rpms/openssh
5
0
Fork 1
Code Issues Pull Requests Releases Activity

Change ssh-keygen defaults in FIPS mode

Browse Source 
Resolves: RHEL-37324
This commit is contained in:
Dmitry Belyavskiy 2024-07-26 13:18:20 +02:00
parent 7a357709f5
commit 1c01acf847
2 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
openssh-7.7p1-fips.patch
View File

@ -516,6 +516,14 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
#include <openssl/pem.h> #include <openssl/pem.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -69,6 +69,7 @@
#include "cipher.h"
#define DEFAULT_KEY_TYPE_NAME "ed25519"
+#define FIPS_DEFAULT_KEY_TYPE_NAME "rsa"
/*
* Default number of bits in the RSA, DSA and ECDSA keys. These value can be
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
@ -529,6 +537,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
switch (type) { switch (type) {
case KEY_DSA: case KEY_DSA:
if (*bitsp != 1024) if (*bitsp != 1024)
@@ -266,7 +267,7 @@ ask_filename(struct passwd *pw, const ch
char *name = NULL;
if (key_type_name == NULL)
- name = _PATH_SSH_CLIENT_ID_ED25519;
+ name = FIPS_mode() ? _PATH_SSH_CLIENT_ID_RSA : _PATH_SSH_CLIENT_ID_ED25519;
else {
switch (sshkey_type_from_name(key_type_name)) {
#ifdef WITH_DSA
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
@ -548,6 +565,15 @@ diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));
@@ -3830,7 +3831,7 @@ main(int argc, char **argv)
}
if (key_type_name == NULL)
- key_type_name = DEFAULT_KEY_TYPE_NAME;
+ key_type_name = FIPS_mode() ? FIPS_DEFAULT_KEY_TYPE_NAME : DEFAULT_KEY_TYPE_NAME;
type = sshkey_type_from_name(key_type_name);
type_bits_valid(type, key_type_name, &bits);
diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c diff -up openssh-9.3p1/ssh-rsa.c.evpgenrsa openssh-9.3p1/ssh-rsa.c
--- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200 --- openssh-9.3p1/ssh-rsa.c.evpgenrsa 2022-06-30 15:14:58.200518353 +0200
+++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200 +++ openssh-9.3p1/ssh-rsa.c 2022-06-30 15:24:31.499641196 +0200

10
openssh.spec
View File

@ -39,7 +39,7 @@
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
%global openssh_ver 9.8p1 %global openssh_ver 9.8p1
%global openssh_rel 1 %global openssh_rel 2
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -653,11 +653,15 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog %changelog
* Fri Jul 26 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-2.0
- Temporary disabling self-test
Related: RHEL-42635
- Change ssh-keygen defaults in FIPS mode
Resolves: RHEL-37324
* Thu Jul 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-1.0 * Thu Jul 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-1.0
- Rebase OpenSSH to 9.8p1 - Rebase OpenSSH to 9.8p1
Resolves: RHEL-42635 Resolves: RHEL-42635
- Temporary disabling self-test
Related: RHEL-42635
* Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5 * Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5
- Build OpenSSH without ENGINE API - Build OpenSSH without ENGINE API