Script 'mail_helper' called by obssrc
Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2022-12-23 10:20:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.1563 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh"
Fri Dec 23 10:20:44 2022 rev:161 rq:1044051 version:8.9p1
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2022-12-16 17:51:32.639982091 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.1563/openssh.changes 2022-12-23 10:20:48.075240196 +0100
@@ -1,0 +2,6 @@
+Mon Dec 19 15:41:26 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Adapt OpenSSH to build with OpenSSL 3, use new KDF API (bsc#1205042)
+ Add openssh-openssl-3.patch
+
+-------------------------------------------------------------------
New:
----
openssh-openssl-3.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.CxmSa4/_old 2022-12-23 10:20:49.099246049 +0100
+++ /var/tmp/diff_new_pack.CxmSa4/_new 2022-12-23 10:20:49.107246094 +0100
@@ -110,13 +110,14 @@
 Patch47: openssh-8.4p1-vendordir.patch
 Patch48: openssh-8.4p1-pam_motd.patch
 Patch49: openssh-do-not-send-empty-message.patch
+Patch50: openssh-openssl-3.patch
 BuildRequires: audit-devel
 BuildRequires: automake
 BuildRequires: groff
 BuildRequires: libedit-devel
 BuildRequires: libselinux-devel
 BuildRequires: openldap2-devel
-BuildRequires: pkgconfig(openssl) < 3
+BuildRequires: openssl-devel
 BuildRequires: pam-devel
 BuildRequires: pkgconfig
 BuildRequires: zlib-devel
++++++ openssh-openssl-3.patch ++++++
---
 fips.c | 5 +++++
 kex.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 65 insertions(+), 1 deletion(-)
--- a/fips.c
+++ b/fips.c
@@ -48,6 +48,11 @@ static int fips_state = -1;
+#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,x)
+#endif
+
 /* calculates HMAC of contents of a file given by filename using the hash
  * algorithm specified by FIPS_HMAC_EVP in fips.h and placing the result into
  * newly allacated memory - remember to free it when not needed anymore */
--- a/kex.c
+++ b/kex.c
@@ -41,6 +41,9 @@
 #include <openssl/crypto.h>
 #include <openssl/dh.h>
 #include <openssl/kdf.h>
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+# include <openssl/core_names.h>
+# endif
 #endif
 #include "ssh.h"
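Review bot: The two macros added after `static int fips_state = -1;` quietly change what FIPS_mode()/FIPS_mode_set() mean on OpenSSL 3: EVP_default_properties_enable_fips() only sets the `fips=yes` default property query on the default library context and EVP_default_properties_is_fips_enabled() only reports that flag, so neither loads the FIPS provider nor runs its self-tests the way the 1.x FIPS_mode_set() did. A caller that treats a non-zero FIPS_mode() as "FIPS algorithms are available" can therefore get a true answer while every later EVP fetch fails; how the rest of fips.c uses the value is outside this hunk, but the difference belongs next to the defines, e.g. `/* OpenSSL 3: these only set/query the "fips=yes" default property; the FIPS provider must already be loaded (openssl.cnf or OSSL_PROVIDER_load()) for fetches to succeed */`. The macro argument should also be parenthesized: `# define FIPS_mode_set(x) EVP_default_properties_enable_fips(NULL,(x))`.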
@@ -1191,14 +1194,61 @@ derive_key_via_openssl(struct ssh *ssh,
 {
 struct kex *kex = ssh->kex;
 EVP_KDF_CTX *hashctx = NULL;
- const EVP_MD *md = NULL;
 u_char *digest = NULL;
 int r = SSH_ERR_LIBCRYPTO_ERROR;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ OSSL_PARAM params[6], *p = params;
+ char type = (char) id;
+ EVP_KDF *kdf = EVP_KDF_fetch (NULL, "SSHKDF", NULL);
+ if (!kdf)
+ goto out;
+ hashctx = EVP_KDF_CTX_new (kdf);
+# else
+ const EVP_MD *md = NULL;
 hashctx = EVP_KDF_CTX_new_id (EVP_KDF_SSHKDF);
+# endif
 if (!hashctx)
 goto out;
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ switch (kex->hash_alg)
+ {
+ case SSH_DIGEST_MD5:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_md5, strlen(SN_md5));
+ break;
+ case SSH_DIGEST_SHA1:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha1, strlen(SN_sha1));
+ break;
+ case SSH_DIGEST_SHA256:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha256, strlen(SN_sha256));
+ break;
+ case SSH_DIGEST_SHA384:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha384, strlen(SN_sha384));
+ break;
+ case SSH_DIGEST_SHA512:
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
+ SN_sha512, strlen(SN_sha512));
+ break;
+ default:
+ goto out;
+ }
+
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_XCGHASH,
+ hash, (size_t) hashlen);
+ *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
+ sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id));
+ *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE,
+ &type, sizeof(type));
+ *p = OSSL_PARAM_construct_end();
+
+# else
 md = get_openssl_md_for_hash_alg (kex->hash_alg);
 if (!md)
 goto out;
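Review bot: The OSSL_PARAM_construct_octet_string() calls for OSSL_KDF_PARAM_KEY and OSSL_KDF_PARAM_SSHKDF_SESSION_ID hand `sshbuf_ptr(shared_secret)` and `sshbuf_ptr(kex->session_id)` to a parameter declared `void *`; sshbuf_ptr() returns a const pointer, so this should build with discarded-qualifier warnings and leaves a reader wondering whether the KDF writes into the session id. An explicit `(void *)` cast on those two arguments plus a one-line comment that the SSHKDF provider only reads the parameter buffers would settle both. The `char type = (char) id;` / `sizeof(type)` pair also deserves a comment, since it depends on the provider expecting exactly one byte rather than a NUL-terminated string for OSSL_KDF_PARAM_SSHKDF_TYPE: `/* SSHKDF wants the key letter as a single byte, not a C string */`. The `switch` with its brace on a separate line departs from the usual `switch (x) {` layout in OpenSSH sources. derive_key_via_openssl() starts before and continues after this hunk.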
@@ -1215,6 +1265,7 @@ derive_key_via_openssl(struct ssh *ssh,
 sshbuf_ptr(kex->session_id), (size_t) sshbuf_len(kex->session_id)) != 1)
 goto out;
+# endif
 digest = calloc (1, need);
 if (!digest) {
@@ -1222,7 +1273,11 @@ derive_key_via_openssl(struct ssh *ssh,
 goto out;
 }
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ if (EVP_KDF_derive (hashctx, digest, need, params) != 1)
+# else
 if (EVP_KDF_derive (hashctx, digest, need) != 1)
+# endif
 goto out;
 *keyp = digest;
@@ -1233,6 +1288,10 @@ derive_key_via_openssl(struct ssh *ssh,
 if (hashctx)
 EVP_KDF_CTX_free(hashctx);
+# if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
+ EVP_KDF_free(kdf);
+# endif
+
 if (digest)
 free(digest);
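Review bot: `EVP_KDF_free(kdf)` in the last hunk is reached with kdf == NULL from the `if (!kdf) goto out;` path added earlier in the function; EVP_KDF_free() tolerates NULL, so this is correct, but because the EVP_KDF_CTX_free() right above it is NULL-guarded the asymmetry reads like an oversight — a comment such as `/* NULL-safe: reached with kdf == NULL when EVP_KDF_fetch() failed */` would prevent someone "fixing" it later. The raw `OPENSSL_VERSION_NUMBER >= 0x30000000L` test now wraps single statements in all three hunks on this line as well as the earlier ones, and `params` and `kdf` exist only in the 3.x branch, so the two paths have to be kept in sync by hand; one feature macro defined once near the includes (a constructed name such as `HAVE_OPENSSL3_KDF`) would make that dependency visible. The function's cleanup presumably continues past the last hunk with the `return`.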