Add Fedora openssh-10.2p1 FIPS patch for wolfProvider#334
Open
ColtonWilley wants to merge 1 commit into wolfSSL:master from
Conversation
Sibling to openssh-RHEL-9.9p1-FIPS-wolfprov.patch. Targets Fedora 44's openssh-10.2p1 + 59-patch RHEL set (which carries the SSHKDF routing patch openssh-8.0p1-openssl-kdf.patch and the FIPS adaptation patch openssh-7.7p1-fips.patch); the Red Hat-derived test fixtures still exercise pre-FIPS algorithms (Ed25519, MD5, RSA-1024, curve25519, SHA1, chacha20, MLKEM, sntrup761) which a FIPS-restricted OpenSSL or the wolfProvider fips-baseline build refuses.

Differences from the 9.9p1 sibling:

- t6 and t8 are not dropped from REGRESS_TARGETS: openssh removed the DSA ssh-keygen tests in 10.x, so the targets no longer exist.
- test_kex.c gained cipher/mac/key parameters in the do_kex_with_key() signature; the FIPS-compliant cipher/MAC pins are applied unconditionally inside the function body to override callers that pass NULL.
- The do_kex() helper now contains a benchmark path keyed on test_is_benchmark(); regular `make tests` does not enter that path, so the patch leaves it untouched.
- Drops the redundant direct `#include "ssh-pkcs11-uri.h"` in ssh-pkcs11.c. Fedora's 0052-openssh-10.2p1-pkcs11-uri.patch makes ssh-pkcs11.h include the URI header, leaving both pulled into the same translation unit; without include guards on the URI header the resulting `struct pkcs11_uri` redefinition refuses to compile.
Summary
Sibling to #332 (openssh-9.9p1). Adds `openssh-RHEL-10.2p1-FIPS-wolfprov.patch` for FIPS-mode compatibility against Fedora 44's patched openssh-10.2p1, which carries the SSHKDF routing patch (openssh-8.0p1-openssl-kdf.patch) and the FIPS adaptation patch (openssh-7.7p1-fips.patch) — the same Red Hat-derived test-fixture hostility to FIPS-restricted crypto we hit on 9.9p1.

The patch:

- `t1` (RSA-1024), `t4` (MD5), `t10` and `t12` (Ed25519 keygen) from `REGRESS_TARGETS` (`t6`/`t8` were removed upstream when DSA was deleted);
- `test_sshkey`, `test_sshsig`, `test_authopt`, `test_hostkeys`, whose testdata trees use Ed25519/DSA/short-RSA keys;
- `regress/unittests/kex/test_kex.c`, drops the Ed25519 host-key path, and strips curve25519/DH-SHA1/MLKEM/sntrup761 from `kex_tests` so SSHKDF still runs through ECDH-NIST + DH-GEX-SHA256;
- `#include "ssh-pkcs11-uri.h"` from `ssh-pkcs11.c` to work around an unrelated build break in Fedora's `0052-openssh-10.2p1-pkcs11-uri.patch` (the URI header lacks include guards and ends up pulled into the same TU twice — once direct, once via `ssh-pkcs11.h`).

Validated on a CentOS Stream 10 FIPS-enabled VM (`fips=1`, `update-crypto-policies --set FIPS`) against three stacks:

- `openssl-3.5.5-2.el10` (no patch): `t1`/`t4`/`t10`/`t12` + `test_sshkey` (RSA-1024) fail in FIPS
- wolfProvider fips-baseline patched OpenSSL 3.5.5 + this patch
- wolfProvider + FIPS wolfSSL (5.9.1-fips-ready) + this patch

`test_kex` runs all 90 cases under wolfProvider-as-default-OpenSSL-provider, so SSHKDF routes through wolfSSL's FIPS module via the openssl-kdf RHEL patch.

Test plan

- `rpmbuild --short-circuit -bc` of Fedora f44 dist-git openssh-10.2p1 against system OpenSSL 3.5.5 in FIPS mode (with this patch applied — without it the pkcs11 hunk above blocks the build)
- `make -k file-tests interop-tests extra-tests unit` is green
- `regress/unittests/kex/test_kex` exercises SSHKDF via the `openssl-kdf` RHEL patch under wolfProvider's `EVP_KDF` SSHKDF implementation
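As an added reference (not code from this PR, openssh or wolfProvider), the SSHKDF derivation that the openssl-kdf patch hands to `EVP_KDF` "SSHKDF", written out per RFC 4253 section 7.2 so the inputs `test_kex` feeds the provider (shared secret K, exchange hash H, key letter, session id) and the block-expansion step are visible. The hash name, K and H values below are constructed, and the `sha256` choice stands in for the DH-GEX-SHA256 / ECDH-NIST methods the patched `kex_tests` keeps.

```python
import hashlib


def mpint(k: int) -> bytes:
    """Encode a non-negative K as an SSH mpint (RFC 4251): uint32 length prefix,
    big-endian magnitude, extra 0x00 byte when the high bit is set, empty for 0."""
    if k == 0:
        body = b""
    else:
        # +8 bits guarantees a leading 0x00 pad whenever the top bit is set
        body = k.to_bytes((k.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def sshkdf(hash_name: str, K: int, H: bytes, X: bytes, session_id: bytes, need: int) -> bytes:
    """K1 = HASH(mpint(K) || H || X || session_id)
       Kn = HASH(mpint(K) || H || K1 || ... || K(n-1))
       Output is K1 || K2 || ... truncated to `need` bytes (RFC 4253 7.2)."""
    if len(X) != 1 or X not in b"ABCDEF":
        raise ValueError("key letter must be one of A..F")
    k = mpint(K)
    out = hashlib.new(hash_name, k + H + X + session_id).digest()
    while len(out) < need:
        out += hashlib.new(hash_name, k + H + out).digest()
    return out[:need]


def derive_all(hash_name: str, K: int, H: bytes, session_id: bytes,
               iv_len: int, key_len: int, mac_len: int) -> dict:
    """Derive the six directional keys (A/B IVs, C/D cipher keys, E/F MAC keys)."""
    wanted = {"A": iv_len, "B": iv_len, "C": key_len, "D": key_len, "E": mac_len, "F": mac_len}
    return {letter: sshkdf(hash_name, K, H, letter.encode(), session_id, n)
            for letter, n in wanted.items()}


if __name__ == "__main__":
    # Constructed inputs: a fake shared secret and exchange hash; on the first
    # exchange of a connection session_id == H.
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
    H = hashlib.sha256(b"constructed exchange hash").digest()
    keys = derive_all("sha256", K, H, H, iv_len=12, key_len=32, mac_len=64)
    for letter, key in keys.items():
        print(letter, key.hex())
```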