vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Blob Blame History Raw
diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
--- openssh-5.2p1/configure.ac.vendor	2009-03-10 03:51:54.862255585 +0100
+++ openssh-5.2p1/configure.ac	2009-03-10 03:51:55.850215090 +0100
@@ -3335,11 +3335,25 @@ AC_ARG_WITH(selinux,
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+		AC_CHECK_FUNCS(setkeycreatecon)
 		LIBS="$save_LIBS"
 	fi ]
 )
 
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+	[  --with-linux-audit   Enable Linux audit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+		LINUX_AUDIT_MSG="yes"
+		AC_CHECK_HEADERS(libaudit.h)
+		SSHDLIBS="$SSHDLIBS -laudit"
+	fi ]
+)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
@@ -3448,6 +3462,20 @@ AC_ARG_WITH(kerberos5,
 	]
 )
 
+# Check whether user wants NSS support
+LIBNSS_MSG="no"
+AC_ARG_WITH(nss,
+	[  --with-nss   Enable NSS support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
+		LIBNSS_MSG="yes"
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
+		AC_CHECK_HEADERS(pk11pub.h)
+		LIBS="$LIBS -lnss3"
+	fi
+	])
+AC_SUBST(LIBNSS)
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
@@ -3916,6 +3944,12 @@ AC_ARG_WITH(lastlog,
 		fi
 	]
 )
+AC_ARG_ENABLE(vendor-patchlevel,
+  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
+  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL="$enableval"],
+  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL=none])
 
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
@@ -4162,16 +4196,19 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
+echo "                       NSS support: $LIBNSS_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
diff -up openssh-5.2p1/servconf.c.vendor openssh-5.2p1/servconf.c
--- openssh-5.2p1/servconf.c.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/servconf.c	2009-03-10 03:51:54.956273911 +0100
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
+	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
@@ -262,6 +263,9 @@ fill_default_server_options(ServerOption
 	if (options->zero_knowledge_password_authentication == -1)
 		options->zero_knowledge_password_authentication = 0;
 
+	if (options->show_patchlevel == -1)
+ 		options->show_patchlevel = 0;
+ 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -299,7 +303,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
-	sBanner, sUseDNS, sHostbasedAuthentication,
+	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -410,6 +414,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
+	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1033,6 +1038,10 @@ process_server_config_line(ServerOptions
 		intptr = &use_privsep;
 		goto parse_flag;
 
+	case sShowPatchLevel:
+		intptr = &options->show_patchlevel;
+		goto parse_flag;
+
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1613,6 +1622,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.2p1/servconf.h.vendor openssh-5.2p1/servconf.h
--- openssh-5.2p1/servconf.h.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/servconf.h	2009-03-10 03:51:54.933236643 +0100
@@ -128,6 +128,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
+	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
diff -up openssh-5.2p1/sshd_config.0.vendor openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.vendor	2009-03-10 03:51:54.775230993 +0100
+++ openssh-5.2p1/sshd_config.0	2009-03-10 03:51:54.958364611 +0100
@@ -467,6 +467,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
 
+     ShowPatchLevel
+	     Specifies whether sshd will display the specific patch level of
+	     the binary in the server identification string.  The patch level
+	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.vendor	2009-03-10 03:51:54.785628316 +0100
+++ openssh-5.2p1/sshd_config.5	2009-03-10 03:51:54.931352756 +0100
@@ -814,6 +814,14 @@ This option applies to protocol version 
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
+.It Cm ShowPatchLevel 
+Specifies whether 
+.Nm sshd 
+will display the patch level of the binary in the identification string. 
+The patch level is set at compile-time. 
+The default is 
+.Dq no . 
+This option applies to protocol version 1 only. 
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.vendor	2009-03-10 03:51:54.747256884 +0100
+++ openssh-5.2p1/sshd_config	2009-03-10 03:51:54.960221540 +0100
@@ -112,6 +112,7 @@ X11Forwarding yes
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
+#ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
--- openssh-5.2p1/sshd.c.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/sshd.c	2009-03-10 03:51:56.224238563 +0100
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
 #include "openbsd-compat/openssl-compat.h"
 
 #ifdef HAVE_SECUREWARE
@@ -415,7 +417,7 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-	    SSH_VERSION, newline);
+	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
@@ -590,6 +592,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 
+	/* Open the syslog permanently so the chrooted process still
+	   can write to syslog. */
+	open_log();
+	
 	/* Change our root directory */
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -1256,6 +1262,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
+
+        SSLeay_add_all_algorithms();
+        if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
+                fatal("FIPS integrity verification test failed.");
+        }
+
 	init_rng();
 
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1408,8 +1420,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
-	SSLeay_add_all_algorithms();
-
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
@@ -1483,7 +1493,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 
-	debug("sshd version %.100s", SSH_RELEASE);
+	debug("sshd version %.100s",
+	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1894,6 +1905,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
+#ifdef WITH_SELINUX
+	ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
 #ifdef USE_PAM
 	if (options.use_pam) {
 		do_pam_setcred(1);
@@ -2174,6 +2188,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	} else if (FIPS_mode()) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2183,6 +2200,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+	} else if (FIPS_mode()) {
+		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =