upstream/oracle/userland-gate: components/openssh/patches/035-fips.patch@3e0b5da5d4d1 (annotated)

5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	1	#
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	2	# Dynamically set FIPS mode, when underlying libcrypto is FIPS capable.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	3	# Limit ciphers and MACs in algorithm negotiation proposal.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	4	#
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	5	# This patch is unlikely to be accepted upstream.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	6	#
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	7	diff -pur old/cipher.c new/cipher.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	8	--- old/cipher.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	9	+++ new/cipher.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	10	@@ -77,7 +77,34 @@ struct sshcipher {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	11	#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	12	};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	13
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	14	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	15	+/* in FIPS mode limit ciphers to FIPS compliant only */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	16	+#define ciphers (ssh_FIPS_mode() ? ciphers_fips : ciphers_dflt)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	17	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	18	+static const struct sshcipher ciphers_fips[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	19	+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	20	+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	21	+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	22	+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	23	+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	24	+ { "[email protected]",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	25	+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	26	+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	27	+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	28	+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	29	+# ifdef OPENSSL_HAVE_EVPGCM
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	30	+ { "[email protected]",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	31	+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	32	+ { "[email protected]",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	33	+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	34	+# endif /* OPENSSL_HAVE_EVPGCM */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	35	+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	36	+};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	37	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	38	+static const struct sshcipher ciphers_dflt[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	39	+#else /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	40	static const struct sshcipher ciphers[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	41	+#endif /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	42	#ifdef WITH_SSH1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	43	{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	44	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	45	diff -pur old/digest-openssl.c new/digest-openssl.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	46	--- old/digest-openssl.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	47	+++ new/digest-openssl.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	48	@@ -31,6 +31,7 @@
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	49	#include "sshbuf.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	50	#include "digest.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	51	#include "ssherr.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	52	+#include "misc.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	53
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	54	#ifndef HAVE_EVP_RIPEMD160
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	55	# define EVP_ripemd160 NULL
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	56	@@ -53,8 +54,22 @@ struct ssh_digest {
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	57	const EVP_MD (mdfunc)(void);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	58	};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	59
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	60	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	61	/* NB. Indexed directly by algorithm number */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	62	+const struct ssh_digest digests_fips[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	63	+ { SSH_DIGEST_MD5, "", 16, NULL },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	64	+ { SSH_DIGEST_RIPEMD160, "", 20, NULL },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	65	+ { SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	66	+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	67	+ { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	68	+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	69	+ { -1, NULL, 0, NULL },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	70	+};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	71	+/* NB. Indexed directly by algorithm number */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	72	+const struct ssh_digest digests_dflt[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	73	+#else /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	74	const struct ssh_digest digests[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	75	+#endif /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	76	{ SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	77	{ SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	78	{ SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	79	@@ -67,6 +82,9 @@ const struct ssh_digest digests[] = {
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	80	static const struct ssh_digest *
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	81	ssh_digest_by_alg(int alg)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	82	{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	83	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	84	+ struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	85	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	86	if (alg < 0 \|\| alg >= SSH_DIGEST_MAX)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	87	return NULL;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	88	if (digests[alg].id != alg) /* sanity */
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	89	@@ -79,6 +97,9 @@ ssh_digest_by_alg(int alg)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	90	int
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	91	ssh_digest_alg_by_name(const char *name)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	92	{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	93	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	94	+ struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	95	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	96	int alg;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	97
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	98	for (alg = 0; digests[alg].id != -1; alg++) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	99	diff -pur old/gss-genr.c new/gss-genr.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	100	--- old/gss-genr.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	101	+++ new/gss-genr.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	102	@@ -44,6 +44,7 @@
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	103	#include "cipher.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	104	#include "key.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	105	#include "kex.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	106	+#include "misc.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	107	#include <openssl/evp.h>
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	108
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	109	#include "ssh-gss.h"
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	110	@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	111	char deroid[2];
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	112	const EVP_MD *evp_md = EVP_md5();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	113	EVP_MD_CTX md;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	114	+ int fips_mode;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	115
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	116	if (gss_enc2oid != NULL) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	117	for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	118	@@ -112,6 +114,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	119
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	120	buffer_init(&buf);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	121
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	122	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	123	+ fips_mode = ssh_FIPS_mode();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	124	+ if (fips_mode) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	125	+ debug3("Temporarily unsetting FIPS mode to compute MD5 for "
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	126	+ "GSS-API key exchange method names");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	127	+ FIPS_mode_set(0);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	128	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	129	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	130	oidpos = 0;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	131	for (i = 0; i < gss_supported->count; i++) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	132	if (gss_supported->elements[i].length < 128 &&
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	133	@@ -119,7 +129,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	134
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	135	deroid[0] = SSH_GSS_OIDTYPE;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	136	deroid[1] = gss_supported->elements[i].length;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	137	-
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	138	EVP_DigestInit(&md, evp_md);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	139	EVP_DigestUpdate(&md, deroid, 2);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	140	EVP_DigestUpdate(&md,
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	141	@@ -151,6 +160,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	142	oidpos++;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	143	}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	144	}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	145	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	146	+ if (fips_mode) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	147	+ ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	148	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	149	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	150	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	151	gss_enc2oid[oidpos].oid = NULL;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	152	gss_enc2oid[oidpos].encoded = NULL;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	153
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	154	diff -pur old/kex.c new/kex.c
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	155	--- old/kex.c
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	156	+++ new/kex.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	157	@@ -90,7 +90,43 @@ struct kexalg {
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	158	int ec_nid;
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	159	int hash_alg;
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	160	};
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	161	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	162	+#ifdef ENABLE_OPENSSL_FIPS
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	163	+/* in FIPS mode limit kexalgs to FIPS compliant only */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	164	+#define kexalgs (ssh_FIPS_mode() ? kexalgs_fips : kexalgs_dflt)
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	165	+static const struct kexalg kexalgs_fips[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	166	+#ifdef WITH_OPENSSL
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	167	+ { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	168	+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	169	+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	170	+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	171	+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	172	+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	173	+#ifdef HAVE_EVP_SHA256
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	174	+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	175	+#endif /* HAVE_EVP_SHA256 */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	176	+#ifdef OPENSSL_HAS_ECC
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	177	+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	178	+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	179	+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	180	+ SSH_DIGEST_SHA384 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	181	+# ifdef OPENSSL_HAS_NISTP521
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	182	+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	183	+ SSH_DIGEST_SHA512 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	184	+# endif /* OPENSSL_HAS_NISTP521 */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	185	+#endif /* OPENSSL_HAS_ECC */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	186	+#endif /* WITH_OPENSSL */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	187	+#ifdef GSSAPI
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	188	+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	189	+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	190	+ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	191	+#endif
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	192	+ { NULL, -1, -1, -1},
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	193	+};
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	194	+static const struct kexalg kexalgs_dflt[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	195	+#else
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	196	static const struct kexalg kexalgs[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	197	+#endif
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	198	#ifdef WITH_OPENSSL
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	199	{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	200	{ KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	201	diff -pur old/mac.c new/mac.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	202	--- old/mac.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	203	+++ new/mac.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	204	@@ -53,8 +53,33 @@ struct macalg {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	205	int len; /* just for UMAC */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	206	int etm; /* Encrypt-then-MAC */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	207	};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	208	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	209	+/* in FIPS mode limit macs to FIPS compliant only */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	210	+#define macs (ssh_FIPS_mode() ? macs_fips : macs_dflt)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	211
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	212	+static const struct macalg macs_fips[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	213	+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	214	+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	215	+ { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	216	+#ifdef HAVE_EVP_SHA256
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	217	+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	218	+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	219	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	220	+ /* Encrypt-then-MAC variants */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	221	+ { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	222	+ { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 1 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	223	+#ifdef HAVE_EVP_SHA256
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	224	+ { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	225	+ { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	226	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	227	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	228	+ { NULL, 0, 0, 0, 0, 0, 0 }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	229	+};
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	230	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	231	+static const struct macalg macs_dflt[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	232	+#else /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	233	static const struct macalg macs[] = {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	234	+#endif /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	235	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	236	{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	237	{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	238	diff -pur old/misc.c new/misc.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	239	--- old/misc.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	240	+++ new/misc.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	241	@@ -39,12 +39,16 @@
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	242	#include <string.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	243	#include <time.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	244	#include <unistd.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	245	+#include <dlfcn.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	246
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	247	#include <netinet/in.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	248	#include <netinet/in_systm.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	249	#include <netinet/ip.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	250	#include <netinet/tcp.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	251
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	252	+#include <openssl/crypto.h>
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	253	+#include <openssl/err.h>
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	254	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	255	#include <ctype.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	256	#include <errno.h>
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	257	#include <fcntl.h>
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	258	@@ -78,6 +82,60 @@ chop(char *s)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	259
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	260	}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	261
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	262	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	263	+/* is OpenSSL FIPS mode set? */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	264	+int
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	265	+ssh_FIPS_mode()
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	266	+{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	267	+ return FIPS_mode();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	268	+}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	269	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	270	+/* store FIPS_mode_set() err code */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	271	+static unsigned long ssh_FIPS_err_code = 0;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	272	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	273	+#define MSGBUFSIZ 1024 /* equals log.c:MSGBUFSIZ */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	274	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	275	+/*
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	276	+ * Check and display FIPS mode status.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	277	+ * Called after ssh_FIPS_mode_set_if_capable() and when logging facility is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	278	+ * available.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	279	+ * If FIPS_mode_failed for FIPS capable libcrypto, exits with 255 code.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	280	+ */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	281	+void
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	282	+ssh_FIPS_check_status()
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	283	+{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	284	+ char ebuf[MSGBUFSIZ];
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	285	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	286	+ if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	287	+ if (ssh_FIPS_mode()) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	288	+ debug("Running in FIPS mode.");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	289	+ } else {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	290	+ ERR_error_string_n(ssh_FIPS_err_code, ebuf,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	291	+ sizeof (ebuf));
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	292	+ fatal("Setting FIPS mode failed! %s", ebuf);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	293	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	294	+ } else {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	295	+ debug3("Loaded libcrypto is not FIPS capable.");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	296	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	297	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	298	+}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	299	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	300	+/* if underlying libcrypto is FIPS capable, set FIPS_mode to 1 */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	301	+int
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	302	+ssh_FIPS_mode_set_if_capable()
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	303	+{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	304	+ /* presence of FIPS_module_mode_set indicates FIPS capable OpenSSL */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	305	+ if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	306	+ /* call the API function FIPS_mode_set*/
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	307	+ if (!FIPS_mode_set(1)) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	308	+ ssh_FIPS_err_code = ERR_get_error();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	309	+ return 1;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	310	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	311	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	312	+ return 0;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	313	+}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	314	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	315	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	316	/* set/unset filedescriptor to non-blocking */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	317	int
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	318	set_nonblock(int fd)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	319	diff -pur old/misc.h new/misc.h
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	320	--- old/misc.h
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	321	+++ new/misc.h
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	322	@@ -40,6 +40,11 @@ struct ForwardOptions {
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	323
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	324	char chop(char );
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	325	char strdelim(char *);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	326	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	327	+int ssh_FIPS_mode();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	328	+int ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	329	+void ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	330	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	331	int set_nonblock(int);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	332	int unset_nonblock(int);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	333	void set_nodelay(int);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	334	diff -pur old/myproposal.h new/myproposal.h
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	335	--- old/myproposal.h
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	336	+++ new/myproposal.h
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	337	@@ -88,21 +88,33 @@
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	338	# else
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	339	# define KEX_CURVE25519_METHODS ""
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	340	# endif
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	341	-#define KEX_COMMON_KEX \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	342	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	343	+#define KEX_COMMON_KEX_DFLT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	344	KEX_CURVE25519_METHODS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	345	KEX_ECDH_METHODS \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	346	KEX_SHA2_METHODS
