Change-Id: Ib8d792f58e4a406e5dc415fbcd89378a0211266a
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5657
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
... | ... |
@@ -1,14 +1,14 @@ |
1 | 1 |
Summary: A shared library implementation of IPMI and the basic tools |
2 | 2 |
Name: openipmi |
3 |
-Version: 2.0.24 |
|
4 |
-Release: 2%{?dist} |
|
3 |
+Version: 2.0.25 |
|
4 |
+Release: 1%{?dist} |
|
5 | 5 |
URL: https://sourceforge.net/projects/openipmi/ |
6 | 6 |
License: LGPLv2+ and GPLv2+ or BSD |
7 | 7 |
Group: System Environment/Base |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: https://sourceforge.net/projects/openipmi/files/latest/download/%{name}-%{version}.tar.gz |
11 |
-%define sha1 openipmi=f37656813a826a3147ed557c32408f8daa399c28 |
|
11 |
+%define sha1 openipmi=06751d0cd4353edc9711405f829fa7039533239d |
|
12 | 12 |
Source1: openipmi-helper |
13 | 13 |
Source2: ipmi.service |
14 | 14 |
BuildRequires: systemd |
... | ... |
@@ -178,6 +178,8 @@ echo "disable ipmi.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-ip |
178 | 178 |
%{_mandir}/man5/ipmi_sim_cmd.5.gz |
179 | 179 |
|
180 | 180 |
%changelog |
181 |
+* Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.0.25-1 |
|
182 |
+- Upgrade to 2.0.25 |
|
181 | 183 |
* Fri Sep 15 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-2 |
182 | 184 |
- openipmi-devel requires ncurses-devel |
183 | 185 |
* Mon Sep 11 2017 Xiaolin Li <xiaolinl@vmware.com> 2.0.24-1 |
184 | 186 |
deleted file mode 100644 |
... | ... |
@@ -1,26 +0,0 @@ |
1 |
-From c32e74763f77675b9e144126e375977ed6dc562c Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Howard Chu <hyc@openldap.org> |
|
3 |
-Date: Mon, 19 Jan 2015 22:25:53 +0000 |
|
4 |
-Subject: [PATCH] ITS#8027 require non-empty AttributeList |
|
5 |
- |
|
6 |
- servers/slapd/overlays/deref.c | 3 ++- |
|
7 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
|
8 |
- |
|
9 |
-diff --git a/servers/slapd/overlays/deref.c b/servers/slapd/overlays/deref.c |
|
10 |
-index 9420e3e..05aa890 100644 |
|
11 |
-+++ b/servers/slapd/overlays/deref.c |
|
12 |
-@@ -183,7 +183,8 @@ deref_parseCtrl ( |
|
13 |
- ber_len_t cnt = sizeof(struct berval); |
|
14 |
- ber_len_t off = 0; |
|
15 |
- |
|
16 |
-- if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR ) |
|
17 |
-+ if ( ber_scanf( ber, "{m{M}}", &derefAttr, &attributes, &cnt, off ) == LBER_ERROR |
|
18 |
-+ || !cnt ) |
|
19 |
- { |
|
20 |
- rs->sr_text = "Dereference control: derefSpec decoding error"; |
|
21 |
- rs->sr_err = LDAP_PROTOCOL_ERROR; |
|
22 |
-1.7.10.4 |
|
23 |
- |
24 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,34 +0,0 @@ |
1 |
-From 2f1a2dd329b91afe561cd06b872d09630d4edb6a Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Howard Chu <hyc@openldap.org> |
|
3 |
-Date: Wed, 4 Feb 2015 02:03:55 +0000 |
|
4 |
-Subject: [PATCH] ITS#8046 fix vrFilter_free |
|
5 |
- |
|
6 |
- servers/slapd/filter.c | 10 +++------- |
|
7 |
- 1 file changed, 3 insertions(+), 7 deletions(-) |
|
8 |
- |
|
9 |
-diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c |
|
10 |
-index b859f73..22c81c8 100644 |
|
11 |
-+++ b/servers/slapd/filter.c |
|
12 |
-@@ -1158,14 +1158,10 @@ get_vrFilter( Operation *op, BerElement *ber, |
|
13 |
- void |
|
14 |
- vrFilter_free( Operation *op, ValuesReturnFilter *vrf ) |
|
15 |
- { |
|
16 |
-- ValuesReturnFilter *p, *next; |
|
17 |
-+ ValuesReturnFilter *next; |
|
18 |
- |
|
19 |
-- if ( vrf == NULL ) { |
|
20 |
-- return; |
|
21 |
-- } |
|
22 |
-- |
|
23 |
-- for ( p = vrf; p != NULL; p = next ) { |
|
24 |
-- next = p->vrf_next; |
|
25 |
-+ for ( ; vrf != NULL; vrf = next ) { |
|
26 |
-+ next = vrf->vrf_next; |
|
27 |
- |
|
28 |
- switch ( vrf->vrf_choice & SLAPD_FILTER_MASK ) { |
|
29 |
- case LDAP_FILTER_PRESENT: |
|
30 |
-1.7.10.4 |
|
31 |
- |
32 | 1 |
deleted file mode 100755 |
... | ... |
@@ -1,188 +0,0 @@ |
1 |
-Submitted By: Armin K. <krejzi at email dot com> |
|
2 |
-Date: 2012-04-06 |
|
3 |
-Initial Package Version: 2.4.30 |
|
4 |
-Upstream Status: BLFS Specific |
|
5 |
-Origin: Self |
|
6 |
-Description: Patch changes various installation options, such as ldap database path, |
|
7 |
- configuration file options, slapd install location, etc. |
|
8 |
- |
|
9 |
-+++ openldap/doc/man/man5/slapd-bdb.5 2012-04-06 00:18:54.171136608 +0200 |
|
10 |
-@@ -131,7 +131,7 @@ |
|
11 |
- associated indexes live. |
|
12 |
- A separate directory must be specified for each database. |
|
13 |
- The default is |
|
14 |
--.BR LOCALSTATEDIR/openldap\-data . |
|
15 |
-+.BR LOCALSTATEDIR/lib/openldap . |
|
16 |
- .TP |
|
17 |
- .B dirtyread |
|
18 |
- Allow reads of modified but not yet committed data. |
|
19 |
-+++ openldap/doc/man/man5/slapd.conf.5 2012-04-06 00:18:54.174136671 +0200 |
|
20 |
-@@ -1987,7 +1987,7 @@ |
|
21 |
- # The database directory MUST exist prior to |
|
22 |
- # running slapd AND should only be accessible |
|
23 |
- # by the slapd/tools. Mode 0700 recommended. |
|
24 |
--directory LOCALSTATEDIR/openldap\-data |
|
25 |
-+directory LOCALSTATEDIR/lib/openldap |
|
26 |
- # Indices to maintain |
|
27 |
- index objectClass eq |
|
28 |
- index cn,sn,mail pres,eq,approx,sub |
|
29 |
-+++ openldap/doc/man/man5/slapd-config.5 2012-04-06 00:18:54.194137078 +0200 |
|
30 |
-@@ -2029,7 +2029,7 @@ |
|
31 |
- # The database directory MUST exist prior to |
|
32 |
- # running slapd AND should only be accessible |
|
33 |
- # by the slapd/tools. Mode 0700 recommended. |
|
34 |
--olcDbDirectory: LOCALSTATEDIR/openldap\-data |
|
35 |
-+olcDbDirectory: LOCALSTATEDIR/lib/openldap |
|
36 |
- # Indices to maintain |
|
37 |
- olcDbIndex: objectClass eq |
|
38 |
- olcDbIndex: cn,sn,mail pres,eq,approx,sub |
|
39 |
-+++ openldap/include/ldap_defaults.h 2012-04-06 00:18:54.200137199 +0200 |
|
40 |
-@@ -39,7 +39,7 @@ |
|
41 |
- #define LDAP_ENV_PREFIX "LDAP" |
|
42 |
- |
|
43 |
- /* default ldapi:// socket */ |
|
44 |
--#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" |
|
45 |
-+#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "openldap" LDAP_DIRSEP "ldapi" |
|
46 |
- |
|
47 |
- /* |
|
48 |
- * SLAPD DEFINITIONS |
|
49 |
-@@ -47,7 +47,7 @@ |
|
50 |
- /* location of the default slapd config file */ |
|
51 |
- #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" |
|
52 |
- #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" |
|
53 |
--#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" |
|
54 |
-+#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "openldap" |
|
55 |
- #define SLAPD_DEFAULT_DB_MODE 0600 |
|
56 |
- #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" |
|
57 |
- /* default max deref depth for aliases */ |
|
58 |
-+++ openldap/libraries/liblber/Makefile.in 2012-04-06 00:18:54.204137280 +0200 |
|
59 |
-@@ -48,6 +48,6 @@ |
|
60 |
- |
|
61 |
- install-local: FORCE |
|
62 |
- -$(MKDIR) $(DESTDIR)$(libdir) |
|
63 |
-- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) |
|
64 |
-+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) |
|
65 |
- $(LTFINISH) $(DESTDIR)$(libdir) |
|
66 |
- |
|
67 |
-+++ openldap/libraries/libldap/Makefile.in 2012-04-06 00:18:54.204137280 +0200 |
|
68 |
-@@ -68,7 +68,7 @@ |
|
69 |
- |
|
70 |
- install-local: $(CFFILES) FORCE |
|
71 |
- -$(MKDIR) $(DESTDIR)$(libdir) |
|
72 |
-- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) |
|
73 |
-+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) |
|
74 |
- $(LTFINISH) $(DESTDIR)$(libdir) |
|
75 |
- -$(MKDIR) $(DESTDIR)$(sysconfdir) |
|
76 |
- @for i in $(CFFILES); do \ |
|
77 |
-+++ openldap/libraries/libldap_r/Makefile.in 2012-04-06 00:18:54.208137362 +0200 |
|
78 |
-@@ -83,6 +83,6 @@ |
|
79 |
- |
|
80 |
- install-local: $(CFFILES) FORCE |
|
81 |
- -$(MKDIR) $(DESTDIR)$(libdir) |
|
82 |
-- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir) |
|
83 |
-+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir) |
|
84 |
- $(LTFINISH) $(DESTDIR)$(libdir) |
|
85 |
- |
|
86 |
-+++ openldap/servers/slapd/Makefile.in 2012-04-06 00:18:54.208137362 +0200 |
|
87 |
-@@ -370,10 +370,10 @@ |
|
88 |
- install-conf install-db-config install-schema install-tools |
|
89 |
- |
|
90 |
- install-slapd: FORCE |
|
91 |
-- -$(MKDIR) $(DESTDIR)$(libexecdir) |
|
92 |
-+ -$(MKDIR) $(DESTDIR)$(sbindir) |
|
93 |
- -$(MKDIR) $(DESTDIR)$(localstatedir)/run |
|
94 |
- $(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 \ |
|
95 |
-- slapd$(EXEEXT) $(DESTDIR)$(libexecdir) |
|
96 |
-+ slapd$(EXEEXT) $(DESTDIR)$(sbindir) |
|
97 |
- @for i in $(SUBDIRS); do \ |
|
98 |
- if test -d $$i && test -f $$i/Makefile ; then \ |
|
99 |
- echo; echo " cd $$i; $(MAKE) $(MFLAGS) install"; \ |
|
100 |
-@@ -439,9 +439,9 @@ |
|
101 |
- |
|
102 |
- install-db-config: FORCE |
|
103 |
- @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) |
|
104 |
-- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data |
|
105 |
-+ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/openldap |
|
106 |
- $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ |
|
107 |
-- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example |
|
108 |
-+ $(DESTDIR)$(localstatedir)/lib/openldap/DB_CONFIG.example |
|
109 |
- $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ |
|
110 |
- $(DESTDIR)$(sysconfdir)/DB_CONFIG.example |
|
111 |
- |
|
112 |
-@@ -449,6 +449,6 @@ |
|
113 |
- -$(MKDIR) $(DESTDIR)$(sbindir) |
|
114 |
- for i in $(SLAPTOOLS); do \ |
|
115 |
- $(RM) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ |
|
116 |
-- $(LN_S) -f $(DESTDIR)$(libexecdir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ |
|
117 |
-+ $(LN_S) -f $(DESTDIR)$(sbindir)/slapd$(EXEEXT) $(DESTDIR)$(sbindir)/$$i$(EXEEXT); \ |
|
118 |
- done |
|
119 |
- |
|
120 |
-+++ openldap/servers/slapd/slapd.conf 2012-04-06 00:21:12.891992222 +0200 |
|
121 |
-@@ -10,14 +10,12 @@ |
|
122 |
- # service AND an understanding of referrals. |
|
123 |
- #referral ldap://root.openldap.org |
|
124 |
- |
|
125 |
--pidfile %LOCALSTATEDIR%/run/slapd.pid |
|
126 |
--argsfile %LOCALSTATEDIR%/run/slapd.args |
|
127 |
-+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid |
|
128 |
-+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args |
|
129 |
- |
|
130 |
- # Load dynamic backend modules: |
|
131 |
--# modulepath %MODULEDIR% |
|
132 |
--# moduleload back_bdb.la |
|
133 |
--# moduleload back_hdb.la |
|
134 |
--# moduleload back_ldap.la |
|
135 |
-+modulepath %MODULEDIR% |
|
136 |
-+moduleload back_bdb |
|
137 |
- |
|
138 |
- # Sample security restrictions |
|
139 |
- # Require integrity protection (prevent hijacking) |
|
140 |
-@@ -46,20 +44,26 @@ |
|
141 |
- # |
|
142 |
- # rootdn can always read and write EVERYTHING! |
|
143 |
- |
|
144 |
-+# Specific Backend Directives for bdb: |
|
145 |
-+backend bdb |
|
146 |
-+ |
|
147 |
- ####################################################################### |
|
148 |
- # BDB database definitions |
|
149 |
- ####################################################################### |
|
150 |
- |
|
151 |
- database bdb |
|
152 |
- suffix "dc=my-domain,dc=com" |
|
153 |
--rootdn "cn=Manager,dc=my-domain,dc=com" |
|
154 |
-+#rootdn "cn=Manager,dc=my-domain,dc=com" |
|
155 |
-+ |
|
156 |
- # Cleartext passwords, especially for the rootdn, should |
|
157 |
- # be avoid. See slappasswd(8) and slapd.conf(5) for details. |
|
158 |
- # Use of strong authentication encouraged. |
|
159 |
--rootpw secret |
|
160 |
-+#rootpw secret |
|
161 |
-+ |
|
162 |
- # The database directory MUST exist prior to running slapd AND |
|
163 |
- # should only be accessible by the slapd and slap tools. |
|
164 |
- # Mode 700 recommended. |
|
165 |
--directory %LOCALSTATEDIR%/openldap-data |
|
166 |
-+directory %LOCALSTATEDIR%/lib/openldap |
|
167 |
-+ |
|
168 |
- # Indices to maintain |
|
169 |
- index objectClass eq |
|
170 |
-+++ openldap/servers/slapd/slapi/Makefile.in 2012-04-06 00:18:54.210137403 +0200 |
|
171 |
-@@ -46,6 +46,6 @@ |
|
172 |
- install-local: FORCE |
|
173 |
- if test "$(BUILD_MOD)" = "yes"; then \ |
|
174 |
- $(MKDIR) $(DESTDIR)$(libdir); \ |
|
175 |
-- $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(LIBRARY) $(DESTDIR)$(libdir); \ |
|
176 |
-+ $(LTINSTALL) $(INSTALLFLAGS) -m 755 $(LIBRARY) $(DESTDIR)$(libdir); \ |
|
177 |
- fi |
|
178 |
- |
179 | 1 |
deleted file mode 100755 |
... | ... |
@@ -1,160 +0,0 @@ |
1 |
-Submitted By: Armin K. <krejzi at email dot com> |
|
2 |
-Date: 2012-04-06 |
|
3 |
-Initial Package Version: 2.4.30 |
|
4 |
-Upstream Status: Unknown |
|
5 |
-Origin: Debian |
|
6 |
-Description: This patch enables symbol versioning in ldap libraries. Without this |
|
7 |
- patch some applications might generate a warning about missing symbol |
|
8 |
- versions. |
|
9 |
- |
|
10 |
-+++ openldap/build/openldap.m4 2012-04-01 17:29:50.973881411 +0200 |
|
11 |
-@@ -1136,3 +1136,54 @@ |
|
12 |
- #endif |
|
13 |
- ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) |
|
14 |
- ]) |
|
15 |
-+ |
|
16 |
-+dnl ==================================================================== |
|
17 |
-+dnl check for symbol versioning support |
|
18 |
-+AC_DEFUN([OL_SYMBOL_VERSIONING], |
|
19 |
-+[AC_CACHE_CHECK([for .symver assembler directive], |
|
20 |
-+ [ol_cv_asm_symver_directive],[ |
|
21 |
-+cat > conftest.s <<EOF |
|
22 |
-+${libc_cv_dot_text} |
|
23 |
-+_sym: |
|
24 |
-+.symver _sym,sym@VERS |
|
25 |
-+EOF |
|
26 |
-+if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then |
|
27 |
-+ ol_cv_asm_symver_directive=yes |
|
28 |
-+else |
|
29 |
-+ ol_cv_asm_symver_directive=no |
|
30 |
-+fi |
|
31 |
-+rm -f conftest*]) |
|
32 |
-+AC_CACHE_CHECK([for ld --version-script], |
|
33 |
-+ [ol_cv_ld_version_script_option],[ |
|
34 |
-+if test $ol_cv_asm_symver_directive = yes; then |
|
35 |
-+ cat > conftest.s <<EOF |
|
36 |
-+${libc_cv_dot_text} |
|
37 |
-+_sym: |
|
38 |
-+.symver _sym,sym@VERS |
|
39 |
-+EOF |
|
40 |
-+ cat > conftest.map <<EOF |
|
41 |
-+VERS_1 { |
|
42 |
-+ global: sym; |
|
43 |
-+}; |
|
44 |
-+ |
|
45 |
-+VERS_2 { |
|
46 |
-+ global: sym; |
|
47 |
-+} VERS_1; |
|
48 |
-+EOF |
|
49 |
-+ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then |
|
50 |
-+ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared |
|
51 |
-+ -o conftest.so conftest.o |
|
52 |
-+ -Wl,--version-script,conftest.map |
|
53 |
-+ 1>&AS_MESSAGE_LOG_FD]); |
|
54 |
-+ then |
|
55 |
-+ ol_cv_ld_version_script_option=yes |
|
56 |
-+ else |
|
57 |
-+ ol_cv_ld_version_script_option=no |
|
58 |
-+ fi |
|
59 |
-+ else |
|
60 |
-+ ol_cv_ld_version_script_option=no |
|
61 |
-+ fi |
|
62 |
-+else |
|
63 |
-+ ol_cv_ld_version_script_option=no |
|
64 |
-+fi |
|
65 |
-+rm -f conftest*])]) |
|
66 |
-+++ openldap/build/top.mk 2012-04-01 17:29:50.972881390 +0200 |
|
67 |
-@@ -104,6 +104,9 @@ |
|
68 |
- # LINK_LIBS referenced in library and module link commands. |
|
69 |
- LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) |
|
70 |
- |
|
71 |
-+# option to pass to $(CC) to support library symbol versioning, if any |
|
72 |
-+VERSION_OPTION = @VERSION_OPTION@ |
|
73 |
-+ |
|
74 |
- LTSTATIC = @LTSTATIC@ |
|
75 |
- |
|
76 |
- LTLINK = $(LIBTOOL) --mode=link \ |
|
77 |
-@@ -113,7 +116,7 @@ |
|
78 |
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c |
|
79 |
- |
|
80 |
- LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ |
|
81 |
-- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) |
|
82 |
-+ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) |
|
83 |
- |
|
84 |
- LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ |
|
85 |
- $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c |
|
86 |
-+++ openldap/configure.in 2012-04-01 17:29:50.981881580 +0200 |
|
87 |
-@@ -1907,6 +1907,13 @@ |
|
88 |
- fi |
|
89 |
- AC_SUBST(LTSTATIC)dnl |
|
90 |
- |
|
91 |
-+VERSION_OPTION="" |
|
92 |
-+OL_SYMBOL_VERSIONING |
|
93 |
-+if test $ol_cv_ld_version_script_option = yes ; then |
|
94 |
-+ VERSION_OPTION="-Wl,--version-script=" |
|
95 |
-+fi |
|
96 |
-+AC_SUBST(VERSION_OPTION) |
|
97 |
-+ |
|
98 |
- dnl ---------------------------------------------------------------- |
|
99 |
- if test $ol_enable_wrappers != no ; then |
|
100 |
- AC_CHECK_HEADERS(tcpd.h,[ |
|
101 |
-+++ openldap/libraries/liblber/liblber.map 2012-04-01 17:29:50.983881622 +0200 |
|
102 |
-@@ -0,0 +1,8 @@ |
|
103 |
-+OPENLDAP_2.4_2 { |
|
104 |
-+ global: |
|
105 |
-+ ber_*; |
|
106 |
-+ der_alloc; |
|
107 |
-+ lutil_*; |
|
108 |
-+ local: |
|
109 |
-+ *; |
|
110 |
-+}; |
|
111 |
-+++ openldap/libraries/liblber/Makefile.in 2012-04-01 17:29:50.982881601 +0200 |
|
112 |
-@@ -38,6 +38,9 @@ |
|
113 |
- XXLIBS = |
|
114 |
- NT_LINK_LIBS = $(AC_LIBS) |
|
115 |
- UNIX_LINK_LIBS = $(AC_LIBS) |
|
116 |
-+ifneq (,$(VERSION_OPTION)) |
|
117 |
-+ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" |
|
118 |
-+endif |
|
119 |
- |
|
120 |
- dtest: $(XLIBS) dtest.o |
|
121 |
- $(LTLINK) -o $@ dtest.o $(LIBS) |
|
122 |
-+++ openldap/libraries/libldap/libldap.map 2012-04-01 17:29:50.981881580 +0200 |
|
123 |
-@@ -0,0 +1,7 @@ |
|
124 |
-+OPENLDAP_2.4_2 { |
|
125 |
-+ global: |
|
126 |
-+ ldap_*; |
|
127 |
-+ ldif_*; |
|
128 |
-+ local: |
|
129 |
-+ *; |
|
130 |
-+}; |
|
131 |
-+++ openldap/libraries/libldap/Makefile.in 2012-04-01 17:29:50.982881601 +0200 |
|
132 |
-@@ -52,6 +52,9 @@ |
|
133 |
- XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) |
|
134 |
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) |
|
135 |
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) |
|
136 |
-+ifneq (,$(VERSION_OPTION)) |
|
137 |
-+ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map |
|
138 |
-+endif |
|
139 |
- |
|
140 |
- apitest: $(XLIBS) apitest.o |
|
141 |
- $(LTLINK) -o $@ apitest.o $(LIBS) |
|
142 |
-+++ openldap/libraries/libldap_r/Makefile.in 2012-04-01 17:29:50.971881369 +0200 |
|
143 |
-@@ -61,6 +61,9 @@ |
|
144 |
- XXXLIBS = $(LTHREAD_LIBS) |
|
145 |
- NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) |
|
146 |
- UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) |
|
147 |
-+ifneq (,$(VERSION_OPTION)) |
|
148 |
-+ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" |
|
149 |
-+endif |
|
150 |
- |
|
151 |
- .links : Makefile |
|
152 |
- @for i in $(XXSRCS); do \ |
153 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,28 +0,0 @@ |
1 |
-From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Ryan Tandy <ryan@nardis.ca> |
|
3 |
-Date: Wed, 17 May 2017 20:07:39 -0700 |
|
4 |
-Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0 |
|
5 |
- |
|
6 |
-Fixes a double free when a search includes the Paged Results control |
|
7 |
-with a page size of 0 and the search base matches the filter. |
|
8 |
- servers/slapd/back-mdb/search.c | 3 ++- |
|
9 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
|
10 |
- |
|
11 |
-diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c |
|
12 |
-index 301d1a4..43442aa 100644 |
|
13 |
-+++ b/servers/slapd/back-mdb/search.c |
|
14 |
-@@ -1066,7 +1066,8 @@ notfound: |
|
15 |
- /* check size limit */ |
|
16 |
- if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { |
|
17 |
- if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { |
|
18 |
-- mdb_entry_return( op, e ); |
|
19 |
-+ if (e != base) |
|
20 |
-+ mdb_entry_return( op, e ); |
|
21 |
- e = NULL; |
|
22 |
- send_paged_response( op, rs, &lastid, tentries ); |
|
23 |
- goto done; |
|
24 |
-1.7.10.4 |
|
25 |
- |
... | ... |
@@ -1,18 +1,17 @@ |
1 | 1 |
%global _default_patch_fuzz 2 |
2 | 2 |
Summary: OpenLdap-2.4.43 |
3 | 3 |
Name: openldap |
4 |
-Version: 2.4.44 |
|
5 |
-Release: 3%{?dist} |
|
4 |
+Version: 2.4.46 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: OpenLDAP |
7 | 7 |
URL: http://cyrusimap.web.cmu.edu/ |
8 | 8 |
Group: System Environment/Security |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/%{name}-%{version}.tgz |
12 |
-%define sha1 openldap=016a738d050a68d388602a74b5e991035cdba149 |
|
13 |
-Patch0: openldap-2.4.44-consolidated-2.patch |
|
14 |
-Patch1: openldap-CVE-2017-9287.patch |
|
15 |
-Patch2: openldap-2.4.40-gssapi-1.patch |
|
12 |
+%define sha1 openldap=a9ae2273eb9bdd70090dafe0d018a3132606bef6 |
|
13 |
+Patch0: openldap-2.4.40-gssapi-1.patch |
|
14 |
+Patch1: openldap-2.4.44-consolidated-2.patch |
|
16 | 15 |
Requires: openssl >= 1.0.1, cyrus-sasl >= 2.1 |
17 | 16 |
BuildRequires: cyrus-sasl >= 2.1 |
18 | 17 |
BuildRequires: openssl-devel >= 1.0.1 |
... | ... |
@@ -30,7 +29,6 @@ libraries, and documentation for OpenLDAP. |
30 | 30 |
|
31 | 31 |
%prep |
32 | 32 |
%setup -q |
33 |
-%patch2 -p1 |
|
34 | 33 |
%patch0 -p1 |
35 | 34 |
%patch1 -p1 |
36 | 35 |
%build |
... | ... |
@@ -76,19 +74,21 @@ rm -rf %{buildroot}/* |
76 | 76 |
/etc/openldap/* |
77 | 77 |
|
78 | 78 |
%changelog |
79 |
+* Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 2.4.46-1 |
|
80 |
+- Upgrade to 2.4.46 |
|
79 | 81 |
* Fri Oct 13 2017 Alexey Makhalov <amakhalov@vmware.com> 2.4.44-3 |
80 | 82 |
- Use standard configure macros |
81 |
-* Tue Jul 11 2017 Divya Thaluru <dthaluru@vmware.com> 2.4.44-2 |
|
82 |
-- Applied patch for CVE-2017-9287 |
|
83 |
-* Sat Apr 15 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.44-1 |
|
84 |
-- Update to 2.4.44 |
|
85 |
-* Wed Oct 05 2016 ChangLee <changlee@vmware.com> 2.4.43-3 |
|
86 |
-- Modified %check |
|
87 |
-* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.43-2 |
|
88 |
-- GA - Bump release of all rpms |
|
89 |
-* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 2.4.43-1 |
|
90 |
-- Updated to version 2.4.43 |
|
91 |
-* Fri Aug 14 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.40-2 |
|
92 |
-- Patches for CVE-2015-1545 and CVE-2015-1546. |
|
93 |
-* Wed Oct 08 2014 Divya Thaluru <dthaluru@vmware.com> 2.4.40-1 |
|
94 |
-- Initial build. First version |
|
83 |
+* Tue Jul 11 2017 Divya Thaluru <dthaluru@vmware.com> 2.4.44-2 |
|
84 |
+- Applied patch for CVE-2017-9287 |
|
85 |
+* Sat Apr 15 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.44-1 |
|
86 |
+- Update to 2.4.44 |
|
87 |
+* Wed Oct 05 2016 ChangLee <changlee@vmware.com> 2.4.43-3 |
|
88 |
+- Modified %check |
|
89 |
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.43-2 |
|
90 |
+- GA - Bump release of all rpms |
|
91 |
+* Thu Jan 21 2016 Xiaolin Li <xiaolinl@vmware.com> 2.4.43-1 |
|
92 |
+- Updated to version 2.4.43 |
|
93 |
+* Fri Aug 14 2015 Vinay Kulkarni <kulkarniv@vmware.com> 2.4.40-2 |
|
94 |
+- Patches for CVE-2015-1545 and CVE-2015-1546. |
|
95 |
+* Wed Oct 08 2014 Divya Thaluru <dthaluru@vmware.com> 2.4.40-1 |
|
96 |
+- Initial build. First version |
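Review bot: The new changelog entry `- Upgrade to 2.4.46` does not record why `Patch1: openldap-CVE-2017-9287.patch` was dropped from the Patch list and from %prep, so a later audit of this spec cannot tell whether the fix was lost or became redundant. Upstream shipped the ITS#8655 double-free fix (the content of the removed patch file) in 2.4.45, so 2.4.46 should already carry it, but that should be confirmed against the 2.4.46 CHANGES file and stated, e.g. `- Upgrade to 2.4.46; drop openldap-CVE-2017-9287.patch (fixed upstream, ITS#8655)`. The `Summary: OpenLdap-2.4.43` line directly above the bumped Version is now two releases stale; `Summary: OpenLDAP %{version}` would stop it drifting on the next bump.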
... | ... |
@@ -1,11 +1,11 @@ |
1 | 1 |
Summary: Open Source Security Compliance Solution |
2 | 2 |
Name: openscap |
3 |
-Version: 1.2.14 |
|
4 |
-Release: 3%{?dist} |
|
3 |
+Version: 1.2.17 |
|
4 |
+Release: 1%{?dist} |
|
5 | 5 |
License: GPL2+ |
6 | 6 |
URL: https://www.open-scap.org |
7 | 7 |
Source0: https://github.com/OpenSCAP/openscap/releases/download/%{version}/openscap-%{version}.tar.gz |
8 |
-%define sha1 openscap=6c2f4ff0bbbd6b80e6c99f15a2e0d052a1f9afe1 |
|
8 |
+%define sha1 openscap=588676a56b6adf389140d6fdbc6a6685ef06e7b3 |
|
9 | 9 |
Group: System Environment/Libraries |
10 | 10 |
Vendor: VMware, Inc. |
11 | 11 |
Distribution: Photon |
... | ... |
@@ -95,6 +95,8 @@ find %{buildroot} -name '*.la' -delete |
95 | 95 |
%{_libdir}/python2.7/* |
96 | 96 |
|
97 | 97 |
%changelog |
98 |
+* Mon Sep 10 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 1.2.17-1 |
|
99 |
+- Update to 1.2.17 |
|
98 | 100 |
* Thu Aug 10 2017 Rongrong Qiu <rqiu@vmware.com> 1.2.14-3 |
99 | 101 |
- Disable make check which need per-XML-XPATH for bug 1900358 |
100 | 102 |
* Fri May 5 2017 Alexey Makhalov <amakhalov@vmware.com> 1.2.14-2 |
101 | 103 |
deleted file mode 100644 |
... | ... |
@@ -1,298 +0,0 @@ |
1 |
-From b7727ac11601d06e63fa67c8975994cfdbb7e62f Mon Sep 17 00:00:00 2001 |
|
2 |
-From: Alexey Makhalov <amakhalov@vmware.com> |
|
3 |
-Date: Sat, 20 May 2017 05:19:04 +0000 |
|
4 |
-Subject: [PATCH] Configure FIPS |
|
5 |
- |
|
6 |
-New parameter: FipsMode yes/no |
|
7 |
- |
|
8 |
-As soon as FipsMode option parsed FIPS_mode_set(1) will be called. |
|
9 |
-See Bug #1872327 for details. |
|
10 |
- readconf.c | 38 +++++++++++++++++++++++++++++++++++++- |
|
11 |
- readconf.h | 1 + |
|
12 |
- servconf.c | 34 +++++++++++++++++++++++++++++++++- |
|
13 |
- servconf.h | 1 + |
|
14 |
- ssh_config | 1 + |
|
15 |
- ssh_config.0 | 4 ++++ |
|
16 |
- ssh_config.5 | 4 ++++ |
|
17 |
- sshd_config | 2 ++ |
|
18 |
- sshd_config.0 | 4 ++++ |
|
19 |
- sshd_config.5 | 4 ++++ |
|
20 |
- 10 files changed, 91 insertions(+), 2 deletions(-) |
|
21 |
- |
|
22 |
-diff --git a/readconf.c b/readconf.c |
|
23 |
-index 7f401d6..2c970e2 100644 |
|
24 |
-+++ b/readconf.c |
|
25 |
-@@ -171,7 +171,8 @@ typedef enum { |
|
26 |
- oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
|
27 |
- oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
|
28 |
- oPubkeyAcceptedKeyTypes, oProxyJump, |
|
29 |
-- oIgnoredUnknownOption, oDeprecated, oUnsupported |
|
30 |
-+ oIgnoredUnknownOption, oDeprecated, oUnsupported, |
|
31 |
-+ oFipsMode |
|
32 |
- } OpCodes; |
|
33 |
- |
|
34 |
- /* Textual representations of the tokens. */ |
|
35 |
-@@ -291,6 +292,7 @@ static struct { |
|
36 |
- { "streamlocalbindunlink", oStreamLocalBindUnlink }, |
|
37 |
- { "revokedhostkeys", oRevokedHostKeys }, |
|
38 |
- { "fingerprinthash", oFingerprintHash }, |
|
39 |
-+ { "fipsmode", oFipsMode }, |
|
40 |
- { "updatehostkeys", oUpdateHostkeys }, |
|
41 |
- { "hostbasedkeytypes", oHostbasedKeyTypes }, |
|
42 |
- { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, |
|
43 |
-@@ -965,6 +967,35 @@ parse_time: |
|
44 |
- intptr = &options->gss_deleg_creds; |
|
45 |
- goto parse_flag; |
|
46 |
- |
|
47 |
-+ case oFipsMode: |
|
48 |
-+ if (options->ciphers != NULL || options->cipher != -1) |
|
49 |
-+ fatal("%.200s line %d: FipsMode should be set before " |
|
50 |
-+ "Ciphers option", filename, linenum); |
|
51 |
-+ intptr = &options->fips_mode; |
|
52 |
-+ multistate_ptr = multistate_flag; |
|
53 |
-+ arg = strdelim(&s); |
|
54 |
-+ if (!arg || *arg == '\0') |
|
55 |
-+ fatal("%s line %d: missing argument.", |
|
56 |
-+ filename, linenum); |
|
57 |
-+ value = -1; |
|
58 |
-+ for (i = 0; multistate_ptr[i].key != NULL; i++) { |
|
59 |
-+ if (strcasecmp(arg, multistate_ptr[i].key) == 0) { |
|
60 |
-+ value = multistate_ptr[i].value; |
|
61 |
-+ break; |
|
62 |
-+ } |
|
63 |
-+ } |
|
64 |
-+ if (value == -1) |
|
65 |
-+ fatal("%s line %d: unsupported option \"%s\".", |
|
66 |
-+ filename, linenum, arg); |
|
67 |
-+ if (*activep && *intptr == -1) { |
|
68 |
-+ *intptr = value; |
|
69 |
-+ /* Call FIPS_mode_set as soon as possible */ |
|
70 |
-+ if (*intptr == 1) |
|
71 |
-+ if (!FIPS_mode_set(1)) |
|
72 |
-+ fatal("FIPS mode could not be set"); |
|
73 |
-+ } |
|
74 |
-+ break; |
|
75 |
-+ |
|
76 |
- case oBatchMode: |
|
77 |
- intptr = &options->batch_mode; |
|
78 |
- goto parse_flag; |
|
79 |
-@@ -1857,6 +1888,7 @@ initialize_options(Options * options) |
|
80 |
- options->update_hostkeys = -1; |
|
81 |
- options->hostbased_key_types = NULL; |
|
82 |
- options->pubkey_key_types = NULL; |
|
83 |
-+ options->fips_mode = -1; |
|
84 |
- } |
|
85 |
- |
|
86 |
- /* |
|
87 |
-@@ -2044,6 +2076,9 @@ fill_default_options(Options * options) |
|
88 |
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
|
89 |
- if (options->update_hostkeys == -1) |
|
90 |
- options->update_hostkeys = 0; |
|
91 |
-+ if (options->fips_mode == -1) |
|
92 |
-+ options->fips_mode = 0; |
|
93 |
-+ |
|
94 |
- if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT |
|
95 |
- : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 || |
|
96 |
- kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC |
|
97 |
-@@ -2535,6 +2570,7 @@ dump_client_config(Options *o, const char *host) |
|
98 |
- dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns); |
|
99 |
- dump_cfg_fmtint(oVisualHostKey, o->visual_host_key); |
|
100 |
- dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys); |
|
101 |
-+ dump_cfg_fmtint(oFipsMode, o->fips_mode); |
|
102 |
- |
|
103 |
- /* Integer options */ |
|
104 |
- dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); |
|
105 |
-diff --git a/readconf.h b/readconf.h |
|
106 |
-index cef55f7..875931e 100644 |
|
107 |
-+++ b/readconf.h |
|
108 |
-@@ -157,6 +157,7 @@ typedef struct { |
|
109 |
- char *revoked_host_keys; |
|
110 |
- |
|
111 |
- int fingerprint_hash; |
|
112 |
-+ int fips_mode; |
|
113 |
- |
|
114 |
- int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ |
|
115 |
- |
|
116 |
-diff --git a/servconf.c b/servconf.c |
|
117 |
-index 4e5401c..107647a 100644 |
|
118 |
-+++ b/servconf.c |
|
119 |
-@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options) |
|
120 |
- options->version_addendum = NULL; |
|
121 |
- options->fingerprint_hash = -1; |
|
122 |
- options->disable_forwarding = -1; |
|
123 |
-+ options->fips_mode = -1; |
|
124 |
- } |
|
125 |
- |
|
126 |
- /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
|
127 |
-@@ -336,6 +337,8 @@ fill_default_server_options(ServerOptions *options) |
|
128 |
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
|
129 |
- if (options->disable_forwarding == -1) |
|
130 |
- options->disable_forwarding = 0; |
|
131 |
-+ if (options->fips_mode == -1) |
|
132 |
-+ options->fips_mode = 0; |
|
133 |
- |
|
134 |
- assemble_algorithms(options); |
|
135 |
- |
|
136 |
-@@ -421,7 +424,8 @@ typedef enum { |
|
137 |
- sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
|
138 |
- sStreamLocalBindMask, sStreamLocalBindUnlink, |
|
139 |
- sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
|
140 |
-- sDeprecated, sIgnore, sUnsupported |
|
141 |
-+ sDeprecated, sIgnore, sUnsupported, |
|
142 |
-+ sFipsMode |
|
143 |
- } ServerOpCodes; |
|
144 |
- |
|
145 |
- #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ |
|
146 |
-@@ -564,6 +568,7 @@ static struct { |
|
147 |
- { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
|
148 |
- { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, |
|
149 |
- { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, |
|
150 |
-+ { "fipsmode", sFipsMode, SSHCFG_GLOBAL }, |
|
151 |
- { NULL, sBadOption, 0 } |
|
152 |
- }; |
|
153 |
- |
|
154 |
-@@ -1839,6 +1844,32 @@ process_server_config_line(ServerOptions *options, char *line, |
|
155 |
- options->fingerprint_hash = value; |
|
156 |
- break; |
|
157 |
- |
|
158 |
-+ case sFipsMode: |
|
159 |
-+ if (options->ciphers != NULL) |
|
160 |
-+ fatal("%.200s line %d: FipsMode should be set before " |
|
161 |
-+ "Ciphers option", filename, linenum); |
|
162 |
-+ intptr = &options->fips_mode; |
|
163 |
-+ arg = strdelim(&cp); |
|
164 |
-+ if (!arg || *arg == '\0') |
|
165 |
-+ fatal("%s line %d: missing yes/no argument.", |
|
166 |
-+ filename, linenum); |
|
167 |
-+ value = 0; /* silence compiler */ |
|
168 |
-+ if (strcmp(arg, "yes") == 0) |
|
169 |
-+ value = 1; |
|
170 |
-+ else if (strcmp(arg, "no") == 0) |
|
171 |
-+ value = 0; |
|
172 |
-+ else |
|
173 |
-+ fatal("%s line %d: Bad yes/no argument: %s", |
|
174 |
-+ filename, linenum, arg); |
|
175 |
-+ if (*activep && *intptr == -1) { |
|
176 |
-+ *intptr = value; |
|
177 |
-+ /* Call FIPS_mode_set as soon as possible */ |
|
178 |
-+ if (*intptr == 1) |
|
179 |
-+ if (!FIPS_mode_set(1)) |
|
180 |
-+ fatal("FIPS mode could not be set"); |
|
181 |
-+ } |
|
182 |
-+ break; |
|
183 |
-+ |
|
184 |
- case sDeprecated: |
|
185 |
- case sIgnore: |
|
186 |
- case sUnsupported: |
|
187 |
-@@ -2280,6 +2311,7 @@ dump_config(ServerOptions *o) |
|
188 |
- dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); |
|
189 |
- dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
|
190 |
- dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); |
|
191 |
-+ dump_cfg_fmtint(sFipsMode, o->fips_mode); |
|
192 |
- |
|
193 |
- /* string arguments */ |
|
194 |
- dump_cfg_string(sPidFile, o->pid_file); |
|
195 |
-diff --git a/servconf.h b/servconf.h |
|
196 |
-index 5853a97..a9ec1a2 100644 |
|
197 |
-+++ b/servconf.h |
|
198 |
-@@ -189,6 +189,7 @@ typedef struct { |
|
199 |
- char *auth_methods[MAX_AUTH_METHODS]; |
|
200 |
- |
|
201 |
- int fingerprint_hash; |
|
202 |
-+ int fips_mode; |
|
203 |
- } ServerOptions; |
|
204 |
- |
|
205 |
- /* Information about the incoming connection as used by Match */ |
|
206 |
-diff --git a/ssh_config b/ssh_config |
|
207 |
-index 90fb63f..fd6ab39 100644 |
|
208 |
-+++ b/ssh_config |
|
209 |
-@@ -37,6 +37,7 @@ |
|
210 |
- # IdentityFile ~/.ssh/id_ecdsa |
|
211 |
- # IdentityFile ~/.ssh/id_ed25519 |
|
212 |
- # Port 22 |
|
213 |
-+# FipsMode no |
|
214 |
- # Protocol 2 |
|
215 |
- # Cipher 3des |
|
216 |
- # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc |
|
217 |
-diff --git a/ssh_config.0 b/ssh_config.0 |
|
218 |
-index 4ca9a5f..33ac338 100644 |
|
219 |
-+++ b/ssh_config.0 |
|
220 |
-@@ -362,6 +362,10 @@ DESCRIPTION |
|
221 |
- Specifies the hash algorithm used when displaying key |
|
222 |
- fingerprints. Valid options are: md5 and sha256 (the default). |
|
223 |
- |
|
224 |
-+ FipsMode |
|
225 |
-+ Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
226 |
-+ The default is no. |
|
227 |
-+ |
|
228 |
- ForwardAgent |
|
229 |
- Specifies whether the connection to the authentication agent (if |
|
230 |
- any) will be forwarded to the remote machine. The argument must |
|
231 |
-diff --git a/ssh_config.5 b/ssh_config.5 |
|
232 |
-index 591365f..df46e0d 100644 |
|
233 |
-+++ b/ssh_config.5 |
|
234 |
-@@ -658,6 +658,10 @@ Valid options are: |
|
235 |
- and |
|
236 |
- .Cm sha256 |
|
237 |
- (the default). |
|
238 |
-+.It Cm FipsMode |
|
239 |
-+Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
240 |
-+The default is |
|
241 |
-+.Cm no . |
|
242 |
- .It Cm ForwardAgent |
|
243 |
- Specifies whether the connection to the authentication agent (if any) |
|
244 |
- will be forwarded to the remote machine. |
|
245 |
-diff --git a/sshd_config b/sshd_config |
|
246 |
-index 9f09e4a..1a0d68a 100644 |
|
247 |
-+++ b/sshd_config |
|
248 |
-@@ -105,6 +105,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
|
249 |
- #ChrootDirectory none |
|
250 |
- #VersionAddendum none |
|
251 |
- |
|
252 |
-+#FipsMode no |
|
253 |
-+ |
|
254 |
- # no default banner path |
|
255 |
- #Banner none |
|
256 |
- |
|
257 |
-diff --git a/sshd_config.0 b/sshd_config.0 |
|
258 |
-index 022c052..af813b2 100644 |
|
259 |
-+++ b/sshd_config.0 |
|
260 |
-@@ -331,6 +331,10 @@ DESCRIPTION |
|
261 |
- Specifies the hash algorithm used when logging key fingerprints. |
|
262 |
- Valid options are: md5 and sha256. The default is sha256. |
|
263 |
- |
|
264 |
-+ FipsMode |
|
265 |
-+ Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
266 |
-+ The default is no. |
|
267 |
-+ |
|
268 |
- ForceCommand |
|
269 |
- Forces the execution of the command specified by ForceCommand, |
|
270 |
- ignoring any command supplied by the client and ~/.ssh/rc if |
|
271 |
-diff --git a/sshd_config.5 b/sshd_config.5 |
|
272 |
-index 32b29d2..c618359 100644 |
|
273 |
-+++ b/sshd_config.5 |
|
274 |
-@@ -578,6 +578,10 @@ and |
|
275 |
- .Cm sha256 . |
|
276 |
- The default is |
|
277 |
- .Cm sha256 . |
|
278 |
-+.It Cm FipsMode |
|
279 |
-+Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
280 |
-+The default is |
|
281 |
-+.Cm no . |
|
282 |
- .It Cm ForceCommand |
|
283 |
- Forces the execution of the command specified by |
|
284 |
- .Cm ForceCommand , |
|
285 |
-2.8.1 |
|
286 |
- |
287 | 1 |
deleted file mode 100644 |
... | ... |
@@ -1,441 +0,0 @@ |
1 |
-diff -rup openssh-7.5p1/cipher.c openssh-7.5p1-new/cipher.c |
|
2 |
-+++ openssh-7.5p1-new/cipher.c 2017-11-14 16:04:07.735036305 -0800 |
|
3 |
-@@ -136,6 +136,26 @@ static const struct sshcipher ciphers[] |
|
4 |
- { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } |
|
5 |
- }; |
|
6 |
- |
|
7 |
-+static const struct sshcipher fips_ciphers[] = { |
|
8 |
-+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, |
|
9 |
-+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, |
|
10 |
-+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, |
|
11 |
-+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, |
|
12 |
-+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, |
|
13 |
-+ { "rijndael-cbc@lysator.liu.se", |
|
14 |
-+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, |
|
15 |
-+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, |
|
16 |
-+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, |
|
17 |
-+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, |
|
18 |
-+# ifdef OPENSSL_HAVE_EVPGCM |
|
19 |
-+ { "aes128-gcm@openssh.com", |
|
20 |
-+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, |
|
21 |
-+ { "aes256-gcm@openssh.com", |
|
22 |
-+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, |
|
23 |
-+# endif /* OPENSSL_HAVE_EVPGCM */ |
|
24 |
-+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } |
|
25 |
-+}; |
|
26 |
-+ |
|
27 |
- /*--*/ |
|
28 |
- |
|
29 |
- /* Returns a comma-separated list of supported ciphers. */ |
|
30 |
-@@ -146,7 +166,7 @@ cipher_alg_list(char sep, int auth_only) |
|
31 |
- size_t nlen, rlen = 0; |
|
32 |
- const struct sshcipher *c; |
|
33 |
- |
|
34 |
-- for (c = ciphers; c->name != NULL; c++) { |
|
35 |
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { |
|
36 |
- if (c->number != SSH_CIPHER_SSH2) |
|
37 |
- continue; |
|
38 |
- if (auth_only && c->auth_len == 0) |
|
39 |
-@@ -242,7 +262,7 @@ const struct sshcipher * |
|
40 |
- cipher_by_name(const char *name) |
|
41 |
- { |
|
42 |
- const struct sshcipher *c; |
|
43 |
-- for (c = ciphers; c->name != NULL; c++) |
|
44 |
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) |
|
45 |
- if (strcmp(c->name, name) == 0) |
|
46 |
- return c; |
|
47 |
- return NULL; |
|
48 |
-@@ -252,7 +272,7 @@ const struct sshcipher * |
|
49 |
- cipher_by_number(int id) |
|
50 |
- { |
|
51 |
- const struct sshcipher *c; |
|
52 |
-- for (c = ciphers; c->name != NULL; c++) |
|
53 |
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) |
|
54 |
- if (c->number == id) |
|
55 |
- return c; |
|
56 |
- return NULL; |
|
57 |
-@@ -293,7 +313,7 @@ cipher_number(const char *name) |
|
58 |
- const struct sshcipher *c; |
|
59 |
- if (name == NULL) |
|
60 |
- return -1; |
|
61 |
-- for (c = ciphers; c->name != NULL; c++) |
|
62 |
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) |
|
63 |
- if (strcasecmp(c->name, name) == 0) |
|
64 |
- return c->number; |
|
65 |
- return -1; |
|
66 |
-diff -rup openssh-7.5p1/cipher-ctr.c openssh-7.5p1-new/cipher-ctr.c |
|
67 |
-+++ openssh-7.5p1-new/cipher-ctr.c 2017-11-14 16:03:27.498694013 -0800 |
|
68 |
-@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) |
|
69 |
- aes_ctr.do_cipher = ssh_aes_ctr; |
|
70 |
- #ifndef SSH_OLD_EVP |
|
71 |
- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | |
|
72 |
-- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; |
|
73 |
-+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | |
|
74 |
-+ EVP_CIPH_FLAG_FIPS; |
|
75 |
- #endif |
|
76 |
- return (&aes_ctr); |
|
77 |
- } |
|
78 |
-diff -rup openssh-7.5p1/dh.h openssh-7.5p1-new/dh.h |
|
79 |
-+++ openssh-7.5p1-new/dh.h 2017-11-14 16:03:27.498694013 -0800 |
|
80 |
-@@ -51,6 +51,7 @@ u_int dh_estimate(int); |
|
81 |
- * Miniumum increased in light of DH precomputation attacks. |
|
82 |
- */ |
|
83 |
- #define DH_GRP_MIN 2048 |
|
84 |
-+#define DH_GRP_MIN_FIPS 2048 |
|
85 |
- #define DH_GRP_MAX 8192 |
|
86 |
- |
|
87 |
- /* |
|
88 |
-diff -rup openssh-7.5p1/entropy.c openssh-7.5p1-new/entropy.c |
|
89 |
-+++ openssh-7.5p1-new/entropy.c 2017-11-14 16:03:27.498694013 -0800 |
|
90 |
-@@ -217,6 +217,9 @@ seed_rng(void) |
|
91 |
- fatal("OpenSSL version mismatch. Built against %lx, you " |
|
92 |
- "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); |
|
93 |
- |
|
94 |
-+ /* clean the PRNG status when exiting the program */ |
|
95 |
-+ atexit(RAND_cleanup); |
|
96 |
-+ |
|
97 |
- #ifndef OPENSSL_PRNG_ONLY |
|
98 |
- if (RAND_status() == 1) { |
|
99 |
- debug3("RNG is ready, skipping seeding"); |
|
100 |
-diff -rup openssh-7.5p1/kex.c openssh-7.5p1-new/kex.c |
|
101 |
-+++ openssh-7.5p1-new/kex.c 2017-11-14 16:10:16.816150390 -0800 |
|
102 |
-@@ -114,6 +114,27 @@ static const struct kexalg kexalgs[] = { |
|
103 |
- { NULL, -1, -1, -1}, |
|
104 |
- }; |
|
105 |
- |
|
106 |
-+static const struct kexalg kexalgs_fips[] = { |
|
107 |
-+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, |
|
108 |
-+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, |
|
109 |
-+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, |
|
110 |
-+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, |
|
111 |
-+#ifdef HAVE_EVP_SHA256 |
|
112 |
-+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, |
|
113 |
-+#endif |
|
114 |
-+#ifdef OPENSSL_HAS_ECC |
|
115 |
-+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, |
|
116 |
-+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, |
|
117 |
-+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, |
|
118 |
-+ SSH_DIGEST_SHA384 }, |
|
119 |
-+# ifdef OPENSSL_HAS_NISTP521 |
|
120 |
-+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, |
|
121 |
-+ SSH_DIGEST_SHA512 }, |
|
122 |
-+# endif |
|
123 |
-+#endif |
|
124 |
-+ { NULL, -1, -1, -1}, |
|
125 |
-+}; |
|
126 |
-+ |
|
127 |
- char * |
|
128 |
- kex_alg_list(char sep) |
|
129 |
- { |
|
130 |
-@@ -121,7 +142,7 @@ kex_alg_list(char sep) |
|
131 |
- size_t nlen, rlen = 0; |
|
132 |
- const struct kexalg *k; |
|
133 |
- |
|
134 |
-- for (k = kexalgs; k->name != NULL; k++) { |
|
135 |
-+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) { |
|
136 |
- if (ret != NULL) |
|
137 |
- ret[rlen++] = sep; |
|
138 |
- nlen = strlen(k->name); |
|
139 |
-@@ -141,7 +162,7 @@ kex_alg_by_name(const char *name) |
|
140 |
- { |
|
141 |
- const struct kexalg *k; |
|
142 |
- |
|
143 |
-- for (k = kexalgs; k->name != NULL; k++) { |
|
144 |
-+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) { |
|
145 |
- if (strcmp(k->name, name) == 0) |
|
146 |
- return k; |
|
147 |
- } |
|
148 |
-@@ -161,7 +182,10 @@ kex_names_valid(const char *names) |
|
149 |
- for ((p = strsep(&cp, ",")); p && *p != '\0'; |
|
150 |
- (p = strsep(&cp, ","))) { |
|
151 |
- if (kex_alg_by_name(p) == NULL) { |
|
152 |
-- error("Unsupported KEX algorithm \"%.100s\"", p); |
|
153 |
-+ if (FIPS_mode()) |
|
154 |
-+ error("\"%.100s\" is not allowed in FIPS mode", p); |
|
155 |
-+ else |
|
156 |
-+ error("Unsupported KEX algorithm \"%.100s\"", p); |
|
157 |
- free(s); |
|
158 |
- return 0; |
|
159 |
- } |
|
160 |
-diff -rup openssh-7.5p1/kexgexc.c openssh-7.5p1-new/kexgexc.c |
|
161 |
-+++ openssh-7.5p1-new/kexgexc.c 2017-11-14 16:03:27.498694013 -0800 |
|
162 |
-@@ -63,7 +63,7 @@ kexgex_client(struct ssh *ssh) |
|
163 |
- |
|
164 |
- nbits = dh_estimate(kex->dh_need * 8); |
|
165 |
- |
|
166 |
-- kex->min = DH_GRP_MIN; |
|
167 |
-+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; |
|
168 |
- kex->max = DH_GRP_MAX; |
|
169 |
- kex->nbits = nbits; |
|
170 |
- if (datafellows & SSH_BUG_DHGEX_LARGE) |
|
171 |
-diff -rup openssh-7.5p1/kexgexs.c openssh-7.5p1-new/kexgexs.c |
|
172 |
-+++ openssh-7.5p1-new/kexgexs.c 2017-11-14 16:03:27.498694013 -0800 |
|
173 |
-@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int |
|
174 |
- kex->nbits = nbits; |
|
175 |
- kex->min = min; |
|
176 |
- kex->max = max; |
|
177 |
-- min = MAXIMUM(DH_GRP_MIN, min); |
|
178 |
-+ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); |
|
179 |
- max = MINIMUM(DH_GRP_MAX, max); |
|
180 |
-- nbits = MAXIMUM(DH_GRP_MIN, nbits); |
|
181 |
-+ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits); |
|
182 |
- nbits = MINIMUM(DH_GRP_MAX, nbits); |
|
183 |
- |
|
184 |
- if (kex->max < kex->min || kex->nbits < kex->min || |
|
185 |
-diff -rup openssh-7.5p1/mac.c openssh-7.5p1-new/mac.c |
|
186 |
-+++ openssh-7.5p1-new/mac.c 2017-11-14 16:03:27.498694013 -0800 |
|
187 |
-@@ -54,7 +54,7 @@ struct macalg { |
|
188 |
- int etm; /* Encrypt-then-MAC */ |
|
189 |
- }; |
|
190 |
- |
|
191 |
--static const struct macalg macs[] = { |
|
192 |
-+static const struct macalg all_macs[] = { |
|
193 |
- /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ |
|
194 |
- { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, |
|
195 |
- { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, |
|
196 |
-@@ -89,6 +89,24 @@ static const struct macalg macs[] = { |
|
197 |
- { NULL, 0, 0, 0, 0, 0, 0 } |
|
198 |
- }; |
|
199 |
- |
|
200 |
-+static const struct macalg fips_macs[] = { |
|
201 |
-+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ |
|
202 |
-+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, |
|
203 |
-+#ifdef HAVE_EVP_SHA256 |
|
204 |
-+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 }, |
|
205 |
-+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 }, |
|
206 |
-+#endif |
|
207 |
-+ |
|
208 |
-+ /* Encrypt-then-MAC variants */ |
|
209 |
-+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 }, |
|
210 |
-+#ifdef HAVE_EVP_SHA256 |
|
211 |
-+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, |
|
212 |
-+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, |
|
213 |
-+#endif |
|
214 |
-+ |
|
215 |
-+ { NULL, 0, 0, 0, 0, 0, 0 } |
|
216 |
-+}; |
|
217 |
-+ |
|
218 |
- /* Returns a list of supported MACs separated by the specified char. */ |
|
219 |
- char * |
|
220 |
- mac_alg_list(char sep) |
|
221 |
-@@ -97,7 +115,7 @@ mac_alg_list(char sep) |
|
222 |
- size_t nlen, rlen = 0; |
|
223 |
- const struct macalg *m; |
|
224 |
- |
|
225 |
-- for (m = macs; m->name != NULL; m++) { |
|
226 |
-+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) { |
|
227 |
- if (ret != NULL) |
|
228 |
- ret[rlen++] = sep; |
|
229 |
- nlen = strlen(m->name); |
|
230 |
-@@ -136,7 +154,7 @@ mac_setup(struct sshmac *mac, char *name |
|
231 |
- { |
|
232 |
- const struct macalg *m; |
|
233 |
- |
|
234 |
-- for (m = macs; m->name != NULL; m++) { |
|
235 |
-+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) { |
|
236 |
- if (strcmp(name, m->name) != 0) |
|
237 |
- continue; |
|
238 |
- if (mac != NULL) |
|
239 |
-diff -rup openssh-7.5p1/myproposal.h openssh-7.5p1-new/myproposal.h |
|
240 |
-+++ openssh-7.5p1-new/myproposal.h 2017-11-14 16:12:38.278996802 -0800 |
|
241 |
-@@ -138,6 +138,29 @@ |
|
242 |
- |
|
243 |
- #define KEX_CLIENT_MAC KEX_SERVER_MAC |
|
244 |
- |
|
245 |
-+#define KEX_DEFAULT_KEX_FIPS \ |
|
246 |
-+ KEX_ECDH_METHODS \ |
|
247 |
-+ KEX_SHA2_METHODS \ |
|
248 |
-+ KEX_SHA2_GROUP14 \ |
|
249 |
-+ "diffie-hellman-group14-sha1" |
|
250 |
-+#define KEX_FIPS_ENCRYPT \ |
|
251 |
-+ "aes128-ctr,aes192-ctr,aes256-ctr," \ |
|
252 |
-+ "aes128-cbc,3des-cbc," \ |
|
253 |
-+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \ |
|
254 |
-+ AESGCM_CIPHER_MODES |
|
255 |
-+#ifdef HAVE_EVP_SHA256 |
|
256 |
-+#define KEX_FIPS_MAC \ |
|
257 |
-+ "hmac-sha1," \ |
|
258 |
-+ "hmac-sha2-256," \ |
|
259 |
-+ "hmac-sha2-512," \ |
|
260 |
-+ "hmac-sha1-etm@openssh.com," \ |
|
261 |
-+ "hmac-sha2-256-etm@openssh.com," \ |
|
262 |
-+ "hmac-sha2-512-etm@openssh.com" |
|
263 |
-+#else |
|
264 |
-+#define KEX_FIPS_MAC \ |
|
265 |
-+ "hmac-sha1" |
|
266 |
-+#endif |
|
267 |
-+ |
|
268 |
- #else /* WITH_OPENSSL */ |
|
269 |
- |
|
270 |
- #define KEX_SERVER_KEX \ |
|
271 |
-diff -rup openssh-7.5p1/openbsd-compat/openssl-compat.h openssh-7.5p1-new/openbsd-compat/openssl-compat.h |
|
272 |
-+++ openssh-7.5p1-new/openbsd-compat/openssl-compat.h 2017-11-14 16:03:27.498694013 -0800 |
|
273 |
-@@ -24,6 +24,7 @@ |
|
274 |
- #include <openssl/evp.h> |
|
275 |
- #include <openssl/rsa.h> |
|
276 |
- #include <openssl/dsa.h> |
|
277 |
-+#include <openssl/crypto.h> |
|
278 |
- |
|
279 |
- int ssh_compatible_openssl(long, long); |
|
280 |
- |
|
281 |
-diff -rup openssh-7.5p1/readconf.c openssh-7.5p1-new/readconf.c |
|
282 |
-+++ openssh-7.5p1-new/readconf.c 2017-11-14 16:03:27.498694013 -0800 |
|
283 |
-@@ -2066,9 +2066,12 @@ fill_default_options(Options * options) |
|
284 |
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
|
285 |
- if (options->update_hostkeys == -1) |
|
286 |
- options->update_hostkeys = 0; |
|
287 |
-- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 || |
|
288 |
-- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 || |
|
289 |
-- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 || |
|
290 |
-+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT |
|
291 |
-+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 || |
|
292 |
-+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC |
|
293 |
-+ : KEX_CLIENT_MAC), &options->macs) != 0 || |
|
294 |
-+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS |
|
295 |
-+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 || |
|
296 |
- kex_assemble_names(KEX_DEFAULT_PK_ALG, |
|
297 |
- &options->hostbased_key_types) != 0 || |
|
298 |
- kex_assemble_names(KEX_DEFAULT_PK_ALG, |
|
299 |
-Only in openssh-7.5p1-new: readconf.c.orig |
|
300 |
-diff -rup openssh-7.5p1/sandbox-seccomp-filter.c openssh-7.5p1-new/sandbox-seccomp-filter.c |
|
301 |
-+++ openssh-7.5p1-new/sandbox-seccomp-filter.c 2017-11-14 16:03:27.498694013 -0800 |
|
302 |
-@@ -134,6 +134,9 @@ static const struct sock_filter preauth_ |
|
303 |
- #ifdef __NR_open |
|
304 |
- SC_DENY(__NR_open, EACCES), |
|
305 |
- #endif |
|
306 |
-+#ifdef __NR_socket |
|
307 |
-+ SC_DENY(__NR_socket, EACCES), |
|
308 |
-+#endif |
|
309 |
- #ifdef __NR_openat |
|
310 |
- SC_DENY(__NR_openat, EACCES), |
|
311 |
- #endif |
|
312 |
-Only in openssh-7.5p1-new: sandbox-seccomp-filter.c.orig |
|
313 |
-diff -rup openssh-7.5p1/servconf.c openssh-7.5p1-new/servconf.c |
|
314 |
-+++ openssh-7.5p1-new/servconf.c 2017-11-14 16:03:27.502704413 -0800 |
|
315 |
-@@ -176,9 +176,12 @@ option_clear_or_none(const char *o) |
|
316 |
- static void |
|
317 |
- assemble_algorithms(ServerOptions *o) |
|
318 |
- { |
|
319 |
-- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 || |
|
320 |
-- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 || |
|
321 |
-- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 || |
|
322 |
-+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT |
|
323 |
-+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 || |
|
324 |
-+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC |
|
325 |
-+ : KEX_SERVER_MAC), &o->macs) != 0 || |
|
326 |
-+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS |
|
327 |
-+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 || |
|
328 |
- kex_assemble_names(KEX_DEFAULT_PK_ALG, |
|
329 |
- &o->hostkeyalgorithms) != 0 || |
|
330 |
- kex_assemble_names(KEX_DEFAULT_PK_ALG, |
|
331 |
-@@ -2282,8 +2285,10 @@ dump_config(ServerOptions *o) |
|
332 |
- /* string arguments */ |
|
333 |
- dump_cfg_string(sPidFile, o->pid_file); |
|
334 |
- dump_cfg_string(sXAuthLocation, o->xauth_location); |
|
335 |
-- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); |
|
336 |
-- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); |
|
337 |
-+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode() |
|
338 |
-+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT); |
|
339 |
-+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode() |
|
340 |
-+ ? KEX_FIPS_MAC : KEX_SERVER_MAC); |
|
341 |
- dump_cfg_string(sBanner, o->banner); |
|
342 |
- dump_cfg_string(sForceCommand, o->adm_forced_command); |
|
343 |
- dump_cfg_string(sChrootDirectory, o->chroot_directory); |
|
344 |
-@@ -2298,8 +2303,8 @@ dump_config(ServerOptions *o) |
|
345 |
- dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); |
|
346 |
- dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); |
|
347 |
- dump_cfg_string(sHostKeyAgent, o->host_key_agent); |
|
348 |
-- dump_cfg_string(sKexAlgorithms, |
|
349 |
-- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); |
|
350 |
-+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : |
|
351 |
-+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX); |
|
352 |
- dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? |
|
353 |
- o->hostbased_key_types : KEX_DEFAULT_PK_ALG); |
|
354 |
- dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? |
|
355 |
-Only in openssh-7.5p1-new: servconf.c.orig |
|
356 |
-diff -rup openssh-7.5p1/ssh.c openssh-7.5p1-new/ssh.c |
|
357 |
-+++ openssh-7.5p1-new/ssh.c 2017-11-14 16:03:27.502704413 -0800 |
|
358 |
-@@ -609,6 +609,9 @@ main(int ac, char **av) |
|
359 |
- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { |
|
360 |
- switch (opt) { |
|
361 |
- case '1': |
|
362 |
-+ if (FIPS_mode()) { |
|
363 |
-+ fatal("Protocol 1 not allowed in the FIPS mode."); |
|
364 |
-+ } |
|
365 |
- options.protocol = SSH_PROTO_1; |
|
366 |
- break; |
|
367 |
- case '2': |
|
368 |
-@@ -1174,6 +1177,10 @@ main(int ac, char **av) |
|
369 |
- } |
|
370 |
- |
|
371 |
- seed_rng(); |
|
372 |
-+ |
|
373 |
-+ if (FIPS_mode()) { |
|
374 |
-+ logit("FIPS mode initialized"); |
|
375 |
-+ } |
|
376 |
- |
|
377 |
- if (options.user == NULL) |
|
378 |
- options.user = xstrdup(pw->pw_name); |
|
379 |
-@@ -1263,6 +1270,12 @@ main(int ac, char **av) |
|
380 |
- |
|
381 |
- timeout_ms = options.connection_timeout * 1000; |
|
382 |
- |
|
383 |
-+ if (FIPS_mode()) { |
|
384 |
-+ options.protocol &= SSH_PROTO_2; |
|
385 |
-+ if (options.protocol == 0) |
|
386 |
-+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode."); |
|
387 |
-+ } |
|
388 |
-+ |
|
389 |
- /* Open a connection to the remote host. */ |
|
390 |
- if (ssh_connect(host, addrs, &hostaddr, options.port, |
|
391 |
- options.address_family, options.connection_attempts, |
|
392 |
-diff -rup openssh-7.5p1/sshd.c openssh-7.5p1-new/sshd.c |
|
393 |
-+++ openssh-7.5p1-new/sshd.c 2017-11-14 16:03:27.502704413 -0800 |
|
394 |
-@@ -1841,6 +1841,10 @@ main(int ac, char **av) |
|
395 |
- /* Reinitialize the log (because of the fork above). */ |
|
396 |
- log_init(__progname, options.log_level, options.log_facility, log_stderr); |
|
397 |
- |
|
398 |
-+ if (FIPS_mode()) { |
|
399 |
-+ logit("FIPS mode initialized"); |
|
400 |
-+ } |
|
401 |
-+ |
|
402 |
- /* Chdir to the root directory so that the current disk can be |
|
403 |
- unmounted if desired. */ |
|
404 |
- if (chdir("/") == -1) |
|
405 |
-Only in openssh-7.5p1-new: sshd.c.orig |
|
406 |
-diff -rup openssh-7.5p1/sshkey.c openssh-7.5p1-new/sshkey.c |
|
407 |
-+++ openssh-7.5p1-new/sshkey.c 2017-11-14 16:03:27.502704413 -0800 |
|
408 |
-@@ -56,6 +56,7 @@ |
|
409 |
- #include "digest.h" |
|
410 |
- #define SSHKEY_INTERNAL |
|
411 |
- #include "sshkey.h" |
|
412 |
-+#include "log.h" |
|
413 |
- #include "match.h" |
|
414 |
- |
|
415 |
- /* openssh private key file format */ |
|
416 |
-@@ -1534,6 +1535,8 @@ rsa_generate_private_key(u_int bits, RSA |
|
417 |
- } |
|
418 |
- if (!BN_set_word(f4, RSA_F4) || |
|
419 |
- !RSA_generate_key_ex(private, bits, f4, NULL)) { |
|
420 |
-+ if (FIPS_mode()) |
|
421 |
-+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); |
|
422 |
- ret = SSH_ERR_LIBCRYPTO_ERROR; |
|
423 |
- goto out; |
|
424 |
- } |
|
425 |
-Only in openssh-7.5p1-new: sshkey.c.orig |
426 | 1 |
new file mode 100644 |
@@ -0,0 +1,269 @@ |
0 |
+diff -rup openssh-7.8p1/readconf.c openssh-7.8p1-new/readconf.c |
|
1 |
+--- openssh-7.8p1/readconf.c 2018-08-22 22:41:42.000000000 -0700 |
|
2 |
+@@ -173,7 +173,8 @@ typedef enum { |
|
3 |
+ oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, |
|
4 |
+ oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, |
|
5 |
+ oPubkeyAcceptedKeyTypes, oProxyJump, |
|
6 |
+- oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported |
|
7 |
++ oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported, |
|
8 |
++ oFipsMode |
|
9 |
+ } OpCodes; |
|
10 |
+ |
|
11 |
+ /* Textual representations of the tokens. */ |
|
12 |
+@@ -303,6 +304,7 @@ static struct { |
|
13 |
+ { "streamlocalbindunlink", oStreamLocalBindUnlink }, |
|
14 |
+ { "revokedhostkeys", oRevokedHostKeys }, |
|
15 |
+ { "fingerprinthash", oFingerprintHash }, |
|
16 |
++ { "fipsmode", oFipsMode }, |
|
17 |
+ { "updatehostkeys", oUpdateHostkeys }, |
|
18 |
+ { "hostbasedkeytypes", oHostbasedKeyTypes }, |
|
19 |
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, |
|
20 |
+@@ -977,6 +979,35 @@ parse_time: |
|
21 |
+ intptr = &options->gss_deleg_creds; |
|
22 |
+ goto parse_flag; |
|
23 |
+ |
|
24 |
++ case oFipsMode: |
|
25 |
++ if (options->ciphers != NULL) |
|
26 |
++ fatal("%.200s line %d: FipsMode should be set before " |
|
27 |
++ "Ciphers option", filename, linenum); |
|
28 |
++ intptr = &options->fips_mode; |
|
29 |
++ multistate_ptr = multistate_flag; |
|
30 |
++ arg = strdelim(&s); |
|
31 |
++ if (!arg || *arg == '\0') |
|
32 |
++ fatal("%s line %d: missing argument.", |
|
33 |
++ filename, linenum); |
|
34 |
++ value = -1; |
|
35 |
++ for (i = 0; multistate_ptr[i].key != NULL; i++) { |
|
36 |
++ if (strcasecmp(arg, multistate_ptr[i].key) == 0) { |
|
37 |
++ value = multistate_ptr[i].value; |
|
38 |
++ break; |
|
39 |
++ } |
|
40 |
++ } |
|
41 |
++ if (value == -1) |
|
42 |
++ fatal("%s line %d: unsupported option \"%s\".", |
|
43 |
++ filename, linenum, arg); |
|
44 |
++ if (*activep && *intptr == -1) { |
|
45 |
++ *intptr = value; |
|
46 |
++ /* Call FIPS_mode_set as soon as possible */ |
|
47 |
++ if (*intptr == 1) |
|
48 |
++ if (!FIPS_mode_set(1)) |
|
49 |
++ fatal("FIPS mode could not be set"); |
|
50 |
++ } |
|
51 |
++ break; |
|
52 |
++ |
|
53 |
+ case oBatchMode: |
|
54 |
+ intptr = &options->batch_mode; |
|
55 |
+ goto parse_flag; |
|
56 |
+@@ -1900,6 +1931,7 @@ initialize_options(Options * options) |
|
57 |
+ options->update_hostkeys = -1; |
|
58 |
+ options->hostbased_key_types = NULL; |
|
59 |
+ options->pubkey_key_types = NULL; |
|
60 |
++ options->fips_mode = -1; |
|
61 |
+ } |
|
62 |
+ |
|
63 |
+ /* |
|
64 |
+@@ -2071,6 +2103,8 @@ fill_default_options(Options * options) |
|
65 |
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
|
66 |
+ if (options->update_hostkeys == -1) |
|
67 |
+ options->update_hostkeys = 0; |
|
68 |
++ if (options->fips_mode == -1) |
|
69 |
++ options->fips_mode = 0; |
|
70 |
+ |
|
71 |
+ /* Expand KEX name lists */ |
|
72 |
+ all_cipher = cipher_alg_list(',', 0); |
|
73 |
+@@ -2593,6 +2627,7 @@ dump_client_config(Options *o, const cha |
|
74 |
+ dump_cfg_fmtint(oVerifyHostKeyDNS, o->verify_host_key_dns); |
|
75 |
+ dump_cfg_fmtint(oVisualHostKey, o->visual_host_key); |
|
76 |
+ dump_cfg_fmtint(oUpdateHostkeys, o->update_hostkeys); |
|
77 |
++ dump_cfg_fmtint(oFipsMode, o->fips_mode); |
|
78 |
+ |
|
79 |
+ /* Integer options */ |
|
80 |
+ dump_cfg_int(oCanonicalizeMaxDots, o->canonicalize_max_dots); |
|
81 |
+diff -rup openssh-7.8p1/readconf.h openssh-7.8p1-new/readconf.h |
|
82 |
+--- openssh-7.8p1/readconf.h 2018-08-22 22:41:42.000000000 -0700 |
|
83 |
+@@ -153,6 +153,7 @@ typedef struct { |
|
84 |
+ char *revoked_host_keys; |
|
85 |
+ |
|
86 |
+ int fingerprint_hash; |
|
87 |
++ int fips_mode; |
|
88 |
+ |
|
89 |
+ int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */ |
|
90 |
+ |
|
91 |
+Only in openssh-7.8p1-new: readconf.h.orig |
|
92 |
+diff -rup openssh-7.8p1/servconf.c openssh-7.8p1-new/servconf.c |
|
93 |
+--- openssh-7.8p1/servconf.c 2018-08-22 22:41:42.000000000 -0700 |
|
94 |
+@@ -179,6 +179,7 @@ initialize_server_options(ServerOptions |
|
95 |
+ options->fingerprint_hash = -1; |
|
96 |
+ options->disable_forwarding = -1; |
|
97 |
+ options->expose_userauth_info = -1; |
|
98 |
++ options->fips_mode = -1; |
|
99 |
+ } |
|
100 |
+ |
|
101 |
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
|
102 |
+@@ -407,6 +408,8 @@ fill_default_server_options(ServerOption |
|
103 |
+ options->disable_forwarding = 0; |
|
104 |
+ if (options->expose_userauth_info == -1) |
|
105 |
+ options->expose_userauth_info = 0; |
|
106 |
++ if (options->fips_mode == -1) |
|
107 |
++ options->fips_mode = 0; |
|
108 |
+ |
|
109 |
+ assemble_algorithms(options); |
|
110 |
+ |
|
111 |
+@@ -493,7 +496,8 @@ typedef enum { |
|
112 |
+ sStreamLocalBindMask, sStreamLocalBindUnlink, |
|
113 |
+ sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
|
114 |
+ sExposeAuthInfo, sRDomain, |
|
115 |
+- sDeprecated, sIgnore, sUnsupported |
|
116 |
++ sDeprecated, sIgnore, sUnsupported, |
|
117 |
++ sFipsMode |
|
118 |
+ } ServerOpCodes; |
|
119 |
+ |
|
120 |
+ #define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ |
|
121 |
+@@ -640,6 +644,7 @@ static struct { |
|
122 |
+ { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, |
|
123 |
+ { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
|
124 |
+ { "rdomain", sRDomain, SSHCFG_ALL }, |
|
125 |
++ { "fipsmode", sFipsMode, SSHCFG_GLOBAL }, |
|
126 |
+ { NULL, sBadOption, 0 } |
|
127 |
+ }; |
|
128 |
+ |
|
129 |
+@@ -2140,6 +2145,32 @@ process_server_config_line(ServerOptions |
|
130 |
+ *charptr = xstrdup(arg); |
|
131 |
+ break; |
|
132 |
+ |
|
133 |
++ case sFipsMode: |
|
134 |
++ if (options->ciphers != NULL) |
|
135 |
++ fatal("%.200s line %d: FipsMode should be set before " |
|
136 |
++ "Ciphers option", filename, linenum); |
|
137 |
++ intptr = &options->fips_mode; |
|
138 |
++ arg = strdelim(&cp); |
|
139 |
++ if (!arg || *arg == '\0') |
|
140 |
++ fatal("%s line %d: missing yes/no argument.", |
|
141 |
++ filename, linenum); |
|
142 |
++ value = 0; /* silence compiler */ |
|
143 |
++ if (strcmp(arg, "yes") == 0) |
|
144 |
++ value = 1; |
|
145 |
++ else if (strcmp(arg, "no") == 0) |
|
146 |
++ value = 0; |
|
147 |
++ else |
|
148 |
++ fatal("%s line %d: Bad yes/no argument: %s", |
|
149 |
++ filename, linenum, arg); |
|
150 |
++ if (*activep && *intptr == -1) { |
|
151 |
++ *intptr = value; |
|
152 |
++ /* Call FIPS_mode_set as soon as possible */ |
|
153 |
++ if (*intptr == 1) |
|
154 |
++ if (!FIPS_mode_set(1)) |
|
155 |
++ fatal("FIPS mode could not be set"); |
|
156 |
++ } |
|
157 |
++ break; |
|
158 |
++ |
|
159 |
+ case sDeprecated: |
|
160 |
+ case sIgnore: |
|
161 |
+ case sUnsupported: |
|
162 |
+@@ -2579,6 +2610,7 @@ dump_config(ServerOptions *o) |
|
163 |
+ dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); |
|
164 |
+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); |
|
165 |
+ dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); |
|
166 |
++ dump_cfg_fmtint(sFipsMode, o->fips_mode); |
|
167 |
+ |
|
168 |
+ /* string arguments */ |
|
169 |
+ dump_cfg_string(sPidFile, o->pid_file); |
|
170 |
+diff -rup openssh-7.8p1/servconf.h openssh-7.8p1-new/servconf.h |
|
171 |
+--- openssh-7.8p1/servconf.h 2018-08-22 22:41:42.000000000 -0700 |
|
172 |
+@@ -208,6 +208,7 @@ typedef struct { |
|
173 |
+ |
|
174 |
+ int fingerprint_hash; |
|
175 |
+ int expose_userauth_info; |
|
176 |
++ int fips_mode; |
|
177 |
+ u_int64_t timing_secret; |
|
178 |
+ } ServerOptions; |
|
179 |
+ |
|
180 |
+diff -rup openssh-7.8p1/ssh_config openssh-7.8p1-new/ssh_config |
|
181 |
+--- openssh-7.8p1/ssh_config 2018-08-22 22:41:42.000000000 -0700 |
|
182 |
+@@ -34,6 +34,7 @@ |
|
183 |
+ # IdentityFile ~/.ssh/id_ecdsa |
|
184 |
+ # IdentityFile ~/.ssh/id_ed25519 |
|
185 |
+ # Port 22 |
|
186 |
++# FipsMode no |
|
187 |
+ # Protocol 2 |
|
188 |
+ # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc |
|
189 |
+ # MACs hmac-md5,hmac-sha1,umac-64@openssh.com |
|
190 |
+diff -rup openssh-7.8p1/ssh_config.0 openssh-7.8p1-new/ssh_config.0 |
|
191 |
+--- openssh-7.8p1/ssh_config.0 2018-08-23 00:09:17.000000000 -0700 |
|
192 |
+@@ -343,6 +343,10 @@ DESCRIPTION |
|
193 |
+ Specifies the hash algorithm used when displaying key |
|
194 |
+ fingerprints. Valid options are: md5 and sha256 (the default). |
|
195 |
+ |
|
196 |
++ FipsMode |
|
197 |
++ Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
198 |
++ The default is no. |
|
199 |
++ |
|
200 |
+ ForwardAgent |
|
201 |
+ Specifies whether the connection to the authentication agent (if |
|
202 |
+ any) will be forwarded to the remote machine. The argument must |
|
203 |
+Only in openssh-7.8p1-new: ssh_config.0.orig |
|
204 |
+diff -rup openssh-7.8p1/ssh_config.5 openssh-7.8p1-new/ssh_config.5 |
|
205 |
+--- openssh-7.8p1/ssh_config.5 2018-08-22 22:41:42.000000000 -0700 |
|
206 |
+@@ -628,6 +628,10 @@ Valid options are: |
|
207 |
+ and |
|
208 |
+ .Cm sha256 |
|
209 |
+ (the default). |
|
210 |
++.It Cm FipsMode |
|
211 |
++Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
212 |
++The default is |
|
213 |
++.Cm no . |
|
214 |
+ .It Cm ForwardAgent |
|
215 |
+ Specifies whether the connection to the authentication agent (if any) |
|
216 |
+ will be forwarded to the remote machine. |
|
217 |
+Only in openssh-7.8p1-new: ssh_config.5.orig |
|
218 |
+Only in openssh-7.8p1-new: ssh_config.orig |
|
219 |
+diff -rup openssh-7.8p1/sshd_config openssh-7.8p1-new/sshd_config |
|
220 |
+--- openssh-7.8p1/sshd_config 2018-08-22 22:41:42.000000000 -0700 |
|
221 |
+@@ -102,6 +102,8 @@ AuthorizedKeysFile .ssh/authorized_keys |
|
222 |
+ #ChrootDirectory none |
|
223 |
+ #VersionAddendum none |
|
224 |
+ |
|
225 |
++#FipsMode no |
|
226 |
++ |
|
227 |
+ # no default banner path |
|
228 |
+ #Banner none |
|
229 |
+ |
|
230 |
+diff -rup openssh-7.8p1/sshd_config.0 openssh-7.8p1-new/sshd_config.0 |
|
231 |
+--- openssh-7.8p1/sshd_config.0 2018-08-23 00:09:17.000000000 -0700 |
|
232 |
+@@ -338,6 +338,10 @@ DESCRIPTION |
|
233 |
+ Specifies the hash algorithm used when logging key fingerprints. |
|
234 |
+ Valid options are: md5 and sha256. The default is sha256. |
|
235 |
+ |
|
236 |
++ FipsMode |
|
237 |
++ Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
238 |
++ The default is no. |
|
239 |
++ |
|
240 |
+ ForceCommand |
|
241 |
+ Forces the execution of the command specified by ForceCommand, |
|
242 |
+ ignoring any command supplied by the client and ~/.ssh/rc if |
|
243 |
+Only in openssh-7.8p1-new: sshd_config.0.orig |
|
244 |
+diff -rup openssh-7.8p1/sshd_config.5 openssh-7.8p1-new/sshd_config.5 |
|
245 |
+--- openssh-7.8p1/sshd_config.5 2018-08-22 22:41:42.000000000 -0700 |
|
246 |
+@@ -592,6 +592,10 @@ and |
|
247 |
+ .Cm sha256 . |
|
248 |
+ The default is |
|
249 |
+ .Cm sha256 . |
|
250 |
++.It Cm FipsMode |
|
251 |
++Enables or disables FIPS mode. Requires FIPS capable ssl modules. |
|
252 |
++The default is |
|
253 |
++.Cm no . |
|
254 |
+ .It Cm ForceCommand |
|
255 |
+ Forces the execution of the command specified by |
|
256 |
+ .Cm ForceCommand , |
|
257 |
+Only in openssh-7.8p1-new: sshd_config.5.orig |
|
258 |
+Only in openssh-7.8p1-new: sshd_config.orig |
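Review bot: The oFipsMode handler in the readconf.c hunk (and the matching sFipsMode handler in servconf.c) only ever calls `FIPS_mode_set(1)`; a `FipsMode no` directive never calls `FIPS_mode_set(0)`, so the man-page text added to ssh_config.5/sshd_config.5, "Enables or disables FIPS mode", overstates the option when the library is already in FIPS mode for another reason — either document it as enable-only (`Enables FIPS mode; "no" leaves the library's current FIPS state untouched.`) or have the handler act on both values. The ordering guard `if (options->ciphers != NULL)` is also narrower than it should be: the cipher.c hunk in the following file switches `cipher_alg_list`/`cipher_by_name` on `FIPS_mode()`, and if the MAC and KEX name lists are switched the same way (not visible in this section), a MACs or KexAlgorithms line placed before FipsMode is validated against the non-FIPS list without any error, so the check should read `if (options->ciphers != NULL || options->macs != NULL || options->kex_algorithms != NULL)` in both parsers. `dump_cfg_fmtint(oFipsMode, o->fips_mode)` / `dump_cfg_fmtint(sFipsMode, o->fips_mode)` report the configured value rather than `FIPS_mode()`, so `ssh -G` and `sshd -T` will print `fipsmode no` on a host where FIPS was enabled outside the config. As a point of style, the server parser accepts only a case-sensitive `yes`/`no` via `strcmp` while the client parser goes through `multistate_flag`; using the same multistate lookup on both sides would keep the two in step.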
0 | 259 |
new file mode 100644 |
@@ -0,0 +1,398 @@ |
0 |
+diff -rup openssh-7.8p1/cipher.c openssh-7.8p1-new/cipher.c |
|
1 |
+--- openssh-7.8p1/cipher.c 2018-08-22 22:41:42.000000000 -0700 |
|
2 |
+@@ -111,6 +111,26 @@ static const struct sshcipher ciphers[] |
|
3 |
+ { NULL, 0, 0, 0, 0, 0, NULL } |
|
4 |
+ }; |
|
5 |
+ |
|
6 |
++static const struct sshcipher fips_ciphers[] = { |
|
7 |
++ { "none", 8, 0, 0, 0, 0, EVP_enc_null }, |
|
8 |
++ { "3des-cbc", 8, 24, 0, 0, 1, EVP_des_ede3_cbc }, |
|
9 |
++ { "aes128-cbc", 16, 16, 0, 0, 1, EVP_aes_128_cbc }, |
|
10 |
++ { "aes192-cbc", 16, 24, 0, 0, 1, EVP_aes_192_cbc }, |
|
11 |
++ { "aes256-cbc", 16, 32, 0, 0, 1, EVP_aes_256_cbc }, |
|
12 |
++ { "rijndael-cbc@lysator.liu.se", |
|
13 |
++ 16, 32, 0, 0, 1, EVP_aes_256_cbc }, |
|
14 |
++ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, |
|
15 |
++ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, |
|
16 |
++ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, |
|
17 |
++# ifdef OPENSSL_HAVE_EVPGCM |
|
18 |
++ { "aes128-gcm@openssh.com", |
|
19 |
++ 16, 16, 12, 16, 0, EVP_aes_128_gcm }, |
|
20 |
++ { "aes256-gcm@openssh.com", |
|
21 |
++ 16, 32, 12, 16, 0, EVP_aes_256_gcm }, |
|
22 |
++# endif /* OPENSSL_HAVE_EVPGCM */ |
|
23 |
++ { NULL, 0, 0, 0, 0, 0, NULL } |
|
24 |
++}; |
|
25 |
++ |
|
26 |
+ /*--*/ |
|
27 |
+ |
|
28 |
+ /* Returns a comma-separated list of supported ciphers. */ |
|
29 |
+@@ -121,7 +141,7 @@ cipher_alg_list(char sep, int auth_only) |
|
30 |
+ size_t nlen, rlen = 0; |
|
31 |
+ const struct sshcipher *c; |
|
32 |
+ |
|
33 |
+- for (c = ciphers; c->name != NULL; c++) { |
|
34 |
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { |
|
35 |
+ if ((c->flags & CFLAG_INTERNAL) != 0) |
|
36 |
+ continue; |
|
37 |
+ if (auth_only && c->auth_len == 0) |
|
38 |
+@@ -193,7 +213,7 @@ const struct sshcipher * |
|
39 |
+ cipher_by_name(const char *name) |
|
40 |
+ { |
|
41 |
+ const struct sshcipher *c; |
|
42 |
+- for (c = ciphers; c->name != NULL; c++) |
|
43 |
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) |
|
44 |
+ if (strcmp(c->name, name) == 0) |
|
45 |
+ return c; |
|
46 |
+ return NULL; |
|
47 |
+Only in openssh-7.8p1-new: cipher.c.orig |
|
48 |
+Only in openssh-7.8p1-new: cipher.c.rej |
|
49 |
+diff -rup openssh-7.8p1/cipher-ctr.c openssh-7.8p1-new/cipher-ctr.c |
|
50 |
+--- openssh-7.8p1/cipher-ctr.c 2018-08-22 22:41:42.000000000 -0700 |
|
51 |
+@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) |
|
52 |
+ aes_ctr.do_cipher = ssh_aes_ctr; |
|
53 |
+ #ifndef SSH_OLD_EVP |
|
54 |
+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | |
|
55 |
+- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; |
|
56 |
++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | |
|
57 |
++ EVP_CIPH_FLAG_FIPS; |
|
58 |
+ #endif |
|
59 |
+ return (&aes_ctr); |
|
60 |
+ } |
|
61 |
+diff -rup openssh-7.8p1/dh.h openssh-7.8p1-new/dh.h |
|
62 |
+--- openssh-7.8p1/dh.h 2018-08-22 22:41:42.000000000 -0700 |
|
63 |
+@@ -51,6 +51,7 @@ u_int dh_estimate(int); |
|
64 |
+ * Miniumum increased in light of DH precomputation attacks. |
|
65 |
+ */ |
|
66 |
+ #define DH_GRP_MIN 2048 |
|
67 |
++#define DH_GRP_MIN_FIPS 2048 |
|
68 |
+ #define DH_GRP_MAX 8192 |
|
69 |
+ |
|
70 |
+ /* |
|
71 |
+diff -rup openssh-7.8p1/entropy.c openssh-7.8p1-new/entropy.c |
|
72 |
+--- openssh-7.8p1/entropy.c 2018-08-22 22:41:42.000000000 -0700 |
|
73 |
+@@ -223,6 +223,9 @@ seed_rng(void) |
|
74 |
+ fatal("OpenSSL version mismatch. Built against %lx, you " |
|
75 |
+ "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); |
|
76 |
+ |
|
77 |
++ /* clean the PRNG status when exiting the program */ |
|
78 |
++ atexit(RAND_cleanup); |
|
79 |
++ |
|
80 |
+ #ifndef OPENSSL_PRNG_ONLY |
|
81 |
+ if (RAND_status() == 1) { |
|
82 |
+ debug3("RNG is ready, skipping seeding"); |
|
83 |
+Only in openssh-7.8p1-new: entropy.c.orig |
|
84 |
+diff -rup openssh-7.8p1/kex.c openssh-7.8p1-new/kex.c |
|
85 |
+--- openssh-7.8p1/kex.c 2018-08-22 22:41:42.000000000 -0700 |
|
86 |
+@@ -106,6 +106,27 @@ static const struct kexalg kexalgs[] = { |
|
87 |
+ { NULL, -1, -1, -1}, |
|
88 |
+ }; |
|
89 |
+ |
|
90 |
++static const struct kexalg kexalgs_fips[] = { |
|
91 |
++ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, |
|
92 |
++ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, |
|
93 |
++ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, |
|
94 |
++ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, |
|
95 |
++#ifdef HAVE_EVP_SHA256 |
|
96 |
++ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, |
|
97 |
++#endif |
|
98 |
++#ifdef OPENSSL_HAS_ECC |
|
99 |
++ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2, |
|
100 |
++ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, |
|
101 |
++ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1, |
|
102 |
++ SSH_DIGEST_SHA384 }, |
|
103 |
++# ifdef OPENSSL_HAS_NISTP521 |
|
104 |
++ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1, |
|
105 |
++ SSH_DIGEST_SHA512 }, |
|
106 |
++# endif |
|
107 |
++#endif |
|
108 |
++ { NULL, -1, -1, -1}, |
|
109 |
++}; |
|
110 |
++ |
|
111 |
+ char * |
|
112 |
+ kex_alg_list(char sep) |
|
113 |
+ { |
|
114 |
+@@ -113,7 +134,7 @@ kex_alg_list(char sep) |
|
115 |
+ size_t nlen, rlen = 0; |
|
116 |
+ const struct kexalg *k; |
|
117 |
+ |
|
118 |
+- for (k = kexalgs; k->name != NULL; k++) { |
|
119 |
++ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) { |
|
120 |
+ if (ret != NULL) |
|
121 |
+ ret[rlen++] = sep; |
|
122 |
+ nlen = strlen(k->name); |
|
123 |
+@@ -133,7 +154,7 @@ kex_alg_by_name(const char *name) |
|
124 |
+ { |
|
125 |
+ const struct kexalg *k; |
|
126 |
+ |
|
127 |
+- for (k = kexalgs; k->name != NULL; k++) { |
|
128 |
++ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) { |
|
129 |
+ if (strcmp(k->name, name) == 0) |
|
130 |
+ return k; |
|
131 |
+ } |
|
132 |
+@@ -153,7 +174,10 @@ kex_names_valid(const char *names) |
|
133 |
+ for ((p = strsep(&cp, ",")); p && *p != '\0'; |
|
134 |
+ (p = strsep(&cp, ","))) { |
|
135 |
+ if (kex_alg_by_name(p) == NULL) { |
|
136 |
+- error("Unsupported KEX algorithm \"%.100s\"", p); |
|
137 |
++ if (FIPS_mode()) |
|
138 |
++ error("\"%.100s\" is not allowed in FIPS mode", p); |
|
139 |
++ else |
|
140 |
++ error("Unsupported KEX algorithm \"%.100s\"", p); |
|
141 |
+ free(s); |
|
142 |
+ return 0; |
|
143 |
+ } |
|
144 |
+Only in openssh-7.8p1-new: kex.c.orig |
|
145 |
+diff -rup openssh-7.8p1/kexgexc.c openssh-7.8p1-new/kexgexc.c |
|
146 |
+--- openssh-7.8p1/kexgexc.c 2018-08-22 22:41:42.000000000 -0700 |
|
147 |
+@@ -63,7 +63,7 @@ kexgex_client(struct ssh *ssh) |
|
148 |
+ |
|
149 |
+ nbits = dh_estimate(kex->dh_need * 8); |
|
150 |
+ |
|
151 |
+- kex->min = DH_GRP_MIN; |
|
152 |
++ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; |
|
153 |
+ kex->max = DH_GRP_MAX; |
|
154 |
+ kex->nbits = nbits; |
|
155 |
+ if (datafellows & SSH_BUG_DHGEX_LARGE) |
|
156 |
+diff -rup openssh-7.8p1/kexgexs.c openssh-7.8p1-new/kexgexs.c |
|
157 |
+--- openssh-7.8p1/kexgexs.c 2018-08-22 22:41:42.000000000 -0700 |
|
158 |
+@@ -82,9 +82,9 @@ input_kex_dh_gex_request(int type, u_int |
|
159 |
+ kex->nbits = nbits; |
|
160 |
+ kex->min = min; |
|
161 |
+ kex->max = max; |
|
162 |
+- min = MAXIMUM(DH_GRP_MIN, min); |
|
163 |
++ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); |
|
164 |
+ max = MINIMUM(DH_GRP_MAX, max); |
|
165 |
+- nbits = MAXIMUM(DH_GRP_MIN, nbits); |
|
166 |
++ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits); |
|
167 |
+ nbits = MINIMUM(DH_GRP_MAX, nbits); |
|
168 |
+ |
|
169 |
+ if (kex->max < kex->min || kex->nbits < kex->min || |
|
170 |
+Only in openssh-7.8p1-new: kexgexs.c.orig |
|
171 |
+diff -rup openssh-7.8p1/mac.c openssh-7.8p1-new/mac.c |
|
172 |
+--- openssh-7.8p1/mac.c 2018-08-22 22:41:42.000000000 -0700 |
|
173 |
+@@ -54,7 +54,7 @@ struct macalg { |
|
174 |
+ int etm; /* Encrypt-then-MAC */ |
|
175 |
+ }; |
|
176 |
+ |
|
177 |
+-static const struct macalg macs[] = { |
|
178 |
++static const struct macalg all_macs[] = { |
|
179 |
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ |
|
180 |
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, |
|
181 |
+ { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, |
|
182 |
+@@ -82,6 +82,24 @@ static const struct macalg macs[] = { |
|
183 |
+ { NULL, 0, 0, 0, 0, 0, 0 } |
|
184 |
+ }; |
|
185 |
+ |
|
186 |
++static const struct macalg fips_macs[] = { |
|
187 |
++ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ |
|
188 |
++ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, |
|
189 |
++#ifdef HAVE_EVP_SHA256 |
|
190 |
++ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 }, |
|
191 |
++ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 }, |
|
192 |
++#endif |
|
193 |
++ |
|
194 |
++ /* Encrypt-then-MAC variants */ |
|
195 |
++ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 }, |
|
196 |
++#ifdef HAVE_EVP_SHA256 |
|
197 |
++ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, |
|
198 |
++ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, |
|
199 |
++#endif |
|
200 |
++ |
|
201 |
++ { NULL, 0, 0, 0, 0, 0, 0 } |
|
202 |
++}; |
|
203 |
++ |
|
204 |
+ /* Returns a list of supported MACs separated by the specified char. */ |
|
205 |
+ char * |
|
206 |
+ mac_alg_list(char sep) |
|
207 |
+@@ -90,7 +108,7 @@ mac_alg_list(char sep) |
|
208 |
+ size_t nlen, rlen = 0; |
|
209 |
+ const struct macalg *m; |
|
210 |
+ |
|
211 |
+- for (m = macs; m->name != NULL; m++) { |
|
212 |
++ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) { |
|
213 |
+ if (ret != NULL) |
|
214 |
+ ret[rlen++] = sep; |
|
215 |
+ nlen = strlen(m->name); |
|
216 |
+@@ -129,7 +147,7 @@ mac_setup(struct sshmac *mac, char *name |
|
217 |
+ { |
|
218 |
+ const struct macalg *m; |
|
219 |
+ |
|
220 |
+- for (m = macs; m->name != NULL; m++) { |
|
221 |
++ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) { |
|
222 |
+ if (strcmp(name, m->name) != 0) |
|
223 |
+ continue; |
|
224 |
+ if (mac != NULL) |
|
225 |
+Only in openssh-7.8p1-new: mac.c.orig |
|
226 |
+diff -rup openssh-7.8p1/myproposal.h openssh-7.8p1-new/myproposal.h |
|
227 |
+--- openssh-7.8p1/myproposal.h 2018-08-22 22:41:42.000000000 -0700 |
|
228 |
+@@ -139,6 +139,29 @@ |
|
229 |
+ |
|
230 |
+ #define KEX_CLIENT_MAC KEX_SERVER_MAC |
|
231 |
+ |
|
232 |
++#define KEX_DEFAULT_KEX_FIPS \ |
|
233 |
++ KEX_ECDH_METHODS \ |
|
234 |
++ KEX_SHA2_METHODS \ |
|
235 |
++ KEX_SHA2_GROUP14 \ |
|
236 |
++ "diffie-hellman-group14-sha1" |
|
237 |
++#define KEX_FIPS_ENCRYPT \ |
|
238 |
++ "aes128-ctr,aes192-ctr,aes256-ctr," \ |
|
239 |
++ "aes128-cbc,3des-cbc," \ |
|
240 |
++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \ |
|
241 |
++ AESGCM_CIPHER_MODES |
|
242 |
++#ifdef HAVE_EVP_SHA256 |
|
243 |
++#define KEX_FIPS_MAC \ |
|
244 |
++ "hmac-sha1," \ |
|
245 |
++ "hmac-sha2-256," \ |
|
246 |
++ "hmac-sha2-512," \ |
|
247 |
++ "hmac-sha1-etm@openssh.com," \ |
|
248 |
++ "hmac-sha2-256-etm@openssh.com," \ |
|
249 |
++ "hmac-sha2-512-etm@openssh.com" |
|
250 |
++#else |
|
251 |
++#define KEX_FIPS_MAC \ |
|
252 |
++ "hmac-sha1" |
|
253 |
++#endif |
|
254 |
++ |
|
255 |
+ #else /* WITH_OPENSSL */ |
|
256 |
+ |
|
257 |
+ #define KEX_SERVER_KEX \ |
|
258 |
+Only in openssh-7.8p1-new: myproposal.h.orig |
|
259 |
+diff -rup openssh-7.8p1/openbsd-compat/openssl-compat.h openssh-7.8p1-new/openbsd-compat/openssl-compat.h |
|
260 |
+--- openssh-7.8p1/openbsd-compat/openssl-compat.h 2018-08-22 22:41:42.000000000 -0700 |
|
261 |
+@@ -24,6 +24,7 @@ |
|
262 |
+ #include <openssl/evp.h> |
|
263 |
+ #include <openssl/rsa.h> |
|
264 |
+ #include <openssl/dsa.h> |
|
265 |
++#include <openssl/crypto.h> |
|
266 |
+ |
|
267 |
+ int ssh_compatible_openssl(long, long); |
|
268 |
+ |
|
269 |
+diff -rup openssh-7.8p1/readconf.c openssh-7.8p1-new/readconf.c |
|
270 |
+--- openssh-7.8p1/readconf.c 2018-08-22 22:41:42.000000000 -0700 |
|
271 |
+@@ -2083,9 +2083,9 @@ fill_default_options(Options * options) |
|
272 |
+ defaults, all)) != 0) \ |
|
273 |
+ fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
|
274 |
+ } while (0) |
|
275 |
+- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); |
|
276 |
+- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); |
|
277 |
+- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); |
|
278 |
++ ASSEMBLE(ciphers, (FIPS_mode() ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); |
|
279 |
++ ASSEMBLE(macs, (FIPS_mode() ? KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); |
|
280 |
++ ASSEMBLE(kex_algorithms, (FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); |
|
281 |
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); |
|
282 |
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); |
|
283 |
+ #undef ASSEMBLE |
|
284 |
+diff -rup openssh-7.8p1/sandbox-seccomp-filter.c openssh-7.8p1-new/sandbox-seccomp-filter.c |
|
285 |
+--- openssh-7.8p1/sandbox-seccomp-filter.c 2018-08-22 22:41:42.000000000 -0700 |
|
286 |
+@@ -137,6 +137,9 @@ static const struct sock_filter preauth_ |
|
287 |
+ #ifdef __NR_open |
|
288 |
+ SC_DENY(__NR_open, EACCES), |
|
289 |
+ #endif |
|
290 |
++#ifdef __NR_socket |
|
291 |
++ SC_DENY(__NR_socket, EACCES), |
|
292 |
++#endif |
|
293 |
+ #ifdef __NR_openat |
|
294 |
+ SC_DENY(__NR_openat, EACCES), |
|
295 |
+ #endif |
|
296 |
+Only in openssh-7.8p1-new: sandbox-seccomp-filter.c.orig |
|
297 |
+diff -rup openssh-7.8p1/servconf.c openssh-7.8p1-new/servconf.c |
|
298 |
+--- openssh-7.8p1/servconf.c 2018-08-22 22:41:42.000000000 -0700 |
|
299 |
+@@ -203,9 +203,9 @@ assemble_algorithms(ServerOptions *o) |
|
300 |
+ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ |
|
301 |
+ fatal("%s: %s: %s", __func__, #what, ssh_err(r)); \ |
|
302 |
+ } while (0) |
|
303 |
+- ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, all_cipher); |
|
304 |
+- ASSEMBLE(macs, KEX_SERVER_MAC, all_mac); |
|
305 |
+- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); |
|
306 |
++ ASSEMBLE(ciphers, (FIPS_mode() ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); |
|
307 |
++ ASSEMBLE(macs, (FIPS_mode() ? KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); |
|
308 |
++ ASSEMBLE(kex_algorithms, (FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); |
|
309 |
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key); |
|
310 |
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); |
|
311 |
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); |
|
312 |
+@@ -2583,8 +2583,10 @@ dump_config(ServerOptions *o) |
|
313 |
+ /* string arguments */ |
|
314 |
+ dump_cfg_string(sPidFile, o->pid_file); |
|
315 |
+ dump_cfg_string(sXAuthLocation, o->xauth_location); |
|
316 |
+- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); |
|
317 |
+- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); |
|
318 |
++ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode() |
|
319 |
++ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT); |
|
320 |
++ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode() |
|
321 |
++ ? KEX_FIPS_MAC : KEX_SERVER_MAC); |
|
322 |
+ dump_cfg_string(sBanner, o->banner); |
|
323 |
+ dump_cfg_string(sForceCommand, o->adm_forced_command); |
|
324 |
+ dump_cfg_string(sChrootDirectory, o->chroot_directory); |
|
325 |
+@@ -2599,8 +2601,8 @@ dump_config(ServerOptions *o) |
|
326 |
+ dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command); |
|
327 |
+ dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user); |
|
328 |
+ dump_cfg_string(sHostKeyAgent, o->host_key_agent); |
|
329 |
+- dump_cfg_string(sKexAlgorithms, |
|
330 |
+- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); |
|
331 |
++ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : |
|
332 |
++ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX); |
|
333 |
+ dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? |
|
334 |
+ o->hostbased_key_types : KEX_DEFAULT_PK_ALG); |
|
335 |
+ dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ? |
|
336 |
+diff -rup openssh-7.8p1/ssh.c openssh-7.8p1-new/ssh.c |
|
337 |
+--- openssh-7.8p1/ssh.c 2018-08-22 22:41:42.000000000 -0700 |
|
338 |
+@@ -1259,6 +1259,10 @@ main(int ac, char **av) |
|
339 |
+ } |
|
340 |
+ |
|
341 |
+ seed_rng(); |
|
342 |
++ |
|
343 |
++ if (FIPS_mode()) { |
|
344 |
++ logit("FIPS mode initialized"); |
|
345 |
++ } |
|
346 |
+ |
|
347 |
+ if (options.user == NULL) |
|
348 |
+ options.user = xstrdup(pw->pw_name); |
|
349 |
+diff -rup openssh-7.8p1/sshd.c openssh-7.8p1-new/sshd.c |
|
350 |
+--- openssh-7.8p1/sshd.c 2018-08-22 22:41:42.000000000 -0700 |
|
351 |
+@@ -1940,6 +1940,10 @@ main(int ac, char **av) |
|
352 |
+ /* Reinitialize the log (because of the fork above). */ |
|
353 |
+ log_init(__progname, options.log_level, options.log_facility, log_stderr); |
|
354 |
+ |
|
355 |
++ if (FIPS_mode()) { |
|
356 |
++ logit("FIPS mode initialized"); |
|
357 |
++ } |
|
358 |
++ |
|
359 |
+ /* Chdir to the root directory so that the current disk can be |
|
360 |
+ unmounted if desired. */ |
|
361 |
+ if (chdir("/") == -1) |
|
362 |
+Only in openssh-7.8p1-new: sshd.c.orig |
|
363 |
+diff -rup openssh-7.8p1/sshkey.c openssh-7.8p1-new/sshkey.c |
|
364 |
+--- openssh-7.8p1/sshkey.c 2018-08-22 22:41:42.000000000 -0700 |
|
365 |
+@@ -55,6 +55,7 @@ |
|
366 |
+ #include "digest.h" |
|
367 |
+ #define SSHKEY_INTERNAL |
|
368 |
+ #include "sshkey.h" |
|
369 |
++#include "log.h" |
|
370 |
+ #include "sshkey-xmss.h" |
|
371 |
+ #include "match.h" |
|
372 |
+ |
|
373 |
+@@ -1517,6 +1518,8 @@ rsa_generate_private_key(u_int bits, RSA |
|
374 |
+ } |
|
375 |
+ if (!BN_set_word(f4, RSA_F4) || |
|
376 |
+ !RSA_generate_key_ex(private, bits, f4, NULL)) { |
|
377 |
++ if (FIPS_mode()) |
|
378 |
++ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); |
|
379 |
+ ret = SSH_ERR_LIBCRYPTO_ERROR; |
|
380 |
+ goto out; |
|
381 |
+ } |
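Review bot: The `"none"` entry of the new `fips_ciphers` table (new-file line 7, `{ "none", 8, 0, 0, 0, 0, EVP_enc_null }`) carries flags 0, so the `(c->flags & CFLAG_INTERNAL) != 0` filter that `cipher_alg_list` applies at new-file line 35 does not exclude it once `FIPS_mode()` selects this table, and `cipher_by_name` (line 43) returns it for a user-supplied `Ciphers` value; if the upstream `ciphers[]` table marks its `none` entry `CFLAG_NONE` as 7.8p1 does, FIPS mode would be the only mode that advertises and accepts the null cipher, so please verify against `ciphers_valid`. Marking the entry the same way, `{ "none", 8, 0, 0, 0, CFLAG_NONE, EVP_enc_null },`, restores the exclusion while keeping the entry resolvable for the internal `cipher_by_name("none")` callers. Separately, `DH_GRP_MIN_FIPS` (dh.h hunk) equals `DH_GRP_MIN`, so the `FIPS_mode()` ternaries in the kexgexc.c and kexgexs.c hunks are currently no-ops; a comment such as `/* kept separate so the FIPS floor can be raised independently of DH_GRP_MIN */` would explain the duplicate. The patch file continues past the lines shown here, so this covers only the visible hunks.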
... | ... |
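--- a/<spec path not shown on page>
+++ b/<spec path not shown on page>
@@ -1,22 +1,21 @@
 Summary: Free version of the SSH connectivity tools
 Name: openssh
-Version: 7.5p1
-Release: 11%{?dist}
+Version: 7.8p1
+Release: 1%{?dist}
 License: BSD
 URL: https://www.openssh.com/
 Group: System Environment/Security
 Vendor: VMware, Inc.
 Distribution: Photon
 Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-%define sha1 openssh=5e8f185d00afb4f4f89801e9b0f8b9cee9d87ebd
+%define sha1 openssh=27e267e370315561de96577fccae563bc2c37a60
 Source1: http://www.linuxfromscratch.org/blfs/downloads/systemd/blfs-systemd-units-20140907.tar.bz2
 %define sha1 blfs-systemd-units=713afb3bbe681314650146e5ec412ef77aa1fe33
 Source2: sshd.service
 Source3: sshd-keygen.service
 Patch0: blfs_systemd_fixes.patch
-Patch1: openssh-7.5p1-fips.patch
-Patch2: openssh-7.5p1-configure-fips.patch
-Patch3: openssh-CVE-2017-15906.patch
+Patch1: openssh-7.8p1-fips.patch
+Patch2: openssh-7.8p1-configure-fips.patch
 BuildRequires: openssl-devel
 BuildRequires: Linux-PAM-devel
 BuildRequires: krb5-devel
@@ -53,7 +52,6 @@ tar xf %{SOURCE1} --no-same-owner
 %patch0 -p0
 %patch1 -p1
 %patch2 -p1
-%patch3 -p3
 %build
 ./configure \
 CFLAGS="%{optflags}" \
@@ -181,6 +179,8 @@ rm -rf %{buildroot}/*
 %{_mandir}/man8/ssh-pkcs11-helper.8.gz
 
 %changelog
+* Tue Sep 11 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 7.8p1-1
+- Update version
 * Tue Nov 28 2017 Xiaolin Li <xiaolinl@vmware.comm> 7.5p1-11
 - Fix CVE-2017-15906.
 * Tue Nov 14 2017 Alexey Makhalov <amakhalov@vmware.com> 7.5p1-10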
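Review bot: The new changelog entry `- Update version` does not record that `Patch3: openssh-CVE-2017-15906.patch` and its `%patch3 -p3` application are removed in the same change, so the spec loses the trace of how that CVE is covered after the upgrade. Presumably the 7.8p1 tarball already contains the fix; if so, say it in the entry, e.g. `- Upgrade to 7.8p1; drop openssh-CVE-2017-15906.patch (fix carried upstream)`, and mention that the two FIPS patches were rebased to 7.8p1 as well.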