Accepting request 224302 from home:pcerny:factory

- re-enabling FIPS-enablement patch - enable X11 forwarding when IPv6 is present but disabled on server (bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch) OBS-URL: https://build.opensuse.org/request/show/224302 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=70
2014-03-01 00:05:55 +00:00 · 2014-03-01 00:05:55 +00:00 · 25f021b853
commit 25f021b853
parent 5f397d839b
5 changed files with 189 additions and 288 deletions
--- a/openssh-6.5p1-X_forward_with_disabled_ipv6.patch
+++ b/openssh-6.5p1-X_forward_with_disabled_ipv6.patch
@ -0,0 +1,34 @@
 # HG changeset patch
 # Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b
 Do not throw away already open sockets for X11 forwarding if another socket
 family is not available for bind()
 diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c
 --- a/openssh-6.5p1/channels.c
 +++ b/openssh-6.5p1/channels.c
@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_
 			}
 			if (ai->ai_family == AF_INET6)
 				sock_set_v6only(sock);
 			if (x11_use_localhost)
 				channel_set_reuseaddr(sock);
 			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 				debug2("bind port %d: %.100s", port, strerror(errno));
 				close(sock);
 -
 +				continue;
 +				/* do not remove successfully opened sockets
 				for (n = 0; n < num_socks; n++) {
 					close(socks[n]);
 				}
 				num_socks = 0;
 				break;
 +				*/
 			}
 			socks[num_socks++] = sock;
 			if (num_socks == NUM_SOCKS)
 				break;
 		}
 		freeaddrinfo(aitop);
 		if (num_socks > 0)
 			break;
--- a/openssh-6.5p1-audit6-server_key_destruction.patch
+++ b/openssh-6.5p1-audit6-server_key_destruction.patch
@ -164,7 +164,7 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
 diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 --- a/openssh-6.5p1/key.c
 +++ b/openssh-6.5p1/key.c
-@@ -1959,16 +1959,41 @@ key_demote(const Key *k)
+@@ -1959,16 +1959,43 @@ key_demote(const Key *k)
 		fatal("key_demote: bad key type %d", k->type);
 		break;
 	}
@ -190,9 +190,11 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 +	case KEY_ECDSA:
 +		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
 +#endif
 +	case KEY_ED25519_CERT:
 +	case KEY_ED25519:
 +		return k->ed25519_sk != NULL;
 +	default:
-+		/* fatal("key_is_private: bad key type %d", k->type); */
+		fatal("key_is_private: bad key type %d", k->type);
 +		debug2("key_is_private: bad key type %d", k->type);
 +		return 1;
 +	}
 +}
--- a/openssh-6.5p1-fips.patch
+++ b/openssh-6.5p1-fips.patch
@ -2,22 +2,23 @@
 # when OpenSSL is detected to be running in FIPS mode
 #
 # HG changeset patch
-# Parent 6536ed881743cbf05afe962021b985f9b1eab495
+# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8
 diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
 --- a/openssh-6.5p1/Makefile.in
 +++ b/openssh-6.5p1/Makefile.in
-@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
+@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+ 	jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
-+	jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o fips.o
+ 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
 	ssh-ed25519.o digest.o \
 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 -	auditstub.o
 +	auditstub.o \
 +	fips.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@ -211,14 +212,14 @@ diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c
 diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 --- a/openssh-6.5p1/cipher.c
 +++ b/openssh-6.5p1/cipher.c
-@@ -42,16 +42,17 @@
+@@ -44,25 +44,26 @@
 #include <openssl/md5.h>
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include "xmalloc.h"
 #include "log.h"
 #include "misc.h"
 #include "cipher.h"
 +#include "fips.h"
@ -229,12 +230,22 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 extern const EVP_CIPHER *evp_ssh1_3des(void);
 extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-@@ -81,18 +82,57 @@ struct Cipher ciphers[] = {
+-struct Cipher ciphers[] = {
- 	{ "aes128-gcm@openssh.com",
+struct Cipher ciphers_all[] = {
- 			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
 	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 	{ "blowfish-cbc",
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
@@ -85,27 +86,67 @@ struct Cipher ciphers[] = {
 	{ "aes256-gcm@openssh.com",
 			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 #endif
 	{ "chacha20-poly1305@openssh.com",
 			SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
@ -262,40 +273,51 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 +
 /*--*/
 +/* Returns array of ciphers available depending on selected FIPS mode */
 +static struct Cipher *
 +fips_select_ciphers(void)
 +{
 +	int fips = fips_mode();
 +	switch (fips) {
 +		case 0:
-+			return ciphers;
+			return ciphers_all;
 +		case 1:
 +			return ciphers_fips140_2;
 +		default:
 +			/* should not be reached */
 +			fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
 +			    fips, __FILE__, __LINE__);
-+//			return NULL;
+			return NULL;
 +	}
 +}
 +
- u_int
+ /* Returns a list of supported ciphers separated by the specified char. */
- cipher_blocksize(const Cipher *c)
+ char *
 cipher_alg_list(char sep, int auth_only)
 {
- 	return (c->block_size);
+ 	char *ret = NULL;
- }
+ 	size_t nlen, rlen = 0;
 	const Cipher *c;
- u_int
+-	for (c = ciphers; c->name != NULL; c++) {
- cipher_keylen(const Cipher *c)
+	for (c = fips_select_ciphers(); c->name != NULL; c++) {
-@@ -135,27 +175,27 @@ cipher_mask_ssh1(int client)
+ 		if (c->number != SSH_CIPHER_SSH2)
 			continue;
 		if (auth_only && c->auth_len == 0)
 			continue;
 		if (ret != NULL)
 			ret[rlen++] = sep;
 		nlen = strlen(c->name);
 		ret = xrealloc(ret, 1, rlen + nlen + 2);
@@ -175,27 +216,27 @@ cipher_mask_ssh1(int client)
 	}
 	return mask;
 }
- Cipher *
+ const Cipher *
 cipher_by_name(const char *name)
 {
- 	Cipher *c;
+ 	const Cipher *c;
 -	for (c = ciphers; c->name != NULL; c++)
 +	for (c = fips_select_ciphers(); c->name != NULL; c++)
 		if (strcmp(c->name, name) == 0)
@ -303,10 +325,10 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 	return NULL;
 }
- Cipher *
+ const Cipher *
 cipher_by_number(int id)
 {
- 	Cipher *c;
+ 	const Cipher *c;
 -	for (c = ciphers; c->name != NULL; c++)
 +	for (c = fips_select_ciphers(); c->name != NULL; c++)
 		if (c->number == id)
@ -317,13 +339,13 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 #define	CIPHER_SEP	","
 int
 ciphers_valid(const char *names)
-@@ -189,17 +229,17 @@ ciphers_valid(const char *names)
+@@ -229,17 +270,17 @@ ciphers_valid(const char *names)
  */
 int
 cipher_number(const char *name)
 {
- 	Cipher *c;
+ 	const Cipher *c;
 	if (name == NULL)
 		return -1;
 -	for (c = ciphers; c->name != NULL; c++)
@ -336,13 +358,13 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
 char *
 cipher_name(int id)
 {
-@@ -352,24 +392,29 @@ cipher_cleanup(CipherContext *cc)
+@@ -417,24 +458,29 @@ cipher_cleanup(CipherContext *cc)
  * Selects the cipher, and keys if by computing the MD5 checksum of the
  * passphrase and using the resulting 16 bytes as the key.
