#

# Dynamically set FIPS mode, when underlying libcrypto is FIPS capable.

# Limit ciphers and MACs in algorithm negotiation proposal.

#

# This patch is unlikely to be accepted upstream.

#

diff -pur old/cipher.c new/cipher.c

--- old/cipher.c

+++ new/cipher.c

@@ -77,7 +77,34 @@ struct sshcipher {

 #endif

 };

+#ifdef ENABLE_OPENSSL_FIPS

+/* in FIPS mode limit ciphers to FIPS compliant only */

+#define	ciphers (ssh_FIPS_mode() ? ciphers_fips : ciphers_dflt)

+

+static const struct sshcipher ciphers_fips[] = {

+	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },

+	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },

+	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },

+	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },

+	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },

+	{ "[email protected]",

+			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },

+	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },

+	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },

+	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },

+# ifdef OPENSSL_HAVE_EVPGCM

+	{ "[email protected]",

+			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },

+	{ "[email protected]",

+			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },

+# endif /* OPENSSL_HAVE_EVPGCM */

+	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }

+};

+

+static const struct sshcipher ciphers_dflt[] = {

+#else /* ENABLE_OPENSSL_FIPS */

 static const struct sshcipher ciphers[] = {

+#endif /* ENABLE_OPENSSL_FIPS */

 #ifdef WITH_SSH1

 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },

 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },

diff -pur old/digest-openssl.c new/digest-openssl.c

--- old/digest-openssl.c

+++ new/digest-openssl.c

@@ -53,8 +53,22 @@ struct ssh_digest {

 	const EVP_MD *(*mdfunc)(void);

 };

+#ifdef ENABLE_OPENSSL_FIPS

 /* NB. Indexed directly by algorithm number */

+const struct ssh_digest digests_fips[] = {

+	{ SSH_DIGEST_MD5,	"",	 	16,	NULL },

+	{ SSH_DIGEST_RIPEMD160,	"",		20,	NULL },

+	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },

+	{ SSH_DIGEST_SHA256,	"SHA256", 	32,	EVP_sha256 },

+	{ SSH_DIGEST_SHA384,	"SHA384",	48,	EVP_sha384 },

+	{ SSH_DIGEST_SHA512,	"SHA512", 	64,	EVP_sha512 },

+	{ -1,			NULL,		0,	NULL },

+};

+/* NB. Indexed directly by algorithm number */

+const struct ssh_digest digests_dflt[] = {

+#else /* ENABLE_OPENSSL_FIPS */

 const struct ssh_digest digests[] = {

+#endif /* ENABLE_OPENSSL_FIPS */

 	{ SSH_DIGEST_MD5,	"MD5",	 	16,	EVP_md5 },

 	{ SSH_DIGEST_RIPEMD160,	"RIPEMD160",	20,	EVP_ripemd160 },

 	{ SSH_DIGEST_SHA1,	"SHA1",	 	20,	EVP_sha1 },

@@ -67,6 +81,9 @@ const struct ssh_digest digests[] = {

 static const struct ssh_digest *

 ssh_digest_by_alg(int alg)

 {

+#ifdef ENABLE_OPENSSL_FIPS

+	struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;

+#endif

 	if (alg < 0 || alg >= SSH_DIGEST_MAX)

 		return NULL;

 	if (digests[alg].id != alg) /* sanity */

@@ -79,6 +96,9 @@ ssh_digest_by_alg(int alg)

 int

 ssh_digest_alg_by_name(const char *name)

 {

+#ifdef ENABLE_OPENSSL_FIPS

+	struct ssh_digest *digests = ssh_FIPS_mode() ? digests_fips : digests_dflt;

+#endif

 	int alg;

 	for (alg = 0; digests[alg].id != -1; alg++) {

diff -pur old/gss-genr.c new/gss-genr.c

--- old/gss-genr.c

+++ new/gss-genr.c

@@ -100,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup

 	char deroid[2];

 	const EVP_MD *evp_md = EVP_md5();

 	EVP_MD_CTX md;

+	int fips_mode;

 	if (gss_enc2oid != NULL) {

 		for (i = 0; gss_enc2oid[i].encoded != NULL; i++)

@@ -112,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup

 	buffer_init(&buf);

+#ifdef ENABLE_OPENSSL_FIPS

+	fips_mode = ssh_FIPS_mode();

+	if (fips_mode) {

+		debug3("Temporarily unsetting FIPS mode to compute MD5 for "

+		    "GSS-API key exchange method names");

+		FIPS_mode_set(0);

+	}

+#endif

 	oidpos = 0;

 	for (i = 0; i < gss_supported->count; i++) {

 		if (gss_supported->elements[i].length < 128 &&

@@ -119,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup

 			deroid[0] = SSH_GSS_OIDTYPE;

 			deroid[1] = gss_supported->elements[i].length;

-

 			EVP_DigestInit(&md, evp_md);

 			EVP_DigestUpdate(&md, deroid, 2);

 			EVP_DigestUpdate(&md,

@@ -151,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup

 			oidpos++;

 		}

 	}

+#ifdef ENABLE_OPENSSL_FIPS

+	if (fips_mode) {

+		ssh_FIPS_mode_set_if_capable();

+		ssh_FIPS_check_status();

+	}

+#endif

 	gss_enc2oid[oidpos].oid = NULL;

 	gss_enc2oid[oidpos].encoded = NULL;

diff -pur old/mac.c new/mac.c

--- old/mac.c

+++ new/mac.c

@@ -53,8 +53,33 @@ struct macalg {

 	int		len;		/* just for UMAC */

 	int		etm;		/* Encrypt-then-MAC */

 };

+#ifdef ENABLE_OPENSSL_FIPS

+/* in FIPS mode limit macs to FIPS compliant only */

+#define	macs (ssh_FIPS_mode() ? macs_fips : macs_dflt)

+static const struct macalg macs_fips[] = {

+	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */

+	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },

+	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },

+#ifdef HAVE_EVP_SHA256

+	{ "hmac-sha2-256",			SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },

+	{ "hmac-sha2-512",			SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },

+#endif

+	/* Encrypt-then-MAC variants */

+	{ "[email protected]",		SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },

+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 1 },

+#ifdef HAVE_EVP_SHA256

+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },

+	{ "[email protected]",	SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },

+#endif

+

+	{ NULL,					0, 0, 0, 0, 0, 0 }

+};

+

+static const struct macalg macs_dflt[] = {

+#else /* ENABLE_OPENSSL_FIPS */

 static const struct macalg macs[] = {

+#endif /* ENABLE_OPENSSL_FIPS */

 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */

 	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },

 	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },

diff -pur old/misc.c new/misc.c

--- old/misc.c

+++ new/misc.c

 #include <string.h>

 #include <time.h>

 #include <unistd.h>

+#include <dlfcn.h>

 #include <netinet/in.h>

 #include <netinet/in_systm.h>

 #include <netinet/ip.h>

 #include <netinet/tcp.h>

+#include <openssl/crypto.h>

+

 #include <ctype.h>

 #include <errno.h>

 #include <fcntl.h>

 }

+#ifdef ENABLE_OPENSSL_FIPS

+/* is OpenSSL FIPS mode set? */

+int

+ssh_FIPS_mode()

+{

+	return FIPS_mode();

+}

+

+/* store FIPS_mode_set() err code */

+static unsigned long ssh_FIPS_err_code = 0;

+

+#define	MSGBUFSIZ	1024 /* equals log.c:MSGBUFSIZ */

+

+/*

+ * Check and display FIPS mode status. 

+ * Called after ssh_FIPS_mode_set_if_capable() and when logging facility is

+ * available.

+ * If FIPS_mode_failed for FIPS capable libcrypto, exits with 255 code.

+ */

+void 

+ssh_FIPS_check_status()

+{

+	char ebuf[MSGBUFSIZ];

+

+	if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {

+		if (ssh_FIPS_mode()) {

+			debug("Running in FIPS mode.");

+		} else {

+			ERR_error_string_n(ssh_FIPS_err_code, ebuf,

+			    sizeof (ebuf));

+			fatal("Setting FIPS mode failed! %s", ebuf);

+		}

+	} else {

+		debug3("Loaded libcrypto is not FIPS capable.");

+	}

+	

+}

+

+/* if underlying libcrypto is FIPS capable, set FIPS_mode to 1 */

+int

+ssh_FIPS_mode_set_if_capable()

+{

+	/* presence of FIPS_module_mode_set indicates FIPS capable OpenSSL */

+	if (dlsym(RTLD_DEFAULT, "FIPS_module_mode_set") != NULL) {

+		/* call the API function FIPS_mode_set*/

+		if (!FIPS_mode_set(1)) {

+			ssh_FIPS_err_code = ERR_get_error();

+			return 1;

+		}

+	}

+	return 0;

+}

+#endif

+

 /* set/unset filedescriptor to non-blocking */

 int

 set_nonblock(int fd)

diff -pur old/misc.h new/misc.h

--- old/misc.h

+++ new/misc.h

@@ -38,6 +38,11 @@ struct ForwardOptions {

 char	*chop(char *);

 char	*strdelim(char **);

+#ifdef ENABLE_OPENSSL_FIPS

+int	 ssh_FIPS_mode();

+int	 ssh_FIPS_mode_set_if_capable();

+void     ssh_FIPS_check_status();

+#endif

 int	 set_nonblock(int);

 int	 unset_nonblock(int);

 void	 set_nodelay(int);

diff -pur old/myproposal.h new/myproposal.h

--- old/myproposal.h

+++ new/myproposal.h

+	"aes128-ctr,aes192-ctr,aes256-ctr" \

+	AESGCM_CIPHER_MODES

+

 	"[email protected]," \

 	"[email protected]," \

+	"[email protected]," \

+	"[email protected]," \

+	"[email protected]," \

+	"hmac-sha2-256," \

+	"hmac-sha2-512," \

+	"hmac-sha1"

+

+

+#ifdef ENABLE_OPENSSL_FIPS

+#endif /* ENABLE_OPENSSL_FIPS */

diff -pur old/ssh-add.1 new/ssh-add.1

--- old/ssh-add.1

+++ new/ssh-add.1

 .Dq sha256 .

 The default is

 .Dq sha256 .

+If OpenSSL is running in FIPS-140 mode, the only supported option is

+.Dq sha256 .

 .It Fl e Ar pkcs11

 Remove keys provided by the PKCS#11 shared library

 .Ar pkcs11 .

diff -pur old/ssh-add.c new/ssh-add.c

--- old/ssh-add.c

+++ new/ssh-add.c

 	__progname = ssh_get_progname(argv[0]);

 	seed_rng();

+#ifdef ENABLE_OPENSSL_FIPS

+	if (ssh_FIPS_mode_set_if_capable()) {

+		fprintf(stderr, "Setting FIPS mode failed!");

+		exit(1);

+	}

+#endif

 #ifdef WITH_OPENSSL

 	OpenSSL_add_all_algorithms();

 #endif

diff -pur old/ssh-agent.1 new/ssh-agent.1

--- old/ssh-agent.1

+++ new/ssh-agent.1

 .Dq sha256 .

 The default is

 .Dq sha256 .

+If OpenSSL is running in FIPS-140 mode, the only supported option is

+.Dq sha256 .

 .It Fl k

 Kill the current agent (given by the

 .Ev SSH_AGENT_PID

diff -pur old/ssh-agent.c new/ssh-agent.c

--- old/ssh-agent.c

+++ new/ssh-agent.c

 	struct timeval *tvp = NULL;

 	size_t len;

 	mode_t prev_mask;

+	int fips_err;

 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */

 	prctl(PR_SET_DUMPABLE, 0);

 #endif

+#ifdef ENABLE_OPENSSL_FIPS

+	fips_err = ssh_FIPS_mode_set_if_capable();

+#endif

 #ifdef WITH_OPENSSL

 	OpenSSL_add_all_algorithms();

 #endif

 		printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,

 		    SSH_AUTHSOCKET_ENV_NAME);

 		printf("echo Agent pid %ld;\n", (long)parent_pid);

+#ifdef ENABLE_OPENSSL_FIPS

+		ssh_FIPS_check_status();

+#endif

 		goto skip;

+#ifdef ENABLE_OPENSSL_FIPS

+	} else {

+		/* we still need to error out on FIPS_mode_set failure */

+		if (fips_err) {

+			fprintf(stderr, "Setting FIPS mode failed!");

+			cleanup_exit(1);

+		}

+#endif

 	}

 	pid = fork();

 	if (pid == -1) {

diff -pur old/ssh-keygen.1 new/ssh-keygen.1

--- old/ssh-keygen.1