[openssh] - make audit compatible with the fips mode

Jan F. Chadima jfch2222 at fedoraproject.org
Sun Jan 16 22:50:17 UTC 2011 

commit af8738486cb69eb49183e1341ba4889a28c88421
Author: Jan F <jfch at kerberos.example.com>
Date:   Sun Jan 16 23:50:01 2011 +0100

    - make audit compatible with the fips mode

 openssh-5.6p1-fips.patch |  102 ++++++++++++++++++++++++++++-----------------
 openssh.spec             |    5 ++-
 2 files changed, 67 insertions(+), 40 deletions(-)
---
diff --git a/openssh-5.6p1-fips.patch b/openssh-5.6p1-fips.patch
index 7277c3b..41cb742 100644
--- a/openssh-5.6p1-fips.patch
+++ b/openssh-5.6p1-fips.patch
@@ -1,6 +1,18 @@
+diff -up openssh-5.6p1/audit.c.fips openssh-5.6p1/audit.c
+--- openssh-5.6p1/audit.c.fips	2011-01-16 23:45:01.000000000 +0100
++++ openssh-5.6p1/audit.c	2011-01-16 23:45:59.000000000 +0100
+@@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key *
+ 		"ssh-dsa",
+ 		"unknown" };
+ 
+-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++	fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ 	switch(key->type) {
+ 		case KEY_RSA1:
+ 		case KEY_RSA:
 diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
---- openssh-5.6p1/auth2-pubkey.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.6p1/auth2-pubkey.c	2010-08-23 12:43:41.000000000 +0200
+--- openssh-5.6p1/auth2-pubkey.c.fips	2011-01-16 23:41:58.000000000 +0100
++++ openssh-5.6p1/auth2-pubkey.c	2011-01-16 23:41:59.000000000 +0100
 @@ -36,6 +36,7 @@
  #include <string.h>
  #include <time.h>
@@ -9,7 +21,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
  
  #include "xmalloc.h"
  #include "ssh.h"
-@@ -359,7 +360,7 @@ user_search_key_in_file(FILE *f, char *f
+@@ -371,7 +372,7 @@ user_search_key_in_file(FILE *f, char *f
  			found_key = 1;
  			debug("matching key found: file %s, line %lu",
  			    file, linenum);
@@ -20,7 +32,7 @@ diff -up openssh-5.6p1/auth2-pubkey.c.fips openssh-5.6p1/auth2-pubkey.c
  			xfree(fp);
 diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
 --- openssh-5.6p1/authfile.c.fips	2010-08-05 05:05:16.000000000 +0200
-+++ openssh-5.6p1/authfile.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/authfile.c	2011-01-16 23:41:59.000000000 +0100
 @@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -55,9 +67,21 @@ diff -up openssh-5.6p1/authfile.c.fips openssh-5.6p1/authfile.c
  	cipher_crypt(&ciphercontext, cp,
  	    buffer_ptr(&buffer), buffer_len(&buffer));
  	cipher_cleanup(&ciphercontext);
+diff -up openssh-5.6p1/auth-rsa.c.fips openssh-5.6p1/auth-rsa.c
+--- openssh-5.6p1/auth-rsa.c.fips	2011-01-16 23:46:11.000000000 +0100
++++ openssh-5.6p1/auth-rsa.c	2011-01-16 23:46:31.000000000 +0100
+@@ -122,7 +122,7 @@ auth_rsa_verify_response(Key *key, BIGNU
+ 	rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
+ 
+ #ifdef SSH_AUDIT_EVENTS
+-	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++	fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
+ 	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
+ 		debug("unsuccessful audit");
+ 		rv = 0;
 diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
---- openssh-5.6p1/cipher.c.fips	2010-08-23 09:49:50.000000000 +0200
-+++ openssh-5.6p1/cipher.c	2010-08-23 12:43:41.000000000 +0200
+--- openssh-5.6p1/cipher.c.fips	2011-01-16 23:41:56.000000000 +0100
++++ openssh-5.6p1/cipher.c	2011-01-16 23:41:59.000000000 +0100
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -66,7 +90,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  
  #include <string.h>
  #include <stdarg.h>
-@@ -93,6 +94,22 @@ struct Cipher {
+@@ -85,6 +86,22 @@ struct Cipher ciphers[] = {
  	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
  };
  
@@ -89,7 +113,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  /*--*/
  
  u_int
-@@ -135,7 +152,7 @@ Cipher *
+@@ -127,7 +144,7 @@ Cipher *
  cipher_by_name(const char *name)
  {
  	Cipher *c;
@@ -98,7 +122,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  		if (strcmp(c->name, name) == 0)
  			return c;
  	return NULL;
-@@ -145,7 +162,7 @@ Cipher *
+@@ -137,7 +154,7 @@ Cipher *
  cipher_by_number(int id)
  {
  	Cipher *c;
@@ -107,7 +131,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  		if (c->number == id)
  			return c;
  	return NULL;
-@@ -189,7 +206,7 @@ cipher_number(const char *name)
+@@ -181,7 +198,7 @@ cipher_number(const char *name)
  	Cipher *c;
  	if (name == NULL)
  		return -1;
@@ -116,7 +140,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  		if (strcasecmp(c->name, name) == 0)
  			return c->number;
  	return -1;
-@@ -296,14 +313,15 @@ cipher_cleanup(CipherContext *cc)
+@@ -288,14 +305,15 @@ cipher_cleanup(CipherContext *cc)
   * passphrase and using the resulting 16 bytes as the key.
   */
  
@@ -134,7 +158,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
  	MD5_Final(digest, &md);
  
-@@ -311,6 +329,7 @@ cipher_set_key_string(CipherContext *cc,
+@@ -303,6 +321,7 @@ cipher_set_key_string(CipherContext *cc,
  
  	memset(digest, 0, sizeof(digest));
  	memset(&md, 0, sizeof(md));
@@ -144,7 +168,7 @@ diff -up openssh-5.6p1/cipher.c.fips openssh-5.6p1/cipher.c
  /*
 diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
 --- openssh-5.6p1/cipher-ctr.c.fips	2007-06-14 15:21:33.000000000 +0200
-+++ openssh-5.6p1/cipher-ctr.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/cipher-ctr.c	2011-01-16 23:41:59.000000000 +0100
 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -156,9 +180,9 @@ diff -up openssh-5.6p1/cipher-ctr.c.fips openssh-5.6p1/cipher-ctr.c
  	return (&aes_ctr);
  }
 diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
---- openssh-5.6p1/cipher.h.fips	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.6p1/cipher.h	2010-08-23 12:43:41.000000000 +0200
-@@ -78,7 +78,7 @@ void	 cipher_init(CipherContext *, Ciphe
+--- openssh-5.6p1/cipher.h.fips	2011-01-16 23:41:56.000000000 +0100
++++ openssh-5.6p1/cipher.h	2011-01-16 23:41:59.000000000 +0100
+@@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
  void	 cipher_cleanup(CipherContext *);
@@ -169,7 +193,7 @@ diff -up openssh-5.6p1/cipher.h.fips openssh-5.6p1/cipher.h
  u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
 --- openssh-5.6p1/mac.c.fips	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.6p1/mac.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/mac.c	2011-01-16 23:41:59.000000000 +0100
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -220,9 +244,9 @@ diff -up openssh-5.6p1/mac.c.fips openssh-5.6p1/mac.c
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
---- openssh-5.6p1/Makefile.in.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.6p1/Makefile.in	2010-08-23 12:46:24.000000000 +0200
-@@ -141,25 +141,25 @@ libssh.a: $(LIBSSH_OBJS)
+--- openssh-5.6p1/Makefile.in.fips	2011-01-16 23:41:58.000000000 +0100
++++ openssh-5.6p1/Makefile.in	2011-01-16 23:41:59.000000000 +0100
+@@ -142,25 +142,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -254,7 +278,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
  
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -168,7 +168,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+@@ -169,7 +169,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
  	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@@ -265,7 +289,7 @@ diff -up openssh-5.6p1/Makefile.in.fips openssh-5.6p1/Makefile.in
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
 --- openssh-5.6p1/myproposal.h.fips	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.6p1/myproposal.h	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/myproposal.h	2011-01-16 23:41:59.000000000 +0100
 @@ -58,7 +58,12 @@
  	"hmac-sha1-96,hmac-md5-96"
  #define	KEX_DEFAULT_COMP	"none,zlib at openssh.com,zlib"
@@ -282,7 +306,7 @@ diff -up openssh-5.6p1/myproposal.h.fips openssh-5.6p1/myproposal.h
  	KEX_DEFAULT_KEX,
 diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/openbsd-compat/bsd-arc4random.c	2011-01-16 23:41:59.000000000 +0100
 @@ -39,6 +39,7 @@
  static int rc4_ready = 0;
  static RC4_KEY rc4;
@@ -326,7 +350,7 @@ diff -up openssh-5.6p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.6p1/openbs
  #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
 --- openssh-5.6p1/ssh-add.c.fips	2010-05-21 06:56:47.000000000 +0200
-+++ openssh-5.6p1/ssh-add.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/ssh-add.c	2011-01-16 23:41:59.000000000 +0100
 @@ -42,6 +42,7 @@
  #include <sys/param.h>
  
@@ -346,7 +370,7 @@ diff -up openssh-5.6p1/ssh-add.c.fips openssh-5.6p1/ssh-add.c
  				    key_size(key), fp, comment, key_type(key));
 diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
 --- openssh-5.6p1/ssh-agent.c.fips	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.6p1/ssh-agent.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/ssh-agent.c	2011-01-16 23:41:59.000000000 +0100
 @@ -51,6 +51,7 @@
  
  #include <openssl/evp.h>
@@ -370,7 +394,7 @@ diff -up openssh-5.6p1/ssh-agent.c.fips openssh-5.6p1/ssh-agent.c
  
 diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
 --- openssh-5.6p1/ssh.c.fips	2010-08-16 17:59:31.000000000 +0200
-+++ openssh-5.6p1/ssh.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/ssh.c	2011-01-16 23:41:59.000000000 +0100
 @@ -72,6 +72,8 @@
  
  #include <openssl/evp.h>
@@ -434,8 +458,8 @@ diff -up openssh-5.6p1/ssh.c.fips openssh-5.6p1/ssh.c
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
---- openssh-5.6p1/sshconnect2.c.fips	2010-08-23 12:43:41.000000000 +0200
-+++ openssh-5.6p1/sshconnect2.c	2010-08-23 12:43:41.000000000 +0200
+--- openssh-5.6p1/sshconnect2.c.fips	2011-01-16 23:41:59.000000000 +0100
++++ openssh-5.6p1/sshconnect2.c	2011-01-16 23:41:59.000000000 +0100
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -481,7 +505,7 @@ diff -up openssh-5.6p1/sshconnect2.c.fips openssh-5.6p1/sshconnect2.c
  	/*
 diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
 --- openssh-5.6p1/sshconnect.c.fips	2010-04-18 00:08:21.000000000 +0200
-+++ openssh-5.6p1/sshconnect.c	2010-08-23 12:43:41.000000000 +0200
++++ openssh-5.6p1/sshconnect.c	2011-01-16 23:41:59.000000000 +0100
 @@ -40,6 +40,8 @@
  #include <string.h>
  #include <unistd.h>
@@ -569,8 +593,8 @@ diff -up openssh-5.6p1/sshconnect.c.fips openssh-5.6p1/sshconnect.c
  
  	xfree(fp);
 diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
---- openssh-5.6p1/sshd.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.6p1/sshd.c	2010-08-23 12:43:41.000000000 +0200
+--- openssh-5.6p1/sshd.c.fips	2011-01-16 23:41:58.000000000 +0100
++++ openssh-5.6p1/sshd.c	2011-01-16 23:41:59.000000000 +0100
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -580,7 +604,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1307,6 +1309,12 @@ main(int ac, char **av)
+@@ -1309,6 +1311,12 @@ main(int ac, char **av)
  	(void)set_auth_parameters(ac, av);
  #endif
  	__progname = ssh_get_progname(av[0]);
@@ -593,7 +617,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	init_rng();
  
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1468,8 +1476,6 @@ main(int ac, char **av)
+@@ -1470,8 +1478,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -602,7 +626,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1587,6 +1593,10 @@ main(int ac, char **av)
+@@ -1589,6 +1595,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -613,7 +637,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1751,6 +1761,10 @@ main(int ac, char **av)
+@@ -1753,6 +1763,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -624,7 +648,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	chdir("/");
-@@ -2284,6 +2298,9 @@ do_ssh2_kex(void)
+@@ -2293,6 +2307,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -634,7 +658,7 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2293,6 +2310,9 @@ do_ssh2_kex(void)
+@@ -2302,6 +2319,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -645,8 +669,8 @@ diff -up openssh-5.6p1/sshd.c.fips openssh-5.6p1/sshd.c
  	if (options.compression == COMP_NONE) {
  		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
 diff -up openssh-5.6p1/ssh-keygen.c.fips openssh-5.6p1/ssh-keygen.c
---- openssh-5.6p1/ssh-keygen.c.fips	2010-08-23 12:43:40.000000000 +0200
-+++ openssh-5.6p1/ssh-keygen.c	2010-08-23 12:43:41.000000000 +0200
+--- openssh-5.6p1/ssh-keygen.c.fips	2011-01-16 23:41:58.000000000 +0100
++++ openssh-5.6p1/ssh-keygen.c	2011-01-16 23:41:59.000000000 +0100
 @@ -21,6 +21,7 @@
  
  #include <openssl/evp.h>
diff --git a/openssh.spec b/openssh.spec
index febeb7d..1aacf9e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.6p1
-%define openssh_rel 23
+%define openssh_rel 24
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 29
 
@@ -603,6 +603,9 @@ fi
 %endif
 
 %changelog
+* Mon Jan 17 2011 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-24 + 0.9.2-29
+- make audit compatible with the fips mode
+
 * Fri Jan 14 2011 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-23 + 0.9.2-29
 - add audit of destruction the server keys

More information about the scm-commits mailing list