Fix regression in pkcs11 introduced in the previous patch
Signed-off-by: Norbert Pocs <npocs@redhat.com>
This commit is contained in:
parent
2341f1769d
commit
e8e01dc82e
145
openssh-9.0p1-evp-pkcs11.patch
Normal file
145
openssh-9.0p1-evp-pkcs11.patch
Normal file
@ -0,0 +1,145 @@
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-ecdsa.c openssh-9.0p1-patched/ssh-ecdsa.c
|
||||
--- openssh-9.0p1/ssh-ecdsa.c 2023-05-24 08:54:03.926443958 +0200
|
||||
+++ openssh-9.0p1-patched/ssh-ecdsa.c 2023-05-24 09:46:19.082925921 +0200
|
||||
@@ -74,8 +74,18 @@
|
||||
if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
- if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
|
||||
- return ret;
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+ if (is_ecdsa_pkcs11(key->ecdsa)) {
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ } else {
|
||||
+#endif
|
||||
+ if ((ret = ssh_create_evp_ec(key->ecdsa, key->ecdsa_nid, &pkey)) != 0)
|
||||
+ return ret;
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+ }
|
||||
+#endif
|
||||
ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
|
||||
datalen);
|
||||
EVP_PKEY_free(pkey);
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/sshkey.h openssh-9.0p1-patched/sshkey.h
|
||||
--- openssh-9.0p1/sshkey.h 2023-05-24 08:54:03.926443958 +0200
|
||||
+++ openssh-9.0p1-patched/sshkey.h 2023-05-24 08:57:22.930642788 +0200
|
||||
@@ -340,6 +340,10 @@
|
||||
const u_char *data, size_t datalen, u_int compat);
|
||||
#endif
|
||||
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+int pkcs11_get_ecdsa_idx(void);
|
||||
+#endif
|
||||
+
|
||||
#if !defined(WITH_OPENSSL)
|
||||
# undef RSA
|
||||
# undef DSA
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11.c openssh-9.0p1-patched/ssh-pkcs11.c
|
||||
--- openssh-9.0p1/ssh-pkcs11.c 2023-05-24 08:54:03.888443542 +0200
|
||||
+++ openssh-9.0p1-patched/ssh-pkcs11.c 2023-05-24 09:48:13.101168512 +0200
|
||||
@@ -776,8 +776,24 @@
|
||||
|
||||
return (0);
|
||||
}
|
||||
+
|
||||
+int
|
||||
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
|
||||
+{
|
||||
+ if (EC_KEY_get_ex_data(ecdsa, ec_key_idx) != NULL)
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
|
||||
|
||||
+int
|
||||
+is_rsa_pkcs11(RSA *rsa)
|
||||
+{
|
||||
+ if (RSA_get_ex_data(rsa, rsa_idx) != NULL)
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* remove trailing spaces */
|
||||
static void
|
||||
rmspace(u_char *buf, size_t len)
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11-client.c openssh-9.0p1-patched/ssh-pkcs11-client.c
|
||||
--- openssh-9.0p1/ssh-pkcs11-client.c 2023-05-24 08:54:03.887443531 +0200
|
||||
+++ openssh-9.0p1-patched/ssh-pkcs11-client.c 2023-05-24 09:49:41.741134514 +0200
|
||||
@@ -225,8 +225,36 @@
|
||||
static RSA_METHOD *helper_rsa;
|
||||
#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
|
||||
static EC_KEY_METHOD *helper_ecdsa;
|
||||
+
|
||||
+int
|
||||
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
|
||||
+{
|
||||
+ const EC_KEY_METHOD *meth;
|
||||
+ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgstlen,
|
||||
+ const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) = NULL;
|
||||
+
|
||||
+ meth = EC_KEY_get_method(ecdsa);
|
||||
+ EC_KEY_METHOD_get_sign(meth, NULL, NULL, &sign_sig);
|
||||
+ if (sign_sig == ecdsa_do_sign)
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+}
|
||||
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
|
||||
|
||||
+int
|
||||
+is_rsa_pkcs11(RSA *rsa)
|
||||
+{
|
||||
+ const RSA_METHOD *meth;
|
||||
+ int (*priv_enc)(int flen, const unsigned char *from,
|
||||
+ unsigned char *to, RSA *rsa, int padding) = NULL;
|
||||
+
|
||||
+ meth = RSA_get_method(rsa);
|
||||
+ priv_enc = RSA_meth_get_priv_enc(meth);
|
||||
+ if (priv_enc == rsa_encrypt)
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* redirect private key crypto operations to the ssh-pkcs11-helper */
|
||||
static void
|
||||
wrap_key(struct sshkey *k)
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-pkcs11.h openssh-9.0p1-patched/ssh-pkcs11.h
|
||||
--- openssh-9.0p1/ssh-pkcs11.h 2023-05-24 08:54:03.888443542 +0200
|
||||
+++ openssh-9.0p1-patched/ssh-pkcs11.h 2023-05-24 09:50:03.981376886 +0200
|
||||
@@ -39,6 +39,11 @@
|
||||
u_int32_t *);
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_EC_KEY_METHOD_NEW
|
||||
+int is_ecdsa_pkcs11(EC_KEY *ecdsa);
|
||||
+#endif
|
||||
+int is_rsa_pkcs11(RSA *rsa);
|
||||
+
|
||||
#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
|
||||
#undef ENABLE_PKCS11
|
||||
#endif
|
||||
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.0p1/ssh-rsa.c openssh-9.0p1-patched/ssh-rsa.c
|
||||
--- openssh-9.0p1/ssh-rsa.c 2023-05-24 08:54:03.927443969 +0200
|
||||
+++ openssh-9.0p1-patched/ssh-rsa.c 2023-05-24 09:51:50.358536178 +0200
|
||||
@@ -174,8 +174,18 @@
|
||||
if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||
return SSH_ERR_KEY_LENGTH;
|
||||
|
||||
- if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
|
||||
- return ret;
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+ if (is_rsa_pkcs11(key->rsa)) {
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ } else {
|
||||
+#endif
|
||||
+ if ((ret = ssh_create_evp_rsa(key, &pkey)) != 0)
|
||||
+ return ret;
|
||||
+#ifdef ENABLE_PKCS11
|
||||
+ }
|
||||
+#endif
|
||||
ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
|
||||
datalen);
|
||||
EVP_PKEY_free(pkey);
|
@ -47,7 +47,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 9.0p1
|
||||
%global openssh_rel 17
|
||||
%global openssh_rel 18
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 8
|
||||
|
||||
@ -247,6 +247,7 @@ Patch1011: openssh-9.0p1-evp-fips-sign.patch
|
||||
Patch1012: openssh-9.0p1-evp-fips-dh.patch
|
||||
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
|
||||
Patch1014: openssh-8.7p1-nohostsha1proof.patch
|
||||
Patch1015: openssh-9.0p1-evp-pkcs11.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -460,6 +461,7 @@ popd
|
||||
%patch1012 -p1 -b .evp-fips-dh
|
||||
%patch1013 -p1 -b .evp-fips-ecdh
|
||||
%patch1014 -p1 -b .nosha1hostproof
|
||||
%patch1015 -p1 -b .evp-pkcs11
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
|
||||
@ -767,6 +769,9 @@ test -f %{sysconfig_anaconda} && \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed May 24 2023 Norbert Pocs <npocs@redhat.com> - 9.0p1-18
|
||||
- Fix pkcs11 issue with the recent changes
|
||||
|
||||
* Fri Apr 14 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-17
|
||||
- In case when sha1 signatures are not supported, fallback to sha2 in hostproof
|
||||
- Audit logging patch was not applied (rhbz#2177471)
|
||||
|
Loading…
Reference in New Issue
Block a user