From 3f73bd983145d4df53128bcaa98d5f171bdcfeec8e68a1caa07643802fabf5d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 28 Feb 2019 20:03:36 +0000 Subject: [PATCH] Accepting request 680202 from home:vitezslav_cizek:branches:network - Correctly filter out non-compliant algorithms when in FIPS mode (bsc#1126397) * A hunk was applied to a wrong place due to a patch fuzz when the fips patch was being ported to openssh 7.9p1 - update openssh-7.7p1-fips.patch OBS-URL: https://build.opensuse.org/request/show/680202 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=182 --- openssh-7.7p1-fips.patch | 58 ++++++++++++++++++++-------------------- openssh.changes | 9 +++++++ 2 files changed, 38 insertions(+), 29 deletions(-) diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 5e07f93..7d6bc9d 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -5,8 +5,8 @@ algorithms. Index: openssh-7.9p1/Makefile.in =================================================================== ---- openssh-7.9p1.orig/Makefile.in 2019-02-27 14:05:59.153078796 +0100 -+++ openssh-7.9p1/Makefile.in 2019-02-27 15:41:46.539774099 +0100 +--- openssh-7.9p1.orig/Makefile.in 2019-02-28 17:20:15.767164591 +0100 ++++ openssh-7.9p1/Makefile.in 2019-02-28 20:18:30.666473978 +0100 @@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ platform-pledge.o platform-tracing.o platform-misc.o @@ -19,7 +19,7 @@ Index: openssh-7.9p1/Makefile.in Index: openssh-7.9p1/cipher-ctr.c =================================================================== --- openssh-7.9p1.orig/cipher-ctr.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/cipher-ctr.c 2019-02-27 14:05:59.305079731 +0100 ++++ openssh-7.9p1/cipher-ctr.c 2019-02-28 17:20:15.919165544 +0100 @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" 
@@ -41,7 +41,7 @@ Index: openssh-7.9p1/cipher-ctr.c Index: openssh-7.9p1/cipher.c =================================================================== --- openssh-7.9p1.orig/cipher.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/cipher.c 2019-02-27 15:41:46.539774099 +0100 ++++ openssh-7.9p1/cipher.c 2019-02-28 20:18:30.666473978 +0100 @@ -51,6 +51,8 @@ #include "openbsd-compat/openssl-compat.h" @@ -134,7 +134,7 @@ Index: openssh-7.9p1/cipher.c Index: openssh-7.9p1/fips.c =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/fips.c 2019-02-27 15:41:46.311772744 +0100 ++++ openssh-7.9p1/fips.c 2019-02-28 20:18:30.534473204 +0100 @@ -0,0 +1,215 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -354,7 +354,7 @@ Index: openssh-7.9p1/fips.c Index: openssh-7.9p1/fips.h =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ openssh-7.9p1/fips.h 2019-02-27 15:41:46.311772744 +0100 ++++ openssh-7.9p1/fips.h 2019-02-28 20:18:30.534473204 +0100 @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -403,7 +403,7 @@ Index: openssh-7.9p1/fips.h Index: openssh-7.9p1/hmac.c =================================================================== --- openssh-7.9p1.orig/hmac.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/hmac.c 2019-02-27 14:05:59.305079731 +0100 ++++ openssh-7.9p1/hmac.c 2019-02-28 17:20:15.919165544 +0100 @@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -416,7 +416,7 @@ Index: openssh-7.9p1/hmac.c Index: openssh-7.9p1/kex.c =================================================================== --- openssh-7.9p1.orig/kex.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/kex.c 2019-02-27 15:41:45.951770606 +0100 ++++ openssh-7.9p1/kex.c 2019-02-28 17:20:15.919165544 +0100 
@@ -54,6 +54,8 @@ #include "sshbuf.h" #include "digest.h" @@ -515,7 +515,7 @@ Index: openssh-7.9p1/kex.c Index: openssh-7.9p1/kexgexs.c =================================================================== --- openssh-7.9p1.orig/kexgexs.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/kexgexs.c 2019-02-27 14:05:59.305079731 +0100 ++++ openssh-7.9p1/kexgexs.c 2019-02-28 17:20:15.923165569 +0100 @@ -56,6 +56,8 @@ #include "sshbuf.h" #include "misc.h" @@ -528,7 +528,7 @@ Index: openssh-7.9p1/kexgexs.c Index: openssh-7.9p1/mac.c =================================================================== --- openssh-7.9p1.orig/mac.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/mac.c 2019-02-27 15:31:46.644209847 +0100 ++++ openssh-7.9p1/mac.c 2019-02-28 17:20:15.923165569 +0100 @@ -40,6 +40,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -611,7 +611,7 @@ Index: openssh-7.9p1/mac.c Index: openssh-7.9p1/myproposal.h =================================================================== --- openssh-7.9p1.orig/myproposal.h 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/myproposal.h 2019-02-27 14:05:59.309079755 +0100 ++++ openssh-7.9p1/myproposal.h 2019-02-28 17:20:15.923165569 +0100 @@ -151,6 +151,8 @@ #else /* WITH_OPENSSL */ @@ -624,7 +624,7 @@ Index: openssh-7.9p1/myproposal.h Index: openssh-7.9p1/readconf.c =================================================================== --- openssh-7.9p1.orig/readconf.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/readconf.c 2019-02-27 15:42:19.495969910 +0100 ++++ openssh-7.9p1/readconf.c 2019-02-28 20:18:54.650614520 +0100 @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" 
@@ -667,18 +667,18 @@ Index: openssh-7.9p1/readconf.c if (options->update_hostkeys == -1) options->update_hostkeys = 0; -@@ -2577,6 +2598,7 @@ dump_client_config(Options *o, const cha - KEX_DEFAULT_PK_ALG, all_key) != 0) - fatal("%s: kex_assemble_names failed", __func__); +@@ -2122,6 +2143,7 @@ fill_default_options(Options * options) + free(all_kex); free(all_key); -+ filter_fips_algorithms(o); + free(all_sig); ++ filter_fips_algorithms(options); - /* Most interesting options first: user, host, port */ - dump_cfg_string(oUser, o->user); + #define CLEAR_ON_NONE(v) \ + do { \ Index: openssh-7.9p1/readconf.h =================================================================== --- openssh-7.9p1.orig/readconf.h 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/readconf.h 2019-02-27 15:41:45.951770606 +0100 ++++ openssh-7.9p1/readconf.h 2019-02-28 17:20:15.923165569 +0100 @@ -197,6 +197,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 @@ -689,8 +689,8 @@ Index: openssh-7.9p1/readconf.h void fill_default_options_for_canonicalization(Options *); Index: openssh-7.9p1/servconf.c =================================================================== ---- openssh-7.9p1.orig/servconf.c 2019-02-27 14:05:59.237079313 +0100 -+++ openssh-7.9p1/servconf.c 2019-02-27 15:41:45.951770606 +0100 +--- openssh-7.9p1.orig/servconf.c 2019-02-28 17:20:15.851165117 +0100 ++++ openssh-7.9p1/servconf.c 2019-02-28 17:20:15.923165569 +0100 @@ -64,6 +64,7 @@ #include "auth.h" #include "myproposal.h" @@ -744,7 +744,7 @@ Index: openssh-7.9p1/servconf.c Index: openssh-7.9p1/ssh-keygen.c =================================================================== --- openssh-7.9p1.orig/ssh-keygen.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/ssh-keygen.c 2019-02-27 14:05:59.309079755 +0100 ++++ openssh-7.9p1/ssh-keygen.c 2019-02-28 17:20:15.923165569 +0100 @@ -61,6 +61,8 @@ #include "utf8.h" #include "authfd.h" 
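Review bot: `filter_fips_algorithms(options);` is now placed after `free(all_sig);` at the end of `fill_default_options`, which is where the assembled lists live, but the new side still gives no way to see that the filter ran; the previous misplacement in `dump_client_config` only affected the `ssh -G` path and went unnoticed precisely because the connection path was silent about it. Consider a debug-level log line inside `filter_fips_algorithms` naming each algorithm it drops, so `ssh -vv` shows the effective FIPS list (that function is outside this hunk). A regression test that runs a client with FIPS mode enabled and checks the negotiated cipher, MAC and KEX against the approved set would have caught the misplaced hunk, since `-G` output is not exercised by the connection tests. The `free(all_kex)`/`free(all_key)`/`free(all_sig)` context suggests the call now follows all of the `kex_assemble_names` assemblies, which is the right ordering, but `fill_default_options` starts and ends outside the hunk so the full sequence cannot be confirmed here.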
@@ -820,7 +820,7 @@ Index: openssh-7.9p1/ssh-keygen.c Index: openssh-7.9p1/ssh_config.0 =================================================================== --- openssh-7.9p1.orig/ssh_config.0 2018-10-19 03:06:19.000000000 +0200 -+++ openssh-7.9p1/ssh_config.0 2019-02-27 15:41:45.951770606 +0100 ++++ openssh-7.9p1/ssh_config.0 2019-02-28 17:20:15.923165569 +0100 @@ -353,6 +353,9 @@ DESCRIPTION Specifies the hash algorithm used when displaying key fingerprints. Valid options are: md5 and sha256 (the default). @@ -844,7 +844,7 @@ Index: openssh-7.9p1/ssh_config.0 Index: openssh-7.9p1/ssh_config.5 =================================================================== --- openssh-7.9p1.orig/ssh_config.5 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/ssh_config.5 2019-02-27 15:41:45.951770606 +0100 ++++ openssh-7.9p1/ssh_config.5 2019-02-28 17:20:15.923165569 +0100 @@ -642,6 +642,8 @@ Valid options are: and .Cm sha256 @@ -857,7 +857,7 @@ Index: openssh-7.9p1/ssh_config.5 Index: openssh-7.9p1/sshd.c =================================================================== --- openssh-7.9p1.orig/sshd.c 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/sshd.c 2019-02-27 15:41:46.311772744 +0100 ++++ openssh-7.9p1/sshd.c 2019-02-28 20:18:30.534473204 +0100 @@ -123,6 +123,8 @@ #include "version.h" #include "ssherr.h" @@ -869,8 +869,8 @@ Index: openssh-7.9p1/sshd.c #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) Index: openssh-7.9p1/sshd_config.0 =================================================================== ---- openssh-7.9p1.orig/sshd_config.0 2019-02-27 14:05:59.237079313 +0100 -+++ openssh-7.9p1/sshd_config.0 2019-02-27 15:41:45.951770606 +0100 +--- openssh-7.9p1.orig/sshd_config.0 2019-02-28 17:20:15.851165117 +0100 ++++ openssh-7.9p1/sshd_config.0 2019-02-28 17:20:15.927165594 +0100 @@ -348,6 +348,9 @@ DESCRIPTION Specifies the hash algorithm used when logging key fingerprints. Valid options are: md5 and sha256. The default is sha256. 
@@ -893,8 +893,8 @@ Index: openssh-7.9p1/sshd_config.0 following forms may be used: Index: openssh-7.9p1/sshd_config.5 =================================================================== ---- openssh-7.9p1.orig/sshd_config.5 2019-02-27 14:05:59.237079313 +0100 -+++ openssh-7.9p1/sshd_config.5 2019-02-27 15:41:45.951770606 +0100 +--- openssh-7.9p1.orig/sshd_config.5 2019-02-28 17:20:15.851165117 +0100 ++++ openssh-7.9p1/sshd_config.5 2019-02-28 17:20:15.927165594 +0100 @@ -603,6 +603,8 @@ and .Cm sha256 . The default is diff --git a/openssh.changes b/openssh.changes index 750c734..420fc0a 100644 --- a/openssh.changes +++ b/openssh.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Feb 28 19:20:58 UTC 2019 - Vítězslav Čížek + +- Correctly filter out non-compliant algorithms when in FIPS mode + (bsc#1126397) + * A hunk was applied to a wrong place due to a patch fuzz when + the fips patch was being ported to openssh 7.9p1 +- update openssh-7.7p1-fips.patch + ------------------------------------------------------------------- Wed Feb 27 12:29:05 UTC 2019 - Vítězslav Čížek