From 0d823b2f2a502838e9fa72a978241792de1b3889 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Wed, 13 Jul 2022 16:19:53 +0200
Subject: [PATCH] Disable ed25519 and ed25519-sk keys in FIPS mode
Related: rhbz#2087915
---
 openssh-7.7p1-fips.patch | 55 ++++++++++++++++++++++++++++++++--------
 openssh.spec | 6 ++++-
 2 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index b072cf5..fe367a7 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -344,6 +344,20 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 saved_argc = ac;
 rexec_argc = ac;
+@@ -1931,6 +1931,13 @@ main(int ac, char **av)
+ &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
+ do_log2_r(r, ll, "Unable to load host key \"%s\"",
+ options.host_key_files[i]);
++ if (FIPS_mode() && (sshkey_type_plain(key->type) == KEY_ED25519_SK
++ || sshkey_type_plain(key->type) == KEY_ED25519)) {
++ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_files[i]);
++ sshkey_free(key);
++ key = NULL;
++ continue;
++ }
+ if (sshkey_is_sk(key) &&
+ key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
+ debug("host key %s requires user presence, ignoring",
 @@ -2110,6 +2113,10 @@ main(int ac, char **av)
 /* Reinitialize the log (because of the fork above). */
 log_init(__progname, options.log_level, options.log_facility, log_stderr);
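Review bot: The added FIPS check in the sshd.c host-key loop dereferences `key->type` without a NULL guard, directly after a `sshkey_load_private` call whose `SSH_ERR_SYSTEM_ERROR` outcome (a missing or unreadable HostKey file) is deliberately left unlogged and presumably leaves `key` NULL; in FIPS mode that turns a configured-but-absent HostKey from a silent skip into a NULL dereference at sshd startup. The `sshkey_is_sk(key)` check that follows appears to be written to tolerate a NULL `key`, and the new condition should do the same: `if (key != NULL && FIPS_mode() && (sshkey_type_plain(key->type) == KEY_ED25519_SK`. The `continue` also skips the remainder of the loop body, which lies outside the hunk, so whatever that code does with this index must cope with the slot being left empty; if that is the intended contract it deserves a comment such as `/* skipped: host key slot i stays unset, later code must tolerate NULL */`. The enclosing for loop and main() start and end outside the hunk.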
@@ -393,6 +407,27 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
 #include "ssh-sk.h"
 #ifdef WITH_XMSS
+@@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
+ return SSH_ERR_EC_CURVE_MISMATCH;
+ }
+
++ switch (type) {
++ case KEY_ED25519:
++ case KEY_ED25519_SK:
++ case KEY_ED25519_CERT:
++ case KEY_ED25519_SK_CERT:
++ if (FIPS_mode()) {
++ sshkey_free(k);
++ logit_f("Ed25519 keys are not allowed in FIPS mode");
++ return SSH_ERR_INVALID_ARGUMENT;
++ }
++ break;
++ default:
++ break;
++ }
+ /* Fill in ret from parsed key */
+ ret->type = type;
+ if (sshkey_is_cert(ret)) {
 @@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
 goto out;
@@ -407,7 +442,7 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
 case KEY_ED25519_SK:
 case KEY_ED25519_SK_CERT:
 + if (FIPS_mode()) {
-+ logit("Ed25519 keys are not alowed in FIPS mode");
++ logit_f("Ed25519 keys are not allowed in FIPS mode");
 + return SSH_ERR_INVALID_ARGUMENT;
 + }
 + /* Fallthrough */
@@ -419,7 +454,7 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
 case KEY_ED25519_SK:
 case KEY_ED25519_SK_CERT:
 + if (FIPS_mode()) {
-+ logit("Ed25519 keys are not alowed in FIPS mode");
++ logit_f("Ed25519 keys are not allowed in FIPS mode");
 + return SSH_ERR_INVALID_ARGUMENT;
 + }
 return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
@@ -477,7 +512,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 case KEX_C25519_SHA256:
 - r = kex_c25519_keypair(kex);
 + if (FIPS_mode()) {
-+ logit("Key exchange type c25519 is not alowed in FIPS mode");
++ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_c25519_keypair(kex);
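Review bot: The new `switch (type)` in sshkey_read logs at `logit_f` level for every Ed25519 key it parses in FIPS mode, and sshkey_read is, by its name and the `ret`/`k` parsing visible here, presumably the per-line parser behind known_hosts and authorized_keys; each Ed25519 entry in those files would then emit a log line on every parse, which is noisy and lets the contents of a user's own authorized_keys drive sshd log volume. A `debug_f` here, or one message from the caller after parsing fails, would be quieter; the hunks at @@ -407 and @@ -419 in the same file are wording changes only and need nothing. The check also runs after the base64 blob has been decoded into `k`; since `type` is already known from the key-type token, the check could presumably sit before the decode and skip that allocation, though the `sshkey_free(k)` placement as written is correct and mirrors the two mismatch returns above it. sshkey_read starts and ends outside the hunk.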
@@ -486,7 +521,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 case KEX_KEM_SNTRUP761X25519_SHA512:
 - r = kex_kem_sntrup761x25519_keypair(kex);
 + if (FIPS_mode()) {
-+ logit("Key exchange type sntrup761 is not alowed in FIPS mode");
++ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_kem_sntrup761x25519_keypair(kex);
@@ -500,7 +535,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 case KEX_C25519_SHA256:
 - r = kex_c25519_dec(kex, server_blob, &shared_secret);
 + if (FIPS_mode()) {
-+ logit("Key exchange type c25519 is not alowed in FIPS mode");
++ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_c25519_dec(kex, server_blob, &shared_secret);
@@ -510,7 +545,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 - r = kex_kem_sntrup761x25519_dec(kex, server_blob,
 - &shared_secret);
 + if (FIPS_mode()) {
-+ logit("Key exchange type sntrup761 is not alowed in FIPS mode");
++ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_kem_sntrup761x25519_dec(kex, server_blob,
@@ -526,7 +561,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 - r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
 - &shared_secret);
 + if (FIPS_mode()) {
-+ logit("Key exchange type c25519 is not alowed in FIPS mode");
++ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
@@ -537,7 +572,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 - r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
 - &server_pubkey, &shared_secret);
 + if (FIPS_mode()) {
-+ logit("Key exchange type sntrup761 is not alowed in FIPS mode");
++ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
 + r = SSH_ERR_INVALID_ARGUMENT;
 + } else {
 + r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
@@ -562,7 +597,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
 datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
 return SSH_ERR_INVALID_ARGUMENT;
 + if (FIPS_mode()) {
-+ logit("Ed25519 keys are not alowed in FIPS mode");
++ logit_f("Ed25519 keys are not allowed in FIPS mode");
 + return SSH_ERR_INVALID_ARGUMENT;
 + }
 smlen = slen = datalen + crypto_sign_ed25519_BYTES;
@@ -573,7 +608,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
 signature == NULL || signaturelen == 0)
 return SSH_ERR_INVALID_ARGUMENT;
 + if (FIPS_mode()) {
-+ logit("Ed25519 keys are not alowed in FIPS mode");
++ logit_f("Ed25519 keys are not allowed in FIPS mode");
 + return SSH_ERR_INVALID_ARGUMENT;
 + }
diff --git a/openssh.spec b/openssh.spec
index 325a8c9..4674942 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 13
+%global openssh_rel 14
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 4
@@ -720,6 +720,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Wed Jul 13 2022 Dmitry Belyavskiy - 8.7p1-14
+- Disable ed25519 and ed25519-sk keys in FIPS mode
+ Related: rhbz#2087915
+
 * Tue Jul 12 2022 Zoltan Fridrich - 8.7p1-13
 - Add reference for policy customization in ssh/sshd_config manpages
 Resolves: rhbz#1984575