Accepting request 680202 from home:vitezslav_cizek:branches:network
- Correctly filter out non-compliant algorithms when in FIPS mode (bsc#1126397) * A hunk was applied to a wrong place due to a patch fuzz when the fips patch was being ported to openssh 7.9p1 - update openssh-7.7p1-fips.patch OBS-URL: https://build.opensuse.org/request/show/680202 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=182
This commit is contained in:
parent
5fcc01190a
commit
3f73bd9831
@ -5,8 +5,8 @@ algorithms.
|
|||||||
|
|
||||||
Index: openssh-7.9p1/Makefile.in
|
Index: openssh-7.9p1/Makefile.in
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/Makefile.in 2019-02-27 14:05:59.153078796 +0100
|
--- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100
|
||||||
+++ openssh-7.9p1/Makefile.in 2019-02-27 15:41:46.539774099 +0100
|
+++ openssh-7.9p1/Makefile.in 2019-02-28 20:18:30.666473978 +0100
|
||||||
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||||
platform-pledge.o platform-tracing.o platform-misc.o
|
platform-pledge.o platform-tracing.o platform-misc.o
|
||||||
@ -19,7 +19,7 @@ Index: openssh-7.9p1/Makefile.in
|
|||||||
Index: openssh-7.9p1/cipher-ctr.c
|
Index: openssh-7.9p1/cipher-ctr.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/cipher-ctr.c 2019-02-27 14:05:59.305079731 +0100
|
+++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -41,7 +41,7 @@ Index: openssh-7.9p1/cipher-ctr.c
|
|||||||
Index: openssh-7.9p1/cipher.c
|
Index: openssh-7.9p1/cipher.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/cipher.c 2019-02-27 15:41:46.539774099 +0100
|
+++ openssh-7.9p1/cipher.c 2019-02-28 20:18:30.666473978 +0100
|
||||||
@@ -51,6 +51,8 @@
|
@@ -51,6 +51,8 @@
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
@ -134,7 +134,7 @@ Index: openssh-7.9p1/cipher.c
|
|||||||
Index: openssh-7.9p1/fips.c
|
Index: openssh-7.9p1/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||||
+++ openssh-7.9p1/fips.c 2019-02-27 15:41:46.311772744 +0100
|
+++ openssh-7.9p1/fips.c 2019-02-28 20:18:30.534473204 +0100
|
||||||
@@ -0,0 +1,215 @@
|
@@ -0,0 +1,215 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||||
@ -354,7 +354,7 @@ Index: openssh-7.9p1/fips.c
|
|||||||
Index: openssh-7.9p1/fips.h
|
Index: openssh-7.9p1/fips.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
|
||||||
+++ openssh-7.9p1/fips.h 2019-02-27 15:41:46.311772744 +0100
|
+++ openssh-7.9p1/fips.h 2019-02-28 20:18:30.534473204 +0100
|
||||||
@@ -0,0 +1,44 @@
|
@@ -0,0 +1,44 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
+ * Copyright (c) 2012 Petr Cerny. All rights reserved.
|
||||||
@ -403,7 +403,7 @@ Index: openssh-7.9p1/fips.h
|
|||||||
Index: openssh-7.9p1/hmac.c
|
Index: openssh-7.9p1/hmac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/hmac.c 2019-02-27 14:05:59.305079731 +0100
|
+++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100
|
||||||
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
|
||||||
size_t i;
|
size_t i;
|
||||||
u_char digest[16];
|
u_char digest[16];
|
||||||
@ -416,7 +416,7 @@ Index: openssh-7.9p1/hmac.c
|
|||||||
Index: openssh-7.9p1/kex.c
|
Index: openssh-7.9p1/kex.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/kex.c 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100
|
||||||
@@ -54,6 +54,8 @@
|
@@ -54,6 +54,8 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -515,7 +515,7 @@ Index: openssh-7.9p1/kex.c
|
|||||||
Index: openssh-7.9p1/kexgexs.c
|
Index: openssh-7.9p1/kexgexs.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/kexgexs.c 2019-02-27 14:05:59.305079731 +0100
|
+++ openssh-7.9p1/kexgexs.c 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -56,6 +56,8 @@
|
@@ -56,6 +56,8 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
@ -528,7 +528,7 @@ Index: openssh-7.9p1/kexgexs.c
|
|||||||
Index: openssh-7.9p1/mac.c
|
Index: openssh-7.9p1/mac.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/mac.c 2019-02-27 15:31:46.644209847 +0100
|
+++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -40,6 +40,9 @@
|
@@ -40,6 +40,9 @@
|
||||||
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
@ -611,7 +611,7 @@ Index: openssh-7.9p1/mac.c
|
|||||||
Index: openssh-7.9p1/myproposal.h
|
Index: openssh-7.9p1/myproposal.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/myproposal.h 2019-02-27 14:05:59.309079755 +0100
|
+++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -151,6 +151,8 @@
|
@@ -151,6 +151,8 @@
|
||||||
|
|
||||||
#else /* WITH_OPENSSL */
|
#else /* WITH_OPENSSL */
|
||||||
@ -624,7 +624,7 @@ Index: openssh-7.9p1/myproposal.h
|
|||||||
Index: openssh-7.9p1/readconf.c
|
Index: openssh-7.9p1/readconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/readconf.c 2019-02-27 15:42:19.495969910 +0100
|
+++ openssh-7.9p1/readconf.c 2019-02-28 20:18:54.650614520 +0100
|
||||||
@@ -68,6 +68,8 @@
|
@@ -68,6 +68,8 @@
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
#include "digest.h"
|
#include "digest.h"
|
||||||
@ -667,18 +667,18 @@ Index: openssh-7.9p1/readconf.c
|
|||||||
if (options->update_hostkeys == -1)
|
if (options->update_hostkeys == -1)
|
||||||
options->update_hostkeys = 0;
|
options->update_hostkeys = 0;
|
||||||
|
|
||||||
@@ -2577,6 +2598,7 @@ dump_client_config(Options *o, const cha
|
@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
|
||||||
KEX_DEFAULT_PK_ALG, all_key) != 0)
|
free(all_kex);
|
||||||
fatal("%s: kex_assemble_names failed", __func__);
|
|
||||||
free(all_key);
|
free(all_key);
|
||||||
+ filter_fips_algorithms(o);
|
free(all_sig);
|
||||||
|
+ filter_fips_algorithms(options);
|
||||||
|
|
||||||
/* Most interesting options first: user, host, port */
|
#define CLEAR_ON_NONE(v) \
|
||||||
dump_cfg_string(oUser, o->user);
|
do { \
|
||||||
Index: openssh-7.9p1/readconf.h
|
Index: openssh-7.9p1/readconf.h
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/readconf.h 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -197,6 +197,7 @@ typedef struct {
|
@@ -197,6 +197,7 @@ typedef struct {
|
||||||
#define SSH_STRICT_HOSTKEY_YES 2
|
#define SSH_STRICT_HOSTKEY_YES 2
|
||||||
#define SSH_STRICT_HOSTKEY_ASK 3
|
#define SSH_STRICT_HOSTKEY_ASK 3
|
||||||
@ -689,8 +689,8 @@ Index: openssh-7.9p1/readconf.h
|
|||||||
void fill_default_options_for_canonicalization(Options *);
|
void fill_default_options_for_canonicalization(Options *);
|
||||||
Index: openssh-7.9p1/servconf.c
|
Index: openssh-7.9p1/servconf.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/servconf.c 2019-02-27 14:05:59.237079313 +0100
|
--- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100
|
||||||
+++ openssh-7.9p1/servconf.c 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -64,6 +64,7 @@
|
@@ -64,6 +64,7 @@
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
#include "myproposal.h"
|
#include "myproposal.h"
|
||||||
@ -744,7 +744,7 @@ Index: openssh-7.9p1/servconf.c
|
|||||||
Index: openssh-7.9p1/ssh-keygen.c
|
Index: openssh-7.9p1/ssh-keygen.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/ssh-keygen.c 2019-02-27 14:05:59.309079755 +0100
|
+++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -61,6 +61,8 @@
|
@@ -61,6 +61,8 @@
|
||||||
#include "utf8.h"
|
#include "utf8.h"
|
||||||
#include "authfd.h"
|
#include "authfd.h"
|
||||||
@ -820,7 +820,7 @@ Index: openssh-7.9p1/ssh-keygen.c
|
|||||||
Index: openssh-7.9p1/ssh_config.0
|
Index: openssh-7.9p1/ssh_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
|
--- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200
|
||||||
+++ openssh-7.9p1/ssh_config.0 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -353,6 +353,9 @@ DESCRIPTION
|
@@ -353,6 +353,9 @@ DESCRIPTION
|
||||||
Specifies the hash algorithm used when displaying key
|
Specifies the hash algorithm used when displaying key
|
||||||
fingerprints. Valid options are: md5 and sha256 (the default).
