Accepting request 680202 from home:vitezslav_cizek:branches:network

- Correctly filter out non-compliant algorithms when in FIPS mode (bsc#1126397) * A hunk was applied to a wrong place due to a patch fuzz when the fips patch was being ported to openssh 7.9p1 - update openssh-7.7p1-fips.patch OBS-URL: https://build.opensuse.org/request/show/680202 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=182
2019-02-28 20:03:36 +00:00 · 2019-02-28 20:03:36 +00:00 · 3f73bd9831
commit 3f73bd9831
parent 5fcc01190a
2 changed files with 38 additions and 29 deletions
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -5,8 +5,8 @@ algorithms.

 Index: openssh-7.9p1/Makefile.in
 ===================================================================
--- openssh-7.9p1.orig/Makefile.in	2019-02-27 14:05:59.153078796 +0100
-+++ openssh-7.9p1/Makefile.in	2019-02-27 15:41:46.539774099 +0100
+--- openssh-7.9p1.orig/Makefile.in	2019-02-28 17:20:15.767164591 +0100
+++ openssh-7.9p1/Makefile.in	2019-02-28 20:18:30.666473978 +0100
@@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 	platform-pledge.o platform-tracing.o platform-misc.o
@ -19,7 +19,7 @@ Index: openssh-7.9p1/Makefile.in
 Index: openssh-7.9p1/cipher-ctr.c
 ===================================================================
 --- openssh-7.9p1.orig/cipher-ctr.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/cipher-ctr.c	2019-02-27 14:05:59.305079731 +0100
+++ openssh-7.9p1/cipher-ctr.c	2019-02-28 17:20:15.919165544 +0100
@@ -27,6 +27,8 @@
 #include "xmalloc.h"
 #include "log.h"
@ -41,7 +41,7 @@ Index: openssh-7.9p1/cipher-ctr.c
 Index: openssh-7.9p1/cipher.c
 ===================================================================
 --- openssh-7.9p1.orig/cipher.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/cipher.c	2019-02-27 15:41:46.539774099 +0100
+++ openssh-7.9p1/cipher.c	2019-02-28 20:18:30.666473978 +0100
@@ -51,6 +51,8 @@
 
 #include "openbsd-compat/openssl-compat.h"
@ -134,7 +134,7 @@ Index: openssh-7.9p1/cipher.c
 Index: openssh-7.9p1/fips.c
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/fips.c	2019-02-27 15:41:46.311772744 +0100
+++ openssh-7.9p1/fips.c	2019-02-28 20:18:30.534473204 +0100
@@ -0,0 +1,215 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -354,7 +354,7 @@ Index: openssh-7.9p1/fips.c
 Index: openssh-7.9p1/fips.h
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssh-7.9p1/fips.h	2019-02-27 15:41:46.311772744 +0100
+++ openssh-7.9p1/fips.h	2019-02-28 20:18:30.534473204 +0100
@@ -0,0 +1,44 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@ -403,7 +403,7 @@ Index: openssh-7.9p1/fips.h
 Index: openssh-7.9p1/hmac.c
 ===================================================================
 --- openssh-7.9p1.orig/hmac.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/hmac.c	2019-02-27 14:05:59.305079731 +0100
+++ openssh-7.9p1/hmac.c	2019-02-28 17:20:15.919165544 +0100
@@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
 	size_t			 i;
 	u_char			 digest[16];
@ -416,7 +416,7 @@ Index: openssh-7.9p1/hmac.c
 Index: openssh-7.9p1/kex.c
 ===================================================================
 --- openssh-7.9p1.orig/kex.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/kex.c	2019-02-27 15:41:45.951770606 +0100
+++ openssh-7.9p1/kex.c	2019-02-28 17:20:15.919165544 +0100
@@ -54,6 +54,8 @@
 #include "sshbuf.h"
 #include "digest.h"
@ -515,7 +515,7 @@ Index: openssh-7.9p1/kex.c
 Index: openssh-7.9p1/kexgexs.c
 ===================================================================
 --- openssh-7.9p1.orig/kexgexs.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/kexgexs.c	2019-02-27 14:05:59.305079731 +0100
+++ openssh-7.9p1/kexgexs.c	2019-02-28 17:20:15.923165569 +0100
@@ -56,6 +56,8 @@
 #include "sshbuf.h"
 #include "misc.h"
@ -528,7 +528,7 @@ Index: openssh-7.9p1/kexgexs.c
 Index: openssh-7.9p1/mac.c
 ===================================================================
 --- openssh-7.9p1.orig/mac.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/mac.c	2019-02-27 15:31:46.644209847 +0100
+++ openssh-7.9p1/mac.c	2019-02-28 17:20:15.923165569 +0100
@@ -40,6 +40,9 @@
 
