rpms/openssh/devel openssh-5.2p1-fips.patch, 1.3, 1.4 openssh.spec, 1.141, 1.142
Tomáš Mráz
tmraz at fedoraproject.org
Mon Apr 20 12:18:53 UTC 2009
- Previous message (by thread): rpms/sabayon/devel sabayon-2.25.0-profile-save.patch, NONE, 1.1 sabayon.spec, 1.59, 1.60 sabayon-2.25.0-gconf-crashes.patch, 1.1, NONE
- Next message (by thread): rpms/galeon/F-11 galeon-2.0.7-moz191.patch, 1.1, 1.2 galeon.spec, 1.60, 1.61
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: tmraz
Update of /cvs/pkgs/rpms/openssh/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11798
Modified Files:
openssh-5.2p1-fips.patch openssh.spec
Log Message:
* Mon Apr 20 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-4
- log if FIPS mode is initialized
- make aes-ctr cipher modes work in the FIPS mode
openssh-5.2p1-fips.patch:
Index: openssh-5.2p1-fips.patch
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh-5.2p1-fips.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- openssh-5.2p1-fips.patch 13 Mar 2009 10:32:52 -0000 1.3
+++ openssh-5.2p1-fips.patch 20 Apr 2009 12:18:49 -0000 1.4
@@ -1,43 +1,6 @@
-diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
---- openssh-5.2p1/ssh-agent.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/ssh-agent.c 2009-03-13 11:23:15.000000000 +0100
-@@ -51,6 +51,8 @@
-
- #include <openssl/evp.h>
- #include <openssl/md5.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
- #include "openbsd-compat/openssl-compat.h"
-
- #include <errno.h>
-@@ -200,9 +202,9 @@ confirm_key(Identity *id)
- char *p;
- int ret = -1;
-
-- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
-- id->comment, p))
-+ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
-+ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.",
-+ id->comment, FIPS_mode() ? "SHA1 " : "", p))
- ret = 0;
- xfree(p);
-
-@@ -1196,6 +1198,11 @@ main(int ac, char **av)
- #endif
-
- SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-
- __progname = ssh_get_progname(av[0]);
- init_rng();
diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
---- openssh-5.2p1/auth2-pubkey.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/auth2-pubkey.c 2009-03-13 11:23:15.000000000 +0100
+--- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 14:52:11.000000000 +0200
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
@@ -55,179 +18,83 @@
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
-diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
---- openssh-5.2p1/ssh.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/ssh.c 2009-03-13 11:23:15.000000000 +0100
-@@ -71,6 +71,8 @@
+diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
+--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
++++ openssh-5.2p1/cipher.c 2009-04-17 14:52:11.000000000 +0200
+@@ -40,6 +40,7 @@
+ #include <sys/types.h>
- #include <openssl/evp.h>
- #include <openssl/err.h>
+ #include <openssl/md5.h>
+#include <openssl/fips.h>
-+#include <fipscheck.h>
- #include "openbsd-compat/openssl-compat.h"
- #include "openbsd-compat/sys-queue.h"
-
-@@ -220,6 +222,10 @@ main(int ac, char **av)
- sanitise_stdfd();
-
- __progname = ssh_get_progname(av[0]);
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fatal("FIPS integrity verification test failed.");
-+ }
- init_rng();
-
- /*
-@@ -550,7 +556,6 @@ main(int ac, char **av)
- if (!host)
- usage();
-
-- SSLeay_add_all_algorithms();
- ERR_load_crypto_strings();
-
- /* Initialize the command to execute on remote host. */
-diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
---- openssh-5.2p1/sshconnect2.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/sshconnect2.c 2009-03-13 11:23:15.000000000 +0100
-@@ -44,6 +44,8 @@
- #include <vis.h>
- #endif
-+#include <openssl/fips.h>
-+
- #include "openbsd-compat/sys-queue.h"
+ #include <string.h>
+ #include <stdarg.h>
+@@ -93,6 +94,22 @@ struct Cipher {
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
+ };
- #include "xmalloc.h"
-@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-+ } else if (FIPS_mode()) {
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
++struct Cipher fips_ciphers[] = {
++ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
++ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
+
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
- if (options.macs != NULL) {
- myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-+ } else if (FIPS_mode()) {
-+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
- }
++ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
++ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
++ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
++ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
++ { "rijndael-cbc at lysator.liu.se",
++ SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
++ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
++ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
++ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
++ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
++};
+
- if (options.hostkeyalgorithms != NULL)
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- options.hostkeyalgorithms;
-@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
- key->type, pktype);
- goto done;
- }
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-- debug2("input_userauth_pk_ok: fp %s", fp);
-+ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX);
-+ debug2("input_userauth_pk_ok: SHA1 fp %s", fp);
- xfree(fp);
-
- /*
-diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
---- openssh-5.2p1/Makefile.in.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/Makefile.in 2009-03-13 11:23:15.000000000 +0100
-@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
- $(RANLIB) $@
-
- ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
-- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
-+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
-
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-
- ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
-- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
-- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
-- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
-
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
- $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
---- openssh-5.2p1/sshd.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/sshd.c 2009-03-13 11:23:15.000000000 +0100
-@@ -76,6 +76,8 @@
- #include <openssl/bn.h>
- #include <openssl/md5.h>
- #include <openssl/rand.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
- #include "openbsd-compat/openssl-compat.h"
+ /*--*/
- #ifdef HAVE_SECUREWARE
-@@ -1260,6 +1262,12 @@ main(int ac, char **av)
- (void)set_auth_parameters(ac, av);
+ u_int
+@@ -135,7 +152,7 @@ Cipher *
+ cipher_by_name(const char *name)
+ {
+ Cipher *c;
+- for (c = ciphers; c->name != NULL; c++)
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
+ if (strcmp(c->name, name) == 0)
+ return c;
+ return NULL;
+@@ -145,7 +162,7 @@ Cipher *
+ cipher_by_number(int id)
+ {
+ Cipher *c;
+- for (c = ciphers; c->name != NULL; c++)
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
+ if (c->number == id)
+ return c;
+ return NULL;
+@@ -189,7 +206,7 @@ cipher_number(const char *name)
+ Cipher *c;
+ if (name == NULL)
+ return -1;
+- for (c = ciphers; c->name != NULL; c++)
++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
+ if (strcasecmp(c->name, name) == 0)
+ return c->number;
+ return -1;
+diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
+--- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
++++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:06.000000000 +0200
+@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
+ aes_ctr.do_cipher = ssh_aes_ctr;
+ #ifndef SSH_OLD_EVP
+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
++ EVP_CIPH_FLAG_FIPS;
#endif
- __progname = ssh_get_progname(av[0]);
-+
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fatal("FIPS integrity verification test failed.");
-+ }
-+
- init_rng();
-
- /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1412,8 +1420,6 @@ main(int ac, char **av)
- else
- closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
-
-- SSLeay_add_all_algorithms();
--
- /*
- * Force logging to stderr until we have loaded the private host
- * key (unless started from inetd)
-@@ -2182,6 +2188,9 @@ do_ssh2_kex(void)
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-+ } else if (FIPS_mode()) {
-+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2191,6 +2200,9 @@ do_ssh2_kex(void)
- if (options.macs != NULL) {
- myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-+ } else if (FIPS_mode()) {
-+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
- }
- if (options.compression == COMP_NONE) {
- myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+ return (&aes_ctr);
+ }
diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.2p1/mac.c 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/mac.c 2009-04-17 14:52:11.000000000 +0200
@@ -28,6 +28,7 @@
#include <sys/types.h>
@@ -277,63 +144,65 @@
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
-diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
---- openssh-5.2p1/ssh-keygen.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/ssh-keygen.c 2009-03-13 11:23:15.000000000 +0100
-@@ -21,6 +21,8 @@
+diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
+--- openssh-5.2p1/Makefile.in.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/Makefile.in 2009-04-17 14:52:11.000000000 +0200
+@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
+ $(RANLIB) $@
- #include <openssl/evp.h>
- #include <openssl/pem.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
- #include "openbsd-compat/openssl-compat.h"
+ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- #include <errno.h>
-@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw)
- enum fp_type fptype;
- struct stat st;
+ sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
-- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-+ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5;
- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
- if (!have_identity)
-@@ -1125,6 +1127,12 @@ main(int argc, char **argv)
- __progname = ssh_get_progname(argv[0]);
+ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-+
- log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
+- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- init_rng();
-@@ -1506,14 +1514,15 @@ passphrase_again:
- fclose(f);
+ ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
- if (!quiet) {
-- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-- char *ra = key_fingerprint(public, SSH_FP_MD5,
-+ int fips_on = FIPS_mode();
-+ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
-+ char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
- SSH_FP_RANDOMART);
- printf("Your public key has been saved in %s.\n",
- identity_file);
-- printf("The key fingerprint is:\n");
-+ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : "");
- printf("%s %s\n", fp, comment);
-- printf("The key's randomart image is:\n");
-+ printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :"");
- printf("%s\n", ra);
- xfree(ra);
- xfree(fp);
+ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
+- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
++ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+
+ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+ $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
+--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
++++ openssh-5.2p1/myproposal.h 2009-04-17 14:52:11.000000000 +0200
+@@ -53,7 +53,12 @@
+ "hmac-sha1-96,hmac-md5-96"
+ #define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
+ #define KEX_DEFAULT_LANG ""
+-
++#define KEX_FIPS_ENCRYPT \
++ "aes128-ctr,aes192-ctr,aes256-ctr," \
++ "aes128-cbc,3des-cbc," \
++ "aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se"
++#define KEX_FIPS_MAC \
++ "hmac-sha1"
+
+ static char *myproposal[PROPOSAL_MAX] = {
+ KEX_DEFAULT_KEX,
diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
---- openssh-5.2p1/nsskeys.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/nsskeys.c 2009-03-13 11:23:15.000000000 +0100
+--- openssh-5.2p1/nsskeys.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/nsskeys.c 2009-04-17 14:52:11.000000000 +0200
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
@@ -345,49 +214,9 @@
xfree(p);
return 0;
-diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
---- openssh-5.2p1/ssh-add.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/ssh-add.c 2009-03-13 11:23:15.000000000 +0100
-@@ -42,6 +42,8 @@
- #include <sys/param.h>
-
- #include <openssl/evp.h>
-+#include <openssl/fips.h>
-+#include <fipscheck.h>
- #include "openbsd-compat/openssl-compat.h"
-
- #ifdef HAVE_LIBNSS
-@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection
- key = ssh_get_next_identity(ac, &comment, version)) {
- had_identities = 1;
- if (do_fp) {
-- fp = key_fingerprint(key, SSH_FP_MD5,
-+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
- SSH_FP_HEX);
- printf("%d %s %s (%s)\n",
- key_size(key), fp, comment, key_type(key));
-@@ -463,11 +465,16 @@ main(int argc, char **argv)
- sanitise_stdfd();
-
- __progname = ssh_get_progname(argv[0]);
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
-+ }
-+
- init_rng();
- seed_rng();
-
-- SSLeay_add_all_algorithms();
--
- /* At first, get a connection to the authentication agent. */
- ac = ssh_get_authentication_connection();
- if (ac == NULL) {
diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
-+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-03-13 11:23:15.000000000 +0100
++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 14:52:11.000000000 +0200
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@@ -429,145 +258,187 @@
#endif /* !HAVE_ARC4RANDOM */
#ifndef ARC4RANDOM_BUF
-diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
---- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
-+++ openssh-5.2p1/myproposal.h 2009-03-13 11:27:49.000000000 +0100
-@@ -53,7 +53,12 @@
- "hmac-sha1-96,hmac-md5-96"
- #define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
- #define KEX_DEFAULT_LANG ""
--
-+#define KEX_FIPS_ENCRYPT \
-+ "aes128-ctr,aes192-ctr,aes256-ctr," \
-+ "aes128-cbc,3des-cbc," \
-+ "aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se"
-+#define KEX_FIPS_MAC \
-+ "hmac-sha1"
+diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
+--- openssh-5.2p1/ssh-add.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/ssh-add.c 2009-04-17 14:52:11.000000000 +0200
+@@ -42,6 +42,8 @@
+ #include <sys/param.h>
- static char *myproposal[PROPOSAL_MAX] = {
- KEX_DEFAULT_KEX,
-diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
---- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200
-+++ openssh-5.2p1/ssh-keysign.c 2009-03-13 11:23:15.000000000 +0100
-@@ -38,6 +38,8 @@
#include <openssl/evp.h>
- #include <openssl/rand.h>
- #include <openssl/rsa.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
+ #include "openbsd-compat/openssl-compat.h"
- #include "xmalloc.h"
- #include "log.h"
-@@ -175,6 +177,11 @@ main(int argc, char **argv)
-
- permanently_set_uid(pw);
+ #ifdef HAVE_LIBNSS
+@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection
+ key = ssh_get_next_identity(ac, &comment, version)) {
+ had_identities = 1;
+ if (do_fp) {
+- fp = key_fingerprint(key, SSH_FP_MD5,
++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
+ SSH_FP_HEX);
+ printf("%d %s %s (%s)\n",
+ key_size(key), fp, comment, key_type(key));
+@@ -463,10 +465,19 @@ main(int argc, char **argv)
+ sanitise_stdfd();
-+ SSLeay_add_all_algorithms();
-+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fatal("FIPS integrity verification test failed");
-+ }
+ __progname = ssh_get_progname(argv[0]);
++ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fprintf(stderr,
++ "FIPS integrity verification test failed.\n");
++ exit(3);
++ }
+
init_rng();
seed_rng();
- arc4random_stir();
-@@ -194,7 +201,6 @@ main(int argc, char **argv)
- if (key_fd[0] == -1 && key_fd[1] == -1)
- fatal("could not open any host key");
- SSLeay_add_all_algorithms();
- for (i = 0; i < 256; i++)
- rnd[i] = arc4random();
- RAND_seed(rnd, sizeof(rnd));
-diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
---- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
-+++ openssh-5.2p1/cipher.c 2009-03-13 11:23:15.000000000 +0100
-@@ -40,6 +40,7 @@
- #include <sys/types.h>
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
+
+ /* At first, get a connection to the authentication agent. */
+ ac = ssh_get_authentication_connection();
+diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
+--- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/ssh-agent.c 2009-04-17 14:52:11.000000000 +0200
+@@ -51,6 +51,8 @@
+ #include <openssl/evp.h>
#include <openssl/md5.h>
+#include <openssl/fips.h>
++#include <fipscheck.h>
+ #include "openbsd-compat/openssl-compat.h"
- #include <string.h>
- #include <stdarg.h>
-@@ -93,6 +94,22 @@ struct Cipher {
- { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
- };
+ #include <errno.h>
+@@ -200,9 +202,9 @@ confirm_key(Identity *id)
+ char *p;
+ int ret = -1;
-+struct Cipher fips_ciphers[] = {
-+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
-+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
-+
-+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
-+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
-+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
-+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
-+ { "rijndael-cbc at lysator.liu.se",
-+ SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
-+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
-+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
-+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
-+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
-+};
-+
- /*--*/
+- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
+- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
+- id->comment, p))
++ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
++ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.",
++ id->comment, FIPS_mode() ? "SHA1 " : "", p))
+ ret = 0;
+ xfree(p);
- u_int
-@@ -135,7 +152,7 @@ Cipher *
- cipher_by_name(const char *name)
- {
- Cipher *c;
-- for (c = ciphers; c->name != NULL; c++)
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
- if (strcmp(c->name, name) == 0)
- return c;
- return NULL;
-@@ -145,7 +162,7 @@ Cipher *
- cipher_by_number(int id)
- {
- Cipher *c;
-- for (c = ciphers; c->name != NULL; c++)
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
- if (c->number == id)
- return c;
- return NULL;
-@@ -189,7 +206,7 @@ cipher_number(const char *name)
- Cipher *c;
- if (name == NULL)
- return -1;
-- for (c = ciphers; c->name != NULL; c++)
-+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
- if (strcasecmp(c->name, name) == 0)
- return c->number;
- return -1;
-diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
---- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100
-+++ openssh-5.2p1/ssh-keyscan.c 2009-03-13 11:23:15.000000000 +0100
-@@ -19,6 +19,8 @@
- #include <arpa/inet.h>
+@@ -1196,6 +1198,11 @@ main(int ac, char **av)
+ #endif
+
+ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fprintf(stderr,
++ "FIPS integrity verification test failed.\n");
++ exit(3);
++ }
+
+ __progname = ssh_get_progname(av[0]);
+ init_rng();
+@@ -1356,6 +1363,10 @@ main(int ac, char **av)
+ /* child */
+ log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0);
- #include <openssl/bn.h>
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ if (setsid() == -1) {
+ error("setsid: %s", strerror(errno));
+ cleanup_exit(1);
+diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
+--- openssh-5.2p1/ssh.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/ssh.c 2009-04-17 14:52:11.000000000 +0200
+@@ -71,6 +71,8 @@
+
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
+ #include "openbsd-compat/openssl-compat.h"
+ #include "openbsd-compat/sys-queue.h"
- #include <netdb.h>
- #include <errno.h>
-@@ -731,6 +733,13 @@ main(int argc, char **argv)
- extern char *optarg;
+@@ -220,6 +222,10 @@ main(int ac, char **av)
+ sanitise_stdfd();
- __progname = ssh_get_progname(argv[0]);
+ __progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
-+ fprintf(stderr,
-+ "FIPS integrity verification test failed.\n");
-+ exit(3);
++ fatal("FIPS integrity verification test failed.");
+ }
-+
init_rng();
+
+ /*
+@@ -550,7 +556,6 @@ main(int ac, char **av)
+ if (!host)
+ usage();
+
+- SSLeay_add_all_algorithms();
+ ERR_load_crypto_strings();
+
+ /* Initialize the command to execute on remote host. */
+@@ -635,6 +640,10 @@ main(int ac, char **av)
+
seed_rng();
- TAILQ_INIT(&tq);
+
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ if (options.user == NULL)
+ options.user = xstrdup(pw->pw_name);
+
+diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
+--- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/sshconnect2.c 2009-04-17 14:52:11.000000000 +0200
+@@ -44,6 +44,8 @@
+ #include <vis.h>
+ #endif
+
++#include <openssl/fips.h>
++
+ #include "openbsd-compat/sys-queue.h"
+
+ #include "xmalloc.h"
+@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
+ if (options.ciphers != NULL) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
++ } else if (FIPS_mode()) {
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
++
+ }
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
+ if (options.macs != NULL) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
++ } else if (FIPS_mode()) {
++ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
+ }
++
+ if (options.hostkeyalgorithms != NULL)
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
+ options.hostkeyalgorithms;
+@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
+ key->type, pktype);
+ goto done;
+ }
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+- debug2("input_userauth_pk_ok: fp %s", fp);
++ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX);
++ debug2("input_userauth_pk_ok: SHA1 fp %s", fp);
+ xfree(fp);
+
+ /*
diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
---- openssh-5.2p1/sshconnect.c.fips 2009-03-13 11:23:15.000000000 +0100
-+++ openssh-5.2p1/sshconnect.c 2009-03-13 11:23:15.000000000 +0100
+--- openssh-5.2p1/sshconnect.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/sshconnect.c 2009-04-17 14:52:11.000000000 +0200
@@ -40,6 +40,8 @@
#include <unistd.h>
#include <fcntl.h>
@@ -654,3 +525,211 @@
error("Please contact your system administrator.");
xfree(fp);
+diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
+--- openssh-5.2p1/sshd.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/sshd.c 2009-04-17 14:52:11.000000000 +0200
+@@ -76,6 +76,8 @@
+ #include <openssl/bn.h>
+ #include <openssl/md5.h>
+ #include <openssl/rand.h>
++#include <openssl/fips.h>
++#include <fipscheck.h>
+ #include "openbsd-compat/openssl-compat.h"
+
+ #ifdef HAVE_SECUREWARE
+@@ -1260,6 +1262,12 @@ main(int ac, char **av)
+ (void)set_auth_parameters(ac, av);
+ #endif
+ __progname = ssh_get_progname(av[0]);
++
++ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fatal("FIPS integrity verification test failed.");
++ }
++
+ init_rng();
+
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+@@ -1412,8 +1420,6 @@ main(int ac, char **av)
+ else
+ closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+
+- SSLeay_add_all_algorithms();
+-
+ /*
+ * Force logging to stderr until we have loaded the private host
+ * key (unless started from inetd)
+@@ -1655,6 +1661,10 @@ main(int ac, char **av)
+ /* Initialize the random number generator. */
+ arc4random_stir();
+
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ /* Chdir to the root directory so that the current disk can be
+ unmounted if desired. */
+ chdir("/");
+@@ -2182,6 +2192,9 @@ do_ssh2_kex(void)
+ if (options.ciphers != NULL) {
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
++ } else if (FIPS_mode()) {
++ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
+ }
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+@@ -2191,6 +2204,9 @@ do_ssh2_kex(void)
+ if (options.macs != NULL) {
+ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+ myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
++ } else if (FIPS_mode()) {
++ myproposal[PROPOSAL_MAC_ALGS_CTOS] =
++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
+ }
+ if (options.compression == COMP_NONE) {
+ myproposal[PROPOSAL_COMP_ALGS_CTOS] =
+diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
+--- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 14:52:11.000000000 +0200
++++ openssh-5.2p1/ssh-keygen.c 2009-04-17 14:52:11.000000000 +0200
+@@ -21,6 +21,8 @@
+
+ #include <openssl/evp.h>
+ #include <openssl/pem.h>
++#include <openssl/fips.h>
++#include <fipscheck.h>
+ #include "openbsd-compat/openssl-compat.h"
+
+ #include <errno.h>
+@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw)
+ enum fp_type fptype;
+ struct stat st;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
++ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5;
+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
+ if (!have_identity)
+@@ -1125,11 +1127,21 @@ main(int argc, char **argv)
+ __progname = ssh_get_progname(argv[0]);
+
+ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fprintf(stderr,
++ "FIPS integrity verification test failed.\n");
++ exit(3);
++ }
++
+ log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
+
+ init_rng();
+ seed_rng();
+
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ /* we need this for the home * directory. */
+ pw = getpwuid(getuid());
+ if (!pw) {
+@@ -1506,14 +1518,15 @@ passphrase_again:
+ fclose(f);
+
+ if (!quiet) {
+- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+- char *ra = key_fingerprint(public, SSH_FP_MD5,
++ int fips_on = FIPS_mode();
++ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
++ char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
+ SSH_FP_RANDOMART);
+ printf("Your public key has been saved in %s.\n",
+ identity_file);
+- printf("The key fingerprint is:\n");
++ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : "");
+ printf("%s %s\n", fp, comment);
+- printf("The key's randomart image is:\n");
++ printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :"");
+ printf("%s\n", ra);
+ xfree(ra);
+ xfree(fp);
+diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c
+--- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100
++++ openssh-5.2p1/ssh-keyscan.c 2009-04-17 14:52:11.000000000 +0200
+@@ -19,6 +19,8 @@
+ #include <arpa/inet.h>
+
+ #include <openssl/bn.h>
++#include <openssl/fips.h>
++#include <fipscheck.h>
+
+ #include <netdb.h>
+ #include <errno.h>
+@@ -731,6 +733,13 @@ main(int argc, char **argv)
+ extern char *optarg;
+
+ __progname = ssh_get_progname(argv[0]);
++ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fprintf(stderr,
++ "FIPS integrity verification test failed.\n");
++ exit(3);
++ }
++
+ init_rng();
+ seed_rng();
+ TAILQ_INIT(&tq);
+@@ -812,6 +821,10 @@ main(int argc, char **argv)
+
+ log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);
+
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ maxfd = fdlim_get(1);
+ if (maxfd < 0)
+ fatal("%s: fdlim_get: bad value", __progname);
+diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c
+--- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200
++++ openssh-5.2p1/ssh-keysign.c 2009-04-17 14:52:11.000000000 +0200
+@@ -38,6 +38,8 @@
+ #include <openssl/evp.h>
+ #include <openssl/rand.h>
+ #include <openssl/rsa.h>
++#include <openssl/fips.h>
++#include <fipscheck.h>
+
+ #include "xmalloc.h"
+ #include "log.h"
+@@ -175,6 +177,11 @@ main(int argc, char **argv)
+
+ permanently_set_uid(pw);
+
++ SSLeay_add_all_algorithms();
++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
++ fatal("FIPS integrity verification test failed");
++ }
++
+ init_rng();
+ seed_rng();
+ arc4random_stir();
+@@ -183,6 +190,10 @@ main(int argc, char **argv)
+ log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+ #endif
+
++ if (FIPS_mode()) {
++ logit("FIPS mode initialized");
++ }
++
+ /* verify that ssh-keysign is enabled by the admin */
+ initialize_options(&options);
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0);
+@@ -194,7 +205,6 @@ main(int argc, char **argv)
+ if (key_fd[0] == -1 && key_fd[1] == -1)
+ fatal("could not open any host key");
+
+- SSLeay_add_all_algorithms();
+ for (i = 0; i < 256; i++)
+ rnd[i] = arc4random();
+ RAND_seed(rnd, sizeof(rnd));
Index: openssh.spec
===================================================================
RCS file: /cvs/pkgs/rpms/openssh/devel/openssh.spec,v
retrieving revision 1.141
retrieving revision 1.142
diff -u -r1.141 -r1.142
--- openssh.spec 3 Apr 2009 13:03:29 -0000 1.141
+++ openssh.spec 20 Apr 2009 12:18:49 -0000 1.142
@@ -63,7 +63,7 @@
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: 5.2p1
-Release: 3%{?dist}%{?rescue_rel}
+Release: 4%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@@ -474,6 +474,10 @@
%endif
%changelog
+* Mon Apr 20 2009 Tomas Mraz <tmraz at redhat.com> - 5.2p1-4
+- log if FIPS mode is initialized
+- make aes-ctr cipher modes work in the FIPS mode
+
* Fri Apr 3 2009 Jan F. Chadima <jchadima at redhat.com> - 5.2p1-3
- fix logging after chroot
- enable non root users to use chroot %%h in internal-sftp
- Previous message (by thread): rpms/sabayon/devel sabayon-2.25.0-profile-save.patch, NONE, 1.1 sabayon.spec, 1.59, 1.60 sabayon-2.25.0-gconf-crashes.patch, 1.1, NONE
- Next message (by thread): rpms/galeon/F-11 galeon-2.0.7-moz191.patch, 1.1, 1.2 galeon.spec, 1.60, 1.61
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list