pool/openssh
SHA256
8
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 224303 from network

Browse Source 
- re-enabling FIPS-enablement patch
- enable X11 forwarding when IPv6 is present but disabled on server
  (bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch) (forwarded request 224302 from pcerny)

OBS-URL: https://build.opensuse.org/request/show/224303
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssh?expand=0&rev=92
This commit is contained in:
Stephan Kulow
2014-03-01 20:20:10 +00:00
committed by Git OBS Bridge
parent 36c921d588 25f021b853
commit c8d3d86692
5 changed files with 189 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
openssh-6.5p1-X_forward_with_disabled_ipv6.patch Normal file
View File

@@ -0,0 +1,34 @@
# HG changeset patch
# Parent d7526bd96e81981aa3c94b7695a3f4009a2c176b
Do not throw away already open sockets for X11 forwarding if another socket
family is not available for bind()
diff --git a/openssh-6.5p1/channels.c b/openssh-6.5p1/channels.c
--- a/openssh-6.5p1/channels.c
+++ b/openssh-6.5p1/channels.c
@@ -3475,22 +3475,24 @@ x11_create_display_inet(int x11_display_
}
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
channel_set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
-
+ continue;
+ /* do not remove successfully opened sockets
for (n = 0; n < num_socks; n++) {
close(socks[n]);
}
num_socks = 0;
break;
+ */
}
socks[num_socks++] = sock;
if (num_socks == NUM_SOCKS)
break;
}
freeaddrinfo(aitop);
if (num_socks > 0)
break;

8
openssh-6.5p1-audit6-server_key_destruction.patch
View File

@@ -164,7 +164,7 @@ diff --git a/openssh-6.5p1/audit.h b/openssh-6.5p1/audit.h
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -1959,16 +1959,41 @@ key_demote(const Key *k)
@@ -1959,16 +1959,43 @@ key_demote(const Key *k)
fatal("key_demote: bad key type %d", k->type);
break;
}
@@ -190,9 +190,11 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
+ case KEY_ECDSA:
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
+#endif
+ case KEY_ED25519_CERT:
+ case KEY_ED25519:
+ return k->ed25519_sk != NULL;
+ default:
+ /* fatal("key_is_private: bad key type %d", k->type); */
+ debug2("key_is_private: bad key type %d", k->type);
+ fatal("key_is_private: bad key type %d", k->type);
+ return 1;
+ }
+}

422
openssh-6.5p1-fips.patch
View File

@@ -2,22 +2,23 @@
# when OpenSSL is detected to be running in FIPS mode
#
# HG changeset patch
# Parent 6536ed881743cbf05afe962021b985f9b1eab495
# Parent 2a4df1014f286ec93a3e4dcf036f054745e4fee8
diff --git a/openssh-6.5p1/Makefile.in b/openssh-6.5p1/Makefile.in
--- a/openssh-6.5p1/Makefile.in
+++ b/openssh-6.5p1/Makefile.in
@@ -72,17 +72,17 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o
+ jpake.o schnorr.o ssh-pkcs11.o krl.o auditstub.o fips.o
jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
- auditstub.o
+ auditstub.o \
+ fips.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -211,14 +212,14 @@ diff --git a/openssh-6.5p1/cipher-ctr.c b/openssh-6.5p1/cipher-ctr.c
diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
--- a/openssh-6.5p1/cipher.c
+++ b/openssh-6.5p1/cipher.c
@@ -42,16 +42,17 @@
#include <openssl/md5.h>
@@ -44,25 +44,26 @@
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
#include "xmalloc.h"
#include "log.h"
#include "misc.h"
#include "cipher.h"
+#include "fips.h"
@@ -229,12 +230,22 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
@@ -81,18 +82,57 @@ struct Cipher ciphers[] = {
{ "aes128-gcm@openssh.com",
SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
-struct Cipher ciphers[] = {
+struct Cipher ciphers_all[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
@@ -85,27 +86,67 @@ struct Cipher ciphers[] = {
{ "aes256-gcm@openssh.com",
SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
#endif
{ "chacha20-poly1305@openssh.com",
SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
@@ -262,40 +273,51 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
+
/*--*/
+/* Returns array of ciphers available depending on selected FIPS mode */
+static struct Cipher *
+fips_select_ciphers(void)
+{
+ int fips = fips_mode();
+ switch (fips) {
+ case 0:
+ return ciphers;
+ return ciphers_all;
+ case 1:
+ return ciphers_fips140_2;
+ default:
+ /* should not be reached */
+ fatal("Fatal error: incorrect FIPS mode '%i' at %s:%u",
+ fips, __FILE__, __LINE__);
+// return NULL;
+ return NULL;
+ }
+}
+
u_int
cipher_blocksize(const Cipher *c)
/* Returns a list of supported ciphers separated by the specified char. */
char *
cipher_alg_list(char sep, int auth_only)
{
return (c->block_size);
}
char *ret = NULL;
size_t nlen, rlen = 0;
const Cipher *c;
u_int
cipher_keylen(const Cipher *c)
@@ -135,27 +175,27 @@ cipher_mask_ssh1(int client)
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = fips_select_ciphers(); c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (auth_only && c->auth_len == 0)
continue;
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(c->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
@@ -175,27 +216,27 @@ cipher_mask_ssh1(int client)
}
return mask;
}
Cipher *
const Cipher *
cipher_by_name(const char *name)
{
Cipher *c;
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = fips_select_ciphers(); c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
@@ -303,10 +325,10 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
return NULL;
}
Cipher *
const Cipher *
cipher_by_number(int id)
{
Cipher *c;
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = fips_select_ciphers(); c->name != NULL; c++)
if (c->number == id)
@@ -317,13 +339,13 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
#define CIPHER_SEP ","
int
ciphers_valid(const char *names)
@@ -189,17 +229,17 @@ ciphers_valid(const char *names)
@@ -229,17 +270,17 @@ ciphers_valid(const char *names)
*/
int
cipher_number(const char *name)
{
Cipher *c;
const Cipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
@@ -336,13 +358,13 @@ diff --git a/openssh-6.5p1/cipher.c b/openssh-6.5p1/cipher.c
char *
cipher_name(int id)
{
@@ -352,24 +392,29 @@ cipher_cleanup(CipherContext *cc)
@@ -417,24 +458,29 @@ cipher_cleanup(CipherContext *cc)
* Selects the cipher, and keys if by computing the MD5 checksum of the
* passphrase and using the resulting 16 bytes as the key.
*/
void
cipher_set_key_string(CipherContext *cc, Cipher *cipher,
cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt)
{
- MD5_CTX md;
@@ -616,8 +638,7 @@ new file mode 100644
diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
--- a/openssh-6.5p1/key.c
+++ b/openssh-6.5p1/key.c
@@ -49,16 +49,17 @@
#include "xmalloc.h"
@@ -52,16 +52,17 @@
#include "key.h"
#include "rsa.h"
#include "uuencode.h"
@@ -625,16 +646,17 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
#include "log.h"
#include "misc.h"
#include "ssh2.h"
#include "digest.h"
+#include "fips.h"
static int to_blob(const Key *, u_char **, u_int *, int);
static Key *key_from_blob2(const u_char *, u_int, int);
static struct KeyCert *
cert_new(void)
{
struct KeyCert *cert;
@@ -634,16 +635,19 @@ key_fp_type_select(void)
@@ -664,16 +665,19 @@ key_fp_type_select(void)
error("invalid key type in environment variable "
SSH_FP_TYPE_ENVVAR ": '%s' - falling back to MD5.",
env);
@@ -657,7 +679,7 @@ diff --git a/openssh-6.5p1/key.c b/openssh-6.5p1/key.c
diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
--- a/openssh-6.5p1/mac.c
+++ b/openssh-6.5p1/mac.c
@@ -36,34 +36,35 @@
@@ -36,16 +36,17 @@
#include "xmalloc.h"
#include "log.h"
#include "cipher.h"
@@ -675,18 +697,17 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
#define SSH_EVP 1 /* OpenSSL EVP-based MAC */
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
-struct {
+struct Macs {
char *name;
@@ -55,17 +56,17 @@ struct macalg {
int type;
const EVP_MD * (*mdfunc)(void);
int truncatebits; /* truncate digest if != 0 */
int key_len; /* just for UMAC */
int len; /* just for UMAC */
int etm; /* Encrypt-then-MAC */
-} macs[] = {
+} macs_all[] = {
};
-static const struct macalg macs[] = {
+static const struct macalg macs_all[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -695,7 +716,7 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
{ "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
#endif
{ "hmac-md5", SSH_EVP, EVP_md5, 0, 0, 0, 0 },
@@ -84,19 +85,46 @@ struct {
@@ -86,25 +87,57 @@ static const struct macalg macs[] = {
{ "hmac-md5-96-etm@openssh.com", SSH_EVP, EVP_md5, 96, 0, 0, 1 },
{ "hmac-ripemd160-etm@openssh.com", SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
{ "umac-64-etm@openssh.com", SSH_UMAC, NULL, 0, 128, 64, 1 },
@@ -704,15 +725,21 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
{ NULL, 0, NULL, 0, 0, 0, 0 }
};
+struct Macs macs_fips140_2[] = {
+static const struct macalg macs_fips140_2[] = {
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+#endif
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif
+ { NULL, 0, NULL, 0, 0, 0, 0 }
+};
+
+/* Returns array of macs available depending on selected FIPS mode */
+static struct Macs *
+fips_select_macs(void)
+{
@@ -730,61 +757,68 @@ diff --git a/openssh-6.5p1/mac.c b/openssh-6.5p1/mac.c
+ }
+}
+
static void
mac_setup_by_id(Mac *mac, int which)
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
{
+ struct Macs *macs = fips_select_macs();
int evp_len;
mac->type = macs[which].type;
if (mac->type == SSH_EVP) {
mac->evp_md = (*macs[which].mdfunc)();
if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
fatal("mac %s len %d", mac->name, evp_len);
mac->key_len = mac->mac_len = (u_int)evp_len;
} else {
@@ -107,16 +135,17 @@ mac_setup_by_id(Mac *mac, int which)
if (macs[which].truncatebits != 0)
mac->mac_len = macs[which].truncatebits / 8;
mac->etm = macs[which].etm;
char *ret = NULL;
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = fips_select_macs(); m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
ret = xrealloc(ret, 1, rlen + nlen + 2);
memcpy(ret + rlen, m->name, nlen + 1);
rlen += nlen;
}
return ret;
@@ -131,17 +164,17 @@ mac_setup_by_alg(Mac *mac, const struct
mac->etm = macalg->etm;
}
int
mac_setup(Mac *mac, char *name)
{
+ struct Macs *macs = fips_select_macs();
int i;
const struct macalg *m;
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
if (mac != NULL)
mac_setup_by_id(mac, i);
debug2("mac_setup: found %s", name);
return (0);
- for (m = macs; m->name != NULL; m++) {
+ for (m = fips_select_macs(); m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
mac_setup_by_alg(mac, m);
debug2("mac_setup: found %s", name);
return (0);
}
debug2("mac_setup: unknown %s", name);
diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
--- a/openssh-6.5p1/myproposal.h
+++ b/openssh-6.5p1/myproposal.h
@@ -71,16 +71,20 @@
"ssh-dss"
@@ -104,16 +104,20 @@
#define KEX_DEFAULT_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \
"arcfour256,arcfour128," \
"aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
AESGCM_CIPHER_MODES \
"chacha20-poly1305@openssh.com," \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
+#define KEX_FIPS_140_2_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
#ifdef HAVE_EVP_SHA256
#define SHA2_HMAC_MODES \
"hmac-sha2-256," \
"hmac-sha2-512,"
#else
# define SHA2_HMAC_MODES
#endif
#define KEX_DEFAULT_MAC \
@@ -97,16 +101,19 @@
"hmac-md5-etm@openssh.com," \
"hmac-sha1-etm@openssh.com," \
"umac-64-etm@openssh.com," \
"umac-128-etm@openssh.com," \
"hmac-sha2-256-etm@openssh.com," \
"hmac-sha2-512-etm@openssh.com," \
@@ -124,16 +128,19 @@
"hmac-sha1," \
"umac-64@openssh.com," \
"umac-128@openssh.com," \
@@ -804,189 +838,6 @@ diff --git a/openssh-6.5p1/myproposal.h b/openssh-6.5p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
KEX_DEFAULT_PK_ALG,
diff --git a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
--- a/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
+++ b/openssh-6.5p1/openbsd-compat/bsd-arc4random.c
@@ -18,34 +18,35 @@
#include <sys/types.h>
#include <string.h>
#include <stdlib.h>
#include <stdarg.h>
#include "log.h"
+#include "fips.h"
#ifndef HAVE_ARC4RANDOM
#include <openssl/rand.h>
#include <openssl/rc4.h>
#include <openssl/err.h>
/* Size of key to use */
#define SEED_SIZE 20
/* Number of bytes to reseed after */
#define REKEY_BYTES (1 << 24)
static int rc4_ready = 0;
static RC4_KEY rc4;
-unsigned int
-arc4random(void)
+static unsigned int
+arc4random_bsd(void)
{
unsigned int r = 0;
static int first_time = 1;
if (rc4_ready <= 0) {
if (first_time)
seed_rng();
first_time = 0;
@@ -54,18 +55,18 @@ arc4random(void)
RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
rc4_ready -= sizeof(r);
return(r);
}
-void
-arc4random_stir(void)
+static void
+arc4random_stir_bsd(void)
{
unsigned char rand_buf[SEED_SIZE];
int i;
memset(&rc4, 0, sizeof(rc4));
if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
@@ -77,16 +78,63 @@ arc4random_stir(void)
*/
for(i = 0; i <= 256; i += sizeof(rand_buf))
RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
memset(rand_buf, 0, sizeof(rand_buf));
rc4_ready = REKEY_BYTES;
}
+
+static unsigned int
+arc4random_fips(void)
+{
+ unsigned int r = 0;
+ void *rp = &r;
+ static int first_time = 1;
+
+ if (first_time) {
+ seed_rng();
+ first_time = 0;
+ }
+ if (!rc4_ready)
+ arc4random_stir();
+ RAND_bytes(rp, sizeof(r));
+
+ return(r);
+}
+
+static void
+arc4random_stir_fips(void)
+{
+ unsigned char rand_buf[SEED_SIZE];
+
+ if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
+ fatal("Couldn't obtain random bytes (error %ld)",
+ ERR_get_error());
+ rc4_ready = 1;
+}
+
+unsigned int
+arc4random(void)
+{
+ if (fips_mode())
+ return arc4random_fips();
+ else
+ return arc4random_bsd();
+}
+
+void
+arc4random_stir(void)
+{
+ if (fips_mode())
+ return arc4random_stir_fips();
+ else
+ return arc4random_stir_bsd();
+}
#endif /* !HAVE_ARC4RANDOM */
#ifndef HAVE_ARC4RANDOM_BUF
void
arc4random_buf(void *_buf, size_t n)
{
size_t i;
u_int32_t r = 0;
diff --git a/openssh-6.5p1/ssh-rsa.c b/openssh-6.5p1/ssh-rsa.c
--- a/openssh-6.5p1/ssh-rsa.c
+++ b/openssh-6.5p1/ssh-rsa.c
@@ -27,16 +27,17 @@
#include "xmalloc.h"
#include "log.h"
#include "buffer.h"
#include "key.h"
#include "compat.h"
#include "misc.h"
#include "ssh.h"
+#include "fips.h"
static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
/* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
int
ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
const u_char *data, u_int datalen)
{
@@ -48,16 +49,17 @@ ssh_rsa_sign(const Key *key, u_char **si
Buffer b;
if (key == NULL || key->rsa == NULL || (key->type != KEY_RSA &&
key->type != KEY_RSA_CERT && key->type != KEY_RSA_CERT_V00)) {
error("ssh_rsa_sign: no RSA key");
return -1;
}
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+ fips_correct_nid(&nid);
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
return -1;
}
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
@@ -154,16 +156,17 @@ ssh_rsa_verify(const Key *key, const u_c
debug("ssh_rsa_verify: add padding: modlen %u > len %u",
modlen, len);
sigblob = xrealloc(sigblob, 1, modlen);
memmove(sigblob + diff, sigblob, len);
memset(sigblob, 0, diff);
len = modlen;
}
nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+ fips_correct_nid(&nid);
if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
error("ssh_rsa_verify: EVP_get_digestbynid %d failed", nid);
free(sigblob);
return -1;
}
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, data, datalen);
EVP_DigestFinal(&md, digest, &dlen);
diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
--- a/openssh-6.5p1/ssh.c
+++ b/openssh-6.5p1/ssh.c
@@ -1008,13 +859,13 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
extern char *__progname;
/* Saves a copy of argv for setproctitle emulation */
@@ -324,16 +325,18 @@ main(int ac, char **av)
use_syslog = 0;
@@ -453,16 +454,18 @@ main(int ac, char **av)
logfile = NULL;
argv0 = av[0];
again:
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (fips_mode())
@@ -1027,8 +878,7 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
case '4':
options.address_family = AF_INET;
break;
@@ -781,17 +784,22 @@ main(int ac, char **av)
free(cp);
@@ -959,16 +962,22 @@ main(int ac, char **av)
}
if (muxclient_command != 0 && options.control_path == NULL)
fatal("No ControlPath specified for \"-O\" command");
@@ -1036,21 +886,21 @@ diff --git a/openssh-6.5p1/ssh.c b/openssh-6.5p1/ssh.c
muxclient(options.control_path);
timeout_ms = options.connection_timeout * 1000;
-
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode");
+ }
+
+
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
options.tcp_keep_alive,
#ifdef HAVE_CYGWIN
options.use_privileged_port,
#else
original_effective_uid == 0 && options.use_privileged_port,
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
&timeout_ms, options.tcp_keep_alive,
options.use_privileged_port) != 0)
exit(255);
if (addrs != NULL)
diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
--- a/openssh-6.5p1/sshconnect2.c
+++ b/openssh-6.5p1/sshconnect2.c
@@ -1072,7 +922,7 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
/* import */
extern char *client_version_string;
extern char *server_version_string;
@@ -165,31 +166,37 @@ ssh_kex2(char *host, struct sockaddr *ho
@@ -165,31 +166,41 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults.");
@@ -1082,6 +932,8 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ } else if (fips_mode()) {
+ /* TODO: use intersection of FIPS ciphers and those requested in
+ * configuration */
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_140_2_ENCRYPT;
}
@@ -1100,20 +952,22 @@ diff --git a/openssh-6.5p1/sshconnect2.c b/openssh-6.5p1/sshconnect2.c
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+ } else if (fips_mode()) {
+ /* TODO: use intersection of FIPS macs and those requested in
+ * configuration */
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_140_2_MAC;
}
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
compat_pkalg_proposal(options.hostkeyalgorithms);
else {
/* Prefer algorithms that we already have keys for */
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
order_hostkeyalgs(host, hostaddr, port);
compat_pkalg_proposal(
diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
--- a/openssh-6.5p1/sshd.c
+++ b/openssh-6.5p1/sshd.c
@@ -118,16 +118,17 @@
@@ -119,16 +119,17 @@
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
@@ -1131,14 +985,14 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
int deny_severity;
#endif /* LIBWRAP */
@@ -1711,16 +1712,20 @@ main(int ac, char **av)
case KEY_DSA:
@@ -1786,16 +1787,20 @@ main(int ac, char **av)
case KEY_ECDSA:
case KEY_ED25519:
sensitive_data.have_ssh2_key = 1;
break;
}
debug("private host key: #%d type %d %s", i, key->type,
key_type(key));
debug("private host key: #%d type %d %s", i, keytype,
key_type(key ? key : pubkey));
}
+ if ((options.protocol & SSH_PROTO_1) && fips_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@@ -1152,7 +1006,7 @@ diff --git a/openssh-6.5p1/sshd.c b/openssh-6.5p1/sshd.c
logit("Disabling protocol version 2. Could not load host key");
options.protocol &= ~SSH_PROTO_2;
}
@@ -2413,25 +2418,31 @@ do_ssh1_kex(void)
@@ -2506,25 +2511,31 @@ sshd_hostkey_sign(Key *privkey, Key *pub
static void
do_ssh2_kex(void)
{

7
openssh.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Feb 28 12:59:27 UTC 2014 - pcerny@suse.com
- re-enabling FIPS-enablement patch
- enable X11 forwarding when IPv6 is present but disabled on server
(bnc#712683, FATE#31503; -X_forward_with_disabled_ipv6.patch)
-------------------------------------------------------------------
Tue Feb 18 12:56:31 UTC 2014 - pcerny@suse.com

6
openssh.spec
View File

@@ -143,6 +143,7 @@ Patch32: openssh-6.5p1-host_ident.patch
Patch33: openssh-6.5p1-sftp_homechroot.patch
Patch34: openssh-6.5p1-sftp_force_permissions.patch
Patch35: openssh-6.5p1-seccomp_getuid.patch
Patch36: openssh-6.5p1-X_forward_with_disabled_ipv6.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -194,7 +195,9 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%patch24 -p2
%patch25 -p2
%patch26 -p2
#patch27 -p2
%if 0%{?suse_version} > 1310
%patch27 -p2
%endif
#patch28 -p2
%patch29 -p2
%patch30 -p2
@@ -203,6 +206,7 @@ Helper applications for OpenSSH which retrieve keys from various sources.
%patch33 -p2
%patch34 -p2
%patch35 -p2
%patch36 -p2
cp %{SOURCE3} %{SOURCE4} .
%build