metalefty/openssh
1
0
Fork 0
forked from rpms/openssh
Code Pull Requests Activity

- Update to 5.5p1

Browse Source
This commit is contained in:
Jan F. Chadima 2010-04-16 08:09:50 +00:00
parent e18b1170a3
commit 82bc825ff1
6 changed files with 503 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1,2 +1,2 @@
openssh-5.5p1-noacss.tar.bz2
pam_ssh_agent_auth-0.9.2.tar.bz2
openssh-5.4p1-noacss.tar.bz2

12
openssh-5.3p1-dso.patch
View File

@ -1,12 +0,0 @@
diff -up openssh-5.3p1/contrib/Makefile.dso openssh-5.3p1/contrib/Makefile
--- openssh-5.3p1/contrib/Makefile.dso 2010-02-15 11:51:53.000000000 +0100
+++ openssh-5.3p1/contrib/Makefile 2010-02-15 11:54:47.000000000 +0100
@@ -9,7 +9,7 @@ gnome-ssh-askpass1: gnome-ssh-askpass1.c
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) `pkg-config --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
- `pkg-config --libs gtk+-2.0`
+ `pkg-config --libs gtk+-2.0` -lX11
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

120
openssh-5.4p1-fips.patch → openssh-5.5p1-fips.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100
diff -up openssh-5.5p1/auth2-pubkey.c.fips openssh-5.5p1/auth2-pubkey.c
--- openssh-5.5p1/auth2-pubkey.c.fips 2010-04-16 08:46:47.000000000 +0200
+++ openssh-5.5p1/auth2-pubkey.c 2010-04-16 08:46:48.000000000 +0200
@@ -35,6 +35,7 @@
#include <string.h>
#include <time.h>
@ -9,7 +9,7 @@ diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
#include "xmalloc.h"
#include "ssh.h"
@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key
@@ -274,7 +275,7 @@ user_key_allowed2(struct passwd *pw, Key
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
@ -18,9 +18,9 @@ diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100
+++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/authfile.c.fips openssh-5.5p1/authfile.c
--- openssh-5.5p1/authfile.c.fips 2010-03-04 11:53:35.000000000 +0100
+++ openssh-5.5p1/authfile.c 2010-04-16 08:46:49.000000000 +0200
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
/* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -55,9 +55,9 @@ diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100
+++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/cipher.c.fips openssh-5.5p1/cipher.c
--- openssh-5.5p1/cipher.c.fips 2010-04-16 08:34:06.000000000 +0200
+++ openssh-5.5p1/cipher.c 2010-04-16 08:46:49.000000000 +0200
@@ -40,6 +40,7 @@
#include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
}
/*
diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/cipher-ctr.c.fips openssh-5.5p1/cipher-ctr.c
--- openssh-5.5p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.5p1/cipher-ctr.c 2010-04-16 08:46:49.000000000 +0200
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/cipher.h.fips openssh-5.5p1/cipher.h
--- openssh-5.5p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.5p1/cipher.h 2010-04-16 08:46:49.000000000 +0200
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *);
diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/mac.c.fips openssh-5.5p1/mac.c
--- openssh-5.5p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.5p1/mac.c 2010-04-16 08:46:49.000000000 +0200
@@ -28,6 +28,7 @@
#include <sys/types.h>
@ -219,9 +219,9 @@ diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100
+++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/Makefile.in.fips openssh-5.5p1/Makefile.in
--- openssh-5.5p1/Makefile.in.fips 2010-03-13 22:41:34.000000000 +0100
+++ openssh-5.5p1/Makefile.in 2010-04-16 09:48:16.000000000 +0200
@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
@ -242,7 +242,7 @@ diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -253,7 +253,7 @@ diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@ -261,9 +261,9 @@ diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/myproposal.h.fips openssh-5.5p1/myproposal.h
--- openssh-5.5p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.5p1/myproposal.h 2010-04-16 08:46:49.000000000 +0200
@@ -55,7 +55,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
@ -278,9 +278,9 @@ diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.5p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.5p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-5.5p1/openbsd-compat/bsd-arc4random.c 2010-04-16 09:17:30.000000000 +0200
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@ -321,10 +321,10 @@ diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbs
+#endif
#endif /* !HAVE_ARC4RANDOM */
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100
#ifndef HAVE_ARC4RANDOM_BUF
diff -up openssh-5.5p1/ssh-add.c.fips openssh-5.5p1/ssh-add.c
--- openssh-5.5p1/ssh-add.c.fips 2010-03-03 00:25:42.000000000 +0100
+++ openssh-5.5p1/ssh-add.c 2010-04-16 08:46:49.000000000 +0200
@@ -42,6 +42,7 @@
#include <sys/param.h>
@ -333,7 +333,7 @@ diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
#include "openbsd-compat/openssl-compat.h"
#include <fcntl.h>
@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection
@@ -269,7 +270,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@ -342,9 +342,9 @@ diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
SSH_FP_HEX);
printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key));
diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/ssh-agent.c.fips openssh-5.5p1/ssh-agent.c
--- openssh-5.5p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.5p1/ssh-agent.c 2010-04-16 08:46:49.000000000 +0200
@@ -51,6 +51,7 @@
#include <openssl/evp.h>
@ -366,9 +366,9 @@ diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
ret = 0;
xfree(p);
diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100
diff -up openssh-5.5p1/ssh.c.fips openssh-5.5p1/ssh.c
--- openssh-5.5p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.5p1/ssh.c 2010-04-16 08:46:49.000000000 +0200
@@ -72,6 +72,8 @@
#include <openssl/evp.h>
@ -431,9 +431,9 @@ diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100
diff -up openssh-5.5p1/sshconnect2.c.fips openssh-5.5p1/sshconnect2.c
--- openssh-5.5p1/sshconnect2.c.fips 2010-04-16 08:46:48.000000000 +0200
+++ openssh-5.5p1/sshconnect2.c 2010-04-16 08:46:49.000000000 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@ -477,9 +477,9 @@ diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
xfree(fp);
/*
diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100
diff -up openssh-5.5p1/sshconnect.c.fips openssh-5.5p1/sshconnect.c
--- openssh-5.5p1/sshconnect.c.fips 2010-03-04 11:53:36.000000000 +0100
+++ openssh-5.5p1/sshconnect.c 2010-04-16 08:46:49.000000000 +0200
@@ -40,6 +40,8 @@
#include <string.h>
#include <unistd.h>
@ -521,7 +521,7 @@ diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con
@@ -1151,17 +1154,18 @@ show_key_from_file(const char *file, con
Key *found;
char *fp, *ra;
int line, ret;
@ -544,7 +544,7 @@ diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
xfree(ra);
xfree(fp);
}
@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key)
@@ -1207,8 +1211,9 @@ warn_changed_key(Key *host_key)
{
char *fp;
const char *type = key_type(host_key);
@ -555,7 +555,7 @@ diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key)
@@ -1216,8 +1221,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type);
@ -566,9 +566,9 @@ diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
error("Please contact your system administrator.");
xfree(fp);
diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100
diff -up openssh-5.5p1/sshd.c.fips openssh-5.5p1/sshd.c
--- openssh-5.5p1/sshd.c.fips 2010-04-16 08:46:48.000000000 +0200
+++ openssh-5.5p1/sshd.c 2010-04-16 08:46:49.000000000 +0200
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -622,7 +622,7 @@ diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
chdir("/");
@@ -2274,6 +2288,9 @@ do_ssh2_kex(void)
@@ -2275,6 +2289,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -632,7 +632,7 @@ diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2283,6 +2300,9 @@ do_ssh2_kex(void)
@@ -2284,6 +2301,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -642,9 +642,9 @@ diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100
diff -up openssh-5.5p1/ssh-keygen.c.fips openssh-5.5p1/ssh-keygen.c
--- openssh-5.5p1/ssh-keygen.c.fips 2010-03-21 19:58:24.000000000 +0100
+++ openssh-5.5p1/ssh-keygen.c 2010-04-16 08:46:49.000000000 +0200
@@ -21,6 +21,7 @@
#include <openssl/evp.h>
@ -653,7 +653,7 @@ diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw)
@@ -527,7 +528,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype;
struct stat st;
@ -662,7 +662,7 @@ diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
@@ -1808,14 +1809,15 @@ passphrase_again:
@@ -1916,14 +1917,15 @@ passphrase_again:
fclose(f);
if (!quiet) {

432
openssh-5.5p1-mls.patch Normal file
View File

@ -0,0 +1,432 @@
diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100
@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+ AC_CHECK_FUNCS(setkeycreatecon)
LIBS="$save_LIBS"
fi ]
)
diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100
+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100
@@ -423,6 +423,7 @@ char *
colon(char *cp)
{
int flag = 0;
+ int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */
return (0);
@@ -436,8 +437,13 @@ colon(char *cp)
return (cp+1);
if (*cp == ':' && !flag)
return (cp);
- if (*cp == '/')
- return (0);
+ if (start) {
+ /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/')
+ return (0);
+ if (*cp != '.')
+ start = 0;
+ }
}
return (0);
}
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100
@@ -35,13 +35,24 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "xmalloc.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
+#include <selinux/context.h>
#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+
+#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h>
+#include <unistd.h>
+#endif
extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
return (enabled);
}
+/* Send audit message */
+static int
+send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 0; /* No audit support in kernel */
+ error("Error connecting to audit system.");
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ error("Error translating default context.");
+ default_raw = NULL;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ error("Error translating selected context.");
+ selected_raw = NULL;
+ }
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
+ default_raw ? default_raw : (default_context ? default_context: "?"),
+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
+ error("Error allocating memory.");
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ error("Error sending audit message.");
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ freecon(selected_raw);
+ close(audit_fd);
+#endif
+ return rc;
+}
+
+static int
+mls_range_allowed(security_context_t src, security_context_t dst)
+{
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+
+ debug("%s: src:%s dst:%s", __func__, src, dst);
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+
+ return 1;
+}
+
+static int
+get_user_context(const char *sename, const char *role, const char *lvl,
+ security_context_t *sc) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+ /* User may have requested a level completely outside of his
+ allowed range. We get a context just for auditing as the
+ range check below will certainly fail for default context. */
+#endif
+ if (get_default_context(sename, NULL, sc) != 0) {
+ *sc = NULL;
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ }
+#endif
+ if (role != NULL && role[0]) {
+ context_t con;
+ char *type=NULL;
+ if (get_default_type(role, &type) != 0) {
+ error("get_default_type: failed to get default type for '%s'",
+ role);
+ goto out;
+ }
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_role_set(con, role);
+ context_type_set(con, type);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ if (!*sc)
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl != NULL && lvl[0]) {
+ /* verify that the requested range is obtained */
+ context_t con;
+ security_context_t obtained_raw;
+ security_context_t requested_raw;
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_range_set(con, lvl);
+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
+ context_free(con);
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
+ freecon(obtained_raw);
+ context_free(con);
+ goto out;
+ }
+
+ debug("get_user_context: obtained context '%s' requested context '%s'",
+ obtained_raw, requested_raw);
+ if (strcmp(obtained_raw, requested_raw)) {
+ /* set the context to the real requested one but fail */
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ return -1;
+ }
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ context_free(con);
+ }
+#endif
+ return 0;
+ out:
+ freecon(*sc);
+ *sc = NULL;
+ return -1;
+}
+
/* Return the default security context for the given username */
-static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+static int
+ssh_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
{
- security_context_t sc = NULL;
char *sename, *lvl;
+ const char *reqlvl = NULL;
char *role = NULL;
- int r = 0;
+ int r = -1;
+ context_t con = NULL;
+
+ *default_sc = NULL;
+ *user_sc = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(role, '/')) != NULL) {
+ *slash = '\0';
+ reqlvl = slash + 1;
+ }
+ }
+ }
- if (the_authctxt)
- role=the_authctxt->role;
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
sename = NULL;
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
}
#else
sename = pwname;
- lvl = NULL;
+ lvl = "";
#endif
if (r == 0) {
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- if (role != NULL && role[0])
- r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
- else
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
#else
- if (role != NULL && role[0])
- r = get_default_context_with_role(sename, role, NULL, &sc);
- else
- r = get_default_context(sename, NULL, &sc);
+ r = get_default_context(sename, NULL, default_sc);
#endif
}
- if (r != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: ssh_selinux_getctxbyname: "
- "security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to get default SELinux security "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to get default SELinux security "
- "context for %s (in enforcing mode)",
- __func__, pwname);
+ if (r == 0) {
+ /* If launched from xinetd, we must use current level */
+ if (inetd_flag && !rexeced_flag) {
+ security_context_t sshdsc=NULL;
+
+ if (getcon_raw(&sshdsc) < 0)
+ fatal("failed to allocate security context");
+
+ if ((con=context_new(sshdsc)) == NULL)
+ fatal("failed to allocate selinux context");
+ reqlvl = context_range_get(con);
+ freecon(sshdsc);
+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
+ /* we actually don't change level */
+ reqlvl = "";
+
+ debug("%s: current connection level '%s'", __func__, reqlvl);
+ }
+
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc);
+
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
+ security_context_t default_level_sc = *default_sc;
+ if (role != NULL && role[0]) {
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
+ default_level_sc = *default_sc;
+ }
+ /* verify that the requested range is contained in the user range */
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
+ } else {
+ r = -1;
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
+ }
+ if (default_level_sc != *default_sc)
+ freecon(default_level_sc);
+ }
+ } else {
+ *user_sc = *default_sc;
}
}
+ if (r != 0) {
+ error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname);
+ }
#ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL)
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
if (lvl != NULL)
xfree(lvl);
#endif
+ if (role != NULL)
+ xfree(role);
+ if (con)
+ context_free(con);
- return (sc);
+ return (r);
}
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
{
+ int r = 0;
+ security_context_t default_ctx = NULL;
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled())
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__);
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) {
+ r = setexeccon(user_ctx);
+ if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#endif
+ }
+ if (user_ctx == NULL) {
+ user_ctx = default_ctx;
+ }
+ if (r < 0 || user_ctx != default_ctx) {
+ /* audit just the case when user changed a role or there was
+ a failure */
+ send_audit_message(r >= 0, default_ctx, user_ctx);
+ }
+ if (r < 0) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
+ error("%s: SELinux failure. Continuing in permissive mode.",
+ __func__);
break;
default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
+ fatal("%s: SELinux failure. Aborting connection.",
+ __func__);
}
}
- if (user_ctx != NULL)
+ if (user_ctx != NULL && user_ctx != default_ctx)
freecon(user_ctx);
+ if (default_ctx != NULL)
+ freecon(default_ctx);
debug3("%s: done", __func__);
}
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) < 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100
@@ -1987,6 +1987,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
+#ifdef WITH_SELINUX
+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
#ifdef USE_PAM
if (options.use_pam) {
do_pam_setcred(1);

