Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:Update
openssh-testuser.32839
openssh-fips-ensure-approved-moduli.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File openssh-fips-ensure-approved-moduli.patch of Package openssh-testuser.32839
From bb6b4d3908d308651f81940e31b67dfb47297482 Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson <hpj@suse.com> Date: Wed, 26 Oct 2022 10:01:18 +0200 Subject: [PATCH] openssh-fips-ensure-approved-moduli commit 102956da05b4b01c46cb2a555e1277ab3a8d0167 Author: Hans Petter Jansson <hpj@hpjansson.org> Date: Wed Nov 11 00:59:45 2020 +0100 Ensure DHGs are approved in FIPS mode using OpenSSL's DH_check() --- dh.c | 38 +++++++++++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/dh.c b/dh.c index 351c79ce..13e7c189 100644 --- a/dh.c +++ b/dh.c @@ -144,6 +144,28 @@ parse_prime(int linenum, char *line, struct dhgroup *dhg) return 0; } +static int +dhg_is_approved(const struct dhgroup *dhg) +{ + BIGNUM *g, *p; + DH *dh; + int dh_status; + int is_ok = 0; + + /* DH_set0_pqg() transfers ownership of the bignums, so we + * make temporary copies here for simplicity. */ + g = BN_dup(dhg->g); + p = BN_dup(dhg->p); + dh = dh_new_group(g, p); + + if (dh) { + is_ok = DH_check(dh, &dh_status); + } + + DH_free(dh); + return is_ok; +} + DH * choose_dh(int min, int wantbits, int max) { @@ -163,12 +185,20 @@ choose_dh(int min, int wantbits, int max) linenum = 0; best = bestcount = 0; while (fgets(line, sizeof(line), f)) { + int dhg_is_ok; + linenum++; if (!parse_prime(linenum, line, &dhg)) continue; + + dhg_is_ok = dhg_is_approved(&dhg); + BN_clear_free(dhg.g); BN_clear_free(dhg.p); + if (!dhg_is_ok) + continue; + if (dhg.size > max || dhg.size < min) continue; @@ -191,9 +221,15 @@ choose_dh(int min, int wantbits, int max) linenum = 0; which = arc4random_uniform(bestcount); while (fgets(line, sizeof(line), f)) { + int dhg_is_ok; + if (!parse_prime(linenum, line, &dhg)) continue; - if ((dhg.size > max || dhg.size < min) || + + dhg_is_ok = dhg_is_approved(&dhg); + + if (!dhg_is_ok || + (dhg.size > max || dhg.size < min) || dhg.size != best || linenum++ != which) { BN_clear_free(dhg.g); -- 2.38.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor