diff --git a/openssh-5.2p1-fips.patch b/openssh-5.2p1-fips.patch index 8462301..7866fb8 100644 --- a/openssh-5.2p1-fips.patch +++ b/openssh-5.2p1-fips.patch @@ -1,43 +1,6 @@ -diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ---- openssh-5.2p1/ssh-agent.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-agent.c 2009-03-13 11:23:15.000000000 +0100 -@@ -51,6 +51,8 @@ - - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #include -@@ -200,9 +202,9 @@ confirm_key(Identity *id) - char *p; - int ret = -1; - -- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", -- id->comment, p)) -+ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); -+ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.", -+ id->comment, FIPS_mode() ? "SHA1 " : "", p)) - ret = 0; - xfree(p); - -@@ -1196,6 +1198,11 @@ main(int ac, char **av) - #endif - - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } - - __progname = ssh_get_progname(av[0]); - init_rng(); diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/auth2-pubkey.c 2009-03-13 11:23:15.000000000 +0100 +--- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 14:52:11.000000000 +0200 @@ -33,6 +33,7 @@ #include #include 
@@ -55,432 +18,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c ---- openssh-5.2p1/ssh.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh.c 2009-03-13 11:23:15.000000000 +0100 -@@ -71,6 +71,8 @@ - - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - #include "openbsd-compat/sys-queue.h" - -@@ -220,6 +222,10 @@ main(int ac, char **av) - sanitise_stdfd(); - - __progname = ssh_get_progname(av[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed."); -+ } - init_rng(); - - /* -@@ -550,7 +556,6 @@ main(int ac, char **av) - if (!host) - usage(); - -- SSLeay_add_all_algorithms(); - ERR_load_crypto_strings(); - - /* Initialize the command to execute on remote host. */ -diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c ---- openssh-5.2p1/sshconnect2.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshconnect2.c 2009-03-13 11:23:15.000000000 +0100 -@@ -44,6 +44,8 @@ - #include - #endif - -+#include -+ - #include "openbsd-compat/sys-queue.h" - - #include "xmalloc.h" -@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; -+ - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ 
myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } -+ - if (options.hostkeyalgorithms != NULL) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - options.hostkeyalgorithms; -@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- debug2("input_userauth_pk_ok: fp %s", fp); -+ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX); -+ debug2("input_userauth_pk_ok: SHA1 fp %s", fp); - xfree(fp); - - /* -diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in ---- openssh-5.2p1/Makefile.in.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/Makefile.in 2009-03-13 11:23:15.000000000 +0100 -@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) - $(RANLIB) $@ - - ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o -- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o -- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keysign$(EXEEXT): 
$(LIBCOMPAT) libssh.a ssh-keysign.o -- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c ---- openssh-5.2p1/sshd.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshd.c 2009-03-13 11:23:15.000000000 +0100 -@@ -76,6 +76,8 @@ - #include - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #ifdef HAVE_SECUREWARE -@@ -1260,6 +1262,12 @@ main(int ac, char **av) - (void)set_auth_parameters(ac, av); - #endif - __progname = ssh_get_progname(av[0]); -+ -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed."); -+ } -+ - init_rng(); - - /* Save argv. 
Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1412,8 +1420,6 @@ main(int ac, char **av) - else - closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); - -- SSLeay_add_all_algorithms(); -- - /* - * Force logging to stderr until we have loaded the private host - * key (unless started from inetd) -@@ -2182,6 +2188,9 @@ do_ssh2_kex(void) - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2191,6 +2200,9 @@ do_ssh2_kex(void) - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } - if (options.compression == COMP_NONE) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = -diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c ---- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.2p1/mac.c 2009-03-13 11:23:15.000000000 +0100 -@@ -28,6 +28,7 @@ - #include - - #include -+#include - - #include - #include -@@ -47,14 +48,14 @@ - #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ - #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ - --struct { -+struct Macs { - char *name; - int type; - const EVP_MD * (*mdfunc)(void); - int truncatebits; /* truncate digest if != 0 */ - int key_len; /* just for UMAC */ - int len; /* just for UMAC */ --} macs[] = { -+} all_macs[] = { - { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, - { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, - { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, -@@ -65,9 +66,15 @@ struct { - { NULL, 0, NULL, 0, -1, -1 } - }; - -+struct Macs fips_macs[] = { -+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, 
-+ { NULL, 0, NULL, 0, -1, -1 } -+}; -+ - static void - mac_setup_by_id(Mac *mac, int which) - { -+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; - int evp_len; - mac->type = macs[which].type; - if (mac->type == SSH_EVP) { -@@ -88,6 +95,7 @@ int - mac_setup(Mac *mac, char *name) - { - int i; -+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; - - for (i = 0; macs[i].name; i++) { - if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c ---- openssh-5.2p1/ssh-keygen.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-keygen.c 2009-03-13 11:23:15.000000000 +0100 -@@ -21,6 +21,8 @@ - - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #include -@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw) - enum fp_type fptype; - struct stat st; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -+ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; - - if (!have_identity) -@@ -1125,6 +1127,12 @@ main(int argc, char **argv) - __progname = ssh_get_progname(argv[0]); - - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - - init_rng(); -@@ -1506,14 +1514,15 @@ passphrase_again: - fclose(f); - - if (!quiet) { -- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); -- char *ra = key_fingerprint(public, SSH_FP_MD5, -+ int fips_on = FIPS_mode(); -+ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); -+ char *ra = key_fingerprint(public, fips_on ? 
SSH_FP_SHA1 : SSH_FP_MD5, - SSH_FP_RANDOMART); - printf("Your public key has been saved in %s.\n", - identity_file); -- printf("The key fingerprint is:\n"); -+ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : ""); - printf("%s %s\n", fp, comment); -- printf("The key's randomart image is:\n"); -+ printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :""); - printf("%s\n", ra); - xfree(ra); - xfree(fp); -diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c ---- openssh-5.2p1/nsskeys.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/nsskeys.c 2009-03-13 11:23:15.000000000 +0100 -@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) - break; - } - -- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); -- debug("fingerprint %u %s", key_size(k), p); -+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX); -+ debug("SHA1 fingerprint %u %s", key_size(k), p); - xfree(p); - - return 0; -diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c ---- openssh-5.2p1/ssh-add.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-add.c 2009-03-13 11:23:15.000000000 +0100 -@@ -42,6 +42,8 @@ - #include - - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #ifdef HAVE_LIBNSS -@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection - key = ssh_get_next_identity(ac, &comment, version)) { - had_identities = 1; - if (do_fp) { -- fp = key_fingerprint(key, SSH_FP_MD5, -+ fp = key_fingerprint(key, FIPS_mode() ? 
SSH_FP_SHA1 : SSH_FP_MD5, - SSH_FP_HEX); - printf("%d %s %s (%s)\n", - key_size(key), fp, comment, key_type(key)); -@@ -463,11 +465,16 @@ main(int argc, char **argv) - sanitise_stdfd(); - - __progname = ssh_get_progname(argv[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - init_rng(); - seed_rng(); - -- SSLeay_add_all_algorithms(); -- - /* At first, get a connection to the authentication agent. */ - ac = ssh_get_authentication_connection(); - if (ac == NULL) { -diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c ---- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-03-13 11:23:15.000000000 +0100 -@@ -39,6 +39,7 @@ - static int rc4_ready = 0; - static RC4_KEY rc4; - -+#if 0 - unsigned int - arc4random(void) - { -@@ -82,6 +83,32 @@ arc4random_stir(void) - - rc4_ready = REKEY_BYTES; - } -+#else -+unsigned int -+arc4random(void) -+{ -+ unsigned int r = 0; -+ void *rp = &r; -+ -+ if (!rc4_ready) { -+ arc4random_stir(); -+ } -+ RAND_bytes(rp, sizeof(r)); -+ -+ return(r); -+} -+ -+void -+arc4random_stir(void) -+{ -+ unsigned char rand_buf[SEED_SIZE]; -+ -+ if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) -+ fatal("Couldn't obtain random bytes (error %ld)", -+ ERR_get_error()); -+ rc4_ready = 1; -+} -+#endif - #endif /* !HAVE_ARC4RANDOM */ - - #ifndef ARC4RANDOM_BUF -diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h ---- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.2p1/myproposal.h 2009-03-13 11:27:49.000000000 +0100 -@@ -53,7 +53,12 @@ - "hmac-sha1-96,hmac-md5-96" - #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" - #define KEX_DEFAULT_LANG "" -- -+#define KEX_FIPS_ENCRYPT \ -+ "aes128-ctr,aes192-ctr,aes256-ctr," \ -+ 
"aes128-cbc,3des-cbc," \ -+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" -+#define KEX_FIPS_MAC \ -+ "hmac-sha1" - - static char *myproposal[PROPOSAL_MAX] = { - KEX_DEFAULT_KEX, -diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c ---- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.2p1/ssh-keysign.c 2009-03-13 11:23:15.000000000 +0100 -@@ -38,6 +38,8 @@ - #include - #include - #include -+#include -+#include - - #include "xmalloc.h" - #include "log.h" -@@ -175,6 +177,11 @@ main(int argc, char **argv) - - permanently_set_uid(pw); - -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed"); -+ } -+ - init_rng(); - seed_rng(); - arc4random_stir(); -@@ -194,7 +201,6 @@ main(int argc, char **argv) - if (key_fd[0] == -1 && key_fd[1] == -1) - fatal("could not open any host key"); - -- SSLeay_add_all_algorithms(); - for (i = 0; i < 256; i++) - rnd[i] = arc4random(); - RAND_seed(rnd, sizeof(rnd)); diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c --- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100 -+++ openssh-5.2p1/cipher.c 2009-03-13 11:23:15.000000000 +0100 ++++ openssh-5.2p1/cipher.c 2009-04-17 14:52:11.000000000 +0200 @@ -40,6 +40,7 @@ #include 
@@ -539,35 +79,366 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c if (strcasecmp(c->name, name) == 0) return c->number; return -1; -diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c ---- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100 -+++ openssh-5.2p1/ssh-keyscan.c 2009-03-13 11:23:15.000000000 +0100 -@@ -19,6 +19,8 @@ - #include +diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c +--- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:06.000000000 +0200 +@@ -140,7 +140,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; + #endif + return (&aes_ctr); + } +diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c +--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 ++++ openssh-5.2p1/mac.c 2009-04-17 14:52:11.000000000 +0200 +@@ -28,6 +28,7 @@ + #include - #include + #include ++#include + + #include + #include +@@ -47,14 +48,14 @@ + #define SSH_EVP 1 /* OpenSSL EVP-based MAC */ + #define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */ + +-struct { ++struct Macs { + char *name; + int type; + const EVP_MD * (*mdfunc)(void); + int truncatebits; /* truncate digest if != 0 */ + int key_len; /* just for UMAC */ + int len; /* just for UMAC */ +-} macs[] = { ++} all_macs[] = { + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, + { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, -1, -1 }, + { "hmac-md5", SSH_EVP, EVP_md5, 0, -1, -1 }, +@@ -65,9 +66,15 @@ struct { + { NULL, 0, NULL, 0, -1, -1 } + }; + ++struct Macs fips_macs[] = { ++ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, -1, -1 }, ++ { NULL, 0, NULL, 0, -1, -1 } ++}; ++ + static void + mac_setup_by_id(Mac *mac, int which) + { ++ struct Macs *macs = FIPS_mode() ? 
fips_macs : all_macs; + int evp_len; + mac->type = macs[which].type; + if (mac->type == SSH_EVP) { +@@ -88,6 +95,7 @@ int + mac_setup(Mac *mac, char *name) + { + int i; ++ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; + + for (i = 0; macs[i].name; i++) { + if (strcmp(name, macs[i].name) == 0) { +diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in +--- openssh-5.2p1/Makefile.in.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/Makefile.in 2009-04-17 14:52:11.000000000 +0200 +@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ + + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS) + + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o +- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o +- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o +- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o +- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck 
$(LIBS) + + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o +- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h +--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 ++++ openssh-5.2p1/myproposal.h 2009-04-17 14:52:11.000000000 +0200 +@@ -53,7 +53,12 @@ + "hmac-sha1-96,hmac-md5-96" + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" + #define KEX_DEFAULT_LANG "" +- ++#define KEX_FIPS_ENCRYPT \ ++ "aes128-ctr,aes192-ctr,aes256-ctr," \ ++ "aes128-cbc,3des-cbc," \ ++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" ++#define KEX_FIPS_MAC \ ++ "hmac-sha1" + + static char *myproposal[PROPOSAL_MAX] = { + KEX_DEFAULT_KEX, +diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c +--- openssh-5.2p1/nsskeys.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/nsskeys.c 2009-04-17 14:52:11.000000000 +0200 +@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) + break; + } + +- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); +- debug("fingerprint %u %s", key_size(k), p); ++ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX); ++ debug("SHA1 fingerprint %u %s", key_size(k), p); + xfree(p); + + return 0; +diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c +--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 ++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 14:52:11.000000000 +0200 +@@ -39,6 +39,7 @@ + static int rc4_ready = 0; + static RC4_KEY rc4; + ++#if 0 + unsigned int + arc4random(void) + { +@@ -82,6 +83,32 @@ arc4random_stir(void) + + rc4_ready = 
REKEY_BYTES; + } ++#else ++unsigned int ++arc4random(void) ++{ ++ unsigned int r = 0; ++ void *rp = &r; ++ ++ if (!rc4_ready) { ++ arc4random_stir(); ++ } ++ RAND_bytes(rp, sizeof(r)); ++ ++ return(r); ++} ++ ++void ++arc4random_stir(void) ++{ ++ unsigned char rand_buf[SEED_SIZE]; ++ ++ if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0) ++ fatal("Couldn't obtain random bytes (error %ld)", ++ ERR_get_error()); ++ rc4_ready = 1; ++} ++#endif + #endif /* !HAVE_ARC4RANDOM */ + + #ifndef ARC4RANDOM_BUF +diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c +--- openssh-5.2p1/ssh-add.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-add.c 2009-04-17 14:52:11.000000000 +0200 +@@ -42,6 +42,8 @@ + #include + + #include +#include +#include + #include "openbsd-compat/openssl-compat.h" - #include - #include -@@ -731,6 +733,13 @@ main(int argc, char **argv) - extern char *optarg; + #ifdef HAVE_LIBNSS +@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection + key = ssh_get_next_identity(ac, &comment, version)) { + had_identities = 1; + if (do_fp) { +- fp = key_fingerprint(key, SSH_FP_MD5, ++ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, + SSH_FP_HEX); + printf("%d %s %s (%s)\n", + key_size(key), fp, comment, key_type(key)); +@@ -463,10 +465,19 @@ main(int argc, char **argv) + sanitise_stdfd(); __progname = ssh_get_progname(argv[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } + init_rng(); seed_rng(); - TAILQ_INIT(&tq); + +- SSLeay_add_all_algorithms(); ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } + + /* At first, get a connection to the authentication agent. 
*/ + ac = ssh_get_authentication_connection(); +diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c +--- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-agent.c 2009-04-17 14:52:11.000000000 +0200 +@@ -51,6 +51,8 @@ + + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + + #include +@@ -200,9 +202,9 @@ confirm_key(Identity *id) + char *p; + int ret = -1; + +- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); +- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", +- id->comment, p)) ++ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); ++ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.", ++ id->comment, FIPS_mode() ? "SHA1 " : "", p)) + ret = 0; + xfree(p); + +@@ -1196,6 +1198,11 @@ main(int ac, char **av) + #endif + + SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } + + __progname = ssh_get_progname(av[0]); + init_rng(); +@@ -1356,6 +1363,10 @@ main(int ac, char **av) + /* child */ + log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + if (setsid() == -1) { + error("setsid: %s", strerror(errno)); + cleanup_exit(1); +diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c +--- openssh-5.2p1/ssh.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh.c 2009-04-17 14:52:11.000000000 +0200 +@@ -71,6 +71,8 @@ + + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + #include "openbsd-compat/sys-queue.h" + +@@ -220,6 +222,10 @@ main(int ac, char **av) + sanitise_stdfd(); + + __progname = ssh_get_progname(av[0]); ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fatal("FIPS integrity verification test failed."); ++ } + init_rng(); + + /* 
+@@ -550,7 +556,6 @@ main(int ac, char **av) + if (!host) + usage(); + +- SSLeay_add_all_algorithms(); + ERR_load_crypto_strings(); + + /* Initialize the command to execute on remote host. */ +@@ -635,6 +640,10 @@ main(int ac, char **av) + + seed_rng(); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + if (options.user == NULL) + options.user = xstrdup(pw->pw_name); + +diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c +--- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshconnect2.c 2009-04-17 14:52:11.000000000 +0200 +@@ -44,6 +44,8 @@ + #include + #endif + ++#include ++ + #include "openbsd-compat/sys-queue.h" + + #include "xmalloc.h" +@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; ++ + } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); +@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_MAC_ALGS_CTOS] = ++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; + } ++ + if (options.hostkeyalgorithms != NULL) + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + options.hostkeyalgorithms; +@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t + key->type, pktype); + goto done; + } +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- debug2("input_userauth_pk_ok: fp %s", fp); ++ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX); ++ debug2("input_userauth_pk_ok: SHA1 fp %s", fp); + xfree(fp); + + /* diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c ---- 
openssh-5.2p1/sshconnect.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshconnect.c 2009-03-13 11:23:15.000000000 +0100 +--- openssh-5.2p1/sshconnect.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshconnect.c 2009-04-17 14:52:11.000000000 +0200 @@ -40,6 +40,8 @@ #include #include 
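Review bot: In the replacement `arc4random()` added to openbsd-compat/bsd-arc4random.c, the result of `RAND_bytes(rp, sizeof(r))` is ignored, so a failing generator makes the function return the initial `r = 0` as if it were random output. `arc4random_stir()` directly below already treats `RAND_bytes(...) <= 0` as fatal, and the same guard belongs here: `if (RAND_bytes(rp, sizeof(r)) <= 0) fatal("Couldn't obtain random bytes (error %ld)", ERR_get_error());`. Separately, the `EVP_CIPH_FLAG_FIPS` bit added to `aes_ctr.flags` in cipher-ctr.c marks an application-defined cipher (`do_cipher = ssh_aes_ctr`) as permitted in FIPS mode. A short comment stating why that is acceptable would help a later auditor.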
@@ -654,3 +525,211 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); +diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c +--- openssh-5.2p1/sshd.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshd.c 2009-04-17 14:52:11.000000000 +0200 +@@ -76,6 +76,8 @@ + #include + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + + #ifdef HAVE_SECUREWARE +@@ -1260,6 +1262,12 @@ main(int ac, char **av) + (void)set_auth_parameters(ac, av); + #endif + __progname = ssh_get_progname(av[0]); ++ ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fatal("FIPS integrity verification test failed."); ++ } ++ + init_rng(); + + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ +@@ -1412,8 +1420,6 @@ main(int ac, char **av) + else + closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); + +- SSLeay_add_all_algorithms(); +- + /* + * Force logging to stderr until we have loaded the private host + * key (unless started from inetd) +@@ -1655,6 +1661,10 @@ main(int ac, char **av) + /* Initialize the random number generator. */ + arc4random_stir(); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* Chdir to the root directory so that the current disk can be + unmounted if desired. 
*/ + chdir("/"); +@@ -2182,6 +2192,9 @@ do_ssh2_kex(void) + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; + } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); +@@ -2191,6 +2204,9 @@ do_ssh2_kex(void) + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_MAC_ALGS_CTOS] = ++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; + } + if (options.compression == COMP_NONE) { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = +diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c +--- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-keygen.c 2009-04-17 14:52:11.000000000 +0200 +@@ -21,6 +21,8 @@ + + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + + #include +@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw) + enum fp_type fptype; + struct stat st; + +- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; ++ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + + if (!have_identity) +@@ -1125,11 +1127,21 @@ main(int argc, char **argv) + __progname = ssh_get_progname(argv[0]); + + SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } ++ + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + + init_rng(); + seed_rng(); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* we need this for the home * directory. 
*/ + pw = getpwuid(getuid()); + if (!pw) { +@@ -1506,14 +1518,15 @@ passphrase_again: + fclose(f); + + if (!quiet) { +- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); +- char *ra = key_fingerprint(public, SSH_FP_MD5, ++ int fips_on = FIPS_mode(); ++ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); ++ char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, + SSH_FP_RANDOMART); + printf("Your public key has been saved in %s.\n", + identity_file); +- printf("The key fingerprint is:\n"); ++ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : ""); + printf("%s %s\n", fp, comment); +- printf("The key's randomart image is:\n"); ++ printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :""); + printf("%s\n", ra); + xfree(ra); + xfree(fp); +diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c +--- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100 ++++ openssh-5.2p1/ssh-keyscan.c 2009-04-17 14:52:11.000000000 +0200 +@@ -19,6 +19,8 @@ + #include + + #include ++#include ++#include + + #include + #include +@@ -731,6 +733,13 @@ main(int argc, char **argv) + extern char *optarg; + + __progname = ssh_get_progname(argv[0]); ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } ++ + init_rng(); + seed_rng(); + TAILQ_INIT(&tq); +@@ -812,6 +821,10 @@ main(int argc, char **argv) + + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + maxfd = fdlim_get(1); + if (maxfd < 0) + fatal("%s: fdlim_get: bad value", __progname); +diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c +--- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-5.2p1/ssh-keysign.c 2009-04-17 14:52:11.000000000 +0200 +@@ -38,6 +38,8 @@ + #include + #include + #include 
++#include ++#include + + #include "xmalloc.h" + #include "log.h" +@@ -175,6 +177,11 @@ main(int argc, char **argv) + + permanently_set_uid(pw); + ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fatal("FIPS integrity verification test failed"); ++ } ++ + init_rng(); + seed_rng(); + arc4random_stir(); +@@ -183,6 +190,10 @@ main(int argc, char **argv) + log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); + #endif + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* verify that ssh-keysign is enabled by the admin */ + initialize_options(&options); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0); +@@ -194,7 +205,6 @@ main(int argc, char **argv) + if (key_fd[0] == -1 && key_fd[1] == -1) + fatal("could not open any host key"); + +- SSLeay_add_all_algorithms(); + for (i = 0; i < 256; i++) + rnd[i] = arc4random(); + RAND_seed(rnd, sizeof(rnd)); diff --git a/openssh.spec b/openssh.spec index 3477cdb..03a49a8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 3%{?dist}%{?rescue_rel} +Release: 4%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -474,6 +474,10 @@ fi %endif %changelog +* Mon Apr 20 2009 Tomas Mraz - 5.2p1-4 +- log if FIPS mode is initialized +- make aes-ctr cipher modes work in the FIPS mode + * Fri Apr 3 2009 Jan F. Chadima - 5.2p1-3 - fix logging after chroot - enable non root users to use chroot %%h in internal-sftp
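Review bot: The FIPS algorithm lists in `do_ssh2_kex()` (sshd.c) are applied only in the `else if (FIPS_mode())` branch, so an explicit `options.ciphers` or `options.macs` value is still proposed unchanged when FIPS mode is on. The same shape appears in `ssh_kex2()` in the sshconnect2.c section of the previous hunk. For MACs, the `mac_setup()` change in the mac.c section looks names up in `fips_macs` when `FIPS_mode()` is set, which presumably rejects anything else, but the equivalent cipher lookup is not visible in this diff. I would add a comment above each branch, e.g. `/* explicit Ciphers/MACs are used as given; non-approved names must be rejected at lookup when FIPS_mode() is set */`, and confirm that the cipher path enforces it. Both function bodies continue outside the hunks shown.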