openssh/openssh-6.6p1-audit3-key_auth_usage-fips.patch

# HG changeset patch
# Parent 5482d21e8bd06309af51dea77a5f3668859fb2a0

diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c
--- a/openssh-6.6p1/auth-rsa.c
+++ b/openssh-6.6p1/auth-rsa.c
@@ -94,16 +94,20 @@ int
 auth_rsa_verify_response(Key *key, BIGNUM *challenge,
     u_char response[SSH_DIGEST_MAX_LENGTH])
 {
 	u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];
 	struct ssh_digest_ctx *md;
 	int len;
 	int dgst;
 	size_t dgst_len;
+	int rv;
+#ifdef SSH_AUDIT_EVENTS
+	char *fp;
+#endif
 
 	/* don't allow short keys */
 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
 		error("%s: RSA modulus too small: %d < minimum %d bits",
 		    __func__,
 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
 		return (0);
 	}
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU
 	if ((md = ssh_digest_start(dgst)) == NULL ||
 	    ssh_digest_update(md, buf, 2 * dgst_len) < 0 ||
 	    ssh_digest_update(md, session_id, dgst_len) < 0 ||
 	    ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
 		fatal("%s: md5 failed", __func__);
 	ssh_digest_free(md);
 
 	/* Verify that the response is the original challenge. */
-	if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {
-		/* Wrong answer. */
-		return (0);
+	rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
+	fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);
+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+		debug("unsuccessful audit");
+		rv = 0;
 	}
-	/* Correct answer. */
-	return (1);
+	free(fp);
+#endif
+
+	return rv;
 }
 
 /*
  * Performs the RSA authentication challenge-response dialog with the client,
  * and returns true (non-zero) if the client gave the correct answer to
  * our challenge; returns zero if the client gives a wrong answer.
  */
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76 2014-04-14 23:53:01 +02:00			`# HG changeset patch`
Accepting request 231427 from home:pcerny:factory - curve25519 key exchange fix (-curve25519-6.6.1p1.patch) - patch re-ordering (-audit3-key_auth_usage-fips.patch, -audit4-kex_results-fips.patch) OBS-URL: https://build.opensuse.org/request/show/231427 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80 2014-04-25 15:11:58 +02:00			`# Parent 5482d21e8bd06309af51dea77a5f3668859fb2a0`
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76 2014-04-14 23:53:01 +02:00
			`diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c`
			`--- a/openssh-6.6p1/auth-rsa.c`
			`+++ b/openssh-6.6p1/auth-rsa.c`
			`@@ -94,16 +94,20 @@ int`
			`auth_rsa_verify_response(Key key, BIGNUM challenge,`
			`u_char response[SSH_DIGEST_MAX_LENGTH])`
			`{`
			`u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH];`
			`struct ssh_digest_ctx *md;`
			`int len;`
Accepting request 231427 from home:pcerny:factory - curve25519 key exchange fix (-curve25519-6.6.1p1.patch) - patch re-ordering (-audit3-key_auth_usage-fips.patch, -audit4-kex_results-fips.patch) OBS-URL: https://build.opensuse.org/request/show/231427 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=80 2014-04-25 15:11:58 +02:00			`int dgst;`
Accepting request 230097 from home:pcerny:factory - Update of the underlying OpenSSH to 6.6p1 - update to 6.6p1 Security: * sshd(8): when using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6 could be tricked into accepting any enviornment variable that contains the characters before the wildcard character. Features since 6.5p1: * ssh(1), sshd(8): removal of the J-PAKE authentication code, which was experimental, never enabled and has been unmaintained for some time. * ssh(1): skip 'exec' clauses other clauses predicates failed to match while processing Match blocks. * ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied. Bugfixes: * ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. bz#2200, debian#738692 * sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase. * ssh(1), sshd(8): fix unsigned overflow that in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions. * sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. bz#2184 OBS-URL: https://build.opensuse.org/request/show/230097 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=76 2014-04-14 23:53:01 +02:00			`size_t dgst_len;`
			`+ int rv;`
			`+#ifdef SSH_AUDIT_EVENTS`
			`+ char *fp;`
			`+#endif`

			`/* don't allow short keys */`
			`if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {`
			`error("%s: RSA modulus too small: %d < minimum %d bits",`
			`__func__,`
			`BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);`
			`return (0);`
			`}`
			`@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU`
			`if ((md = ssh_digest_start(dgst)) == NULL \|\|`
			`ssh_digest_update(md, buf, 2 * dgst_len) < 0 \|\|`
			`ssh_digest_update(md, session_id, dgst_len) < 0 \|\|`
			`ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)`
			`fatal("%s: md5 failed", __func__);`
			`ssh_digest_free(md);`

			`/* Verify that the response is the original challenge. */`
			`- if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) {`
			`- /* Wrong answer. */`
			`- return (0);`
			`+ rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0;`
			`+`
			`+#ifdef SSH_AUDIT_EVENTS`
			`+ fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX);`
			`+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {`
			`+ debug("unsuccessful audit");`
			`+ rv = 0;`
			`}`
			`- /* Correct answer. */`
			`- return (1);`
			`+ free(fp);`
			`+#endif`
			`+`
			`+ return rv;`
			`}`

			`/*`
			`* Performs the RSA authentication challenge-response dialog with the client,`
			`* and returns true (non-zero) if the client gave the correct answer to`
			`* our challenge; returns zero if the client gives a wrong answer.`
			`*/`