From 916f9ab5d23a3b368371b0aaa844137f504f91290a887c6929576d5f433f35dc Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson Date: Sun, 22 Nov 2020 16:59:16 +0000 Subject: [PATCH] Accepting request 849311 from home:hpjansson:branches:network - Fix build breakage caused by missing security key objects: + Modify openssh-7.7p1-cavstest-ctr.patch. + Modify openssh-7.7p1-cavstest-kdf.patch. + Add openssh-link-with-sk.patch. - Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). This ensures only approved DH parameters are used in FIPS mode. - Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). This uses OpenSSL's RAND_bytes() directly instead of the internal ChaCha20-based implementation to obtain random bytes for Ed25519 curve computations. This is required for FIPS compliance. OBS-URL: https://build.opensuse.org/request/show/849311 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=219 --- openssh-7.7p1-cavstest-ctr.patch | 4 +- openssh-7.7p1-cavstest-kdf.patch | 8 +-- openssh-8.1p1-ed25519-use-openssl-rng.patch | 74 +++++++++++++++++++ openssh-fips-ensure-approved-moduli.patch | 78 +++++++++++++++++++++ openssh-link-with-sk.patch | 15 ++++ openssh.changes | 22 ++++++ openssh.spec | 3 + 7 files changed, 198 insertions(+), 6 deletions(-) create mode 100644 openssh-8.1p1-ed25519-use-openssl-rng.patch create mode 100644 openssh-fips-ensure-approved-moduli.patch create mode 100644 openssh-link-with-sk.patch diff --git a/openssh-7.7p1-cavstest-ctr.patch b/openssh-7.7p1-cavstest-ctr.patch index e4d6791..6772d5c 100644 --- a/openssh-7.7p1-cavstest-ctr.patch +++ b/openssh-7.7p1-cavstest-ctr.patch 
@@ -28,8 +28,8 @@ index d5c37b5..5d4fcd2 100644 $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) +# FIPS tests -+cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o -+ $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o ++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o diff --git a/openssh-7.7p1-cavstest-kdf.patch b/openssh-7.7p1-cavstest-kdf.patch index 1c333f9..c838849 100644 --- a/openssh-7.7p1-cavstest-kdf.patch +++ b/openssh-7.7p1-cavstest-kdf.patch @@ -24,11 +24,11 @@ index 5d4fcd2..9eab827 100644 XMSS_OBJS=\ ssh-xmss.o \ @@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) - cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-ctr.o - $(LD) -o $@ cavstest-ctr.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o + $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -+cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a cavstest-kdf.o -+ $(LD) -o $@ cavstest-kdf.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o ++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o diff --git a/openssh-8.1p1-ed25519-use-openssl-rng.patch b/openssh-8.1p1-ed25519-use-openssl-rng.patch new file mode 100644 index 0000000..2faf97f --- /dev/null +++ b/openssh-8.1p1-ed25519-use-openssl-rng.patch 
@@ -0,0 +1,74 @@
+commit d281831d887044ede45d458c3dda74be9ae017e3
+Author: Hans Petter Jansson
+Date: Fri Sep 25 23:26:58 2020 +0200
+
+ Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519
+
+diff --git a/ed25519.c b/ed25519.c
+index 767ec24..5d506a9 100644
+--- a/ed25519.c
++++ b/ed25519.c
+@@ -9,6 +9,13 @@
+ #include "includes.h"
+ #include "crypto_api.h"
+
++#ifdef WITH_OPENSSL
++#include
++#include
++#endif
++
++#include "log.h"
++
+ #include "ge25519.h"
+
+ static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
+ unsigned char extsk[64];
+ int i;
+
++#ifdef WITH_OPENSSL
++ /* Use FIPS approved RNG */
++ if (RAND_bytes(sk, 32) <= 0)
++ fatal("Couldn't obtain random bytes (error 0x%lx)",
++ (unsigned long)ERR_get_error());
++#else
+ randombytes(sk, 32);
++#endif
++
+ crypto_hash_sha512(extsk, sk, 32);
+ extsk[0] &= 248;
+ extsk[31] &= 127;
+diff --git a/kexc25519.c b/kexc25519.c
+index f13d766..2604eda 100644
+--- a/kexc25519.c
++++ b/kexc25519.c
+@@ -33,6 +33,13 @@
+ #include
+ #include
+
++#ifdef WITH_OPENSSL
++#include
++#include
++#endif
++
++#include "log.h"
++
+ #include "sshkey.h"
+ #include "kex.h"
+ #include "sshbuf.h"
+@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
+ {
+ static const u_char basepoint[CURVE25519_SIZE] = {9};
+
++#ifdef WITH_OPENSSL
++ /* Use FIPS approved RNG */
++ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
++ fatal("Couldn't obtain random bytes (error 0x%lx)",
++ (unsigned long)ERR_get_error());
++#else
+ arc4random_buf(key, CURVE25519_SIZE);
++#endif
++
+ crypto_scalarmult_curve25519(pub, key, basepoint);
+ }
+
diff --git a/openssh-fips-ensure-approved-moduli.patch b/openssh-fips-ensure-approved-moduli.patch
new file mode 100644
index 0000000..3bbdf89
--- /dev/null
+++ b/openssh-fips-ensure-approved-moduli.patch
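Review bot: The `/* Use FIPS approved RNG */` comment in both added blocks (crypto_sign_ed25519_keypair in ed25519.c and kexc25519_keygen in kexc25519.c) claims more than the visible code establishes: the branch is chosen at compile time by `WITH_OPENSSL`, and nothing here checks that OpenSSL is operating in FIPS mode, so whether RAND_bytes() is backed by an approved DRBG presumably depends on the library's runtime state. I would word it as `/* Take key material straight from OpenSSL's RAND_bytes(); an approved DRBG only when OpenSSL runs in FIPS mode */`. The kexc25519.c site generates the X25519 key-exchange secret rather than an Ed25519 key, which neither the patch name nor the commit subject mentions, so the comment there should say so. Failing closed with fatal() when RAND_bytes() reports an error is the right behaviour for key generation. crypto_sign_ed25519_keypair's body continues outside its hunk.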
@@ -0,0 +1,78 @@
+commit 15c95d6eb2e8bc549719578c9a16541015363360
+Author: Hans Petter Jansson
+Date: Mon Oct 26 22:26:46 2020 +0100
+
+ Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check_params()
+
+diff --git a/dh.c b/dh.c
+index 7cb135d..3fe7f75 100644
+--- a/dh.c
++++ b/dh.c
+@@ -143,6 +143,28 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg)
+ return 0;
+ }
+
++static int
++dhg_is_approved(const struct dhgroup *dhg)
++{
++ BIGNUM *g, *p;
++ DH *dh;
++ int dh_status;
++ int is_ok = 0;
++
++ /* DH_set0_pqg() transfers ownership of the bignums, so we
++ * make temporary copies here for simplicity. */
++ g = BN_dup(dhg->g);
++ p = BN_dup(dhg->p);
++ dh = dh_new_group(g, p);
++
++ if (dh) {
++ is_ok = DH_check_params(dh, &dh_status);
++ }
++
++ DH_free(dh);
++ return is_ok;
++}
++
+ DH *
+ choose_dh(int min, int wantbits, int max)
+ {
+@@ -161,12 +183,20 @@ choose_dh(int min, int wantbits, int max)
+ linenum = 0;
+ best = bestcount = 0;
+ while (getline(&line, &linesize, f) != -1) {
++ int dhg_is_ok;
++
+ linenum++;
+ if (!parse_prime(linenum, line, &dhg))
+ continue;
++
++ dhg_is_ok = dhg_is_approved(&dhg);
++
+ BN_clear_free(dhg.g);
+ BN_clear_free(dhg.p);
+
++ if (!dhg_is_ok)
++ continue;
++
+ if (dhg.size > max || dhg.size < min)
+ continue;
+
+@@ -193,10 +223,16 @@ choose_dh(int min, int wantbits, int max)
+ linenum = 0;
+ bestcount = 0;
+ while (getline(&line, &linesize, f) != -1) {
++ int dhg_is_ok;
++
+ linenum++;
+ if (!parse_prime(linenum, line, &dhg))
+ continue;
+- if ((dhg.size > max || dhg.size < min) ||
++
++ dhg_is_ok = dhg_is_approved(&dhg);
++
++ if (!dhg_is_ok ||
++ (dhg.size > max || dhg.size < min) ||
+ dhg.size != best ||
+ bestcount++ != which) {
+ BN_clear_free(dhg.g);
diff --git a/openssh-link-with-sk.patch b/openssh-link-with-sk.patch
new file mode 100644
index 0000000..6a3ba10
--- /dev/null
+++ b/openssh-link-with-sk.patch
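Review bot: In dhg_is_approved() the verdict of DH_check_params() is discarded: per the OpenSSL documentation the return value only says whether the check could be performed, while the problems found (non-prime p, unsuitable generator, modulus too small or too large) are reported as flag bits in `dh_status`, which is written but never read. Unless the distribution's OpenSSL signals rejection through the return value in FIPS mode (not visible here), a flagged group would still be accepted; `is_ok = DH_check_params(dh, &dh_status) == 1 && dh_status == 0;` covers both conventions. The two BN_dup() results are also used unchecked, and if dh_new_group() fails without taking ownership the copies leak, so test `g == NULL || p == NULL` first and `BN_clear_free()` both on the failure path. Nothing in the hunk gates the check on FIPS mode although the commit subject says it applies there; a one-line comment above dhg_is_approved() stating that it runs for every moduli line unconditionally would make that explicit. choose_dh()'s body starts and ends outside the hunks shown.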
@@ -0,0 +1,15 @@
+diff --git a/Makefile.in b/Makefile.in
+index 6dec09c..25e74ac 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -251,8 +251,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
+ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
+- $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS)
++ $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+
+ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS)
+ $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
diff --git a/openssh.changes b/openssh.changes
index cd21072..a7ae76d 100644
--- a/openssh.changes
+++ b/openssh.changes
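Review bot: The new `sftp-server$(EXEEXT)` rule links `ssh-sk.o`, `sk-usbhid.o` and `$(LIBFIDO2)` into a binary that, as far as this hunk shows, gains them only to satisfy unresolved symbols coming from libssh.a. That pulls the security-key middleware and its library dependency into the file-transfer server's address space and runtime requirements, which matters where sftp-server is run inside a minimal chroot. If the references originate in one of the distribution patches, resolving them there, or linking only the object that defines the missing symbols, would keep the binary's dependencies smaller. At minimum a comment above the rule such as `# ssh-sk.o/sk-usbhid.o: only to resolve libssh.a references, see bsc#<ID>` would record why they are here. The cavstest-ctr and cavstest-kdf rules in the two modified patches carry the same additions.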
@@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Wed Nov 11 20:05:27 UTC 2020 - Hans Petter Jansson + +- Fix build breakage caused by missing security key objects: + + Modify openssh-7.7p1-cavstest-ctr.patch. + + Modify openssh-7.7p1-cavstest-kdf.patch. + + Add openssh-link-with-sk.patch. + +------------------------------------------------------------------- +Wed Nov 11 18:27:55 UTC 2020 - Hans Petter Jansson + +- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939). + This ensures only approved DH parameters are used in FIPS mode. + +------------------------------------------------------------------- +Wed Nov 11 18:27:54 UTC 2020 - Hans Petter Jansson + +- Add openssh-8.1p1-ed25519-use-openssl-rng.patch (bsc#1173799). + This uses OpenSSL's RAND_bytes() directly instead of the internal + ChaCha20-based implementation to obtain random bytes for Ed25519 + curve computations. This is required for FIPS compliance. + ------------------------------------------------------------------- Thu Oct 8 21:38:27 UTC 2020 - Hans Petter Jansson diff --git a/openssh.spec b/openssh.spec index 359ae20..fbd1601 100644 --- a/openssh.spec +++ b/openssh.spec @@ -104,6 +104,9 @@ Patch36: openssh-8.1p1-seccomp-clock_nanosleep.patch Patch37: openssh-8.1p1-seccomp-clock_nanosleep_time64.patch Patch38: openssh-8.1p1-seccomp-clock_gettime64.patch Patch39: openssh-8.1p1-use-openssl-kdf.patch +Patch40: openssh-8.1p1-ed25519-use-openssl-rng.patch +Patch41: openssh-fips-ensure-approved-moduli.patch +Patch42: openssh-link-with-sk.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff