FIPS 140-2 OpenSSL(2007) patches

Oren Nechushtan oren at forescout.com
Tue Apr 22 02:08:18 EST 2008


--- openssh-4.7p1/sshd.c Mon Dec 31 05:14:10 2007
+++ openssh-4.7p1/sshd.c Mon Dec 31 17:25:36 2007
@@ -75,6 +75,12 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/rand.h>
+#ifdef OPENSSL_FIPS
+#include <fips.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#endif
+
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
 #include <prot.h>
@@ -136,6 +142,14 @@
 
 extern char *__progname;
 
+/* FIPS mode operation indicator */
+#ifdef OPENSSL_FIPS
+       int fips_mode = 1; //refined later
+#else
+       int fips_mode = 0;
+#endif
+
+
 /* Server configuration options. */
 ServerOptions options;
 
@@ -419,7 +433,11 @@
   major = PROTOCOL_MAJOR_1;
   minor = PROTOCOL_MINOR_1;
  }
+#ifndef OPENSSL_FIPS
  snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
SSH_VERSION);
+#else
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s FIPS\n", major, minor,
SSH_VERSION);
+#endif
  server_version_string = xstrdup(buf);
 
  /* Send our protocol version identification. */
@@ -582,15 +600,24 @@
 privsep_preauth_child(void)
 {
  u_int32_t rnd[256];
+ u_char* buf=(u_char*)rnd;
  gid_t gidset[1];
  int i;
 
  /* Enable challenge-response authentication for privilege separation
*/
  privsep_challenge_enable();
 
+#ifndef OPENSSL_FIPS
  for (i = 0; i < 256; i++)
   rnd[i] = arc4random();
  RAND_seed(rnd, sizeof(rnd));
+#else
+ for (i = 0; i < 6; i++)
+  rnd[i] = arc4random();
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif
 
  /* Demote the private keys to public keys. */
  demote_sensitive_data();
@@ -621,12 +648,26 @@
 {
  int status;
  pid_t pid;
+#ifdef OPENSSL_FIPS
+// u_int32_t rnd[6], i;
+// u_char* buf=(u_char*)rnd;
+ u_char buf[24];
+#endif
 
  /* Set up unprivileged child process to deal with network data */
  pmonitor = monitor_init();
  /* Store a pointer to the kex for later rekeying */
  pmonitor->m_pkex = &xxx_kex;
 
+#ifdef OPENSSL_FIPS
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+             ERR_load_crypto_strings();
+             ERR_print_errors_fp(stderr);
+  fatal("privsep_preauth: RAND_bytes failed");
+ }
+// for (i = 0; i < 6; i++)
+//  rnd[i] = arc4random();
+#endif
  pid = fork();
  if (pid == -1) {
   fatal("fork of unprivileged child failed");
@@ -648,6 +689,13 @@
   return (1);
  } else {
   /* child */
+#ifdef OPENSSL_FIPS
+  FIPS_rand_method()->cleanup();
+  /* Always automagically seed PRNG */
+  FIPS_set_prng_key(buf,buf+8);
+  FIPS_rand_seed(buf+16,8);
+  debug2("FIPS rand reseeded");
+#endif
 
   close(pmonitor->m_sendfd);
 
@@ -662,6 +710,11 @@
 static void
 privsep_postauth(Authctxt *authctxt)
 {
+#ifdef OPENSSL_FIPS
+// u_int32_t rnd[6], i;
+// u_char* buf=(u_char*)rnd;
+ u_char buf[24];
+#endif
 #ifdef DISABLE_FD_PASSING
  if (1) {
 #else
@@ -675,6 +728,15 @@
  /* New socket pair */
  monitor_reinit(pmonitor);
 
+#ifdef OPENSSL_FIPS
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+             ERR_load_crypto_strings();
+             ERR_print_errors_fp(stderr);
+  fatal("privsep_postauth: RAND_bytes failed");
+ }
+// for (i = 0; i < 6; i++)
+//  rnd[i] = arc4random();
+#endif
  pmonitor->m_pid = fork();
  if (pmonitor->m_pid == -1)
   fatal("fork of unprivileged child failed");
@@ -687,7 +749,13 @@
   /* NEVERREACHED */
   exit(0);
  }
-
+#ifdef OPENSSL_FIPS
+  FIPS_rand_method()->cleanup();
+  /* Always automagically seed PRNG */
+  FIPS_set_prng_key(buf,buf+8);
+  FIPS_rand_seed(buf+16,8);
+  debug2("FIPS rand reseeded");
+#endif
  close(pmonitor->m_sendfd);
 
  /* Demote the private keys to public keys. */
@@ -1015,6 +1083,11 @@
  struct sockaddr_storage from;
  socklen_t fromlen;
  pid_t pid;
+#ifdef OPENSSL_FIPS
+// u_int32_t rnd[6], k;
+// u_char* buf=(u_char*)rnd;
+ u_char buf[24];
+#endif
 
  /* setup fd set for accept */
  fdset = NULL;
@@ -1147,6 +1220,15 @@
     break;
    }
 
+#ifdef OPENSSL_FIPS
+   if(RAND_bytes(buf,sizeof buf) <= 0) {
+               ERR_load_crypto_strings();
+               ERR_print_errors_fp(stderr);
+    fatal("server_accept_loop: RAND_bytes failed");
+   }
+//   for (k = 0; k < 6; k++)
+//    rnd[k] = arc4random();
+#endif
    /*
     * Normal production daemon.  Fork, and have
     * the child process the connection. The
@@ -1163,6 +1245,13 @@
      * the connection.
      */
     platform_post_fork_child();
+#ifdef OPENSSL_FIPS
+    FIPS_rand_method()->cleanup();
+    /* Always automagically seed PRNG */
+    FIPS_set_prng_key(buf,buf+8);
+    FIPS_rand_seed(buf+16,8);
+    debug2("FIPS rand reseeded");
+#endif
     startup_pipe = startup_p[1];
     close_startup_pipes();
     close_listen_socks();
@@ -1421,6 +1510,36 @@
  /* Fill in default values for those options not explicitly set. */
  fill_default_server_options(&options);
 
+#ifdef OPENSSL_FIPS
+/*
+        Priority setting:
+                env OPENSSH_FIPS
+                !env OPENSSH_NO_FIPS
+                sshd_config options (default: false)
+*/
+        if (fips_mode) { 
+                if (getenv("OPENSSH_FIPS")) { /* env OPENSSH_FIPS */
+                }
+                else if (getenv("OPENSSH_NO_FIPS")) { /* !env
OPENSSH_NO_FIPS */
+                        fips_mode = 0;
+                }
+                else if (options.fips_mode == 0) { /* sshd_config
options */
+                        fips_mode = 0;
+                }
+        }
+        if(fips_mode)
+        {
+          if(!FIPS_mode_set(1))
+          {
+            ERR_load_crypto_strings();
+            ERR_print_errors_fp(stderr);
+            exit(1);
+          }
+          else
+            fprintf(stderr,"*** IN FIPS MODE ***\n");
+        }
+#endif
+
  /* challenge-response is implemented via keyboard interactive */
  if (options.challenge_response_authentication)
   options.kbd_interactive_authentication = 1;
@@ -1572,9 +1691,28 @@
 #ifdef TIOCNOTTY
   int fd;
 #endif /* TIOCNOTTY */
+#ifdef OPENSSL_FIPS
+// u_int32_t rnd[6], k;
+// u_char* buf=(u_char*)rnd;
+ u_char buf[24];
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+             ERR_load_crypto_strings();
+             ERR_print_errors_fp(stderr);
+  fatal("privsep_preauth: RAND_bytes failed");
+ }
+// for (i = 0; i < 6; i++)
+//  rnd[i] = arc4random();
+#endif
   if (daemon(0, 0) < 0)
    fatal("daemon() failed: %.200s", strerror(errno));
 
+#ifdef OPENSSL_FIPS
+ FIPS_rand_method()->cleanup();
+ /* Always automagically seed PRNG */
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif
   /* Disconnect from the controlling tty. */
 #ifdef TIOCNOTTY
   fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);
--- openssh-4.7p1/ssh-keygen.c Tue Dec 18 02:43:34 2007
+++ openssh-4.7p1/ssh-keygen.c Wed Dec 26 17:38:59 2007
@@ -47,6 +47,14 @@
 #include "match.h"
 #include "hostfile.h"
 #include "dns.h"
+#include "fips.h"
+
+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
 
 #ifdef SMARTCARD
 #include "scard.h"
@@ -1067,6 +1075,14 @@
  extern int optind;
  extern char *optarg;
 
+       enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
+
  /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  sanitise_stdfd();
 
@@ -1435,7 +1451,7 @@
  fclose(f);
 
  if (!quiet) {
-  char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+  char *fp = key_fingerprint(public, dgst_type, SSH_FP_HEX);
   printf("Your public key has been saved in %s.\n",
       identity_file);
   printf("The key fingerprint is:\n");

--- openssh-4.7p1/ssh-keysign.c Tue Dec 18 02:43:37 2007
+++ openssh-4.7p1/ssh-keysign.c Wed Dec 26 18:07:17 2007
@@ -52,6 +52,15 @@
 #include "pathnames.h"
 #include "readconf.h"
 #include "uidswap.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+       int fips_mode = 0;
+#endif
+
 
 /* XXX readconf.c needs these */
 uid_t original_real_uid;
@@ -158,6 +167,10 @@
  u_int slen, dlen;
  u_int32_t rnd[256];
 
+#ifdef OPENSSL_FIPS
+ if ( getenv("OPENSSH_FIPS") ) fips_mode = 1;
+#endif
+
  /* Ensure that stdin and stdout are connected */
  if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
   exit(1);
--- openssh-4.7p1/ssh-keyscan.c Tue Dec 18 02:43:36 2007
+++ openssh-4.7p1/ssh-keyscan.c Wed Dec 26 18:05:15 2007
@@ -45,6 +45,14 @@
 #include "atomicio.h"
 #include "misc.h"
 #include "hostfile.h"
+#include "fips.h"
+
+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+       int fips_mode = 0;
+#endif
 
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the
command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -729,6 +737,10 @@
  extern int optind;
  extern char *optarg;
 
+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+#endif
+
  __progname = ssh_get_progname(argv[0]);
  init_rng();
  seed_rng();
--- openssh-4.7p1/fips.h        Tue Dec 18 03:32:54 2007
+++ openssh-4.7p1/fips.h     Tue Dec 18 03:30:50 2007
@@ -0,0 +1,3 @@
+/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
+
+extern int fips_mode;
--- openssh-4.7p1/openbsd-compat/bsd-arc4random.c Thu Dec 20 13:04:50
2007
+++ openssh-4.7p1/openbsd-compat/bsd-arc4random.c Thu Dec 20 16:39:10
2007
@@ -29,6 +29,11 @@
 #include <openssl/rc4.h>
 #include <openssl/err.h>
 
+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif
+
+
 /* Size of key to use */
 #define SEED_SIZE 20
 
@@ -45,13 +50,27 @@
  static int first_time = 1;
 
  if (rc4_ready <= 0) {
+#ifndef OPENSSL_FIPS
   if (first_time)
    seed_rng();
+#endif
   first_time = 0;
   arc4random_stir();
  }
 
- RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
+#ifdef OPENSSL_FIPS
+        if (fips_mode) {
+                if (RAND_bytes(&r,sizeof(r)) <= 0) {
+   ERR_load_crypto_strings();
+   ERR_print_errors_fp(stderr);
+   return 1/0;
+                }
+         rc4_ready -= sizeof(r);
+
+         return(r);
+        }
+#endif
+        RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
 
  rc4_ready -= sizeof(r);
  
@@ -64,6 +83,13 @@
  unsigned char rand_buf[SEED_SIZE];
  int i;
 
+#ifdef OPENSSL_FIPS
+       if (fips_mode) {
+               rc4_ready = REKEY_BYTES;
+               return;
+       }
+#endif
+
  memset(&rc4, 0, sizeof(rc4));
  if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
   fatal("Couldn't obtain random bytes (error %ld)",

--- openssh-4.7p1/ssh-rand-helper.c Thu Dec 20 13:15:00 2007
+++ openssh-4.7p1/ssh-rand-helper.c Wed Dec 26 18:10:50 2007
@@ -62,6 +62,14 @@
 #include "atomicio.h"
 #include "pathnames.h"
 #include "log.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
 
 /* Number of bytes we write out */
 #define OUTPUT_SEED_SIZE 48
@@ -820,6 +828,10 @@
  extern char *optarg;
  LogLevel ll;
 
+#ifdef OPENSSL_FIPS
+ if ( getenv("OPENSSH_FIPS") ) fips_mode = 1;
+#endif
+
  __progname = ssh_get_progname(argv[0]);
  log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 
--- openssh-4.7p1/buffer.c Thu Dec 20 12:55:07 2007
+++ openssh-4.7p1/buffer.c Thu Dec 20 12:55:38 2007
@@ -175,7 +175,8 @@
       len, buffer->end - buffer->offset);
   return (-1);
  }
- memcpy(buf, buffer->buf + buffer->offset, len);
+ if (len > 0)
+  memcpy(buf, buffer->buf + buffer->offset, len);
  buffer->offset += len;
  return (0);
 }

--- openssh-4.7p1/sshconnect.c Thu Dec 20 15:23:57 2007
+++ openssh-4.7p1/sshconnect.c Thu Dec 20 15:40:26 2007
@@ -57,6 +57,7 @@
 #include "misc.h"
 #include "dns.h"
 #include "version.h"
+#include "fips.h"
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
@@ -545,6 +546,12 @@
  char msg[1024];
  int len, host_line, ip_line;
  const char *host_file = NULL, *ip_file = NULL;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
 
  /*
   * Force accepting of the host key for loopback/localhost. The
@@ -708,7 +735,7 @@
    else
     snprintf(msg1, sizeof(msg1), ".");
    /* The default */
-   fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+   fp = key_fingerprint(host_key, dgst_type, SSH_FP_HEX);
    msg2[0] = '\0';
    if (options.verify_host_key_dns) {
     if (matching_host_key_dns)
@@ -999,11 +1006,17 @@
  Key *found;
  char *fp;
  int line, ret;
+        enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
 
  found = key_new(keytype);
  if ((ret = lookup_key_in_hostfile_by_type(file, host,
      keytype, found, &line))) {
-  fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+  fp = key_fingerprint(found, dgst_type, SSH_FP_HEX);
   logit("WARNING: %s key found for host %s\n"
       "in %s:%d\n"
       "%s key fingerprint %s.",
@@ -1053,8 +1086,14 @@
 {
  char *fp;
  const char *type = key_type(host_key);
+        enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
 
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(host_key, dgst_type, SSH_FP_HEX);
 
  error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
  error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");

--- openssh-4.7p1/sshconnect2.c Mon Dec 24 13:14:28 2007
+++ openssh-4.7p1/sshconnect2.c Mon Dec 24 13:17:06 2007
@@ -64,6 +64,7 @@
 #include "msg.h"
 #include "pathnames.h"
 #include "uidswap.h"
+#include "fips.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -433,6 +434,12 @@
  u_int alen, blen;
  char *pkalg, *fp;
  u_char *pkblob;
+       enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+       if (fips_mode) {
+               dgst_type = SSH_FP_SHA1;
+       }
+#endif
 
  if (authctxt == NULL)
   fatal("input_userauth_pk_ok: no authentication context");
@@ -466,7 +473,7 @@
       key->type, pktype);
   goto done;
  }
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, dgst_type, SSH_FP_HEX);
  debug2("input_userauth_pk_ok: fp %s", fp);
  xfree(fp);
 
--- openssh-4.7p1/auth2-pubkey.c Thu Dec 20 15:18:22 2007
+++ openssh-4.7p1/auth2-pubkey.c Sun Dec 23 21:42:40 2007
@@ -52,6 +52,9 @@
 #endif
 #include "monitor_wrap.h"
 #include "misc.h"
+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -186,6 +189,14 @@
  struct stat st;
  Key *found;
  char *fp;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
+
+
 
  /* Temporarily use the user's uid. */
  temporarily_use_uid(pw);
@@ -250,7 +261,7 @@
    found_key = 1;
    debug("matching key found: file %s, line %lu",
        file, linenum);
-   fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+   fp = key_fingerprint(found, dgst_type, SSH_FP_HEX);
    verbose("Found matching %s key: %s",
        key_type(found), fp);
    xfree(fp);

--- openssh-4.7p1/auth-rsa.c Thu Dec 20 15:18:22 2007
+++ openssh-4.7p1/auth-rsa.c Wed Jan  2 17:01:42 2008
@@ -21,6 +21,7 @@
 
 #include <openssl/rsa.h>
 #include <openssl/md5.h>
+#include <openssl/fips_sha.h>
 
 #include <pwd.h>
 #include <stdio.h>
@@ -47,6 +48,9 @@
 #include "monitor_wrap.h"
 #include "ssh.h"
 #include "misc.h"
+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif
 
 /* import */
 extern ServerOptions options;
@@ -88,10 +92,11 @@
 }
 
 int
-auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char
response[16])
+auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char
response[20])
 {
- u_char buf[32], mdbuf[16];
+ u_char buf[40], mdbuf[16], shabuf[20];
  MD5_CTX md;
+ SHA_CTX sha;
  int len;
 
  /* don't allow short keys */
@@ -101,10 +106,37 @@
   return (0);
  }
 
- /* The response is MD5 of decrypted challenge plus session id. */
  len = BN_num_bytes(challenge);
+ if (len <= 0 || len > 40)
+  fatal("auth_rsa_verify_response: bad challenge length %d", len);
+
+ /* The response is SHA1 of decrypted challenge plus session id. */
+ memset(buf, 0, 40);
+ BN_bn2bin(challenge, buf + 40 - len);
+ SHA1_Init(&sha);
+ SHA1_Update(&sha, buf, 40);
+ SHA1_Update(&sha, session_id, 16);
+ SHA1_Final(shabuf, &sha);
+
+ /* Verify that the response is the original challenge. */
+ if (memcmp(response, shabuf, 20) != 0) {
+  /* Wrong answer. */
+#ifdef OPENSSL_FIPS
+  if (fips_mode) {
+   return (0);
+  }
+#endif
+ }
+
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  return (1);
+ }
+#endif
+
  if (len <= 0 || len > 32)
   fatal("auth_rsa_verify_response: bad challenge length %d", len);
+ /* The response is MD5 of decrypted challenge plus session id. */
  memset(buf, 0, 32);
  BN_bn2bin(challenge, buf + 32 - len);
  MD5_Init(&md);
@@ -131,7 +163,7 @@
 auth_rsa_challenge_dialog(Key *key)
 {
  BIGNUM *challenge, *encrypted_challenge;
- u_char response[16];
+ u_char response[20];
  int i, success;
 
  if ((encrypted_challenge = BN_new()) == NULL)
@@ -153,6 +185,10 @@
  packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
  for (i = 0; i < 16; i++)
   response[i] = (u_char)packet_get_char();
+#ifdef OPENSSL_FIPS
+ for (i = 16; i < 20; i++)
+  response[i] = (u_char)packet_get_char();
+#endif
  packet_check_eom();
 
  success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
@@ -304,6 +340,12 @@
  Key *key;
  char *fp;
  struct passwd *pw = authctxt->pw;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+  dgst_type = SSH_FP_SHA1;
+ }
+#endif
 
  /* no user given */
  if (!authctxt->valid)
@@ -332,7 +374,7 @@
   * options; this will be reset if the options cause the
   * authentication to be rejected.
   */
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, dgst_type, SSH_FP_HEX);
  verbose("Found matching %s key: %s",
      key_type(key), fp);
  xfree(fp);
--- openssh-4.7p1/contrib/redhat/sshd.init Mon Dec 24 13:44:26 2007
+++ openssh-4.7p1/contrib/redhat/sshd.init Wed Dec 26 13:08:06 2007
@@ -24,7 +24,11 @@
 # Some functions to make the below more readable
 KEYGEN=/usr/bin/ssh-keygen
 SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
+if [ "$OPENSSH_FIPS" ] ; then
+ EXTRA_SSH_KEYGEN_RSA_FLAGS="-b 2048"
+else
+ RSA1_KEY=/etc/ssh/ssh_host_key
+fi
 RSA_KEY=/etc/ssh/ssh_host_rsa_key
 DSA_KEY=/etc/ssh/ssh_host_dsa_key
 PID_FILE=/var/run/sshd.pid
@@ -32,7 +36,7 @@
 do_rsa1_keygen() {
  if [ ! -s $RSA1_KEY ]; then
   echo -n $"Generating SSH1 RSA host key: "
-  if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+  if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_RSA_FLAGS >&/dev/null; then
    chmod 600 $RSA1_KEY
    chmod 644 $RSA1_KEY.pub
    if [ -x /sbin/restorecon ]; then
@@ -51,7 +55,7 @@
 do_rsa_keygen() {
  if [ ! -s $RSA_KEY ]; then
   echo -n $"Generating SSH2 RSA host key: "
-  if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+  if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_RSA_FLAGS >&/dev/null; then
    chmod 600 $RSA_KEY
    chmod 644 $RSA_KEY.pub
    if [ -x /sbin/restorecon ]; then
@@ -70,7 +74,7 @@
 do_dsa_keygen() {
  if [ ! -s $DSA_KEY ]; then
   echo -n $"Generating SSH2 DSA host key: "
-  if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+  if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_DSA_FLAGS >&/dev/null; then
    chmod 600 $DSA_KEY
    chmod 644 $DSA_KEY.pub
    if [ -x /sbin/restorecon ]; then

--- openssh-4.7p1/ssh-add.c Wed Dec 26 17:25:22 2007
+++ openssh-4.7p1/ssh-add.c Wed Dec 26 17:35:52 2007
@@ -61,10 +61,18 @@
 #include "authfile.h"
 #include "pathnames.h"
 #include "misc.h"
+#include "fips.h"
 
 /* argv0 */
 extern char *__progname;
 
+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
+
 /* Default files to add */
 static char *default_files[] = {
  _PATH_SSH_CLIENT_ID_RSA,
@@ -337,6 +345,10 @@
  /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  sanitise_stdfd();
 
+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode=1;
+#endif
+
  __progname = ssh_get_progname(argv[0]);
  init_rng();
  seed_rng();

--- openssh-4.7p1/ssh-agent.c Wed Dec 26 18:09:26 2007
+++ openssh-4.7p1/ssh-agent.c Wed Dec 26 18:17:05 2007
@@ -74,6 +74,14 @@
 #include "compat.h"
 #include "log.h"
 #include "misc.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
 
 #ifdef SMARTCARD
 #include "scard.h"
@@ -1047,6 +1055,10 @@
  char pidstrbuf[1 + 3 * sizeof pid];
  struct timeval *tvp = NULL;
 
+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+#endif
+
  /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
  sanitise_stdfd();





More information about the openssh-unix-dev mailing list