[openssh] Revert "use hmac_suffix for ssh{,d} hmac checksums"
plautrba
plautrba at fedoraproject.org
Tue Oct 8 16:57:20 UTC 2013
commit b61d9c10d35222dee36428dd48495323b671128f
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Tue Oct 8 17:04:53 2013 +0200
Revert "use hmac_suffix for ssh{,d} hmac checksums"
This reverts commit c6724c72f437fef9e2baf55f91b98ec49e6d88e4.
openssh-6.2p1-fips.patch | 26 ++++----------------------
openssh.spec | 21 ++++++++-------------
2 files changed, 12 insertions(+), 35 deletions(-)
---
diff --git a/openssh-6.2p1-fips.patch b/openssh-6.2p1-fips.patch
index c2b2e75..6cbc983 100644
--- a/openssh-6.2p1-fips.patch
+++ b/openssh-6.2p1-fips.patch
@@ -375,13 +375,12 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
-@@ -253,6 +255,11 @@ main(int ac, char **av)
+@@ -253,6 +255,10 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
-+
-+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
+ fatal("FIPS integrity verification test failed.");
+ }
@@ -476,13 +475,12 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
-@@ -1423,6 +1425,12 @@ main(int ac, char **av)
+@@ -1423,6 +1425,11 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
-+
-+ if (!FIPSCHECK_verify_ex(NULL, NULL, HMAC_SUFFIX, 0)) {
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
+ fatal("FIPS integrity verification test failed.");
+ }
+
@@ -540,19 +538,3 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-diff -up openssh-6.2p2/configure.ac.fips openssh-6.2p2/configure.ac
---- openssh-6.2p2/configure.ac.fips 2013-09-10 17:54:55.092279052 +0200
-+++ openssh-6.2p2/configure.ac 2013-09-10 17:55:18.021172145 +0200
-@@ -4421,6 +4421,12 @@ AC_ARG_WITH([lastlog],
- ]
- )
-
-+AC_ARG_ENABLE(hmac-suffix,
-+ [ --enable-hmac-suffix=suffix specify the full hmac_suffix for fipscheck library],
-+ [AC_DEFINE_UNQUOTED(HMAC_SUFFIX,["$enableval"],[Define to %{version}-%{release}.hmac])],
-+ [AC_DEFINE(HMAC_SUFFIX, NULL)]
-+)
-+
- dnl lastlog, [uw]tmpx? detection
- dnl NOTE: set the paths in the platform section to avoid the
- dnl need for command-line parameters
diff --git a/openssh.spec b/openssh.spec
index 35a4ee7..ca263e5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -68,8 +68,6 @@
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 5
-%define hmac_suffix .%{openssh_ver}-%{openssh_rel}.hmac
-
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: %{openssh_ver}
@@ -214,7 +212,7 @@ BuildRequires: audit-libs-devel >= 2.0.5
BuildRequires: util-linux, groff
BuildRequires: pam-devel
BuildRequires: tcp_wrappers-devel
-BuildRequires: fipscheck-devel >= 1.4.1
+BuildRequires: fipscheck-devel >= 1.3.0
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators
@@ -244,7 +242,7 @@ Requires: openssh = %{version}-%{release}
Summary: The FIPS module package for SSH client
Group: Applications/Internet
Requires: openssh-clients = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.4.1
+Requires: fipscheck-lib%{_isa} >= 1.3.0
Requires: openssl-fips
%package server
@@ -518,11 +516,10 @@ fi
--without-kerberos5 \
%endif
%if %{libedit}
- --with-libedit \
+ --with-libedit
%else
- --without-libedit \
+ --without-libedit
%endif
- --enable-hmac-suffix=%{hmac_suffix}
%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
@@ -564,8 +561,6 @@ popd
%{__arch_install_post} \
%{__os_install_post} \
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
- mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/ssh%{hmac_suffix} \
- mv $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd.hmac $RPM_BUILD_ROOT%{_libdir}/fipscheck/sshd%{hmac_suffix}
%{nil}
%check
@@ -641,13 +636,13 @@ getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
-%pre clients-fips
+%post clients-fips
prelink -u %{_bindir}/ssh 2>/dev/null || :
%post server
%systemd_post sshd.service sshd.socket
-%pre server-fips
+%post server-fips
prelink -u %{_sbindir}/sshd 2>/dev/null || :
%preun server
@@ -709,7 +704,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
%files clients-fips
%defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh%{hmac_suffix}
+%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
# We don't want to depend on prelink for this directory
%dir %{_sysconfdir}/prelink.conf.d
%{_sysconfdir}/prelink.conf.d/openssh-clients-fips.conf
@@ -735,7 +730,7 @@ prelink -u %{_sbindir}/sshd 2>/dev/null || :
%files server-fips
%defattr(-,root,root)
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd%{hmac_suffix}
+%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
# We don't want to depend on prelink for this directory
%dir %{_sysconfdir}/prelink.conf.d
%{_sysconfdir}/prelink.conf.d/openssh-server-fips.conf
More information about the scm-commits
mailing list