  */
 void
- cipher_set_key_string(CipherContext *cc, Cipher *cipher,
+ cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
     const char *passphrase, int do_encrypt)
 {
 -	MD5_CTX md;
@ -616,8 +638,7 @@ new file mode 100644
 diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 --- a/openssh-6.5p1/key.c
 +++ b/openssh-6.5p1/key.c
-@@ -49,16 +49,17 @@
+@@ -52,16 +52,17 @@
 #include "xmalloc.h"
 #include "key.h"
 #include "rsa.h"
 #include "uuencode.h"
@ -625,16 +646,17 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 #include "log.h"
 #include "misc.h"
 #include "ssh2.h"
 #include "digest.h"
 +#include "fips.h"
 static int to_blob(const Key *, u_char **, u_int *, int);
 static Key *key_from_blob2(const u_char *, u_int, int);
 static struct KeyCert *
 cert_new(void)
 {
 	struct KeyCert *cert;
- 
+@@ -664,16 +665,19 @@ key_fp_type_select(void)
@@ -634,16 +635,19 @@ key_fp_type_select(void)
 				error("invalid key type in environment variable "
 				    SSH_FP_TYPE_ENVVAR ": '%s' - falling back to MD5.",
 				    env);
@ -657,7 +679,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
 diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
 --- a/openssh-6.5p1/mac.c
 +++ b/openssh-6.5p1/mac.c
-@@ -36,34 +36,35 @@
+@@ -36,16 +36,17 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "cipher.h"
@ -675,18 +697,17 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
 #define SSH_EVP		1	/* OpenSSL EVP-based MAC */
 #define SSH_UMAC	2	/* UMAC (not integrated with OpenSSL) */
 #define SSH_UMAC128	3
- 
+@@ -55,17 +56,17 @@ struct macalg {
 -struct {
 +struct Macs {
 	char		*name;
 	int		type;
 	const EVP_MD *	(*mdfunc)(void);
 	int		truncatebits;	/* truncate digest if != 0 */
 	int		key_len;	/* just for UMAC */
 	int		len;		/* just for UMAC */
 	int		etm;		/* Encrypt-then-MAC */
-} macs[] = {
+ };
-+} macs_all[] = {
+ 
 -static const struct macalg macs[] = {
 +static const struct macalg macs_all[] = {
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 	{ "hmac-sha1",				SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
 	{ "hmac-sha1-96",			SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@ -695,7 +716,7 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
 	{ "hmac-sha2-512",			SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 #endif
 	{ "hmac-md5",				SSH_EVP, EVP_md5, 0, 0, 0, 0 },
-@@ -84,19 +85,46 @@ struct {
+@@ -86,25 +87,57 @@ static const struct macalg macs[] = {
 	{ "hmac-md5-96-etm@openssh.com",	SSH_EVP, EVP_md5, 96, 0, 0, 1 },
 	{ "hmac-ripemd160-etm@openssh.com",	SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
 	{ "umac-64-etm@openssh.com",		SSH_UMAC, NULL, 0, 128, 64, 1 },
@ -704,15 +725,21 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
 	{ NULL,					0, NULL, 0, 0, 0, 0 }
 };
-+struct Macs macs_fips140_2[] = {
+static const struct macalg macs_fips140_2[] = {
 +	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 +	{ "hmac-sha1",				SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
 +#ifdef HAVE_EVP_SHA256
 +	{ "hmac-sha2-256",			SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
 +	{ "hmac-sha2-512",			SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 +#endif
 +#ifdef HAVE_EVP_SHA256
 +	{ "hmac-sha2-256-etm@openssh.com",	SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
 +	{ "hmac-sha2-512-etm@openssh.com",	SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
 +#endif
 +	{ NULL,					0, NULL, 0, 0, 0, 0 }
 +};
 +
 +/* Returns array of macs available depending on selected FIPS mode */
 +static struct Macs *
 +fips_select_macs(void)
 +{
@ -730,61 +757,68 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
 +	}
 +}
 +
- static void
+ /* Returns a list of supported MACs separated by the specified char. */
- mac_setup_by_id(Mac *mac, int which)
+ char *
 mac_alg_list(char sep)
 {
-+	struct Macs *macs = fips_select_macs();
+ 	char *ret = NULL;
- 	int evp_len;
+ 	size_t nlen, rlen = 0;
- 	mac->type = macs[which].type;
+ 	const struct macalg *m;
- 	if (mac->type == SSH_EVP) {
+ 
- 		mac->evp_md = (*macs[which].mdfunc)();
+-	for (m = macs; m->name != NULL; m++) {
- 		if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
+	for (m = fips_select_macs(); m->name != NULL; m++) {
- 			fatal("mac %s len %d", mac->name, evp_len);
+ 		if (ret != NULL)
- 		mac->key_len = mac->mac_len = (u_int)evp_len;
+ 			ret[rlen++] = sep;
- 	} else {
+ 		nlen = strlen(m->name);
-@@ -107,16 +135,17 @@ mac_setup_by_id(Mac *mac, int which)
+ 		ret = xrealloc(ret, 1, rlen + nlen + 2);
- 	if (macs[which].truncatebits != 0)
+ 		memcpy(ret + rlen, m->name, nlen + 1);
- 		mac->mac_len = macs[which].truncatebits / 8;
+ 		rlen += nlen;
- 	mac->etm = macs[which].etm;
+ 	}
 	return ret;
@@ -131,17 +164,17 @@ mac_setup_by_alg(Mac *mac, const struct 
 	mac->etm = macalg->etm;
 }
 int
 mac_setup(Mac *mac, char *name)
 {
-+	struct Macs *macs = fips_select_macs();
+ 	const struct macalg *m;
 	int i;
- 	for (i = 0; macs[i].name; i++) {
+-	for (m = macs; m->name != NULL; m++) {
- 		if (strcmp(name, macs[i].name) == 0) {
+	for (m = fips_select_macs(); m->name != NULL; m++) {
- 			if (mac != NULL)
+ 		if (strcmp(name, m->name) != 0)
- 				mac_setup_by_id(mac, i);
+ 			continue;
- 			debug2("mac_setup: found %s", name);
+ 		if (mac != NULL)
- 			return (0);
+ 			mac_setup_by_alg(mac, m);
 		debug2("mac_setup: found %s", name);
 		return (0);
 	}
 	debug2("mac_setup: unknown %s", name);
 diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
 --- a/openssh-6.5p1/myproposal.h
 +++ b/openssh-6.5p1/myproposal.h
-@@ -71,16 +71,20 @@
+@@ -104,16 +104,20 @@
 	"ssh-dss"
 #define	KEX_DEFAULT_ENCRYPT \
 	"aes128-ctr,aes192-ctr,aes256-ctr," \
 	"arcfour256,arcfour128," \
- 	"aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+ 	AESGCM_CIPHER_MODES \
 	"chacha20-poly1305@openssh.com," \
 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
 	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
 +#define	KEX_FIPS_140_2_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
 +	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
- #ifdef HAVE_EVP_SHA256
+ 
 #define	SHA2_HMAC_MODES \
 	"hmac-sha2-256," \
 	"hmac-sha2-512,"
 #else
 # define SHA2_HMAC_MODES
 #endif
 #define	KEX_DEFAULT_MAC \
-@@ -97,16 +101,19 @@
+ 	"hmac-md5-etm@openssh.com," \
 	"hmac-sha1-etm@openssh.com," \
 	"umac-64-etm@openssh.com," \
 	"umac-128-etm@openssh.com," \
 	"hmac-sha2-256-etm@openssh.com," \
 	"hmac-sha2-512-etm@openssh.com," \
@@ -124,16 +128,19 @@
 	"hmac-sha1," \
 	"umac-64@openssh.com," \
 	"umac-128@openssh.com," \
@ -804,189 +838,6 @@ diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
 static char *myproposal[PROPOSAL_MAX] = {
 	KEX_DEFAULT_KEX,
 	KEX_DEFAULT_PK_ALG,
 diff --git a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
 --- a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
 +++ b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
@@ -18,34 +18,35 @@
 #include <sys/types.h>
 #include <string.h>
 #include <stdlib.h>
 #include <stdarg.h>
 #include "log.h"
 +#include "fips.h"
 #ifndef HAVE_ARC4RANDOM
 #include <openssl/rand.h>
 #include <openssl/rc4.h>
 #include <openssl/err.h>
 /* Size of key to use */
 #define SEED_SIZE 20
 /* Number of bytes to reseed after */
 #define REKEY_BYTES	(1 << 24)
 static int rc4_ready = 0;
 static RC4_KEY rc4;
 -unsigned int
 -arc4random(void)
 +static unsigned int
 +arc4random_bsd(void)
 {
 	unsigned int r = 0;
 	static int first_time = 1;
 	if (rc4_ready <= 0) {
 		if (first_time)
 			seed_rng();
 		first_time = 0;
@@ -54,18 +55,18 @@ arc4random(void)
 	RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
 	rc4_ready -= sizeof(r);
 	return(r);
 }
 -void
 -arc4random_stir(void)
 +static void
 +arc4random_stir_bsd(void)
 {
 	unsigned char rand_buf[SEED_SIZE];
 	int i;
 	memset(&rc4, 0, sizeof(rc4));
 	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
 		fatal("Couldn't obtain random bytes (error %ld)",
 		    ERR_get_error());
@@ -77,16 +78,63 @@ arc4random_stir(void)
 	 */
 	for(i = 0; i <= 256; i += sizeof(rand_buf))
 		RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
 	memset(rand_buf, 0, sizeof(rand_buf));
 	rc4_ready = REKEY_BYTES;
 }
 +
 +static unsigned int
 +arc4random_fips(void)
 +{
 +	unsigned int r = 0;
 +	void *rp = &r;
 +	static int first_time = 1;
 +
 +	if (first_time) {
 +		seed_rng();
 +		first_time = 0;
 +	}
 +	if (!rc4_ready)
 +		arc4random_stir();
 +	RAND_bytes(rp, sizeof(r));
 +
 +	return(r);
 +}
 +
 +static void
 +arc4random_stir_fips(void)
 +{
 +	unsigned char rand_buf[SEED_SIZE];
 +
 +	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
 +		fatal("Couldn't obtain random bytes (error %ld)",
 +		    ERR_get_error());
 +	rc4_ready = 1;
 +}
 +
 +unsigned int
 +arc4random(void)
 +{
 +	if (fips_mode())
 +		return arc4random_fips();
 +	else
 +		return arc4random_bsd();
 +}
 +
 +void
 +arc4random_stir(void)
 +{
 +	if (fips_mode())
 +		return arc4random_stir_fips();
 +	else
 +		return arc4random_stir_bsd();
 +}
 #endif /* !HAVE_ARC4RANDOM */
 #ifndef HAVE_ARC4RANDOM_BUF
 void
 arc4random_buf(void *_buf, size_t n)
 {
 	size_t i;
 	u_int32_t r = 0;
 diff --git a/openssh-6.5p1/ssh-rsa.c b/openssh-6.5p1/ssh-rsa.c
 --- a/openssh-6.5p1/ssh-rsa.c
 +++ b/openssh-6.5p1/ssh-rsa.c
@@ -27,16 +27,17 @@
 #include "xmalloc.h"
 #include "log.h"
 #include "buffer.h"
 #include "key.h"
 #include "compat.h"
 #include "misc.h"
 #include "ssh.h"
 +#include "fips.h"
 static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
 int
 ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
     const u_char *data, u_int datalen)
 {
@@ -48,16 +49,17 @@ ssh_rsa_sign(const Key *key, u_char **si
 	Buffer b;
 	if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA &&
 	    key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) {
 		error("ssh_rsa_sign: no RSA key");
 		return -1;
 	}
 	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
 +	fips_correct_nid(&nid);
 	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
 		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
 		return -1;
 	}
 	EVP_DigestInit(&md, evp_md);
 	EVP_DigestUpdate(&md, data, datalen);
 	EVP_DigestFinal(&md, digest, &dlen);
@@ -154,16 +156,17 @@ ssh_rsa_verify(const Key *key, const u_c
 		debug("ssh_rsa_verify: add padding: modlen %u > len %u",
 		    modlen, len);
 		sigblob = xrealloc(sigblob, 1, modlen);
 		memmove(sigblob + diff, sigblob, len);
 		memset(sigblob, 0, diff);
 		len = modlen;
 	}
 	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
 +	fips_correct_nid(&nid);
 	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
 		error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
 		free(sigblob);
 		return -1;
 	}
 	EVP_DigestInit(&md, evp_md);
 	EVP_DigestUpdate(&md, data, datalen);
 	EVP_DigestFinal(&md, digest, &dlen);
 diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
 --- a/openssh-6.5p1/ssh.c
 +++ b/openssh-6.5p1/ssh.c
@ -1008,13 +859,13 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
 extern char *__progname;
 /* Saves a copy of argv for setproctitle emulation */
-@@ -324,16 +325,18 @@ main(int ac, char **av)
+@@ -453,16 +454,18 @@ main(int ac, char **av)
- 	use_syslog = 0;
+ 	logfile = NULL;
 	argv0 = av[0];
  again:
 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
- 	    "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
+ 	    "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
 +			if (fips_mode())
@ -1027,8 +878,7 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
 		case '4':
 			options.address_family = AF_INET;
 			break;
-@@ -781,17 +784,22 @@ main(int ac, char **av)
+@@ -959,16 +962,22 @@ main(int ac, char **av)
 		free(cp);
 	}
 	if (muxclient_command != 0 && options.control_path == NULL)
 		fatal("No ControlPath specified for \"-O\" command");
@ -1036,7 +886,7 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
 		muxclient(options.control_path);
 	timeout_ms = options.connection_timeout * 1000;
-
+ 
 +	if (FIPS_mode()) {
 +		options.protocol &= SSH_PROTO_2;
 +		if (options.protocol == 0)
@ -1044,13 +894,13 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
 +	}
 +
 	/* Open a connection to the remote host. */
- 	if (ssh_connect(host, &hostaddr, options.port,
+ 	if (ssh_connect(host, addrs, &hostaddr, options.port,
- 	    options.address_family, options.connection_attempts, &timeout_ms,
+ 	    options.address_family, options.connection_attempts,
- 	    options.tcp_keep_alive, 
+ 	    &timeout_ms, options.tcp_keep_alive,
- #ifdef HAVE_CYGWIN
+ 	    options.use_privileged_port) != 0)
- 	    options.use_privileged_port,
+  		exit(255);
- #else
+ 
- 	    original_effective_uid == 0 && options.use_privileged_port,
+ 	if (addrs != NULL)
 diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 --- a/openssh-6.5p1/sshconnect2.c
 +++ b/openssh-6.5p1/sshconnect2.c
@ -1072,7 +922,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 /* import */
 extern char *client_version_string;
 extern char *server_version_string;
-@@ -165,31 +166,37 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -165,31 +166,41 @@ ssh_kex2(char *host, struct sockaddr *ho
 	if (options.ciphers == (char *)-1) {
 		logit("No valid ciphers for protocol version 2 given, using defaults.");
@ -1082,6 +932,8 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
 +	} else if (fips_mode()) {
 +        /* TODO: use intersection of FIPS ciphers and those requested in
 +         * configuration */
 +		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_140_2_ENCRYPT;
 	}
@ -1100,20 +952,22 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
 +	} else if (fips_mode()) {
 +        /* TODO: use intersection of FIPS macs and those requested in
 +         * configuration */
 +		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 +		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_140_2_MAC;
 	}
 	if (options.hostkeyalgorithms != NULL)
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    options.hostkeyalgorithms;
+ 		    compat_pkalg_proposal(options.hostkeyalgorithms);
 	else {
 		/* Prefer algorithms that we already have keys for */
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    order_hostkeyalgs(host, hostaddr, port);
+ 		    compat_pkalg_proposal(
 diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 --- a/openssh-6.5p1/sshd.c
 +++ b/openssh-6.5p1/sshd.c
-@@ -118,16 +118,17 @@
+@@ -119,16 +119,17 @@
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
@ -1131,14 +985,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 int deny_severity;
 #endif /* LIBWRAP */
-@@ -1711,16 +1712,20 @@ main(int ac, char **av)
+@@ -1786,16 +1787,20 @@ main(int ac, char **av)
 		case KEY_DSA:
 		case KEY_ECDSA:
 		case KEY_ED25519:
 			sensitive_data.have_ssh2_key = 1;
 			break;
 		}
- 		debug("private host key: #%d type %d %s", i, key->type,
+ 		debug("private host key: #%d type %d %s", i, keytype,
- 		    key_type(key));
+ 		    key_type(key ? key : pubkey));
 	}
 +	if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
 +		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@ -1152,7 +1006,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
 		logit("Disabling protocol version 2. Could not load host key");
 		options.protocol &= ~SSH_PROTO_2;
 	}
-@@ -2413,25 +2418,31 @@ do_ssh1_kex(void)
+@@ -2506,25 +2511,31 @@ sshd_hostkey_sign(Key *privkey, Key *pub
 static void
 do_ssh2_kex(void)
 {
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com
 - re-enabling FIPS-enablement patch
 - enable X11 forwarding when IPv6 is present but disabled on server
  (bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch)
 -------------------------------------------------------------------
 Tue Feb 18 12:56:31 UTC 2014 - pcerny@suse.com
--- a/openssh.spec
+++ b/openssh.spec
@ -143,6 +143,7 @@ Patch32:        openssh-6.5p1-host_ident.patch
 Patch33:        openssh-6.5p1-sftp_homechroot.patch
 Patch34:        openssh-6.5p1-sftp_force_permissions.patch
 Patch35:        openssh-6.5p1-seccomp_getuid.patch
 Patch36:        openssh-6.5p1-X_forward_with_disabled_ipv6.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -194,7 +195,9 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %patch24 -p2
 %patch25 -p2
 %patch26 -p2
-#patch27 -p2
+%if 0%{?suse_version} > 1310
 %patch27 -p2
 %endif
 #patch28 -p2
 %patch29 -p2
 %patch30 -p2
@ -203,6 +206,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
 %patch33 -p2
 %patch34 -p2
 %patch35 -p2
 %patch36 -p2
 cp %{SOURCE3} %{SOURCE4} .
 %build