components/openssh/patches/035-fips.patch
author Jan Parcel <jan.parcel@oracle.com>
Tue, 25 Apr 2017 15:08:28 -0700
branchs11u3-sru
changeset 7946 165bf092aa9c
parent 7320 edeb951aa980
permissions -rw-r--r--
PSARC/2017/022 OpenSSH 7.4 25295722 upgrade OpenSSH to 7.4p1 25295787 problem in UTILITY/OPENSSH 25295804 problem in UTILITY/OPENSSH 25295822 problem in UTILITY/OPENSSH 25295840 problem in UTILITY/OPENSSH 25809379 Openssh 7.4p1 has 3 regressions, fixed in 7.5 25795760 openssh drops connection when GSSAPIAuthentication set to no
#
# Dynamically set FIPS mode, when underlying libcrypto is FIPS capable.
# Limit ciphers and MACs in algorithm negotiation proposal.
#
# This patch is unlikely to be accepted upstream.
#
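diff -pur old/cipher.c new/cipher.c
--- old/cipher.c
+++ new/cipher.c
@@ -86,7 +86,34 @@ struct sshcipher {
 #endif
 };
 
+#ifdef ENABLE_OPENSSL_FIPS
+/* in FIPS mode limit ciphers to FIPS compliant only */
+#define	ciphers (ssh_FIPS_mode() ? ciphers_fips : ciphers_dflt)
+
+static const struct sshcipher ciphers_fips[] = {
+	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+	{ "[email protected]",
+			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+# ifdef OPENSSL_HAVE_EVPGCM
+	{ "[email protected]",
+			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+	{ "[email protected]",
+			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+# endif /* OPENSSL_HAVE_EVPGCM */
+	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
+
+static const struct sshcipher ciphers_dflt[] = {
+#else /* ENABLE_OPENSSL_FIPS */
 static const struct sshcipher ciphers[] = {
+#endif /* ENABLE_OPENSSL_FIPS */
 #ifdef WITH_SSH1
 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },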
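Review bot: `ciphers_fips` is a hand-maintained copy of rows from the default table, and nothing above it says who keeps the two in step or where the list comes from. I would extend the comment above the table to something like `/* FIPS allowlist: rows must match ciphers_dflt field for field; re-check against the crypto module's security policy on every OpenSSH upgrade */`. The `ciphers` macro also calls `ssh_FIPS_mode()` at each use, so the table in effect follows any later mode change, such as the temporary switch in the gss-genr.c section of this patch; if the selection is meant to be fixed after startup, say so in the comment. The initializer of the default table continues outside the hunk.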
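diff -pur old/digest-openssl.c new/digest-openssl.c
--- old/digest-openssl.c
+++ new/digest-openssl.c
@@ -31,6 +31,7 @@
 #include "sshbuf.h"
 #include "digest.h"
 #include "ssherr.h"
+#include "misc.h"
 
 #ifndef HAVE_EVP_RIPEMD160
 # define EVP_ripemd160 NULL
@@ -53,8 +54,22 @@ struct ssh_digest {
 	const EVP_MD *(*mdfunc)(void);
 };
 
+#ifdef ENABLE_OPENSSL_FIPS
 /* NB. Indexed directly by algorithm number */
+const struct ssh_digest digests_fips[] = {
+	{ SSH_DIGEST_MD5,	"",	 	16,	NULL },
+	{ SSH_DIGEST_RIPEMD160,	"",		20,	NULL },
+	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
+	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },
+	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },
+	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },
+	{ -1,			NULL,		0,	NULL },
+};
+/* NB. Indexed directly by algorithm number */
+const struct ssh_digest digests_dflt[] = {
+#else /* ENABLE_OPENSSL_FIPS */
 const struct ssh_digest digests[] = {
+#endif /* ENABLE_OPENSSL_FIPS */
 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },
 	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },
 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },
@@ -67,6 +82,9 @@ const struct ssh_digest digests[] = {
 static const struct ssh_digest *
 ssh_digest_by_alg(int alg)
 {
+#ifdef ENABLE_OPENSSL_FIPS
+	struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;
+#endif
 	if (alg < 0 || alg >= SSH_DIGEST_MAX)
 		return NULL;
 	if (digests[alg].id != alg) /* sanity */
@@ -79,6 +97,9 @@ ssh_digest_by_alg(int alg)
 int
 ssh_digest_alg_by_name(const char *name)
 {
+#ifdef ENABLE_OPENSSL_FIPS
+	struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;
+#endif
 	int alg;
 
 	for (alg = 0; digests[alg].id != -1; alg++) {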
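Review bot: The local added in `ssh_digest_by_alg`, `struct ssh_digest *digests = ...`, discards the `const` of `digests_fips` and `digests_dflt`; it should read `const struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;`, and the identical line in `ssh_digest_alg_by_name` needs the same change. The FIPS table keeps the MD5 and RIPEMD160 slots with an empty name and a NULL `mdfunc`, apparently so that indexing by algorithm number still works; a one-line comment on the table saying so would help the next reader. It is worth confirming that both lookups reject a NULL `mdfunc` and an empty name, because the function bodies continue outside the hunks.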
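diff -pur old/gss-genr.c new/gss-genr.c
--- old/gss-genr.c
+++ new/gss-genr.c
@@ -43,6 +43,7 @@
 #include "cipher.h"
 #include "key.h"
 #include "kex.h"
+#include "misc.h"
 #include <openssl/evp.h>
 
 #include "ssh-gss.h"
@@ -99,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 	char deroid[2];
 	const EVP_MD *evp_md = EVP_md5();
 	EVP_MD_CTX md;
+	int fips_mode;
 
 	if (gss_enc2oid != NULL) {
 		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@@ -111,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 
 	buffer_init(&buf);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	fips_mode = ssh_FIPS_mode();
+	if (fips_mode) {
+		debug3("Temporarily unsetting FIPS mode to compute MD5 for "
+		    "GSS-API key exchange method names");
+		FIPS_mode_set(0);
+	}
+#endif
 	oidpos = 0;
 	for (i = 0; i < gss_supported->count; i++) {
 		if (gss_supported->elements[i].length < 128 &&
@@ -118,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 
 			deroid[0] = SSH_GSS_OIDTYPE;
 			deroid[1] = gss_supported->elements[i].length;
-
 			EVP_DigestInit(&md, evp_md);
 			EVP_DigestUpdate(&md, deroid, 2);
 			EVP_DigestUpdate(&md,
@@ -150,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
 			oidpos++;
 		}
 	}
+#ifdef ENABLE_OPENSSL_FIPS
+	if (fips_mode) {
+		ssh_FIPS_mode_set_if_capable();
+		ssh_FIPS_check_status();
+	}
+#endif
 	gss_enc2oid[oidpos].oid = NULL;
 	gss_enc2oid[oidpos].encoded = NULL;
 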
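Review bot: Between `FIPS_mode_set(0)` and the later `ssh_FIPS_mode_set_if_capable()` the whole process runs outside FIPS mode, and the return value of `FIPS_mode_set(0)` is not checked. The MD5 here only derives GSS-API key exchange method names, so the exception could be scoped to the one digest context instead, presumably with `EVP_MD_CTX_init(&md); EVP_MD_CTX_set_flags(&md, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md, evp_md, NULL);` in place of `EVP_DigestInit(&md, evp_md);`, provided the libcrypto in use honours that flag. If the process-wide toggle stays, any return added later between the two `#ifdef` blocks would leave FIPS mode off, so the restore belongs on every exit path and should be logged at the same `debug3` level as the unset. `fips_mode` is declared outside the `#ifdef` and is unused when `ENABLE_OPENSSL_FIPS` is not defined; the function body continues outside the hunks.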
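diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
@@ -89,7 +89,43 @@ struct kexalg {
 	int ec_nid;
 	int hash_alg;
 };
+
+#ifdef ENABLE_OPENSSL_FIPS
+/* in FIPS mode limit kexalgs to FIPS compliant only */
+#define        kexalgs (ssh_FIPS_mode() ? kexalgs_fips : kexalgs_dflt)
+static const struct kexalg kexalgs_fips[] = {
+#ifdef WITH_OPENSSL
+	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
+	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
+	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif /* HAVE_EVP_SHA256 */
+#ifdef OPENSSL_HAS_ECC
+	{ KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
+	    NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+	{ KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
+	    SSH_DIGEST_SHA384 },
+# ifdef OPENSSL_HAS_NISTP521
+	{ KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+	    SSH_DIGEST_SHA512 },
+# endif /* OPENSSL_HAS_NISTP521 */
+#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+#ifdef GSSAPI
+	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+	{ KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+#endif
+	{ NULL, -1, -1, -1},
+};
+static const struct kexalg kexalgs_dflt[] = {
+#else
 static const struct kexalg kexalgs[] = {
+#endif 
 #ifdef WITH_OPENSSL
 	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
 	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },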
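Review bot: `kexalgs_fips` still offers `KEX_DH1` and, under GSSAPI, `KEX_GSS_GRP1_SHA1_ID`, which as far as I know use the 1024-bit Oakley group; NIST SP 800-131A disallows Diffie-Hellman below 2048 bits for key agreement. Unless the module's security policy explicitly allows them, I would drop the rows `{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },` and `{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },` from the FIPS table. The group-exchange entries leave the modulus size to negotiation, so the minimum accepted size should be checked where it is enforced, which is outside this hunk. The default table's initializer also continues outside the hunk.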
diff -pur old/mac.c new/mac.c
   202
--- old/mac.c
   203
+++ new/mac.c
   204
@@ -53,8 +53,33 @@ struct macalg {
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   205
 	int		len;		/* just for UMAC */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   206
 	int		etm;		/* Encrypt-then-MAC */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   207
 };
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   208
+#ifdef ENABLE_OPENSSL_FIPS
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   209
+/* in FIPS mode limit macs to FIPS compliant only */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   210
+#define	macs (ssh_FIPS_mode() ? macs_fips : macs_dflt)
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   211
 
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   212
+static const struct macalg macs_fips[] = {
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   213
+	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   214
+	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   215
+	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   216
+#ifdef HAVE_EVP_SHA256
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   217
+	{ "hmac-sha2-256",			SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   218
+	{ "hmac-sha2-512",			SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   219
+#endif
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   220
+	/* Encrypt-then-MAC variants */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   221
+	{ "[email protected]",		SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   222
+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 1 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   223
+#ifdef HAVE_EVP_SHA256
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   224
+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   225
+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   226
+#endif
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   227
+
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   228
+	{ NULL,					0, 0, 0, 0, 0, 0 }
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   229
+};
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   230
+
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   231
+static const struct macalg macs_dflt[] = {
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   232
+#else /* ENABLE_OPENSSL_FIPS */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   233
 static const struct macalg macs[] = {
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   234
+#endif /* ENABLE_OPENSSL_FIPS */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   235
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   236
 	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
f56832f5f1be 22051483 Dynamically enabling FIPS mode in OpenSSH
Zdenek Kotala <Zdenek.Kotala@oracle.com>
parents:
diff changeset
   237
 	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
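Review bot: `#define macs (ssh_FIPS_mode() ? macs_fips : macs_dflt)` replaces an array name with a pointer expression that is re-evaluated at every use, so the table a lookup sees depends on whether it runs before or after FIPS mode has been switched on, and `sizeof(macs)` would no longer be the table size. The code that uses `macs` is outside this hunk, so neither can be checked here; a comment above the macro should state the requirement, e.g. `/* evaluated per use: FIPS mode must be set before the first MAC lookup; do not take sizeof(macs) */`. `macs_fips` repeats entries of the default table by hand, and the body of `macs_dflt` continues past the end of the hunk, so a second comment such as `/* FIPS-approved subset of macs_dflt; keep both tables in sync */` would help the next editor.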
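--- a/misc.c
+++ b/misc.c
@@ -39,12 +39,16 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#include <dlfcn.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
 #include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -78,6 +82,60 @@ chop(char *s)
 
 }
 
+#ifdef ENABLE_OPENSSL_FIPS
+/* is OpenSSL FIPS mode set? */
+int
+ssh_FIPS_mode()
+{
+	return FIPS_mode();
+}
+
+/* store FIPS_mode_set() err code */
+static unsigned long ssh_FIPS_err_code = 0;
+
+#define	MSGBUFSIZ	1024 /* equals log.c:MSGBUFSIZ */
+
+/*
+ * Check and display FIPS mode status. 
+ * Called after ssh_FIPS_mode_set_if_capable() and when logging facility is
+ * available.
+ * If FIPS_mode_failed for FIPS capable libcrypto, exits with 255 code.
+ */
+void 
+ssh_FIPS_check_status()
+{
+	char ebuf[MSGBUFSIZ];
+
+	if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {
+		if (ssh_FIPS_mode()) {
+			debug("Running in FIPS mode.");
+		} else {
+			ERR_error_string_n(ssh_FIPS_err_code, ebuf,
+			    sizeof (ebuf));
+			fatal("Setting FIPS mode failed! %s", ebuf);
+		}
+	} else {
+		debug3("Loaded libcrypto is not FIPS capable.");
+	}
+	
+}
+
+/* if underlying libcrypto is FIPS capable, set FIPS_mode to 1 */
+int
+ssh_FIPS_mode_set_if_capable()
+{
+	/* presence of FIPS_module_mode_set indicates FIPS capable OpenSSL */
+	if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {
+		/* call the API function FIPS_mode_set*/
+		if (!FIPS_mode_set(1)) {
+			ssh_FIPS_err_code = ERR_get_error();
+			return 1;
+		}
+	}
+	return 0;
+}
+#endif
+
 /* set/unset filedescriptor to non-blocking */
 int
 set_nonblock(int fd)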
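Review bot: In `ssh_FIPS_mode_set_if_capable()` a failed `FIPS_mode_set(1)` only stores the error code and returns 1; the process is not stopped until `ssh_FIPS_check_status()` runs, and until then `ssh_FIPS_mode()` returns 0. The callers are not in this hunk, so it cannot be confirmed here that nothing selects an algorithm table in that window; I would state the contract above the function, e.g. `/* returns 1 if FIPS_mode_set(1) failed, 0 otherwise; call ssh_FIPS_check_status() before any cipher, MAC or KEX lookup */`. The not-capable branch logs only at `debug3`, so running against a libcrypto without the FIPS module leaves no trace at normal log levels; `verbose("Loaded libcrypto is not FIPS capable.");` would make that visible to an audit. In the first hunk the three new `#include` lines are unconditional although everything that uses them is under `#ifdef ENABLE_OPENSSL_FIPS`; wrapping them in the same guard keeps a build without OpenSSL working.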
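--- a/misc.h
+++ b/misc.h
@@ -44,6 +44,11 @@ struct ForwardOptions {
 
 char	*chop(char *);
 char	*strdelim(char **);
+#ifdef ENABLE_OPENSSL_FIPS
+int	 ssh_FIPS_mode();
+int	 ssh_FIPS_mode_set_if_capable();
+void     ssh_FIPS_check_status();
+#endif
 int	 set_nonblock(int);
 int	 unset_nonblock(int);
 void	 set_nodelay(int);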
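Review bot: The three new declarations use empty parentheses, as in `int ssh_FIPS_mode();`, which in C before C23 declares a function with unspecified arguments rather than none, so a call with stray arguments is not diagnosed. Writing `int ssh_FIPS_mode(void);`, `int ssh_FIPS_mode_set_if_capable(void);` and `void ssh_FIPS_check_status(void);` gives real prototypes; the last line should also use the tab-plus-space alignment of the neighbouring declarations instead of a run of spaces. The definitions in misc.c have the same empty parameter lists.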
   334
diff -pur old/myproposal.h new/myproposal.h
   335
--- old/myproposal.h
   336
+++ new/myproposal.h
   337
@@ -90,21 +90,33 @@
   338
 # else
   339
 #  define KEX_CURVE25519_METHODS ""
   340
 # endif
   341
-#define KEX_COMMON_KEX \
   342
+
   343
+#define KEX_COMMON_KEX_DFLT \
   344
 	KEX_CURVE25519_METHODS \
   345
 	KEX_ECDH_METHODS \
   346
 	KEX_SHA2_METHODS
   347
 
   348
-#define KEX_SERVER_KEX KEX_COMMON_KEX \
   349
+#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
   350
 	KEX_SHA2_GROUP14 \
   351
 	"diffie-hellman-group14-sha1" \
   352
 
   353
-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
   354
+#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
   355
 	"diffie-hellman-group-exchange-sha1," \
   356
 	KEX_SHA2_GROUP14 \
   357
 	"diffie-hellman-group14-sha1"
   358
 
   359
-#define	KEX_DEFAULT_PK_ALG	\
   360
+#define KEX_COMMON_KEX_FIPS \
   361
+	KEX_ECDH_METHODS \
   362
+	KEX_SHA2_METHODS
   363
+
   364
+#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
   365
+	"diffie-hellman-group14-sha1" \
   366
+
   367
+#define KEX_CLIENT_KEX_FIPS KEX_COMMON_KEX_FIPS \
   368
+	"diffie-hellman-group-exchange-sha1," \
   369
+	"diffie-hellman-group14-sha1"
   370
+
   371
+#define	KEX_DEFAULT_PK_ALG_DFLT	\
   372
 	HOSTKEY_ECDSA_CERT_METHODS \
   373
 	"[email protected]," \
   374
 	"[email protected]," \
   375
@@ -114,17 +126,32 @@
   376
 	"rsa-sha2-256," \
   377
 	"ssh-rsa"
   378
 
   379
+#define	KEX_DEFAULT_PK_ALG_FIPS	\
   380
+	HOSTKEY_ECDSA_CERT_METHODS \
   381
+	"[email protected]," \
   382
+	HOSTKEY_ECDSA_METHODS \
   383
+	"rsa-sha2-512," \
   384
+	"rsa-sha2-256," \
   385
+	"ssh-rsa"
   386
+
   387
 /* the actual algorithms */
   388
 
   389
-#define KEX_SERVER_ENCRYPT \
   390
+#define KEX_SERVER_ENCRYPT_DFLT \
   391
 	"[email protected]," \
   392
 	"aes128-ctr,aes192-ctr,aes256-ctr" \
   393
 	AESGCM_CIPHER_MODES
   394
 
   395
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
   396
+#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
   397
+	"aes128-cbc,aes192-cbc,aes256-cbc"
   398
+
   399
+#define KEX_SERVER_ENCRYPT_FIPS \
   400
+	"aes128-ctr,aes192-ctr,aes256-ctr" \
   401
+	AESGCM_CIPHER_MODES
   402
+
   403
+#define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
   404
 	"aes128-cbc,aes192-cbc,aes256-cbc"
   405
 
   406
-#define KEX_SERVER_MAC \
   407
+#define KEX_SERVER_MAC_DFLT \
   408
 	"[email protected]," \
   409
 	"[email protected]," \
   410
 	"[email protected]," \
   411
@@ -136,7 +163,42 @@
   412
 	"hmac-sha2-512," \
   413
 	"hmac-sha1"
   414
 
   415
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
   416
+#define KEX_CLIENT_MAC_DFLT KEX_SERVER_MAC_DFLT
   417
+
   418
+#define KEX_SERVER_MAC_FIPS \
   419
+	"[email protected]," \
   420
+	"[email protected]," \
   421
+	"[email protected]," \
   422
+	"hmac-sha2-256," \
   423
+	"hmac-sha2-512," \
   424
+	"hmac-sha1"
   425
+
   426
+#define KEX_CLIENT_MAC_FIPS KEX_SERVER_MAC_FIPS
   427
+
   428
+#ifdef ENABLE_OPENSSL_FIPS
   429
+ #define KEX_SERVER_KEX \
   430
+     (ssh_FIPS_mode() ? (KEX_SERVER_KEX_FIPS) : (KEX_SERVER_KEX_DFLT) )
   431
+ #define KEX_CLIENT_KEX \
   432
+     (ssh_FIPS_mode() ? (KEX_CLIENT_KEX_FIPS) : (KEX_CLIENT_KEX_DFLT) )
   433
+ #define KEX_DEFAULT_PK_ALG \
   434
+     (ssh_FIPS_mode() ? (KEX_DEFAULT_PK_ALG_FIPS) : (KEX_DEFAULT_PK_ALG_DFLT) )
   435
+ #define KEX_SERVER_ENCRYPT \
   436
+    (ssh_FIPS_mode() ? (KEX_SERVER_ENCRYPT_FIPS) : (KEX_SERVER_ENCRYPT_DFLT))
   437
+ #define KEX_CLIENT_ENCRYPT \
   438
+    (ssh_FIPS_mode() ? (KEX_CLIENT_ENCRYPT_FIPS) : (KEX_CLIENT_ENCRYPT_DFLT))
   439
+ #define KEX_SERVER_MAC \
   440
+    (ssh_FIPS_mode() ? (KEX_SERVER_MAC_FIPS) : (KEX_SERVER_MAC_DFLT) )
   441
+ #define KEX_CLIENT_MAC \
   442
+    (ssh_FIPS_mode() ? (KEX_CLIENT_MAC_FIPS) : (KEX_CLIENT_MAC_DFLT) )
   443
+#else /* ENABLE_OPENSSL_FIPS */
   444
+ #define KEX_SERVER_KEX KEX_SERVER_KEX_DFLT
   445
+ #define KEX_CLIENT_KEX KEX_CLIENT_KEX_DFLT
   446
+ #define KEX_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG_DFLT
   447
+ #define KEX_SERVER_ENCRYPT KEX_SERVER_ENCRYPT_DFLT
   448
+ #define KEX_CLIENT_ENCRYPT KEX_CLIENT_ENCRYPT_DFLT
   449
+ #define KEX_SERVER_MAC KEX_SERVER_MAC_DFLT
   450
+ #define KEX_CLIENT_MAC KEX_CLIENT_MAC_DFLT
   451
+#endif /* ENABLE_OPENSSL_FIPS */
   452
 
   453
 #else /* WITH_OPENSSL */
   454
 
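diff -pur old/ssh-add.1 new/ssh-add.1
--- old/ssh-add.1
+++ new/ssh-add.1
@@ -116,6 +116,8 @@ and
 .Dq sha256 .
 The default is
 .Dq sha256 .
+If OpenSSL is running in FIPS-140 mode, the only supported option is
+.Dq sha256 .
 .It Fl e Ar pkcs11
 Remove keys provided by the PKCS#11 shared library
 .Ar pkcs11 .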
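diff -pur old/ssh-add.c new/ssh-add.c
--- old/ssh-add.c
+++ new/ssh-add.c
@@ -488,6 +488,12 @@ main(int argc, char **argv)
 	__progname = ssh_get_progname(argv[0]);
 	seed_rng();
 
+#ifdef ENABLE_OPENSSL_FIPS
+	if (ssh_FIPS_mode_set_if_capable()) {
+		fprintf(stderr, "Setting FIPS mode failed!");
+		exit(1);
+	}
+#endif
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
 #endif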
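Review bot: The FIPS switch in this hunk runs after `seed_rng();`, whereas the ssh-keygen.c hunk of the same patch calls `ssh_FIPS_mode_set_if_capable()` before it. If enabling FIPS mode changes which random generator libcrypto uses (not visible here), the seeding check ran against a different generator, so I would move the `#ifdef ENABLE_OPENSSL_FIPS` block above `seed_rng();` and record the requirement with a comment such as `/* must run before any libcrypto use */`. The failure message also has no line terminator and no program name; `fprintf(stderr, "%s: Setting FIPS mode failed!\n", __progname);` fixes both, and the same unterminated string appears in the ssh-agent.c hunk. main() starts and ends outside the hunk.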
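diff -pur old/ssh-agent.1 new/ssh-agent.1
--- old/ssh-agent.1
+++ new/ssh-agent.1
@@ -118,6 +118,8 @@ and
 .Dq sha256 .
 The default is
 .Dq sha256 .
+If OpenSSL is running in FIPS-140 mode, the only supported option is
+.Dq sha256 .
 .It Fl k
 Kill the current agent (given by the
 .Ev SSH_AGENT_PID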
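diff -pur old/ssh-agent.c new/ssh-agent.c
--- old/ssh-agent.c
+++ new/ssh-agent.c
@@ -1214,6 +1214,7 @@ main(int ac, char **av)
 	struct timeval *tvp = NULL;
 	size_t len;
 	mode_t prev_mask;
+	int fips_err;
 
 	ssh_malloc_init();	/* must be called before any mallocs */
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1225,6 +1226,9 @@ main(int ac, char **av)
 
 	platform_disable_tracing(0);	/* strict=no */
 
+#ifdef ENABLE_OPENSSL_FIPS
+	fips_err = ssh_FIPS_mode_set_if_capable();
+#endif
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
 #endif
@@ -1363,8 +1367,19 @@ main(int ac, char **av)
 		printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
 		    SSH_AUTHSOCKET_ENV_NAME);
 		printf("echo Agent pid %ld;\n", (long)parent_pid);
+#ifdef ENABLE_OPENSSL_FIPS
+		ssh_FIPS_check_status();
+#endif
 		fflush(stdout);
 		goto skip;
+#ifdef ENABLE_OPENSSL_FIPS
+	} else {
+		/* we still need to error out on FIPS_mode_set failure */
+		if (fips_err) {
+			fprintf(stderr, "Setting FIPS mode failed!");
+			cleanup_exit(1);
+		}
+#endif
 	}
 	pid = fork();
 	if (pid == -1) {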
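Review bot: In the last hunk a failed `ssh_FIPS_mode_set_if_capable()` is acted on only in the added `else` branch; the branch that ends in `goto skip` never tests `fips_err` and relies on `ssh_FIPS_check_status()`, whose behaviour is not visible in this section, to stop the agent. If that helper only reports, an agent taking that path keeps serving keys with FIPS mode off after setup failed, so I would test the result ahead of the branch instead, e.g. `if (fips_err) { fprintf(stderr, "Setting FIPS mode failed!\n"); cleanup_exit(1); }`. `int fips_err;` in the first hunk is declared unconditionally but assigned and read only under `ENABLE_OPENSSL_FIPS`; wrapping the declaration in the same `#ifdef` avoids an unused-variable warning in non-FIPS builds (ssh-keysign.c declares it the same way). main() extends outside all three hunks.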
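diff -pur old/ssh-keygen.1 new/ssh-keygen.1
--- old/ssh-keygen.1
+++ new/ssh-keygen.1
@@ -284,6 +284,8 @@ and
 .Dq sha256 .
 The default is
 .Dq sha256 .
+If OpenSSL is running in FIPS-140 mode, the only supported option is
+.Dq sha256 .
 .It Fl e
 This option will read a private or public OpenSSH key file and
 print to stdout the key in one of the formats specified by the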
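diff -pur old/ssh-keygen.c new/ssh-keygen.c
--- old/ssh-keygen.c
+++ new/ssh-keygen.c
@@ -2273,11 +2273,18 @@ main(int argc, char **argv)
 
 	__progname = ssh_get_progname(argv[0]);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	ssh_FIPS_mode_set_if_capable();
+#endif
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
 #endif
 	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	ssh_FIPS_check_status();
+#endif
+
 	seed_rng();
 
 	/* we need this for the home * directory.  */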
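Review bot: The return value of `ssh_FIPS_mode_set_if_capable();` is discarded here, while the ssh-add.c and ssh-agent.c hunks of the same patch exit when it reports failure. Unless `ssh_FIPS_check_status()` (defined outside this hunk) aborts on a failed switch, ssh-keygen would carry on with FIPS mode off on a system that expected it. I would keep the result in a local `int fips_err`, as ssh-keysign.c does, and after `log_init(...)` add `if (fips_err) fatal("Setting FIPS mode failed!");`. If the status helper is in fact the enforcement point, a comment saying so, e.g. `/* exits if FIPS mode could not be enabled */`, would make that explicit. main() starts and ends outside the hunk.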
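diff -pur old/ssh-keysign.c new/ssh-keysign.c
--- old/ssh-keysign.c
+++ new/ssh-keysign.c
@@ -178,6 +178,7 @@ main(int argc, char **argv)
 	u_char *signature, *data, rver;
 	char *host, *fp;
 	size_t slen, dlen;
+	int fips_err;
 #ifdef WITH_OPENSSL
 	u_int32_t rnd[256];
 #endif
@@ -228,6 +229,16 @@ main(int argc, char **argv)
 	if (found == 0)
 		fatal("could not open any host key");
 
+#ifdef ENABLE_OPENSSL_FIPS
+	fips_err = ssh_FIPS_mode_set_if_capable();
+#ifdef DEBUG_SSH_KEYSIGN
+	ssh_FIPS_check_status();
+#else
+	/* we still need to error out on FIPS_mode_set failure */
+	if (fips_err)
+		fatal("Setting FIPS mode failed!");
+#endif
+#endif
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
 	arc4random_buf(rnd, sizeof(rnd));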
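Review bot: With `DEBUG_SSH_KEYSIGN` defined, the second hunk drops the `fips_err` test and calls only `ssh_FIPS_check_status()`, so whether a failed FIPS switch stops the helper in debug builds depends on a function not shown here. This program goes on to sign with the host keys, so I would make the failure check unconditional: close the inner conditional right after the status call and leave `if (fips_err) fatal("Setting FIPS mode failed!");` outside it. The existing comment could then state the contract, `/* never sign when FIPS mode could not be set */`. main() extends outside both hunks.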
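diff -pur old/ssh.1 new/ssh.1
--- old/ssh.1
+++ new/ssh.1
@@ -92,6 +92,9 @@ If
 is specified,
 it is executed on the remote host instead of a login shell.
 .Pp
+If ssh links with FIPS-capable OpenSSL, ssh runs in FIPS-140 mode.
+In FIPS-140 mode non-FIPS approved ciphers, MACs and digests are disabled.
+.Pp
 The options are as follows:
 .Pp
 .Bl -tag -width Ds -compact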
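--- old/ssh.c
+++ new/ssh.c
@@ -606,6 +606,11 @@ main(int ac, char **av)
 	 */
 	initialize_options(&options);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	/* determine FIPS mode early to limit ciphers and macs */
+	ssh_FIPS_mode_set_if_capable();
+#endif
+
 	/* Parse command-line arguments. */
 	host = NULL;
 	use_syslog = 0;
@@ -1027,6 +1032,10 @@ main(int ac, char **av)
 #endif
 		);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	ssh_FIPS_check_status();
+#endif
+
 	/* Parse the configuration files */
 	process_config_files(host_arg, pw, 0);
 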
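Review bot: The outcome of `ssh_FIPS_mode_set_if_capable()` in the first hunk is not examined where it is called; the only visible check is `ssh_FIPS_check_status()` in the second hunk, roughly four hundred lines later and after command-line parsing. If the helper merely records a failure (as the `fips_err` test elsewhere in this patch suggests, though its body is not shown here), any option that is fully handled during parsing would run before a failed FIPS switch is reported. The existing comment should say so, for example `/* determine FIPS mode early to limit ciphers and macs; a failure is reported later by ssh_FIPS_check_status() */`, or the status check should move directly after the set call if logging allows it. Both hunks are fragments of main(), which begins and ends outside them.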
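--- old/ssh_api.c
+++ new/ssh_api.c
@@ -79,6 +79,10 @@ ssh_init(struct ssh **sshp, int is_serve
 	int r;
 
 	if (!called) {
+#ifdef ENABLE_OPENSSL_FIPS
+		ssh_FIPS_mode_set_if_capable();
+		ssh_FIPS_check_status();
+#endif
 #ifdef WITH_OPENSSL
 		OpenSSL_add_all_algorithms();
 #endif /* WITH_OPENSSL */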
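Review bot: ssh_init() declares `int r` for an error code, yet the two new calls inside `if (!called)` return nothing to it, so a FIPS setup failure cannot surface through the function's normal error path. If `ssh_FIPS_check_status()` ends the process on failure (the patch uses `fatal("Setting FIPS mode failed!")` elsewhere; the helper's body is not visible here), a caller of this API gets a process exit instead of an error code. That behaviour should be documented at the call, e.g. `/* FIPS setup failure is fatal here and is not reported through r */`. The block is also guarded only by `ENABLE_OPENSSL_FIPS` and sits outside `#ifdef WITH_OPENSSL`, so it is worth confirming the build never defines the former without the latter. The function continues past the hunk.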
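--- old/ssh_config.5
+++ new/ssh_config.5
@@ -442,6 +442,13 @@ [email protected],aes256-gcm@openss
 aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
+The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
+[email protected],[email protected],
+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
+.Ed
+.Pp
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClearAllForwardings
@@ -665,6 +672,8 @@ Valid options are:
 and
 .Cm sha256
 (the default).
+In FIPS-140 mode the only supported option is
+.Dq sha256 .
 .It Cm ForwardAgent
 Specifies whether the connection to the authentication agent (if any)
 will be forwarded to the remote machine.
@@ -1129,6 +1138,16 @@ [email protected],[email protected]
 hmac-sha2-256,hmac-sha2-512,hmac-sha1
 .Ed
 .Pp
+The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
+.Bd -literal -offset indent
+[email protected],
+[email protected],
+hmac-sha2-256,hmac-sha2-512,
+[email protected],
+[email protected]
+hmac-sha1,hmac-sha1-96
+.Ed
+.Pp
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost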
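--- old/sshconnect.c
+++ new/sshconnect.c
@@ -529,8 +529,14 @@ send_client_banner(int connection_out, i
 {
 	/* Send our own protocol version identification. */
 	if (compat20) {
+#ifdef ENABLE_OPENSSL_FIPS
+		xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+		    ssh_FIPS_mode() ? " FIPS" : "");
+#else
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
 		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+#endif
 	} else {
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
 		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);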
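Review bot: The `" FIPS"` suffix added in the `compat20` branch is part of the identification line, which is sent in the clear before key exchange, so every server and on-path observer learns the client's FIPS state; nothing in the hunk says this is intended. The new `xasprintf` should carry a comment such as `/* " FIPS" is appended as a comment field and is visible to the peer before authentication */`. The protocol-1 branch is left unchanged, and whether protocol 1 is refused elsewhere when FIPS mode is active cannot be told from this hunk. send_client_banner() continues past the hunk.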
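--- old/sshd.8
+++ new/sshd.8
@@ -84,6 +84,9 @@ rereads its configuration file when it r
 by executing itself with the name and options it was started with, e.g.\&
 .Pa /usr/sbin/sshd .
 .Pp
+If sshd links with FIPS-capable OpenSSL, sshd runs in FIPS-140 mode.
+In FIPS-140 mode non-FIPS approved ciphers, MACs and digests are disabled.
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 4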
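--- old/sshd.c
+++ new/sshd.c
@@ -366,10 +366,18 @@ sshd_exchange_identification(struct ssh
 	char buf[256];			/* Must not be larger than remote_version. */
 	char remote_version[256];	/* Must be at least as big as buf. */
 
+#ifdef ENABLE_OPENSSL_FIPS
+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+	    ssh_FIPS_mode() ? " FIPS" : " ",
+	    *options.version_addendum == '\0' ? "" : " ",
+	    options.version_addendum, newline);
+#else
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
+#endif
 
 	/* Send our protocol version identification. */
 	if (atomicio(vwrite, sock_out, server_version_string,
@@ -1395,6 +1403,10 @@ main(int ac, char **av)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 
+#ifdef ENABLE_OPENSSL_FIPS
+	ssh_FIPS_mode_set_if_capable();
+#endif
+
 	/* Initialize configuration options to their default values. */
 	initialize_server_options(&options);
 
@@ -1541,6 +1553,10 @@ main(int ac, char **av)
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
 	    log_stderr || !inetd_flag);
 
+#ifdef ENABLE_OPENSSL_FIPS
+	ssh_FIPS_check_status();
+#endif
+
 	/*
 	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
 	 * root's environment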
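Review bot: In the sshd_exchange_identification() hunk the FIPS branch passes `ssh_FIPS_mode() ? " FIPS" : " "`, so with FIPS mode off the server banner gains a stray space: a trailing one when `version_addendum` is empty, and two spaces before a non-empty addendum. The `#else` branch and the client banner in sshconnect.c emit nothing in that case, so a build with `ENABLE_OPENSSL_FIPS` on a non-FIPS libcrypto sends a different identification line than a stock build, which peers and inventory tools that parse the line will see. The argument should read `ssh_FIPS_mode() ? " FIPS" : "",`. The function continues past the hunk.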
diff -pur old/sshd_config.5 new/sshd_config.5
   770
--- old/sshd_config.5
   771
+++ new/sshd_config.5
   772
@@ -478,6 +478,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
   773
 [email protected],[email protected]
   774
 .Ed
   775
 .Pp
   776
+The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
   777
+.Bd -literal -offset indent
   778
+aes128-ctr,aes192-ctr,aes256-ctr,
   779
[email protected],[email protected],
   780
+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
   781
+.Ed
   782
+.Pp
   783
 The list of available ciphers may also be obtained using
   784
 .Qq ssh -Q cipher .
   785
 .It Cm ClientAliveCountMax
   786
@@ -576,6 +583,8 @@ and
   787
 .Cm sha256 .
   788
 The default is
   789
 .Cm sha256 .
   790
+In FIPS-140 mode the only supported option is
   791
+.Dq sha256 .
   792
 .It Cm ForceCommand
   793
 Forces the execution of the command specified by
   794
 .Cm ForceCommand ,
   795
@@ -1006,6 +1015,16 @@ [email protected],[email protected]
   796
 hmac-sha2-256,hmac-sha2-512,hmac-sha1
   797
 .Ed
   798
 .Pp
   799
+The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
   800
+.Bd -literal -offset indent
   801
[email protected],
   802
[email protected],
   803
+hmac-sha2-256,hmac-sha2-512,
   804
[email protected],
   805
[email protected]
   806
+hmac-sha1,hmac-sha1-96
   807
+.Ed
   808
+.Pp
   809
 The list of available MAC algorithms may also be obtained using
   810
 .Qq ssh -Q mac .
   811
 .It Cm Match
   812
diff -pur old/sshkey.c new/sshkey.c
   813
--- old/sshkey.c
   814
+++ new/sshkey.c
   815
@@ -84,7 +84,46 @@ struct keytype {
   816
 	int cert;
   817
 	int sigonly;
   818
 };
   819
+
   820
+#ifdef ENABLE_OPENSSL_FIPS
   821
+/* in FIPS mode limit keytypes to FIPS compliant only */
   822
+#define	keytypes (ssh_FIPS_mode() ? keytypes_fips : keytypes_dflt)
   823
+
   824
+static const struct keytype keytypes_fips[] = {
   825
+#ifdef WITH_OPENSSL
   826
+	{ NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
   827
+	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
   828
+	{ "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
   829
+	{ "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
   830
+	{ "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
   831
+# ifdef OPENSSL_HAS_ECC
   832
+	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
   833
+	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
   834
+#  ifdef OPENSSL_HAS_NISTP521
   835
+	{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
   836
+#  endif /* OPENSSL_HAS_NISTP521 */
   837
+# endif /* OPENSSL_HAS_ECC */
   838
+	{ "[email protected]", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
   839
+	{ "[email protected]", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
   840
+# ifdef OPENSSL_HAS_ECC
   841
+	{ "[email protected]", "ECDSA-CERT",
   842
+	    KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
   843
+	{ "[email protected]", "ECDSA-CERT",
   844
+	    KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
   845
+#  ifdef OPENSSL_HAS_NISTP521
   846
+	{ "[email protected]", "ECDSA-CERT",
   847
+	    KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
   848
+#  endif /* OPENSSL_HAS_NISTP521 */
   849
+# endif /* OPENSSL_HAS_ECC */
   850
+#endif /* WITH_OPENSSL */
   851
+	{ "null", "null", KEY_NULL, 0, 0 },
   852
+	{ NULL, NULL, -1, -1, 0, 0 }
   853
+};
   854
+
   855
+static const struct keytype keytypes_dflt[] = {
   856
+#else /* ENABLE_OPENSSL_FIPS */
   857
 static const struct keytype keytypes[] = {
   858
+#endif /* ENABLE_OPENSSL_FIPS */
   859
 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
   860
 	{ "[email protected]", "ED25519-CERT",
   861
 	    KEY_ED25519_CERT, 0, 1, 0 },
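Review bot: The comment above `keytypes_fips` says the table is limited to FIPS-compliant key types, yet it still carries the `RSA1`, `ssh-dss` and `DSA-CERT` rows; judging by the rows visible here, the only entries it appears to drop are the Ed25519 ones. SSH's `ssh-dss` signs with SHA-1, so either remove those rows or state why they stay, for example `/* FIPS table: Ed25519 omitted; RSA1 and DSA rows kept for key parsing only (confirm they are refused at negotiation) */`. The `null` row has five initialisers where the other rows have six; `{ "null", "null", KEY_NULL, 0, 0, 0 }` keeps the table uniform. `keytypes` is now a macro that calls `ssh_FIPS_mode()` on every use, so each table walk re-reads the mode and `sizeof(keytypes)` would no longer refer to an array; a short comment at the `#define` should say so. The initialiser of `keytypes_dflt[]` / `keytypes[]` continues outside this hunk.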