diff --git a/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch b/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch new file mode 100644 index 0000000..11663ae --- /dev/null +++ b/SOURCES/0001-ssh-Use-SHA256-fingerprints-when-available.patch @@ -0,0 +1,125 @@ +From 50873a820f9d9c655b93e8ff2d4158aff29761ff Mon Sep 17 00:00:00 2001 +From: Martin Pitt +Date: Mon, 8 Oct 2018 15:19:02 +0200 +Subject: [PATCH 1/2] ssh: Use SHA256 fingerprints when available + +libssh 0.8 offers SHA256 fingerprints in addition to the old MD5/SHA1 +ones. The latter are both cryptographically broken, and not allowed when +running in FIPS mode -- these cause an assertion crash in OpenSSL. + +The "ssh" CLI hasn't shown MD5 fingerprints in a long time, not even on +RHEL 7 (it shows SHA1 and SHA256 there by default), so this actually +improves compatibility with ssh. + +Use libssh 0.8's ssh_get_fingerprint_hash() function, as ssh itself +shows SHA256 fingerprints in base64 instead of hex. cockpit-ssh's +fingerprint prompts should be compatible, and hex fingerprints would be +overly long. + +Adjust most check-multi-machine tests to not care about the particular +type of fingerprint, as they don't check the actual fingerprint anyway. +Only `TestMultiMachine.testDirectLogin` does, so adjust the test to +accept both MD5 and SHA256 fingerprints. + +https://bugzilla.redhat.com/show_bug.cgi?id=1585191 + +Closes #10241 +--- + configure.ac | 2 ++ + src/ssh/cockpitsshrelay.c | 17 +++++++++++++++-- + src/ssh/test-sshbridge.c | 8 +++++++- + 3 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index af8b1e3..b0d4879 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -132,6 +132,8 @@ if test "$enable_ssh" != "no"; then + AC_DEFINE_UNQUOTED(HAVE_SSH_GET_SERVER_PUBLICKEY, 1, Whether ssh_get_server_publickey is available) + ]) + ++ AC_CHECK_DECLS([SSH_PUBLICKEY_HASH_SHA256, ssh_get_fingerprint_hash], [], [], [[#include ]]) ++ + COCKPIT_SSH_SESSION_CFLAGS="$COCKPIT_CFLAGS $LIBSSH_CFLAGS $KRB5_CFLAGS" + COCKPIT_SSH_SESSION_LIBS="$COCKPIT_LIBS $LIBSSH_LIBS $KRB5_LIBS" + AC_SUBST(COCKPIT_SSH_SESSION_LIBS) +diff --git a/src/ssh/cockpitsshrelay.c b/src/ssh/cockpitsshrelay.c +index 41286c3..1798345 100644 +--- a/src/ssh/cockpitsshrelay.c ++++ b/src/ssh/cockpitsshrelay.c +@@ -52,6 +52,15 @@ + #include + #include + ++/* libssh 0.8 offers SHA256 fingerprints, use them if available */ ++#if HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256 ++#define SSH_PUBLICKEY_HASH SSH_PUBLICKEY_HASH_SHA256 ++#define SSH_PUBLICKEY_HASH_NAME "SHA256" ++#else ++#define SSH_PUBLICKEY_HASH SSH_PUBLICKEY_HASH_MD5 ++#define SSH_PUBLICKEY_HASH_NAME "MD5" ++#endif ++ + /* we had a private one before moving to /etc/ssh/ssh_known_hosts */ + #define LEGACY_KNOWN_HOSTS PACKAGE_LOCALSTATE_DIR "/known_hosts" + +@@ -505,7 +514,7 @@ prompt_for_host_key (CockpitSshData *data) + + message = g_strdup_printf ("The authenticity of host '%s:%d' can't be established. Do you want to proceed this time?", + host, port); +- prompt = g_strdup_printf ("MD5 Fingerprint (%s):", data->host_key_type); ++ prompt = g_strdup_printf (SSH_PUBLICKEY_HASH_NAME " Fingerprint (%s):", data->host_key_type); + + reply = prompt_with_authorize (data, prompt, message, data->host_fingerprint, data->host_key, TRUE); + +@@ -674,7 +683,7 @@ verify_knownhost (CockpitSshData *data, + goto done; + } + +- if (ssh_get_publickey_hash (key, SSH_PUBLICKEY_HASH_MD5, &hash, &len) < 0) ++ if (ssh_get_publickey_hash (key, SSH_PUBLICKEY_HASH, &hash, &len) < 0) + { + g_warning ("Couldn't hash ssh public key"); + ret = "internal-error"; +@@ -682,7 +691,11 @@ verify_knownhost (CockpitSshData *data, + } + else + { ++#if HAVE_DECL_SSH_GET_FINGERPRINT_HASH ++ data->host_fingerprint = ssh_get_fingerprint_hash (SSH_PUBLICKEY_HASH, hash, len); ++#else + data->host_fingerprint = ssh_get_hexa (hash, len); ++#endif + ssh_clean_pubkey_hash (&hash); + } + +diff --git a/src/ssh/test-sshbridge.c b/src/ssh/test-sshbridge.c +index e86f639..bc5bc3a 100644 +--- a/src/ssh/test-sshbridge.c ++++ b/src/ssh/test-sshbridge.c +@@ -563,7 +563,13 @@ test_echo_large (TestCase *tc, + + static const gchar MOCK_RSA_KEY[] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYzo07OA0H6f7orVun9nIVjGYrkf8AuPDScqWGzlKpAqSipoQ9oY/mwONwIOu4uhKh7FTQCq5p+NaOJ6+Q4z++xBzSOLFseKX+zyLxgNG28jnF06WSmrMsSfvPdNuZKt9rZcQFKn9fRNa8oixa+RsqEEVEvTYhGtRf7w2wsV49xIoIza/bln1ABX1YLaCByZow+dK3ZlHn/UU0r4ewpAIZhve4vCvAsMe5+6KJH8ft/OKXXQY06h6jCythLV4h18gY/sYosOa+/4XgpmBiE7fDeFRKVjP3mvkxMpxce+ckOFae2+aJu51h513S9kxY2PmKaV/JU9HBYO+yO4j+j24v"; + ++#if HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256 ++static const gchar MOCK_RSA_FP[] = "SHA256:XQ8a7zGxMFstDrGecBRUP9OMnOUXd/T3vkNGtYShs2w"; ++#define SSH_PUBLICKEY_HASH_NAME "SHA256" ++#else + static const gchar MOCK_RSA_FP[] = "0e:6a:c8:b1:07:72:e2:04:95:9f:0e:b3:56:af:48:e2"; ++#define SSH_PUBLICKEY_HASH_NAME "MD5" ++#endif + + + static void +@@ -634,7 +640,7 @@ do_hostkey_conversation (TestCase *tc, + (int)tc->ssh_port, MOCK_RSA_FP, + (int)tc->ssh_port, MOCK_RSA_KEY); + +- do_auth_conversation (tc->transport, "MD5 Fingerprint (ssh-rsa):", ++ do_auth_conversation (tc->transport, SSH_PUBLICKEY_HASH_NAME " Fingerprint (ssh-rsa):", + expect_json, response, add_header); + g_free (expect_json); + } +-- +2.19.1 + diff --git a/SOURCES/9999-Build-system-generated-changes-from-patches.patch b/SOURCES/9999-Build-system-generated-changes-from-patches.patch new file mode 100644 index 0000000..ec45230 --- /dev/null +++ b/SOURCES/9999-Build-system-generated-changes-from-patches.patch @@ -0,0 +1,97 @@ +From f2df0777226cf446d682812f464f68e91cbd25b4 Mon Sep 17 00:00:00 2001 +From: Martin Pitt +Date: Sun, 28 Oct 2018 13:55:38 +0100 +Subject: [PATCH 2/2] Build system generated changes from patches + +--- + configure | 90 ++++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 80 insertions(+), 10 deletions(-) + +diff --git a/configure b/configure +index 841293e..665e89c 100755 +--- a/configure ++++ b/configure +@@ -1939,6 +1939,52 @@ fi + + } # ac_fn_c_try_link + ++# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES ++# --------------------------------------------- ++# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR ++# accordingly. ++ac_fn_c_check_decl () ++{ ++ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack ++ as_decl_name=`echo $2|sed 's/ *(.