/[pkgs]/rpms/openssh/devel/openssh-5.3p1-fips.patch
ViewVC logotype

Contents of /rpms/openssh/devel/openssh-5.3p1-fips.patch

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.1 - (show annotations) (download) (as text)
Fri Oct 2 13:17:07 2009 UTC (7 weeks, 4 days ago) by jfch2222
Branch: MAIN
CVS Tags: openssh-5_3p1-10_fc13, openssh-5_3p1-4_fc13, openssh-5_3p1-1_fc13, openssh-5_3p1-2_fc13, openssh-5_3p1-5_fc13, openssh-5_3p1-3_fc13, openssh-5_3p1-6_fc13, openssh-5_3p1-9_fc13, openssh-5_3p1-7_fc13, openssh-5_3p1-8_fc13, HEAD
File MIME type: text/x-patch 
Upgrade to new wersion 5.3p1
1 diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
2 --- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200
3 +++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200
4 @@ -33,6 +33,7 @@
5 #include <stdio.h>
6 #include <stdarg.h>
7 #include <unistd.h>
8 +#include <openssl/fips.h>
9
10 #include "xmalloc.h"
11 #include "ssh.h"
12 @@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
13 found_key = 1;
14 debug("matching key found: file %s, line %lu",
15 file, linenum);
16 - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
17 + fp = key_fingerprint(found, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
18 verbose("Found matching %s key: %s",
19 key_type(found), fp);
20 xfree(fp);
21 diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
22 --- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
23 +++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200
24 @@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
25 /* Allocate space for the private part of the key in the buffer. */
26 cp = buffer_append_space(&encrypted, buffer_len(&buffer));
27
28 - cipher_set_key_string(&ciphercontext, cipher, passphrase,
29 - CIPHER_ENCRYPT);
30 + if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
31 + CIPHER_ENCRYPT) < 0) {
32 + error("cipher_set_key_string failed.");
33 + buffer_free(&encrypted);
34 + buffer_free(&buffer);
35 + return 0;
36 + }
37 +
38 cipher_crypt(&ciphercontext, cp,
39 buffer_ptr(&buffer), buffer_len(&buffer));
40 cipher_cleanup(&ciphercontext);
41 @@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char
42 cp = buffer_append_space(&decrypted, buffer_len(&buffer));
43
44 /* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
45 - cipher_set_key_string(&ciphercontext, cipher, passphrase,
46 - CIPHER_DECRYPT);
47 + if (cipher_set_key_string(&ciphercontext, cipher, passphrase,
48 + CIPHER_DECRYPT) < 0) {
49 + error("cipher_set_key_string failed.");
50 + buffer_free(&decrypted);
51 + buffer_free(&buffer);
52 + goto fail;
53 + }
54 +
55 cipher_crypt(&ciphercontext, cp,
56 buffer_ptr(&buffer), buffer_len(&buffer));
57 cipher_cleanup(&ciphercontext);
58 diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
59 --- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200
60 +++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200
61 @@ -40,6 +40,7 @@
62 #include <sys/types.h>
63
64 #include <openssl/md5.h>
65 +#include <openssl/fips.h>
66
67 #include <string.h>
68 #include <stdarg.h>
69 @@ -93,6 +94,22 @@ struct Cipher {
70 { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
71 };
72
73 +struct Cipher fips_ciphers[] = {
74 + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
75 + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
76 +
77 + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
78 + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
79 + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
80 + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
81 + { "rijndael-cbc@lysator.liu.se",
82 + SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
83 + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
84 + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
85 + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
86 + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
87 +};
88 +
89 /*--*/
90
91 u_int
92 @@ -135,7 +152,7 @@ Cipher *
93 cipher_by_name(const char *name)
94 {
95 Cipher *c;
96 - for (c = ciphers; c->name != NULL; c++)
97 + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
98 if (strcmp(c->name, name) == 0)
99 return c;
100 return NULL;
101 @@ -145,7 +162,7 @@ Cipher *
102 cipher_by_number(int id)
103 {
104 Cipher *c;
105 - for (c = ciphers; c->name != NULL; c++)
106 + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
107 if (c->number == id)
108 return c;
109 return NULL;
110 @@ -189,7 +206,7 @@ cipher_number(const char *name)
111 Cipher *c;
112 if (name == NULL)
113 return -1;
114 - for (c = ciphers; c->name != NULL; c++)
115 + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
116 if (strcasecmp(c->name, name) == 0)
117 return c->number;
118 return -1;
119 @@ -296,14 +313,15 @@ cipher_cleanup(CipherContext *cc)
120 * passphrase and using the resulting 16 bytes as the key.
121 */
122
123 -void
124 +int
125 cipher_set_key_string(CipherContext *cc, Cipher *cipher,
126 const char *passphrase, int do_encrypt)
127 {
128 MD5_CTX md;
129 u_char digest[16];
130
131 - MD5_Init(&md);
132 + if (MD5_Init(&md) <= 0)
133 + return -1;
134 MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
135 MD5_Final(digest, &md);
136
137 @@ -311,6 +329,7 @@ cipher_set_key_string(CipherContext *cc,
138
139 memset(digest, 0, sizeof(digest));
140 memset(&md, 0, sizeof(md));
141 + return 0;
142 }
143
144 /*
145 diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
146 --- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
147 +++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200
148 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
149 aes_ctr.do_cipher = ssh_aes_ctr;
150 #ifndef SSH_OLD_EVP
151 aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
152 - EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
153 + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
154 + EVP_CIPH_FLAG_FIPS;
155 #endif
156 return (&aes_ctr);
157 }
158 diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
159 --- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
160 +++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200
161 @@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
162 const u_char *, u_int, int);
163 void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
164 void cipher_cleanup(CipherContext *);
165 -void cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
166 +int cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
167 u_int cipher_blocksize(const Cipher *);
168 u_int cipher_keylen(const Cipher *);
169 u_int cipher_is_cbc(const Cipher *);
170 diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
171 --- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
172 +++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200
173 @@ -28,6 +28,7 @@
174 #include <sys/types.h>
175
176 #include <openssl/hmac.h>
177 +#include <openssl/fips.h>
178
179 #include <stdarg.h>
180 #include <string.h>
181 @@ -47,14 +48,14 @@
182 #define SSH_EVP 1 /* OpenSSL EVP-based MAC */
183 #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
184
185 -struct {
186 +struct Macs {
187 char *name;
188 int type;
189 const EVP_MD * (*mdfunc)(void);
190 int truncatebits; /* truncate digest if != 0 */
191 int key_len; /* just for UMAC */
192 int len; /* just for UMAC */
193 -} macs[] = {
194 +} all_macs[] = {
195 { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
196 { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 },
197 { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 },
198 @@ -65,9 +66,15 @@ struct {
199 { NULL, 0, NULL, 0, -1, -1 }
200 };
201
202 +struct Macs fips_macs[] = {
203 + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 },
204 + { NULL, 0, NULL, 0, -1, -1 }
205 +};
206 +
207 static void
208 mac_setup_by_id(Mac *mac, int which)
209 {
210 + struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
211 int evp_len;
212 mac->type = macs[which].type;
213 if (mac->type == SSH_EVP) {
214 @@ -88,6 +95,7 @@ int
215 mac_setup(Mac *mac, char *name)
216 {
217 int i;
218 + struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
219
220 for (i = 0; macs[i].name; i++) {
221 if (strcmp(name, macs[i].name) == 0) {
222 diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
223 --- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200
224 +++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200
225 @@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
226 $(RANLIB) $@
227
228 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
229 - $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
230 + $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
231
232 sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
233 - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
234 + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
235
236 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
237 $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
238
239 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
240 - $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
241 + $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
242
243 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
244 - $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
245 + $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
246
247 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
248 - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
249 + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
250
251 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
252 - $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
253 + $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
254
255 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
256 - $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
257 + $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
258
259 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
260 $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
261 diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
262 --- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
263 +++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200
264 @@ -53,7 +53,12 @@
265 "hmac-sha1-96,hmac-md5-96"
266 #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
267 #define KEX_DEFAULT_LANG ""
268 -
269 +#define KEX_FIPS_ENCRYPT \
270 + "aes128-ctr,aes192-ctr,aes256-ctr," \
271 + "aes128-cbc,3des-cbc," \
272 + "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
273 +#define KEX_FIPS_MAC \
274 + "hmac-sha1"
275
276 static char *myproposal[PROPOSAL_MAX] = {
277 KEX_DEFAULT_KEX,
278 diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
279 --- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200
280 +++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200
281 @@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
282 break;
283 }
284
285 - p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
286 - debug("fingerprint %u %s", key_size(k), p);
287 + p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX);
288 + debug("SHA1 fingerprint %u %s", key_size(k), p);
289 xfree(p);
290
291 return 0;
292 diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
293 --- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
294 +++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200
295 @@ -39,6 +39,7 @@
296 static int rc4_ready = 0;
297 static RC4_KEY rc4;
298
299 +#if 0
300 unsigned int
301 arc4random(void)
302 {
303 @@ -82,6 +83,32 @@ arc4random_stir(void)
304
305 rc4_ready = REKEY_BYTES;
306 }
307 +#else
308 +unsigned int
309 +arc4random(void)
310 +{
311 + unsigned int r = 0;
312 + void *rp = &r;
313 +
314 + if (!rc4_ready) {
315 + arc4random_stir();
316 + }
317 + RAND_bytes(rp, sizeof(r));
318 +
319 + return(r);
320 +}
321 +
322 +void
323 +arc4random_stir(void)
324 +{
325 + unsigned char rand_buf[SEED_SIZE];
326 +
327 + if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
328 + fatal("Couldn't obtain random bytes (error %ld)",
329 + ERR_get_error());
330 + rc4_ready = 1;
331 +}
332 +#endif
333 #endif /* !HAVE_ARC4RANDOM */
334
335 #ifndef ARC4RANDOM_BUF
336 diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
337 --- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200
338 +++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200
339 @@ -42,6 +42,7 @@
340 #include <sys/param.h>
341
342 #include <openssl/evp.h>
343 +#include <openssl/fips.h>
344 #include "openbsd-compat/openssl-compat.h"
345
346 #ifdef HAVE_LIBNSS
347 @@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
348 key = ssh_get_next_identity(ac, &comment, version)) {
349 had_identities = 1;
350 if (do_fp) {
351 - fp = key_fingerprint(key, SSH_FP_MD5,
352 + fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
353 SSH_FP_HEX);
354 printf("%d %s %s (%s)\n",
355 key_size(key), fp, comment, key_type(key));
356 diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
357 --- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200
358 +++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200
359 @@ -51,6 +51,7 @@
360
361 #include <openssl/evp.h>
362 #include <openssl/md5.h>
363 +#include <openssl/fips.h>
364 #include "openbsd-compat/openssl-compat.h"
365
366 #include <errno.h>
367 @@ -200,9 +201,9 @@ confirm_key(Identity *id)
368 char *p;
369 int ret = -1;
370
371 - p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
372 - if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
373 - id->comment, p))
374 + p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
375 + if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.",
376 + id->comment, FIPS_mode() ? "SHA1 " : "", p))
377 ret = 0;
378 xfree(p);
379
380 diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
381 --- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200
382 +++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200
383 @@ -72,6 +72,8 @@
384
385 #include <openssl/evp.h>
386 #include <openssl/err.h>
387 +#include <openssl/fips.h>
388 +#include <fipscheck.h>
389 #include "openbsd-compat/openssl-compat.h"
390 #include "openbsd-compat/sys-queue.h"
391
392 @@ -221,6 +223,10 @@ main(int ac, char **av)
393 sanitise_stdfd();
394
395 __progname = ssh_get_progname(av[0]);
396 + SSLeay_add_all_algorithms();
397 + if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
398 + fatal("FIPS integrity verification test failed.");
399 + }
400 init_rng();
401
402 /*
403 @@ -281,6 +287,9 @@ main(int ac, char **av)
404 "ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
405 switch (opt) {
406 case '1':
407 + if (FIPS_mode()) {
408 + fatal("Protocol 1 not allowed in the FIPS mode.");
409 + }
410 options.protocol = SSH_PROTO_1;
411 break;
412 case '2':
413 @@ -552,7 +561,6 @@ main(int ac, char **av)
414 if (!host)
415 usage();
416
417 - SSLeay_add_all_algorithms();
418 ERR_load_crypto_strings();
419
420 /* Initialize the command to execute on remote host. */
421 @@ -638,6 +646,10 @@ main(int ac, char **av)
422
423 seed_rng();
424
425 + if (FIPS_mode()) {
426 + logit("FIPS mode initialized");
427 + }
428 +
429 if (options.user == NULL)
430 options.user = xstrdup(pw->pw_name);
431
432 @@ -704,6 +716,12 @@ main(int ac, char **av)
433
434 timeout_ms = options.connection_timeout * 1000;
435
436 + if (FIPS_mode()) {
437 + options.protocol &= SSH_PROTO_2;
438 + if (options.protocol == 0)
439 + fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
440 + }
441 +
442 /* Open a connection to the remote host. */
443 if (ssh_connect(host, &hostaddr, options.port,
444 options.address_family, options.connection_attempts, &timeout_ms,
445 diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
446 --- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200
447 +++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200
448 @@ -44,6 +44,8 @@
449 #include <vis.h>
450 #endif
451
452 +#include <openssl/fips.h>
453 +
454 #include "openbsd-compat/sys-queue.h"
455
456 #include "xmalloc.h"
457 @@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho
458 if (options.ciphers != NULL) {
459 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
460 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
461 + } else if (FIPS_mode()) {
462 + myproposal[PROPOSAL_ENC_ALGS_CTOS] =
463 + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
464 +
465 }
466 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
467 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
468 @@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho
469 if (options.macs != NULL) {
470 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
471 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
472 + } else if (FIPS_mode()) {
473 + myproposal[PROPOSAL_MAC_ALGS_CTOS] =
474 + myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
475 }
476 +
477 if (options.hostkeyalgorithms != NULL)
478 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
479 options.hostkeyalgorithms;
480 @@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
481 key->type, pktype);
482 goto done;
483 }
484 - fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
485 - debug2("input_userauth_pk_ok: fp %s", fp);
486 + fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX);
487 + debug2("input_userauth_pk_ok: SHA1 fp %s", fp);
488 xfree(fp);
489
490 /*
491 diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
492 --- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200
493 +++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200
494 @@ -40,6 +40,8 @@
495 #include <unistd.h>
496 #include <fcntl.h>
497
498 +#include <openssl/fips.h>
499 +
500 #include "xmalloc.h"
501 #include "key.h"
502 #include "hostfile.h"
503 @@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
504 goto fail;
505 } else if (options.strict_host_key_checking == 2) {
506 char msg1[1024], msg2[1024];
507 + int fips_on = FIPS_mode();
508
509 if (show_other_keys(host, host_key))
510 snprintf(msg1, sizeof(msg1),
511 @@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
512 else
513 snprintf(msg1, sizeof(msg1), ".");
514 /* The default */
515 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
516 - ra = key_fingerprint(host_key, SSH_FP_MD5,
517 + fp = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
518 + ra = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
519 SSH_FP_RANDOMART);
520 msg2[0] = '\0';
521 if (options.verify_host_key_dns) {
522 @@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
523 snprintf(msg, sizeof(msg),
524 "The authenticity of host '%.200s (%s)' can't be "
525 "established%s\n"
526 - "%s key fingerprint is %s.%s%s\n%s"
527 + "%s key %sfingerprint is %s.%s%s\n%s"
528 "Are you sure you want to continue connecting "
529 "(yes/no)? ",
530 - host, ip, msg1, type, fp,
531 + host, ip, msg1, type, fips_on ? "SHA1 " : "", fp,
532 options.visual_host_key ? "\n" : "",
533 options.visual_host_key ? ra : "",
534 msg2);
535 @@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
536 Key *found;
537 char *fp, *ra;
538 int line, ret;
539 + int fips_on = FIPS_mode();
540
541 found = key_new(keytype);
542 if ((ret = lookup_key_in_hostfile_by_type(file, host,
543 keytype, found, &line))) {
544 - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
545 - ra = key_fingerprint(found, SSH_FP_MD5, SSH_FP_RANDOMART);
546 + fp = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
547 + ra = key_fingerprint(found, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_RANDOMART);
548 logit("WARNING: %s key found for host %s\n"
549 "in %s:%d\n"
550 - "%s key fingerprint %s.\n%s\n",
551 + "%s key %sfingerprint %s.\n%s\n",
552 key_type(found), host, file, line,
553 - key_type(found), fp, ra);
554 + key_type(found), fips_on ? "SHA1 ":"", fp, ra);
555 xfree(ra);
556 xfree(fp);
557 }
558 @@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
559 {
560 char *fp;
561 const char *type = key_type(host_key);
562 + int fips_on = FIPS_mode();
563
564 - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
565 + fp = key_fingerprint(host_key, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
566
567 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
568 error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
569 @@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
570 error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
571 error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
572 error("It is also possible that the %s host key has just been changed.", type);
573 - error("The fingerprint for the %s key sent by the remote host is\n%s.",
574 - type, fp);
575 + error("The %sfingerprint for the %s key sent by the remote host is\n%s.",
576 + fips_on ? "SHA1 ":"", type, fp);
577 error("Please contact your system administrator.");
578
579 xfree(fp);
580 diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
581 --- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200
582 +++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200
583 @@ -76,6 +76,8 @@
584 #include <openssl/bn.h>
585 #include <openssl/md5.h>
586 #include <openssl/rand.h>
587 +#include <openssl/fips.h>
588 +#include <fipscheck.h>
589 #include "openbsd-compat/openssl-compat.h"
590
591 #ifdef HAVE_SECUREWARE
592 @@ -1261,6 +1263,12 @@ main(int ac, char **av)
593 (void)set_auth_parameters(ac, av);
594 #endif
595 __progname = ssh_get_progname(av[0]);
596 +
597 + SSLeay_add_all_algorithms();
598 + if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
599 + fatal("FIPS integrity verification test failed.");
600 + }
601 +
602 init_rng();
603
604 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
605 @@ -1413,8 +1421,6 @@ main(int ac, char **av)
606 else
607 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
608
609 - SSLeay_add_all_algorithms();
610 -
611 /*
612 * Force logging to stderr until we have loaded the private host
613 * key (unless started from inetd)
614 @@ -1532,6 +1538,10 @@ main(int ac, char **av)
615 debug("private host key: #%d type %d %s", i, key->type,
616 key_type(key));
617 }
618 + if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
619 + logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
620 + options.protocol &= ~SSH_PROTO_1;
621 + }
622 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
623 logit("Disabling protocol version 1. Could not load host key");
624 options.protocol &= ~SSH_PROTO_1;
625 @@ -1656,6 +1666,10 @@ main(int ac, char **av)
626 /* Initialize the random number generator. */
627 arc4random_stir();
628
629 + if (FIPS_mode()) {
630 + logit("FIPS mode initialized");
631 + }
632 +
633 /* Chdir to the root directory so that the current disk can be
634 unmounted if desired. */
635 chdir("/");
636 @@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
637 if (options.ciphers != NULL) {
638 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
639 myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
640 + } else if (FIPS_mode()) {
641 + myproposal[PROPOSAL_ENC_ALGS_CTOS] =
642 + myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
643 }
644 myproposal[PROPOSAL_ENC_ALGS_CTOS] =
645 compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
646 @@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
647 if (options.macs != NULL) {
648 myproposal[PROPOSAL_MAC_ALGS_CTOS] =
649 myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
650 + } else if (FIPS_mode()) {
651 + myproposal[PROPOSAL_MAC_ALGS_CTOS] =
652 + myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
653 }
654 if (options.compression == COMP_NONE) {
655 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
656 diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
657 --- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200
658 +++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200
659 @@ -21,6 +21,7 @@
660
661 #include <openssl/evp.h>
662 #include <openssl/pem.h>
663 +#include <openssl/fips.h>
664 #include "openbsd-compat/openssl-compat.h"
665
666 #include <errno.h>
667 @@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
668 enum fp_type fptype;
669 struct stat st;
670
671 - fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
672 + fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5;
673 rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
674
675 if (!have_identity)
676 @@ -1506,14 +1507,15 @@ passphrase_again:
677 fclose(f);
678
679 if (!quiet) {
680 - char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
681 - char *ra = key_fingerprint(public, SSH_FP_MD5,
682 + int fips_on = FIPS_mode();
683 + char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
684 + char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5,
685 SSH_FP_RANDOMART);
686 printf("Your public key has been saved in %s.\n",
687 identity_file);
688 - printf("The key fingerprint is:\n");
689 + printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : "");
690 printf("%s %s\n", fp, comment);
691 - printf("The key's randomart image is:\n");
692 + printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :"");
693 printf("%s\n", ra);
694 xfree(ra);
695 xfree(fp);
admin@fedoraproject.org
 ViewVC Help
Powered by ViewVC 1.1.2