rpms/openssh/devel openssh-5.2p1-fips.patch, 1.4, 1.5 openssh.spec, 1.142, 1.143
Tomáš Mráz
tmraz at fedoraproject.org
Thu Apr 30 12:03:30 UTC 2009
- Previous message (by thread): rpms/hunspell-ur/devel .cvsignore, 1.1, 1.2 hunspell-ur.spec, 1.2, 1.3 sources, 1.1, 1.2 UrduDictionary.xpi, 1.1, NONE
- Next message (by thread): rpms/stunnel/devel stunnel-4.27-aliasing.patch, NONE, 1.1 stunnel.spec, 1.57, 1.58
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tmraz
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27070
Modified Files:
openssh-5.2p1-fips.patch openssh.spec
Log Message:
* Thu Apr 30 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-5
- do integrity verification only on binaries which are part
of the OpenSSH FIPS modules
openssh-5.2p1-fips.patch:
Index: openssh-5.2p1-fips.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-fips.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- openssh-5.2p1-fips.patch 20 Apr 2009 12:18:49 -0000 1.4
+++ openssh-5.2p1-fips.patch 30 Apr 2009 12:03:29 -0000 1.5
@@ -1,6 +1,6 @@
diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
---- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 23:23:42.000000000 +0200
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
@@ -20,7 +20,7 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fi
xfree(fp);
diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
-+++ openssh-5.2p1/cipher.c 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/cipher.c 2009-04-17 23:23:42.000000000 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
@@ -81,7 +81,7 @@ diff -up openssh-5.2p1/cipher.c.fips ope
return -1;
diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
--- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
-+++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:06.000000000 +0200
++++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:42.000000000 +0200
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@@ -94,7 +94,7 @@ diff -up openssh-5.2p1/cipher-ctr.c.fips
}
diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.2p1/mac.c 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/mac.c 2009-04-17 23:23:42.000000000 +0200
@@ -28,6 +28,7 @@
#include <sys/types.h>
@@ -145,8 +145,8 @@ diff -up openssh-5.2p1/mac.c.fips openss
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
---- openssh-5.2p1/Makefile.in.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/Makefile.in 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/Makefile.in.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/Makefile.in 2009-04-17 23:23:42.000000000 +0200
@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
@@ -185,7 +185,7 @@ diff -up openssh-5.2p1/Makefile.in.fips
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
-+++ openssh-5.2p1/myproposal.h 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/myproposal.h 2009-04-17 23:23:42.000000000 +0200
@@ -53,7 +53,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
@@ -201,8 +201,8 @@ diff -up openssh-5.2p1/myproposal.h.fips
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
---- openssh-5.2p1/nsskeys.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/nsskeys.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/nsskeys.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/nsskeys.c 2009-04-17 23:23:42.000000000 +0200
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
@@ -216,7 +216,7 @@ diff -up openssh-5.2p1/nsskeys.c.fips op
return 0;
diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 23:23:42.000000000 +0200
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@@ -259,18 +259,17 @@ diff -up openssh-5.2p1/openbsd-compat/bs
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
---- openssh-5.2p1/ssh-add.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/ssh-add.c 2009-04-17 14:52:11.000000000 +0200
-@@ -42,6 +42,8 @@
+--- openssh-5.2p1/ssh-add.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/ssh-add.c 2009-04-30 13:56:56.000000000 +0200
+@@ -42,6 +42,7 @@
#include <sys/param.h>
#include <openssl/evp.h>
+#include <openssl/fips.h>
-+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_LIBNSS
-@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection
+@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@@ -279,40 +278,18 @@ diff -up openssh-5.2p1/ssh-add.c.fips op
SSH_FP_HEX);
printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key));
-@@ -463,10 +465,19 @@ main(int argc, char **argv)
- sanitise_stdfd();
-
- __progname = ssh_get_progname(argv[0]);
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-+
- init_rng();
- seed_rng();
-
-- SSLeay_add_all_algorithms();
-+ if (FIPS_mode()) {
-+ logit("FIPS mode initialized");
-+ }
-
- /* At first, get a connection to the authentication agent. */
- ac = ssh_get_authentication_connection();
diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
---- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/ssh-agent.c 2009-04-17 14:52:11.000000000 +0200
-@@ -51,6 +51,8 @@
+--- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/ssh-agent.c 2009-04-30 13:57:34.000000000 +0200
+@@ -51,6 +51,7 @@
#include <openssl/evp.h>
#include <openssl/md5.h>
+#include <openssl/fips.h>
-+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
-@@ -200,9 +202,9 @@ confirm_key(Identity *id)
+@@ -200,9 +201,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
@@ -325,32 +302,9 @@ diff -up openssh-5.2p1/ssh-agent.c.fips
ret = 0;
xfree(p);
-@@ -1196,6 +1198,11 @@ main(int ac, char **av)
- #endif
-
- SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-
- __progname = ssh_get_progname(av[0]);
- init_rng();
-@@ -1356,6 +1363,10 @@ main(int ac, char **av)
- /* child */
- log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0);
-
-+ if (FIPS_mode()) {
-+ logit("FIPS mode initialized");
-+ }
-+
- if (setsid() == -1) {
- error("setsid: %s", strerror(errno));
- cleanup_exit(1);
diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/ssh.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/ssh.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/ssh.c 2009-04-17 23:23:42.000000000 +0200
@@ -71,6 +71,8 @@
#include <openssl/evp.h>
@@ -391,8 +345,8 @@ diff -up openssh-5.2p1/ssh.c.fips openss
options.user = xstrdup(pw->pw_name);
diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
---- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/sshconnect2.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/sshconnect2.c 2009-04-17 23:23:42.000000000 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@@ -437,8 +391,8 @@ diff -up openssh-5.2p1/sshconnect2.c.fip
/*
diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
---- openssh-5.2p1/sshconnect.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/sshconnect.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/sshconnect.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/sshconnect.c 2009-04-17 23:23:42.000000000 +0200
@@ -40,6 +40,8 @@
#include <unistd.h>
#include <fcntl.h>
@@ -526,8 +480,8 @@ diff -up openssh-5.2p1/sshconnect.c.fips
xfree(fp);
diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
---- openssh-5.2p1/sshd.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/sshd.c 2009-04-17 14:52:11.000000000 +0200
+--- openssh-5.2p1/sshd.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/sshd.c 2009-04-17 23:23:42.000000000 +0200
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -591,18 +545,17 @@ diff -up openssh-5.2p1/sshd.c.fips opens
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
---- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 14:52:11.000000000 +0200
-+++ openssh-5.2p1/ssh-keygen.c 2009-04-17 14:52:11.000000000 +0200
-@@ -21,6 +21,8 @@
+--- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 23:23:42.000000000 +0200
++++ openssh-5.2p1/ssh-keygen.c 2009-04-30 13:58:02.000000000 +0200
+@@ -21,6 +21,7 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
-+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
-@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw)
+@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype;
struct stat st;
@@ -611,29 +564,7 @@ diff -up openssh-5.2p1/ssh-keygen.c.fips
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
-@@ -1125,11 +1127,21 @@ main(int argc, char **argv)
- __progname = ssh_get_progname(argv[0]);
-
- SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-+
- log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
-
- init_rng();
- seed_rng();
-
-+ if (FIPS_mode()) {
-+ logit("FIPS mode initialized");
-+ }
-+
- /* we need this for the home * directory. */
- pw = getpwuid(getuid());
- if (!pw) {
-@@ -1506,14 +1518,15 @@ passphrase_again:
+@@ -1506,14 +1507,15 @@ passphrase_again:
fclose(f);
if (!quiet) {
@@ -653,83 +584,3 @@ diff -up openssh-5.2p1/ssh-keygen.c.fips
printf("%s\n", ra);
xfree(ra);
xfree(fp);
-diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
---- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100
-+++ openssh-5.2p1/ssh-keyscan.c 2009-04-17 14:52:11.000000000 +0200
-@@ -19,6 +19,8 @@
- #include <arpa/inet.h>
-
- #include <openssl/bn.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
-
- #include <netdb.h>
- #include <errno.h>
-@@ -731,6 +733,13 @@ main(int argc, char **argv)
- extern char *optarg;
-
- __progname = ssh_get_progname(argv[0]);
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-+
- init_rng();
- seed_rng();
- TAILQ_INIT(&tq);
-@@ -812,6 +821,10 @@ main(int argc, char **argv)
-
- log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);
-
-+ if (FIPS_mode()) {
-+ logit("FIPS mode initialized");
-+ }
-+
- maxfd = fdlim_get(1);
- if (maxfd < 0)
- fatal("%s: fdlim_get: bad value", __progname);
-diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
---- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-5.2p1/ssh-keysign.c 2009-04-17 14:52:11.000000000 +0200
-@@ -38,6 +38,8 @@
- #include <openssl/evp.h>
- #include <openssl/rand.h>
- #include <openssl/rsa.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
-
- #include "xmalloc.h"
- #include "log.h"
-@@ -175,6 +177,11 @@ main(int argc, char **argv)
-
- permanently_set_uid(pw);
-
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fatal("FIPS integrity verification test failed");
-+ }
-+
- init_rng();
- seed_rng();
- arc4random_stir();
-@@ -183,6 +190,10 @@ main(int argc, char **argv)
- log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
- #endif
-
-+ if (FIPS_mode()) {
-+ logit("FIPS mode initialized");
-+ }
-+
- /* verify that ssh-keysign is enabled by the admin */
- initialize_options(&options);
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
-@@ -194,7 +205,6 @@ main(int argc, char **argv)
- if (key_fd[0] == -1 && key_fd[1] == -1)
- fatal("could not open any host key");
-
-- SSLeay_add_all_algorithms();
- for (i = 0; i < 256; i++)
- rnd[i] = arc4random();
- RAND_seed(rnd, sizeof(rnd));
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.142
retrieving revision 1.143
diff -u -p -r1.142 -r1.143
--- openssh.spec 20 Apr 2009 12:18:49 -0000 1.142
+++ openssh.spec 30 Apr 2009 12:03:29 -0000 1.143
@@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
-Release: 4%{?dist}%{?rescue_rel}
+Release: 5%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -329,12 +329,7 @@ popd
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
- fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-keygen \
- fipshmac $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-keysign \
fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh \
- fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-agent \
- fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-add \
- fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan \
fipshmac $RPM_BUILD_ROOT%{_sbindir}/sshd \
%{nil}
@@ -410,11 +405,9 @@ fi
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
-%attr(0644,root,root) %{_bindir}/.ssh-keygen.hmac
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4755,root,root) %{_libexecdir}/openssh/ssh-keysign
-%attr(0644,root,root) %{_libexecdir}/openssh/.ssh-keysign.hmac
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%endif
%if %{scard}
@@ -435,11 +428,8 @@ fi
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
-%attr(0644,root,nobody) %{_bindir}/.ssh-agent.hmac
%attr(0755,root,root) %{_bindir}/ssh-add
-%attr(0644,root,root) %{_bindir}/.ssh-add.hmac
%attr(0755,root,root) %{_bindir}/ssh-keyscan
-%attr(0644,root,root) %{_bindir}/.ssh-keyscan.hmac
%attr(0755,root,root) %{_bindir}/sftp
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
@@ -474,6 +464,10 @@ fi
%endif
%changelog
+* Thu Apr 30 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-5
+- do integrity verification only on binaries which are part
+ of the OpenSSH FIPS modules
+
* Mon Apr 20 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-4
- log if FIPS mode is initialized
- make aes-ctr cipher modes work in the FIPS mode
- Previous message (by thread): rpms/hunspell-ur/devel .cvsignore, 1.1, 1.2 hunspell-ur.spec, 1.2, 1.3 sources, 1.1, 1.2 UrduDictionary.xpi, 1.1, NONE
- Next message (by thread): rpms/stunnel/devel stunnel-4.27-aliasing.patch, NONE, 1.1 stunnel.spec, 1.57, 1.58
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list