openssh/openssh-8.1p1-ed25519-use-openssl-rng.patch

commit d281831d887044ede45d458c3dda74be9ae017e3
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date:   Fri Sep 25 23:26:58 2020 +0200

    Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519

diff --git a/ed25519.c b/ed25519.c
index 767ec24..5d506a9 100644
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
 
 #include "crypto_api.h"
 
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
 #define int8 crypto_int8
 #define uint8 crypto_uint8
 #define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
   sc25519 scsk;
   ge25519 gepk;
 
+#ifdef WITH_OPENSSL
+  /* Use FIPS approved RNG */
+  if (RAND_bytes(sk, 32) <= 0)
+    fatal("Couldn't obtain random bytes (error 0x%lx)",
+          (unsigned long)ERR_get_error());
+#else
   randombytes(sk,32);
+#endif
+
   crypto_hash_sha512(az,sk,32);
   az[0] &= 248;
   az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -33,6 +33,13 @@
 #include <string.h>
 #include <signal.h>
 
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
 #include "sshkey.h"
 #include "kex.h"
 #include "sshbuf.h"
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
 {
 	static const u_char basepoint[CURVE25519_SIZE] = {9};
 
+#ifdef WITH_OPENSSL
+	/* Use FIPS approved RNG */
+	if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
+		fatal("Couldn't obtain random bytes (error 0x%lx)",
+		    (unsigned long)ERR_get_error());
+#else
 	arc4random_buf(key, CURVE25519_SIZE);
+#endif
+
 	crypto_scalarmult_curve25519(pub, key, basepoint);
 }
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00			`commit d281831d887044ede45d458c3dda74be9ae017e3`
			`Author: Hans Petter Jansson <hpj@hpjansson.org>`
			`Date: Fri Sep 25 23:26:58 2020 +0200`

			`Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519`

			`diff --git a/ed25519.c b/ed25519.c`
			`index 767ec24..5d506a9 100644`
			`--- a/ed25519.c`
			`+++ b/ed25519.c`
			`@@ -9,6 +9,13 @@`
Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247 2023-05-22 21:32:26 +02:00
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00			`#include "crypto_api.h"`

			`+#ifdef WITH_OPENSSL`
			`+#include <openssl/rand.h>`
			`+#include <openssl/err.h>`
			`+#endif`
			`+`
			`+#include "log.h"`
			`+`
Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247 2023-05-22 21:32:26 +02:00			`#define int8 crypto_int8`
			`#define uint8 crypto_uint8`
			`#define int16 crypto_int16`
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00			`@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(`
Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247 2023-05-22 21:32:26 +02:00			`sc25519 scsk;`
			`ge25519 gepk;`
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00
			`+#ifdef WITH_OPENSSL`
			`+ /* Use FIPS approved RNG */`
			`+ if (RAND_bytes(sk, 32) <= 0)`
			`+ fatal("Couldn't obtain random bytes (error 0x%lx)",`
			`+ (unsigned long)ERR_get_error());`
			`+#else`
Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247 2023-05-22 21:32:26 +02:00			`randombytes(sk,32);`
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00			`+#endif`
			`+`
Accepting request 1087770 from home:alarrosa:branches:network - Update to openssh 9.3p1 * No changes for askpass, see main package changelog for details - Update to openssh 9.3p1: = Security * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. * ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of- service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. = New features * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1\|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 OBS-URL: https://build.opensuse.org/request/show/1087770 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247 2023-05-22 21:32:26 +02:00			`crypto_hash_sha512(az,sk,32);`
			`az[0] &= 248;`
			`az[31] &= 127;`
Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 2020-11-22 17:59:16 +01:00			`diff --git a/kexc25519.c b/kexc25519.c`
			`index f13d766..2604eda 100644`
			`--- a/kexc25519.c`
			`+++ b/kexc25519.c`
			`@@ -33,6 +33,13 @@`
			`#include <string.h>`
			`#include <signal.h>`

			`+#ifdef WITH_OPENSSL`
			`+#include <openssl/rand.h>`
			`+#include <openssl/err.h>`
			`+#endif`
			`+`
			`+#include "log.h"`
			`+`
			`#include "sshkey.h"`
			`#include "kex.h"`
			`#include "sshbuf.h"`
			`@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])`
			`{`
			`static const u_char basepoint[CURVE25519_SIZE] = {9};`

			`+#ifdef WITH_OPENSSL`
			`+ /* Use FIPS approved RNG */`
			`+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)`
			`+ fatal("Couldn't obtain random bytes (error 0x%lx)",`
			`+ (unsigned long)ERR_get_error());`
			`+#else`
			`arc4random_buf(key, CURVE25519_SIZE);`
			`+#endif`
			`+`
			`crypto_scalarmult_curve25519(pub, key, basepoint);`
			`}`