RE: FIPS 140-2 OpenSSL(2007) patches

Part 2

--- openssh-4.7p1/sshd.c Mon Dec 31 05:14:10 2007
+++ openssh-4.7p1/sshd.c Mon Dec 31 17:25:36 2007
@@ -75,6 +75,12 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
#include <openssl/rand.h>
+#ifdef OPENSSL_FIPS
+#include <fips.h>
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#endif
+
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
@@ -136,6 +142,14 @@

extern char *__progname;

+/* FIPS mode operation indicator */
+#ifdef OPENSSL_FIPS
+ int fips_mode = 1; //refined later
+#else
+ int fips_mode = 0;
+#endif
+
+
/* Server configuration options. */
ServerOptions options;

@@ -419,7 +433,11 @@
major = PROTOCOL_MAJOR_1;
minor = PROTOCOL_MINOR_1;
}
+#ifndef OPENSSL_FIPS
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
SSH_VERSION);
+#else
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s FIPS\n", major, minor,
SSH_VERSION);
+#endif
server_version_string = xstrdup(buf);

/* Send our protocol version identification. */
@@ -582,15 +600,24 @@
privsep_preauth_child(void)
{
u_int32_t rnd[256];
+ u_char* buf=(u_char*)rnd;
gid_t gidset[1];
int i;

/* Enable challenge-response authentication for privilege separation
*/
privsep_challenge_enable();

+#ifndef OPENSSL_FIPS
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
+#else
+ for (i = 0; i < 6; i++)
+ rnd[i] = arc4random();
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif

/* Demote the private keys to public keys. */
demote_sensitive_data();
@@ -621,12 +648,22 @@
{
int status;
pid_t pid;
+#ifdef OPENSSL_FIPS
+ u_char buf[24];
+#endif

/* Set up unprivileged child process to deal with network data */
pmonitor = monitor_init();
/* Store a pointer to the kex for later rekeying */
pmonitor->m_pkex = &xxx_kex;

+#ifdef OPENSSL_FIPS
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ fatal("privsep_preauth: RAND_bytes failed");
+ }
+#endif
pid = fork();
if (pid == -1) {
fatal("fork of unprivileged child failed");
@@ -648,6 +685,13 @@
return (1);
} else {
/* child */
+#ifdef OPENSSL_FIPS
+ FIPS_rand_method()->cleanup();
+ /* Always automagically seed PRNG */
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif

close(pmonitor->m_sendfd);

@@ -662,6 +706,9 @@
static void
privsep_postauth(Authctxt *authctxt)
{
+#ifdef OPENSSL_FIPS
+ u_char buf[24];
+#endif
#ifdef DISABLE_FD_PASSING
if (1) {
#else
@@ -675,6 +722,13 @@
/* New socket pair */
monitor_reinit(pmonitor);

+#ifdef OPENSSL_FIPS
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ fatal("privsep_postauth: RAND_bytes failed");
+ }
+#endif
pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1)
fatal("fork of unprivileged child failed");
@@ -687,7 +741,13 @@
/* NEVERREACHED */
exit(0);
}
-
+#ifdef OPENSSL_FIPS
+ FIPS_rand_method()->cleanup();
+ /* Always automagically seed PRNG */
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif
close(pmonitor->m_sendfd);

/* Demote the private keys to public keys. */
@@ -1015,6 +1075,9 @@
struct sockaddr_storage from;
socklen_t fromlen;
pid_t pid;
+#ifdef OPENSSL_FIPS
+ u_char buf[24];
+#endif

/* setup fd set for accept */
fdset = NULL;
@@ -1147,6 +1210,13 @@
break;
}

+#ifdef OPENSSL_FIPS
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ fatal("server_accept_loop: RAND_bytes failed");
+ }
+#endif
/*
* Normal production daemon. Fork, and have
* the child process the connection. The
@@ -1163,6 +1233,13 @@
* the connection.
*/
platform_post_fork_child();
+#ifdef OPENSSL_FIPS
+ FIPS_rand_method()->cleanup();
+ /* Always automagically seed PRNG */
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif
startup_pipe = startup_p[1];
close_startup_pipes();
close_listen_socks();
@@ -1421,6 +1498,36 @@
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);

+#ifdef OPENSSL_FIPS
+/*
+ Priority setting:
+ env OPENSSH_FIPS
+ !env OPENSSH_NO_FIPS
+ sshd_config options (default: false)
+*/
+ if (fips_mode) {
+ if (getenv("OPENSSH_FIPS")) { /* env OPENSSH_FIPS */
+ }
+ else if (getenv("OPENSSH_NO_FIPS")) { /* !env
OPENSSH_NO_FIPS */
+ fips_mode = 0;
+ }
+ else if (options.fips_mode == 0) { /* sshd_config
options */
+ fips_mode = 0;
+ }
+ }
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ exit(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
@@ -1572,9 +1679,24 @@
#ifdef TIOCNOTTY
int fd;
#endif /* TIOCNOTTY */
+#ifdef OPENSSL_FIPS
+ u_char buf[24];
+ if(RAND_bytes(buf,sizeof buf) <= 0) {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ fatal("privsep_preauth: RAND_bytes failed");
+ }
+#endif
if (daemon(0, 0) < 0)
fatal("daemon() failed: %.200s", strerror(errno));

+#ifdef OPENSSL_FIPS
+ FIPS_rand_method()->cleanup();
+ /* Always automagically seed PRNG */
+ FIPS_set_prng_key(buf,buf+8);
+ FIPS_rand_seed(buf+16,8);
+ debug2("FIPS rand reseeded");
+#endif
/* Disconnect from the controlling tty. */
#ifdef TIOCNOTTY
fd = open(_PATH_TTY, O_RDWR | O_NOCTTY);



--- openssh-4.7p1/ssh-keygen.c Tue Dec 18 02:43:34 2007
+++ openssh-4.7p1/ssh-keygen.c Wed Dec 26 17:38:59 2007
@@ -47,6 +47,14 @@
#include "match.h"
#include "hostfile.h"
#include "dns.h"
+#include "fips.h"
+
+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif

#ifdef SMARTCARD
#include "scard.h"
@@ -1067,6 +1075,14 @@
extern int optind;
extern char *optarg;

+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

@@ -1435,7 +1451,7 @@
fclose(f);

if (!quiet) {
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+ char *fp = key_fingerprint(public, dgst_type, SSH_FP_HEX);
printf("Your public key has been saved in %s.\n",
identity_file);
printf("The key fingerprint is:\n");

--- openssh-4.7p1/ssh-keysign.c Tue Dec 18 02:43:37 2007
+++ openssh-4.7p1/ssh-keysign.c Wed Dec 26 18:07:17 2007
@@ -52,6 +52,15 @@
#include "pathnames.h"
#include "readconf.h"
#include "uidswap.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
+

/* XXX readconf.c needs these */
uid_t original_real_uid;
@@ -158,6 +167,10 @@
u_int slen, dlen;
u_int32_t rnd[256];

+#ifdef OPENSSL_FIPS
+ if ( getenv("OPENSSH_FIPS") ) fips_mode = 1;
+#endif
+
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
exit(1);
--- openssh-4.7p1/ssh-keyscan.c Tue Dec 18 02:43:36 2007
+++ openssh-4.7p1/ssh-keyscan.c Wed Dec 26 18:05:15 2007
@@ -45,6 +45,14 @@
#include "atomicio.h"
#include "misc.h"
#include "hostfile.h"
+#include "fips.h"
+
+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif

/* Flag indicating whether IPv4 or IPv6. This can be set on the
command line.
Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -729,6 +737,10 @@
extern int optind;
extern char *optarg;

+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+#endif
+
__progname = ssh_get_progname(argv[0]);
init_rng();
seed_rng();
--- openssh-4.7p1/fips.h Tue Dec 18 03:32:54 2007
+++ openssh-4.7p1/fips.h Tue Dec 18 03:30:50 2007
@@ -0,0 +1,3 @@
+/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
+
+extern int fips_mode;
--- openssh-4.7p1/openbsd-compat/bsd-arc4random.c Thu Dec 20 13:04:50
2007
+++ openssh-4.7p1/openbsd-compat/bsd-arc4random.c Thu Dec 20 16:39:10
2007
@@ -29,6 +29,11 @@
#include <openssl/rc4.h>
#include <openssl/err.h>

+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif
+
+
/* Size of key to use */
#define SEED_SIZE 20

@@ -45,13 +50,27 @@
static int first_time = 1;

if (rc4_ready <= 0) {
+#ifndef OPENSSL_FIPS
if (first_time)
seed_rng();
+#endif
first_time = 0;
arc4random_stir();
}

- RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ if (RAND_bytes(&r,sizeof(r)) <= 0) {
+ ERR_load_crypto_strings();
+ ERR_print_errors_fp(stderr);
+ return 1/0;
+ }
+ rc4_ready -= sizeof(r);
+
+ return(r);
+ }
+#endif
+ RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);

rc4_ready -= sizeof(r);

@@ -64,6 +83,13 @@
unsigned char rand_buf[SEED_SIZE];
int i;

+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ rc4_ready = REKEY_BYTES;
+ return;
+ }
+#endif
+
memset(&rc4, 0, sizeof(rc4));
if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",

--- openssh-4.7p1/ssh-rand-helper.c Thu Dec 20 13:15:00 2007
+++ openssh-4.7p1/ssh-rand-helper.c Wed Dec 26 18:10:50 2007
@@ -62,6 +62,14 @@
#include "atomicio.h"
#include "pathnames.h"
#include "log.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif

/* Number of bytes we write out */
#define OUTPUT_SEED_SIZE 48
@@ -820,6 +828,10 @@
extern char *optarg;
LogLevel ll;

+#ifdef OPENSSL_FIPS
+ if ( getenv("OPENSSH_FIPS") ) fips_mode = 1;
+#endif
+
__progname = ssh_get_progname(argv[0]);
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

--- openssh-4.7p1/buffer.c Thu Dec 20 12:55:07 2007
+++ openssh-4.7p1/buffer.c Thu Dec 20 12:55:38 2007
@@ -175,7 +175,8 @@
len, buffer->end - buffer->offset);
return (-1);
}
- memcpy(buf, buffer->buf + buffer->offset, len);
+ if (len > 0)
+ memcpy(buf, buffer->buf + buffer->offset, len);
buffer->offset += len;
return (0);
}

--- openssh-4.7p1/sshconnect.c Thu Dec 20 15:23:57 2007
+++ openssh-4.7p1/sshconnect.c Thu Dec 20 15:40:26 2007
@@ -57,6 +57,7 @@
#include "misc.h"
#include "dns.h"
#include "version.h"
+#include "fips.h"

char *client_version_string = NULL;
char *server_version_string = NULL;
@@ -545,6 +546,12 @@
char msg[1024];
int len, host_line, ip_line;
const char *host_file = NULL, *ip_file = NULL;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif

/*
* Force accepting of the host key for loopback/localhost. The
@@ -708,7 +735,7 @@
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(host_key, dgst_type, SSH_FP_HEX);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -999,11 +1006,17 @@
Key *found;
char *fp;
int line, ret;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif

found = key_new(keytype);
if ((ret = lookup_key_in_hostfile_by_type(file, host,
keytype, found, &line))) {
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(found, dgst_type, SSH_FP_HEX);
logit("WARNING: %s key found for host %s\n"
"in %s:%d\n"
"%s key fingerprint %s.",
@@ -1053,8 +1086,14 @@
{
char *fp;
const char *type = key_type(host_key);
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif

- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(host_key, dgst_type, SSH_FP_HEX);

error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");

--- openssh-4.7p1/sshconnect2.c Mon Dec 24 13:14:28 2007
+++ openssh-4.7p1/sshconnect2.c Mon Dec 24 13:17:06 2007
@@ -64,6 +64,7 @@
#include "msg.h"
#include "pathnames.h"
#include "uidswap.h"
+#include "fips.h"

#ifdef GSSAPI
#include "ssh-gss.h"
@@ -433,6 +434,12 @@
u_int alen, blen;
char *pkalg, *fp;
u_char *pkblob;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif

if (authctxt == NULL)
fatal("input_userauth_pk_ok: no authentication context");
@@ -466,7 +473,7 @@
key->type, pktype);
goto done;
}
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, dgst_type, SSH_FP_HEX);
debug2("input_userauth_pk_ok: fp %s", fp);
xfree(fp);

--- openssh-4.7p1/auth2-pubkey.c Thu Dec 20 15:18:22 2007
+++ openssh-4.7p1/auth2-pubkey.c Sun Dec 23 21:42:40 2007
@@ -52,6 +52,9 @@
#endif
#include "monitor_wrap.h"
#include "misc.h"
+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif

/* import */
extern ServerOptions options;
@@ -186,6 +189,14 @@
struct stat st;
Key *found;
char *fp;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif
+
+

/* Temporarily use the user's uid. */
temporarily_use_uid(pw);
@@ -250,7 +261,7 @@
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(found, dgst_type, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);

--- openssh-4.7p1/auth-rsa.c Thu Dec 20 15:18:22 2007
+++ openssh-4.7p1/auth-rsa.c Wed Jan 2 17:01:42 2008
@@ -21,6 +21,7 @@

#include <openssl/rsa.h>
#include <openssl/md5.h>
+#include <openssl/fips_sha.h>

#include <pwd.h>
#include <stdio.h>
@@ -47,6 +48,9 @@
#include "monitor_wrap.h"
#include "ssh.h"
#include "misc.h"
+#ifdef OPENSSL_FIPS
+#include "fips.h"
+#endif

/* import */
extern ServerOptions options;
@@ -88,10 +92,11 @@
}

int
-auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char
response[16])
+auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char
response[20])
{
- u_char buf[32], mdbuf[16];
+ u_char buf[40], mdbuf[16], shabuf[20];
MD5_CTX md;
+ SHA_CTX sha;
int len;

