openssh/openssh-8.1p1-ed25519-use-openssl-rng.patch

commit d281831d887044ede45d458c3dda74be9ae017e3
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date:   Fri Sep 25 23:26:58 2020 +0200

    Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519

diff --git a/ed25519.c b/ed25519.c
index 767ec24..5d506a9 100644
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
 
 #include "crypto_api.h"
 
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
 #define int8 crypto_int8
 #define uint8 crypto_uint8
 #define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
   sc25519 scsk;
   ge25519 gepk;
 
+#ifdef WITH_OPENSSL
+  /* Use FIPS approved RNG */
+  if (RAND_bytes(sk, 32) <= 0)
+    fatal("Couldn't obtain random bytes (error 0x%lx)",
+          (unsigned long)ERR_get_error());
+#else
   randombytes(sk,32);
+#endif
+
   crypto_hash_sha512(az,sk,32);
   az[0] &= 248;
   az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -33,6 +33,13 @@
 #include <string.h>
 #include <signal.h>
 
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
 #include "sshkey.h"
 #include "kex.h"
 #include "sshbuf.h"
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
 {
 	static const u_char basepoint[CURVE25519_SIZE] = {9};
 
+#ifdef WITH_OPENSSL
+	/* Use FIPS approved RNG */
+	if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
+		fatal("Couldn't obtain random bytes (error 0x%lx)",
+		    (unsigned long)ERR_get_error());
+#else
 	arc4random_buf(key, CURVE25519_SIZE);
+#endif
+
 	crypto_scalarmult_curve25519(pub, key, basepoint);
 }
- Update to openssh 9.9p1: * No changes for askpass, see main package changelog for details. - Update to openssh 9.9p1: = Future deprecation notice * OpenSSH plans to remove support for the DSA signature algorithm in early 2025. This release disables DSA by default at compile time. DSA, as specified in the SSHv2 protocol, is inherently weak - being limited to a 160 bit private key and use of the SHA1 digest. Its estimated security level is only 80 bits symmetric equivalent. OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to-implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. = Potentially-incompatible changes * ssh(1): remove support for pre-authentication compression. OpenSSH has only supported post-authentication compression in the server for some years. Compression before authentication significantly increases the attack surface of SSH servers and risks creating oracles that reveal information about information sent during authentication. OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=275 2024-09-25 10:42:29 +02:00			`commit d281831d887044ede45d458c3dda74be9ae017e3`
			`Author: Hans Petter Jansson <hpj@hpjansson.org>`
			`Date: Fri Sep 25 23:26:58 2020 +0200`

			`Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519`

			`diff --git a/ed25519.c b/ed25519.c`
			`index 767ec24..5d506a9 100644`
			`--- a/ed25519.c`
			`+++ b/ed25519.c`
			`@@ -9,6 +9,13 @@`

			`#include "crypto_api.h"`

			`+#ifdef WITH_OPENSSL`
			`+#include <openssl/rand.h>`
			`+#include <openssl/err.h>`
			`+#endif`
			`+`
			`+#include "log.h"`
			`+`
			`#define int8 crypto_int8`
			`#define uint8 crypto_uint8`
			`#define int16 crypto_int16`
			`@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(`
			`sc25519 scsk;`
			`ge25519 gepk;`

			`+#ifdef WITH_OPENSSL`
			`+ /* Use FIPS approved RNG */`
			`+ if (RAND_bytes(sk, 32) <= 0)`
			`+ fatal("Couldn't obtain random bytes (error 0x%lx)",`
			`+ (unsigned long)ERR_get_error());`
			`+#else`
			`randombytes(sk,32);`
			`+#endif`
			`+`
			`crypto_hash_sha512(az,sk,32);`
			`az[0] &= 248;`
			`az[31] &= 127;`
			`diff --git a/kexc25519.c b/kexc25519.c`
			`index f13d766..2604eda 100644`
			`--- a/kexc25519.c`
			`+++ b/kexc25519.c`
			`@@ -33,6 +33,13 @@`
			`#include <string.h>`
			`#include <signal.h>`

			`+#ifdef WITH_OPENSSL`
			`+#include <openssl/rand.h>`
			`+#include <openssl/err.h>`
			`+#endif`
			`+`
			`+#include "log.h"`
			`+`
			`#include "sshkey.h"`
			`#include "kex.h"`
			`#include "sshbuf.h"`
			`@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])`
			`{`
			`static const u_char basepoint[CURVE25519_SIZE] = {9};`

			`+#ifdef WITH_OPENSSL`
			`+ /* Use FIPS approved RNG */`
			`+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)`
			`+ fatal("Couldn't obtain random bytes (error 0x%lx)",`
			`+ (unsigned long)ERR_get_error());`
			`+#else`
			`arc4random_buf(key, CURVE25519_SIZE);`
			`+#endif`
			`+`
			`crypto_scalarmult_curve25519(pub, key, basepoint);`
			`}`