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	347
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	348	-#define KEX_SERVER_KEX KEX_COMMON_KEX \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	349	+#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	350	KEX_SHA2_GROUP14 \
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	351	"diffie-hellman-group14-sha1" \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	352
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	353	-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	354	+#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	355	"diffie-hellman-group-exchange-sha1," \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	356	KEX_SHA2_GROUP14 \
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	357	"diffie-hellman-group14-sha1"
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	358
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	359	-#define KEX_DEFAULT_PK_ALG \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	360	+#define KEX_COMMON_KEX_FIPS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	361	+ KEX_ECDH_METHODS \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	362	+ KEX_SHA2_METHODS
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	363	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	364	+#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	365	+ "diffie-hellman-group14-sha1" \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	366	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	367	+#define KEX_CLIENT_KEX_FIPS KEX_COMMON_KEX_FIPS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	368	+ "diffie-hellman-group-exchange-sha1," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	369	+ "diffie-hellman-group14-sha1"
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	370	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	371	+#define KEX_DEFAULT_PK_ALG_DFLT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	372	HOSTKEY_ECDSA_CERT_METHODS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	373	"[email protected]," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	374	"[email protected]," \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	375	@@ -112,17 +124,32 @@
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	376	"rsa-sha2-256," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	377	"ssh-rsa"
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	378
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	379	+#define KEX_DEFAULT_PK_ALG_FIPS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	380	+ HOSTKEY_ECDSA_CERT_METHODS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	381	+ "[email protected]," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	382	+ HOSTKEY_ECDSA_METHODS \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	383	+ "rsa-sha2-512," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	384	+ "rsa-sha2-256," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	385	+ "ssh-rsa"
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	386	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	387	/* the actual algorithms */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	388
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	389	-#define KEX_SERVER_ENCRYPT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	390	+#define KEX_SERVER_ENCRYPT_DFLT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	391	"[email protected]," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	392	"aes128-ctr,aes192-ctr,aes256-ctr" \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	393	AESGCM_CIPHER_MODES
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	394
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	395	-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	396	+#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	397	+ "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	398	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	399	+#define KEX_SERVER_ENCRYPT_FIPS \
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	400	+ "aes128-ctr,aes192-ctr,aes256-ctr" \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	401	+ AESGCM_CIPHER_MODES
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	402	+
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	403	+#define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	404	"aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	405
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	406	-#define KEX_SERVER_MAC \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	407	+#define KEX_SERVER_MAC_DFLT \
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	408	"[email protected]," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	409	"[email protected]," \
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	410	"[email protected]," \
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	411	@@ -134,7 +161,42 @@
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	412	"hmac-sha2-512," \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	413	"hmac-sha1"
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	414
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	415	-#define KEX_CLIENT_MAC KEX_SERVER_MAC
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	416	+#define KEX_CLIENT_MAC_DFLT KEX_SERVER_MAC_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	417	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	418	+#define KEX_SERVER_MAC_FIPS \
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	419	+ "[email protected]," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	420	+ "[email protected]," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	421	+ "[email protected]," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	422	+ "hmac-sha2-256," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	423	+ "hmac-sha2-512," \
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	424	+ "hmac-sha1"
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	425	+
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	426	+#define KEX_CLIENT_MAC_FIPS KEX_SERVER_MAC_FIPS
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	427	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	428	+#ifdef ENABLE_OPENSSL_FIPS
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	429	+ #define KEX_SERVER_KEX \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	430	+ (ssh_FIPS_mode() ? (KEX_SERVER_KEX_FIPS) : (KEX_SERVER_KEX_DFLT) )
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	431	+ #define KEX_CLIENT_KEX \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	432	+ (ssh_FIPS_mode() ? (KEX_CLIENT_KEX_FIPS) : (KEX_CLIENT_KEX_DFLT) )
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	433	+ #define KEX_DEFAULT_PK_ALG \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	434	+ (ssh_FIPS_mode() ? (KEX_DEFAULT_PK_ALG_FIPS) : (KEX_DEFAULT_PK_ALG_DFLT) )
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	435	+ #define KEX_SERVER_ENCRYPT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	436	+ (ssh_FIPS_mode() ? (KEX_SERVER_ENCRYPT_FIPS) : (KEX_SERVER_ENCRYPT_DFLT))
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	437	+ #define KEX_CLIENT_ENCRYPT \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	438	+ (ssh_FIPS_mode() ? (KEX_CLIENT_ENCRYPT_FIPS) : (KEX_CLIENT_ENCRYPT_DFLT))
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	439	+ #define KEX_SERVER_MAC \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	440	+ (ssh_FIPS_mode() ? (KEX_SERVER_MAC_FIPS) : (KEX_SERVER_MAC_DFLT) )
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	441	+ #define KEX_CLIENT_MAC \
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	442	+ (ssh_FIPS_mode() ? (KEX_CLIENT_MAC_FIPS) : (KEX_CLIENT_MAC_DFLT) )
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	443	+#else /* ENABLE_OPENSSL_FIPS */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	444	+ #define KEX_SERVER_KEX KEX_SERVER_KEX_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	445	+ #define KEX_CLIENT_KEX KEX_CLIENT_KEX_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	446	+ #define KEX_DEFAULT_PK_ALG KEX_DEFAULT_PK_ALG_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	447	+ #define KEX_SERVER_ENCRYPT KEX_SERVER_ENCRYPT_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	448	+ #define KEX_CLIENT_ENCRYPT KEX_CLIENT_ENCRYPT_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	449	+ #define KEX_SERVER_MAC KEX_SERVER_MAC_DFLT
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	450	+ #define KEX_CLIENT_MAC KEX_CLIENT_MAC_DFLT
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	451	+#endif /* ENABLE_OPENSSL_FIPS */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	452
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	453	#else /* WITH_OPENSSL */
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	454
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	455	diff -pur old/ssh-add.1 new/ssh-add.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	456	--- old/ssh-add.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	457	+++ new/ssh-add.1
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	458	@@ -116,6 +116,8 @@ and
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	459	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	460	The default is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	461	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	462	+If OpenSSL is running in FIPS-140 mode, the only supported option is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	463	+.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	464	.It Fl e Ar pkcs11
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	465	Remove keys provided by the PKCS#11 shared library
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	466	.Ar pkcs11 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	467	diff -pur old/ssh-add.c new/ssh-add.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	468	--- old/ssh-add.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	469	+++ new/ssh-add.c
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	470	@@ -488,6 +488,12 @@ main(int argc, char **argv)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	471	__progname = ssh_get_progname(argv[0]);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	472	seed_rng();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	473
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	474	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	475	+ if (ssh_FIPS_mode_set_if_capable()) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	476	+ fprintf(stderr, "Setting FIPS mode failed!");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	477	+ exit(1);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	478	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	479	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	480	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	481	OpenSSL_add_all_algorithms();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	482	#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	483	diff -pur old/ssh-agent.1 new/ssh-agent.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	484	--- old/ssh-agent.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	485	+++ new/ssh-agent.1
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	486	@@ -117,6 +117,8 @@ and
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	487	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	488	The default is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	489	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	490	+If OpenSSL is running in FIPS-140 mode, the only supported option is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	491	+.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	492	.It Fl k
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	493	Kill the current agent (given by the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	494	.Ev SSH_AGENT_PID
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	495	diff -pur old/ssh-agent.c new/ssh-agent.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	496	--- old/ssh-agent.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	497	+++ new/ssh-agent.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	498	@@ -1196,6 +1196,7 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	499	struct timeval *tvp = NULL;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	500	size_t len;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	501	mode_t prev_mask;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	502	+ int fips_err;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	503
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	504	ssh_malloc_init(); /* must be called before any mallocs */
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	505	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	506	@@ -1207,6 +1208,9 @@ main(int ac, char **av)
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	507
31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	508	platform_disable_tracing(0); /* strict=no */
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	509
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	510	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	511	+ fips_err = ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	512	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	513	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	514	OpenSSL_add_all_algorithms();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	515	#endif
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	516	@@ -1337,8 +1341,19 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	517	printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	518	SSH_AUTHSOCKET_ENV_NAME);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	519	printf("echo Agent pid %ld;\n", (long)parent_pid);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	520	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	521	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	522	+#endif
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	523	fflush(stdout);
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	524	goto skip;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	525	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	526	+ } else {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	527	+ /* we still need to error out on FIPS_mode_set failure */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	528	+ if (fips_err) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	529	+ fprintf(stderr, "Setting FIPS mode failed!");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	530	+ cleanup_exit(1);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	531	+ }
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	532	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	533	}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	534	pid = fork();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	535	if (pid == -1) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	536	diff -pur old/ssh-keygen.1 new/ssh-keygen.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	537	--- old/ssh-keygen.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	538	+++ new/ssh-keygen.1
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	539	@@ -284,6 +284,8 @@ and
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	540	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	541	The default is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	542	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	543	+If OpenSSL is running in FIPS-140 mode, the only supported option is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	544	+.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	545	.It Fl e
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	546	This option will read a private or public OpenSSH key file and
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	547	print to stdout the key in one of the formats specified by the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	548	diff -pur old/ssh-keygen.c new/ssh-keygen.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	549	--- old/ssh-keygen.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	550	+++ new/ssh-keygen.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	551	@@ -2273,11 +2273,18 @@ main(int argc, char **argv)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	552
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	553	__progname = ssh_get_progname(argv[0]);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	554
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	555	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	556	+ ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	557	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	558	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	559	OpenSSL_add_all_algorithms();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	560	#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	561	log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	562
