rpms/openssh
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- add AES-CTR ciphers to the FIPS mode proposal

Browse Source
This commit is contained in:
Tomáš Mráz 2009-03-13 10:32:52 +00:00
parent adad2a814e
commit 0f07b4ad95
2 changed files with 56 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
openssh-5.2p1-fips.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
--- openssh-5.2p1/ssh-agent.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/ssh-agent.c 2009-02-12 13:46:18.000000000 +0100
--- openssh-5.2p1/ssh-agent.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/ssh-agent.c 2009-03-13 11:23:15.000000000 +0100
@@ -51,6 +51,8 @@
#include <openssl/evp.h>
@ -36,8 +36,8 @@ diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
__progname = ssh_get_progname(av[0]);
init_rng();
diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
--- openssh-5.2p1/auth2-pubkey.c.fips 2009-02-11 19:01:25.000000000 +0100
+++ openssh-5.2p1/auth2-pubkey.c 2009-02-11 19:01:26.000000000 +0100
--- openssh-5.2p1/auth2-pubkey.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/auth2-pubkey.c 2009-03-13 11:23:15.000000000 +0100
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
@ -56,8 +56,8 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
key_type(found), fp);
xfree(fp);
diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
--- openssh-5.2p1/ssh.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/ssh.c 2009-02-12 13:48:43.000000000 +0100
--- openssh-5.2p1/ssh.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/ssh.c 2009-03-13 11:23:15.000000000 +0100
@@ -71,6 +71,8 @@
#include <openssl/evp.h>
@ -78,7 +78,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
init_rng();
/*
@@ -562,7 +568,6 @@ main(int ac, char **av)
@@ -550,7 +556,6 @@ main(int ac, char **av)
if (!host)
usage();
@ -87,9 +87,9 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
/* Initialize the command to execute on remote host. */
diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
--- openssh-5.2p1/sshconnect2.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/sshconnect2.c 2009-02-11 19:01:26.000000000 +0100
@@ -43,6 +43,8 @@
--- openssh-5.2p1/sshconnect2.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/sshconnect2.c 2009-03-13 11:23:15.000000000 +0100
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@ -98,7 +98,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -113,6 +115,10 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -109,7 +109,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -128,7 +134,11 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -121,7 +121,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
@@ -478,8 +488,8 @@ input_userauth_pk_ok(int type, u_int32_t
@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
@ -133,8 +133,8 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
/*
diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
--- openssh-5.2p1/Makefile.in.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/Makefile.in 2009-02-12 14:06:25.000000000 +0100
--- openssh-5.2p1/Makefile.in.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/Makefile.in 2009-03-13 11:23:15.000000000 +0100
@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
@ -172,8 +172,8 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
--- openssh-5.2p1/sshd.c.fips 2009-02-11 19:01:25.000000000 +0100
+++ openssh-5.2p1/sshd.c 2009-02-12 13:51:51.000000000 +0100
--- openssh-5.2p1/sshd.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/sshd.c 2009-03-13 11:23:15.000000000 +0100
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -183,7 +183,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
@@ -1261,6 +1263,12 @@ main(int ac, char **av)
@@ -1260,6 +1262,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
@ -196,7 +196,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1413,8 +1421,6 @@ main(int ac, char **av)
@@ -1412,8 +1420,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -205,7 +205,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
@@ -2183,6 +2189,9 @@ do_ssh2_kex(void)
@@ -2182,6 +2188,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -215,7 +215,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2192,6 +2201,9 @@ do_ssh2_kex(void)
@@ -2191,6 +2200,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -227,7 +227,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.2p1/mac.c 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/mac.c 2009-03-13 11:23:15.000000000 +0100
@@ -28,6 +28,7 @@
#include <sys/types.h>
@ -278,8 +278,8 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
--- openssh-5.2p1/ssh-keygen.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/ssh-keygen.c 2009-02-12 13:46:00.000000000 +0100
--- openssh-5.2p1/ssh-keygen.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/ssh-keygen.c 2009-03-13 11:23:15.000000000 +0100
@@ -21,6 +21,8 @@
#include <openssl/evp.h>
@ -332,8 +332,8 @@ diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
xfree(ra);
xfree(fp);
diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
--- openssh-5.2p1/nsskeys.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/nsskeys.c 2009-02-11 19:01:26.000000000 +0100
--- openssh-5.2p1/nsskeys.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/nsskeys.c 2009-03-13 11:23:15.000000000 +0100
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
@ -346,8 +346,8 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
return 0;
diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
--- openssh-5.2p1/ssh-add.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/ssh-add.c 2009-02-12 13:46:31.000000000 +0100
--- openssh-5.2p1/ssh-add.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/ssh-add.c 2009-03-13 11:23:15.000000000 +0100
@@ -42,6 +42,8 @@
#include <sys/param.h>
@ -387,7 +387,7 @@ diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
if (ac == NULL) {
diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-03-13 11:23:15.000000000 +0100
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@ -430,14 +430,15 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
--- openssh-5.2p1/myproposal.h.fips 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.2p1/myproposal.h 2009-02-11 19:01:26.000000000 +0100
@@ -52,7 +52,11 @@
--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
+++ openssh-5.2p1/myproposal.h 2009-03-13 11:27:49.000000000 +0100
@@ -53,7 +53,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
-
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+#define KEX_FIPS_MAC \
@ -447,7 +448,7 @@ diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
KEX_DEFAULT_KEX,
diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
--- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200
+++ openssh-5.2p1/ssh-keysign.c 2009-02-12 13:44:41.000000000 +0100
+++ openssh-5.2p1/ssh-keysign.c 2009-03-13 11:23:15.000000000 +0100
@@ -38,6 +38,8 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
@ -478,8 +479,8 @@ diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
--- openssh-5.2p1/cipher.c.fips 2008-07-23 14:03:19.000000000 +0200
+++ openssh-5.2p1/cipher.c 2009-02-11 19:01:26.000000000 +0100
--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
+++ openssh-5.2p1/cipher.c 2009-03-13 11:23:15.000000000 +0100
@@ -40,6 +40,7 @@
#include <sys/types.h>
@ -488,7 +489,7 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
#include <string.h>
#include <stdarg.h>
@@ -91,6 +92,22 @@ struct Cipher {
@@ -93,6 +94,22 @@ struct Cipher {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
};
@ -511,7 +512,7 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
/*--*/
u_int
@@ -133,7 +150,7 @@ Cipher *
@@ -135,7 +152,7 @@ Cipher *
cipher_by_name(const char *name)
{
Cipher *c;
@ -520,7 +521,7 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
@@ -143,7 +160,7 @@ Cipher *
@@ -145,7 +162,7 @@ Cipher *
cipher_by_number(int id)
{
Cipher *c;
@ -529,7 +530,7 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
if (c->number == id)
return c;
return NULL;
@@ -187,7 +204,7 @@ cipher_number(const char *name)
@@ -189,7 +206,7 @@ cipher_number(const char *name)
Cipher *c;
if (name == NULL)
return -1;
@ -539,8 +540,8 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
return c->number;
return -1;
diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
--- openssh-5.2p1/ssh-keyscan.c.fips 2008-07-04 15:10:49.000000000 +0200
+++ openssh-5.2p1/ssh-keyscan.c 2009-02-12 13:44:21.000000000 +0100
--- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/ssh-keyscan.c 2009-03-13 11:23:15.000000000 +0100
@@ -19,6 +19,8 @@
#include <arpa/inet.h>
@ -550,7 +551,7 @@ diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
#include <netdb.h>
#include <errno.h>
@@ -730,6 +732,13 @@ main(int argc, char **argv)
@@ -731,6 +733,13 @@ main(int argc, char **argv)
extern char *optarg;
__progname = ssh_get_progname(argv[0]);
@ -565,8 +566,8 @@ diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
seed_rng();
TAILQ_INIT(&tq);
diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
--- openssh-5.2p1/sshconnect.c.fips 2009-02-11 19:01:26.000000000 +0100
+++ openssh-5.2p1/sshconnect.c 2009-02-11 19:01:26.000000000 +0100
--- openssh-5.2p1/sshconnect.c.fips 2009-03-13 11:23:15.000000000 +0100
+++ openssh-5.2p1/sshconnect.c 2009-03-13 11:23:15.000000000 +0100
@@ -40,6 +40,8 @@
#include <unistd.h>
#include <fcntl.h>
@ -576,7 +577,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
#include "xmalloc.h"
#include "key.h"
#include "hostfile.h"
@@ -765,6 +767,7 @@ check_host_key(char *hostname, struct so
@@ -761,6 +763,7 @@ check_host_key(char *hostname, struct so
goto fail;
} else if (options.strict_host_key_checking == 2) {
char msg1[1024], msg2[1024];
@ -584,7 +585,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
@@ -773,8 +776,8 @@ check_host_key(char *hostname, struct so
@@ -769,8 +772,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@ -595,7 +596,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
@@ -790,10 +793,10 @@ check_host_key(char *hostname, struct so
@@ -786,10 +789,10 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
@ -608,7 +609,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1081,17 +1084,18 @@ show_key_from_file(const char *file, con
@@ -1077,17 +1080,18 @@ show_key_from_file(const char *file, con
Key *found;
char *fp, *ra;
int line, ret;
@ -631,7 +632,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
xfree(ra);
xfree(fp);
}
@@ -1137,8 +1141,9 @@ warn_changed_key(Key *host_key)
@@ -1133,8 +1137,9 @@ warn_changed_key(Key *host_key)
{
char *fp;
const char *type = key_type(host_key);
@ -642,7 +643,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1146,8 +1151,8 @@ warn_changed_key(Key *host_key)
@@ -1142,8 +1147,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type);

7
openssh.spec
View File

@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
Release: 1%{?dist}%{?rescue_rel}
Release: 2%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -472,7 +472,10 @@ fi
%endif
%changelog
* Thu Mar 9 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-1
* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> - 5.2p1-2
- add AES-CTR ciphers to the FIPS mode proposal
* Mon Mar 9 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-1
- upgrade to new upstream release
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 5.1p1-8