SHA256
1
0
forked from pool/openssh
openssh/openssh-8.1p1-ed25519-use-openssl-rng.patch
Hans Petter Jansson 03fc1a6def Accepting request 1087770 from home:alarrosa:branches:network
- Update to openssh 9.3p1
  * No changes for askpass, see main package changelog for
    details

- Update to openssh 9.3p1:
  = Security
  * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
   per-hop destination constraints (ssh-add -h ...) added in
   OpenSSH 8.9, a logic error prevented the constraints from being
   communicated to the agent. This resulted in the keys being added
   without constraints. The common cases of non-smartcard keys and
   keys without destination constraints are unaffected. This
   problem was reported by Luci Stanescu.
 * ssh(1): Portable OpenSSH provides an implementation of the
   getrrsetbyname(3) function if the standard library does not
   provide it, for use by the VerifyHostKeyDNS feature. A
   specifically crafted DNS response could cause this function to
   perform an out-of-bounds read of adjacent stack data, but this
   condition does not appear to be exploitable beyond denial-of-
   service to the ssh(1) client.
   The getrrsetbyname(3) replacement is only included if the
   system's standard library lacks this function and portable
   OpenSSH was not compiled with the ldns library (--with-ldns).
   getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to
   fetch SSHFP records. This problem was found by the Coverity
   static analyzer.
  = New features
  * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256
    when outputting SSHFP fingerprints to allow algorithm
    selection. bz3493

OBS-URL: https://build.opensuse.org/request/show/1087770
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=247
2023-05-22 19:32:26 +00:00

75 lines
1.7 KiB
Diff

commit d281831d887044ede45d458c3dda74be9ae017e3
Author: Hans Petter Jansson <hpj@hpjansson.org>
Date: Fri Sep 25 23:26:58 2020 +0200
Use OpenSSL's FIPS approved RAND_bytes() to get randomness for Ed25519
diff --git a/ed25519.c b/ed25519.c
index 767ec24..5d506a9 100644
--- a/ed25519.c
+++ b/ed25519.c
@@ -9,6 +9,13 @@
#include "crypto_api.h"
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
#define int8 crypto_int8
#define uint8 crypto_uint8
#define int16 crypto_int16
@@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair(
sc25519 scsk;
ge25519 gepk;
+#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */
+ if (RAND_bytes(sk, 32) <= 0)
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error());
+#else
randombytes(sk,32);
+#endif
+
crypto_hash_sha512(az,sk,32);
az[0] &= 248;
az[31] &= 127;
diff --git a/kexc25519.c b/kexc25519.c
index f13d766..2604eda 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -33,6 +33,13 @@
#include <string.h>
#include <signal.h>
+#ifdef WITH_OPENSSL
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#endif
+
+#include "log.h"
+
#include "sshkey.h"
#include "kex.h"
#include "sshbuf.h"
@@ -51,7 +58,15 @@ kexc25519_keygen(u_char key[CURVE25519_SIZE], u_char pub[CURVE25519_SIZE])
{
static const u_char basepoint[CURVE25519_SIZE] = {9};
+#ifdef WITH_OPENSSL
+ /* Use FIPS approved RNG */
+ if (RAND_bytes(key, CURVE25519_SIZE) <= 0)
+ fatal("Couldn't obtain random bytes (error 0x%lx)",
+ (unsigned long)ERR_get_error());
+#else
arc4random_buf(key, CURVE25519_SIZE);
+#endif
+
crypto_scalarmult_curve25519(pub, key, basepoint);
}