diff --git a/openssh-7.7p1-fips-warning.patch b/openssh-7.7p1-fips-warning.patch
deleted file mode 100644
index 54720cf..0000000
--- a/openssh-7.7p1-fips-warning.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
---- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
-+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
-@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
- goto out;
-
- if (EVP_PKEY_keygen(ctx, &res) <= 0) {
-+ if (FIPS_mode())
-+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch
index 5b2aaef..213e332 100644
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@@ -81,7 +81,7 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
#include <openssl/crypto.h>
+#include <openssl/fips.h>
#include <openssl/dh.h>
- # ifdef HAVE_EVP_KDF_CTX_NEW_ID
+ # ifdef HAVE_EVP_KDF_CTX_NEW
# include <openssl/kdf.h>
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
diff --git a/openssh-8.0p1-openssl-kdf.patch b/openssh-8.0p1-openssl-kdf.patch
index 5d76a4f..e190472 100644
--- a/openssh-8.0p1-openssl-kdf.patch
+++ b/openssh-8.0p1-openssl-kdf.patch
@@ -12,7 +12,7 @@ index 2a455e4e..e01c3d43 100644
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
-+ EVP_KDF_CTX_new_id \
++ EVP_KDF_CTX_new \
])
# OpenSSL_add_all_algorithms may be a macro.
@@ -20,33 +20,35 @@ diff --git a/kex.c b/kex.c
index b6f041f4..1fbce2bb 100644
--- a/kex.c
+++ b/kex.c
-@@ -38,6 +38,9 @@
+@@ -38,6 +38,11 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
-+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
++# ifdef HAVE_EVP_KDF_CTX_NEW
+# include <openssl/kdf.h>
++# include <openssl/param_build.h>
++# include <openssl/core_names.h>
+# endif
#endif
#include "ssh.h"
-@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
+@@ -942,6 +945,112 @@ kex_choose_conf(struct ssh *ssh)
return r;
}
-+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
-+static const EVP_MD *
++#ifdef HAVE_EVP_KDF_CTX_NEW
++static const char *
+digest_to_md(int digest_type)
+{
+ switch (digest_type) {
+ case SSH_DIGEST_SHA1:
-+ return EVP_sha1();
++ return SN_sha1;
+ case SSH_DIGEST_SHA256:
-+ return EVP_sha256();
++ return SN_sha256;
+ case SSH_DIGEST_SHA384:
-+ return EVP_sha384();
++ return SN_sha384;
+ case SSH_DIGEST_SHA512:
-+ return EVP_sha512();
++ return SN_sha512;
+ }
+ return NULL;
+}
@@ -56,52 +58,67 @@ index b6f041f4..1fbce2bb 100644
+ const struct sshbuf *shared_secret, u_char **keyp)
+{
+ struct kex *kex = ssh->kex;
-+ EVP_KDF_CTX *ctx = NULL;
+ u_char *key = NULL;
+ int r, key_len;
+
-+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ key_len = ROUNDUP(need, key_len);
-+ if ((key = calloc(1, key_len)) == NULL) {
-+ r = SSH_ERR_ALLOC_FAIL;
++ EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", NULL);
++ EVP_KDF_CTX *ctx = NULL;
++ OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
++ OSSL_PARAM *params = NULL;
++ const char *md = digest_to_md(kex->hash_alg);
++ char keytype = (char)id;
++
++ if (!kdf) {
++ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
-+
-+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
++ ctx = EVP_KDF_CTX_new(kdf);
++ EVP_KDF_free(kdf);
+ if (!ctx) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
-+
-+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
-+ if (r != 1) {
-+ r = SSH_ERR_LIBCRYPTO_ERROR;
++ if (md == NULL) {
++ r = SSH_ERR_INVALID_ARGUMENT;
+ goto out;
+ }
-+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
-+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
-+ if (r != 1) {
-+ r = SSH_ERR_LIBCRYPTO_ERROR;
++
++ if (param_bld == NULL) {
++ EVP_KDF_CTX_free(ctx);
++ return -1;
++ }
++ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0) {
++ r = SSH_ERR_INVALID_ARGUMENT;
+ goto out;
+ }
-+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
-+ if (r != 1) {
-+ r = SSH_ERR_LIBCRYPTO_ERROR;
++
++ key_len = ROUNDUP(need, key_len);
++ if ((key = calloc(1, key_len)) == NULL) {
++ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
-+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
++
++ r = OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_DIGEST,
++ md, strlen(md)) && /* SN */
++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_KEY,
++ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret)) &&
++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_XCGHASH,
++ hash, hashlen) &&
++ OSSL_PARAM_BLD_push_octet_string(param_bld, OSSL_KDF_PARAM_SSHKDF_SESSION_ID,
++ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id)) &&
++ OSSL_PARAM_BLD_push_utf8_string(param_bld, OSSL_KDF_PARAM_SSHKDF_TYPE,
++ &keytype, 1);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
-+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
-+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
-+ if (r != 1) {
++
++ params = OSSL_PARAM_BLD_to_param(param_bld);
++ if (params == NULL) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
-+ r = EVP_KDF_derive(ctx, key, key_len);
++ r = EVP_KDF_derive(ctx, key, key_len, params);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
@@ -115,6 +132,8 @@ index b6f041f4..1fbce2bb 100644
+ r = 0;
+
+out:
++ OSSL_PARAM_BLD_free(param_bld);
++ OSSL_PARAM_free(params);
+ free (key);
+ EVP_KDF_CTX_free(ctx);
+ if (r < 0) {
@@ -130,7 +149,7 @@ index b6f041f4..1fbce2bb 100644
ssh_digest_free(hashctx);
return r;
}
-+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
++#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW */
#define NKEYS 6
int
diff --git a/openssh-8.7p1-CVE-2024-6387.patch b/openssh-8.7p1-CVE-2024-6387.patch
deleted file mode 100644
index e32f68f..0000000
--- a/openssh-8.7p1-CVE-2024-6387.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/log.c
-+++ b/log.c
-@@ -455,12 +455,14 @@ void
- sshsigdie(const char *file, const char *func, int line, int showfunc,
- LogLevel level, const char *suffix, const char *fmt, ...)
- {
-+#ifdef SYSLOG_R_SAFE_IN_SIGHAND
- va_list args;
-
- va_start(args, fmt);
- sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
- suffix, fmt, args);
- va_end(args);
-+#endif
- _exit(1);
- }
-
diff --git a/openssh-8.7p1-audit-hostname.patch b/openssh-8.7p1-audit-hostname.patch
new file mode 100644
index 0000000..e450c00
--- /dev/null
+++ b/openssh-8.7p1-audit-hostname.patch
@@ -0,0 +1,106 @@
+diff --color -ruNp a/audit-linux.c b/audit-linux.c
+--- a/audit-linux.c 2024-05-09 12:38:08.843017319 +0200
++++ b/audit-linux.c 2024-05-09 12:47:05.162267634 +0200
+@@ -52,7 +52,7 @@ extern u_int utmp_len;
+ const char *audit_username(void);
+
+ static void
+-linux_audit_user_logxxx(int uid, const char *username,
++linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
+ const char *ip, const char *ttyn, int success, int event)
+ {
+ int audit_fd, rc, saved_errno;
+@@ -66,7 +66,7 @@ linux_audit_user_logxxx(int uid, const c
+ }
+ rc = audit_log_acct_message(audit_fd, event,
+ NULL, "login", username ? username : "(unknown)",
+- username == NULL ? uid : -1, NULL, ip, ttyn, success);
++ username == NULL ? uid : -1, hostname, ip, ttyn, success);
+ saved_errno = errno;
+ close(audit_fd);
+
+@@ -181,9 +181,11 @@ audit_run_command(struct ssh *ssh, const
+ {
+ if (!user_login_count++)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_LOGIN);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_START);
+ return 0;
+@@ -193,10 +195,12 @@ void
+ audit_end_command(struct ssh *ssh, int handle, const char *command)
+ {
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+@@ -211,19 +215,27 @@ void
+ audit_session_open(struct logininfo *li)
+ {
+ if (!user_login_count++)
+- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++ linux_audit_user_logxxx(li->uid, NULL,
++ options.use_dns ? li->hostname : NULL,
++ options.use_dns ? NULL : li->hostname,
+ li->line, 1, AUDIT_USER_LOGIN);
+- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++ linux_audit_user_logxxx(li->uid, NULL,
++ options.use_dns ? li->hostname : NULL,
++ options.use_dns ? NULL : li->hostname,
+ li->line, 1, AUDIT_USER_START);
+ }
+
+ void
+ audit_session_close(struct logininfo *li)
+ {
+- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++ linux_audit_user_logxxx(li->uid, NULL,
++ options.use_dns ? li->hostname : NULL,
++ options.use_dns ? NULL : li->hostname,
+ li->line, 1, AUDIT_USER_END);
+ if (user_login_count && !--user_login_count)
+- linux_audit_user_logxxx(li->uid, NULL, li->hostname,
++ linux_audit_user_logxxx(li->uid, NULL,
++ options.use_dns ? li->hostname : NULL,
++ options.use_dns ? NULL : li->hostname,
+ li->line, 1, AUDIT_USER_LOGOUT);
+ }
+
+@@ -236,6 +248,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ linux_audit_user_auth(-1, audit_username(),
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
+ linux_audit_user_logxxx(-1, audit_username(),
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ break;
+ case SSH_AUTH_FAIL_PASSWD:
+@@ -254,9 +267,11 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ if (user_login_count) {
+ while (user_login_count--)
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_END);
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh),
+ "ssh", 1, AUDIT_USER_LOGOUT);
+ }
+@@ -265,6 +280,7 @@ audit_event(struct ssh *ssh, ssh_audit_e
+ case SSH_CONNECTION_ABANDON:
+ case SSH_INVALID_USER:
+ linux_audit_user_logxxx(-1, audit_username(),
++ options.use_dns ? remote_hostname(ssh) : NULL,
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
+ break;
+ default:
diff --git a/openssh-8.7p1-sigpipe.patch b/openssh-8.7p1-sigpipe.patch
new file mode 100644
index 0000000..be73b2c
--- /dev/null
+++ b/openssh-8.7p1-sigpipe.patch
@@ -0,0 +1,21 @@
+diff --git a/ssh.c b/ssh.c
+index 89ca1940..559bf2af 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1124,6 +1124,8 @@ main(int ac, char **av)
+ }
+ }
+
++ ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
++
+ /*
+ * Initialize "log" output. Since we are the client all output
+ * goes to stderr unless otherwise specified by -y or -E.
+@@ -1652,7 +1654,6 @@ main(int ac, char **av)
+ options.num_system_hostfiles);
+ tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles);
+
+- ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+ ssh_signal(SIGCHLD, main_sigchld_handler);
+
+ /* Log into the remote system. Never returns if the login fails. */
diff --git a/openssh-9.8p1-upstream-cve-2024-6387.patch b/openssh-9.8p1-upstream-cve-2024-6387.patch
new file mode 100644
index 0000000..fffd50a
--- /dev/null
+++ b/openssh-9.8p1-upstream-cve-2024-6387.patch
@@ -0,0 +1,30 @@
+diff -up openssh-8.7p1/log.c.xxx openssh-8.7p1/log.c
+--- openssh-8.7p1/log.c.xxx 2024-06-28 11:02:43.949912398 +0200
++++ openssh-8.7p1/log.c 2024-06-28 11:02:58.652297885 +0200
+@@ -455,12 +455,14 @@ void
+ sshsigdie(const char *file, const char *func, int line, int showfunc,
+ LogLevel level, const char *suffix, const char *fmt, ...)
+ {
++#if 0
+ va_list args;
+
+ va_start(args, fmt);
+ sshlogv(file, func, line, showfunc, SYSLOG_LEVEL_FATAL,
+ suffix, fmt, args);
+ va_end(args);
++#endif
+ _exit(1);
+ }
+
+diff -up openssh-8.7p1/sshd.c.xxx openssh-8.7p1/sshd.c
+--- openssh-8.7p1/sshd.c.xxx 2024-07-01 10:33:04.332907749 +0200
++++ openssh-8.7p1/sshd.c 2024-07-01 10:33:47.843998038 +0200
+@@ -384,7 +384,7 @@ grace_alarm_handler(int sig)
+
+ /* Log error and exit. */
+ if (use_privsep && pmonitor != NULL && pmonitor->m_pid <= 0)
+- cleanup_exit(255); /* don't log in privsep child */
++ _exit(255); /* don't log in privsep child */
+ else {
+ sigdie("Timeout before authentication for %s port %d",
+ ssh_remote_ipaddr(the_active_state),
diff --git a/openssh.spec b/openssh.spec
index 171e5d4..2c3dee8 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,8 +51,8 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
-%global openssh_rel 38
-%global hyperscale_rel 9
+%global openssh_rel 43
+%global hyperscale_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 5
@@ -79,8 +79,8 @@ Source15: sshd-keygen.target
Source16: ssh-agent.service
Source17: openssh-systemd-sysusers.conf
Source18: openssh-server-systemd-sysusers.conf
-%if 0%{?facebook} && 0%{?use_quilt}
Source19: series
+%if 0%{?facebook} && 0%{?use_quilt}
BuildRequires: quilt
%endif
@@ -93,6 +93,8 @@ Patch100: openssh-6.7p1-coverity.patch
Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch
+# Correctly audit hostname and IP address
+Patch202: openssh-8.7p1-audit-hostname.patch
# --- pam_ssh-agent ---
# make it build reusing the openssh sources
@@ -122,9 +124,7 @@ Patch502: openssh-6.6p1-keycat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-6.6p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893 (WONTFIX)
-%if ! 0%{?facebook}
Patch604: openssh-6.6p1-keyperm.patch
-%endif
#(drop?) https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
#?
@@ -299,14 +299,10 @@ Patch1017: openssh-9.4p2-limit-delay.patch
Patch1018: openssh-9.6p1-CVE-2023-48795.patch
#upstream commit 7ef3787c84b6b524501211b11a26c742f829af1a
Patch1019: openssh-9.6p1-CVE-2023-51385.patch
+#upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c
+Patch1020: openssh-8.7p1-sigpipe.patch
+Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch
-# temporary CVE-2024-6387 fix; drop when rebasing on patched c9s
-Patch1020: openssh-8.7p1-CVE-2024-6387.patch
-
-# c9s specific logic factored out of openssh-7.7p1-fips.patch
-Patch2000: openssh-7.7p1-fips-warning.patch
-
-%if 0%{?facebook} && !0%{?use_quilt}
# Add a unique log session identifier to output messages for
# each sshd process and its children.
Patch2010: fb87_log_session_id.patch
@@ -333,7 +329,6 @@ Patch2018: fb87_pass_principals_to_child.patch
# Log extra authentication information to the auth_info structured
# logging field, and add tests for pubkey and cert auth.
Patch2019: fb87_log_auth_info.patch
-%endif
License: BSD
Requires: /sbin/nologin
@@ -526,20 +521,14 @@ popd
%patch980 -p1 -b .sftpdirs
%patch981 -p1 -b .scp-sftpdirs
%patch982 -p1 -b .minrsabits
-%if 0%{?rhel} > 8
-# This patch results in build failures on el8
%patch983 -p1 -b .evpgenrsa
-%endif
%patch984 -p1 -b .ibmca
%patch986 -p1 -b .91cleanup
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
+%patch202 -p1 -b .audit-hostname
%patch700 -p1 -b .fips
-%if 0%{?rhel} > 8
-# This patch is based onto evpgenrsa and doesn't apply cleanly without it
-%patch2000 -p1 -b .fips-warning
-%endif
%patch1000 -p1 -b .minimize-sha1-use
%patch1001 -p1 -b .scp-clears-file
@@ -566,8 +555,8 @@ popd
%patch1017 -p1 -b .limitdelay
%patch1018 -p1 -b .cve-2023-48795
%patch1019 -p1 -b .cve-2023-51385
-
-%patch1020 -p1 -b .cve-2024-6387
+%patch1020 -p1 -b .earlypipe
+%patch1021 -p1 -b .cve-2024-6387
%if 0%{?facebook} && !0%{?use_quilt}
%patch2010 -p1 -b .log_session_id
@@ -873,6 +862,33 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
+* Tue Jul 09 2024 Michel Lind <salimma@centosproject.org> - 8.7p1-43.1 + 0.10.4-5.7
+- Merge new changes from upstream
+- Drop old EL8 workarounds
+- Make sure source RPM always contains all sources and patches
+
+* Tue Jul 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-43
+- Possible remote code execution due to a race condition (CVE-2024-6409)
+ Resolves: RHEL-45741
+
+* Thu Jul 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-42
+- Possible remote code execution due to a race condition (CVE-2024-6387)
+ Resolves: RHEL-45348
+
+* Mon Jun 03 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-41
+- Fix ssh multiplexing connect timeout processing
+ Resolves: RHEL-37748
+
+* Thu May 02 2024 Zoltan Fridrich <zfridric@redhat.com> - 8.7p1-40
+- Correctly audit hostname and IP address
+ Resolves: RHEL-22316
+- Make default key sizes configurable in sshd-keygen
+ Resolves: RHEL-26454
+
+* Wed Apr 24 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-39
+- Use FIPS-compatible API for key derivation
+ Resolves: RHEL-32809
+
* Tue Jul 02 2024 Michel Lind <salimma@centosproject.org> - 8.7p1-38.9 + 0.10.4-5.7
- Fix CVE-2024-6387 (regreSSHion)
- Refresh Facebook patches
diff --git a/sshd-keygen b/sshd-keygen
index 141814c..0fd2a53 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -9,8 +9,14 @@ case $KEYTYPE in
if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
exit 0
fi ;;
- "rsa") ;; # always ok
- "ecdsa") ;;
+ "rsa")
+ if [[ ! -z $SSH_RSA_BITS ]]; then
+ SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
+ fi ;; # always ok
+ "ecdsa")
+ if [[ ! -z $SSH_ECDSA_BITS ]]; then
+ SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
+ fi ;;
*) # wrong argument
exit 12 ;;
esac
@@ -25,7 +31,7 @@ fi
rm -f $KEY{,.pub}
# create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
exit 1
fi
diff --git a/sshd.sysconfig b/sshd.sysconfig
index a217ce7..ee44ae6 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -5,3 +5,6 @@
# example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation.
+
+#SSH_RSA_BITS=3072
+#SSH_ECDSA_BITS=256