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	563	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	564	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	565	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	566	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	567	seed_rng();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	568
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	569	/* we need this for the home * directory. */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	570	diff -pur old/ssh-keysign.c new/ssh-keysign.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	571	--- old/ssh-keysign.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	572	+++ new/ssh-keysign.c
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	573	@@ -178,6 +178,7 @@ main(int argc, char **argv)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	574	u_char signature, data, rver;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	575	char host, fp;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	576	size_t slen, dlen;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	577	+ int fips_err;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	578	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	579	u_int32_t rnd[256];
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	580	#endif
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	581	@@ -228,6 +229,16 @@ main(int argc, char **argv)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	582	if (found == 0)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	583	fatal("could not open any host key");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	584
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	585	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	586	+ fips_err = ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	587	+#ifdef DEBUG_SSH_KEYSIGN
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	588	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	589	+#else
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	590	+ /* we still need to error out on FIPS_mode_set failure */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	591	+ if (fips_err)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	592	+ fatal("Setting FIPS mode failed!");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	593	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	594	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	595	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	596	OpenSSL_add_all_algorithms();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	597	arc4random_buf(rnd, sizeof(rnd));
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	598	diff -pur old/ssh.1 new/ssh.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	599	--- old/ssh.1
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	600	+++ new/ssh.1
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	601	@@ -92,6 +92,9 @@ If
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	602	is specified,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	603	it is executed on the remote host instead of a login shell.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	604	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	605	+If ssh links with FIPS-capable OpenSSL, ssh runs in FIPS-140 mode.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	606	+In FIPS-140 mode non-FIPS approved ciphers, MACs and digests are disabled.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	607	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	608	The options are as follows:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	609	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	610	.Bl -tag -width Ds -compact
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	611	diff -pur old/ssh.c new/ssh.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	612	--- old/ssh.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	613	+++ new/ssh.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	614	@@ -609,6 +609,11 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	615	*/
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	616	initialize_options(&options);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	617
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	618	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	619	+ /* determine FIPS mode early to limit ciphers and macs */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	620	+ ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	621	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	622	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	623	/* Parse command-line arguments. */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	624	host = NULL;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	625	use_syslog = 0;
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	626	@@ -1028,6 +1033,10 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	627	#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	628	);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	629
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	630	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	631	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	632	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	633	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	634	/* Parse the configuration files */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	635	process_config_files(host_arg, pw, 0);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	636
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	637	diff -pur old/ssh_api.c new/ssh_api.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	638	--- old/ssh_api.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	639	+++ new/ssh_api.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	640	@@ -79,6 +79,10 @@ ssh_init(struct ssh **sshp, int is_serve
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	641	int r;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	642
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	643	if (!called) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	644	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	645	+ ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	646	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	647	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	648	#ifdef WITH_OPENSSL
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	649	OpenSSL_add_all_algorithms();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	650	#endif /* WITH_OPENSSL */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	651	diff -pur old/ssh_config.5 new/ssh_config.5
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	652	--- old/ssh_config.5
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	653	+++ new/ssh_config.5
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	654	@@ -489,6 +489,13 @@ [email protected],aes256-gcm@openss
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	655	aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	656	.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	657	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	658	+The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	659	+.Bd -literal -offset indent
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	660	+aes128-ctr,aes192-ctr,aes256-ctr,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	661	[email protected],[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	662	+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	663	+.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	664	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	665	The list of available ciphers may also be obtained using the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	666	.Fl Q
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	667	option of
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	668	@@ -738,6 +745,8 @@ and
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	669	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	670	The default is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	671	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	672	+In FIPS-140 mode the only supported option is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	673	+.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	674	.It Cm ForwardAgent
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	675	Specifies whether the connection to the authentication agent (if any)
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	676	will be forwarded to the remote machine.
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	677	@@ -1249,6 +1258,16 @@ [email protected],[email protected]
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	678	hmac-sha2-256,hmac-sha2-512,hmac-sha1
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	679	.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	680	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	681	+The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	682	+.Bd -literal -offset indent
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	683	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	684	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	685	+hmac-sha2-256,hmac-sha2-512,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	686	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	687	[email protected]
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	688	+hmac-sha1,hmac-sha1-96
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	689	+.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	690	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	691	The list of available MAC algorithms may also be obtained using the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	692	.Fl Q
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	693	option of
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	694	diff -pur old/sshconnect.c new/sshconnect.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	695	--- old/sshconnect.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	696	+++ new/sshconnect.c
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	697	@@ -530,8 +530,14 @@ send_client_banner(int connection_out, i
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	698	{
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	699	/* Send our own protocol version identification. */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	700	if (compat20) {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	701	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	702	+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	703	+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	704	+ ssh_FIPS_mode() ? " FIPS" : "");
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	705	+#else
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	706	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	707	PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	708	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	709	} else {
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	710	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	711	PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	712	diff -pur old/sshd.8 new/sshd.8
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	713	--- old/sshd.8
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	714	+++ new/sshd.8
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	715	@@ -86,6 +86,9 @@ rereads its configuration file when it r
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	716	by executing itself with the name and options it was started with, e.g.\&
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	717	.Pa /usr/sbin/sshd .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	718	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	719	+If sshd links with FIPS-capable OpenSSL, sshd runs in FIPS-140 mode.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	720	+In FIPS-140 mode non-FIPS approved ciphers, MACs and digests are disabled.
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	721	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	722	The options are as follows:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	723	.Bl -tag -width Ds
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	724	.It Fl 4
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	725	diff -pur old/sshd.c new/sshd.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	726	--- old/sshd.c
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	727	+++ new/sshd.c
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	728	@@ -431,10 +431,18 @@ sshd_exchange_identification(struct ssh
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	729	minor = PROTOCOL_MINOR_1;
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	730	}
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	731
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	732	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	733	+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	734	+ major, minor, SSH_VERSION,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	735	+ ssh_FIPS_mode() ? " FIPS" : " ",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	736	+ *options.version_addendum == '\0' ? "" : " ",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	737	+ options.version_addendum, newline);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	738	+#else
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	739	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	740	major, minor, SSH_VERSION,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	741	*options.version_addendum == '\0' ? "" : " ",
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	742	options.version_addendum, newline);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	743	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	744
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	745	/* Send our protocol version identification. */
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	746	if (atomicio(vwrite, sock_out, server_version_string,
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	747	@@ -1562,6 +1570,10 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	748	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	749	sanitise_stdfd();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	750
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	751	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	752	+ ssh_FIPS_mode_set_if_capable();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	753	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	754	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	755	/* Initialize configuration options to their default values. */
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	756	initialize_server_options(&options);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	757
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	758	@@ -1712,6 +1724,10 @@ main(int ac, char **av)
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	759	SYSLOG_FACILITY_AUTH : options.log_facility,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	760	log_stderr \|\| !inetd_flag);
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	761
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	762	+#ifdef ENABLE_OPENSSL_FIPS
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	763	+ ssh_FIPS_check_status();
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	764	+#endif
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	765	+
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	766	/*
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	767	* Unset KRB5CCNAME, otherwise the user's session may inherit it from
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	768	* root's environment
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	769	diff -pur old/sshd_config.5 new/sshd_config.5
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	770	--- old/sshd_config.5
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	771	+++ new/sshd_config.5
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	772	@@ -489,6 +489,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	773	[email protected],[email protected]
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	774	.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	775	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	776	+The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	777	+.Bd -literal -offset indent
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	778	+aes128-ctr,aes192-ctr,aes256-ctr,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	779	[email protected],[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	780	+aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	781	+.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	782	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	783	The list of available ciphers may also be obtained using the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	784	.Fl Q
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	785	option of
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	786	@@ -585,6 +592,8 @@ and
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	787	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	788	The default is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	789	.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	790	+In FIPS-140 mode the only supported option is
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	791	+.Dq sha256 .
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	792	.It Cm ForceCommand
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	793	Forces the execution of the command specified by
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	794	.Cm ForceCommand ,
6930 31ef2580c45d 24525860 upgrade OpenSSH to 7.3p1 Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5819 diff changeset	795	@@ -1034,6 +1043,16 @@ [email protected],[email protected]
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	796	hmac-sha2-256,hmac-sha2-512,hmac-sha1
5310 a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	797	.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	798	.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	799	+The following MACs are FIPS-140 approved and are supported in FIPS-140 mode:
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	800	+.Bd -literal -offset indent
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	801	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	802	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	803	+hmac-sha2-256,hmac-sha2-512,
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	804	[email protected],
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	805	[email protected]
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	806	+hmac-sha1,hmac-sha1-96
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	807	+.Ed
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	808	+.Pp
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	809	The list of available MAC algorithms may also be obtained using the
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	810	.Fl Q
a06a01eef195 22051483 Dynamically enabling FIPS mode in OpenSSH Tomas Kuthan <tomas.kuthan@oracle.com> parents: diff changeset	811	option of
5819 c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	812	diff -pur old/sshkey.c new/sshkey.c
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	813	--- old/sshkey.c
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	814	+++ new/sshkey.c
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	815	@@ -85,7 +85,46 @@ struct keytype {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	816	int cert;
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	817	int sigonly;
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	818	};
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	819	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	820	+#ifdef ENABLE_OPENSSL_FIPS
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	821	+/* in FIPS mode limit keytypes to FIPS compliant only */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	822	+#define keytypes (ssh_FIPS_mode() ? keytypes_fips : keytypes_dflt)
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	823	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	824	+static const struct keytype keytypes_fips[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	825	+#ifdef WITH_OPENSSL
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	826	+ { NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	827	+ { "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	828	+ { "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	829	+ { "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	830	+ { "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	831	+# ifdef OPENSSL_HAS_ECC
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	832	+ { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	833	+ { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	834	+# ifdef OPENSSL_HAS_NISTP521
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	835	+ { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	836	+# endif /* OPENSSL_HAS_NISTP521 */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	837	+# endif /* OPENSSL_HAS_ECC */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	838	+ { "[email protected]", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	839	+ { "[email protected]", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	840	+# ifdef OPENSSL_HAS_ECC
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	841	+ { "[email protected]", "ECDSA-CERT",
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	842	+ KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	843	+ { "[email protected]", "ECDSA-CERT",
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	844	+ KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	845	+# ifdef OPENSSL_HAS_NISTP521
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	846	+ { "[email protected]", "ECDSA-CERT",
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	847	+ KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	848	+# endif /* OPENSSL_HAS_NISTP521 */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	849	+# endif /* OPENSSL_HAS_ECC */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	850	+#endif /* WITH_OPENSSL */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	851	+ { "null", "null", KEY_NULL, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	852	+ { NULL, NULL, -1, -1, 0, 0 }
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	853	+};
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	854	+
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	855	+static const struct keytype keytypes_dflt[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	856	+#else /* ENABLE_OPENSSL_FIPS */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	857	static const struct keytype keytypes[] = {
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	858	+#endif /* ENABLE_OPENSSL_FIPS */
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	859	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	860	{ "[email protected]", "ED25519-CERT",
c5f05bd2a9bc PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates Tomas Kuthan <tomas.kuthan@oracle.com> parents: 5310 diff changeset	861	KEY_ED25519_CERT, 0, 1, 0 },

author	Danek Duvall <danek.duvall@oracle.com>
	Tue, 18 Oct 2016 14:50:56 -0700
changeset 7124	3e0b5da5d4d1
parent 6930	31ef2580c45d
child 7649	69d7508f0d66
permissions	-rw-r--r--