second FIPS patch for openssh 6.0p1, fix pubkey

John E. Krokes mag at netherworld.org
Thu Aug 30 05:52:40 EST 2012


The patch to enable FIPS mode for openssh 6.0p1 missed two instances of
the ssh client trying to use MD5. It causes pubkey-based authentication
to fail in FIPS mode.

I have copied the missing changes from auth2-pubkey.c into sshconnect2.c.

Here is a patch:


 
diff -cr openssh-6.0p1/sshconnect2.c openssh-6.0p1-patched/sshconnect2.c
*** openssh-6.0p1/sshconnect2.c	Sun May 29 07:42:34 2011
--- openssh-6.0p1-patched/sshconnect2.c	Wed Aug 29 14:59:19 2012
***************
*** 77,82 ****
--- 77,88 ----
  #include "ssh-gss.h"
  #endif
  
+ #include <openssl/sha.h>
+ #ifdef OPENSSL_FIPS
+ #include <openssl/fips.h>
+ #endif
+ 
+ 
  /* import */
  extern char *client_version_string;
  extern char *server_version_string;
***************
*** 591,597 ****
  		    key->type, pktype);
  		goto done;
  	}
! 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
  	debug2("input_userauth_pk_ok: fp %s", fp);
  	xfree(fp);
  
--- 604,611 ----
  		    key->type, pktype);
  		goto done;
  	}
! 	fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
!                             SSH_FP_HEX);
  	debug2("input_userauth_pk_ok: fp %s", fp);
  	xfree(fp);
  
***************
*** 1204,1210 ****
  	int have_sig = 1;
  	char *fp;
  
! 	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
  	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
  	xfree(fp);
  
--- 1218,1225 ----
  	int have_sig = 1;
  	char *fp;
  
! 	fp = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
!                             SSH_FP_HEX);
  	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
  	xfree(fp);
  


-Mag


More information about the openssh-unix-dev mailing list