From af8738486cb69eb49183e1341ba4889a28c88421 Mon Sep 17 00:00:00 2001 From: Jan F Date: Sun, 16 Jan 2011 23:50:01 +0100 Subject: [PATCH] - make audit compatible with the fips mode --- openssh-5.6p1-fips.patch | 102 ++++++++++++++++++++++++--------------- openssh.spec | 5 +- 2 files changed, 67 insertions(+), 40 deletions(-) diff --git a/openssh-5.6p1-fips.patch b/openssh-5.6p1-fips.patch index 7277c3b..41cb742 100644 --- a/openssh-5.6p1-fips.patch +++ b/openssh-5.6p1-fips.patch @@ -1,6 +1,18 @@ +diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c +--- openssh-5.6p1/audit.c.fips 2011-01-16 23:45:01.000000000 +0100 ++++ openssh-5.6p1/audit.c 2011-01-16 23:45:59.000000000 +0100 +@@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key * + "ssh-dsa", + "unknown" }; + +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); + switch(key->type) { + case KEY_RSA1: + case KEY_RSA: diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c ---- openssh-5.6p1/auth2-pubkey.c.fips 2010-08-23 12:43:40.000000000 +0200 -+++ openssh-5.6p1/auth2-pubkey.c 2010-08-23 12:43:41.000000000 +0200 +--- openssh-5.6p1/auth2-pubkey.c.fips 2011-01-16 23:41:58.000000000 +0100 ++++ openssh-5.6p1/auth2-pubkey.c 2011-01-16 23:41:59.000000000 +0100 @@ -36,6 +36,7 @@ #include #include @@ -9,7 +21,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c #include "xmalloc.h" #include "ssh.h" -@@ -359,7 +360,7 @@ user_search_key_in_file(FILE *f, char *f +@@ -371,7 +372,7 @@ user_search_key_in_file(FILE *f, char *f found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); @@ -20,7 +32,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c xfree(fp); diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c --- openssh-5.6p1/authfile.c.fips 2010-08-05 05:05:16.000000000 +0200 -+++ openssh-5.6p1/authfile.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/authfile.c 2011-01-16 23:41:59.000000000 +0100 @@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch /* Allocate space for the private part of the key in the buffer. */ cp = buffer_append_space(&encrypted, buffer_len(&buffer)); @@ -55,9 +67,21 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c cipher_crypt(&ciphercontext, cp, buffer_ptr(&buffer), buffer_len(&buffer)); cipher_cleanup(&ciphercontext); +diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c +--- openssh-5.6p1/auth-rsa.c.fips 2011-01-16 23:46:11.000000000 +0100 ++++ openssh-5.6p1/auth-rsa.c 2011-01-16 23:46:31.000000000 +0100 +@@ -122,7 +122,7 @@ auth_rsa_verify_response(Key *key, BIGNU + rv = timingsafe_bcmp(response, mdbuf, 16) == 0; + + #ifdef SSH_AUDIT_EVENTS +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); + if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) { + debug("unsuccessful audit"); + rv = 0; diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c ---- openssh-5.6p1/cipher.c.fips 2010-08-23 09:49:50.000000000 +0200 -+++ openssh-5.6p1/cipher.c 2010-08-23 12:43:41.000000000 +0200 +--- openssh-5.6p1/cipher.c.fips 2011-01-16 23:41:56.000000000 +0100 ++++ openssh-5.6p1/cipher.c 2011-01-16 23:41:59.000000000 +0100 @@ -40,6 +40,7 @@ #include @@ -66,7 +90,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c #include #include -@@ -93,6 +94,22 @@ struct Cipher { +@@ -85,6 +86,22 @@ struct Cipher ciphers[] = { { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } }; @@ -89,7 +113,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c /*--*/ u_int -@@ -135,7 +152,7 @@ Cipher * +@@ -127,7 +144,7 @@ Cipher * cipher_by_name(const char *name) { Cipher *c; @@ -98,7 +122,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c if (strcmp(c->name, name) == 0) return c; return NULL; -@@ -145,7 +162,7 @@ Cipher * +@@ -137,7 +154,7 @@ Cipher * cipher_by_number(int id) { Cipher *c; @@ -107,7 +131,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c if (c->number == id) return c; return NULL; -@@ -189,7 +206,7 @@ cipher_number(const char *name) +@@ -181,7 +198,7 @@ cipher_number(const char *name) Cipher *c; if (name == NULL) return -1; @@ -116,7 +140,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c if (strcasecmp(c->name, name) == 0) return c->number; return -1; -@@ -296,14 +313,15 @@ cipher_cleanup(CipherContext *cc) +@@ -288,14 +305,15 @@ cipher_cleanup(CipherContext *cc) * passphrase and using the resulting 16 bytes as the key. */ @@ -134,7 +158,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); MD5_Final(digest, &md); -@@ -311,6 +329,7 @@ cipher_set_key_string(CipherContext *cc, +@@ -303,6 +321,7 @@ cipher_set_key_string(CipherContext *cc, memset(digest, 0, sizeof(digest)); memset(&md, 0, sizeof(md)); @@ -144,7 +168,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c /* diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c --- openssh-5.6p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 -+++ openssh-5.6p1/cipher-ctr.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/cipher-ctr.c 2011-01-16 23:41:59.000000000 +0100 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -156,9 +180,9 @@ diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c return (&aes_ctr); } diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h ---- openssh-5.6p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.6p1/cipher.h 2010-08-23 12:43:41.000000000 +0200 -@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe +--- openssh-5.6p1/cipher.h.fips 2011-01-16 23:41:56.000000000 +0100 ++++ openssh-5.6p1/cipher.h 2011-01-16 23:41:59.000000000 +0100 +@@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe const u_char *, u_int, int); void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); void cipher_cleanup(CipherContext *); @@ -169,7 +193,7 @@ diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h u_int cipher_is_cbc(const Cipher *); diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c --- openssh-5.6p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.6p1/mac.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/mac.c 2011-01-16 23:41:59.000000000 +0100 @@ -28,6 +28,7 @@ #include @@ -220,9 +244,9 @@ diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.fips 2010-08-23 12:43:40.000000000 +0200 -+++ openssh-5.6p1/Makefile.in 2010-08-23 12:46:24.000000000 +0200 -@@ -141,25 +141,25 @@ libssh.a: $(LIBSSH_OBJS) +--- openssh-5.6p1/Makefile.in.fips 2011-01-16 23:41:58.000000000 +0100 ++++ openssh-5.6p1/Makefile.in 2011-01-16 23:41:59.000000000 +0100 +@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -254,7 +278,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -168,7 +168,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l +@@ -169,7 +169,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @@ -265,7 +289,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h --- openssh-5.6p1/myproposal.h.fips 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/myproposal.h 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/myproposal.h 2011-01-16 23:41:59.000000000 +0100 @@ -58,7 +58,12 @@ "hmac-sha1-96,hmac-md5-96" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" @@ -282,7 +306,7 @@ diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h KEX_DEFAULT_KEX, diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c --- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 -+++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c 2011-01-16 23:41:59.000000000 +0100 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; @@ -326,7 +350,7 @@ diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbs #ifndef HAVE_ARC4RANDOM_BUF diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c --- openssh-5.6p1/ssh-add.c.fips 2010-05-21 06:56:47.000000000 +0200 -+++ openssh-5.6p1/ssh-add.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/ssh-add.c 2011-01-16 23:41:59.000000000 +0100 @@ -42,6 +42,7 @@ #include @@ -346,7 +370,7 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c key_size(key), fp, comment, key_type(key)); diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c --- openssh-5.6p1/ssh-agent.c.fips 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/ssh-agent.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/ssh-agent.c 2011-01-16 23:41:59.000000000 +0100 @@ -51,6 +51,7 @@ #include @@ -370,7 +394,7 @@ diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c --- openssh-5.6p1/ssh.c.fips 2010-08-16 17:59:31.000000000 +0200 -+++ openssh-5.6p1/ssh.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/ssh.c 2011-01-16 23:41:59.000000000 +0100 @@ -72,6 +72,8 @@ #include @@ -434,8 +458,8 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, &timeout_ms, diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c ---- openssh-5.6p1/sshconnect2.c.fips 2010-08-23 12:43:41.000000000 +0200 -+++ openssh-5.6p1/sshconnect2.c 2010-08-23 12:43:41.000000000 +0200 +--- openssh-5.6p1/sshconnect2.c.fips 2011-01-16 23:41:59.000000000 +0100 ++++ openssh-5.6p1/sshconnect2.c 2011-01-16 23:41:59.000000000 +0100 @@ -44,6 +44,8 @@ #include #endif @@ -481,7 +505,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c /* diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c --- openssh-5.6p1/sshconnect.c.fips 2010-04-18 00:08:21.000000000 +0200 -+++ openssh-5.6p1/sshconnect.c 2010-08-23 12:43:41.000000000 +0200 ++++ openssh-5.6p1/sshconnect.c 2011-01-16 23:41:59.000000000 +0100 @@ -40,6 +40,8 @@ #include #include @@ -569,8 +593,8 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c xfree(fp); diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c ---- openssh-5.6p1/sshd.c.fips 2010-08-23 12:43:40.000000000 +0200 -+++ openssh-5.6p1/sshd.c 2010-08-23 12:43:41.000000000 +0200 +--- openssh-5.6p1/sshd.c.fips 2011-01-16 23:41:58.000000000 +0100 ++++ openssh-5.6p1/sshd.c 2011-01-16 23:41:59.000000000 +0100 @@ -76,6 +76,8 @@ #include #include @@ -580,7 +604,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1307,6 +1309,12 @@ main(int ac, char **av) +@@ -1309,6 +1311,12 @@ main(int ac, char **av) (void)set_auth_parameters(ac, av); #endif __progname = ssh_get_progname(av[0]); @@ -593,7 +617,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c init_rng(); /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1468,8 +1476,6 @@ main(int ac, char **av) +@@ -1470,8 +1478,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -602,7 +626,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c /* * Force logging to stderr until we have loaded the private host * key (unless started from inetd) -@@ -1587,6 +1593,10 @@ main(int ac, char **av) +@@ -1589,6 +1595,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, key->type, key_type(key)); } @@ -613,7 +637,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1751,6 +1761,10 @@ main(int ac, char **av) +@@ -1753,6 +1763,10 @@ main(int ac, char **av) /* Initialize the random number generator. */ arc4random_stir(); @@ -624,7 +648,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c /* Chdir to the root directory so that the current disk can be unmounted if desired. */ chdir("/"); -@@ -2284,6 +2298,9 @@ do_ssh2_kex(void) +@@ -2293,6 +2307,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -634,7 +658,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2293,6 +2310,9 @@ do_ssh2_kex(void) +@@ -2302,6 +2319,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -645,8 +669,8 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c ---- openssh-5.6p1/ssh-keygen.c.fips 2010-08-23 12:43:40.000000000 +0200 -+++ openssh-5.6p1/ssh-keygen.c 2010-08-23 12:43:41.000000000 +0200 +--- openssh-5.6p1/ssh-keygen.c.fips 2011-01-16 23:41:58.000000000 +0100 ++++ openssh-5.6p1/ssh-keygen.c 2011-01-16 23:41:59.000000000 +0100 @@ -21,6 +21,7 @@ #include diff --git a/openssh.spec b/openssh.spec index febeb7d..1aacf9e 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 23 +%define openssh_rel 24 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 29 @@ -603,6 +603,9 @@ fi %endif %changelog +* Mon Jan 17 2011 Jan F. Chadima - 5.6p1-24 + 0.9.2-29 +- make audit compatible with the fips mode + * Fri Jan 14 2011 Jan F. Chadima - 5.6p1-23 + 0.9.2-29 - add audit of destruction the server keys