use dracut-fips file /etc/system-fips to determine if a FIPS module is installed
This commit is contained in:
parent
2ae5f9ff89
commit
f12afd6496
@ -363,9 +363,9 @@ diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbs
|
|||||||
}
|
}
|
||||||
#endif /* !HAVE_ARC4RANDOM */
|
#endif /* !HAVE_ARC4RANDOM */
|
||||||
|
|
||||||
diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
|
||||||
--- openssh-6.2p1/ssh.c.fips 2012-07-06 05:45:01.000000000 +0200
|
--- openssh-6.2p2/ssh.c.fips 2013-04-05 02:22:36.000000000 +0200
|
||||||
+++ openssh-6.2p1/ssh.c 2013-03-27 13:14:49.179683423 +0100
|
+++ openssh-6.2p2/ssh.c 2013-10-08 17:21:26.894761211 +0200
|
||||||
@@ -73,6 +73,8 @@
|
@@ -73,6 +73,8 @@
|
||||||
|
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
@ -375,18 +375,21 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
@@ -253,6 +255,10 @@ main(int ac, char **av)
|
@@ -253,6 +255,13 @@ main(int ac, char **av)
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
+ SSLeay_add_all_algorithms();
|
+ SSLeay_add_all_algorithms();
|
||||||
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
+ if (! FIPSCHECK_verify(NULL, NULL))
|
||||||
+ }
|
+ if (FIPS_mode())
|
||||||
|
+ fatal("FIPS integrity verification test failed.");
|
||||||
|
+ else
|
||||||
|
+ logit("FIPS integrity verification test failed.");
|
||||||
|
|
||||||
#ifndef HAVE_SETPROCTITLE
|
#ifndef HAVE_SETPROCTITLE
|
||||||
/* Prepare for later setproctitle emulation */
|
/* Prepare for later setproctitle emulation */
|
||||||
@@ -329,6 +335,9 @@ main(int ac, char **av)
|
@@ -329,6 +338,9 @@ main(int ac, char **av)
|
||||||
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
|
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
case '1':
|
case '1':
|
||||||
@ -396,7 +399,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||||||
options.protocol = SSH_PROTO_1;
|
options.protocol = SSH_PROTO_1;
|
||||||
break;
|
break;
|
||||||
case '2':
|
case '2':
|
||||||
@@ -632,7 +641,6 @@ main(int ac, char **av)
|
@@ -628,7 +640,6 @@ main(int ac, char **av)
|
||||||
if (!host)
|
if (!host)
|
||||||
usage();
|
usage();
|
||||||
|
|
||||||
@ -404,7 +407,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||||||
ERR_load_crypto_strings();
|
ERR_load_crypto_strings();
|
||||||
|
|
||||||
/* Initialize the command to execute on remote host. */
|
/* Initialize the command to execute on remote host. */
|
||||||
@@ -722,6 +730,10 @@ main(int ac, char **av)
|
@@ -719,6 +730,10 @@ main(int ac, char **av)
|
||||||
|
|
||||||
seed_rng();
|
seed_rng();
|
||||||
|
|
||||||
@ -415,7 +418,7 @@ diff -up openssh-6.2p1/ssh.c.fips openssh-6.2p1/ssh.c
|
|||||||
if (options.user == NULL)
|
if (options.user == NULL)
|
||||||
options.user = xstrdup(pw->pw_name);
|
options.user = xstrdup(pw->pw_name);
|
||||||
|
|
||||||
@@ -790,6 +802,12 @@ main(int ac, char **av)
|
@@ -787,6 +802,12 @@ main(int ac, char **av)
|
||||||
|
|
||||||
timeout_ms = options.connection_timeout * 1000;
|
timeout_ms = options.connection_timeout * 1000;
|
||||||
|
|
||||||
@ -463,9 +466,9 @@ diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
|
|||||||
if (options.hostkeyalgorithms != NULL)
|
if (options.hostkeyalgorithms != NULL)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||||
options.hostkeyalgorithms;
|
options.hostkeyalgorithms;
|
||||||
diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
|
||||||
--- openssh-6.2p1/sshd.c.fips 2013-03-27 13:14:49.146683554 +0100
|
--- openssh-6.2p2/sshd.c.fips 2013-10-08 17:14:05.455864248 +0200
|
||||||
+++ openssh-6.2p1/sshd.c 2013-03-27 13:14:49.180683419 +0100
|
+++ openssh-6.2p2/sshd.c 2013-10-08 17:22:15.897527827 +0200
|
||||||
@@ -76,6 +76,8 @@
|
@@ -76,6 +76,8 @@
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/md5.h>
|
#include <openssl/md5.h>
|
||||||
@ -475,19 +478,22 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
#ifdef HAVE_SECUREWARE
|
#ifdef HAVE_SECUREWARE
|
||||||
@@ -1423,6 +1425,11 @@ main(int ac, char **av)
|
@@ -1423,6 +1425,14 @@ main(int ac, char **av)
|
||||||
#endif
|
#endif
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
+ SSLeay_add_all_algorithms();
|
+ SSLeay_add_all_algorithms();
|
||||||
+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
|
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
+ if (! FIPSCHECK_verify(NULL, NULL))
|
||||||
+ }
|
+ if (FIPS_mode())
|
||||||
|
+ fatal("FIPS integrity verification test failed.");
|
||||||
|
+ else
|
||||||
|
+ logit("FIPS integrity verification test failed.");
|
||||||
+
|
+
|
||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||||
saved_argc = ac;
|
saved_argc = ac;
|
||||||
rexec_argc = ac;
|
rexec_argc = ac;
|
||||||
@@ -1571,8 +1578,6 @@ main(int ac, char **av)
|
@@ -1571,8 +1581,6 @@ main(int ac, char **av)
|
||||||
else
|
else
|
||||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||||
|
|
||||||
@ -496,7 +502,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
/*
|
/*
|
||||||
* Force logging to stderr until we have loaded the private host
|
* Force logging to stderr until we have loaded the private host
|
||||||
* key (unless started from inetd)
|
* key (unless started from inetd)
|
||||||
@@ -1715,6 +1720,10 @@ main(int ac, char **av)
|
@@ -1715,6 +1723,10 @@ main(int ac, char **av)
|
||||||
debug("private host key: #%d type %d %s", i, key->type,
|
debug("private host key: #%d type %d %s", i, key->type,
|
||||||
key_type(key));
|
key_type(key));
|
||||||
}
|
}
|
||||||
@ -507,7 +513,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||||
logit("Disabling protocol version 1. Could not load host key");
|
logit("Disabling protocol version 1. Could not load host key");
|
||||||
options.protocol &= ~SSH_PROTO_1;
|
options.protocol &= ~SSH_PROTO_1;
|
||||||
@@ -1878,6 +1887,10 @@ main(int ac, char **av)
|
@@ -1878,6 +1890,10 @@ main(int ac, char **av)
|
||||||
/* Initialize the random number generator. */
|
/* Initialize the random number generator. */
|
||||||
arc4random_stir();
|
arc4random_stir();
|
||||||
|
|
||||||
@ -518,7 +524,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
/* Chdir to the root directory so that the current disk can be
|
/* Chdir to the root directory so that the current disk can be
|
||||||
unmounted if desired. */
|
unmounted if desired. */
|
||||||
(void) chdir("/");
|
(void) chdir("/");
|
||||||
@@ -2420,6 +2433,9 @@ do_ssh2_kex(void)
|
@@ -2420,6 +2436,9 @@ do_ssh2_kex(void)
|
||||||
if (options.ciphers != NULL) {
|
if (options.ciphers != NULL) {
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||||
@ -528,7 +534,7 @@ diff -up openssh-6.2p1/sshd.c.fips openssh-6.2p1/sshd.c
|
|||||||
}
|
}
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||||
@@ -2429,6 +2445,9 @@ do_ssh2_kex(void)
|
@@ -2429,6 +2448,9 @@ do_ssh2_kex(void)
|
||||||
if (options.macs != NULL) {
|
if (options.macs != NULL) {
|
||||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||||
|
Loading…
Reference in New Issue
Block a user