rpms/openssh/devel openssh-5.2p1-fips.patch, 1.2, 1.3 openssh.spec, 1.138, 1.139
Tomáš Mráz
tmraz at fedoraproject.org
Fri Mar 13 10:32:53 UTC 2009
Author: tmraz
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2498
Modified Files:
openssh-5.2p1-fips.patch openssh.spec
Log Message:
* Fri Mar 13 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-2
- add AES-CTR ciphers to the FIPS mode proposal
openssh-5.2p1-fips.patch:
Index: openssh-5.2p1-fips.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-fips.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- openssh-5.2p1-fips.patch 10 Mar 2009 13:39:03 -0000 1.2
+++ openssh-5.2p1-fips.patch 13 Mar 2009 10:32:52 -0000 1.3
@@ -1,6 +1,6 @@
diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
---- openssh-5.2p1/ssh-agent.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/ssh-agent.c 2009-02-12 13:46:18.000000000 +0100
+--- openssh-5.2p1/ssh-agent.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/ssh-agent.c 2009-03-13 11:23:15.000000000 +0100
@@ -51,6 +51,8 @@
#include <openssl/evp.h>
@@ -36,8 +36,8 @@
__progname = ssh_get_progname(av[0]);
init_rng();
diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
---- openssh-5.2p1/auth2-pubkey.c.fips 2009-02-11 19:01:25.000000000 +0100
-+++ openssh-5.2p1/auth2-pubkey.c 2009-02-11 19:01:26.000000000 +0100
+--- openssh-5.2p1/auth2-pubkey.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/auth2-pubkey.c 2009-03-13 11:23:15.000000000 +0100
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
@@ -56,8 +56,8 @@
key_type(found), fp);
xfree(fp);
diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/ssh.c 2009-02-12 13:48:43.000000000 +0100
+--- openssh-5.2p1/ssh.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/ssh.c 2009-03-13 11:23:15.000000000 +0100
@@ -71,6 +71,8 @@
#include <openssl/evp.h>
@@ -78,7 +78,7 @@
init_rng();
/*
-@@ -562,7 +568,6 @@ main(int ac, char **av)
+@@ -550,7 +556,6 @@ main(int ac, char **av)
if (!host)
usage();
@@ -87,9 +87,9 @@
/* Initialize the command to execute on remote host. */
diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
---- openssh-5.2p1/sshconnect2.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/sshconnect2.c 2009-02-11 19:01:26.000000000 +0100
-@@ -43,6 +43,8 @@
+--- openssh-5.2p1/sshconnect2.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/sshconnect2.c 2009-03-13 11:23:15.000000000 +0100
+@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@@ -98,7 +98,7 @@
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
-@@ -113,6 +115,10 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -109,7 +109,7 @@
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -128,7 +134,11 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -121,7 +121,7 @@
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
-@@ -478,8 +488,8 @@ input_userauth_pk_ok(int type, u_int32_t
+@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
@@ -133,8 +133,8 @@
/*
diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
---- openssh-5.2p1/Makefile.in.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/Makefile.in 2009-02-12 14:06:25.000000000 +0100
+--- openssh-5.2p1/Makefile.in.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/Makefile.in 2009-03-13 11:23:15.000000000 +0100
@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
@@ -172,8 +172,8 @@
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
---- openssh-5.2p1/sshd.c.fips 2009-02-11 19:01:25.000000000 +0100
-+++ openssh-5.2p1/sshd.c 2009-02-12 13:51:51.000000000 +0100
+--- openssh-5.2p1/sshd.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/sshd.c 2009-03-13 11:23:15.000000000 +0100
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@@ -183,7 +183,7 @@
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
-@@ -1261,6 +1263,12 @@ main(int ac, char **av)
+@@ -1260,6 +1262,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
@@ -196,7 +196,7 @@
init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1413,8 +1421,6 @@ main(int ac, char **av)
+@@ -1412,8 +1420,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@@ -205,7 +205,7 @@
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
-@@ -2183,6 +2189,9 @@ do_ssh2_kex(void)
+@@ -2182,6 +2188,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -215,7 +215,7 @@
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2192,6 +2201,9 @@ do_ssh2_kex(void)
+@@ -2191,6 +2200,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -227,7 +227,7 @@
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.2p1/mac.c 2009-02-11 19:01:26.000000000 +0100
++++ openssh-5.2p1/mac.c 2009-03-13 11:23:15.000000000 +0100
@@ -28,6 +28,7 @@
#include <sys/types.h>
@@ -278,8 +278,8 @@
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
---- openssh-5.2p1/ssh-keygen.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/ssh-keygen.c 2009-02-12 13:46:00.000000000 +0100
+--- openssh-5.2p1/ssh-keygen.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/ssh-keygen.c 2009-03-13 11:23:15.000000000 +0100
@@ -21,6 +21,8 @@
#include <openssl/evp.h>
@@ -332,8 +332,8 @@
xfree(ra);
xfree(fp);
diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
---- openssh-5.2p1/nsskeys.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/nsskeys.c 2009-02-11 19:01:26.000000000 +0100
+--- openssh-5.2p1/nsskeys.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/nsskeys.c 2009-03-13 11:23:15.000000000 +0100
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
@@ -346,8 +346,8 @@
return 0;
diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
---- openssh-5.2p1/ssh-add.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/ssh-add.c 2009-02-12 13:46:31.000000000 +0100
+--- openssh-5.2p1/ssh-add.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/ssh-add.c 2009-03-13 11:23:15.000000000 +0100
@@ -42,6 +42,8 @@
#include <sys/param.h>
@@ -387,7 +387,7 @@
if (ac == NULL) {
diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-02-11 19:01:26.000000000 +0100
++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-03-13 11:23:15.000000000 +0100
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@@ -430,14 +430,15 @@
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
---- openssh-5.2p1/myproposal.h.fips 2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.2p1/myproposal.h 2009-02-11 19:01:26.000000000 +0100
-@@ -52,7 +52,11 @@
+--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
++++ openssh-5.2p1/myproposal.h 2009-03-13 11:27:49.000000000 +0100
+@@ -53,7 +53,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
-
+#define KEX_FIPS_ENCRYPT \
++ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se"
+#define KEX_FIPS_MAC \
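Review bot: Placing the three `aes*-ctr` names ahead of the CBC ciphers in `KEX_FIPS_ENCRYPT` is the right preference — it mirrors what upstream 5.2 did for the default proposal after the SSH CBC plaintext-recovery issue (CVE-2008-5161) — but this diff does not show the matching FIPS-mode change in cipher.c: the cipher.c hunks below are offset renumbering only, so if the FIPS cipher table that `cipher_by_name()` and `cipher_by_number()` iterate there does not also carry the CTR entries, ssh and sshd will advertise names that the FIPS lookup rejects once negotiated. Please confirm against the full patch that the table and this proposal list agree. A one-line comment on the macro would keep the two from drifting, e.g. `/* FIPS-mode proposal: CTR first (CBC is subject to the SSH plaintext-recovery attack); keep in sync with the FIPS cipher table in cipher.c */`. The `KEX_FIPS_MAC` definition that starts on the last line of this hunk continues outside it.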
@@ -447,7 +448,7 @@
KEX_DEFAULT_KEX,
diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
--- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-5.2p1/ssh-keysign.c 2009-02-12 13:44:41.000000000 +0100
++++ openssh-5.2p1/ssh-keysign.c 2009-03-13 11:23:15.000000000 +0100
@@ -38,6 +38,8 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
@@ -478,8 +479,8 @@
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
---- openssh-5.2p1/cipher.c.fips 2008-07-23 14:03:19.000000000 +0200
-+++ openssh-5.2p1/cipher.c 2009-02-11 19:01:26.000000000 +0100
+--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
++++ openssh-5.2p1/cipher.c 2009-03-13 11:23:15.000000000 +0100
@@ -40,6 +40,7 @@
#include <sys/types.h>
@@ -488,7 +489,7 @@
#include <string.h>
#include <stdarg.h>
-@@ -91,6 +92,22 @@ struct Cipher {
+@@ -93,6 +94,22 @@ struct Cipher {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
};
@@ -511,7 +512,7 @@
/*--*/
u_int
-@@ -133,7 +150,7 @@ Cipher *
+@@ -135,7 +152,7 @@ Cipher *
cipher_by_name(const char *name)
{
Cipher *c;
@@ -520,7 +521,7 @@
if (strcmp(c->name, name) == 0)
return c;
return NULL;
-@@ -143,7 +160,7 @@ Cipher *
+@@ -145,7 +162,7 @@ Cipher *
cipher_by_number(int id)
{
Cipher *c;
@@ -529,7 +530,7 @@
if (c->number == id)
return c;
return NULL;
-@@ -187,7 +204,7 @@ cipher_number(const char *name)
+@@ -189,7 +206,7 @@ cipher_number(const char *name)
Cipher *c;
if (name == NULL)
return -1;
@@ -539,8 +540,8 @@
return c->number;
return -1;
diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
---- openssh-5.2p1/ssh-keyscan.c.fips 2008-07-04 15:10:49.000000000 +0200
-+++ openssh-5.2p1/ssh-keyscan.c 2009-02-12 13:44:21.000000000 +0100
+--- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100
++++ openssh-5.2p1/ssh-keyscan.c 2009-03-13 11:23:15.000000000 +0100
@@ -19,6 +19,8 @@
#include <arpa/inet.h>
@@ -550,7 +551,7 @@
#include <netdb.h>
#include <errno.h>
-@@ -730,6 +732,13 @@ main(int argc, char **argv)
+@@ -731,6 +733,13 @@ main(int argc, char **argv)
extern char *optarg;
__progname = ssh_get_progname(argv[0]);
@@ -565,8 +566,8 @@
seed_rng();
TAILQ_INIT(&tq);
diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
---- openssh-5.2p1/sshconnect.c.fips 2009-02-11 19:01:26.000000000 +0100
-+++ openssh-5.2p1/sshconnect.c 2009-02-11 19:01:26.000000000 +0100
+--- openssh-5.2p1/sshconnect.c.fips 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/sshconnect.c 2009-03-13 11:23:15.000000000 +0100
@@ -40,6 +40,8 @@
#include <unistd.h>
#include <fcntl.h>
@@ -576,7 +577,7 @@
#include "xmalloc.h"
#include "key.h"
#include "hostfile.h"
-@@ -765,6 +767,7 @@ check_host_key(char *hostname, struct so
+@@ -761,6 +763,7 @@ check_host_key(char *hostname, struct so
goto fail;
} else if (options.strict_host_key_checking == 2) {
char msg1[1024], msg2[1024];
@@ -584,7 +585,7 @@
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
-@@ -773,8 +776,8 @@ check_host_key(char *hostname, struct so
+@@ -769,8 +772,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@@ -595,7 +596,7 @@
SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
-@@ -790,10 +793,10 @@ check_host_key(char *hostname, struct so
+@@ -786,10 +789,10 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
@@ -608,7 +609,7 @@
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
-@@ -1081,17 +1084,18 @@ show_key_from_file(const char *file, con
+@@ -1077,17 +1080,18 @@ show_key_from_file(const char *file, con
Key *found;
char *fp, *ra;
int line, ret;
@@ -631,7 +632,7 @@
xfree(ra);
xfree(fp);
}
-@@ -1137,8 +1141,9 @@ warn_changed_key(Key *host_key)
+@@ -1133,8 +1137,9 @@ warn_changed_key(Key *host_key)
{
char *fp;
const char *type = key_type(host_key);
@@ -642,7 +643,7 @@
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
-@@ -1146,8 +1151,8 @@ warn_changed_key(Key *host_key)
+@@ -1142,8 +1147,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type);
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.138
retrieving revision 1.139
diff -u -r1.138 -r1.139
--- openssh.spec 10 Mar 2009 11:54:44 -0000 1.138
+++ openssh.spec 13 Mar 2009 10:32:52 -0000 1.139
@@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
-Release: 1%{?dist}%{?rescue_rel}
+Release: 2%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -472,7 +472,10 @@
%endif
%changelog
-* Thu Mar 9 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-1
+* Fri Mar 13 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-2
+- add AES-CTR ciphers to the FIPS mode proposal
+
+* Mon Mar 9 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-1
- upgrade to new upstream release
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 5.1p1-8