/* don't allow short keys */
@@ -101,10 +106,37 @@
return (0);
}

- /* The response is MD5 of decrypted challenge plus session id. */
len = BN_num_bytes(challenge);
+ if (len <= 0 || len > 40)
+ fatal("auth_rsa_verify_response: bad challenge length %d", len);
+
+ /* The response is SHA1 of decrypted challenge plus session id. */
+ memset(buf, 0, 40);
+ BN_bn2bin(challenge, buf + 40 - len);
+ SHA1_Init(&sha);
+ SHA1_Update(&sha, buf, 40);
+ SHA1_Update(&sha, session_id, 16);
+ SHA1_Final(shabuf, &sha);
+
+ /* Verify that the response is the original challenge. */
+ if (memcmp(response, shabuf, 20) != 0) {
+ /* Wrong answer. */
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ return (0);
+ }
+#endif
+ }
+
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ return (1);
+ }
+#endif
+
if (len <= 0 || len > 32)
fatal("auth_rsa_verify_response: bad challenge length %d", len);
+ /* The response is MD5 of decrypted challenge plus session id. */
memset(buf, 0, 32);
BN_bn2bin(challenge, buf + 32 - len);
MD5_Init(&md);
@@ -131,7 +163,7 @@
auth_rsa_challenge_dialog(Key *key)
{
BIGNUM *challenge, *encrypted_challenge;
- u_char response[16];
+ u_char response[20];
int i, success;

if ((encrypted_challenge = BN_new()) == NULL)
@@ -153,6 +185,10 @@
packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
for (i = 0; i < 16; i++)
response[i] = (u_char)packet_get_char();
+#ifdef OPENSSL_FIPS
+ for (i = 16; i < 20; i++)
+ response[i] = (u_char)packet_get_char();
+#endif
packet_check_eom();

success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
@@ -304,6 +340,12 @@
Key *key;
char *fp;
struct passwd *pw = authctxt->pw;
+ enum fp_type dgst_type = SSH_FP_MD5;
+#ifdef OPENSSL_FIPS
+ if (fips_mode) {
+ dgst_type = SSH_FP_SHA1;
+ }
+#endif

/* no user given */
if (!authctxt->valid)
@@ -332,7 +374,7 @@
* options; this will be reset if the options cause the
* authentication to be rejected.
*/
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(key, dgst_type, SSH_FP_HEX);
verbose("Found matching %s key: %s",
key_type(key), fp);
xfree(fp);
--- openssh-4.7p1/contrib/redhat/sshd.init Mon Dec 24 13:44:26 2007
+++ openssh-4.7p1/contrib/redhat/sshd.init Wed Dec 26 13:08:06 2007
@@ -24,7 +24,11 @@
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
-RSA1_KEY=/etc/ssh/ssh_host_key
+if [ "$OPENSSH_FIPS" ] ; then
+ EXTRA_SSH_KEYGEN_RSA_FLAGS="-b 2048"
+else
+ RSA1_KEY=/etc/ssh/ssh_host_key
+fi
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
@@ -32,7 +36,7 @@
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY ]; then
echo -n $"Generating SSH1 RSA host key: "
- if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+ if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_RSA_FLAGS >&/dev/null; then
chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
@@ -51,7 +55,7 @@
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
- if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+ if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_RSA_FLAGS >&/dev/null; then
chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
@@ -70,7 +74,7 @@
do_dsa_keygen() {
if [ ! -s $DSA_KEY ]; then
echo -n $"Generating SSH2 DSA host key: "
- if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+ if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N ''
$EXTRA_SSH_KEYGEN_DSA_FLAGS >&/dev/null; then
chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then

--- openssh-4.7p1/ssh-add.c Wed Dec 26 17:25:22 2007
+++ openssh-4.7p1/ssh-add.c Wed Dec 26 17:35:52 2007
@@ -61,10 +61,18 @@
#include "authfile.h"
#include "pathnames.h"
#include "misc.h"
+#include "fips.h"

/* argv0 */
extern char *__progname;

+/*
+ * FIPS mode operation
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif
+
/* Default files to add */
static char *default_files[] = {
_PATH_SSH_CLIENT_ID_RSA,
@@ -337,6 +345,10 @@
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode=1;
+#endif
+
__progname = ssh_get_progname(argv[0]);
init_rng();
seed_rng();

--- openssh-4.7p1/ssh-agent.c Wed Dec 26 18:09:26 2007
+++ openssh-4.7p1/ssh-agent.c Wed Dec 26 18:17:05 2007
@@ -74,6 +74,14 @@
#include "compat.h"
#include "log.h"
#include "misc.h"
+#include "fips.h"
+
+/*
+ * FIPS operational mode
+*/
+#ifdef OPENSSL_FIPS
+ int fips_mode = 0;
+#endif

#ifdef SMARTCARD
#include "scard.h"
@@ -1047,6 +1055,10 @@
char pidstrbuf[1 + 3 * sizeof pid];
struct timeval *tvp = NULL;

+#ifdef OPENSSL_FIPS
+ if (getenv("OPENSSH_FIPS")) fips_mode = 1;
+#endif
+
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev