rpms / openssh

Clone
Source Code
GIT

#50 Fix regression in pkcs11 introduced in the previous patch
Merged a year ago by npocs. Opened a year ago by npocs.
rpms/ npocs/openssh main  into  main

file modified
+66 -34 
@@ -534,7 +534,7 @@ 
 

  diff -up openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.7p1/regress/unittests/pkcs11/tests.c
 

  --- openssh-8.7p1/regress/unittests/pkcs11/tests.c.pkcs11-uri	2021-08-30 13:07:43.664700104 +0200
 

  +++ openssh-8.7p1/regress/unittests/pkcs11/tests.c	2021-08-30 13:07:43.664700104 +0200
 

- @@ -0,0 +1,337 @@
 

+ @@ -0,0 +1,342 @@
 

  +/*
 

  + * Copyright (c) 2017 Red Hat
 

  + *
 
@@ -563,7 +563,7 @@ 
 

  +#include "sshbuf.h"
 

  +#include "ssh-pkcs11-uri.h"
 

  +
 

- +#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
 

+ +#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
 

  +
 

  +/* prototypes are not public -- specify them here internally for tests */
 

  +struct sshbuf *percent_encode(const char *, size_t, char *);
 
@@ -596,6 +596,10 @@ 
 

  +		ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);
 

  +	else /* both should be null */
 

  +		ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);
 

+ +	if (b->serial != NULL)
 

+ +		ASSERT_STRING_EQ(a->serial, b->serial);
 

+ +	else /* both should be null */
 

+ +		ASSERT_PTR_EQ(a->serial, b->serial);
 

  +}
 

  +
 

  +void
 
@@ -630,7 +634,7 @@ 
 

  +
 

  +struct pkcs11_uri *
 

  +compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,
 

- +    char *manuf, char *module_path, char *object, char *pin)
 

+ +    char *manuf, char *serial, char *module_path, char *object, char *pin)
 

  +{
 

  +	struct pkcs11_uri *uri = pkcs11_uri_init();
 

  +	if (id_len > 0) {
 
@@ -641,6 +645,7 @@ 
 

  +	uri->token = token;
 

  +	uri->lib_manuf = lib_manuf;
 

  +	uri->manuf = manuf;
 

+ +	uri->serial = serial;
 

  +	uri->object = object;
 

  +	uri->pin = pin;
 

  +	return uri;
 
@@ -651,47 +656,47 @@ 
 

  +{
 

  +	/* path arguments */
 

  +	check_parse("pkcs11:id=%01",
 

- +	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_parse("pkcs11:id=%00%01",
 

- +	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_parse("pkcs11:token=SSH%20Keys",
 

- +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_parse("pkcs11:library-manufacturer=OpenSC",
 

- +	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));
 

  +	check_parse("pkcs11:manufacturer=piv_II",
 

- +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
 

  +	check_parse("pkcs11:object=SIGN%20Key",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "SIGN Key", NULL));
 

  +	/* query arguments */
 

  +	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

  +	check_parse("pkcs11:?pin-value=123456",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "123456"));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, "123456"));
 

  +
 

  +	/* combinations */
 

  +	/* ID SHOULD be percent encoded */
 

  +	check_parse("pkcs11:token=SSH%20Key;id=0",
 

- +	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_parse(
 

  +	    "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",
 

- +	    compose_uri(NULL, 0, NULL, NULL, "CAC",
 

+ +	    compose_uri(NULL, 0, NULL, NULL, "CAC", NULL,
 

  +	    "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

  +	check_parse(
 

  +	    "pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL,
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL,
 

  +	    "/usr/lib64/pkcs11/opencryptoki.so", "RSA Key", NULL));
 

  +	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so&pin-value=123456",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));
 

  +
 

  +	/* empty path component matches everything */
 

  +	check_parse("pkcs11:", EMPTY_URI);
 

  +
 

  +	/* empty string is a valid to match against (and different from NULL) */
 

  +	check_parse("pkcs11:token=",
 

- +	    compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	/* Percent character needs to be percent-encoded */
 

  +	check_parse("pkcs11:token=%25",
 

- +	     compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL));
 

+ +	     compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +}
 

  +
 

  +static void
 
@@ -703,7 +708,7 @@ 
 

  +	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);
 

  +	/* Space MUST be percent encoded -- XXX not enforced yet */
 

  +	check_parse("pkcs11:token=SSH Keys",
 

- +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	/* MUST NOT contain duplicate attributes of the same name */
 

  +	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);
 

  +	/* MUST NOT contain duplicate attributes of the same name */
 
@@ -734,29 +739,29 @@ 
 

  +{
 

  +	/* path arguments */
 

  +	check_gen("pkcs11:id=%01",
 

- +	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_gen("pkcs11:id=%00%01",
 

- +	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_gen("pkcs11:token=SSH%20Keys", /* space must be percent encoded */
 

- +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	/* library-manufacturer is not implmented now */
 

  +	/*check_gen("pkcs11:library-manufacturer=OpenSC",
 

- +	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));*/
 

+ +	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL, NULL));*/
 

  +	check_gen("pkcs11:manufacturer=piv_II",
 

- +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL, NULL));
 

  +	check_gen("pkcs11:object=RSA%20Key",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "RSA Key", NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "RSA Key", NULL));
 

  +	/* query arguments */
 

  +	check_gen("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",
 

- +	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

  +
 

  +	/* combinations */
 

  +	check_gen("pkcs11:id=%02;token=SSH%20Keys",
 

- +	    compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL));
 

+ +	    compose_uri("\x02", 1, "SSH Keys", NULL, NULL, NULL, NULL, NULL, NULL));
 

  +	check_gen("pkcs11:id=%EE%02?module-path=/usr/lib64/p11-kit-proxy.so",
 

- +	    compose_uri("\xEE\x02", 2, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

+ +	    compose_uri("\xEE\x02", 2, NULL, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));
 

  +	check_gen("pkcs11:object=Encryption%20Key;manufacturer=piv_II",
 

- +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, "Encryption Key", NULL));
 

+ +	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, "Encryption Key", NULL));
 

  +
 

  +	/* empty path component matches everything */
 

  +	check_gen("pkcs11:", EMPTY_URI);
 
@@ -1545,7 +1550,7 @@ 
 

   }
 

   

   static RSA_METHOD *rsa_method;
 

- @@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
 

+ @@ -195,6 +286,56 @@ static EC_KEY_METHOD *ec_key_method;
 

   static int ec_key_idx = 0;
 

   #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
 

   
@@ -1587,6 +1592,7 @@ 
 

  +	uri.module_path = k11->provider->module->module_path;
 

  +	uri.lib_manuf = k11->provider->module->info.manufacturerID;
 

  +	uri.manuf = k11->provider->module->slotinfo[k11->slotidx].token.manufacturerID;
 

+ +	uri.serial = k11->provider->module->slotinfo[k11->slotidx].token.serialNumber;
 

  +
 

  +	p = pkcs11_uri_get(&uri);
 

  +	/* do not cleanup -- we do not allocate here, only reference */
 
@@ -2157,7 +2163,7 @@ 
 

   	int ret = -1;
 

   	struct pkcs11_provider *p = NULL;
 

   	void *handle = NULL;
 

- @@ -1517,164 +1702,298 @@ pkcs11_register_provider(char *provider_
 

+ @@ -1517,164 +1702,305 @@ pkcs11_register_provider(char *provider_
 

   	CK_FUNCTION_LIST *f = NULL;
 

   	CK_TOKEN_INFO *token;
 

   	CK_ULONG i;
 
@@ -2402,6 +2408,13 @@ 
 

  +			    "slot %lu", token->manufacturerID, (unsigned long)i);
 

  +			continue;
 

  +		}
 

+ +		if (uri->serial != NULL &&
 

+ +		    strcmp(token->serialNumber, uri->serial) != 0) {
 

+ +			debug2_f("ignoring token not matching requrested "
 

+ +			    "serialNumber (%s) specified by PKCS#11 URI in "
 

+ +			    "slot %lu", token->serialNumber, (unsigned long)i);
 

+ +			continue;
 

+ +		}
 

   		debug("provider %s slot %lu: label <%s> manufacturerID <%s> "
 

   		    "model <%s> serial <%s> flags 0x%lx",
 

  -		    provider_id, (unsigned long)i,
 
@@ -2591,7 +2604,7 @@ 
 

  diff -up openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.c
 

  --- openssh-8.7p1/ssh-pkcs11-uri.c.pkcs11-uri	2021-08-30 13:07:43.667700130 +0200
 

  +++ openssh-8.7p1/ssh-pkcs11-uri.c	2021-08-30 13:07:43.667700130 +0200
 

- @@ -0,0 +1,419 @@
 

+ @@ -0,0 +1,437 @@
 

  +/*
 

  + * Copyright (c) 2017 Red Hat
 

  + *
 
@@ -2634,13 +2647,14 @@ 
 

  +#define PKCS11_URI_OBJECT "object"
 

  +#define PKCS11_URI_LIB_MANUF "library-manufacturer"
 

  +#define PKCS11_URI_MANUF "manufacturer"
 

+ +#define PKCS11_URI_SERIAL "serial"
 

  +#define PKCS11_URI_MODULE_PATH "module-path"
 

  +#define PKCS11_URI_PIN_VALUE "pin-value"
 

  +
 

  +/* Keyword tokens. */
 

  +typedef enum {
 

- +	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pModulePath,
 

- +	pPinValue, pBadOption
 

+ +	pId, pToken, pObject, pLibraryManufacturer, pManufacturer, pSerial,
 

+ +	pModulePath, pPinValue, pBadOption
 

  +} pkcs11uriOpCodes;
 

  +
 

  +/* Textual representation of the tokens. */
 
@@ -2653,6 +2667,7 @@ 
 

  +	{ PKCS11_URI_OBJECT, pObject },
 

  +	{ PKCS11_URI_LIB_MANUF, pLibraryManufacturer },
 

  +	{ PKCS11_URI_MANUF, pManufacturer },
 

+ +	{ PKCS11_URI_SERIAL, pSerial },
 

  +	{ PKCS11_URI_MODULE_PATH, pModulePath },
 

  +	{ PKCS11_URI_PIN_VALUE, pPinValue },
 

  +	{ NULL, pBadOption }
 
@@ -2811,6 +2826,16 @@ 
 

  +			goto err;
 

  +	}
 

  +
 

+ +	/* Write serial */
 

+ +	if (uri->serial) {
 

+ +		struct sshbuf *serial = percent_encode(uri->serial,
 

+ +		    strlen(uri->serial), PKCS11_URI_WHITELIST);
 

+ +		path = pkcs11_uri_append(path, PKCS11_URI_PATH_SEPARATOR,
 

+ +		    PKCS11_URI_SERIAL, serial);
 

+ +		if (path == NULL)
 

+ +			goto err;
 

+ +	}
 

+ +
 

  +	/* Write module_path */
 

  +	if (uri->module_path) {
 

  +		struct sshbuf *module = percent_encode(uri->module_path,
 
@@ -2853,6 +2878,7 @@ 
 

  +	free(pkcs11->object);
 

  +	free(pkcs11->lib_manuf);
 

  +	free(pkcs11->manuf);
 

+ +	free(pkcs11->serial);
 

  +	if (pkcs11->pin)
 

  +		freezero(pkcs11->pin, strlen(pkcs11->pin));
 

  +	free(pkcs11);
 
@@ -2948,6 +2974,11 @@ 
 

  +			charptr = &pkcs11->manuf;
 

  +			goto parse_string;
 

  +
 

+ +		case pSerial:
 

+ +			/* CK_TOKEN_INFO -> serialNumber */
 

+ +			charptr = &pkcs11->serial;
 

+ +			goto parse_string;
 

+ +
 

  +		case pLibraryManufacturer:
 

  +			/* CK_INFO -> manufacturerID */
 

  +			charptr = &pkcs11->lib_manuf;
 
@@ -3014,7 +3045,7 @@ 
 

  diff -up openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri openssh-8.7p1/ssh-pkcs11-uri.h
 

  --- openssh-8.7p1/ssh-pkcs11-uri.h.pkcs11-uri	2021-08-30 13:07:43.667700130 +0200
 

  +++ openssh-8.7p1/ssh-pkcs11-uri.h	2021-08-30 13:07:43.667700130 +0200
 

- @@ -0,0 +1,42 @@
 

+ @@ -0,0 +1,43 @@
 

  +/*
 

  + * Copyright (c) 2017 Red Hat
 

  + *
 
@@ -3046,6 +3077,7 @@ 
 

  +	char *object;
 

  +	char *lib_manuf;
 

  +	char *manuf;
 

+ +	char *serial;
 

  +	/* query */
 

  +	char *module_path;
 

  +	char *pin; /* Only parsed, but not printed */

file modified
+53 -27 
@@ -1,7 +1,7 @@ 
 

- diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/dh.c ./dh.c
 

- --- ../../openssh-8.7p1/dh.c	2023-03-01 14:26:52.504445780 +0100
 

- +++ ./dh.c	2023-03-01 14:20:09.823193384 +0100
 

- @@ -37,6 +37,9 @@ 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/dh.c openssh-9.0p1-patched/dh.c
 

+ --- openssh-9.0p1/dh.c	2023-05-25 09:24:28.730868316 +0200
 

+ +++ openssh-9.0p1-patched/dh.c	2023-05-25 09:23:44.841379532 +0200
 

+ @@ -37,6 +37,9 @@
 

   #include <openssl/bn.h>
 

   #include <openssl/dh.h>
 

   #include <openssl/fips.h>
 
@@ -11,7 +11,7 @@ 
 

   

   #include "dh.h"
 

   #include "pathnames.h"
 

- @@ -289,10 +292,15 @@
 

+ @@ -290,10 +293,15 @@
 

   int
 

   dh_gen_key(DH *dh, int need)
 

   {
 
@@ -30,7 +30,7 @@ 
 

   

   	if (need < 0 || dh_p == NULL ||
 

   	    (pbits = BN_num_bits(dh_p)) <= 0 ||
 

- @@ -300,19 +308,85 @@
 

+ @@ -301,19 +309,85 @@
 

   		return SSH_ERR_INVALID_ARGUMENT;
 

   	if (need < 256)
 

   		need = 256;
 
@@ -125,10 +125,10 @@ 
 

   }
 

   

   DH *
 

- diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.c ./kex.c
 

- --- ../../openssh-8.7p1/kex.c	2023-03-01 14:26:52.508445832 +0100
 

- +++ ./kex.c	2023-02-28 14:09:27.164743771 +0100
 

- @@ -1602,3 +1602,47 @@
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/kex.c openssh-9.0p1-patched/kex.c
 

+ --- openssh-9.0p1/kex.c	2023-05-25 09:24:28.731868327 +0200
 

+ +++ openssh-9.0p1-patched/kex.c	2023-05-25 09:23:44.841379532 +0200
 

+ @@ -1623,3 +1623,47 @@
 

   	return r;
 

   }
 

   
@@ -176,20 +176,21 @@ 
 

  +	return r;
 

  +}
 

  +#endif /* WITH_OPENSSL */
 

- diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kexdh.c ./kexdh.c
 

- --- ../../openssh-8.7p1/kexdh.c	2023-03-01 14:26:52.448445050 +0100
 

- +++ ./kexdh.c	2023-02-28 14:05:00.700902124 +0100
 

- @@ -35,6 +35,9 @@
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/kexdh.c openssh-9.0p1-patched/kexdh.c
 

+ --- openssh-9.0p1/kexdh.c	2023-05-25 09:24:28.674867692 +0200
 

+ +++ openssh-9.0p1-patched/kexdh.c	2023-05-25 09:25:28.494533889 +0200
 

+ @@ -35,6 +35,10 @@
 

   

   #include "openbsd-compat/openssl-compat.h"
 

   #include <openssl/dh.h>
 

+ +#include <openssl/err.h>
 

  +#include <openssl/evp.h>
 

  +#include <openssl/core_names.h>
 

  +#include <openssl/param_build.h>
 

   

   #include "sshkey.h"
 

   #include "kex.h"
 

- @@ -83,6 +86,9 @@
 

+ @@ -83,9 +87,12 @@
 

   kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out)
 

   {
 

   	BIGNUM *shared_secret = NULL;
 
@@ -198,22 +199,35 @@ 
 

  +	EVP_PKEY_CTX *ctx = NULL;
 

   	u_char *kbuf = NULL;
 

   	size_t klen = 0;
 

-  	int kout, r;
 

- @@ -106,18 +112,39 @@
 

-  		r = SSH_ERR_ALLOC_FAIL;
 

+ -	int kout, r;
 

+ +	int kout, r = 0;
 

+  

+  #ifdef DEBUG_KEXDH
 

+  	fprintf(stderr, "dh_pub= ");
 

+ @@ -100,24 +107,59 @@
 

+  		r = SSH_ERR_MESSAGE_INCOMPLETE;
 

   		goto out;
 

   	}
 

- -	if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 ||
 

- -	    BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
 

+ -	klen = DH_size(kex->dh);
 

  +
 

  +	DH_get0_key(kex->dh, &pub, &priv);
 

  +	DH_get0_pqg(kex->dh, &p, &q, &g);
 

  +	/* import key */
 

- +	kex_create_evp_dh(&pkey, p, q, g, pub, priv);
 

+ +	r = kex_create_evp_dh(&pkey, p, q, g, pub, priv);
 

+ +	if (r != 0) {
 

+ +		error_f("Could not create EVP_PKEY for dh");
 

+ +		ERR_print_errors_fp(stderr);
 

+ +		goto out;
 

+ +	}
 

  +	/* import peer key 

  +	 * the parameters should be the same as with pkey
 

  +	 */
 

- +	kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL);
 

+ +	r = kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL);
 

+ +	if (r != 0) {
 

+ +		error_f("Could not import peer key for dh");
 

+ +		ERR_print_errors_fp(stderr);
 

+ +		goto out;
 

+ +	}
 

  +
 

  +	if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) {
 

  +		error_f("Could not init EVP_PKEY_CTX for dh");
 
@@ -222,7 +236,19 @@ 
 

  +	}
 

  +	if (EVP_PKEY_derive_init(ctx) != 1 ||
 

  +	    EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 ||
 

- +	    EVP_PKEY_derive(ctx, kbuf, &klen) != 1 ||
 

+ +	    EVP_PKEY_derive(ctx, NULL, &klen) != 1) {
 

+ +		error_f("Could not get key size");
 

+ +		r = SSH_ERR_LIBCRYPTO_ERROR;
 

+ +		goto out;
 

+ +	}
 

+  	if ((kbuf = malloc(klen)) == NULL ||
 

+  	    (shared_secret = BN_new()) == NULL) {
 

+  		r = SSH_ERR_ALLOC_FAIL;
 

+  		goto out;
 

+  	}
 

+ -	if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 ||
 

+ -	    BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
 

+ +	if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1 ||
 

  +	    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
 

  +		error_f("Could not derive key");
 

   		r = SSH_ERR_LIBCRYPTO_ERROR;
 
@@ -242,9 +268,9 @@ 
 

   	return r;
 

   }
 

   

- diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.h ./kex.h
 

- --- ../../openssh-8.7p1/kex.h	2023-03-01 14:26:52.508445832 +0100
 

- +++ ./kex.h	2023-02-28 13:16:49.811047554 +0100
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/kex.h openssh-9.0p1-patched/kex.h
 

