Accepting request 680202 from home:vitezslav_cizek:branches:network

- Correctly filter out non-compliant algorithms when in FIPS mode
  (bsc#1126397)
  * A hunk was applied to a wrong place due to a patch fuzz when
    the fips patch was being ported to openssh 7.9p1
- update openssh-7.7p1-fips.patch

OBS-URL: https://build.opensuse.org/request/show/680202
OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=182
Tomáš Chvátal 2019-02-28 20:03:36 +00:00 committed by Git OBS Bridge
parent 5fcc01190a
commit 3f73bd9831
2 changed files with 38 additions and 29 deletions

@ -5,8 +5,8 @@ algorithms.
Index: openssh-7.9p1/Makefile.in Index: openssh-7.9p1/Makefile.in
=================================================================== ===================================================================
--- openssh-7.9p1.orig/Makefile.in 2019-02-27 14:05:59.153078796 +0100 --- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
+++ openssh-7.9p1/Makefile.in 2019-02-27 15:41:46.539774099 +0100 +++ openssh-7.9p1/Makefile.in 2019-02-28 20:18:30.666473978 +0100
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
platform-pledge.o platform-tracing.o platform-misc.o platform-pledge.o platform-tracing.o platform-misc.o
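Review bot: The `---`/`+++` header lines in this hunk differ only in their timestamps (2019-02-27 versus 2019-02-28), and the same pattern repeats for almost every file in the patch, so most of the 38 additions and 29 deletions are churn that hides the one functional change in readconf.c. Consider refreshing the patch without timestamps in the file headers so that later updates show only real changes.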
@ -19,7 +19,7 @@ Index: openssh-7.9p1/Makefile.in
Index: openssh-7.9p1/cipher-ctr.c Index: openssh-7.9p1/cipher-ctr.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/cipher-ctr.c 2019-02-27 14:05:59.305079731 +0100 +++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
#include "xmalloc.h" #include "xmalloc.h"
#include "log.h" #include "log.h"
@ -41,7 +41,7 @@ Index: openssh-7.9p1/cipher-ctr.c
Index: openssh-7.9p1/cipher.c Index: openssh-7.9p1/cipher.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/cipher.c 2019-02-27 15:41:46.539774099 +0100 +++ openssh-7.9p1/cipher.c 2019-02-28 20:18:30.666473978 +0100
@@ -51,6 +51,8 @@ @@ -51,6 +51,8 @@
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -134,7 +134,7 @@ Index: openssh-7.9p1/cipher.c
Index: openssh-7.9p1/fips.c Index: openssh-7.9p1/fips.c
=================================================================== ===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/fips.c 2019-02-27 15:41:46.311772744 +0100 +++ openssh-7.9p1/fips.c 2019-02-28 20:18:30.534473204 +0100
@@ -0,0 +1,215 @@ @@ -0,0 +1,215 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -354,7 +354,7 @@ Index: openssh-7.9p1/fips.c
Index: openssh-7.9p1/fips.h Index: openssh-7.9p1/fips.h
=================================================================== ===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 --- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssh-7.9p1/fips.h 2019-02-27 15:41:46.311772744 +0100 +++ openssh-7.9p1/fips.h 2019-02-28 20:18:30.534473204 +0100
@@ -0,0 +1,44 @@ @@ -0,0 +1,44 @@
+/* +/*
+ * Copyright (c) 2012 Petr Cerny. All rights reserved. + * Copyright (c) 2012 Petr Cerny. All rights reserved.
@ -403,7 +403,7 @@ Index: openssh-7.9p1/fips.h
Index: openssh-7.9p1/hmac.c Index: openssh-7.9p1/hmac.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/hmac.c 2019-02-27 14:05:59.305079731 +0100 +++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * @@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
size_t i; size_t i;
u_char digest[16]; u_char digest[16];
@ -416,7 +416,7 @@ Index: openssh-7.9p1/hmac.c
Index: openssh-7.9p1/kex.c Index: openssh-7.9p1/kex.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/kex.c 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
@@ -54,6 +54,8 @@ @@ -54,6 +54,8 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
@ -515,7 +515,7 @@ Index: openssh-7.9p1/kex.c
Index: openssh-7.9p1/kexgexs.c Index: openssh-7.9p1/kexgexs.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/kexgexs.c 2019-02-27 14:05:59.305079731 +0100 +++ openssh-7.9p1/kexgexs.c 2019-02-28 17:20:15.923165569 +0100
@@ -56,6 +56,8 @@ @@ -56,6 +56,8 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "misc.h" #include "misc.h"
@ -528,7 +528,7 @@ Index: openssh-7.9p1/kexgexs.c
Index: openssh-7.9p1/mac.c Index: openssh-7.9p1/mac.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/mac.c 2019-02-27 15:31:46.644209847 +0100 +++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
@@ -40,6 +40,9 @@ @@ -40,6 +40,9 @@
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -611,7 +611,7 @@ Index: openssh-7.9p1/mac.c
Index: openssh-7.9p1/myproposal.h Index: openssh-7.9p1/myproposal.h
=================================================================== ===================================================================
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/myproposal.h 2019-02-27 14:05:59.309079755 +0100 +++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
@@ -151,6 +151,8 @@ @@ -151,6 +151,8 @@
#else /* WITH_OPENSSL */ #else /* WITH_OPENSSL */
@ -624,7 +624,7 @@ Index: openssh-7.9p1/myproposal.h
Index: openssh-7.9p1/readconf.c Index: openssh-7.9p1/readconf.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/readconf.c 2019-02-27 15:42:19.495969910 +0100 +++ openssh-7.9p1/readconf.c 2019-02-28 20:18:54.650614520 +0100
@@ -68,6 +68,8 @@ @@ -68,6 +68,8 @@
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
@ -667,18 +667,18 @@ Index: openssh-7.9p1/readconf.c
if (options->update_hostkeys == -1) if (options->update_hostkeys == -1)
options->update_hostkeys = 0; options->update_hostkeys = 0;
@@ -2577,6 +2598,7 @@ dump_client_config(Options *o, const cha @@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
KEX_DEFAULT_PK_ALG, all_key) != 0) free(all_kex);
fatal("%s: kex_assemble_names failed", __func__);
free(all_key); free(all_key);
+ filter_fips_algorithms(o); free(all_sig);
+ filter_fips_algorithms(options);
/* Most interesting options first: user, host, port */ #define CLEAR_ON_NONE(v) \
dump_cfg_string(oUser, o->user); do { \
Index: openssh-7.9p1/readconf.h Index: openssh-7.9p1/readconf.h
=================================================================== ===================================================================
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/readconf.h 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
@@ -197,6 +197,7 @@ typedef struct { @@ -197,6 +197,7 @@ typedef struct {
#define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_YES 2
#define SSH_STRICT_HOSTKEY_ASK 3 #define SSH_STRICT_HOSTKEY_ASK 3
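Review bot: The relocated call `filter_fips_algorithms(options);` in `fill_default_options()` carries no comment tying it to its position, and both the old location in `dump_client_config()` and the new one follow a `free(all_key);` line, so the context is similar enough for a fuzzy apply to pick the wrong function again. Suggest a one-line comment above the call stating that it must run after the default algorithm lists are assembled, and applying this patch with fuzz disabled (for example `patch --fuzz=0`) so that a future rebase fails loudly instead of leaving the filter out of the path that fills in the client defaults.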
@ -689,8 +689,8 @@ Index: openssh-7.9p1/readconf.h
void fill_default_options_for_canonicalization(Options *); void fill_default_options_for_canonicalization(Options *);
Index: openssh-7.9p1/servconf.c Index: openssh-7.9p1/servconf.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/servconf.c 2019-02-27 14:05:59.237079313 +0100 --- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/servconf.c 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
@@ -64,6 +64,7 @@ @@ -64,6 +64,7 @@
#include "auth.h" #include "auth.h"
#include "myproposal.h" #include "myproposal.h"
@ -744,7 +744,7 @@ Index: openssh-7.9p1/servconf.c
Index: openssh-7.9p1/ssh-keygen.c Index: openssh-7.9p1/ssh-keygen.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/ssh-keygen.c 2019-02-27 14:05:59.309079755 +0100 +++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
@@ -61,6 +61,8 @@ @@ -61,6 +61,8 @@
#include "utf8.h" #include "utf8.h"
#include "authfd.h" #include "authfd.h"
@ -820,7 +820,7 @@ Index: openssh-7.9p1/ssh-keygen.c
Index: openssh-7.9p1/ssh_config.0 Index: openssh-7.9p1/ssh_config.0
=================================================================== ===================================================================
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200 --- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
+++ openssh-7.9p1/ssh_config.0 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
@@ -353,6 +353,9 @@ DESCRIPTION @@ -353,6 +353,9 @@ DESCRIPTION
Specifies the hash algorithm used when displaying key Specifies the hash algorithm used when displaying key
fingerprints. Valid options are: md5 and sha256 (the default). fingerprints. Valid options are: md5 and sha256 (the default).
@ -844,7 +844,7 @@ Index: openssh-7.9p1/ssh_config.0
Index: openssh-7.9p1/ssh_config.5 Index: openssh-7.9p1/ssh_config.5
=================================================================== ===================================================================
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/ssh_config.5 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
@@ -642,6 +642,8 @@ Valid options are: @@ -642,6 +642,8 @@ Valid options are:
and and
.Cm sha256 .Cm sha256
@ -857,7 +857,7 @@ Index: openssh-7.9p1/ssh_config.5
Index: openssh-7.9p1/sshd.c Index: openssh-7.9p1/sshd.c
=================================================================== ===================================================================
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200 --- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/sshd.c 2019-02-27 15:41:46.311772744 +0100 +++ openssh-7.9p1/sshd.c 2019-02-28 20:18:30.534473204 +0100
@@ -123,6 +123,8 @@ @@ -123,6 +123,8 @@
#include "version.h" #include "version.h"
#include "ssherr.h" #include "ssherr.h"
@ -869,8 +869,8 @@ Index: openssh-7.9p1/sshd.c
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
Index: openssh-7.9p1/sshd_config.0 Index: openssh-7.9p1/sshd_config.0
=================================================================== ===================================================================
--- openssh-7.9p1.orig/sshd_config.0 2019-02-27 14:05:59.237079313 +0100 --- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.0 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
@@ -348,6 +348,9 @@ DESCRIPTION @@ -348,6 +348,9 @@ DESCRIPTION
Specifies the hash algorithm used when logging key fingerprints. Specifies the hash algorithm used when logging key fingerprints.
Valid options are: md5 and sha256. The default is sha256. Valid options are: md5 and sha256. The default is sha256.
@ -893,8 +893,8 @@ Index: openssh-7.9p1/sshd_config.0
following forms may be used: following forms may be used:
Index: openssh-7.9p1/sshd_config.5 Index: openssh-7.9p1/sshd_config.5
=================================================================== ===================================================================
--- openssh-7.9p1.orig/sshd_config.5 2019-02-27 14:05:59.237079313 +0100 --- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.5 2019-02-27 15:41:45.951770606 +0100 +++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
@@ -603,6 +603,8 @@ and @@ -603,6 +603,8 @@ and
.Cm sha256 . .Cm sha256 .
The default is The default is

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Feb 28 19:20:58 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Correctly filter out non-compliant algorithms when in FIPS mode
(bsc#1126397)
* A hunk was applied to a wrong place due to a patch fuzz when
the fips patch was being ported to openssh 7.9p1
- update openssh-7.7p1-fips.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com> Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
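Review bot: The new changelog entry says a hunk was applied to the wrong place but does not say which one; naming the functions (the `filter_fips_algorithms()` call moved from `dump_client_config()` to `fill_default_options()` in readconf.c) would let someone auditing bsc#1126397 confirm the fix without diffing the patch. The entry also still refers to openssh-7.7p1-fips.patch although every path inside it is openssh-7.9p1/, which is worth a rename or a note.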