From ac6e5f3f163923f1fa3ee55c68eb6ce3d852eebd Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Jul 20 2022 20:59:56 +0000 Subject: Refactor and reinstate FIPS patch for el8 --- diff --git a/openssh-7.7p1-fips-warning.patch b/openssh-7.7p1-fips-warning.patch new file mode 100644 index 0000000..54720cf --- /dev/null +++ b/openssh-7.7p1-fips-warning.patch @@ -0,0 +1,12 @@ +diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c +--- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200 ++++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200 +@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA + goto out; + + if (EVP_PKEY_keygen(ctx, &res) <= 0) { ++ if (FIPS_mode()) ++ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); + ret = SSH_ERR_LIBCRYPTO_ERROR; + goto out; + } diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 1466b40..8530336 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -447,15 +447,6 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c /* Fill in ret from parsed key */ ret->type = type; if (sshkey_is_cert(ret)) { -@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA - goto out; - - if (EVP_PKEY_keygen(ctx, &res) <= 0) { -+ if (FIPS_mode()) -+ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); - ret = SSH_ERR_LIBCRYPTO_ERROR; - goto out; - } @@ -2916,6 +2916,11 @@ sshkey_sign(struct sshkey *key, break; case KEY_ED25519_SK: diff --git a/openssh.spec b/openssh.spec index 4353618..8a66c22 100644 --- a/openssh.spec +++ b/openssh.spec @@ -52,7 +52,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 %global openssh_rel 19 -%global hyperscale_rel 1 +%global hyperscale_rel 2 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -254,6 +254,9 @@ Patch1005: openssh-8.7p1-host-based-auth.patch # https://github.com/openssh/openssh-portable/pull/323 Patch1006: openssh-8.7p1-negotiate-supported-algs.patch +# c9s specific logic factored out of openssh-7.7p1-fips.patch +Patch2000: openssh-7.7p1-fips-warning.patch + License: BSD Requires: /sbin/nologin @@ -443,9 +446,10 @@ popd %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race +%patch700 -p1 -b .fips %if 0%{?rhel} > 8 # This patch is based onto evpgenrsa and doesn't apply cleanly without it -%patch700 -p1 -b .fips +%patch2000 -p1 -b .fips-warning %endif %patch1000 -p1 -b .minimize-sha1-use @@ -735,6 +739,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Wed Jul 20 2022 Davide Cavalca - 8.7p1-19.2 + 0.10.4-5.2 +- Refactor and reinstate FIPS patch for el8 + * Wed Jul 20 2022 Davide Cavalca - 8.7p1-19.1 + 0.10.4-5.1 - Make it build on el8 as well for Hyperscale