|
fingerprints. Valid options are: md5 and sha256 (the default).
|
||||||
@ -844,7 +844,7 @@ Index: openssh-7.9p1/ssh_config.0
|
|||||||
Index: openssh-7.9p1/ssh_config.5
|
Index: openssh-7.9p1/ssh_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/ssh_config.5 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100
|
||||||
@@ -642,6 +642,8 @@ Valid options are:
|
@@ -642,6 +642,8 @@ Valid options are:
|
||||||
and
|
and
|
||||||
.Cm sha256
|
.Cm sha256
|
||||||
@ -857,7 +857,7 @@ Index: openssh-7.9p1/ssh_config.5
|
|||||||
Index: openssh-7.9p1/sshd.c
|
Index: openssh-7.9p1/sshd.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
|
--- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200
|
||||||
+++ openssh-7.9p1/sshd.c 2019-02-27 15:41:46.311772744 +0100
|
+++ openssh-7.9p1/sshd.c 2019-02-28 20:18:30.534473204 +0100
|
||||||
@@ -123,6 +123,8 @@
|
@@ -123,6 +123,8 @@
|
||||||
#include "version.h"
|
#include "version.h"
|
||||||
#include "ssherr.h"
|
#include "ssherr.h"
|
||||||
@ -869,8 +869,8 @@ Index: openssh-7.9p1/sshd.c
|
|||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||||
Index: openssh-7.9p1/sshd_config.0
|
Index: openssh-7.9p1/sshd_config.0
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/sshd_config.0 2019-02-27 14:05:59.237079313 +0100
|
--- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100
|
||||||
+++ openssh-7.9p1/sshd_config.0 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100
|
||||||
@@ -348,6 +348,9 @@ DESCRIPTION
|
@@ -348,6 +348,9 @@ DESCRIPTION
|
||||||
Specifies the hash algorithm used when logging key fingerprints.
|
Specifies the hash algorithm used when logging key fingerprints.
|
||||||
Valid options are: md5 and sha256. The default is sha256.
|
Valid options are: md5 and sha256. The default is sha256.
|
||||||
@ -893,8 +893,8 @@ Index: openssh-7.9p1/sshd_config.0
|
|||||||
following forms may be used:
|
following forms may be used:
|
||||||
Index: openssh-7.9p1/sshd_config.5
|
Index: openssh-7.9p1/sshd_config.5
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssh-7.9p1.orig/sshd_config.5 2019-02-27 14:05:59.237079313 +0100
|
--- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100
|
||||||
+++ openssh-7.9p1/sshd_config.5 2019-02-27 15:41:45.951770606 +0100
|
+++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100
|
||||||
@@ -603,6 +603,8 @@ and
|
@@ -603,6 +603,8 @@ and
|
||||||
.Cm sha256 .
|
.Cm sha256 .
|
||||||
The default is
|
The default is
|
||||||
|
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 28 19:20:58 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||||
|
|
||||||
|
- Correctly filter out non-compliant algorithms when in FIPS mode
|
||||||
|
(bsc#1126397)
|
||||||
|
* A hunk was applied to a wrong place due to a patch fuzz when
|
||||||
|
the fips patch was being ported to openssh 7.9p1
|
||||||
|
- update openssh-7.7p1-fips.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user