From c6724c72f437fef9e2baf55f91b98ec49e6d88e4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 11 Sep 2013 16:05:58 +0200
Subject: [PATCH] use hmac_suffix for ssh{,d} hmac checksums

---
 openssh-6.2p1-fips.patch | 26 ++++++++++++++++++++++----
 openssh.spec | 21 +++++++++++++--------
 2 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/openssh-6.2p1-fips.patch b/openssh-6.2p1-fips.patch
index 6cbc983..c2b2e75 100644
--- a/openssh-6.2p1-fips.patch
+++ b/openssh-6.2p1-fips.patch
@@ -375,12 +375,13 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
-@@ -253,6 +255,10 @@ main(int ac, char **av)
+@@ -253,6 +255,11 @@ main(int ac, char **av)
 sanitise_stdfd();
 __progname = ssh_get_progname(av[0]);
 + SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++
++ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
 + fatal("FIPS integrity verification test failed.");
 + }
@@ -475,12 +476,13 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #ifdef HAVE_SECUREWARE
-@@ -1423,6 +1425,11 @@ main(int ac, char **av)
+@@ -1423,6 +1425,12 @@ main(int ac, char **av)
 #endif
 __progname = ssh_get_progname(av[0]);
 + SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++
++ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
 + fatal("FIPS integrity verification test failed.");
 + }
 +
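Review bot: The new `if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0))` line drops the `FIPS_mode() &&` guard that the removed line had, so whether ssh still starts on a non-FIPS host that lacks the clients-fips subpackage (the only place the %files hunks install the .hmac file) now rests entirely on what fipscheck does with the trailing `0` and on whether `FIPSCHECK_verify_ex` consults FIPS mode itself; nothing in the hunk records that contract, and `HMAC_SUFFIX` may also be `NULL` per the configure.ac default added later in this patch. I would add a comment above the call, e.g. `/* fipscheck >= 1.4.1: verify_ex is expected to succeed outside FIPS mode and, with the last argument 0, when the .hmac file is absent -- confirm against the library before relying on it */`. The same applies to the sshd.c hunk (@@ -1423) below it. Both `main()` bodies continue outside the hunk.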
@@ -538,3 +540,19 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
 }
 if (options.compression == COMP_NONE) {
 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
+--- openssh-6.2p2/configure.ac.fips 2013-09-10 17:54:55.092279052 +0200
++++ openssh-6.2p2/configure.ac 2013-09-10 17:55:18.021172145 +0200
+@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
+ ]
+ )
+
++AC_ARG_ENABLE(hmac-suffix,
++ [ --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
++ [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
++ [AC_DEFINE(HMAC_SUFFIX, NULL)]
++)
++
+ dnl lastlog, [uw]tmpx? detection
+ dnl NOTE: set the paths in the platform section to avoid the
+ dnl need for command-line parameters
diff --git a/openssh.spec b/openssh.spec
index 81d4fe2..75ec40e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -68,6 +68,8 @@
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 5
+%define hmac_suffix .%{openssh_ver}-%{openssh_rel}.hmac
+
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
@@ -212,7 +214,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
 BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.3.0
+BuildRequires: fipscheck-devel >= 1.4.1
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
@@ -242,7 +244,7 @@ Requires: openssh = %{version}-%{release}
 Summary: The FIPS module package for SSH client
 Group: Applications/Internet
 Requires: openssh-clients = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+Requires: fipscheck-lib%{_isa} >= 1.4.1
 Requires: openssl-fips
 %package server
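Review bot: The added `AC_ARG_ENABLE(hmac-suffix, ...)` passes `$enableval` straight into `AC_DEFINE_UNQUOTED`, so a bare `--enable-hmac-suffix` or a `--disable-hmac-suffix` defines `HMAC_SUFFIX` as the literal string "yes" or "no" instead of a suffix or `NULL`; in FIPS mode the integrity check would then look for an hmac file that is never installed. Treat those two values like the not-given case, as below. The nested `diff -up` header also targets `openssh-6.2p2/configure.ac` while the rest of this fips patch uses `openssh-6.2p1/` paths — harmless at `-p1`, but inconsistent.
```m4
AC_ARG_ENABLE(hmac-suffix,
	[  --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
	[if test "x$enableval" != xyes && test "x$enableval" != xno; then
		AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])
	else
		AC_DEFINE(HMAC_SUFFIX, NULL)
	fi],
	[AC_DEFINE(HMAC_SUFFIX, NULL)]
)
```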
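Review bot: The `>= 1.4.1` bump on `Requires: fipscheck-lib%{_isa}` lands only in the clients-fips subpackage, yet the binary that now calls `FIPSCHECK_verify_ex` is `%{_bindir}/ssh` from openssh-clients (and `sshd` from openssh-server), and the matching BuildRequires bump suggests the `_ex` entry point is new in 1.4.1. If those main packages carry only rpm's automatic libfipscheck soname dependency, an older fipscheck-lib with the same soname would satisfy it and ssh would fail at load time with an unresolved symbol; whether they have an explicit versioned Requires is outside this hunk. Consider adding `Requires: fipscheck-lib%{_isa} >= 1.4.1` to openssh-clients and openssh-server as well.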
@@ -516,10 +518,11 @@ fi
 --without-kerberos5 \
 %endif
 %if %{libedit}
- --with-libedit
+ --with-libedit \
 %else
- --without-libedit
+ --without-libedit \
 %endif
+ --enable-hmac-suffix=%{hmac_suffix}
 %if %{static_libcrypto}
 perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
@@ -561,6 +564,8 @@ popd
 %{__arch_install_post} \
 %{__os_install_post} \
 fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
+ mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh%{hmac_suffix} \
+ mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd%{hmac_suffix}
 %{nil}
 %check
@@ -636,13 +641,13 @@ getent passwd sshd >/dev/null || \
 useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
 -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
-%post clients-fips
+%pre clients-fips
 prelink -u %{_bindir}/ssh 2>/dev/null || :
 %post server
 %systemd_post sshd.service sshd.socket
-%post server-fips
+%pre server-fips
 prelink -u %{_sbindir}/sshd 2>/dev/null || :
 %preun server
@@ -704,7 +709,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
 %files clients-fips
 %defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
+%attr(0644,root,root) %{_libdir}/fipscheck/ssh%{hmac_suffix}
 # We don't want to depend on prelink for this directory
 %dir %{_sysconfdir}/prelink.conf.d
 %{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
@@ -730,7 +735,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
 %files server-fips
 %defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
+%attr(0644,root,root) %{_libdir}/fipscheck/sshd%{hmac_suffix}
 # We don't want to depend on prelink for this directory
 %dir %{_sysconfdir}/prelink.conf.d
 %{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
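Review bot: Moving `prelink -u %{_bindir}/ssh` and `prelink -u %{_sbindir}/sshd` from `%post` to `%pre clients-fips` / `%pre server-fips` (the @@ -636 hunk) makes them run before anything in the transaction guarantees that openssh-clients or openssh-server is already installed: the plain `Requires: openssh-clients = %{version}-%{release}` visible in the @@ -242 hunk orders package installation but not scriptlet execution, and the trailing `|| :` would hide a missing binary silently. If the intent is to un-prelink the exact binary whose hmac is later verified, declare the ordering explicitly, e.g. `Requires(pre): openssh-clients = %{version}-%{release}` for clients-fips and the server equivalent for server-fips. Whether such `Requires(pre)` lines already exist elsewhere in the spec is outside this hunk.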