*//'` ++ as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 ++$as_echo_n "checking whether $as_decl_name is declared... " >&6; } ++if eval \${$3+:} false; then : ++ $as_echo_n "(cached) " >&6 ++else ++ cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++$4 ++int ++main () ++{ ++#ifndef $as_decl_name ++#ifdef __cplusplus ++ (void) $as_decl_use; ++#else ++ (void) $as_decl_name; ++#endif ++#endif ++ ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_compile "$LINENO"; then : ++ eval "$3=yes" ++else ++ eval "$3=no" ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ++fi ++eval ac_res=\$$3 ++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 ++$as_echo "$ac_res" >&6; } ++ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno ++ ++} # ac_fn_c_check_decl ++ + # ac_fn_c_check_func LINENO FUNC VAR + # ---------------------------------- + # Tests whether FUNC exists, setting the cache variable VAR accordingly +@@ -6891,6 +6937,30 @@ _ACEOF + fi + + ++ ac_fn_c_check_decl "$LINENO" "SSH_PUBLICKEY_HASH_SHA256" "ac_cv_have_decl_SSH_PUBLICKEY_HASH_SHA256" "#include ++" ++if test "x$ac_cv_have_decl_SSH_PUBLICKEY_HASH_SHA256" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_SSH_PUBLICKEY_HASH_SHA256 $ac_have_decl ++_ACEOF ++ac_fn_c_check_decl "$LINENO" "ssh_get_fingerprint_hash" "ac_cv_have_decl_ssh_get_fingerprint_hash" "#include ++" ++if test "x$ac_cv_have_decl_ssh_get_fingerprint_hash" = xyes; then : ++ ac_have_decl=1 ++else ++ ac_have_decl=0 ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define HAVE_DECL_SSH_GET_FINGERPRINT_HASH $ac_have_decl ++_ACEOF ++ ++ + COCKPIT_SSH_SESSION_CFLAGS="$COCKPIT_CFLAGS $LIBSSH_CFLAGS $KRB5_CFLAGS" + COCKPIT_SSH_SESSION_LIBS="$COCKPIT_LIBS $LIBSSH_LIBS $KRB5_LIBS" + diff --git a/SPECS/cockpit.spec b/SPECS/cockpit.spec index 1ae0660..d26440a 100644 --- a/SPECS/cockpit.spec +++ b/SPECS/cockpit.spec @@ -45,7 +45,7 @@ %endif -%define libssh_version 0.7.1 +%define libssh_version 0.7.1-7 %if 0%{?fedora} > 0 && 0%{?fedora} < 22 %define libssh_version 0.6.0 %endif @@ -68,13 +68,16 @@ URL: https://cockpit-project.org/ Version: 176 %if %{defined wip} -Release: 2.%{wip}%{?dist} +Release: 1.%{wip}%{?dist} Source0: cockpit-%{version}.tar.gz %else -Release: 3%{?dist} +Release: 4%{?dist} Source0: https://github.com/cockpit-project/cockpit/releases/download/%{version}/cockpit-%{version}.tar.xz %endif +Patch1: 0001-ssh-Use-SHA256-fingerprints-when-available.patch +Patch9999: 9999-Build-system-generated-changes-from-patches.patch + BuildRequires: gcc BuildRequires: pkgconfig(gio-unix-2.0) BuildRequires: pkgconfig(json-glib-1.0) @@ -148,7 +151,7 @@ if [ -n "%{patches}" ]; then git config core.autocrlf false && git config core.safecrlf false && git config gc.auto 0 git add -f . && git commit -a -q -m "Base" && git tag -a initial --message="initial" git am --whitespace=nowarn %{patches} - touch -r $(git diff --name-only initial..HEAD) .git Makefile.in + touch -r $(git diff --name-only initial..HEAD) .git Makefile.in aclocal.m4 rm -rf .git fi @@ -789,6 +792,10 @@ The Cockpit component for installing package updates, via PackageKit. %endif # build optional extension packages %changelog +* Mon Oct 29 2018 Martin Pitt 176-4 +- Switch to ssh SHA256 fingerprints, to fix crash in FIPS mode + rhbz#1585191 + * Thu Aug 30 2018 Martin Pitt 176-3 - Storage: Offer installation of VDO on demand - Machines: Add disks to a virtual machine