+ --- openssh-9.0p1/kex.h	2023-05-25 09:24:28.725868260 +0200
 

+ +++ openssh-9.0p1-patched/kex.h	2023-05-25 09:23:44.841379532 +0200
 

  @@ -33,6 +33,9 @@
 

   # include <openssl/bn.h>
 

   # include <openssl/dh.h>
 
@@ -255,7 +281,7 @@ 
 

   # ifdef OPENSSL_HAS_ECC
 

   #  include <openssl/ec.h>
 

   # else /* OPENSSL_HAS_ECC */
 

- @@ -278,6 +281,8 @@
 

+ @@ -283,6 +286,8 @@
 

       const u_char pub[CURVE25519_SIZE], struct sshbuf *out, int)
 

   	__attribute__((__bounded__(__minbytes__, 1, CURVE25519_SIZE)))
 

   	__attribute__((__bounded__(__minbytes__, 2, CURVE25519_SIZE)));

file added
+145 
@@ -0,0 +1,145 @@ 
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-ecdsa.c openssh-9.0p1-patched/ssh-ecdsa.c
 

+ --- openssh-9.0p1/ssh-ecdsa.c	2023-05-24 08:54:03.926443958 +0200
 

+ +++ openssh-9.0p1-patched/ssh-ecdsa.c	2023-05-24 09:46:19.082925921 +0200
 

+ @@ -74,8 +74,18 @@
 

+  	if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
 

+  		return SSH_ERR_INTERNAL_ERROR;
 

+  

+ -  	if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
 

+ -		return ret;
 

+ +#ifdef ENABLE_PKCS11
 

+ +	if (is_ecdsa_pkcs11(key->ecdsa)) {
 

+ +		if ((pkey = EVP_PKEY_new()) == NULL ||
 

+ +		    EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
 

+ +			return SSH_ERR_ALLOC_FAIL;
 

+ +	} else {
 

+ +#endif
 

+ +		if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
 

+ +			return ret;
 

+ +#ifdef ENABLE_PKCS11
 

+ +	}
 

+ +#endif
 

+  	ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
 

+  	    datalen);
 

+  	EVP_PKEY_free(pkey);
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/sshkey.h openssh-9.0p1-patched/sshkey.h
 

+ --- openssh-9.0p1/sshkey.h	2023-05-24 08:54:03.926443958 +0200
 

+ +++ openssh-9.0p1-patched/sshkey.h	2023-05-24 08:57:22.930642788 +0200
 

+ @@ -340,6 +340,10 @@
 

+      const u_char *data, size_t datalen, u_int compat);
 

+  #endif
 

+  

+ +#ifdef ENABLE_PKCS11
 

+ +int pkcs11_get_ecdsa_idx(void);
 

+ +#endif
 

+ +
 

+  #if !defined(WITH_OPENSSL)
 

+  # undef RSA
 

+  # undef DSA
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11.c openssh-9.0p1-patched/ssh-pkcs11.c
 

+ --- openssh-9.0p1/ssh-pkcs11.c	2023-05-24 08:54:03.888443542 +0200
 

+ +++ openssh-9.0p1-patched/ssh-pkcs11.c	2023-05-24 09:48:13.101168512 +0200
 

+ @@ -776,8 +776,24 @@
 

+  

+  	return (0);
 

+  }
 

+ +
 

+ +int
 

+ +is_ecdsa_pkcs11(EC_KEY *ecdsa)
 

+ +{
 

+ +	if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL)
 

+ +		return 1;
 

+ +	return 0;
 

+ +}
 

+  #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
 

+  

+ +int
 

+ +is_rsa_pkcs11(RSA *rsa)
 

+ +{
 

+ +	if (RSA_get_ex_data(rsa, rsa_idx) != NULL)
 

+ +		return 1;
 

+ +	return 0;
 

+ +}
 

+ +
 

+  /* remove trailing spaces */
 

+  static void
 

+  rmspace(u_char *buf, size_t len)
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11-client.c openssh-9.0p1-patched/ssh-pkcs11-client.c
 

+ --- openssh-9.0p1/ssh-pkcs11-client.c	2023-05-24 08:54:03.887443531 +0200
 

+ +++ openssh-9.0p1-patched/ssh-pkcs11-client.c	2023-05-24 09:49:41.741134514 +0200
 

