Fix build against updated OpenSSL

Resolves: rhbz#2158966
2023-01-09 12:48:20 +01:00 · 2023-01-09 12:48:20 +01:00 · c9904c7c8a
commit c9904c7c8a
parent ebc2a70dee
2 changed files with 73 additions and 30 deletions
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -1,6 +1,14 @@
 diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
 --- openssh-8.6p1/dh.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/dh.c	2021-04-19 16:58:47.750263410 +0200
+++ openssh-8.6p1/dh.c	2021-05-06 12:12:10.107634472 +0200
@@ -36,6 +36,7 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 +#include <openssl/fips.h>
 #include "dh.h"
 #include "pathnames.h"
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
 	int best, bestcount, which, linenum;
 	struct dhgroup dhg;
@ -54,8 +62,8 @@ diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
 +
 #endif /* WITH_OPENSSL */
 diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.6p1/dh.h.fips	2021-04-19 16:53:03.064577862 +0200
+--- openssh-8.6p1/dh.h.fips	2021-05-06 12:08:36.498926877 +0200
-+++ openssh-8.6p1/dh.h	2021-04-19 16:59:31.951616078 +0200
+++ openssh-8.6p1/dh.h	2021-05-06 12:11:28.393298005 +0200
@@ -45,6 +45,7 @@ DH	*dh_new_group_fallback(int);
 int	 dh_gen_key(DH *, int);
@ -65,8 +73,16 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
 u_int	 dh_estimate(int);
 void	 dh_set_moduli_file(const char *);
 diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.6p1/kex.c.fips	2021-04-19 16:53:03.058577815 +0200
+--- openssh-8.6p1/kex.c.fips	2021-05-06 12:08:36.489926807 +0200
-+++ openssh-8.6p1/kex.c	2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/kex.c	2021-05-06 12:08:36.498926877 +0200
@@ -39,6 +39,7 @@
 #ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
 +#include <openssl/fips.h>
 #include <openssl/dh.h>
 # ifdef HAVE_EVP_KDF_CTX_NEW_ID
 # include <openssl/kdf.h>
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
 	for ((p = strsep(&cp, ",")); p && *p != '\0';
 	    (p = strsep(&cp, ","))) {
@ -81,12 +97,12 @@ diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
 		}
 diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
 --- openssh-8.6p1/kexgexc.c.fips	2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/kexgexc.c	2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/kexgexc.c	2021-05-06 12:08:36.498926877 +0200
@@ -28,6 +28,7 @@
 #ifdef WITH_OPENSSL
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include <sys/types.h>
 #include <openssl/dh.h>
@ -152,8 +168,16 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
 #define	SSH_ALLOWED_CA_SIGALGS	\
 	"ssh-ed25519," \
 diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.6p1/readconf.c.fips	2021-04-19 16:53:02.999577362 +0200
+--- openssh-8.6p1/readconf.c.fips	2021-05-06 12:08:36.428926336 +0200
-+++ openssh-8.6p1/readconf.c	2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/readconf.c	2021-05-06 12:08:36.499926885 +0200
@@ -39,6 +39,7 @@
 #include <string.h>
 #include <stdarg.h>
 #include <unistd.h>
 +#include <openssl/fips.h>
 #ifdef USE_SYSTEM_GLOB
 # include <glob.h>
 #else
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -177,8 +201,8 @@ diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
 	do { \
 		if ((r = kex_assemble_names(&options->what, \
 diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips	2021-04-19 16:53:03.034577631 +0200
+--- openssh-8.6p1/sandbox-seccomp-filter.c.fips	2021-05-06 12:08:36.463926606 +0200
-+++ openssh-8.6p1/sandbox-seccomp-filter.c	2021-04-19 16:53:03.065577869 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c	2021-05-06 12:08:36.499926885 +0200
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_open
 	SC_DENY(__NR_open, EACCES),
@ -190,8 +214,16 @@ diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-secco
 	SC_DENY(__NR_openat, EACCES),
 #endif
 diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.6p1/servconf.c.fips	2021-04-19 16:53:03.027577577 +0200
+--- openssh-8.6p1/servconf.c.fips	2021-05-06 12:08:36.455926545 +0200
-+++ openssh-8.6p1/servconf.c	2021-04-19 16:53:03.066577877 +0200
+++ openssh-8.6p1/servconf.c	2021-05-06 12:08:36.500926893 +0200
@@ -38,6 +38,7 @@
 #include <limits.h>
 #include <stdarg.h>
 #include <errno.h>
 +#include <openssl/fips.h>
 #ifdef HAVE_UTIL_H
 #include <util.h>
 #endif
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
 	all_key = sshkey_alg_list(0, 0, 1, ',');
 	all_sig = sshkey_alg_list(0, 1, 1, ',');
@ -215,13 +247,13 @@ diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
 	do { \
 		if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
 diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.6p1/ssh.c.fips	2021-04-19 16:53:03.038577662 +0200
+--- openssh-8.6p1/ssh.c.fips	2021-05-06 12:08:36.467926637 +0200
-+++ openssh-8.6p1/ssh.c	2021-04-19 16:53:03.066577877 +0200
+++ openssh-8.6p1/ssh.c	2021-05-06 12:08:36.500926893 +0200
@@ -77,6 +77,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #endif
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
@ -237,13 +269,13 @@ diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
 	if (options.sk_provider != NULL && *options.sk_provider == '$' &&
 	    strlen(options.sk_provider) > 1) {
 diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.6p1/sshconnect2.c.fips	2021-04-19 16:53:03.055577792 +0200
+--- openssh-8.6p1/sshconnect2.c.fips	2021-05-06 12:08:36.485926777 +0200
-+++ openssh-8.6p1/sshconnect2.c	2021-04-19 16:53:03.066577877 +0200
+++ openssh-8.6p1/sshconnect2.c	2021-05-06 12:08:36.501926900 +0200
@@ -45,6 +45,8 @@
 #include <vis.h>
 #endif
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 +
 #include "openbsd-compat/sys-queue.h"
@ -318,8 +350,8 @@ diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
 	}
 #endif
 diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips	2021-04-19 16:53:03.060577831 +0200
+--- openssh-8.6p1/sshd.c.fips	2021-05-06 12:08:36.493926838 +0200
-+++ openssh-8.6p1/sshd.c	2021-04-19 16:57:45.827769340 +0200
+++ openssh-8.6p1/sshd.c	2021-05-06 12:13:56.501492639 +0200
@@ -66,6 +66,7 @@
 #endif
 #include <pwd.h>
@ -332,7 +364,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "openbsd-compat/openssl-compat.h"
 #endif
@ -389,13 +421,13 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
 	if (gss && orig)
 		xasprintf(&newstr, "%s,%s", gss, orig);
 diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips	2021-04-19 16:53:03.061577838 +0200
+--- openssh-8.6p1/sshkey.c.fips	2021-05-06 12:08:36.493926838 +0200
-+++ openssh-8.6p1/sshkey.c	2021-04-19 16:53:03.067577885 +0200
+++ openssh-8.6p1/sshkey.c	2021-05-06 12:08:36.502926908 +0200
@@ -34,6 +34,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #endif
 #include "crypto_api.h"
@ -480,8 +512,16 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
 		    compat, detailsp);
 #ifdef WITH_XMSS
 diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.6p1/ssh-keygen.c.fips	2021-04-19 16:53:03.038577662 +0200
+--- openssh-8.6p1/ssh-keygen.c.fips	2021-05-06 12:08:36.467926637 +0200
-+++ openssh-8.6p1/ssh-keygen.c	2021-04-19 16:53:03.068577892 +0200
+++ openssh-8.6p1/ssh-keygen.c	2021-05-06 12:08:36.503926916 +0200
@@ -20,6 +20,7 @@
 #ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 +#include <openssl/fips.h>
 #include <openssl/pem.h>
 #include "openbsd-compat/openssl-compat.h"
 #endif
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
 #endif
 	}
@ -521,7 +561,7 @@ diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
 #include <stdio.h>
 #include <string.h>
 #include <signal.h>
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "sshkey.h"
 #include "kex.h"
@ -607,7 +647,7 @@ diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
 #include <string.h>
 #include <stdarg.h>
-+#include <openssl/crypto.h>
+#include <openssl/fips.h>
 #include "log.h"
 #include "sshbuf.h"
--- a/openssh.spec
+++ b/openssh.spec
@ -47,7 +47,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 9.0p1
-%global openssh_rel 8
+%global openssh_rel 9
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 7
@ -724,6 +724,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
 * Mon Jan 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-9
 - Fix build against updated OpenSSL (rhbz#2158966)
 * Mon Oct 24 2022 Norbert Pocs <npocs@redhat.com> - 9.0p1-8
 - Add additional audit logging about ssh key used to login (rhbz#2049947)