16
openssh.spec
View File

@ -67,13 +67,14 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_rel 3
%define pam_ssh_agent_rel 25
%define openssh_rel 1
%define openssh_ver 5.5p1
%define pam_ssh_agent_rel 26
%define pam_ssh_agent_ver 0.9.2
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.4p1
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
@ -93,7 +94,7 @@ Patch2: openssh-5.3p1-skip-initial.patch
Patch4: openssh-5.2p1-vendor.patch
Patch10: pam_ssh_agent_auth-0.9-build.patch
Patch12: openssh-5.4p1-selinux.patch
Patch13: openssh-5.4p1-mls.patch
Patch13: openssh-5.5p1-mls.patch
Patch16: openssh-5.3p1-audit.patch
Patch18: openssh-5.4p1-pam_selinux.patch
Patch24: openssh-4.3p1-fromto-remote.patch
@ -104,13 +105,12 @@ Patch38: openssh-4.3p2-askpass-grab-info.patch
Patch44: openssh-5.2p1-allow-ip-opts.patch
Patch49: openssh-4.3p2-gssapi-canohost.patch
Patch62: openssh-5.1p1-scp-manpage.patch
Patch65: openssh-5.4p1-fips.patch
Patch65: openssh-5.5p1-fips.patch
Patch69: openssh-5.3p1-selabel.patch
Patch71: openssh-5.2p1-edns.patch
Patch72: openssh-5.4p1-pka.patch
Patch73: openssh-5.4p1-gsskex.patch
Patch74: openssh-5.3p1-randclean.patch
Patch75: openssh-5.3p1-dso.patch
Patch76: openssh-5.4p1-staterr.patch
License: BSD
@ -264,7 +264,6 @@ popd
%patch72 -p1 -b .pka
%patch73 -p1 -b .gsskex
%patch74 -p1 -b .randclean
%patch75 -p1 -b .dso
%patch76 -p1 -b .staterr
autoreconf
@ -531,6 +530,9 @@ fi
%endif
%changelog
* Fri Apr 16 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-1 + 0.9.2-26
- Update to 5.5p1
* Fri Mar 12 2010 Jan F. Chadima <jchadima@redhat.com> - 5.4p1-3 + 0.9.2-25
- repair configure script of pam_ssh_agent
- repair error mesage in ssh-keygen

2
sources
View File

@ -1,2 +1,2 @@
cc327297ee5a169c7997d403bf37c9b0 openssh-5.5p1-noacss.tar.bz2
b68f1c385d7885fbe2c3626bf77aa3d6 pam_ssh_agent_auth-0.9.2.tar.bz2
96c95443133c2c5a459b95175ab7b555 openssh-5.4p1-noacss.tar.bz2