5.4p1 and FIPS 140-2

Bryan brakeb at gmail.com
Wed Mar 17 04:50:02 EST 2010


On 3/16/2010 12:07 PM, Damien Miller wrote:
> On Mon, 15 Mar 2010, Bryan wrote:
>
>> Alright, I'm not really caring about x509 right now, my original question was
>> about FIPS.  Will it make new releases?  Will the patches I found on bugzilla
>> build with 5.4p1?
>
> The best way would be to try to apply the patches and attempt compilation.
> I can immediately think of any crypto that has changed between 5.3 and 5.4,
> so there is a reasonable chance they will work without modification.
>
> Otherwise, I'm sure the developer of the patches will update them to 5.4p1
> in the near future.
>
> -d

Thanks Damien...  I did try to apply the patch but not all of it 
completed...


Here is the output from 5.4p1 and the patch from my e-mail earlier.  I 
replaced all instances of "5.3p1" with "5.4p1" and applied it thusly:

mliu openssl # tar -zxf openssh-5.4p1.tar.gz
mliu openssl # pwd
/home/openssl
mliu openssl # patch -p0 < openssh_changes
patching file openssh-5.4p1/auth2-pubkey.c
Hunk #1 FAILED at 54.
Hunk #2 succeeded at 191 (offset 4 lines).
Hunk #3 succeeded at 272 (offset 30 lines).
1 out of 3 hunks FAILED -- saving rejects to file openssh-5.4p1/auth2-pubkey.c.rej
patching file openssh-5.4p1/auth-rsa.c
Hunk #3 succeeded at 92 with fuzz 1.
Hunk #4 succeeded at 109 (offset 3 lines).
Hunk #5 succeeded at 166 (offset 3 lines).
Hunk #6 succeeded at 188 (offset 3 lines).
Hunk #7 succeeded at 324 (offset 3 lines).
Hunk #8 succeeded at 358 (offset 3 lines).
patching file openssh-5.4p1/buffer.c
patching file openssh-5.4p1/buildpkg.sh.in
patching file openssh-5.4p1/cipher.c
patching file openssh-5.4p1/configure.ac
Hunk #4 succeeded at 1880 (offset 13 lines).
Hunk #5 succeeded at 2234 (offset 13 lines).
patching file openssh-5.4p1/contrib/redhat/sshd.init
patching file openssh-5.4p1/fips.h
patching file openssh-5.4p1/mac.c
patching file openssh-5.4p1/Makefile.in
Hunk #2 succeeded at 31 (offset 1 line).
Hunk #3 succeeded at 258 (offset 1 line).
patching file openssh-5.4p1/myproposal.h
Hunk #1 FAILED at 41.
Hunk #2 succeeded at 54 (offset 2 lines).
1 out of 2 hunks FAILED -- saving rejects to file openssh-5.4p1/myproposal.h.rej
patching file openssh-5.4p1/openbsd-compat/bsd-arc4random.c
patching file openssh-5.4p1/readconf.c
Hunk #2 succeeded at 230 (offset 2 lines).
Hunk #3 succeeded at 915 (offset 2 lines).
Hunk #4 succeeded at 1076 (offset 2 lines).
Hunk #5 succeeded at 1147 with fuzz 2 (offset 2 lines).
Hunk #6 succeeded at 1214 (offset 2 lines).
patching file openssh-5.4p1/readconf.h
patching file openssh-5.4p1/servconf.c
Hunk #1 succeeded at 108 (offset 1 line).
Hunk #2 succeeded at 132 with fuzz 1 (offset 1 line).
Hunk #3 succeeded at 269 (offset 4 lines).
Hunk #4 FAILED at 317.
Hunk #5 succeeded at 437 with fuzz 2 (offset 5 lines).
Hunk #6 succeeded at 1346 with fuzz 2 (offset 42 lines).
1 out of 6 hunks FAILED -- saving rejects to file openssh-5.4p1/servconf.c.rej
patching file openssh-5.4p1/servconf.h
Hunk #1 succeeded at 153 with fuzz 2 (offset 3 lines).
patching file openssh-5.4p1/ssh-add.c
Hunk #2 succeeded at 367 (offset 22 lines).
patching file openssh-5.4p1/ssh-agent.c
Hunk #1 succeeded at 75 with fuzz 2.
Hunk #2 succeeded at 1085 (offset 14 lines).
patching file openssh-5.4p1/ssh.c
Hunk #2 succeeded at 107 with fuzz 2 (offset 1 line).
Hunk #3 succeeded at 195 with fuzz 2 (offset 5 lines).
Hunk #4 FAILED at 300.
Hunk #5 succeeded at 691 (offset 32 lines).
1 out of 5 hunks FAILED -- saving rejects to file openssh-5.4p1/ssh.c.rej
patching file openssh-5.4p1/sshconnect2.c
Hunk #1 succeeded at 71 (offset 1 line).
Hunk #2 succeeded at 498 (offset 22 lines).
Hunk #3 succeeded at 537 (offset 22 lines).
patching file openssh-5.4p1/sshconnect.c
Hunk #1 succeeded at 60 with fuzz 2 (offset 2 lines).
Hunk #2 succeeded at 619 (offset 22 lines).
Hunk #3 succeeded at 804 (offset 30 lines).
Hunk #4 succeeded at 1159 (offset 76 lines).
Hunk #5 succeeded at 1222 (offset 76 lines).
patching file openssh-5.4p1/sshd.c
Hunk #3 succeeded at 429 (offset 2 lines).
Hunk #4 succeeded at 602 (offset 7 lines).
Hunk #5 succeeded at 648 (offset 7 lines).
Hunk #6 succeeded at 686 (offset 7 lines).
Hunk #7 succeeded at 707 (offset 7 lines).
Hunk #8 succeeded at 725 (offset 7 lines).
Hunk #9 succeeded at 746 (offset 7 lines).
Hunk #10 succeeded at 1126 (offset 37 lines).
Hunk #11 succeeded at 1262 (offset 37 lines).
Hunk #12 succeeded at 1286 (offset 37 lines).
Hunk #13 succeeded at 1597 (offset 46 lines).
Hunk #14 succeeded at 1826 (offset 86 lines).
patching file openssh-5.4p1/ssh-keygen.c
Hunk #1 FAILED at 48.
Hunk #2 succeeded at 1525 (offset 424 lines).
Hunk #3 succeeded at 1930 (offset 450 lines).
1 out of 3 hunks FAILED -- saving rejects to file openssh-5.4p1/ssh-keygen.c.rej
patching file openssh-5.4p1/ssh-keyscan.c
patching file openssh-5.4p1/ssh-keysign.c
patching file openssh-5.4p1/ssh-rand-helper.c
Hunk #2 succeeded at 829 with fuzz 1 (offset 1 line).
-------------------------------------------------------------------

There are some differences...  Should I pull from CVS and try to build, 
or am I not doing something right?

Thanks to all.

Bryan Brake
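
Added example, not part of the original post or of the FIPS patch set: a small triage of `patch` output like the log above. When a crypto-related patch is carried forward to a new release, the hunks that FAILED, applied with fuzz, or landed far from their recorded line are the ones to check by hand. The function names and the 100-line offset threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage GNU patch output.
# Function names and the offset threshold are assumptions of this example.

# Sample lines taken from the output in the post, embedded so this runs offline.
sample_log() {
    cat <<'EOF'
patching file openssh-5.4p1/auth2-pubkey.c
Hunk #1 FAILED at 54.
Hunk #2 succeeded at 191 (offset 4 lines).
patching file openssh-5.4p1/servconf.c
Hunk #2 succeeded at 132 with fuzz 1 (offset 1 line).
patching file openssh-5.4p1/ssh-keygen.c
Hunk #1 FAILED at 48.
Hunk #2 succeeded at 1525 (offset 424 lines).
EOF
}

# Reads patch output on stdin and prints one line per hunk to review by hand:
#   FAILED <file> hunk <n>             rejected, see <file>.rej
#   FUZZ   <file> hunk <n> fuzz <f>    applied after ignoring context lines
#   OFFSET <file> hunk <n> offset <o>  applied more than $1 lines away (default 100)
triage_patch_log() {
    awk -v max_off="${1:-100}" '
        /^patching file / { file = $3; next }
        /^Hunk #[0-9]+ FAILED/ {
            n = $2; sub(/^#/, "", n)
            print "FAILED", file, "hunk", n
            next
        }
        /^Hunk #[0-9]+ succeeded/ {
            n = $2; sub(/^#/, "", n)
            if (match($0, /with fuzz [0-9]+/))
                print "FUZZ", file, "hunk", n, "fuzz", substr($0, RSTART + 10, RLENGTH - 10)
            if (match($0, /offset -?[0-9]+ line/)) {
                o = substr($0, RSTART + 7, RLENGTH - 12) + 0
                if (o < 0) o = -o
                if (o > max_off + 0) print "OFFSET", file, "hunk", n, "offset", o
            }
        }
    '
}

sample_log | triage_patch_log
```

On a real tree, the same function can read the output of `patch -p0 --dry-run < openssh_changes`, which reports what would happen without modifying any file.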


More information about the openssh-unix-dev mailing list