From 685b6239bb45204eae75726c9b31d9d84e10c115 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= Date: Thu, 30 Apr 2009 12:03:29 +0000 Subject: [PATCH] - do integrity verification only on binaries which are part of the OpenSSH FIPS modules --- openssh-5.2p1-fips.patch | 213 ++++++--------------------------------- openssh.spec | 16 +-- 2 files changed, 37 insertions(+), 192 deletions(-) diff --git a/openssh-5.2p1-fips.patch b/openssh-5.2p1-fips.patch index 7866fb8..7aabc45 100644 --- a/openssh-5.2p1-fips.patch +++ b/openssh-5.2p1-fips.patch @@ -1,6 +1,6 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 23:23:42.000000000 +0200 @@ -33,6 +33,7 @@ #include #include @@ -20,7 +20,7 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c xfree(fp); diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c --- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100 -+++ openssh-5.2p1/cipher.c 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/cipher.c 2009-04-17 23:23:42.000000000 +0200 @@ -40,6 +40,7 @@ #include @@ -81,7 +81,7 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c return -1; diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c --- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:06.000000000 +0200 ++++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:42.000000000 +0200 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP 
@@ -94,7 +94,7 @@ diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c } diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c --- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.2p1/mac.c 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/mac.c 2009-04-17 23:23:42.000000000 +0200 @@ -28,6 +28,7 @@ #include @@ -145,8 +145,8 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in ---- openssh-5.2p1/Makefile.in.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/Makefile.in 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/Makefile.in.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/Makefile.in 2009-04-17 23:23:42.000000000 +0200 @@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ @@ -185,7 +185,7 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h --- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.2p1/myproposal.h 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/myproposal.h 2009-04-17 23:23:42.000000000 +0200 @@ -53,7 +53,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" @@ -201,8 +201,8 @@ diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c ---- openssh-5.2p1/nsskeys.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/nsskeys.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/nsskeys.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/nsskeys.c 2009-04-17 23:23:42.000000000 +0200 
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) break; } @@ -216,7 +216,7 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c return 0; diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c --- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 23:23:42.000000000 +0200 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; @@ -259,18 +259,17 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs #ifndef ARC4RANDOM_BUF diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c ---- openssh-5.2p1/ssh-add.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/ssh-add.c 2009-04-17 14:52:11.000000000 +0200 -@@ -42,6 +42,8 @@ +--- openssh-5.2p1/ssh-add.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/ssh-add.c 2009-04-30 13:56:56.000000000 +0200 +@@ -42,6 +42,7 @@ #include #include +#include -+#include #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_LIBNSS -@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection +@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection key = ssh_get_next_identity(ac, &comment, version)) { had_identities = 1; if (do_fp) { 
@@ -279,40 +278,18 @@ diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c SSH_FP_HEX); printf("%d %s %s (%s)\n", key_size(key), fp, comment, key_type(key)); -@@ -463,10 +465,19 @@ main(int argc, char **argv) - sanitise_stdfd(); - - __progname = ssh_get_progname(argv[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - init_rng(); - seed_rng(); - -- SSLeay_add_all_algorithms(); -+ if (FIPS_mode()) { -+ logit("FIPS mode initialized"); -+ } - - /* At first, get a connection to the authentication agent. */ - ac = ssh_get_authentication_connection(); diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ---- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/ssh-agent.c 2009-04-17 14:52:11.000000000 +0200 -@@ -51,6 +51,8 @@ +--- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/ssh-agent.c 2009-04-30 13:57:34.000000000 +0200 +@@ -51,6 +51,7 @@ #include #include +#include -+#include #include "openbsd-compat/openssl-compat.h" #include -@@ -200,9 +202,9 @@ confirm_key(Identity *id) +@@ -200,9 +201,9 @@ confirm_key(Identity *id) char *p; int ret = -1; 
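Review bot: Removing the ssh-add.c `main()` hunk here, and the matching hunks for ssh-agent.c, ssh-keygen.c, ssh-keyscan.c and ssh-keysign.c later in the patch, leaves no `FIPSCHECK_verify()` caller in these tools, yet the Makefile.in section of the patch only receives new timestamps in this commit. If its link rules, whose bodies are not visible here, add the fipscheck library to those five binaries, that dependency is now unused and should be dropped in the same change. The `logit("FIPS mode initialized")` lines go away together with the check, so the helpers no longer record that they ran with FIPS mode on. If the retained `list_identities`, `confirm_key` and `do_fingerprint` hunks still switch behaviour on `FIPS_mode()` (their changed lines are not shown), keeping that log line independently of the integrity test would preserve the record.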
@@ -325,32 +302,9 @@ diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ret = 0; xfree(p); -@@ -1196,6 +1198,11 @@ main(int ac, char **av) - #endif - - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } - - __progname = ssh_get_progname(av[0]); - init_rng(); -@@ -1356,6 +1363,10 @@ main(int ac, char **av) - /* child */ - log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); - -+ if (FIPS_mode()) { -+ logit("FIPS mode initialized"); -+ } -+ - if (setsid() == -1) { - error("setsid: %s", strerror(errno)); - cleanup_exit(1); diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c ---- openssh-5.2p1/ssh.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/ssh.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/ssh.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/ssh.c 2009-04-17 23:23:42.000000000 +0200 @@ -71,6 +71,8 @@ #include @@ -391,8 +345,8 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c options.user = xstrdup(pw->pw_name); diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c ---- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/sshconnect2.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/sshconnect2.c 2009-04-17 23:23:42.000000000 +0200 @@ -44,6 +44,8 @@ #include #endif @@ -437,8 +391,8 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c /* diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c ---- openssh-5.2p1/sshconnect.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/sshconnect.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/sshconnect.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/sshconnect.c 2009-04-17 23:23:42.000000000 +0200 @@ -40,6 +40,8 @@ #include #include 
@@ -526,8 +480,8 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c xfree(fp); diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c ---- openssh-5.2p1/sshd.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/sshd.c 2009-04-17 14:52:11.000000000 +0200 +--- openssh-5.2p1/sshd.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/sshd.c 2009-04-17 23:23:42.000000000 +0200 @@ -76,6 +76,8 @@ #include #include @@ -591,18 +545,17 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c ---- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 14:52:11.000000000 +0200 -+++ openssh-5.2p1/ssh-keygen.c 2009-04-17 14:52:11.000000000 +0200 -@@ -21,6 +21,8 @@ +--- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 23:23:42.000000000 +0200 ++++ openssh-5.2p1/ssh-keygen.c 2009-04-30 13:58:02.000000000 +0200 +@@ -21,6 +21,7 @@ #include #include +#include -+#include #include "openbsd-compat/openssl-compat.h" #include -@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw) +@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw) enum fp_type fptype; struct stat st; 
@@ -611,29 +564,7 @@ diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; if (!have_identity) -@@ -1125,11 +1127,21 @@ main(int argc, char **argv) - __progname = ssh_get_progname(argv[0]); - - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - - init_rng(); - seed_rng(); - -+ if (FIPS_mode()) { -+ logit("FIPS mode initialized"); -+ } -+ - /* we need this for the home * directory. */ - pw = getpwuid(getuid()); - if (!pw) { -@@ -1506,14 +1518,15 @@ passphrase_again: +@@ -1506,14 +1507,15 @@ passphrase_again: fclose(f); if (!quiet) { 
@@ -653,83 +584,3 @@ diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c printf("%s\n", ra); xfree(ra); xfree(fp); -diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c ---- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100 -+++ openssh-5.2p1/ssh-keyscan.c 2009-04-17 14:52:11.000000000 +0200 -@@ -19,6 +19,8 @@ - #include - - #include -+#include -+#include - - #include - #include -@@ -731,6 +733,13 @@ main(int argc, char **argv) - extern char *optarg; - - __progname = ssh_get_progname(argv[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - init_rng(); - seed_rng(); - TAILQ_INIT(&tq); -@@ -812,6 +821,10 @@ main(int argc, char **argv) - - log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); - -+ if (FIPS_mode()) { -+ logit("FIPS mode initialized"); -+ } -+ - maxfd = fdlim_get(1); - if (maxfd < 0) - fatal("%s: fdlim_get: bad value", __progname); -diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c ---- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.2p1/ssh-keysign.c 2009-04-17 14:52:11.000000000 +0200 -@@ -38,6 +38,8 @@ - #include - #include - #include -+#include -+#include - - #include "xmalloc.h" - #include "log.h" -@@ -175,6 +177,11 @@ main(int argc, char **argv) - - permanently_set_uid(pw); - -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed"); -+ } -+ - init_rng(); - seed_rng(); - arc4random_stir(); -@@ -183,6 +190,10 @@ main(int argc, char **argv) - log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); - #endif - -+ if (FIPS_mode()) { -+ logit("FIPS mode initialized"); -+ } -+ - /* verify that ssh-keysign is enabled by the admin */ - initialize_options(&options); - (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", 
&options, 0); -@@ -194,7 +205,6 @@ main(int argc, char **argv) - if (key_fd[0] == -1 && key_fd[1] == -1) - fatal("could not open any host key"); - -- SSLeay_add_all_algorithms(); - for (i = 0; i < 256; i++) - rnd[i] = arc4random(); - RAND_seed(rnd, sizeof(rnd)); diff --git a/openssh.spec b/openssh.spec index 03a49a8..64de503 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 4%{?dist}%{?rescue_rel} +Release: 5%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -329,12 +329,7 @@ popd %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ - fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-keygen \ - fipshmac $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-keysign \ fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh \ - fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-agent \ - fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-add \ - fipshmac $RPM_BUILD_ROOT%{_bindir}/ssh-keyscan \ fipshmac $RPM_BUILD_ROOT%{_sbindir}/sshd \ %{nil} @@ -410,11 +405,9 @@ fi %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %if ! %{rescue} %attr(0755,root,root) %{_bindir}/ssh-keygen -%attr(0644,root,root) %{_bindir}/.ssh-keygen.hmac %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0755,root,root) %dir %{_libexecdir}/openssh %attr(4755,root,root) %{_libexecdir}/openssh/ssh-keysign -%attr(0644,root,root) %{_libexecdir}/openssh/.ssh-keysign.hmac %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8* %endif %if %{scard} 
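Review bot: The post-install `fipshmac` list now covers only `%{_bindir}/ssh` and `%{_sbindir}/sshd`, but nothing in the spec states that these two binaries are the whole FIPS module boundary; the only record is the changelog entry. ssh-keysign stays installed setuid (`%attr(4755,root,root)`), and in the next hunk ssh-agent stays setgid (`%attr(2755,root,nobody)`), both now without a `.hmac` file, so a packager or auditor cannot tell deliberate exclusion from omission. I would add a comment above the macro that runs `fipshmac` (its opening line is outside the hunk, and a comment inside the backslash-continued body would break it), for example `# Only ssh and sshd are part of the OpenSSH FIPS module; the helper tools are intentionally not HMAC-verified.`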
@@ -435,11 +428,8 @@ fi
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %if ! %{rescue}
 %attr(2755,root,nobody) %{_bindir}/ssh-agent
-%attr(0644,root,nobody) %{_bindir}/.ssh-agent.hmac
 %attr(0755,root,root) %{_bindir}/ssh-add
-%attr(0644,root,root) %{_bindir}/.ssh-add.hmac
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
-%attr(0644,root,root) %{_bindir}/.ssh-keyscan.hmac
 %attr(0755,root,root) %{_bindir}/sftp
 %attr(0755,root,root) %{_bindir}/ssh-copy-id
 %attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
@@ -474,6 +464,10 @@ fi
 %endif
 
 %changelog
+* Thu Apr 30 2009 Tomas Mraz - 5.2p1-5
+- do integrity verification only on binaries which are part
+ of the OpenSSH FIPS modules
+
 * Mon Apr 20 2009 Tomas Mraz - 5.2p1-4
 - log if FIPS mode is initialized
 - make aes-ctr cipher modes work in the FIPS mode