
Commit c70ef27

committed
fips-baseline: re-add SSHKDF to default and FIPS providers
SSHKDF (RFC 4253) was stripped from both the default and FIPS providers by the fips-baseline patches, but the KDF is FIPS-compliant: it derives keys using FIPS-approved hash functions (SHA-2 family). Stock OpenSSL 3 ships it in both providers. wolfProvider implements it, and RHEL's openssh-kdf patch (Patch964) routes every SSH key exchange through EVP_KDF_fetch("SSHKDF") — so stripping it breaks RHEL-patched openssh entirely under the baseline. Re-add the entry across all 4 defltprov and 5 fipsprov variant files so callers using the fips-baseline build can fetch SSHKDF the same as they would from stock OpenSSL.
1 parent 029b06b commit c70ef27

9 files changed

Lines changed: 9 additions & 0 deletions


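--- a/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.0.0-3.1.x.c
@@ -141,6 +141,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
 { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
 { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 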
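Review bot: Nothing in this commit stops the next fips-baseline refresh from dropping the entry again, which is how the original regression stayed invisible until RHEL-patched openssh failed at key exchange. A fetch-level regression check in the baseline's build or test step would catch it immediately: `EVP_KDF *kdf = EVP_KDF_fetch(NULL, "SSHKDF", "provider=default");` followed by `assert(kdf != NULL); EVP_KDF_free(kdf);`, with the same probe against `"provider=fips"` for the FIPS builds. Position within the table does not matter for lookup, so appending after KBKDF is fine functionally. Whether the baseline already has a test harness to host this I cannot tell from this page; the `deflt_kdfs` array itself begins above the hunk.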

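--- a/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.2.0-3.3.x.c
@@ -141,6 +141,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
 { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
 { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 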

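--- a/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.4.0-3.4.x.c
@@ -134,6 +134,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
 { PROV_NAMES_PBKDF2, "provider=default", ossl_kdf_pbkdf2_functions },
 { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 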

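--- a/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c
+++ b/patches/openssl-fips-baseline/providers/defltprov/3.5.0+.c
@@ -164,6 +164,7 @@ static const OSSL_ALGORITHM deflt_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, "provider=default", ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, "provider=default", ossl_kdf_kbkdf_functions },
 { PROV_NAMES_KRB5KDF, "provider=default", ossl_kdf_krb5kdf_functions },
+{ PROV_NAMES_SSHKDF, "provider=default", ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 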

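--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.0.0-3.1.x.c
@@ -308,6 +308,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 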
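Review bot: Re-exposing SSHKDF through `fips_kdfs` is only half of what the FIPS provider needs; every algorithm the module advertises with `FIPS_DEFAULT_PROPERTIES` (i.e. `fips=yes`) is expected to have a power-up known-answer test, and stock OpenSSL carries one for SSHKDF in `providers/fips/self_test_data.inc`. If the fips-baseline patches removed that KAT together with this entry — plausible, since a surviving KAT whose `EVP_KDF_fetch` failed would have stopped the provider from loading at all rather than merely breaking openssh — it should be restored in the same change, otherwise the module offers an approved-mode algorithm with no self-test behind it. I cannot see the self-test data from this page, so treat this as a checklist item. A comment on the entry would also spare the next auditor the detour: `/* SP 800-135 Rev. 1 SSH KDF; KAT lives in self_test_data.inc */`. The `fips_kdfs` array begins above this hunk.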

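--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.2.0-3.3.x.c
@@ -308,6 +308,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 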

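--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.4.0-3.4.x.c
@@ -314,6 +314,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 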
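Review bot: From 3.4 onward the approved-mode restrictions that make SSHKDF acceptable inside the FIPS provider — the digest allow-list and the minimum key-size check, both gated by FIPS indicators configured via `fipsinstall` (`-sshkdf_digest_check`, `-sshkdf_key_check`) — are enforced in `providers/implementations/kdfs/sshkdf.c`, not by this table; the entry simply exposes whatever that file currently does. If the fips-baseline patch set also touched sshkdf.c when it removed the algorithm, those checks need to be confirmed intact before this lands, since a table entry marked `fips=yes` over a weakened implementation is worse than the missing entry it replaces. This page does not show sshkdf.c, so that is an inference to verify rather than a defect I can point at. A short comment would make the split of responsibility visible to future baseline maintainers: `/* approved-mode digest/key-size limits are enforced in kdfs/sshkdf.c */`. The `fips_kdfs` array begins above this hunk.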

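--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.0-3.5.1.c
@@ -343,6 +343,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 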

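--- a/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c
+++ b/patches/openssl-fips-baseline/providers/fips/fipsprov/3.5.2+.c
@@ -343,6 +343,7 @@ static const OSSL_ALGORITHM fips_kdfs[] = {
 { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES,
 ossl_kdf_tls1_prf_functions },
 { PROV_NAMES_KBKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_kbkdf_functions },
+{ PROV_NAMES_SSHKDF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_sshkdf_functions },
 { NULL, NULL, NULL }
 };
 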