 #include "openbsd-compat/openssl-compat.h"
@ -611,7 +611,7 @@ Index: openssh-7.9p1/mac.c
 Index: openssh-7.9p1/myproposal.h
 ===================================================================
 --- openssh-7.9p1.orig/myproposal.h	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/myproposal.h	2019-02-27 14:05:59.309079755 +0100
+++ openssh-7.9p1/myproposal.h	2019-02-28 17:20:15.923165569 +0100
@@ -151,6 +151,8 @@
 
 #else /* WITH_OPENSSL */
@ -624,7 +624,7 @@ Index: openssh-7.9p1/myproposal.h
 Index: openssh-7.9p1/readconf.c
 ===================================================================
 --- openssh-7.9p1.orig/readconf.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/readconf.c	2019-02-27 15:42:19.495969910 +0100
+++ openssh-7.9p1/readconf.c	2019-02-28 20:18:54.650614520 +0100
@@ -68,6 +68,8 @@
 #include "myproposal.h"
 #include "digest.h"
@ -667,18 +667,18 @@ Index: openssh-7.9p1/readconf.c
 	if (options->update_hostkeys == -1)
 		options->update_hostkeys = 0;
 
-@@ -2577,6 +2598,7 @@ dump_client_config(Options *o, const cha
- 	    KEX_DEFAULT_PK_ALG, all_key) != 0)
- 		fatal("%s: kex_assemble_names failed", __func__);
+@@ -2122,6 +2143,7 @@ fill_default_options(Options * options)
+ 	free(all_kex);
 	free(all_key);
-+	filter_fips_algorithms(o);
+ 	free(all_sig);
+	filter_fips_algorithms(options);
 
- 	/* Most interesting options first: user, host, port */
- 	dump_cfg_string(oUser, o->user);
+ #define CLEAR_ON_NONE(v) \
+ 	do { \
 Index: openssh-7.9p1/readconf.h
 ===================================================================
 --- openssh-7.9p1.orig/readconf.h	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/readconf.h	2019-02-27 15:41:45.951770606 +0100
+++ openssh-7.9p1/readconf.h	2019-02-28 17:20:15.923165569 +0100
@@ -197,6 +197,7 @@ typedef struct {
 #define SSH_STRICT_HOSTKEY_YES	2
 #define SSH_STRICT_HOSTKEY_ASK	3
@ -689,8 +689,8 @@ Index: openssh-7.9p1/readconf.h
 void	 fill_default_options_for_canonicalization(Options *);
 Index: openssh-7.9p1/servconf.c
 ===================================================================
--- openssh-7.9p1.orig/servconf.c	2019-02-27 14:05:59.237079313 +0100
-+++ openssh-7.9p1/servconf.c	2019-02-27 15:41:45.951770606 +0100
+--- openssh-7.9p1.orig/servconf.c	2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/servconf.c	2019-02-28 17:20:15.923165569 +0100
@@ -64,6 +64,7 @@
 #include "auth.h"
 #include "myproposal.h"
@ -744,7 +744,7 @@ Index: openssh-7.9p1/servconf.c
 Index: openssh-7.9p1/ssh-keygen.c
 ===================================================================
 --- openssh-7.9p1.orig/ssh-keygen.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/ssh-keygen.c	2019-02-27 14:05:59.309079755 +0100
+++ openssh-7.9p1/ssh-keygen.c	2019-02-28 17:20:15.923165569 +0100
@@ -61,6 +61,8 @@
 #include "utf8.h"
 #include "authfd.h"
@ -820,7 +820,7 @@ Index: openssh-7.9p1/ssh-keygen.c
 Index: openssh-7.9p1/ssh_config.0
 ===================================================================
 --- openssh-7.9p1.orig/ssh_config.0	2018-10-19 03:06:19.000000000 +0200
-+++ openssh-7.9p1/ssh_config.0	2019-02-27 15:41:45.951770606 +0100
+++ openssh-7.9p1/ssh_config.0	2019-02-28 17:20:15.923165569 +0100
@@ -353,6 +353,9 @@ DESCRIPTION
              Specifies the hash algorithm used when displaying key
              fingerprints.  Valid options are: md5 and sha256 (the default).
@ -844,7 +844,7 @@ Index: openssh-7.9p1/ssh_config.0
 Index: openssh-7.9p1/ssh_config.5
 ===================================================================
 --- openssh-7.9p1.orig/ssh_config.5	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/ssh_config.5	2019-02-27 15:41:45.951770606 +0100
+++ openssh-7.9p1/ssh_config.5	2019-02-28 17:20:15.923165569 +0100
@@ -642,6 +642,8 @@ Valid options are:
 and
 .Cm sha256
@ -857,7 +857,7 @@ Index: openssh-7.9p1/ssh_config.5
 Index: openssh-7.9p1/sshd.c
 ===================================================================
 --- openssh-7.9p1.orig/sshd.c	2018-10-17 02:01:20.000000000 +0200
-+++ openssh-7.9p1/sshd.c	2019-02-27 15:41:46.311772744 +0100
+++ openssh-7.9p1/sshd.c	2019-02-28 20:18:30.534473204 +0100
@@ -123,6 +123,8 @@
 #include "version.h"
 #include "ssherr.h"
@ -869,8 +869,8 @@ Index: openssh-7.9p1/sshd.c
 #define REEXEC_STARTUP_PIPE_FD		(STDERR_FILENO + 2)
 Index: openssh-7.9p1/sshd_config.0
 ===================================================================
--- openssh-7.9p1.orig/sshd_config.0	2019-02-27 14:05:59.237079313 +0100
-+++ openssh-7.9p1/sshd_config.0	2019-02-27 15:41:45.951770606 +0100
+--- openssh-7.9p1.orig/sshd_config.0	2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.0	2019-02-28 17:20:15.927165594 +0100
@@ -348,6 +348,9 @@ DESCRIPTION
              Specifies the hash algorithm used when logging key fingerprints.
              Valid options are: md5 and sha256.  The default is sha256.
@ -893,8 +893,8 @@ Index: openssh-7.9p1/sshd_config.0
              following forms may be used:
 Index: openssh-7.9p1/sshd_config.5
 ===================================================================
--- openssh-7.9p1.orig/sshd_config.5	2019-02-27 14:05:59.237079313 +0100
-+++ openssh-7.9p1/sshd_config.5	2019-02-27 15:41:45.951770606 +0100
+--- openssh-7.9p1.orig/sshd_config.5	2019-02-28 17:20:15.851165117 +0100
+++ openssh-7.9p1/sshd_config.5	2019-02-28 17:20:15.927165594 +0100
@@ -603,6 +603,8 @@ and
 .Cm sha256 .
 The default is
--- a/openssh.changes
+++ b/openssh.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Feb 28 19:20:58 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+
+- Correctly filter out non-compliant algorithms when in FIPS mode
+  (bsc#1126397)
+  * A hunk was applied to a wrong place due to a patch fuzz when
+    the fips patch was being ported to openssh 7.9p1
+- update openssh-7.7p1-fips.patch
+
 -------------------------------------------------------------------
 Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>