+ @@ -225,8 +225,36 @@
 

+  static RSA_METHOD	*helper_rsa;
 

+  #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
 

+  static EC_KEY_METHOD	*helper_ecdsa;
 

+ +
 

+ +int
 

+ +is_ecdsa_pkcs11(EC_KEY *ecdsa)
 

+ +{
 

+ +	const EC_KEY_METHOD *meth;
 

+ +	ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen,
 

+ +		const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL;
 

+ +
 

+ +	meth = EC_KEY_get_method(ecdsa);
 

+ +	EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig);
 

+ +	if (sign_sig == ecdsa_do_sign)
 

+ +		return 1;
 

+ +	return 0;
 

+ +}
 

+  #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
 

+  

+ +int
 

+ +is_rsa_pkcs11(RSA *rsa)
 

+ +{
 

+ +	const RSA_METHOD *meth;
 

+ +	int (*priv_enc)(int flen, const unsigned char *from,
 

+ +        	unsigned char *to, RSA *rsa, int padding) = NULL;
 

+ +
 

+ +	meth = RSA_get_method(rsa);
 

+ +	priv_enc = RSA_meth_get_priv_enc(meth);
 

+ +	if (priv_enc == rsa_encrypt)
 

+ +		return 1;
 

+ +	return 0;
 

+ +}
 

+ +
 

+  /* redirect private key crypto operations to the ssh-pkcs11-helper */
 

+  static void
 

+  wrap_key(struct sshkey *k)
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11.h openssh-9.0p1-patched/ssh-pkcs11.h
 

+ --- openssh-9.0p1/ssh-pkcs11.h	2023-05-24 08:54:03.888443542 +0200
 

+ +++ openssh-9.0p1-patched/ssh-pkcs11.h	2023-05-24 09:50:03.981376886 +0200
 

+ @@ -39,6 +39,11 @@
 

+  	    u_int32_t *);
 

+  #endif
 

+  

+ +#ifdef HAVE_EC_KEY_METHOD_NEW
 

+ +int is_ecdsa_pkcs11(EC_KEY *ecdsa);
 

+ +#endif
 

+ +int is_rsa_pkcs11(RSA *rsa);
 

+ +
 

+  #if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
 

+  #undef ENABLE_PKCS11
 

+  #endif
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-rsa.c openssh-9.0p1-patched/ssh-rsa.c
 

+ --- openssh-9.0p1/ssh-rsa.c	2023-05-24 08:54:03.927443969 +0200
 

+ +++ openssh-9.0p1-patched/ssh-rsa.c	2023-05-24 09:51:50.358536178 +0200
 

+ @@ -174,8 +174,18 @@
 

+  	if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
 

+  		return SSH_ERR_KEY_LENGTH;
 

+  

+ -  	if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
 

+ -		return ret;
 

+ +#ifdef ENABLE_PKCS11
 

+ +	if (is_rsa_pkcs11(key->rsa)) {
 

+ +		if ((pkey = EVP_PKEY_new()) == NULL ||
 

+ +		    EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
 

+ +			return SSH_ERR_ALLOC_FAIL;
 

+ +	} else {
 

+ +#endif
 

+ +		if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
 

+ +			return ret;
 

+ +#ifdef ENABLE_PKCS11
 

+ +	}
 

+ +#endif
 

+  	ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
 

+  	    datalen);
 

+  	EVP_PKEY_free(pkey);

file added
+16 
@@ -0,0 +1,16 @@ 
 

+ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/ssh_config.5 openssh-8.7p1-patched/ssh_config.5
 

+ --- openssh-8.7p1/ssh_config.5	2023-05-29 13:41:19.731835097 +0200
 

+ +++ openssh-8.7p1-patched/ssh_config.5	2023-05-29 13:40:58.806604144 +0200
 

+ @@ -989,6 +989,12 @@
 

+  .Pp
 

+  The list of available signature algorithms may also be obtained using
 

+  .Qq ssh -Q HostKeyAlgorithms .
 

+ +.Pp
 

+ +.Xr crypto_policies 7 does not handle the list of algorithms as doing so
 

+ +would break the order given by the
 

+ +.Pa known_hosts
 

+ +file. Therefore the list is filtered by
 

+ +.Cm PubkeyAcceptedAlgorithms.
 

+  .It Cm HostKeyAlias
 

+  Specifies an alias that should be used instead of the
 

+  real host name when looking up or saving the host key

file modified
+13 -1 
@@ -47,7 +47,7 @@ 
 

  

  # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 

  %global openssh_ver 9.0p1
 

- %global openssh_rel 17
 

+ %global openssh_rel 18
 

  %global pam_ssh_agent_ver 0.10.4
 

  %global pam_ssh_agent_rel 8
 

  
@@ -247,6 +247,10 @@ 
 

  Patch1012: openssh-9.0p1-evp-fips-dh.patch
 

  Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
 

  Patch1014: openssh-8.7p1-nohostsha1proof.patch
 

+ Patch1015: openssh-9.0p1-evp-pkcs11.patch
 

+ 

+ # clarify rhbz#2068423 on the man page of ssh_config
 

+ Patch1016: openssh-9.0p1-man-hostkeyalgos.patch
 

  

  License: BSD
 

  Requires: /sbin/nologin
 
@@ -460,6 +464,9 @@ 
 

  %patch1012 -p1 -b .evp-fips-dh
 

  %patch1013 -p1 -b .evp-fips-ecdh
 

  %patch1014 -p1 -b .nosha1hostproof
 

+ %patch1015 -p1 -b .evp-pkcs11
 

+ 

+ %patch1016 -p1 -b .man-hostkeyalgos
 

  

  %patch100 -p1 -b .coverity
 

  
@@ -767,6 +774,11 @@ 
 

  %endif
 

  

  %changelog
 

+ * Wed May 24 2023 Norbert Pocs <npocs@redhat.com> - 9.0p1-18
 

+ - Fix pkcs11 issue with the recent changes
 

+ - Add support for 'serial' in PKCS#11 URI
 

+ - Clarify HostKeyAlgorithms relation with crypto-policies
 

+ 

  * Fri Apr 14 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-17
 

  - In case when sha1 signatures are not supported, fallback to sha2 in hostproof
 

  - Audit logging patch was not applied (rhbz#2177471)

Add:
- pkcs11: Add support for 'serial' in PKCS#11 URI
- fips compliance dh fix
- fips compliance pkcs11 fix

Signed-off-by: Norbert Pocs npocs@redhat.com

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/77b97cdf6c73474d9934754010200927

rebased onto d9e81fca97fc64e4eaf3fdd58f4d287c9d92a04f
a year ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/c77c347e6f8f4685b1abfdb1a305029d

3 new commits added

  • pkcs11: Add support for 'serial' in PKCS#11 URI
  • Fix regression in pkcs11 introduced in the previous patch
  • Fix minor issues with openssh-9.0p1-evp-fips-dh.patch
a year ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/bc2284944ed44b9f841e51ed8d151845

rebased onto 2341f17
a year ago

3 new commits added

  • pkcs11: Add support for 'serial' in PKCS#11 URI
  • Fix regression in pkcs11 introduced in the previous patch
  • Fix minor issues with openssh-9.0p1-evp-fips-dh.patch
a year ago

Build succeeded.
https://fedora.softwarefactory-project.io/zuul/buildset/f19e8156cc10465290268d755231d517

1 new commit added

  • Clarify HostKeyAlgorithms option on man page
a year ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/caca4e920fce46e1854aa1b908a3ba4a

The error does not seem to be connected with the changes so merging.

Pull-Request has been merged by npocs
a year ago
Metadata
None
No Tags
Changes Summary 5
+66 -34
file changed
openssh-8.0p1-pkcs11-uri.patch
+53 -27
file changed
openssh-9.0p1-evp-fips-dh.patch
+145
file added
openssh-9.0p1-evp-pkcs11.patch
+16
file added
openssh-9.0p1-man-hostkeyalgos.patch
+13 -1
file changed
openssh.spec
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.