[openssh] Revert "use hmac_suffix for ssh{,d} hmac checksums"

plautrba plautrba at fedoraproject.org
Tue Oct 8 16:57:20 UTC 2013


commit b61d9c10d35222dee36428dd48495323b671128f
Author: Petr Lautrbach <plautrba at redhat.com>
Date:   Tue Oct 8 17:04:53 2013 +0200

    Revert "use hmac_suffix for ssh{,d} hmac checksums"
    
    This reverts commit c6724c72f437fef9e2baf55f91b98ec49e6d88e4.

 openssh-6.2p1-fips.patch |   26 ++++----------------------
 openssh.spec             |   21 ++++++++-------------
 2 files changed, 12 insertions(+), 35 deletions(-)
---
diff --git a/openssh-6.2p1-fips.patch b/openssh-6.2p1-fips.patch
index c2b2e75..6cbc983 100644
--- a/openssh-6.2p1-fips.patch
+++ b/openssh-6.2p1-fips.patch
@@ -375,13 +375,12 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -253,6 +255,11 @@ main(int ac, char **av)
+@@ -253,6 +255,10 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
 +        SSLeay_add_all_algorithms();
-+
-+        if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
++        if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
 +                fatal("FIPS integrity verification test failed.");
 +        }
  
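Review bot: The restored guard `FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)` in the ssh.c hunk only verifies the binary when OpenSSL already reports FIPS mode this early in main(). Nothing visible in the hunk enables FIPS mode, so the check presumably relies on the library having switched itself into FIPS mode during initialisation. If that assumption does not hold, the HMAC verification is skipped without any log entry. A short comment above the `if` would record the dependency, e.g. `/* FIPS mode is expected to be set by OpenSSL at load time; the HMAC check is skipped otherwise */`. The same applies to the identical sshd.c hunk that follows; main() continues outside both hunks.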
@@ -476,13 +475,12 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1423,6 +1425,12 @@ main(int ac, char **av)
+@@ -1423,6 +1425,11 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
 +        SSLeay_add_all_algorithms();
-+
-+        if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
++        if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
 +                fatal("FIPS integrity verification test failed.");
 +        }
 +
@@ -540,19 +538,3 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
  	}
  	if (options.compression == COMP_NONE) {
  		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
---- openssh-6.2p2/configure.ac.fips	2013-09-10 17:54:55.092279052 +0200
-+++ openssh-6.2p2/configure.ac	2013-09-10 17:55:18.021172145 +0200
-@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
- 	]
- )
- 
-+AC_ARG_ENABLE(hmac-suffix,
-+  [  --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
-+  [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
-+  [AC_DEFINE(HMAC_SUFFIX, NULL)]
-+)
-+
- dnl lastlog, [uw]tmpx? detection
- dnl  NOTE: set the paths in the platform section to avoid the
- dnl   need for command-line parameters
diff --git a/openssh.spec b/openssh.spec
index 35a4ee7..ca263e5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -68,8 +68,6 @@
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 5
 
-%define hmac_suffix .%{openssh_ver}-%{openssh_rel}.hmac
-
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
@@ -214,7 +212,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
 BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.4.1
+BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 
@@ -244,7 +242,7 @@ Requires: openssh = %{version}-%{release}
 Summary: The FIPS module package for SSH client
 Group: Applications/Internet
 Requires: openssh-clients = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.4.1
+Requires: fipscheck-lib%{_isa} >= 1.3.0
 Requires: openssl-fips
 
 %package server
@@ -518,11 +516,10 @@ fi
 	--without-kerberos5 \
 %endif
 %if %{libedit}
-	--with-libedit \
+	--with-libedit
 %else
-	--without-libedit \
+	--without-libedit
 %endif
-	--enable-hmac-suffix=%{hmac_suffix}
 
 %if %{static_libcrypto}
 perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
@@ -564,8 +561,6 @@ popd
     %{__arch_install_post} \
     %{__os_install_post} \
     fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
-    mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh%{hmac_suffix} \
-    mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd%{hmac_suffix}
 %{nil}
 
 %check
@@ -641,13 +636,13 @@ getent passwd sshd >/dev/null || \
   useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
   -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
 
-%pre clients-fips
+%post clients-fips
 prelink -u %{_bindir}/ssh 2>/dev/null || :
 
 %post server
 %systemd_post sshd.service sshd.socket
 
-%pre server-fips
+%post server-fips
 prelink -u %{_sbindir}/sshd 2>/dev/null || :
 
 %preun server
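Review bot: Both `prelink -u` scriptlets end in `2>/dev/null || :`, so a failed un-prelink is invisible at install time. The installed `ssh` or `sshd` could then differ from the binary that `fipshmac` hashed during the build (see the `__spec_install_post` hunk), and in FIPS mode that would presumably surface only later as "FIPS integrity verification test failed." at startup. The scriptlets carry no explanation of why they exist or why errors are discarded. I would add a comment above each, for example `# undo prelinking so the binary matches its build-time HMAC in %{_libdir}/fipscheck; errors are ignored because prelink may not be installed`.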
@@ -709,7 +704,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
 
 %files clients-fips
 %defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh%{hmac_suffix}
+%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
 # We don't want to depend on prelink for this directory
 %dir %{_sysconfdir}/prelink.conf.d
 %{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
@@ -735,7 +730,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
 
 %files server-fips
 %defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd%{hmac_suffix}
+%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 # We don't want to depend on prelink for this directory
 %dir %{_sysconfdir}/prelink.conf.d
 %{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf

