex, KEY_DSA, 1024); */ + #ifdef OPENSSL_HAS_ECC + do_kex_with_key(kex, KEY_ECDSA, 256); + #endif /* OPENSSL_HAS_ECC */ +diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c +--- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100 +@@ -110,6 +110,7 @@ sshkey_file_tests(void) + sshkey_free(k2); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("load RSA cert with SHA1 signature"); + ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha1"), &k2), 0); + ASSERT_PTR_NE(k2, NULL); +@@ -117,7 +118,7 @@ sshkey_file_tests(void) + ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1); + ASSERT_STRING_EQ(k2->cert->signature_type, "ssh-rsa"); + sshkey_free(k2); +- TEST_DONE(); ++ TEST_DONE(); */ + + TEST_START("load RSA cert with SHA512 signature"); + ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha512"), &k2), 0); +diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c +--- openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck 2023-01-26 12:10:37.533168013 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c 2023-01-26 12:15:35.637631860 +0100 +@@ -333,13 +333,14 @@ sshkey_fuzz_tests(void) + TEST_DONE(); + + #ifdef WITH_OPENSSL ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("fuzz RSA sig"); + buf = load_file("rsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); + sshbuf_free(buf); + sig_fuzz(k1, "ssh-rsa"); + sshkey_free(k1); +- TEST_DONE(); ++ TEST_DONE();*/ + + TEST_START("fuzz RSA SHA256 sig"); + buf = load_file("rsa_1"); +@@ -357,6 +358,7 @@ sshkey_fuzz_tests(void) + sshkey_free(k1); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("fuzz DSA sig"); + buf = load_file("dsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); +@@ -364,6 +366,7 @@ sshkey_fuzz_tests(void) + sig_fuzz(k1, NULL); + sshkey_free(k1); + TEST_DONE(); ++ */ + + #ifdef OPENSSL_HAS_ECC + TEST_START("fuzz ECDSA sig"); +diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c +--- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100 +@@ -60,6 +60,9 @@ build_cert(struct sshbuf *b, struct sshk + u_char *sigblob; + size_t siglen; + ++ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */ ++ int expected = (sig_alg == NULL || strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0; ++ + ca_buf = sshbuf_new(); + ASSERT_PTR_NE(ca_buf, NULL); + ASSERT_INT_EQ(sshkey_putb(ca_key, ca_buf), 0); +@@ -101,8 +104,9 @@ build_cert(struct sshbuf *b, struct sshk + ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ + ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ + ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, +- sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), 0); +- ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ ++ sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), expected); ++ if (expected == 0) ++ ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ + + free(sigblob); + sshbuf_free(ca_buf); +@@ -119,16 +123,22 @@ signature_test(struct sshkey *k, struct + { + size_t len; + u_char *sig; ++ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */ ++ int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0; ++ if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT)) ++ expected = SSH_ERR_LIBCRYPTO_ERROR; + + ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, +- NULL, NULL, 0), 0); +- ASSERT_SIZE_T_GT(len, 8); +- ASSERT_PTR_NE(sig, NULL); +- ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); +- ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0); +- /* Fuzz test is more comprehensive, this is just a smoke test */ +- sig[len - 5] ^= 0x10; +- ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ NULL, NULL, 0), expected); ++ if (expected == 0) { ++ ASSERT_SIZE_T_GT(len, 8); ++ ASSERT_PTR_NE(sig, NULL); ++ ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0); ++ /* Fuzz test is more comprehensive, this is just a smoke test */ ++ sig[len - 5] ^= 0x10; ++ ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ } + free(sig); + } + +@@ -514,7 +524,7 @@ sshkey_tests(void) + ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, + NULL), 0); + k3 = get_private("rsa_1"); +- build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL); ++ build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, "rsa-sha2-256"); + ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), + SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); + ASSERT_PTR_EQ(k4, NULL); +diff -up openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-8.7p1/regress/unittests/sshsig/tests.c +--- openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck 2023-01-26 12:19:23.659513651 +0100 ++++ openssh-8.7p1/regress/unittests/sshsig/tests.c 2023-01-26 12:20:28.021044803 +0100 +@@ -102,9 +102,11 @@ tests(void) + check_sig("rsa.pub", "rsa.sig", msg, namespace); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("check DSA signature"); + check_sig("dsa.pub", "dsa.sig", msg, namespace); + TEST_DONE(); ++ */ + + #ifdef OPENSSL_HAS_ECC + TEST_START("check ECDSA signature"); diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c --- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100 +++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100 @@ -57,6 +306,24 @@ diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c debug3_f("sign %s key (index %d) using sigalg %s", sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg); if ((r = sshbuf_put_cstring(sigbuf, +diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c +--- openssh-8.7p1/sshconnect2.c.sshrsacheck 2023-01-25 15:33:29.140353651 +0100 ++++ openssh-8.7p1/sshconnect2.c 2023-01-25 15:59:34.225364883 +0100 +@@ -1461,6 +1464,14 @@ identity_sign(struct identity *id, u_cha + retried = 1; + goto retry_pin; + } ++ if ((r == SSH_ERR_LIBCRYPTO_ERROR) && strcmp("ssh-rsa", alg)) { ++ char rsa_safe_alg[] = "rsa-sha2-512"; ++ debug3_f("trying to fallback to algorithm %s", rsa_safe_alg); ++ ++ if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen, ++ rsa_safe_alg, options.sk_provider, pin, compat)) != 0) ++ debug_fr(r, "sshkey_sign - RSA fallback"); ++ } + goto out; + } + diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c --- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100 +++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100 @@ -68,7 +335,7 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); -@@ -1938,6 +1950,19 @@ main(int ac, char **av) +@@ -1938,6 +1950,33 @@ main(int ac, char **av) key = NULL; continue; } @@ -78,13 +345,27 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c + u_char data[] = "Test SHA1 vector"; + int res; + -+ res = ssh_rsa_sign(key, &tmp, &sign_size, data, sizeof(data), NULL); ++ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0); + free(tmp); + if (res == SSH_ERR_LIBCRYPTO_ERROR) { -+ logit_f("sshd: ssh-rsa algorithm is disabled"); ++ verbose_f("sshd: SHA1 in signatures is disabled for RSA keys"); + forbid_ssh_rsa = 1; + } + } ++ if (key && (sshkey_type_plain(key->type) == KEY_DSA || sshkey_type_plain(key->type) == KEY_DSA_CERT)) { ++ size_t sign_size = 0; ++ u_char *tmp = NULL; ++ u_char data[] = "Test SHA1 vector"; ++ int res; ++ ++ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0); ++ free(tmp); ++ if (res == SSH_ERR_LIBCRYPTO_ERROR) { ++ logit_f("sshd: ssh-dss is disabled, skipping key file %s", options.host_key_files[i]); ++ key = NULL; ++ continue; ++ } ++ } if (sshkey_is_sk(key) && key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { debug("host key %s requires user presence, ignoring", @@ -98,3 +379,48 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c /* Prepare the channels layer */ channel_init_channels(ssh); channel_set_af(ssh, options.address_family); +diff -Nur openssh-8.7p1/ssh-keygen.c openssh-8.7p1_patched/ssh-keygen.c +--- openssh-8.7p1/ssh-keygen.c 2023-01-18 17:41:47.894515779 +0100 ++++ openssh-8.7p1_patched/ssh-keygen.c 2023-01-18 17:41:44.500488818 +0100 +@@ -491,6 +491,8 @@ + BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; + BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; + BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL; ++ char rsa_safe_alg[] = "rsa-sha2-256"; ++ char *alg = NULL; + + if ((r = sshbuf_get_u32(b, &magic)) != 0) + fatal_fr(r, "parse magic"); +@@ -590,6 +592,7 @@ do_convert_private_ssh2(struct sshbuf *b + if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0) + fatal_fr(r, "generate RSA parameters"); + BN_clear_free(rsa_iqmp); ++ alg = rsa_safe_alg; + break; + } + rlen = sshbuf_len(b); +@@ -598,9 +601,9 @@ do_convert_private_ssh2(struct sshbuf *b + + /* try the key */ + if (sshkey_sign(key, &sig, &slen, data, sizeof(data), +- NULL, NULL, NULL, 0) != 0 || ++ alg, NULL, NULL, 0) != 0 || + sshkey_verify(key, sig, slen, data, sizeof(data), +- NULL, 0, NULL) != 0) { ++ alg, 0, NULL) != 0) { + sshkey_free(key); + free(sig); + return NULL; +diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c +--- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100 ++++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100 +@@ -254,7 +254,8 @@ ssh_rsa_verify(const struct sshkey *key, + ret = SSH_ERR_INVALID_ARGUMENT; + goto out; + } +- if (hash_alg != want_alg) { ++ if (hash_alg != want_alg && want_alg != SSH_DIGEST_SHA1) { ++ debug_f("Unexpected digest algorithm: got %d, wanted %d", hash_alg, want_alg); + ret = SSH_ERR_SIGNATURE_INVALID; + goto out; + } diff --git a/openssh.spec b/openssh.spec index 3a34c58..9971e54 100644 --- a/openssh.spec +++ b/openssh.spec @@ -764,6 +764,18 @@ test -f %{sysconfig_anaconda} && \ * Thu Apr 20 2023 Dmitry Belyavskiy - 8.7p1-30 - Some non-terminating processes were listening on ports. Resolves: rhbz#2177768 +- On sshd startup, we check whether signing using the SHA1 for signing is + available and don't use it when it isn't. +- On ssh private key conversion we explicitly use SHA2 for testing RSA keys. +- In sshd, when SHA1 signatures are unavailable, we fallback (fall forward :) ) + to SHA2 on host keys proof confirmation. +- On a client side we permit SHA2-based proofs from server when requested SHA1 + proof (or didn't specify the hash algorithm that implies SHA1 on the client + side). It is aligned with already present exception for RSA certificates. +- We fallback to SHA2 if SHA1 signatures is not available on the client side + (file sshconnect2.c). +- We skip dss-related tests (they don't work without SHA1). + Resolves: rhbz#2070163 * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients From 587d7b215ff2b07a7fdb25691f05e5acd25035cb Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: May 03 2023 13:52:40 +0000 Subject: [PATCH 12/21] Add FIPS compliance efforts for dh, ecdh and signing Resolves: rhbz#2091694 Signed-off-by: Norbert Pocs --- diff --git a/openssh-8.7p1-evp-fips-compl-dh.patch b/openssh-8.7p1-evp-fips-compl-dh.patch new file mode 100644 index 0000000..7494245 --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-dh.patch @@ -0,0 +1,266 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/dh.c ./dh.c +--- ../../openssh-8.7p1/dh.c 2023-03-01 14:26:52.504445780 +0100 ++++ ./dh.c 2023-03-01 14:20:09.823193384 +0100 +@@ -37,6 +37,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include "dh.h" + #include "pathnames.h" +@@ -289,10 +292,15 @@ + int + dh_gen_key(DH *dh, int need) + { +- int pbits; +- const BIGNUM *dh_p, *pub_key; ++ const BIGNUM *dh_p, *dh_g; ++ BIGNUM *pub_key = NULL, *priv_key = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ int pbits, r = 0; + +- DH_get0_pqg(dh, &dh_p, NULL, NULL); ++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g); + + if (need < 0 || dh_p == NULL || + (pbits = BN_num_bits(dh_p)) <= 0 || +@@ -300,19 +308,85 @@ + return SSH_ERR_INVALID_ARGUMENT; + if (need < 256) + need = 256; ++ ++ if ((param_bld = OSSL_PARAM_BLD_new()) == NULL || ++ (ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL)) == NULL) { ++ OSSL_PARAM_BLD_free(param_bld); ++ return SSH_ERR_ALLOC_FAIL; ++ } ++ ++ if (OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_FFC_P, dh_p) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_FFC_G, dh_g) != 1) { ++ error_f("Could not set p,q,g parameters"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } + /* + * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), + * so double requested need here. + */ +- if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1))) +- return SSH_ERR_LIBCRYPTO_ERROR; +- +- if (DH_generate_key(dh) == 0) +- return SSH_ERR_LIBCRYPTO_ERROR; +- DH_get0_key(dh, &pub_key, NULL); +- if (!dh_pub_is_valid(dh, pub_key)) +- return SSH_ERR_INVALID_FORMAT; +- return 0; ++ if (OSSL_PARAM_BLD_push_int(param_bld, ++ OSSL_PKEY_PARAM_DH_PRIV_LEN, ++ MINIMUM(need * 2, pbits - 1)) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata(ctx, &pkey, ++ EVP_PKEY_KEY_PARAMETERS, params) != 1) { ++ error_f("Failed key generation"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* reuse context for key generation */ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ EVP_PKEY_keygen_init(ctx) != 1) { ++ error_f("Could not create or init context"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_generate(ctx, &pkey) != 1) { ++ error_f("Could not generate keys"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_public_check(ctx) != 1) { ++ error_f("The public key is incorrect"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, ++ &pub_key) != 1 || ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, ++ &priv_key) != 1 || ++ DH_set0_key(dh, pub_key, priv_key) != 1) { ++ error_f("Could not set pub/priv keys to DH struct"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* transferred */ ++ pub_key = NULL; ++ priv_key = NULL; ++out: ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey); ++ BN_clear_free(pub_key); ++ BN_clear_free(priv_key); ++ return r; + } + + DH * +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.c ./kex.c +--- ../../openssh-8.7p1/kex.c 2023-03-01 14:26:52.508445832 +0100 ++++ ./kex.c 2023-02-28 14:09:27.164743771 +0100 +@@ -1602,3 +1602,47 @@ + return r; + } + ++#ifdef WITH_OPENSSL ++/* ++ * Creates an EVP_PKEY from the given parameters and keys. ++ * The private key can be omitted. ++ */ ++int ++kex_create_evp_dh(EVP_PKEY **pkey, const BIGNUM *p, const BIGNUM *q, ++ const BIGNUM *g, const BIGNUM *pub, const BIGNUM *priv) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ int r = 0; ++ ++ /* create EVP_PKEY-DH key */ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ error_f("EVP_PKEY_CTX or PARAM_BLD init failed"); ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ if (OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, pub) != 1) { ++ error_f("Failed pushing params to OSSL_PARAM_BLD"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (priv != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) { ++ error_f("Failed pushing private key to OSSL_PARAM_BLD"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return r; ++} ++#endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kexdh.c ./kexdh.c +--- ../../openssh-8.7p1/kexdh.c 2023-03-01 14:26:52.448445050 +0100 ++++ ./kexdh.c 2023-02-28 14:05:00.700902124 +0100 +@@ -35,6 +35,9 @@ + + #include "openbsd-compat/openssl-compat.h" + #include ++#include ++#include ++#include + + #include "sshkey.h" + #include "kex.h" +@@ -83,6 +86,9 @@ + kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out) + { + BIGNUM *shared_secret = NULL; ++ const BIGNUM *pub, *priv, *p, *q, *g; ++ EVP_PKEY *pkey = NULL, *dh_pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; + u_char *kbuf = NULL; + size_t klen = 0; + int kout, r; +@@ -106,18 +112,39 @@ + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 || +- BN_bin2bn(kbuf, kout, shared_secret) == NULL) { ++ ++ DH_get0_key(kex->dh, &pub, &priv); ++ DH_get0_pqg(kex->dh, &p, &q, &g); ++ /* import key */ ++ kex_create_evp_dh(&pkey, p, q, g, pub, priv); ++ /* import peer key ++ * the parameters should be the same as with pkey ++ */ ++ kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL); ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) { ++ error_f("Could not init EVP_PKEY_CTX for dh"); ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ if (EVP_PKEY_derive_init(ctx) != 1 || ++ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || ++ EVP_PKEY_derive(ctx, kbuf, &klen) != 1 || ++ BN_bin2bn(kbuf, klen, shared_secret) == NULL) { ++ error_f("Could not derive key"); + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + #ifdef DEBUG_KEXDH +- dump_digest("shared secret", kbuf, kout); ++ dump_digest("shared secret", kbuf, klen); + #endif + r = sshbuf_put_bignum2(out, shared_secret); + out: + freezero(kbuf, klen); + BN_clear_free(shared_secret); ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_free(dh_pkey); ++ EVP_PKEY_CTX_free(ctx); + return r; + } + +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.h ./kex.h +--- ../../openssh-8.7p1/kex.h 2023-03-01 14:26:52.508445832 +0100 ++++ ./kex.h 2023-02-28 13:16:49.811047554 +0100 +@@ -33,6 +33,9 @@ + # include + # include + # include ++# include ++# include ++# include + # ifdef OPENSSL_HAS_ECC + # include + # else /* OPENSSL_HAS_ECC */ +@@ -278,6 +281,8 @@ + const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); ++int kex_create_evp_dh(EVP_PKEY **, const BIGNUM *, const BIGNUM *, ++ const BIGNUM *, const BIGNUM *, const BIGNUM *); + + #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) + void dump_digest(const char *, const u_char *, int); diff --git a/openssh-8.7p1-evp-fips-compl-ecdh.patch b/openssh-8.7p1-evp-fips-compl-ecdh.patch new file mode 100644 index 0000000..0313c6f --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-ecdh.patch @@ -0,0 +1,207 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../openssh-8.7p1/kexecdh.c ./kexecdh.c +--- ../openssh-8.7p1/kexecdh.c 2021-08-20 06:03:49.000000000 +0200 ++++ ./kexecdh.c 2023-04-13 14:30:14.882449593 +0200 +@@ -35,17 +35,57 @@ + #include + + #include ++#include ++#include ++#include ++#include + + #include "sshkey.h" + #include "kex.h" + #include "sshbuf.h" + #include "digest.h" + #include "ssherr.h" ++#include "log.h" + + static int + kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key, + const EC_GROUP *, struct sshbuf **); + ++static EC_KEY * ++generate_ec_keys(int ec_nid) ++{ ++ EC_KEY *client_key = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ const char *group_name; ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) ++ goto out; ++ if ((group_name = OSSL_EC_curve_nid2name(ec_nid)) == NULL || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ error_f("Could not create OSSL_PARAM"); ++ goto out; ++ } ++ if (EVP_PKEY_keygen_init(ctx) != 1 || ++ EVP_PKEY_CTX_set_params(ctx, params) != 1 || ++ EVP_PKEY_generate(ctx, &pkey) != 1 || ++ (client_key = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) { ++ error_f("Could not generate ec keys"); ++ goto out; ++ } ++out: ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_BLD_free(param_bld); ++ OSSL_PARAM_free(params); ++ return client_key; ++} ++ + int + kex_ecdh_keypair(struct kex *kex) + { +@@ -55,11 +95,7 @@ + struct sshbuf *buf = NULL; + int r; + +- if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { +- r = SSH_ERR_ALLOC_FAIL; +- goto out; +- } +- if (EC_KEY_generate_key(client_key) != 1) { ++ if ((client_key = generate_ec_keys(kex->ec_nid)) == NULL) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +@@ -101,11 +137,7 @@ + *server_blobp = NULL; + *shared_secretp = NULL; + +- if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { +- r = SSH_ERR_ALLOC_FAIL; +- goto out; +- } +- if (EC_KEY_generate_key(server_key) != 1) { ++ if ((server_key = generate_ec_keys(kex->ec_nid)) == NULL) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +@@ -140,11 +172,21 @@ + { + struct sshbuf *buf = NULL; + BIGNUM *shared_secret = NULL; +- EC_POINT *dh_pub = NULL; +- u_char *kbuf = NULL; +- size_t klen = 0; ++ EVP_PKEY_CTX *ctx = NULL; ++ EVP_PKEY *pkey = NULL, *dh_pkey = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ u_char *kbuf = NULL, *pub = NULL; ++ size_t klen = 0, publen; ++ const char *group_name; + int r; + ++ /* import EC_KEY to EVP_PKEY */ ++ if ((r = ssh_create_evp_ec(key, kex->ec_nid, &pkey)) != 0) { ++ error_f("Could not create EVP_PKEY"); ++ goto out; ++ } ++ + *shared_secretp = NULL; + + if ((buf = sshbuf_new()) == NULL) { +@@ -153,45 +195,82 @@ + } + if ((r = sshbuf_put_stringb(buf, ec_blob)) != 0) + goto out; +- if ((dh_pub = EC_POINT_new(group)) == NULL) { ++ ++ /* the public key is in the buffer in octet string UNCOMPRESSED ++ * format. See sshbuf_put_ec */ ++ if ((r = sshbuf_get_string(buf, &pub, &publen)) != 0) ++ goto out; ++ sshbuf_reset(buf); ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) { ++ if ((group_name = OSSL_EC_curve_nid2name(kex->ec_nid)) == NULL) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (OSSL_PARAM_BLD_push_octet_string(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, pub, publen) != 1 || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ error_f("Failed to set params for dh_pkey"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1 || ++ EVP_PKEY_fromdata(ctx, &dh_pkey, ++ EVP_PKEY_PUBLIC_KEY, params) != 1 || ++ EVP_PKEY_public_check(ctx) != 1) { ++ error_f("Peer public key import failed"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +- sshbuf_reset(buf); + + #ifdef DEBUG_KEXECDH + fputs("public key:\n", stderr); +- sshkey_dump_ec_point(group, dh_pub); ++ EVP_PKEY_print_public_fp(stderr, dh_pkey, 0, NULL); + #endif +- if (sshkey_ec_validate_public(group, dh_pub) != 0) { +- r = SSH_ERR_MESSAGE_INCOMPLETE; ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ EVP_PKEY_derive_init(ctx) != 1 || ++ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || ++ EVP_PKEY_derive(ctx, NULL, &klen) != 1) { ++ error_f("Failed to get derive information"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +- klen = (EC_GROUP_get_degree(group) + 7) / 8; +- if ((kbuf = malloc(klen)) == NULL || +- (shared_secret = BN_new()) == NULL) { ++ if ((kbuf = malloc(klen)) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen || +- BN_bin2bn(kbuf, klen, shared_secret) == NULL) { ++ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + #ifdef DEBUG_KEXECDH + dump_digest("shared secret", kbuf, klen); + #endif ++ if ((shared_secret = BN_new()) == NULL || ++ (BN_bin2bn(kbuf, klen, shared_secret) == NULL)) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0) + goto out; + *shared_secretp = buf; + buf = NULL; + out: +- EC_POINT_clear_free(dh_pub); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_free(dh_pkey); ++ OSSL_PARAM_BLD_free(param_bld); ++ OSSL_PARAM_free(params); + BN_clear_free(shared_secret); + freezero(kbuf, klen); ++ freezero(pub, publen); + sshbuf_free(buf); + return r; + } diff --git a/openssh-8.7p1-evp-fips-compl-sign.patch b/openssh-8.7p1-evp-fips-compl-sign.patch new file mode 100644 index 0000000..fc71678 --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-sign.patch @@ -0,0 +1,468 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-dss.c ./ssh-dss.c +--- ../../openssh-8.7p1/ssh-dss.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-dss.c 2023-03-08 15:34:33.508578129 +0100 +@@ -32,6 +32,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -72,9 +74,8 @@ + sshkey_type_plain(key->type) != KEY_DSA) + return SSH_ERR_INVALID_ARGUMENT; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len, + data, datalen); + EVP_PKEY_free(pkey); +@@ -201,11 +202,8 @@ + goto out; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) + goto out; +- } + ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen, + sigb, slen); + EVP_PKEY_free(pkey); +@@ -221,4 +219,63 @@ + freezero(sigblob, len); + return ret; + } ++ ++int ++ssh_create_evp_dss(const struct sshkey *k, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; ++ int ret = 0; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ DSA_get0_pqg(k->dsa, &p, &q, &g); ++ DSA_get0_key(k->dsa, &pub, &priv); ++ ++ if (p != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (q != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (g != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (pub != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, ++ pub) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (priv != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, ++ priv) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return ret; ++} + #endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-ecdsa.c ./ssh-ecdsa.c +--- ../../openssh-8.7p1/ssh-ecdsa.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-ecdsa.c 2023-03-08 15:40:52.628201267 +0100 +@@ -34,6 +34,8 @@ + #include + #include + #include ++#include ++#include + + #include + +@@ -72,9 +74,8 @@ + if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, + datalen); + EVP_PKEY_free(pkey); +@@ -193,11 +194,8 @@ + goto out; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if (ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey) != 0) + goto out; +- } + ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len); + EVP_PKEY_free(pkey); + +@@ -212,4 +210,76 @@ + return ret; + } + ++int ++ssh_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ BN_CTX *bn_ctx = NULL; ++ uint8_t *pub_ser = NULL; ++ const char *group_name; ++ const EC_POINT *pub = NULL; ++ const BIGNUM *priv = NULL; ++ int ret = 0; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL || ++ (bn_ctx = BN_CTX_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ if ((group_name = OSSL_EC_curve_nid2name(ecdsa_nid)) == NULL || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, ++ group_name, ++ strlen(group_name)) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((pub = EC_KEY_get0_public_key(k)) != NULL) { ++ const EC_GROUP *group; ++ size_t len; ++ ++ group = EC_KEY_get0_group(k); ++ len = EC_POINT_point2oct(group, pub, ++ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); ++ if ((pub_ser = malloc(len)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ EC_POINT_point2oct(group, ++ pub, ++ POINT_CONVERSION_UNCOMPRESSED, ++ pub_ser, ++ len, ++ bn_ctx); ++ if (OSSL_PARAM_BLD_push_octet_string(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, ++ pub_ser, ++ len) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ } ++ if ((priv = EC_KEY_get0_private_key(k)) != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ BN_CTX_free(bn_ctx); ++ free(pub_ser); ++ return ret; ++} + #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.c ./sshkey.c +--- ../../openssh-8.7p1/sshkey.c 2023-03-08 15:35:14.702943628 +0100 ++++ ./sshkey.c 2023-03-08 15:39:03.354082015 +0100 +@@ -35,6 +35,8 @@ + #include + #include + #include ++#include ++#include + #endif + + #include "crypto_api.h" +@@ -492,13 +494,14 @@ + { + EVP_MD_CTX *ctx = NULL; + u_char *sig = NULL; +- int ret, slen, len; ++ int ret, slen; ++ size_t len; + + if (sigp == NULL || lenp == NULL) { + return SSH_ERR_INVALID_ARGUMENT; + } + +- slen = EVP_PKEY_size(pkey); ++ slen = EVP_PKEY_get_size(pkey); + if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) + return SSH_ERR_INVALID_ARGUMENT; + +@@ -511,9 +514,10 @@ + ret = SSH_ERR_ALLOC_FAIL; + goto error; + } +- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_SignUpdate(ctx, data, datalen) <= 0 || +- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) { ++ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestSignUpdate(ctx, data, datalen) != 1 || ++ EVP_DigestSignFinal(ctx, sig, &len) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto error; + } +@@ -540,12 +544,13 @@ + if ((ctx = EVP_MD_CTX_new()) == NULL) { + return SSH_ERR_ALLOC_FAIL; + } +- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_VerifyUpdate(ctx, data, datalen) <= 0) { ++ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto done; + } +- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); ++ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen); + switch (ret) { + case 1: + ret = 0; +@@ -5038,3 +5043,27 @@ + return 0; + } + #endif /* WITH_XMSS */ ++ ++#ifdef WITH_OPENSSL ++EVP_PKEY * ++sshkey_create_evp(OSSL_PARAM_BLD *param_bld, EVP_PKEY_CTX *ctx) ++{ ++ EVP_PKEY *ret = NULL; ++ OSSL_PARAM *params = NULL; ++ if (param_bld == NULL || ctx == NULL) { ++ debug2_f("param_bld or ctx is NULL"); ++ return NULL; ++ } ++ if ((params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ debug2_f("Could not build param list"); ++ return NULL; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1 || ++ EVP_PKEY_fromdata(ctx, &ret, EVP_PKEY_KEYPAIR, params) != 1) { ++ debug2_f("EVP_PKEY_fromdata failed"); ++ OSSL_PARAM_free(params); ++ return NULL; ++ } ++ return ret; ++} ++#endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.h ./sshkey.h +--- ../../openssh-8.7p1/sshkey.h 2023-03-08 15:35:14.702943628 +0100 ++++ ./sshkey.h 2023-03-08 15:34:33.509578138 +0100 +@@ -31,6 +31,9 @@ + #ifdef WITH_OPENSSL + #include + #include ++#include ++#include ++#include + # ifdef OPENSSL_HAS_ECC + # include + # include +@@ -293,6 +295,13 @@ + + void sshkey_sig_details_free(struct sshkey_sig_details *); + ++#ifdef WITH_OPENSSL ++EVP_PKEY *sshkey_create_evp(OSSL_PARAM_BLD *, EVP_PKEY_CTX *); ++int ssh_create_evp_dss(const struct sshkey *, EVP_PKEY **); ++int ssh_create_evp_rsa(const struct sshkey *, EVP_PKEY **); ++int ssh_create_evp_ec(EC_KEY *, int, EVP_PKEY **); ++#endif /* WITH_OPENSSL */ ++ + #ifdef SSHKEY_INTERNAL + int ssh_rsa_sign(const struct sshkey *key, + u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-rsa.c ./ssh-rsa.c +--- ../../openssh-8.7p1/ssh-rsa.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-rsa.c 2023-03-08 15:34:33.509578138 +0100 +@@ -23,6 +23,8 @@ + + #include + #include ++#include ++#include + + #include + #include +@@ -172,9 +174,8 @@ + if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) + return SSH_ERR_KEY_LENGTH; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, + datalen); + EVP_PKEY_free(pkey); +@@ -285,11 +286,8 @@ + len = modlen; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) + goto out; +- } + ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey); + EVP_PKEY_free(pkey); + +@@ -306,11 +304,9 @@ + u_char *sigbuf, size_t siglen, EVP_PKEY *pkey) + { + size_t rsasize = 0; +- const RSA *rsa; + int ret; + +- rsa = EVP_PKEY_get0_RSA(pkey); +- rsasize = RSA_size(rsa); ++ rsasize = EVP_PKEY_get_size(pkey); + if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || + siglen == 0 || siglen > rsasize) { + ret = SSH_ERR_INVALID_ARGUMENT; +@@ -323,4 +319,87 @@ + done: + return ret; + } ++ ++int ++ssh_create_evp_rsa(const struct sshkey *k, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ int ret = 0; ++ const BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; ++ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ RSA_get0_key(k->rsa, &n, &e, &d); ++ RSA_get0_factors(k->rsa, &p, &q); ++ RSA_get0_crt_params(k->rsa, &dmp1, &dmq1, &iqmp); ++ ++ if (n != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (e != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (d != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, d) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* setting this to param_build makes the creation process fail */ ++ if (p != NULL && ++ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, p) != 1) { ++ debug2_f("failed to add 'p' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (q != NULL && ++ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, q) != 1) { ++ debug2_f("failed to add 'q' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (dmp1 != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) != 1) { ++ debug2_f("failed to add 'dmp1' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (dmq1 != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) != 1) { ++ debug2_f("failed to add 'dmq1' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (iqmp != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp) != 1) { ++ debug2_f("failed to add 'iqmp' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return ret; ++} + #endif /* WITH_OPENSSL */ diff --git a/openssh.spec b/openssh.spec index 9971e54..48d1d18 100644 --- a/openssh.spec +++ b/openssh.spec @@ -266,6 +266,11 @@ Patch1007: openssh-8.7p1-nohostsha1proof.patch # to fix 1005 Patch1008: openssh-8.7p1-CVE-2023-25136.patch +# fips compliance for signing, dh, ecdh +Patch1009: openssh-8.7p1-evp-fips-compl-sign.patch +Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch +Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch + License: BSD Requires: /sbin/nologin @@ -476,6 +481,10 @@ popd %patch1007 -p1 -b .sshrsacheck %patch1008 -p1 -b .cve-2023-25136 +%patch1009 -p1 -b .evp_fips_sign +%patch1010 -p1 -b .evp_fips_dh +%patch1011 -p1 -b .evp_fips_ecdh + autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -776,6 +785,8 @@ test -f %{sysconfig_anaconda} && \ (file sshconnect2.c). - We skip dss-related tests (they don't work without SHA1). Resolves: rhbz#2070163 +- FIPS compliance efforts for dh, ecdh and signing + Resolves: rhbz#2091694 * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients From 1490ffd3e0d4c9568453423160794f72a513c61f Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: May 16 2023 13:50:52 +0000 Subject: [PATCH 13/21] Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch - Check return values - Use EVP API to get the size of DH Related: rhbz#2091694 Signed-off-by: Norbert Pocs --- diff --git a/openssh-8.7p1-evp-fips-compl-dh.patch b/openssh-8.7p1-evp-fips-compl-dh.patch index 7494245..e36ef60 100644 --- a/openssh-8.7p1-evp-fips-compl-dh.patch +++ b/openssh-8.7p1-evp-fips-compl-dh.patch @@ -1,7 +1,7 @@ -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/dh.c ./dh.c ---- ../../openssh-8.7p1/dh.c 2023-03-01 14:26:52.504445780 +0100 -+++ ./dh.c 2023-03-01 14:20:09.823193384 +0100 -@@ -37,6 +37,9 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/dh.c openssh-8.7p1-patched/dh.c +--- openssh-8.7p1/dh.c 2023-05-16 15:38:53.461326047 +0200 ++++ openssh-8.7p1-patched/dh.c 2023-05-16 15:37:14.785260359 +0200 +@@ -37,6 +37,9 @@ #include #include #include @@ -11,7 +11,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x #include "dh.h" #include "pathnames.h" -@@ -289,10 +292,15 @@ +@@ -290,10 +293,15 @@ int dh_gen_key(DH *dh, int need) { @@ -30,7 +30,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x if (need < 0 || dh_p == NULL || (pbits = BN_num_bits(dh_p)) <= 0 || -@@ -300,19 +308,85 @@ +@@ -301,19 +309,85 @@ return SSH_ERR_INVALID_ARGUMENT; if (need < 256) need = 256; @@ -125,10 +125,10 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x } DH * -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.c ./kex.c ---- ../../openssh-8.7p1/kex.c 2023-03-01 14:26:52.508445832 +0100 -+++ ./kex.c 2023-02-28 14:09:27.164743771 +0100 -@@ -1602,3 +1602,47 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.c openssh-8.7p1-patched/kex.c +--- openssh-8.7p1/kex.c 2023-05-16 15:38:53.465326090 +0200 ++++ openssh-8.7p1-patched/kex.c 2023-05-16 15:37:14.785260359 +0200 +@@ -1603,3 +1603,47 @@ return r; } @@ -176,20 +176,21 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x + return r; +} +#endif /* WITH_OPENSSL */ -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kexdh.c ./kexdh.c ---- ../../openssh-8.7p1/kexdh.c 2023-03-01 14:26:52.448445050 +0100 -+++ ./kexdh.c 2023-02-28 14:05:00.700902124 +0100 -@@ -35,6 +35,9 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kexdh.c openssh-8.7p1-patched/kexdh.c +--- openssh-8.7p1/kexdh.c 2023-05-16 15:38:53.403325420 +0200 ++++ openssh-8.7p1-patched/kexdh.c 2023-05-16 15:37:34.097468928 +0200 +@@ -35,6 +35,10 @@ #include "openbsd-compat/openssl-compat.h" #include ++#include +#include +#include +#include #include "sshkey.h" #include "kex.h" -@@ -83,6 +86,9 @@ +@@ -83,9 +87,12 @@ kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out) { BIGNUM *shared_secret = NULL; @@ -198,31 +199,61 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x + EVP_PKEY_CTX *ctx = NULL; u_char *kbuf = NULL; size_t klen = 0; - int kout, r; -@@ -106,18 +112,39 @@ - r = SSH_ERR_ALLOC_FAIL; +- int kout, r; ++ int kout, r = 0; + + #ifdef DEBUG_KEXDH + fprintf(stderr, "dh_pub= "); +@@ -100,24 +107,64 @@ + r = SSH_ERR_MESSAGE_INCOMPLETE; goto out; } -- if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 || -- BN_bin2bn(kbuf, kout, shared_secret) == NULL) { +- klen = DH_size(kex->dh); + + DH_get0_key(kex->dh, &pub, &priv); + DH_get0_pqg(kex->dh, &p, &q, &g); + /* import key */ -+ kex_create_evp_dh(&pkey, p, q, g, pub, priv); ++ r = kex_create_evp_dh(&pkey, p, q, g, pub, priv); ++ if (r != 0) { ++ error_f("Could not create EVP_PKEY for dh"); ++ ERR_print_errors_fp(stderr); ++ goto out; ++ } + /* import peer key + * the parameters should be the same as with pkey + */ -+ kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL); ++ debug_f("import peer key to evp"); ++ r = kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL); ++ if (r != 0) { ++ error_f("Could not import peer key for dh"); ++ ERR_print_errors_fp(stderr); ++ goto out; ++ } + ++ debug_f("creating EVP_PKEY_CTX"); + if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) { + error_f("Could not init EVP_PKEY_CTX for dh"); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } ++ debug_f("Deriving - init context"); + if (EVP_PKEY_derive_init(ctx) != 1 || + EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || -+ EVP_PKEY_derive(ctx, kbuf, &klen) != 1 || ++ EVP_PKEY_derive(ctx, NULL, &klen) != 1) { ++ error_f("Could not get key size"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ debug_f("Deriving - buffer size is %d", (int)klen); + if ((kbuf = malloc(klen)) == NULL || + (shared_secret = BN_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 || +- BN_bin2bn(kbuf, kout, shared_secret) == NULL) { ++ debug_f("Deriving - using real buffer"); ++ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1 || + BN_bin2bn(kbuf, klen, shared_secret) == NULL) { + error_f("Could not derive key"); r = SSH_ERR_LIBCRYPTO_ERROR; @@ -242,9 +273,9 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x return r; } -diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.h ./kex.h ---- ../../openssh-8.7p1/kex.h 2023-03-01 14:26:52.508445832 +0100 -+++ ./kex.h 2023-02-28 13:16:49.811047554 +0100 +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.h openssh-8.7p1-patched/kex.h +--- openssh-8.7p1/kex.h 2023-05-16 15:38:53.465326090 +0200 ++++ openssh-8.7p1-patched/kex.h 2023-05-16 15:37:14.786260370 +0200 @@ -33,6 +33,9 @@ # include # include diff --git a/openssh.spec b/openssh.spec index 48d1d18..eae9abb 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 30 +%global openssh_rel 31 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -770,6 +770,13 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Tue May 16 2023 Norbert Pocs - 8.7p1-31 +- Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: +- Check return values +- Use EVP API to get the size of DH +- Add some log debug lines +- Related: rhbz#2091694 + * Thu Apr 20 2023 Dmitry Belyavskiy - 8.7p1-30 - Some non-terminating processes were listening on ports. Resolves: rhbz#2177768 From 48718a1a729a014da3cc267d363729f4e1dc0464 Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: May 25 2023 07:17:38 +0000 Subject: [PATCH 14/21] Delete unneeded debug messages from fips-compl-dh patch Related: rhbz#2091694 Signed-off-by: Norbert Pocs --- diff --git a/openssh-8.7p1-evp-fips-compl-dh.patch b/openssh-8.7p1-evp-fips-compl-dh.patch index e36ef60..ec04910 100644 --- a/openssh-8.7p1-evp-fips-compl-dh.patch +++ b/openssh-8.7p1-evp-fips-compl-dh.patch @@ -1,6 +1,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/dh.c openssh-8.7p1-patched/dh.c ---- openssh-8.7p1/dh.c 2023-05-16 15:38:53.461326047 +0200 -+++ openssh-8.7p1-patched/dh.c 2023-05-16 15:37:14.785260359 +0200 +--- openssh-8.7p1/dh.c 2023-05-25 09:01:23.295627077 +0200 ++++ openssh-8.7p1-patched/dh.c 2023-05-25 09:00:56.519332820 +0200 @@ -37,6 +37,9 @@ #include #include @@ -126,8 +126,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x DH * diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.c openssh-8.7p1-patched/kex.c ---- openssh-8.7p1/kex.c 2023-05-16 15:38:53.465326090 +0200 -+++ openssh-8.7p1-patched/kex.c 2023-05-16 15:37:14.785260359 +0200 +--- openssh-8.7p1/kex.c 2023-05-25 09:01:23.299627122 +0200 ++++ openssh-8.7p1-patched/kex.c 2023-05-25 09:00:56.519332820 +0200 @@ -1603,3 +1603,47 @@ return r; } @@ -177,8 +177,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x +} +#endif /* WITH_OPENSSL */ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kexdh.c openssh-8.7p1-patched/kexdh.c ---- openssh-8.7p1/kexdh.c 2023-05-16 15:38:53.403325420 +0200 -+++ openssh-8.7p1-patched/kexdh.c 2023-05-16 15:37:34.097468928 +0200 +--- openssh-8.7p1/kexdh.c 2023-05-25 09:01:23.237626425 +0200 ++++ openssh-8.7p1-patched/kexdh.c 2023-05-25 09:03:21.817957988 +0200 @@ -35,6 +35,10 @@ #include "openbsd-compat/openssl-compat.h" @@ -204,7 +204,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x #ifdef DEBUG_KEXDH fprintf(stderr, "dh_pub= "); -@@ -100,24 +107,64 @@ +@@ -100,24 +107,59 @@ r = SSH_ERR_MESSAGE_INCOMPLETE; goto out; } @@ -222,7 +222,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x + /* import peer key + * the parameters should be the same as with pkey + */ -+ debug_f("import peer key to evp"); + r = kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL); + if (r != 0) { + error_f("Could not import peer key for dh"); @@ -230,13 +229,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x + goto out; + } + -+ debug_f("creating EVP_PKEY_CTX"); + if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) { + error_f("Could not init EVP_PKEY_CTX for dh"); + r = SSH_ERR_ALLOC_FAIL; + goto out; + } -+ debug_f("Deriving - init context"); + if (EVP_PKEY_derive_init(ctx) != 1 || + EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || + EVP_PKEY_derive(ctx, NULL, &klen) != 1) { @@ -244,7 +241,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } -+ debug_f("Deriving - buffer size is %d", (int)klen); if ((kbuf = malloc(klen)) == NULL || (shared_secret = BN_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; @@ -252,7 +248,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x } - if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 || - BN_bin2bn(kbuf, kout, shared_secret) == NULL) { -+ debug_f("Deriving - using real buffer"); + if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1 || + BN_bin2bn(kbuf, klen, shared_secret) == NULL) { + error_f("Could not derive key"); @@ -274,8 +269,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x } diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.h openssh-8.7p1-patched/kex.h ---- openssh-8.7p1/kex.h 2023-05-16 15:38:53.465326090 +0200 -+++ openssh-8.7p1-patched/kex.h 2023-05-16 15:37:14.786260370 +0200 +--- openssh-8.7p1/kex.h 2023-05-25 09:01:23.299627122 +0200 ++++ openssh-8.7p1-patched/kex.h 2023-05-25 09:00:56.519332820 +0200 @@ -33,6 +33,9 @@ # include # include From 6b2353418c4eac53132b180efd7fab9b40543ef5 Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: May 25 2023 07:22:24 +0000 Subject: [PATCH 15/21] Fix regression in pkcs11 introduced in the previous patch Resolves: rhbz#2207793 Signed-off-by: Norbert Pocs --- diff --git a/openssh-8.7p1-evp-pkcs11.patch b/openssh-8.7p1-evp-pkcs11.patch new file mode 100644 index 0000000..44e0b8f --- /dev/null +++ b/openssh-8.7p1-evp-pkcs11.patch @@ -0,0 +1,131 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-ecdsa.c openssh-8.7p1-patched/ssh-ecdsa.c +--- openssh-8.7p1/ssh-ecdsa.c 2023-05-24 09:39:45.002631174 +0200 ++++ openssh-8.7p1-patched/ssh-ecdsa.c 2023-05-24 09:09:34.400853951 +0200 +@@ -74,8 +74,18 @@ + if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; + +- if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) +- return ret; ++#ifdef ENABLE_PKCS11 ++ if (is_ecdsa_pkcs11(key->ecdsa)) { ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ } else { ++#endif ++ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) ++ return ret; ++#ifdef ENABLE_PKCS11 ++ } ++#endif + ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, + datalen); + EVP_PKEY_free(pkey); +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.c openssh-8.7p1-patched/ssh-pkcs11.c +--- openssh-8.7p1/ssh-pkcs11.c 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11.c 2023-05-24 09:33:59.153866357 +0200 +@@ -775,8 +775,24 @@ + + return (0); + } ++ ++int ++is_ecdsa_pkcs11(EC_KEY *ecdsa) ++{ ++ if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL) ++ return 1; ++ return 0; ++} + #endif /* HAVE_EC_KEY_METHOD_NEW */ + ++int ++is_rsa_pkcs11(RSA *rsa) ++{ ++ if (RSA_get_ex_data(rsa, rsa_idx) != NULL) ++ return 1; ++ return 0; ++} ++ + /* remove trailing spaces */ + static void + rmspace(u_char *buf, size_t len) +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11-client.c openssh-8.7p1-patched/ssh-pkcs11-client.c +--- openssh-8.7p1/ssh-pkcs11-client.c 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11-client.c 2023-05-24 09:31:16.139092673 +0200 +@@ -225,8 +225,36 @@ + static RSA_METHOD *helper_rsa; + #ifdef HAVE_EC_KEY_METHOD_NEW + static EC_KEY_METHOD *helper_ecdsa; ++ ++int ++is_ecdsa_pkcs11(EC_KEY *ecdsa) ++{ ++ const EC_KEY_METHOD *meth; ++ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen, ++ const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL; ++ ++ meth = EC_KEY_get_method(ecdsa); ++ EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig); ++ if (sign_sig == ecdsa_do_sign) ++ return 1; ++ return 0; ++} + #endif /* HAVE_EC_KEY_METHOD_NEW */ + ++int ++is_rsa_pkcs11(RSA *rsa) ++{ ++ const RSA_METHOD *meth; ++ int (*priv_enc)(int flen, const unsigned char *from, ++ unsigned char *to, RSA *rsa, int padding) = NULL; ++ ++ meth = RSA_get_method(rsa); ++ priv_enc = RSA_meth_get_priv_enc(meth); ++ if (priv_enc == rsa_encrypt) ++ return 1; ++ return 0; ++} ++ + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void + wrap_key(struct sshkey *k) +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.h openssh-8.7p1-patched/ssh-pkcs11.h +--- openssh-8.7p1/ssh-pkcs11.h 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11.h 2023-05-24 09:36:49.055714975 +0200 +@@ -39,6 +39,11 @@ + u_int32_t *); + #endif + ++#ifdef HAVE_EC_KEY_METHOD_NEW ++int is_ecdsa_pkcs11(EC_KEY *ecdsa); ++#endif ++int is_rsa_pkcs11(RSA *rsa); ++ + #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11) + #undef ENABLE_PKCS11 + #endif +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-rsa.c openssh-8.7p1-patched/ssh-rsa.c +--- openssh-8.7p1/ssh-rsa.c 2023-05-24 09:39:45.003631184 +0200 ++++ openssh-8.7p1-patched/ssh-rsa.c 2023-05-24 09:31:37.019319860 +0200 +@@ -174,8 +174,18 @@ + if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) + return SSH_ERR_KEY_LENGTH; + +- if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) +- return ret; ++#ifdef ENABLE_PKCS11 ++ if (is_rsa_pkcs11(key->rsa)) { ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ } else { ++#endif ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) ++ return ret; ++#ifdef ENABLE_PKCS11 ++ } ++#endif + ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, + datalen); + EVP_PKEY_free(pkey); diff --git a/openssh.spec b/openssh.spec index eae9abb..a51e330 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 31 +%global openssh_rel 32 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -270,6 +270,7 @@ Patch1008: openssh-8.7p1-CVE-2023-25136.patch Patch1009: openssh-8.7p1-evp-fips-compl-sign.patch Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch +Patch1012: openssh-8.7p1-evp-pkcs11.patch License: BSD Requires: /sbin/nologin @@ -484,6 +485,7 @@ popd %patch1009 -p1 -b .evp_fips_sign %patch1010 -p1 -b .evp_fips_dh %patch1011 -p1 -b .evp_fips_ecdh +%patch1012 -p1 -b .evp_pkcs11 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -770,6 +772,11 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Wed May 24 2023 Norbert Pocs - 8.7p1-32 +- Fix pkcs11 issue with the recent changes +- Delete unnecessary log messages from previous compl-dh patch +- Resolves: rhbz#2207793 + * Tue May 16 2023 Norbert Pocs - 8.7p1-31 - Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: - Check return values From 415f8e730bda6e3baafc37b24420c2d2bf427b39 Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: Jun 02 2023 07:16:33 +0000 Subject: [PATCH 16/21] Clarify rhbz#2068423 on the ssh_config man page Resolves: rhbz#2209096 Signed-off-by: Norbert Pocs --- diff --git a/openssh-8.7p1-man-hostkeyalgos.patch b/openssh-8.7p1-man-hostkeyalgos.patch new file mode 100644 index 0000000..92c53b1 --- /dev/null +++ b/openssh-8.7p1-man-hostkeyalgos.patch @@ -0,0 +1,31 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5 +--- openssh-8.7p1/ssh_config.5 2023-06-02 09:14:40.279373577 +0200 ++++ openssh-8.7p1-patched/ssh_config.5 2023-05-30 16:01:04.533848172 +0200 +@@ -989,6 +989,17 @@ + .Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q HostKeyAlgorithms . ++.Pp ++The proposed ++.Cm HostKeyAlgorithms ++during KEX are limited to the set of algorithms that is defined in ++.Cm PubkeyAcceptedAlgorithms ++and therefore they are indirectly affected by system-wide ++.Xr crypto_policies 7 . ++.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so ++would break the order given by the ++.Pa known_hosts ++file. + .It Cm HostKeyAlias + Specifies an alias that should be used instead of the + real host name when looking up or saving the host key +@@ -1564,6 +1575,9 @@ + .Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q PubkeyAcceptedAlgorithms . ++.Pp ++This option affects also ++.Cm HostKeyAlgorithms + .It Cm PubkeyAuthentication + Specifies whether to try public key authentication. + The argument to this keyword must be diff --git a/openssh.spec b/openssh.spec index a51e330..29682b8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -272,6 +272,9 @@ Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch Patch1012: openssh-8.7p1-evp-pkcs11.patch +# clarify rhbz#2068423 on the man page of ssh_config +Patch1013: openssh-8.7p1-man-hostkeyalgos.patch + License: BSD Requires: /sbin/nologin @@ -487,6 +490,8 @@ popd %patch1011 -p1 -b .evp_fips_ecdh %patch1012 -p1 -b .evp_pkcs11 +%patch1013 -p1 -b .man-hostkeyalgos + autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} autoreconf @@ -775,7 +780,8 @@ test -f %{sysconfig_anaconda} && \ * Wed May 24 2023 Norbert Pocs - 8.7p1-32 - Fix pkcs11 issue with the recent changes - Delete unnecessary log messages from previous compl-dh patch -- Resolves: rhbz#2207793 +- Add ssh_config man page explanation on rhbz#2068423 +- Resolves: rhbz#2207793, rhbz#2209096 * Tue May 16 2023 Norbert Pocs - 8.7p1-31 - Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: From c5140cafa35147e6ea4b478036a4d721a8c823ff Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jun 14 2023 09:15:41 +0000 Subject: [PATCH 17/21] Allow specifying validity interval in UTC Resolves: rhbz#2115043 --- diff --git a/openssh-8.7p1-UTC-time-parse.patch b/openssh-8.7p1-UTC-time-parse.patch new file mode 100644 index 0000000..1fd953d --- /dev/null +++ b/openssh-8.7p1-UTC-time-parse.patch @@ -0,0 +1,323 @@ +diff --git a/misc.c b/misc.c +index a8e87430..f2135803 100644 +--- a/misc.c ++++ b/misc.c +@@ -2399,15 +2399,26 @@ parse_absolute_time(const char *s, uint64_t *tp) + struct tm tm; + time_t tt; + char buf[32], *fmt; ++ const char *cp; ++ size_t l; ++ int is_utc = 0; + + *tp = 0; + ++ l = strlen(s); ++ if (l > 1 && strcasecmp(s + l - 1, "Z") == 0) { ++ is_utc = 1; ++ l--; ++ } else if (l > 3 && strcasecmp(s + l - 3, "UTC") == 0) { ++ is_utc = 1; ++ l -= 3; ++ } + /* + * POSIX strptime says "The application shall ensure that there + * is white-space or other non-alphanumeric characters between + * any two conversion specifications" so arrange things this way. + */ +- switch (strlen(s)) { ++ switch (l) { + case 8: /* YYYYMMDD */ + fmt = "%Y-%m-%d"; + snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6); +@@ -2427,10 +2438,15 @@ parse_absolute_time(const char *s, uint64_t *tp) + } + + memset(&tm, 0, sizeof(tm)); +- if (strptime(buf, fmt, &tm) == NULL) +- return SSH_ERR_INVALID_FORMAT; +- if ((tt = mktime(&tm)) < 0) ++ if ((cp = strptime(buf, fmt, &tm)) == NULL || *cp != '\0') + return SSH_ERR_INVALID_FORMAT; ++ if (is_utc) { ++ if ((tt = timegm(&tm)) < 0) ++ return SSH_ERR_INVALID_FORMAT; ++ } else { ++ if ((tt = mktime(&tm)) < 0) ++ return SSH_ERR_INVALID_FORMAT; ++ } + /* success */ + *tp = (uint64_t)tt; + return 0; +diff --git a/regress/unittests/misc/test_convtime.c b/regress/unittests/misc/test_convtime.c +index ef6fd77d..4794dbd9 100644 +--- a/regress/unittests/misc/test_convtime.c ++++ b/regress/unittests/misc/test_convtime.c +@@ -20,6 +20,7 @@ + + #include "log.h" + #include "misc.h" ++#include "ssherr.h" + + void test_convtime(void); + +@@ -27,6 +28,7 @@ void + test_convtime(void) + { + char buf[1024]; ++ uint64_t t; + + TEST_START("misc_convtime"); + ASSERT_INT_EQ(convtime("0"), 0); +@@ -56,4 +58,64 @@ test_convtime(void) + ASSERT_INT_EQ(convtime("3550w5d3h14m8s"), -1); + #endif + TEST_DONE(); ++ ++ /* XXX timezones/DST make verification of this tricky */ ++ /* XXX maybe setenv TZ and tzset() to make it unambiguous? */ ++ TEST_START("misc_parse_absolute_time"); ++ ASSERT_INT_EQ(parse_absolute_time("20000101", &t), 0); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223", &t), 0); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345", &t), 0); ++ ++ /* forced UTC TZ */ ++ ASSERT_INT_EQ(parse_absolute_time("20000101Z", &t), 0); ++ ASSERT_U64_EQ(t, 946684800); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223Z", &t), 0); ++ ASSERT_U64_EQ(t, 946729380); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345Z", &t), 0); ++ ASSERT_U64_EQ(t, 946729425); ++ ASSERT_INT_EQ(parse_absolute_time("20000101UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946684800); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946729380); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946729425); ++ ++ /* Bad month */ ++ ASSERT_INT_EQ(parse_absolute_time("20001301", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000001", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Incomplete */ ++ ASSERT_INT_EQ(parse_absolute_time("2", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("2000", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("2000010", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001010", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Bad day, hour, minute, second */ ++ ASSERT_INT_EQ(parse_absolute_time("20000199", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001019900", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001010099", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101000099", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Invalid TZ specifier */ ++ ASSERT_INT_EQ(parse_absolute_time("20000101ZZ", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101PDT", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101U", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101UTCUTC", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ++ TEST_DONE(); + } +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 5f429813..6aeab1cb 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -511,8 +511,11 @@ Print the full public key to standard output after signature verification. + .It Cm verify-time Ns = Ns Ar timestamp + Specifies a time to use when validating signatures instead of the current + time. +-The time may be specified as a date in YYYYMMDD format or a time +-in YYYYMMDDHHMM[SS] format. ++The time may be specified as a date or time in the YYYYMMDD[Z] or ++in YYYYMMDDHHMM[SS][Z] formats. ++Dates and times will be interpreted in the current system time zone unless ++suffixed with a Z character, which causes them to be interpreted in the ++UTC time zone. + .El + .Pp + The +@@ -603,31 +606,67 @@ A validity interval may consist of a single time, indicating that the + certificate is valid beginning now and expiring at that time, or may consist + of two times separated by a colon to indicate an explicit time interval. + .Pp +-The start time may be specified as the string ++The start time may be specified as: ++.Bl -bullet -compact ++.It ++The string + .Dq always +-to indicate the certificate has no specified start time, +-a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format, +-a relative time (to the current time) consisting of a minus sign followed by +-an interval in the format described in the ++to indicate the certificate has no specified start time. ++.It ++A date or time in the system time zone formatted as YYYYMMDD or ++YYYYMMDDHHMM[SS]. ++.It ++A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. ++.It ++A relative time before the current system time consisting of a minus sign ++followed by an interval in the format described in the + TIME FORMATS section of + .Xr sshd_config 5 . ++.It ++A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal ++number beginning with ++.Dq 0x . ++.El + .Pp +-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time, +-a relative time starting with a plus character or the string ++The end time may be specified similarly to the start time: ++.Bl -bullet -compact ++.It ++The string + .Dq forever +-to indicate that the certificate has no expiry date. ++to indicate the certificate has no specified end time. ++.It ++A date or time in the system time zone formatted as YYYYMMDD or ++YYYYMMDDHHMM[SS]. ++.It ++A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. ++.It ++A relative time after the current system time consisting of a plus sign ++followed by an interval in the format described in the ++TIME FORMATS section of ++.Xr sshd_config 5 . ++.It ++A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal ++number beginning with ++.Dq 0x . ++.El + .Pp + For example: +-.Dq +52w1d +-(valid from now to 52 weeks and one day from now), +-.Dq -4w:+4w +-(valid from four weeks ago to four weeks from now), +-.Dq 20100101123000:20110101123000 +-(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), +-.Dq -1d:20110101 +-(valid from yesterday to midnight, January 1st, 2011), +-.Dq -1m:forever +-(valid from one minute ago and never expiring). ++.Bl -tag -width Ds ++.It +52w1d ++Valid from now to 52 weeks and one day from now. ++.It -4w:+4w ++Valid from four weeks ago to four weeks from now. ++.It 20100101123000:20110101123000 ++Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. ++.It 20100101123000Z:20110101123000Z ++Similar, but interpreted in the UTC time zone rather than the system time zone. ++.It -1d:20110101 ++Valid from yesterday to midnight, January 1st, 2011. ++.It 0x1:0x2000000000 ++Valid from roughly early 1970 to May 2033. ++.It -1m:forever ++Valid from one minute ago and never expiring. ++.El + .It Fl v + Verbose mode. + Causes +@@ -1206,7 +1245,10 @@ signature object and presented on the verification command-line must + match the specified list before the key will be considered acceptable. + .It Cm valid-after Ns = Ns "timestamp" + Indicates that the key is valid for use at or after the specified timestamp, +-which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format. ++which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] formats. ++Dates and times will be interpreted in the current system time zone unless ++suffixed with a Z character, which causes them to be interpreted in the UTC ++time zone. + .It Cm valid-before Ns = Ns "timestamp" + Indicates that the key is valid for use at or before the specified timestamp. + .El +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 20b321cc..9b2beda0 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -1916,6 +1916,21 @@ parse_relative_time(const char *s, time_t now) + return now + (u_int64_t)(secs * mul); + } + ++static void ++parse_hex_u64(const char *s, uint64_t *up) ++{ ++ char *ep; ++ unsigned long long ull; ++ ++ errno = 0; ++ ull = strtoull(s, &ep, 16); ++ if (*s == '\0' || *ep != '\0') ++ fatal("Invalid certificate time: not a number"); ++ if (errno == ERANGE && ull == ULONG_MAX) ++ fatal_fr(SSH_ERR_SYSTEM_ERROR, "Invalid certificate time"); ++ *up = (uint64_t)ull; ++} ++ + static void + parse_cert_times(char *timespec) + { +@@ -1938,8 +1953,8 @@ parse_cert_times(char *timespec) + + /* + * from:to, where +- * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always" +- * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever" ++ * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "always" ++ * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "forever" + */ + from = xstrdup(timespec); + to = strchr(from, ':'); +@@ -1951,6 +1966,8 @@ parse_cert_times(char *timespec) + cert_valid_from = parse_relative_time(from, now); + else if (strcmp(from, "always") == 0) + cert_valid_from = 0; ++ else if (strncmp(from, "0x", 2) == 0) ++ parse_hex_u64(from, &cert_valid_from); + else if (parse_absolute_time(from, &cert_valid_from) != 0) + fatal("Invalid from time \"%s\"", from); + +@@ -1958,6 +1975,8 @@ parse_cert_times(char *timespec) + cert_valid_to = parse_relative_time(to, now); + else if (strcmp(to, "forever") == 0) + cert_valid_to = ~(u_int64_t)0; ++ else if (strncmp(to, "0x", 2) == 0) ++ parse_hex_u64(to, &cert_valid_to); + else if (parse_absolute_time(to, &cert_valid_to) != 0) + fatal("Invalid to time \"%s\"", to); + +diff --git a/sshd.8 b/sshd.8 +index 2b50514e..8ccc5bc0 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -533,8 +533,9 @@ controlled via the + option. + .It Cm expiry-time="timespec" + Specifies a time after which the key will not be accepted. +-The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time +-in the system time-zone. ++The time may be specified as a YYYYMMDD[Z] date or a YYYYMMDDHHMM[SS][Z] time. ++Dates and times will be interpreted in the system time zone unless suffixed ++by a Z character, in which case they will be interpreted in the UTC time zone. + .It Cm from="pattern-list" + Specifies that in addition to public key authentication, either the canonical + name of the remote host or its IP address must be present in the diff --git a/openssh.spec b/openssh.spec index 29682b8..be72146 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 32 +%global openssh_rel 33 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -274,6 +274,11 @@ Patch1012: openssh-8.7p1-evp-pkcs11.patch # clarify rhbz#2068423 on the man page of ssh_config Patch1013: openssh-8.7p1-man-hostkeyalgos.patch +# upstream commits +# ec1ddb72a146fd66d18df9cd423517453a5d8044 +# b98a42afb69d60891eb0488935990df6ee571c4 +# a00f59a645072e5f5a8d207af15916a7b23e2642 +Patch1014: openssh-8.7p1-UTC-time-parse.patch License: BSD Requires: /sbin/nologin @@ -491,6 +496,7 @@ popd %patch1012 -p1 -b .evp_pkcs11 %patch1013 -p1 -b .man-hostkeyalgos +%patch1014 -p1 -b .utc_parse autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -777,6 +783,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Tue Jun 13 2023 Dmitry Belyavskiy - 8.7p1-33 +- Allow specifying validity interval in UTC + Resolves: rhbz#2115043 + * Wed May 24 2023 Norbert Pocs - 8.7p1-32 - Fix pkcs11 issue with the recent changes - Delete unnecessary log messages from previous compl-dh patch From 6fa799e1aad28b98d7e9b01c4c6ab109e491720d Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jul 20 2023 10:02:42 +0000 Subject: [PATCH 18/21] Avoid remote code execution in ssh-agent PKCS#11 support Resolves: CVE-2023-38408 --- diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch new file mode 100644 index 0000000..5632ba1 --- /dev/null +++ b/openssh-9.3p1-upstream-cve-2023-38408.patch @@ -0,0 +1,17 @@ +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 6be647ec..ebddf6c3 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ From edaf6c0fb436ba3c8daea56eefb7c8db76b8465c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jul 20 2023 10:10:35 +0000 Subject: [PATCH 19/21] Avoid remote code execution in ssh-agent PKCS#11 support Resolves: CVE-2023-38408 --- diff --git a/openssh.spec b/openssh.spec index be72146..aa68685 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 33 +%global openssh_rel 34 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -279,6 +279,9 @@ Patch1013: openssh-8.7p1-man-hostkeyalgos.patch # b98a42afb69d60891eb0488935990df6ee571c4 # a00f59a645072e5f5a8d207af15916a7b23e2642 Patch1014: openssh-8.7p1-UTC-time-parse.patch +# upsream commit +# b23fe83f06ee7e721033769cfa03ae840476d280 +Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch License: BSD Requires: /sbin/nologin @@ -497,6 +500,7 @@ popd %patch1013 -p1 -b .man-hostkeyalgos %patch1014 -p1 -b .utc_parse +%patch1015 -p1 -b .cve-2023-38408 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -783,6 +787,10 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Jul 20 2023 Dmitry Belyavskiy - 8.7p1-34 +- Avoid remote code execution in ssh-agent PKCS#11 support + Resolves: CVE-2023-38408 + * Tue Jun 13 2023 Dmitry Belyavskiy - 8.7p1-33 - Allow specifying validity interval in UTC Resolves: rhbz#2115043 From 4c983d0192cb62cc26aee37e820c1d6a4ac5183d Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Aug 03 2023 23:35:15 +0000 Subject: [PATCH 20/21] Merge upstream changes for 8.7p1-29.6 --- diff --git a/fb87_slog.patch b/fb87_slog.patch index e6e907b..ffeb03d 100644 --- a/fb87_slog.patch +++ b/fb87_slog.patch @@ -1,7 +1,7 @@ -Index: b/slog.c +Index: openssh-8.7p1/slog.c =================================================================== --- /dev/null -+++ b/slog.c ++++ openssh-8.7p1/slog.c @@ -0,0 +1,619 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. @@ -622,51 +622,51 @@ Index: b/slog.c + return "Unknown session state"; // Should never happen + } +} -Index: b/servconf.c +Index: openssh-8.7p1/servconf.c =================================================================== ---- b.orig/servconf.c -+++ b/servconf.c -@@ -204,6 +204,9 @@ initialize_server_options(ServerOptions +--- openssh-8.7p1.orig/servconf.c ++++ openssh-8.7p1/servconf.c +@@ -205,6 +205,9 @@ initialize_server_options(ServerOptions options->disable_forwarding = -1; options->expose_userauth_info = -1; - options->rsa_min_size = -1; -+ options->log_format_prefix = NULL; -+ options->num_log_format_keys = 0; -+ options->log_format_json = -1; + options->required_rsa_size = -1; ++ options->log_format_prefix = NULL; ++ options->num_log_format_keys = 0; ++ options->log_format_json = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -473,6 +476,8 @@ fill_default_server_options(ServerOption +@@ -474,6 +477,8 @@ fill_default_server_options(ServerOption options->sk_provider = xstrdup("internal"); - if (options->rsa_min_size == -1) - options->rsa_min_size = SSH_RSA_MINIMUM_MODULUS_SIZE; -+ if (options->log_format_json == -1) -+ options->log_format_json = 0; + if (options->required_rsa_size == -1) + options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; ++ if (options->log_format_json == -1) ++ options->log_format_json = 0; assemble_algorithms(options); -@@ -553,6 +558,10 @@ typedef enum { +@@ -554,6 +559,10 @@ typedef enum { sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, - sRSAMinSize, -+ /* Structured Logging options. Unless sLogFormatKeys is set, -+ structured logging is disabled */ -+ sLogFormatPrefix, sLogFormatKeys, sLogFormatJson, + sRequiredRSASize, ++ /* Structured Logging options. Unless sLogFormatKeys is set, ++ structured logging is disabled */ ++ sLogFormatPrefix, sLogFormatKeys, sLogFormatJson, + sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -730,6 +739,9 @@ static struct { - { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, +@@ -732,6 +741,9 @@ static struct { { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, - { "rsaminsize", sRSAMinSize, SSHCFG_ALL }, -+ { "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL }, -+ { "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL }, -+ { "logformatjson", sLogFormatJson, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, + { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */ ++ { "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL }, ++ { "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL }, ++ { "logformatjson", sLogFormatJson, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; -@@ -2367,6 +2379,30 @@ process_server_config_line_depth(ServerO +@@ -2369,6 +2381,30 @@ process_server_config_line_depth(ServerO } break; @@ -697,7 +697,7 @@ Index: b/servconf.c case sIPQoS: arg = argv_next(&ac, &av); if (!arg || *arg == '\0') -@@ -3024,6 +3060,7 @@ dump_config(ServerOptions *o) +@@ -3026,6 +3062,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); @@ -705,7 +705,7 @@ Index: b/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -@@ -3054,6 +3091,7 @@ dump_config(ServerOptions *o) +@@ -3056,6 +3093,7 @@ dump_config(ServerOptions *o) #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN) dump_cfg_string(sRDomain, o->routing_domain); #endif @@ -713,7 +713,7 @@ Index: b/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -@@ -3076,6 +3114,7 @@ dump_config(ServerOptions *o) +@@ -3078,6 +3116,7 @@ dump_config(ServerOptions *o) o->num_auth_methods, o->auth_methods); dump_cfg_strarray_oneline(sLogVerbose, o->num_log_verbose, o->log_verbose); @@ -721,10 +721,10 @@ Index: b/servconf.c /* other arguments */ for (i = 0; i < o->num_subsystems; i++) -Index: b/auth2-pubkey.c +Index: openssh-8.7p1/auth2-pubkey.c =================================================================== ---- b.orig/auth2-pubkey.c -+++ b/auth2-pubkey.c +--- openssh-8.7p1.orig/auth2-pubkey.c ++++ openssh-8.7p1/auth2-pubkey.c @@ -66,6 +66,7 @@ #include "monitor_wrap.h" #include "authfile.h" @@ -733,7 +733,7 @@ Index: b/auth2-pubkey.c #include "ssherr.h" #include "channels.h" /* XXX for session.h */ #include "session.h" /* XXX for child_set_env(); refactor? */ -@@ -389,6 +390,7 @@ check_principals_line(struct ssh *ssh, c +@@ -390,6 +391,7 @@ check_principals_line(struct ssh *ssh, c debug3("%s: matched principal \"%.100s\"", loc, cert->principals[i]); found = 1; @@ -741,7 +741,7 @@ Index: b/auth2-pubkey.c } if (found && authoptsp != NULL) { *authoptsp = opts; -@@ -714,6 +716,7 @@ check_authkey_line(struct ssh *ssh, stru +@@ -715,6 +717,7 @@ check_authkey_line(struct ssh *ssh, stru (unsigned long long)key->cert->serial, sshkey_type(found), fp, loc); @@ -749,7 +749,7 @@ Index: b/auth2-pubkey.c success: if (finalopts == NULL) fatal_f("internal error: missing options"); -@@ -864,6 +867,7 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -865,6 +868,7 @@ user_cert_trusted_ca(struct ssh *ssh, st *authoptsp = final_opts; final_opts = NULL; } @@ -757,10 +757,10 @@ Index: b/auth2-pubkey.c ret = 1; out: sshauthopt_free(principals_opts); -Index: b/regress/test-exec.sh +Index: openssh-8.7p1/regress/test-exec.sh =================================================================== ---- b.orig/regress/test-exec.sh -+++ b/regress/test-exec.sh +--- openssh-8.7p1.orig/regress/test-exec.sh ++++ openssh-8.7p1/regress/test-exec.sh @@ -689,7 +689,7 @@ start_sshd () trace "wait for sshd" @@ -770,10 +770,10 @@ Index: b/regress/test-exec.sh i=`expr $i + 1` sleep $i done -Index: b/session.c +Index: openssh-8.7p1/session.c =================================================================== ---- b.orig/session.c -+++ b/session.c +--- openssh-8.7p1.orig/session.c ++++ openssh-8.7p1/session.c @@ -96,6 +96,8 @@ #include "monitor_wrap.h" #include "sftp.h" @@ -813,10 +813,10 @@ Index: b/session.c return remote; } - -Index: b/log.h +Index: openssh-8.7p1/log.h =================================================================== ---- b.orig/log.h -+++ b/log.h +--- openssh-8.7p1.orig/log.h ++++ openssh-8.7p1/log.h @@ -133,4 +133,6 @@ void sshlogdirect(LogLevel, int, const #define logdie_fr(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) #define sigdie_fr(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) @@ -824,10 +824,10 @@ Index: b/log.h +void do_log_slog_payload(const char *); + #endif -Index: b/log.c +Index: openssh-8.7p1/log.c =================================================================== ---- b.orig/log.c -+++ b/log.c +--- openssh-8.7p1.orig/log.c ++++ openssh-8.7p1/log.c @@ -529,3 +529,39 @@ sshlogdirect(LogLevel level, int forced, do_log(level, forced, NULL, fmt, args); va_end(args); @@ -868,10 +868,10 @@ Index: b/log.c + } + errno = saved_errno; +} -Index: b/slog.h +Index: openssh-8.7p1/slog.h =================================================================== --- /dev/null -+++ b/slog.h ++++ openssh-8.7p1/slog.h @@ -0,0 +1,41 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. @@ -914,10 +914,10 @@ Index: b/slog.h +void slog_log_session(void); + +#endif -Index: b/sshd.c +Index: openssh-8.7p1/sshd.c =================================================================== ---- b.orig/sshd.c -+++ b/sshd.c +--- openssh-8.7p1.orig/sshd.c ++++ openssh-8.7p1/sshd.c @@ -132,6 +132,8 @@ #include "sk-api.h" #include "srclimit.h" @@ -927,7 +927,7 @@ Index: b/sshd.c /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) -@@ -2149,6 +2151,7 @@ main(int ac, char **av) +@@ -2163,6 +2165,7 @@ main(int ac, char **av) } /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -935,7 +935,7 @@ Index: b/sshd.c if (FIPS_mode()) { debug("FIPS mode initialized"); -@@ -2315,8 +2318,15 @@ main(int ac, char **av) +@@ -2332,8 +2335,15 @@ main(int ac, char **av) rdomain == NULL ? "" : " rdomain \"", rdomain == NULL ? "" : rdomain, rdomain == NULL ? "" : "\""); @@ -952,7 +952,7 @@ Index: b/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2638,6 +2648,7 @@ cleanup_exit(int i) +@@ -2655,6 +2665,7 @@ cleanup_exit(int i) if (in_cleanup) _exit(i); in_cleanup = 1; @@ -960,10 +960,10 @@ Index: b/sshd.c if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -Index: b/sshd_config +Index: openssh-8.7p1/sshd_config =================================================================== ---- b.orig/sshd_config -+++ b/sshd_config +--- openssh-8.7p1.orig/sshd_config ++++ openssh-8.7p1/sshd_config @@ -33,6 +33,15 @@ Include /etc/ssh/sshd_config.d/*.conf # Logging #SyslogFacility AUTH @@ -980,10 +980,10 @@ Index: b/sshd_config # Authentication: -Index: b/auth-pam.c +Index: openssh-8.7p1/auth-pam.c =================================================================== ---- b.orig/auth-pam.c -+++ b/auth-pam.c +--- openssh-8.7p1.orig/auth-pam.c ++++ openssh-8.7p1/auth-pam.c @@ -94,6 +94,7 @@ extern char *__progname; #include "auth-pam.h" #include "canohost.h" @@ -1006,10 +1006,10 @@ Index: b/auth-pam.c else { sshpam_session_open = 0; auth_restrict_session(ssh); -Index: b/servconf.h +Index: openssh-8.7p1/servconf.h =================================================================== ---- b.orig/servconf.h -+++ b/servconf.h +--- openssh-8.7p1.orig/servconf.h ++++ openssh-8.7p1/servconf.h @@ -22,6 +22,8 @@ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -1022,20 +1022,20 @@ Index: b/servconf.h @@ -239,6 +241,12 @@ typedef struct { u_int64_t timing_secret; char *sk_provider; - int rsa_min_size; /* minimum size of RSA keys */ + int required_rsa_size; /* minimum size of RSA keys */ + -+ char *log_format_prefix; -+ u_int num_log_format_keys; -+ char *log_format_keys[MAX_LOGFORMAT_KEYS]; -+ int log_format_json; /* 1 to return "token": "token_val" in log format */ ++ char *log_format_prefix; ++ u_int num_log_format_keys; ++ char *log_format_keys[MAX_LOGFORMAT_KEYS]; ++ int log_format_json; /* 1 to return "token": "token_val" in log format */ + } ServerOptions; /* Information about the incoming connection as used by Match */ -Index: b/regress/slog.sh +Index: openssh-8.7p1/regress/slog.sh =================================================================== --- /dev/null -+++ b/regress/slog.sh ++++ openssh-8.7p1/regress/slog.sh @@ -0,0 +1,59 @@ +tid='structured log' + @@ -1096,10 +1096,10 @@ Index: b/regress/slog.sh + +test_log_counts +test_json_valid -Index: b/Makefile.in +Index: openssh-8.7p1/Makefile.in =================================================================== ---- b.orig/Makefile.in -+++ b/Makefile.in +--- openssh-8.7p1.orig/Makefile.in ++++ openssh-8.7p1/Makefile.in @@ -129,7 +129,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw monitor.o monitor_wrap.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ @@ -1118,10 +1118,10 @@ Index: b/Makefile.in rm -rf autom4te.cache rm -f regress/check-perm rm -f regress/mkdtemp -Index: b/auth.c +Index: openssh-8.7p1/auth.c =================================================================== ---- b.orig/auth.c -+++ b/auth.c +--- openssh-8.7p1.orig/auth.c ++++ openssh-8.7p1/auth.c @@ -76,6 +76,7 @@ #include "ssherr.h" #include "compat.h" diff --git a/openssh.spec b/openssh.spec index bde5c0b..350d05e 100644 --- a/openssh.spec +++ b/openssh.spec @@ -56,7 +56,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 %global openssh_rel 29 -%global hyperscale_rel 5 +%global hyperscale_rel 6 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -827,6 +827,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Apr 24 2023 Raymond Colebaugh - 8.7p1-29.6 + 0.10.4-5.6 +- Merge new changes from upstream + * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients Resolves: rhbz#2186473 From 1b7f4c8ad78f04d9f770a6b09e843d8f0e913a34 Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Aug 04 2023 00:06:24 +0000 Subject: [PATCH 21/21] Merge upstream changes for 8.7p1-34.7 --- diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index e372f09..f12f40e 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -74,33 +74,6 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c close(c->sock); c->sock = c->rfd = c->wfd = sock; channel_find_maxfd(ssh->chanctxt); -@@ -3804,7 +3804,7 @@ int - channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) - { - int r, success = 0, idx = -1; -- char *host_to_connect, *listen_host, *listen_path; -+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL; - int port_to_connect, listen_port; - - /* Send the forward request to the remote side. */ -@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct - success = 1; - if (success) { - /* Record that connection to this host/port is permitted. */ -- host_to_connect = listen_host = listen_path = NULL; - port_to_connect = listen_port = 0; - if (fwd->connect_path != NULL) { - host_to_connect = xstrdup(fwd->connect_path); -@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct - host_to_connect, port_to_connect, - listen_host, listen_path, listen_port, NULL); - } -+ free(host_to_connect); -+ free(listen_host); -+ free(listen_path); - return idx; - } - diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 diff --git a/openssh-8.7p1-UTC-time-parse.patch b/openssh-8.7p1-UTC-time-parse.patch new file mode 100644 index 0000000..1fd953d --- /dev/null +++ b/openssh-8.7p1-UTC-time-parse.patch @@ -0,0 +1,323 @@ +diff --git a/misc.c b/misc.c +index a8e87430..f2135803 100644 +--- a/misc.c ++++ b/misc.c +@@ -2399,15 +2399,26 @@ parse_absolute_time(const char *s, uint64_t *tp) + struct tm tm; + time_t tt; + char buf[32], *fmt; ++ const char *cp; ++ size_t l; ++ int is_utc = 0; + + *tp = 0; + ++ l = strlen(s); ++ if (l > 1 && strcasecmp(s + l - 1, "Z") == 0) { ++ is_utc = 1; ++ l--; ++ } else if (l > 3 && strcasecmp(s + l - 3, "UTC") == 0) { ++ is_utc = 1; ++ l -= 3; ++ } + /* + * POSIX strptime says "The application shall ensure that there + * is white-space or other non-alphanumeric characters between + * any two conversion specifications" so arrange things this way. + */ +- switch (strlen(s)) { ++ switch (l) { + case 8: /* YYYYMMDD */ + fmt = "%Y-%m-%d"; + snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6); +@@ -2427,10 +2438,15 @@ parse_absolute_time(const char *s, uint64_t *tp) + } + + memset(&tm, 0, sizeof(tm)); +- if (strptime(buf, fmt, &tm) == NULL) +- return SSH_ERR_INVALID_FORMAT; +- if ((tt = mktime(&tm)) < 0) ++ if ((cp = strptime(buf, fmt, &tm)) == NULL || *cp != '\0') + return SSH_ERR_INVALID_FORMAT; ++ if (is_utc) { ++ if ((tt = timegm(&tm)) < 0) ++ return SSH_ERR_INVALID_FORMAT; ++ } else { ++ if ((tt = mktime(&tm)) < 0) ++ return SSH_ERR_INVALID_FORMAT; ++ } + /* success */ + *tp = (uint64_t)tt; + return 0; +diff --git a/regress/unittests/misc/test_convtime.c b/regress/unittests/misc/test_convtime.c +index ef6fd77d..4794dbd9 100644 +--- a/regress/unittests/misc/test_convtime.c ++++ b/regress/unittests/misc/test_convtime.c +@@ -20,6 +20,7 @@ + + #include "log.h" + #include "misc.h" ++#include "ssherr.h" + + void test_convtime(void); + +@@ -27,6 +28,7 @@ void + test_convtime(void) + { + char buf[1024]; ++ uint64_t t; + + TEST_START("misc_convtime"); + ASSERT_INT_EQ(convtime("0"), 0); +@@ -56,4 +58,64 @@ test_convtime(void) + ASSERT_INT_EQ(convtime("3550w5d3h14m8s"), -1); + #endif + TEST_DONE(); ++ ++ /* XXX timezones/DST make verification of this tricky */ ++ /* XXX maybe setenv TZ and tzset() to make it unambiguous? */ ++ TEST_START("misc_parse_absolute_time"); ++ ASSERT_INT_EQ(parse_absolute_time("20000101", &t), 0); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223", &t), 0); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345", &t), 0); ++ ++ /* forced UTC TZ */ ++ ASSERT_INT_EQ(parse_absolute_time("20000101Z", &t), 0); ++ ASSERT_U64_EQ(t, 946684800); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223Z", &t), 0); ++ ASSERT_U64_EQ(t, 946729380); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345Z", &t), 0); ++ ASSERT_U64_EQ(t, 946729425); ++ ASSERT_INT_EQ(parse_absolute_time("20000101UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946684800); ++ ASSERT_INT_EQ(parse_absolute_time("200001011223UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946729380); ++ ASSERT_INT_EQ(parse_absolute_time("20000101122345UTC", &t), 0); ++ ASSERT_U64_EQ(t, 946729425); ++ ++ /* Bad month */ ++ ASSERT_INT_EQ(parse_absolute_time("20001301", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000001", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Incomplete */ ++ ASSERT_INT_EQ(parse_absolute_time("2", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("2000", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("2000010", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001010", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Bad day, hour, minute, second */ ++ ASSERT_INT_EQ(parse_absolute_time("20000199", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001019900", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("200001010099", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101000099", &t), ++ SSH_ERR_INVALID_FORMAT); ++ /* Invalid TZ specifier */ ++ ASSERT_INT_EQ(parse_absolute_time("20000101ZZ", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101PDT", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101U", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ASSERT_INT_EQ(parse_absolute_time("20000101UTCUTC", &t), ++ SSH_ERR_INVALID_FORMAT); ++ ++ TEST_DONE(); + } +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index 5f429813..6aeab1cb 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -511,8 +511,11 @@ Print the full public key to standard output after signature verification. + .It Cm verify-time Ns = Ns Ar timestamp + Specifies a time to use when validating signatures instead of the current + time. +-The time may be specified as a date in YYYYMMDD format or a time +-in YYYYMMDDHHMM[SS] format. ++The time may be specified as a date or time in the YYYYMMDD[Z] or ++in YYYYMMDDHHMM[SS][Z] formats. ++Dates and times will be interpreted in the current system time zone unless ++suffixed with a Z character, which causes them to be interpreted in the ++UTC time zone. + .El + .Pp + The +@@ -603,31 +606,67 @@ A validity interval may consist of a single time, indicating that the + certificate is valid beginning now and expiring at that time, or may consist + of two times separated by a colon to indicate an explicit time interval. + .Pp +-The start time may be specified as the string ++The start time may be specified as: ++.Bl -bullet -compact ++.It ++The string + .Dq always +-to indicate the certificate has no specified start time, +-a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format, +-a relative time (to the current time) consisting of a minus sign followed by +-an interval in the format described in the ++to indicate the certificate has no specified start time. ++.It ++A date or time in the system time zone formatted as YYYYMMDD or ++YYYYMMDDHHMM[SS]. ++.It ++A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. ++.It ++A relative time before the current system time consisting of a minus sign ++followed by an interval in the format described in the + TIME FORMATS section of + .Xr sshd_config 5 . ++.It ++A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal ++number beginning with ++.Dq 0x . ++.El + .Pp +-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time, +-a relative time starting with a plus character or the string ++The end time may be specified similarly to the start time: ++.Bl -bullet -compact ++.It ++The string + .Dq forever +-to indicate that the certificate has no expiry date. ++to indicate the certificate has no specified end time. ++.It ++A date or time in the system time zone formatted as YYYYMMDD or ++YYYYMMDDHHMM[SS]. ++.It ++A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. ++.It ++A relative time after the current system time consisting of a plus sign ++followed by an interval in the format described in the ++TIME FORMATS section of ++.Xr sshd_config 5 . ++.It ++A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal ++number beginning with ++.Dq 0x . ++.El + .Pp + For example: +-.Dq +52w1d +-(valid from now to 52 weeks and one day from now), +-.Dq -4w:+4w +-(valid from four weeks ago to four weeks from now), +-.Dq 20100101123000:20110101123000 +-(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), +-.Dq -1d:20110101 +-(valid from yesterday to midnight, January 1st, 2011), +-.Dq -1m:forever +-(valid from one minute ago and never expiring). ++.Bl -tag -width Ds ++.It +52w1d ++Valid from now to 52 weeks and one day from now. ++.It -4w:+4w ++Valid from four weeks ago to four weeks from now. ++.It 20100101123000:20110101123000 ++Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. ++.It 20100101123000Z:20110101123000Z ++Similar, but interpreted in the UTC time zone rather than the system time zone. ++.It -1d:20110101 ++Valid from yesterday to midnight, January 1st, 2011. ++.It 0x1:0x2000000000 ++Valid from roughly early 1970 to May 2033. ++.It -1m:forever ++Valid from one minute ago and never expiring. ++.El + .It Fl v + Verbose mode. + Causes +@@ -1206,7 +1245,10 @@ signature object and presented on the verification command-line must + match the specified list before the key will be considered acceptable. + .It Cm valid-after Ns = Ns "timestamp" + Indicates that the key is valid for use at or after the specified timestamp, +-which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format. ++which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] formats. ++Dates and times will be interpreted in the current system time zone unless ++suffixed with a Z character, which causes them to be interpreted in the UTC ++time zone. + .It Cm valid-before Ns = Ns "timestamp" + Indicates that the key is valid for use at or before the specified timestamp. + .El +diff --git a/ssh-keygen.c b/ssh-keygen.c +index 20b321cc..9b2beda0 100644 +--- a/ssh-keygen.c ++++ b/ssh-keygen.c +@@ -1916,6 +1916,21 @@ parse_relative_time(const char *s, time_t now) + return now + (u_int64_t)(secs * mul); + } + ++static void ++parse_hex_u64(const char *s, uint64_t *up) ++{ ++ char *ep; ++ unsigned long long ull; ++ ++ errno = 0; ++ ull = strtoull(s, &ep, 16); ++ if (*s == '\0' || *ep != '\0') ++ fatal("Invalid certificate time: not a number"); ++ if (errno == ERANGE && ull == ULONG_MAX) ++ fatal_fr(SSH_ERR_SYSTEM_ERROR, "Invalid certificate time"); ++ *up = (uint64_t)ull; ++} ++ + static void + parse_cert_times(char *timespec) + { +@@ -1938,8 +1953,8 @@ parse_cert_times(char *timespec) + + /* + * from:to, where +- * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always" +- * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever" ++ * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "always" ++ * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | 0x... | "forever" + */ + from = xstrdup(timespec); + to = strchr(from, ':'); +@@ -1951,6 +1966,8 @@ parse_cert_times(char *timespec) + cert_valid_from = parse_relative_time(from, now); + else if (strcmp(from, "always") == 0) + cert_valid_from = 0; ++ else if (strncmp(from, "0x", 2) == 0) ++ parse_hex_u64(from, &cert_valid_from); + else if (parse_absolute_time(from, &cert_valid_from) != 0) + fatal("Invalid from time \"%s\"", from); + +@@ -1958,6 +1975,8 @@ parse_cert_times(char *timespec) + cert_valid_to = parse_relative_time(to, now); + else if (strcmp(to, "forever") == 0) + cert_valid_to = ~(u_int64_t)0; ++ else if (strncmp(to, "0x", 2) == 0) ++ parse_hex_u64(to, &cert_valid_to); + else if (parse_absolute_time(to, &cert_valid_to) != 0) + fatal("Invalid to time \"%s\"", to); + +diff --git a/sshd.8 b/sshd.8 +index 2b50514e..8ccc5bc0 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -533,8 +533,9 @@ controlled via the + option. + .It Cm expiry-time="timespec" + Specifies a time after which the key will not be accepted. +-The time may be specified as a YYYYMMDD date or a YYYYMMDDHHMM[SS] time +-in the system time-zone. ++The time may be specified as a YYYYMMDD[Z] date or a YYYYMMDDHHMM[SS][Z] time. ++Dates and times will be interpreted in the system time zone unless suffixed ++by a Z character, in which case they will be interpreted in the UTC time zone. + .It Cm from="pattern-list" + Specifies that in addition to public key authentication, either the canonical + name of the remote host or its IP address must be present in the diff --git a/openssh-8.7p1-evp-fips-compl-dh.patch b/openssh-8.7p1-evp-fips-compl-dh.patch new file mode 100644 index 0000000..ec04910 --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-dh.patch @@ -0,0 +1,292 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/dh.c openssh-8.7p1-patched/dh.c +--- openssh-8.7p1/dh.c 2023-05-25 09:01:23.295627077 +0200 ++++ openssh-8.7p1-patched/dh.c 2023-05-25 09:00:56.519332820 +0200 +@@ -37,6 +37,9 @@ + #include + #include + #include ++#include ++#include ++#include + + #include "dh.h" + #include "pathnames.h" +@@ -290,10 +293,15 @@ + int + dh_gen_key(DH *dh, int need) + { +- int pbits; +- const BIGNUM *dh_p, *pub_key; ++ const BIGNUM *dh_p, *dh_g; ++ BIGNUM *pub_key = NULL, *priv_key = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ int pbits, r = 0; + +- DH_get0_pqg(dh, &dh_p, NULL, NULL); ++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g); + + if (need < 0 || dh_p == NULL || + (pbits = BN_num_bits(dh_p)) <= 0 || +@@ -301,19 +309,85 @@ + return SSH_ERR_INVALID_ARGUMENT; + if (need < 256) + need = 256; ++ ++ if ((param_bld = OSSL_PARAM_BLD_new()) == NULL || ++ (ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL)) == NULL) { ++ OSSL_PARAM_BLD_free(param_bld); ++ return SSH_ERR_ALLOC_FAIL; ++ } ++ ++ if (OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_FFC_P, dh_p) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_FFC_G, dh_g) != 1) { ++ error_f("Could not set p,q,g parameters"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } + /* + * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), + * so double requested need here. + */ +- if (!DH_set_length(dh, MINIMUM(need * 2, pbits - 1))) +- return SSH_ERR_LIBCRYPTO_ERROR; +- +- if (DH_generate_key(dh) == 0) +- return SSH_ERR_LIBCRYPTO_ERROR; +- DH_get0_key(dh, &pub_key, NULL); +- if (!dh_pub_is_valid(dh, pub_key)) +- return SSH_ERR_INVALID_FORMAT; +- return 0; ++ if (OSSL_PARAM_BLD_push_int(param_bld, ++ OSSL_PKEY_PARAM_DH_PRIV_LEN, ++ MINIMUM(need * 2, pbits - 1)) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata(ctx, &pkey, ++ EVP_PKEY_KEY_PARAMETERS, params) != 1) { ++ error_f("Failed key generation"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* reuse context for key generation */ ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ EVP_PKEY_keygen_init(ctx) != 1) { ++ error_f("Could not create or init context"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_generate(ctx, &pkey) != 1) { ++ error_f("Could not generate keys"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_public_check(ctx) != 1) { ++ error_f("The public key is incorrect"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, ++ &pub_key) != 1 || ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, ++ &priv_key) != 1 || ++ DH_set0_key(dh, pub_key, priv_key) != 1) { ++ error_f("Could not set pub/priv keys to DH struct"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* transferred */ ++ pub_key = NULL; ++ priv_key = NULL; ++out: ++ OSSL_PARAM_free(params); ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey); ++ BN_clear_free(pub_key); ++ BN_clear_free(priv_key); ++ return r; + } + + DH * +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.c openssh-8.7p1-patched/kex.c +--- openssh-8.7p1/kex.c 2023-05-25 09:01:23.299627122 +0200 ++++ openssh-8.7p1-patched/kex.c 2023-05-25 09:00:56.519332820 +0200 +@@ -1603,3 +1603,47 @@ + return r; + } + ++#ifdef WITH_OPENSSL ++/* ++ * Creates an EVP_PKEY from the given parameters and keys. ++ * The private key can be omitted. ++ */ ++int ++kex_create_evp_dh(EVP_PKEY **pkey, const BIGNUM *p, const BIGNUM *q, ++ const BIGNUM *g, const BIGNUM *pub, const BIGNUM *priv) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ int r = 0; ++ ++ /* create EVP_PKEY-DH key */ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DH", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ error_f("EVP_PKEY_CTX or PARAM_BLD init failed"); ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ if (OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1 || ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, pub) != 1) { ++ error_f("Failed pushing params to OSSL_PARAM_BLD"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (priv != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) { ++ error_f("Failed pushing private key to OSSL_PARAM_BLD"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return r; ++} ++#endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kexdh.c openssh-8.7p1-patched/kexdh.c +--- openssh-8.7p1/kexdh.c 2023-05-25 09:01:23.237626425 +0200 ++++ openssh-8.7p1-patched/kexdh.c 2023-05-25 09:03:21.817957988 +0200 +@@ -35,6 +35,10 @@ + + #include "openbsd-compat/openssl-compat.h" + #include ++#include ++#include ++#include ++#include + + #include "sshkey.h" + #include "kex.h" +@@ -83,9 +87,12 @@ + kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out) + { + BIGNUM *shared_secret = NULL; ++ const BIGNUM *pub, *priv, *p, *q, *g; ++ EVP_PKEY *pkey = NULL, *dh_pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; + u_char *kbuf = NULL; + size_t klen = 0; +- int kout, r; ++ int kout, r = 0; + + #ifdef DEBUG_KEXDH + fprintf(stderr, "dh_pub= "); +@@ -100,24 +107,59 @@ + r = SSH_ERR_MESSAGE_INCOMPLETE; + goto out; + } +- klen = DH_size(kex->dh); ++ ++ DH_get0_key(kex->dh, &pub, &priv); ++ DH_get0_pqg(kex->dh, &p, &q, &g); ++ /* import key */ ++ r = kex_create_evp_dh(&pkey, p, q, g, pub, priv); ++ if (r != 0) { ++ error_f("Could not create EVP_PKEY for dh"); ++ ERR_print_errors_fp(stderr); ++ goto out; ++ } ++ /* import peer key ++ * the parameters should be the same as with pkey ++ */ ++ r = kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL); ++ if (r != 0) { ++ error_f("Could not import peer key for dh"); ++ ERR_print_errors_fp(stderr); ++ goto out; ++ } ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) { ++ error_f("Could not init EVP_PKEY_CTX for dh"); ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ if (EVP_PKEY_derive_init(ctx) != 1 || ++ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || ++ EVP_PKEY_derive(ctx, NULL, &klen) != 1) { ++ error_f("Could not get key size"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } + if ((kbuf = malloc(klen)) == NULL || + (shared_secret = BN_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 || +- BN_bin2bn(kbuf, kout, shared_secret) == NULL) { ++ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1 || ++ BN_bin2bn(kbuf, klen, shared_secret) == NULL) { ++ error_f("Could not derive key"); + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + #ifdef DEBUG_KEXDH +- dump_digest("shared secret", kbuf, kout); ++ dump_digest("shared secret", kbuf, klen); + #endif + r = sshbuf_put_bignum2(out, shared_secret); + out: + freezero(kbuf, klen); + BN_clear_free(shared_secret); ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_free(dh_pkey); ++ EVP_PKEY_CTX_free(ctx); + return r; + } + +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.h openssh-8.7p1-patched/kex.h +--- openssh-8.7p1/kex.h 2023-05-25 09:01:23.299627122 +0200 ++++ openssh-8.7p1-patched/kex.h 2023-05-25 09:00:56.519332820 +0200 +@@ -33,6 +33,9 @@ + # include + # include + # include ++# include ++# include ++# include + # ifdef OPENSSL_HAS_ECC + # include + # else /* OPENSSL_HAS_ECC */ +@@ -278,6 +281,8 @@ + const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int) + __attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE))) + __attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE))); ++int kex_create_evp_dh(EVP_PKEY **, const BIGNUM *, const BIGNUM *, ++ const BIGNUM *, const BIGNUM *, const BIGNUM *); + + #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH) + void dump_digest(const char *, const u_char *, int); diff --git a/openssh-8.7p1-evp-fips-compl-ecdh.patch b/openssh-8.7p1-evp-fips-compl-ecdh.patch new file mode 100644 index 0000000..0313c6f --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-ecdh.patch @@ -0,0 +1,207 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../openssh-8.7p1/kexecdh.c ./kexecdh.c +--- ../openssh-8.7p1/kexecdh.c 2021-08-20 06:03:49.000000000 +0200 ++++ ./kexecdh.c 2023-04-13 14:30:14.882449593 +0200 +@@ -35,17 +35,57 @@ + #include + + #include ++#include ++#include ++#include ++#include + + #include "sshkey.h" + #include "kex.h" + #include "sshbuf.h" + #include "digest.h" + #include "ssherr.h" ++#include "log.h" + + static int + kex_ecdh_dec_key_group(struct kex *, const struct sshbuf *, EC_KEY *key, + const EC_GROUP *, struct sshbuf **); + ++static EC_KEY * ++generate_ec_keys(int ec_nid) ++{ ++ EC_KEY *client_key = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ const char *group_name; ++ ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) ++ goto out; ++ if ((group_name = OSSL_EC_curve_nid2name(ec_nid)) == NULL || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ error_f("Could not create OSSL_PARAM"); ++ goto out; ++ } ++ if (EVP_PKEY_keygen_init(ctx) != 1 || ++ EVP_PKEY_CTX_set_params(ctx, params) != 1 || ++ EVP_PKEY_generate(ctx, &pkey) != 1 || ++ (client_key = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) { ++ error_f("Could not generate ec keys"); ++ goto out; ++ } ++out: ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_CTX_free(ctx); ++ OSSL_PARAM_BLD_free(param_bld); ++ OSSL_PARAM_free(params); ++ return client_key; ++} ++ + int + kex_ecdh_keypair(struct kex *kex) + { +@@ -55,11 +95,7 @@ + struct sshbuf *buf = NULL; + int r; + +- if ((client_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { +- r = SSH_ERR_ALLOC_FAIL; +- goto out; +- } +- if (EC_KEY_generate_key(client_key) != 1) { ++ if ((client_key = generate_ec_keys(kex->ec_nid)) == NULL) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +@@ -101,11 +137,7 @@ + *server_blobp = NULL; + *shared_secretp = NULL; + +- if ((server_key = EC_KEY_new_by_curve_name(kex->ec_nid)) == NULL) { +- r = SSH_ERR_ALLOC_FAIL; +- goto out; +- } +- if (EC_KEY_generate_key(server_key) != 1) { ++ if ((server_key = generate_ec_keys(kex->ec_nid)) == NULL) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +@@ -140,11 +172,21 @@ + { + struct sshbuf *buf = NULL; + BIGNUM *shared_secret = NULL; +- EC_POINT *dh_pub = NULL; +- u_char *kbuf = NULL; +- size_t klen = 0; ++ EVP_PKEY_CTX *ctx = NULL; ++ EVP_PKEY *pkey = NULL, *dh_pkey = NULL; ++ OSSL_PARAM_BLD *param_bld = NULL; ++ OSSL_PARAM *params = NULL; ++ u_char *kbuf = NULL, *pub = NULL; ++ size_t klen = 0, publen; ++ const char *group_name; + int r; + ++ /* import EC_KEY to EVP_PKEY */ ++ if ((r = ssh_create_evp_ec(key, kex->ec_nid, &pkey)) != 0) { ++ error_f("Could not create EVP_PKEY"); ++ goto out; ++ } ++ + *shared_secretp = NULL; + + if ((buf = sshbuf_new()) == NULL) { +@@ -153,45 +195,82 @@ + } + if ((r = sshbuf_put_stringb(buf, ec_blob)) != 0) + goto out; +- if ((dh_pub = EC_POINT_new(group)) == NULL) { ++ ++ /* the public key is in the buffer in octet string UNCOMPRESSED ++ * format. See sshbuf_put_ec */ ++ if ((r = sshbuf_get_string(buf, &pub, &publen)) != 0) ++ goto out; ++ sshbuf_reset(buf); ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if ((r = sshbuf_get_ec(buf, dh_pub, group)) != 0) { ++ if ((group_name = OSSL_EC_curve_nid2name(kex->ec_nid)) == NULL) { ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (OSSL_PARAM_BLD_push_octet_string(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, pub, publen) != 1 || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0) != 1 || ++ (params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ error_f("Failed to set params for dh_pkey"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1 || ++ EVP_PKEY_fromdata(ctx, &dh_pkey, ++ EVP_PKEY_PUBLIC_KEY, params) != 1 || ++ EVP_PKEY_public_check(ctx) != 1) { ++ error_f("Peer public key import failed"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +- sshbuf_reset(buf); + + #ifdef DEBUG_KEXECDH + fputs("public key:\n", stderr); +- sshkey_dump_ec_point(group, dh_pub); ++ EVP_PKEY_print_public_fp(stderr, dh_pkey, 0, NULL); + #endif +- if (sshkey_ec_validate_public(group, dh_pub) != 0) { +- r = SSH_ERR_MESSAGE_INCOMPLETE; ++ EVP_PKEY_CTX_free(ctx); ++ ctx = NULL; ++ if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL || ++ EVP_PKEY_derive_init(ctx) != 1 || ++ EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 || ++ EVP_PKEY_derive(ctx, NULL, &klen) != 1) { ++ error_f("Failed to get derive information"); ++ r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } +- klen = (EC_GROUP_get_degree(group) + 7) / 8; +- if ((kbuf = malloc(klen)) == NULL || +- (shared_secret = BN_new()) == NULL) { ++ if ((kbuf = malloc(klen)) == NULL) { + r = SSH_ERR_ALLOC_FAIL; + goto out; + } +- if (ECDH_compute_key(kbuf, klen, dh_pub, key, NULL) != (int)klen || +- BN_bin2bn(kbuf, klen, shared_secret) == NULL) { ++ if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } + #ifdef DEBUG_KEXECDH + dump_digest("shared secret", kbuf, klen); + #endif ++ if ((shared_secret = BN_new()) == NULL || ++ (BN_bin2bn(kbuf, klen, shared_secret) == NULL)) { ++ r = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } + if ((r = sshbuf_put_bignum2(buf, shared_secret)) != 0) + goto out; + *shared_secretp = buf; + buf = NULL; + out: +- EC_POINT_clear_free(dh_pub); ++ EVP_PKEY_CTX_free(ctx); ++ EVP_PKEY_free(pkey); ++ EVP_PKEY_free(dh_pkey); ++ OSSL_PARAM_BLD_free(param_bld); ++ OSSL_PARAM_free(params); + BN_clear_free(shared_secret); + freezero(kbuf, klen); ++ freezero(pub, publen); + sshbuf_free(buf); + return r; + } diff --git a/openssh-8.7p1-evp-fips-compl-sign.patch b/openssh-8.7p1-evp-fips-compl-sign.patch new file mode 100644 index 0000000..fc71678 --- /dev/null +++ b/openssh-8.7p1-evp-fips-compl-sign.patch @@ -0,0 +1,468 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-dss.c ./ssh-dss.c +--- ../../openssh-8.7p1/ssh-dss.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-dss.c 2023-03-08 15:34:33.508578129 +0100 +@@ -32,6 +32,8 @@ + #include + #include + #include ++#include ++#include + + #include + #include +@@ -72,9 +74,8 @@ + sshkey_type_plain(key->type) != KEY_DSA) + return SSH_ERR_INVALID_ARGUMENT; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len, + data, datalen); + EVP_PKEY_free(pkey); +@@ -201,11 +202,8 @@ + goto out; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_dss(key, &pkey)) != 0) + goto out; +- } + ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen, + sigb, slen); + EVP_PKEY_free(pkey); +@@ -221,4 +219,63 @@ + freezero(sigblob, len); + return ret; + } ++ ++int ++ssh_create_evp_dss(const struct sshkey *k, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub = NULL, *priv = NULL; ++ int ret = 0; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "DSA", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ DSA_get0_pqg(k->dsa, &p, &q, &g); ++ DSA_get0_key(k->dsa, &pub, &priv); ++ ++ if (p != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_P, p) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (q != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_Q, q) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (g != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_FFC_G, g) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (pub != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, ++ pub) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (priv != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, ++ priv) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return ret; ++} + #endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-ecdsa.c ./ssh-ecdsa.c +--- ../../openssh-8.7p1/ssh-ecdsa.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-ecdsa.c 2023-03-08 15:40:52.628201267 +0100 +@@ -34,6 +34,8 @@ + #include + #include + #include ++#include ++#include + + #include + +@@ -72,9 +74,8 @@ + if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, + datalen); + EVP_PKEY_free(pkey); +@@ -193,11 +194,8 @@ + goto out; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if (ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey) != 0) + goto out; +- } + ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len); + EVP_PKEY_free(pkey); + +@@ -212,4 +210,76 @@ + return ret; + } + ++int ++ssh_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ BN_CTX *bn_ctx = NULL; ++ uint8_t *pub_ser = NULL; ++ const char *group_name; ++ const EC_POINT *pub = NULL; ++ const BIGNUM *priv = NULL; ++ int ret = 0; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL || ++ (bn_ctx = BN_CTX_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ if ((group_name = OSSL_EC_curve_nid2name(ecdsa_nid)) == NULL || ++ OSSL_PARAM_BLD_push_utf8_string(param_bld, ++ OSSL_PKEY_PARAM_GROUP_NAME, ++ group_name, ++ strlen(group_name)) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((pub = EC_KEY_get0_public_key(k)) != NULL) { ++ const EC_GROUP *group; ++ size_t len; ++ ++ group = EC_KEY_get0_group(k); ++ len = EC_POINT_point2oct(group, pub, ++ POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); ++ if ((pub_ser = malloc(len)) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ EC_POINT_point2oct(group, ++ pub, ++ POINT_CONVERSION_UNCOMPRESSED, ++ pub_ser, ++ len, ++ bn_ctx); ++ if (OSSL_PARAM_BLD_push_octet_string(param_bld, ++ OSSL_PKEY_PARAM_PUB_KEY, ++ pub_ser, ++ len) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ } ++ if ((priv = EC_KEY_get0_private_key(k)) != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, ++ OSSL_PKEY_PARAM_PRIV_KEY, priv) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ BN_CTX_free(bn_ctx); ++ free(pub_ser); ++ return ret; ++} + #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.c ./sshkey.c +--- ../../openssh-8.7p1/sshkey.c 2023-03-08 15:35:14.702943628 +0100 ++++ ./sshkey.c 2023-03-08 15:39:03.354082015 +0100 +@@ -35,6 +35,8 @@ + #include + #include + #include ++#include ++#include + #endif + + #include "crypto_api.h" +@@ -492,13 +494,14 @@ + { + EVP_MD_CTX *ctx = NULL; + u_char *sig = NULL; +- int ret, slen, len; ++ int ret, slen; ++ size_t len; + + if (sigp == NULL || lenp == NULL) { + return SSH_ERR_INVALID_ARGUMENT; + } + +- slen = EVP_PKEY_size(pkey); ++ slen = EVP_PKEY_get_size(pkey); + if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) + return SSH_ERR_INVALID_ARGUMENT; + +@@ -511,9 +514,10 @@ + ret = SSH_ERR_ALLOC_FAIL; + goto error; + } +- if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_SignUpdate(ctx, data, datalen) <= 0 || +- EVP_SignFinal(ctx, sig, &len, pkey) <= 0) { ++ if (EVP_DigestSignInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestSignUpdate(ctx, data, datalen) != 1 || ++ EVP_DigestSignFinal(ctx, sig, &len) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto error; + } +@@ -540,12 +544,13 @@ + if ((ctx = EVP_MD_CTX_new()) == NULL) { + return SSH_ERR_ALLOC_FAIL; + } +- if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 || +- EVP_VerifyUpdate(ctx, data, datalen) <= 0) { ++ if (EVP_DigestVerifyInit(ctx, NULL, ssh_digest_to_md(hash_alg), ++ NULL, pkey) != 1 || ++ EVP_DigestVerifyUpdate(ctx, data, datalen) != 1) { + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto done; + } +- ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey); ++ ret = EVP_DigestVerifyFinal(ctx, sigbuf, siglen); + switch (ret) { + case 1: + ret = 0; +@@ -5038,3 +5043,27 @@ + return 0; + } + #endif /* WITH_XMSS */ ++ ++#ifdef WITH_OPENSSL ++EVP_PKEY * ++sshkey_create_evp(OSSL_PARAM_BLD *param_bld, EVP_PKEY_CTX *ctx) ++{ ++ EVP_PKEY *ret = NULL; ++ OSSL_PARAM *params = NULL; ++ if (param_bld == NULL || ctx == NULL) { ++ debug2_f("param_bld or ctx is NULL"); ++ return NULL; ++ } ++ if ((params = OSSL_PARAM_BLD_to_param(param_bld)) == NULL) { ++ debug2_f("Could not build param list"); ++ return NULL; ++ } ++ if (EVP_PKEY_fromdata_init(ctx) != 1 || ++ EVP_PKEY_fromdata(ctx, &ret, EVP_PKEY_KEYPAIR, params) != 1) { ++ debug2_f("EVP_PKEY_fromdata failed"); ++ OSSL_PARAM_free(params); ++ return NULL; ++ } ++ return ret; ++} ++#endif /* WITH_OPENSSL */ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/sshkey.h ./sshkey.h +--- ../../openssh-8.7p1/sshkey.h 2023-03-08 15:35:14.702943628 +0100 ++++ ./sshkey.h 2023-03-08 15:34:33.509578138 +0100 +@@ -31,6 +31,9 @@ + #ifdef WITH_OPENSSL + #include + #include ++#include ++#include ++#include + # ifdef OPENSSL_HAS_ECC + # include + # include +@@ -293,6 +295,13 @@ + + void sshkey_sig_details_free(struct sshkey_sig_details *); + ++#ifdef WITH_OPENSSL ++EVP_PKEY *sshkey_create_evp(OSSL_PARAM_BLD *, EVP_PKEY_CTX *); ++int ssh_create_evp_dss(const struct sshkey *, EVP_PKEY **); ++int ssh_create_evp_rsa(const struct sshkey *, EVP_PKEY **); ++int ssh_create_evp_ec(EC_KEY *, int, EVP_PKEY **); ++#endif /* WITH_OPENSSL */ ++ + #ifdef SSHKEY_INTERNAL + int ssh_rsa_sign(const struct sshkey *key, + u_char **sigp, size_t *lenp, const u_char *data, size_t datalen, +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/ssh-rsa.c ./ssh-rsa.c +--- ../../openssh-8.7p1/ssh-rsa.c 2023-03-08 15:35:14.669943335 +0100 ++++ ./ssh-rsa.c 2023-03-08 15:34:33.509578138 +0100 +@@ -23,6 +23,8 @@ + + #include + #include ++#include ++#include + + #include + #include +@@ -172,9 +174,8 @@ + if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) + return SSH_ERR_KEY_LENGTH; + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) +- return SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) ++ return ret; + ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, + datalen); + EVP_PKEY_free(pkey); +@@ -285,11 +286,8 @@ + len = modlen; + } + +- if ((pkey = EVP_PKEY_new()) == NULL || +- EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) { +- ret = SSH_ERR_ALLOC_FAIL; ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) + goto out; +- } + ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey); + EVP_PKEY_free(pkey); + +@@ -306,11 +304,9 @@ + u_char *sigbuf, size_t siglen, EVP_PKEY *pkey) + { + size_t rsasize = 0; +- const RSA *rsa; + int ret; + +- rsa = EVP_PKEY_get0_RSA(pkey); +- rsasize = RSA_size(rsa); ++ rsasize = EVP_PKEY_get_size(pkey); + if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM || + siglen == 0 || siglen > rsasize) { + ret = SSH_ERR_INVALID_ARGUMENT; +@@ -323,4 +319,87 @@ + done: + return ret; + } ++ ++int ++ssh_create_evp_rsa(const struct sshkey *k, EVP_PKEY **pkey) ++{ ++ OSSL_PARAM_BLD *param_bld = NULL; ++ EVP_PKEY_CTX *ctx = NULL; ++ int ret = 0; ++ const BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL; ++ const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; ++ ++ if (k == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if ((ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)) == NULL || ++ (param_bld = OSSL_PARAM_BLD_new()) == NULL) { ++ ret = SSH_ERR_ALLOC_FAIL; ++ goto out; ++ } ++ ++ RSA_get0_key(k->rsa, &n, &e, &d); ++ RSA_get0_factors(k->rsa, &p, &q); ++ RSA_get0_crt_params(k->rsa, &dmp1, &dmq1, &iqmp); ++ ++ if (n != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_N, n) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (e != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_E, e) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (d != NULL && ++ OSSL_PARAM_BLD_push_BN(param_bld, OSSL_PKEY_PARAM_RSA_D, d) != 1) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ if ((*pkey = sshkey_create_evp(param_bld, ctx)) == NULL) { ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++ /* setting this to param_build makes the creation process fail */ ++ if (p != NULL && ++ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, p) != 1) { ++ debug2_f("failed to add 'p' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (q != NULL && ++ EVP_PKEY_set_bn_param(*pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, q) != 1) { ++ debug2_f("failed to add 'q' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (dmp1 != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_EXPONENT1, dmp1) != 1) { ++ debug2_f("failed to add 'dmp1' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (dmq1 != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_EXPONENT2, dmq1) != 1) { ++ debug2_f("failed to add 'dmq1' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ if (iqmp != NULL && ++ EVP_PKEY_set_bn_param(*pkey, ++ OSSL_PKEY_PARAM_RSA_COEFFICIENT1, iqmp) != 1) { ++ debug2_f("failed to add 'iqmp' param"); ++ ret = SSH_ERR_LIBCRYPTO_ERROR; ++ goto out; ++ } ++ ++out: ++ OSSL_PARAM_BLD_free(param_bld); ++ EVP_PKEY_CTX_free(ctx); ++ return ret; ++} + #endif /* WITH_OPENSSL */ diff --git a/openssh-8.7p1-evp-pkcs11.patch b/openssh-8.7p1-evp-pkcs11.patch new file mode 100644 index 0000000..44e0b8f --- /dev/null +++ b/openssh-8.7p1-evp-pkcs11.patch @@ -0,0 +1,131 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-ecdsa.c openssh-8.7p1-patched/ssh-ecdsa.c +--- openssh-8.7p1/ssh-ecdsa.c 2023-05-24 09:39:45.002631174 +0200 ++++ openssh-8.7p1-patched/ssh-ecdsa.c 2023-05-24 09:09:34.400853951 +0200 +@@ -74,8 +74,18 @@ + if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1) + return SSH_ERR_INTERNAL_ERROR; + +- if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) +- return ret; ++#ifdef ENABLE_PKCS11 ++ if (is_ecdsa_pkcs11(key->ecdsa)) { ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ } else { ++#endif ++ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0) ++ return ret; ++#ifdef ENABLE_PKCS11 ++ } ++#endif + ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data, + datalen); + EVP_PKEY_free(pkey); +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.c openssh-8.7p1-patched/ssh-pkcs11.c +--- openssh-8.7p1/ssh-pkcs11.c 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11.c 2023-05-24 09:33:59.153866357 +0200 +@@ -775,8 +775,24 @@ + + return (0); + } ++ ++int ++is_ecdsa_pkcs11(EC_KEY *ecdsa) ++{ ++ if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL) ++ return 1; ++ return 0; ++} + #endif /* HAVE_EC_KEY_METHOD_NEW */ + ++int ++is_rsa_pkcs11(RSA *rsa) ++{ ++ if (RSA_get_ex_data(rsa, rsa_idx) != NULL) ++ return 1; ++ return 0; ++} ++ + /* remove trailing spaces */ + static void + rmspace(u_char *buf, size_t len) +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11-client.c openssh-8.7p1-patched/ssh-pkcs11-client.c +--- openssh-8.7p1/ssh-pkcs11-client.c 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11-client.c 2023-05-24 09:31:16.139092673 +0200 +@@ -225,8 +225,36 @@ + static RSA_METHOD *helper_rsa; + #ifdef HAVE_EC_KEY_METHOD_NEW + static EC_KEY_METHOD *helper_ecdsa; ++ ++int ++is_ecdsa_pkcs11(EC_KEY *ecdsa) ++{ ++ const EC_KEY_METHOD *meth; ++ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen, ++ const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL; ++ ++ meth = EC_KEY_get_method(ecdsa); ++ EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig); ++ if (sign_sig == ecdsa_do_sign) ++ return 1; ++ return 0; ++} + #endif /* HAVE_EC_KEY_METHOD_NEW */ + ++int ++is_rsa_pkcs11(RSA *rsa) ++{ ++ const RSA_METHOD *meth; ++ int (*priv_enc)(int flen, const unsigned char *from, ++ unsigned char *to, RSA *rsa, int padding) = NULL; ++ ++ meth = RSA_get_method(rsa); ++ priv_enc = RSA_meth_get_priv_enc(meth); ++ if (priv_enc == rsa_encrypt) ++ return 1; ++ return 0; ++} ++ + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void + wrap_key(struct sshkey *k) +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-pkcs11.h openssh-8.7p1-patched/ssh-pkcs11.h +--- openssh-8.7p1/ssh-pkcs11.h 2023-05-24 09:39:44.950630607 +0200 ++++ openssh-8.7p1-patched/ssh-pkcs11.h 2023-05-24 09:36:49.055714975 +0200 +@@ -39,6 +39,11 @@ + u_int32_t *); + #endif + ++#ifdef HAVE_EC_KEY_METHOD_NEW ++int is_ecdsa_pkcs11(EC_KEY *ecdsa); ++#endif ++int is_rsa_pkcs11(RSA *rsa); ++ + #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11) + #undef ENABLE_PKCS11 + #endif +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh-rsa.c openssh-8.7p1-patched/ssh-rsa.c +--- openssh-8.7p1/ssh-rsa.c 2023-05-24 09:39:45.003631184 +0200 ++++ openssh-8.7p1-patched/ssh-rsa.c 2023-05-24 09:31:37.019319860 +0200 +@@ -174,8 +174,18 @@ + if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE) + return SSH_ERR_KEY_LENGTH; + +- if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) +- return ret; ++#ifdef ENABLE_PKCS11 ++ if (is_rsa_pkcs11(key->rsa)) { ++ if ((pkey = EVP_PKEY_new()) == NULL || ++ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) ++ return SSH_ERR_ALLOC_FAIL; ++ } else { ++#endif ++ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0) ++ return ret; ++#ifdef ENABLE_PKCS11 ++ } ++#endif + ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data, + datalen); + EVP_PKEY_free(pkey); diff --git a/openssh-8.7p1-man-hostkeyalgos.patch b/openssh-8.7p1-man-hostkeyalgos.patch new file mode 100644 index 0000000..92c53b1 --- /dev/null +++ b/openssh-8.7p1-man-hostkeyalgos.patch @@ -0,0 +1,31 @@ +diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5 +--- openssh-8.7p1/ssh_config.5 2023-06-02 09:14:40.279373577 +0200 ++++ openssh-8.7p1-patched/ssh_config.5 2023-05-30 16:01:04.533848172 +0200 +@@ -989,6 +989,17 @@ + .Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q HostKeyAlgorithms . ++.Pp ++The proposed ++.Cm HostKeyAlgorithms ++during KEX are limited to the set of algorithms that is defined in ++.Cm PubkeyAcceptedAlgorithms ++and therefore they are indirectly affected by system-wide ++.Xr crypto_policies 7 . ++.Xr crypto_policies 7 can not handle the list of host key algorithms directly as doing so ++would break the order given by the ++.Pa known_hosts ++file. + .It Cm HostKeyAlias + Specifies an alias that should be used instead of the + real host name when looking up or saving the host key +@@ -1564,6 +1575,9 @@ + .Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q PubkeyAcceptedAlgorithms . ++.Pp ++This option affects also ++.Cm HostKeyAlgorithms + .It Cm PubkeyAuthentication + Specifies whether to try public key authentication. + The argument to this keyword must be diff --git a/openssh-8.7p1-nohostsha1proof.patch b/openssh-8.7p1-nohostsha1proof.patch index a5323e4..5c54e78 100644 --- a/openssh-8.7p1-nohostsha1proof.patch +++ b/openssh-8.7p1-nohostsha1proof.patch @@ -43,6 +43,255 @@ diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h #define SSH_OLD_SESSIONID 0x00000010 /* #define unused 0x00000020 */ #define SSH_BUG_DEBUG 0x00000040 +diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c +--- openssh-8.7p1/monitor.c.sshrsacheck 2023-01-20 13:07:54.279676981 +0100 ++++ openssh-8.7p1/monitor.c 2023-01-20 15:01:07.007821379 +0100 +@@ -660,11 +660,12 @@ mm_answer_sign(struct ssh *ssh, int sock + struct sshkey *key; + struct sshbuf *sigbuf = NULL; + u_char *p = NULL, *signature = NULL; +- char *alg = NULL; ++ char *alg = NULL, *effective_alg; + size_t datlen, siglen, alglen; + int r, is_proof = 0; + u_int keyid, compat; + const char proof_req[] = "hostkeys-prove-00@openssh.com"; ++ const char safe_rsa[] = "rsa-sha2-256"; + + debug3_f("entering"); + +@@ -719,18 +720,30 @@ mm_answer_sign(struct ssh *ssh, int sock + } + + if ((key = get_hostkey_by_index(keyid)) != NULL) { +- if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, alg, ++ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0 ++ && (sshkey_type_plain(key->type) == KEY_RSA)) { ++ effective_alg = safe_rsa; ++ } else { ++ effective_alg = alg; ++ } ++ if ((r = sshkey_sign(key, &signature, &siglen, p, datlen, effective_alg, + options.sk_provider, NULL, compat)) != 0) + fatal_fr(r, "sign"); + } else if ((key = get_hostkey_public_by_index(keyid, ssh)) != NULL && + auth_sock > 0) { ++ if (ssh->compat & SSH_RH_RSASIGSHA && strcmp(alg, "ssh-rsa") == 0 ++ && (sshkey_type_plain(key->type) == KEY_RSA)) { ++ effective_alg = safe_rsa; ++ } else { ++ effective_alg = alg; ++ } + if ((r = ssh_agent_sign(auth_sock, key, &signature, &siglen, +- p, datlen, alg, compat)) != 0) ++ p, datlen, effective_alg, compat)) != 0) + fatal_fr(r, "agent sign"); + } else + fatal_f("no hostkey from index %d", keyid); + +- debug3_f("%s %s signature len=%zu", alg, ++ debug3_f("%s (effective: %s) %s signature len=%zu", alg, effective_alg, + is_proof ? "hostkey proof" : "KEX", siglen); + + sshbuf_reset(m); +diff -up openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck openssh-8.7p1/regress/cert-userkey.sh +--- openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck 2023-01-25 14:26:52.885963113 +0100 ++++ openssh-8.7p1/regress/cert-userkey.sh 2023-01-25 14:27:25.757219800 +0100 +@@ -7,7 +7,8 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us + cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak + +-PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` ++#ssh-dss keys are incompatible with DEFAULT crypto policy ++PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss' | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + EXTRA_TYPES="" + rsa="" + +diff -up openssh-8.7p1/regress/Makefile.sshrsacheck openssh-8.7p1/regress/Makefile +--- openssh-8.7p1/regress/Makefile.sshrsacheck 2023-01-20 13:07:54.169676051 +0100 ++++ openssh-8.7p1/regress/Makefile 2023-01-20 13:07:54.290677074 +0100 +@@ -2,7 +2,8 @@ + + tests: prep file-tests t-exec unit + +-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 ++#ssh-dss tests will not pass on DEFAULT crypto-policy because of SHA1, skipping ++REGRESS_TARGETS= t1 t2 t3 t4 t5 t7 t8 t9 t10 t11 t12 + + # File based tests + file-tests: $(REGRESS_TARGETS) +diff -up openssh-8.7p1/regress/test-exec.sh.sshrsacheck openssh-8.7p1/regress/test-exec.sh +--- openssh-8.7p1/regress/test-exec.sh.sshrsacheck 2023-01-25 14:24:54.778040819 +0100 ++++ openssh-8.7p1/regress/test-exec.sh 2023-01-25 14:26:39.500858590 +0100 +@@ -581,8 +581,9 @@ maybe_filter_sk() { + fi + } + +-SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk` +-SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk` ++#ssh-dss keys are incompatible with DEFAULT crypto policy ++SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'` ++SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk | grep -v 'ssh-dss'` + + for t in ${SSH_KEYTYPES}; do + # generate user key +diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c +--- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100 ++++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100 +@@ -97,7 +97,8 @@ do_kex_with_key(char *kex, int keytype, + memcpy(kex_params.proposal, myproposal, sizeof(myproposal)); + if (kex != NULL) + kex_params.proposal[PROPOSAL_KEX_ALGS] = kex; +- keyname = strdup(sshkey_ssh_name(private)); ++ keyname = (strcmp(sshkey_ssh_name(private), "ssh-rsa")) ? ++ strdup(sshkey_ssh_name(private)) : strdup("rsa-sha2-256"); + ASSERT_PTR_NE(keyname, NULL); + kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; + ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); +@@ -180,7 +181,7 @@ do_kex(char *kex) + { + #ifdef WITH_OPENSSL + do_kex_with_key(kex, KEY_RSA, 2048); +- do_kex_with_key(kex, KEY_DSA, 1024); ++ /* do_kex_with_key(kex, KEY_DSA, 1024); */ + #ifdef OPENSSL_HAS_ECC + do_kex_with_key(kex, KEY_ECDSA, 256); + #endif /* OPENSSL_HAS_ECC */ +diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c +--- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100 +@@ -110,6 +110,7 @@ sshkey_file_tests(void) + sshkey_free(k2); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("load RSA cert with SHA1 signature"); + ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha1"), &k2), 0); + ASSERT_PTR_NE(k2, NULL); +@@ -117,7 +118,7 @@ sshkey_file_tests(void) + ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1); + ASSERT_STRING_EQ(k2->cert->signature_type, "ssh-rsa"); + sshkey_free(k2); +- TEST_DONE(); ++ TEST_DONE(); */ + + TEST_START("load RSA cert with SHA512 signature"); + ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha512"), &k2), 0); +diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c +--- openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck 2023-01-26 12:10:37.533168013 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c 2023-01-26 12:15:35.637631860 +0100 +@@ -333,13 +333,14 @@ sshkey_fuzz_tests(void) + TEST_DONE(); + + #ifdef WITH_OPENSSL ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("fuzz RSA sig"); + buf = load_file("rsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); + sshbuf_free(buf); + sig_fuzz(k1, "ssh-rsa"); + sshkey_free(k1); +- TEST_DONE(); ++ TEST_DONE();*/ + + TEST_START("fuzz RSA SHA256 sig"); + buf = load_file("rsa_1"); +@@ -357,6 +358,7 @@ sshkey_fuzz_tests(void) + sshkey_free(k1); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("fuzz DSA sig"); + buf = load_file("dsa_1"); + ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); +@@ -364,6 +366,7 @@ sshkey_fuzz_tests(void) + sig_fuzz(k1, NULL); + sshkey_free(k1); + TEST_DONE(); ++ */ + + #ifdef OPENSSL_HAS_ECC + TEST_START("fuzz ECDSA sig"); +diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c +--- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100 ++++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100 +@@ -60,6 +60,9 @@ build_cert(struct sshbuf *b, struct sshk + u_char *sigblob; + size_t siglen; + ++ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */ ++ int expected = (sig_alg == NULL || strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0; ++ + ca_buf = sshbuf_new(); + ASSERT_PTR_NE(ca_buf, NULL); + ASSERT_INT_EQ(sshkey_putb(ca_key, ca_buf), 0); +@@ -101,8 +104,9 @@ build_cert(struct sshbuf *b, struct sshk + ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ + ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ + ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, +- sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), 0); +- ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ ++ sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, NULL, 0), expected); ++ if (expected == 0) ++ ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ + + free(sigblob); + sshbuf_free(ca_buf); +@@ -119,16 +123,22 @@ signature_test(struct sshkey *k, struct + { + size_t len; + u_char *sig; ++ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */ ++ int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0; ++ if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT)) ++ expected = SSH_ERR_LIBCRYPTO_ERROR; + + ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, +- NULL, NULL, 0), 0); +- ASSERT_SIZE_T_GT(len, 8); +- ASSERT_PTR_NE(sig, NULL); +- ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); +- ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0); +- /* Fuzz test is more comprehensive, this is just a smoke test */ +- sig[len - 5] ^= 0x10; +- ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ NULL, NULL, 0), expected); ++ if (expected == 0) { ++ ASSERT_SIZE_T_GT(len, 8); ++ ASSERT_PTR_NE(sig, NULL); ++ ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0); ++ /* Fuzz test is more comprehensive, this is just a smoke test */ ++ sig[len - 5] ^= 0x10; ++ ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0); ++ } + free(sig); + } + +@@ -514,7 +524,7 @@ sshkey_tests(void) + ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, + NULL), 0); + k3 = get_private("rsa_1"); +- build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL); ++ build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, "rsa-sha2-256"); + ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), + SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); + ASSERT_PTR_EQ(k4, NULL); +diff -up openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-8.7p1/regress/unittests/sshsig/tests.c +--- openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck 2023-01-26 12:19:23.659513651 +0100 ++++ openssh-8.7p1/regress/unittests/sshsig/tests.c 2023-01-26 12:20:28.021044803 +0100 +@@ -102,9 +102,11 @@ tests(void) + check_sig("rsa.pub", "rsa.sig", msg, namespace); + TEST_DONE(); + ++ /* Skip this test, SHA1 signatures are not supported + TEST_START("check DSA signature"); + check_sig("dsa.pub", "dsa.sig", msg, namespace); + TEST_DONE(); ++ */ + + #ifdef OPENSSL_HAS_ECC + TEST_START("check ECDSA signature"); diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c --- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100 +++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100 @@ -57,6 +306,24 @@ diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c debug3_f("sign %s key (index %d) using sigalg %s", sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg); if ((r = sshbuf_put_cstring(sigbuf, +diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c +--- openssh-8.7p1/sshconnect2.c.sshrsacheck 2023-01-25 15:33:29.140353651 +0100 ++++ openssh-8.7p1/sshconnect2.c 2023-01-25 15:59:34.225364883 +0100 +@@ -1461,6 +1464,14 @@ identity_sign(struct identity *id, u_cha + retried = 1; + goto retry_pin; + } ++ if ((r == SSH_ERR_LIBCRYPTO_ERROR) && strcmp("ssh-rsa", alg)) { ++ char rsa_safe_alg[] = "rsa-sha2-512"; ++ debug3_f("trying to fallback to algorithm %s", rsa_safe_alg); ++ ++ if ((r = sshkey_sign(sign_key, sigp, lenp, data, datalen, ++ rsa_safe_alg, options.sk_provider, pin, compat)) != 0) ++ debug_fr(r, "sshkey_sign - RSA fallback"); ++ } + goto out; + } + diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c --- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100 +++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100 @@ -68,7 +335,7 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); -@@ -1938,6 +1950,19 @@ main(int ac, char **av) +@@ -1938,6 +1950,33 @@ main(int ac, char **av) key = NULL; continue; } @@ -78,13 +345,27 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c + u_char data[] = "Test SHA1 vector"; + int res; + -+ res = ssh_rsa_sign(key, &tmp, &sign_size, data, sizeof(data), NULL); ++ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0); + free(tmp); + if (res == SSH_ERR_LIBCRYPTO_ERROR) { -+ logit_f("sshd: ssh-rsa algorithm is disabled"); ++ verbose_f("sshd: SHA1 in signatures is disabled for RSA keys"); + forbid_ssh_rsa = 1; + } + } ++ if (key && (sshkey_type_plain(key->type) == KEY_DSA || sshkey_type_plain(key->type) == KEY_DSA_CERT)) { ++ size_t sign_size = 0; ++ u_char *tmp = NULL; ++ u_char data[] = "Test SHA1 vector"; ++ int res; ++ ++ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0); ++ free(tmp); ++ if (res == SSH_ERR_LIBCRYPTO_ERROR) { ++ logit_f("sshd: ssh-dss is disabled, skipping key file %s", options.host_key_files[i]); ++ key = NULL; ++ continue; ++ } ++ } if (sshkey_is_sk(key) && key->sk_flags & SSH_SK_USER_PRESENCE_REQD) { debug("host key %s requires user presence, ignoring", @@ -98,3 +379,48 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c /* Prepare the channels layer */ channel_init_channels(ssh); channel_set_af(ssh, options.address_family); +diff -Nur openssh-8.7p1/ssh-keygen.c openssh-8.7p1_patched/ssh-keygen.c +--- openssh-8.7p1/ssh-keygen.c 2023-01-18 17:41:47.894515779 +0100 ++++ openssh-8.7p1_patched/ssh-keygen.c 2023-01-18 17:41:44.500488818 +0100 +@@ -491,6 +491,8 @@ + BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL; + BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL; + BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL; ++ char rsa_safe_alg[] = "rsa-sha2-256"; ++ char *alg = NULL; + + if ((r = sshbuf_get_u32(b, &magic)) != 0) + fatal_fr(r, "parse magic"); +@@ -590,6 +592,7 @@ do_convert_private_ssh2(struct sshbuf *b + if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0) + fatal_fr(r, "generate RSA parameters"); + BN_clear_free(rsa_iqmp); ++ alg = rsa_safe_alg; + break; + } + rlen = sshbuf_len(b); +@@ -598,9 +601,9 @@ do_convert_private_ssh2(struct sshbuf *b + + /* try the key */ + if (sshkey_sign(key, &sig, &slen, data, sizeof(data), +- NULL, NULL, NULL, 0) != 0 || ++ alg, NULL, NULL, 0) != 0 || + sshkey_verify(key, sig, slen, data, sizeof(data), +- NULL, 0, NULL) != 0) { ++ alg, 0, NULL) != 0) { + sshkey_free(key); + free(sig); + return NULL; +diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c +--- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100 ++++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100 +@@ -254,7 +254,8 @@ ssh_rsa_verify(const struct sshkey *key, + ret = SSH_ERR_INVALID_ARGUMENT; + goto out; + } +- if (hash_alg != want_alg) { ++ if (hash_alg != want_alg && want_alg != SSH_DIGEST_SHA1) { ++ debug_f("Unexpected digest algorithm: got %d, wanted %d", hash_alg, want_alg); + ret = SSH_ERR_SIGNATURE_INVALID; + goto out; + } diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch new file mode 100644 index 0000000..5632ba1 --- /dev/null +++ b/openssh-9.3p1-upstream-cve-2023-38408.patch @@ -0,0 +1,17 @@ +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 6be647ec..ebddf6c3 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_module, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + + p->module->handle = handle; + /* setup the pkcs11 callbacks */ diff --git a/openssh.spec b/openssh.spec index 350d05e..b7b2434 100644 --- a/openssh.spec +++ b/openssh.spec @@ -55,8 +55,8 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 29 -%global hyperscale_rel 6 +%global openssh_rel 34 +%global hyperscale_rel 7 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -275,6 +275,23 @@ Patch1007: openssh-8.7p1-nohostsha1proof.patch # to fix 1005 Patch1008: openssh-8.7p1-CVE-2023-25136.patch +# fips compliance for signing, dh, ecdh +Patch1009: openssh-8.7p1-evp-fips-compl-sign.patch +Patch1010: openssh-8.7p1-evp-fips-compl-dh.patch +Patch1011: openssh-8.7p1-evp-fips-compl-ecdh.patch +Patch1012: openssh-8.7p1-evp-pkcs11.patch + +# clarify rhbz#2068423 on the man page of ssh_config +Patch1013: openssh-8.7p1-man-hostkeyalgos.patch +# upstream commits +# ec1ddb72a146fd66d18df9cd423517453a5d8044 +# b98a42afb69d60891eb0488935990df6ee571c4 +# a00f59a645072e5f5a8d207af15916a7b23e2642 +Patch1014: openssh-8.7p1-UTC-time-parse.patch +# upsream commit +# b23fe83f06ee7e721033769cfa03ae840476d280 +Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch + # c9s specific logic factored out of openssh-7.7p1-fips.patch Patch2000: openssh-7.7p1-fips-warning.patch @@ -524,6 +541,15 @@ popd %patch1007 -p1 -b .sshrsacheck %patch1008 -p1 -b .cve-2023-25136 +%patch1009 -p1 -b .evp_fips_sign +%patch1010 -p1 -b .evp_fips_dh +%patch1011 -p1 -b .evp_fips_ecdh +%patch1012 -p1 -b .evp_pkcs11 + +%patch1013 -p1 -b .man-hostkeyalgos +%patch1014 -p1 -b .utc_parse +%patch1015 -p1 -b .cve-2023-38408 + %if 0%{?facebook} && !0%{?use_quilt} %patch2010 -p1 -b .log_session_id %patch2011 -p1 -b .slog @@ -827,9 +853,51 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Aug 3 2023 Raymond Colebaugh - 8.7p1-34.7 + 0.10.4-5.7 +- Merge new changes from upstream + +* Thu Jul 20 2023 Dmitry Belyavskiy - 8.7p1-34 +- Avoid remote code execution in ssh-agent PKCS#11 support + Resolves: CVE-2023-38408 + +* Tue Jun 13 2023 Dmitry Belyavskiy - 8.7p1-33 +- Allow specifying validity interval in UTC + Resolves: rhbz#2115043 + +* Wed May 24 2023 Norbert Pocs - 8.7p1-32 +- Fix pkcs11 issue with the recent changes +- Delete unnecessary log messages from previous compl-dh patch +- Add ssh_config man page explanation on rhbz#2068423 +- Resolves: rhbz#2207793, rhbz#2209096 + +* Tue May 16 2023 Norbert Pocs - 8.7p1-31 +- Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch: +- Check return values +- Use EVP API to get the size of DH +- Add some log debug lines +- Related: rhbz#2091694 + * Mon Apr 24 2023 Raymond Colebaugh - 8.7p1-29.6 + 0.10.4-5.6 - Merge new changes from upstream +* Thu Apr 20 2023 Dmitry Belyavskiy - 8.7p1-30 +- Some non-terminating processes were listening on ports. + Resolves: rhbz#2177768 +- On sshd startup, we check whether signing using the SHA1 for signing is + available and don't use it when it isn't. +- On ssh private key conversion we explicitly use SHA2 for testing RSA keys. +- In sshd, when SHA1 signatures are unavailable, we fallback (fall forward :) ) + to SHA2 on host keys proof confirmation. +- On a client side we permit SHA2-based proofs from server when requested SHA1 + proof (or didn't specify the hash algorithm that implies SHA1 on the client + side). It is aligned with already present exception for RSA certificates. +- We fallback to SHA2 if SHA1 signatures is not available on the client side + (file sshconnect2.c). +- We skip dss-related tests (they don't work without SHA1). + Resolves: rhbz#2070163 +- FIPS compliance efforts for dh, ecdh and signing + Resolves: rhbz#2091694 + * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients Resolves: rhbz#2186473