rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

cleanup and remove FIPS code from audit patch

Browse Source
This commit is contained in:
Petr Lautrbach 2014-07-09 21:08:53 +02:00
parent 5160c9c8f3
commit 9f526c6f31
1 changed files with 34 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
openssh-6.6p1-audit.patch
View File

@ -894,25 +894,30 @@ index 0f52b68..472a5b2 100644
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
diff --git a/cipher.c b/cipher.c diff --git a/cipher.c b/cipher.c
index 53d9b4f..87317ab 100644 index 53d9b4f..226e56d 100644
--- a/cipher.c --- a/cipher.c
+++ b/cipher.c +++ b/cipher.c
@@ -57,6 +57,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(void); @@ -57,20 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void); extern const EVP_CIPHER *evp_ssh1_3des(void);
extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+#if 0 -struct Cipher {
struct Cipher { - char *name;
char *name; - int number; /* for ssh1 only */
int number; /* for ssh1 only */ - u_int block_size;
@@ -70,6 +71,7 @@ struct Cipher { - u_int key_len;
#define CFLAG_CHACHAPOLY (1<<1) - u_int iv_len; /* defaults to block_size */
const EVP_CIPHER *(*evptype)(void); - u_int auth_len;
}; - u_int discard_len;
+#endif - u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
- const EVP_CIPHER *(*evptype)(void);
-};
-
static const struct Cipher ciphers[] = { static const struct Cipher ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
diff --git a/cipher.h b/cipher.h diff --git a/cipher.h b/cipher.h
index 133d2e7..d41758e 100644 index 133d2e7..d41758e 100644
--- a/cipher.h --- a/cipher.h
@ -2038,7 +2043,7 @@ index 6a2f35e..e9b312e 100644
void session_close(Session *); void session_close(Session *);
void do_setusercontext(struct passwd *); void do_setusercontext(struct passwd *);
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 512c7ed..be1171b 100644 index 512c7ed..b561ec8 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -119,6 +119,7 @@ @@ -119,6 +119,7 @@
@ -2074,7 +2079,7 @@ index 512c7ed..be1171b 100644
static void static void
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -562,22 +572,47 @@ sshd_exchange_identification(int sock_in, int sock_out) @@ -562,22 +572,45 @@ sshd_exchange_identification(int sock_in, int sock_out)
} }
} }
@ -2102,9 +2107,7 @@ index 512c7ed..be1171b 100644
+ char *fp; + char *fp;
+ +
+ if (key_is_private(sensitive_data.host_keys[i])) + if (key_is_private(sensitive_data.host_keys[i]))
+ fp = key_fingerprint(sensitive_data.host_keys[i], + fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+ SSH_FP_HEX);
+ else + else
+ fp = NULL; + fp = NULL;
key_free(sensitive_data.host_keys[i]); key_free(sensitive_data.host_keys[i]);
@ -2125,7 +2128,7 @@ index 512c7ed..be1171b 100644
key_free(sensitive_data.host_certificates[i]); key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -591,6 +626,8 @@ void @@ -591,6 +624,8 @@ void
demote_sensitive_data(void) demote_sensitive_data(void)
{ {
Key *tmp; Key *tmp;
@ -2134,7 +2137,7 @@ index 512c7ed..be1171b 100644
int i; int i;
if (sensitive_data.server_key) { if (sensitive_data.server_key) {
@@ -599,13 +636,27 @@ demote_sensitive_data(void) @@ -599,13 +634,25 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp; sensitive_data.server_key = tmp;
} }
@ -2145,9 +2148,7 @@ index 512c7ed..be1171b 100644
+ char *fp; + char *fp;
+ +
+ if (key_is_private(sensitive_data.host_keys[i])) + if (key_is_private(sensitive_data.host_keys[i]))
+ fp = key_fingerprint(sensitive_data.host_keys[i], + fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+ SSH_FP_HEX);
+ else + else
+ fp = NULL; + fp = NULL;
tmp = key_demote(sensitive_data.host_keys[i]); tmp = key_demote(sensitive_data.host_keys[i]);
@ -2162,7 +2163,7 @@ index 512c7ed..be1171b 100644
} }
/* Certs do not need demotion */ /* Certs do not need demotion */
} }
@@ -675,7 +726,7 @@ privsep_preauth(Authctxt *authctxt) @@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
if (use_privsep == PRIVSEP_ON) if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor); box = ssh_sandbox_init(pmonitor);
@ -2171,7 +2172,7 @@ index 512c7ed..be1171b 100644
if (pid == -1) { if (pid == -1) {
fatal("fork of unprivileged child failed"); fatal("fork of unprivileged child failed");
} else if (pid != 0) { } else if (pid != 0) {
@@ -729,6 +780,8 @@ privsep_preauth(Authctxt *authctxt) @@ -729,6 +776,8 @@ privsep_preauth(Authctxt *authctxt)
} }
} }
@ -2180,7 +2181,7 @@ index 512c7ed..be1171b 100644
static void static void
privsep_postauth(Authctxt *authctxt) privsep_postauth(Authctxt *authctxt)
{ {
@@ -753,6 +806,10 @@ privsep_postauth(Authctxt *authctxt) @@ -753,6 +802,10 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) { else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid); verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg); buffer_clear(&loginmsg);
@ -2191,7 +2192,7 @@ index 512c7ed..be1171b 100644
monitor_child_postauth(pmonitor); monitor_child_postauth(pmonitor);
/* NEVERREACHED */ /* NEVERREACHED */
@@ -1211,6 +1268,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) @@ -1211,6 +1264,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",
(int) received_sigterm); (int) received_sigterm);
@ -2199,7 +2200,7 @@ index 512c7ed..be1171b 100644
close_listen_socks(); close_listen_socks();
unlink(options.pid_file); unlink(options.pid_file);
exit(received_sigterm == SIGTERM ? 0 : 255); exit(received_sigterm == SIGTERM ? 0 : 255);
@@ -2134,6 +2192,7 @@ main(int ac, char **av) @@ -2134,6 +2188,7 @@ main(int ac, char **av)
*/ */
if (use_privsep) { if (use_privsep) {
mm_send_keystate(pmonitor); mm_send_keystate(pmonitor);
@ -2207,7 +2208,7 @@ index 512c7ed..be1171b 100644
exit(0); exit(0);
} }
@@ -2179,7 +2238,7 @@ main(int ac, char **av) @@ -2179,7 +2234,7 @@ main(int ac, char **av)
privsep_postauth(authctxt); privsep_postauth(authctxt);
/* the monitor process [priv] will not return */ /* the monitor process [priv] will not return */
if (!compat20) if (!compat20)
@ -2216,7 +2217,7 @@ index 512c7ed..be1171b 100644
} }
packet_set_timeout(options.client_alive_interval, packet_set_timeout(options.client_alive_interval,
@@ -2189,6 +2248,9 @@ main(int ac, char **av) @@ -2189,6 +2244,9 @@ main(int ac, char **av)
do_authenticated(authctxt); do_authenticated(authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
@ -2226,7 +2227,7 @@ index 512c7ed..be1171b 100644
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
@@ -2346,6 +2408,10 @@ do_ssh1_kex(void) @@ -2346,6 +2404,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char()) if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match."); packet_disconnect("IP Spoofing check bytes do not match.");
@ -2237,7 +2238,7 @@ index 512c7ed..be1171b 100644
debug("Encryption type: %.200s", cipher_name(cipher_type)); debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */ /* Get the encrypted integer. */
@@ -2418,7 +2484,7 @@ do_ssh1_kex(void) @@ -2418,7 +2480,7 @@ do_ssh1_kex(void)
session_id[i] = session_key[i] ^ session_key[i + 16]; session_id[i] = session_key[i] ^ session_key[i + 16];
} }
/* Destroy the private and public keys. No longer. */ /* Destroy the private and public keys. No longer. */
@ -2246,7 +2247,7 @@ index 512c7ed..be1171b 100644
if (use_privsep) if (use_privsep)
mm_ssh1_session_id(session_id); mm_ssh1_session_id(session_id);
@@ -2584,6 +2650,16 @@ do_ssh2_kex(void) @@ -2584,6 +2646,16 @@ do_ssh2_kex(void)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
@ -2263,7 +2264,7 @@ index 512c7ed..be1171b 100644
if (the_authctxt) { if (the_authctxt) {
do_cleanup(the_authctxt); do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) { if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
@@ -2594,9 +2670,14 @@ cleanup_exit(int i) @@ -2594,9 +2666,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno)); pmonitor->m_pid, strerror(errno));
} }
} }