Revert "use hmac_suffix for ssh{,d} hmac checksums"
This reverts commit c6724c72f4.
This commit is contained in:
parent
47b1c9e6a4
commit
b61d9c10d3
@ -375,13 +375,12 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
@@ -253,6 +255,11 @@ main(int ac, char **av)
|
@@ -253,6 +255,10 @@ main(int ac, char **av)
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
+ SSLeay_add_all_algorithms();
|
+ SSLeay_add_all_algorithms();
|
||||||
+
|
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
||||||
+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
|
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
+ fatal("FIPS integrity verification test failed.");
|
||||||
+ }
|
+ }
|
||||||
|
|
||||||
@ -476,13 +475,12 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
#ifdef HAVE_SECUREWARE
|
#ifdef HAVE_SECUREWARE
|
||||||
@@ -1423,6 +1425,12 @@ main(int ac, char **av)
|
@@ -1423,6 +1425,11 @@ main(int ac, char **av)
|
||||||
#endif
|
#endif
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
+ SSLeay_add_all_algorithms();
|
+ SSLeay_add_all_algorithms();
|
||||||
+
|
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
||||||
+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
|
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
+ fatal("FIPS integrity verification test failed.");
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -540,19 +538,3 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
}
|
}
|
||||||
if (options.compression == COMP_NONE) {
|
if (options.compression == COMP_NONE) {
|
||||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||||
diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
|
|
||||||
--- openssh-6.2p2/configure.ac.fips 2013-09-10 17:54:55.092279052 +0200
|
|
||||||
+++ openssh-6.2p2/configure.ac 2013-09-10 17:55:18.021172145 +0200
|
|
||||||
@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
+AC_ARG_ENABLE(hmac-suffix,
|
|
||||||
+ [ --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
|
|
||||||
+ [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
|
|
||||||
+ [AC_DEFINE(HMAC_SUFFIX, NULL)]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
dnl lastlog, [uw]tmpx? detection
|
|
||||||
dnl NOTE: set the paths in the platform section to avoid the
|
|
||||||
dnl need for command-line parameters
|
|
||||||
|
21
openssh.spec
21
openssh.spec
@ -68,8 +68,6 @@
|
|||||||
%define pam_ssh_agent_ver 0.9.3
|
%define pam_ssh_agent_ver 0.9.3
|
||||||
%define pam_ssh_agent_rel 5
|
%define pam_ssh_agent_rel 5
|
||||||
|
|
||||||
%define hmac_suffix .%{openssh_ver}-%{openssh_rel}.hmac
|
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: %{openssh_ver}
|
Version: %{openssh_ver}
|
||||||
@ -214,7 +212,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
|
|||||||
BuildRequires: util-linux, groff
|
BuildRequires: util-linux, groff
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: tcp_wrappers-devel
|
BuildRequires: tcp_wrappers-devel
|
||||||
BuildRequires: fipscheck-devel >= 1.4.1
|
BuildRequires: fipscheck-devel >= 1.3.0
|
||||||
BuildRequires: openssl-devel >= 0.9.8j
|
BuildRequires: openssl-devel >= 0.9.8j
|
||||||
BuildRequires: perl-podlators
|
BuildRequires: perl-podlators
|
||||||
|
|
||||||
@ -244,7 +242,7 @@ Requires: openssh = %{version}-%{release}
|
|||||||
Summary: The FIPS module package for SSH client
|
Summary: The FIPS module package for SSH client
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Requires: openssh-clients = %{version}-%{release}
|
Requires: openssh-clients = %{version}-%{release}
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.4.1
|
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||||
Requires: openssl-fips
|
Requires: openssl-fips
|
||||||
|
|
||||||
%package server
|
%package server
|
||||||
@ -518,11 +516,10 @@ fi
|
|||||||
--without-kerberos5 \
|
--without-kerberos5 \
|
||||||
%endif
|
%endif
|
||||||
%if %{libedit}
|
%if %{libedit}
|
||||||
--with-libedit \
|
--with-libedit
|
||||||
%else
|
%else
|
||||||
--without-libedit \
|
--without-libedit
|
||||||
%endif
|
%endif
|
||||||
--enable-hmac-suffix=%{hmac_suffix}
|
|
||||||
|
|
||||||
%if %{static_libcrypto}
|
%if %{static_libcrypto}
|
||||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||||
@ -564,8 +561,6 @@ popd
|
|||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh%{hmac_suffix} \
|
|
||||||
mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd%{hmac_suffix}
|
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
%check
|
%check
|
||||||
@ -641,13 +636,13 @@ getent passwd sshd >/dev/null || \
|
|||||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
||||||
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
||||||
|
|
||||||
%pre clients-fips
|
%post clients-fips
|
||||||
prelink -u %{_bindir}/ssh 2>/dev/null || :
|
prelink -u %{_bindir}/ssh 2>/dev/null || :
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
|
|
||||||
%pre server-fips
|
%post server-fips
|
||||||
prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
||||||
|
|
||||||
%preun server
|
%preun server
|
||||||
@ -709,7 +704,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
|||||||
|
|
||||||
%files clients-fips
|
%files clients-fips
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh%{hmac_suffix}
|
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
|
||||||
# We don't want to depend on prelink for this directory
|
# We don't want to depend on prelink for this directory
|
||||||
%dir %{_sysconfdir}/prelink.conf.d
|
%dir %{_sysconfdir}/prelink.conf.d
|
||||||
%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
|
%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
|
||||||
@ -735,7 +730,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
|
|||||||
|
|
||||||
%files server-fips
|
%files server-fips
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd%{hmac_suffix}
|
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
||||||
# We don't want to depend on prelink for this directory
|
# We don't want to depend on prelink for this directory
|
||||||
%dir %{_sysconfdir}/prelink.conf.d
|
%dir %{_sysconfdir}/prelink.conf.d
|
||||||
%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
|
%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
|
||||||
|