use hmac_suffix for ssh{,d} hmac checksums
This commit is contained in:
Petr Lautrbach
parent
9acec07a0f
commit
c6724c72f4
|
|
@ -375,12 +375,13 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -253,6 +255,10 @@ main(int ac, char **av)
|
||||
@@ -253,6 +255,11 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
||||
+
|
||||
+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ }
|
||||
|
||||
|
|
@ -475,12 +476,13 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1423,6 +1425,11 @@ main(int ac, char **av)
|
||||
@@ -1423,6 +1425,12 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
||||
+
|
||||
+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ }
|
||||
+
|
||||
|
|
@ -538,3 +540,19 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
|
||||
--- openssh-6.2p2/configure.ac.fips 2013-09-10 17:54:55.092279052 +0200
|
||||
+++ openssh-6.2p2/configure.ac 2013-09-10 17:55:18.021172145 +0200
|
||||
@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
|
||||
]
|
||||
)
|
||||
|
||||
+AC_ARG_ENABLE(hmac-suffix,
|
||||
+ [ --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
|
||||
+ [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
|
||||
+ [AC_DEFINE(HMAC_SUFFIX, NULL)]
|
||||
+)
|
||||
+
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
dnl need for command-line parameters
|
||||
|
|
|
|||
21
openssh.spec
21
openssh.spec
|
|
@ -68,6 +68,8 @@
|
|||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 5
|
||||
|
||||
%define hmac_suffix .%{openssh_ver}-%{openssh_rel}.hmac
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: %{openssh_ver}
|
||||
|
|
@ -212,7 +214,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
|
|||
BuildRequires: util-linux, groff
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: tcp_wrappers-devel
|
||||
BuildRequires: fipscheck-devel >= 1.3.0
|
||||
BuildRequires: fipscheck-devel >= 1.4.1
|
||||
BuildRequires: openssl-devel >= 0.9.8j
|
||||
BuildRequires: perl-podlators
|
||||
|
||||
|
|
@ -242,7 +244,7 @@ Requires: openssh = %{version}-%{release}
|
|||
Summary: The FIPS module package for SSH client
|
||||
Group: Applications/Internet
|
||||
Requires: openssh-clients = %{version}-%{release}
|
||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||
Requires: fipscheck-lib%{_isa} >= 1.4.1
|
||||
Requires: openssl-fips
|
||||
|
||||
%package server
|
||||
|
|
@ -516,10 +518,11 @@ fi
|
|||
--without-kerberos5 \
|
||||
%endif
|
||||
%if %{libedit}
|
||||
--with-libedit
|
||||
--with-libedit \
|
||||
%else
|
||||
--without-libedit
|
||||
--without-libedit \
|
||||
%endif
|
||||
--enable-hmac-suffix=%{hmac_suffix}
|
||||
|
||||
%if %{static_libcrypto}
|
||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||
|
|
@ -561,6 +564,8 @@ popd
|
|||
%{__arch_install_post} \
|
||||
%{__os_install_post} \
|
||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
||||
mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh%{hmac_suffix} \
|
||||
mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd%{hmac_suffix}
|
||||
%{nil}
|
||||
|
||||
%check
|
||||
|
|
@ -636,13 +641,13 @@ getent passwd sshd >/dev/null || \
|
|||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
||||
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
||||
|
||||
%post clients-fips
|
||||
%pre clients-fips
|
||||
prelink -u %{_bindir}/ssh 2>/dev/null || :
|
||||
|
||||
%post server
|
||||
%systemd_post sshd.service sshd.socket
|
||||
|
||||
%post server-fips
|
||||
%pre server-fips
|
||||
prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
||||
|
||||
%preun server
|
||||
|
|
@ -704,7 +709,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
|||
|
||||
%files clients-fips
|
||||
%defattr(-,root,root)
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh%{hmac_suffix}
|
||||
# We don't want to depend on prelink for this directory
|
||||
%dir %{_sysconfdir}/prelink.conf.d
|
||||
%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
|
||||
|
|
@ -730,7 +735,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
|||
|
||||
%files server-fips
|
||||
%defattr(-,root,root)
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd%{hmac_suffix}
|
||||
# We don't want to depend on prelink for this directory
|
||||
%dir %{_sysconfdir}/prelink.conf.d
|
||||
%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
|
||||
|
|
|
|||
Loading…
Reference in New Issue