diff --git a/openssh-5.2p1-fips.patch b/openssh-5.2p1-fips.patch index 8462301..7866fb8 100644 --- a/openssh-5.2p1-fips.patch +++ b/openssh-5.2p1-fips.patch @@ -1,43 +1,6 @@ -diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c ---- openssh-5.2p1/ssh-agent.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-agent.c 2009-03-13 11:23:15.000000000 +0100 -@@ -51,6 +51,8 @@ - - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #include -@@ -200,9 +202,9 @@ confirm_key(Identity *id) - char *p; - int ret = -1; - -- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", -- id->comment, p)) -+ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); -+ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.", -+ id->comment, FIPS_mode() ? "SHA1 " : "", p)) - ret = 0; - xfree(p); - -@@ -1196,6 +1198,11 @@ main(int ac, char **av) - #endif - - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } - - __progname = ssh_get_progname(av[0]); - init_rng(); diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c ---- openssh-5.2p1/auth2-pubkey.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/auth2-pubkey.c 2009-03-13 11:23:15.000000000 +0100 +--- openssh-5.2p1/auth2-pubkey.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/auth2-pubkey.c 2009-04-17 14:52:11.000000000 +0200 @@ -33,6 +33,7 @@ #include #include 
@@ -55,179 +18,83 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c verbose("Found matching %s key: %s", key_type(found), fp); xfree(fp); -diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c ---- openssh-5.2p1/ssh.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh.c 2009-03-13 11:23:15.000000000 +0100 -@@ -71,6 +71,8 @@ +diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c +--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100 ++++ openssh-5.2p1/cipher.c 2009-04-17 14:52:11.000000000 +0200 +@@ -40,6 +40,7 @@ + #include - #include - #include + #include +#include -+#include - #include "openbsd-compat/openssl-compat.h" - #include "openbsd-compat/sys-queue.h" - -@@ -220,6 +222,10 @@ main(int ac, char **av) - sanitise_stdfd(); - - __progname = ssh_get_progname(av[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed."); -+ } - init_rng(); - - /* -@@ -550,7 +556,6 @@ main(int ac, char **av) - if (!host) - usage(); - -- SSLeay_add_all_algorithms(); - ERR_load_crypto_strings(); - - /* Initialize the command to execute on remote host. 
*/ -diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c ---- openssh-5.2p1/sshconnect2.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshconnect2.c 2009-03-13 11:23:15.000000000 +0100 -@@ -44,6 +44,8 @@ - #include - #endif -+#include -+ - #include "openbsd-compat/sys-queue.h" + #include + #include +@@ -93,6 +94,22 @@ struct Cipher { + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } + }; - #include "xmalloc.h" -@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; ++struct Cipher fips_ciphers[] = { ++ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, ++ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, + - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } ++ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, ++ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, ++ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, ++ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, ++ { "rijndael-cbc@lysator.liu.se", ++ SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, ++ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, ++ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, ++ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, ++ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } ++}; + - if (options.hostkeyalgorithms != 
NULL) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = - options.hostkeyalgorithms; -@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -- debug2("input_userauth_pk_ok: fp %s", fp); -+ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX); -+ debug2("input_userauth_pk_ok: SHA1 fp %s", fp); - xfree(fp); - - /* -diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in ---- openssh-5.2p1/Makefile.in.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/Makefile.in 2009-03-13 11:23:15.000000000 +0100 -@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) - $(RANLIB) $@ - - ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o -- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o -- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o -- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o -- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh 
-lopenbsd-compat $(LIBS) -+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o -- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c ---- openssh-5.2p1/sshd.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshd.c 2009-03-13 11:23:15.000000000 +0100 -@@ -76,6 +76,8 @@ - #include - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" + /*--*/ - #ifdef HAVE_SECUREWARE -@@ -1260,6 +1262,12 @@ main(int ac, char **av) - (void)set_auth_parameters(ac, av); + u_int +@@ -135,7 +152,7 @@ Cipher * + cipher_by_name(const char *name) + { + Cipher *c; +- for (c = ciphers; c->name != NULL; c++) ++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + if (strcmp(c->name, name) == 0) + return c; + return NULL; +@@ -145,7 +162,7 @@ Cipher * + cipher_by_number(int id) + { + Cipher *c; +- for (c = ciphers; c->name != NULL; c++) ++ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + if (c->number == id) + return c; + return NULL; +@@ -189,7 +206,7 @@ cipher_number(const char *name) + Cipher *c; + if (name == NULL) + return -1; +- for (c = ciphers; c->name != NULL; c++) ++ for (c = FIPS_mode() ? 
fips_ciphers : ciphers; c->name != NULL; c++) + if (strcasecmp(c->name, name) == 0) + return c->number; + return -1; +diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c +--- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200 ++++ openssh-5.2p1/cipher-ctr.c 2009-04-17 23:23:06.000000000 +0200 +@@ -140,7 +140,8 @@ evp_aes_128_ctr(void) + aes_ctr.do_cipher = ssh_aes_ctr; + #ifndef SSH_OLD_EVP + aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; ++ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV | ++ EVP_CIPH_FLAG_FIPS; #endif - __progname = ssh_get_progname(av[0]); -+ -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed."); -+ } -+ - init_rng(); - - /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ -@@ -1412,8 +1420,6 @@ main(int ac, char **av) - else - closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); - -- SSLeay_add_all_algorithms(); -- - /* - * Force logging to stderr until we have loaded the private host - * key (unless started from inetd) -@@ -2182,6 +2188,9 @@ do_ssh2_kex(void) - if (options.ciphers != NULL) { - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = -+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; - } - myproposal[PROPOSAL_ENC_ALGS_CTOS] = - compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2191,6 +2200,9 @@ do_ssh2_kex(void) - if (options.macs != NULL) { - myproposal[PROPOSAL_MAC_ALGS_CTOS] = - myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -+ } else if (FIPS_mode()) { -+ myproposal[PROPOSAL_MAC_ALGS_CTOS] = -+ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; - } - if (options.compression == COMP_NONE) { - myproposal[PROPOSAL_COMP_ALGS_CTOS] = + return (&aes_ctr); + } diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c 
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200 -+++ openssh-5.2p1/mac.c 2009-03-13 11:23:15.000000000 +0100 ++++ openssh-5.2p1/mac.c 2009-04-17 14:52:11.000000000 +0200 @@ -28,6 +28,7 @@ #include 
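Review bot: `EVP_CIPH_FLAG_FIPS` added in cipher-ctr.c marks `evp_aes_128_ctr` as FIPS-usable, but the counter mode it wraps is `ssh_aes_ctr`, OpenSSH's own code, so only the underlying AES block operation runs inside OpenSSL's validated module; that boundary decision should be stated at the flag, e.g. `/* CTR chaining is done here in OpenSSH; only the AES block primitive is the FIPS module's. Flag required so FIPS-mode EVP accepts the cipher. */`. The same consideration applies to the `3des` row kept in `fips_ciphers` in cipher.c, which uses the OpenSSH-implemented `evp_ssh1_3des` and, being an SSH protocol 1 cipher, carries protocol 1's non-HMAC integrity scheme into FIPS mode; I would drop that row unless protocol 1 in FIPS mode is an explicit requirement. The `none` row is presumably needed for the pre-NEWKEYS state, and using `evp_aes_128_ctr` for the 192- and 256-bit rows mirrors the existing `ciphers` table (the key length comes from the table column), so neither is a defect, but a short comment above `fips_ciphers` saying it must stay a subset of `ciphers` would help later maintenance.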
@@ -277,63 +144,65 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c for (i = 0; macs[i].name; i++) { if (strcmp(name, macs[i].name) == 0) { -diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c ---- openssh-5.2p1/ssh-keygen.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-keygen.c 2009-03-13 11:23:15.000000000 +0100 -@@ -21,6 +21,8 @@ +diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in +--- openssh-5.2p1/Makefile.in.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/Makefile.in 2009-04-17 14:52:11.000000000 +0200 +@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS) + $(RANLIB) $@ - #include - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" + ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) +- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - #include -@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw) - enum fp_type fptype; - struct stat st; + sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS) -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -+ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5; - rep = print_bubblebabble ? 
SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - if (!have_identity) -@@ -1125,6 +1127,12 @@ main(int argc, char **argv) - __progname = ssh_get_progname(argv[0]); + ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o +- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o +- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - init_rng(); -@@ -1506,14 +1514,15 @@ passphrase_again: - fclose(f); + ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o +- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - if (!quiet) { -- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); -- char *ra = key_fingerprint(public, SSH_FP_MD5, -+ int fips_on = FIPS_mode(); -+ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); -+ char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, - SSH_FP_RANDOMART); - printf("Your public key has been saved in %s.\n", - identity_file); -- printf("The key fingerprint is:\n"); -+ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : ""); - printf("%s %s\n", fp, comment); -- printf("The key's randomart image is:\n"); -+ printf("The key's %srandomart image is:\n", fips_on ? 
"SHA1 " :""); - printf("%s\n", ra); - xfree(ra); - xfree(fp); + ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o +- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ++ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o +- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ++ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + + sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o + $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h +--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 ++++ openssh-5.2p1/myproposal.h 2009-04-17 14:52:11.000000000 +0200 +@@ -53,7 +53,12 @@ + "hmac-sha1-96,hmac-md5-96" + #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" + #define KEX_DEFAULT_LANG "" +- ++#define KEX_FIPS_ENCRYPT \ ++ "aes128-ctr,aes192-ctr,aes256-ctr," \ ++ "aes128-cbc,3des-cbc," \ ++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" ++#define KEX_FIPS_MAC \ ++ "hmac-sha1" + + static char *myproposal[PROPOSAL_MAX] = { + KEX_DEFAULT_KEX, diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c ---- openssh-5.2p1/nsskeys.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/nsskeys.c 2009-03-13 11:23:15.000000000 +0100 +--- openssh-5.2p1/nsskeys.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/nsskeys.c 2009-04-17 14:52:11.000000000 +0200 @@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k) break; } 
@@ -345,49 +214,9 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c xfree(p); return 0; -diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c ---- openssh-5.2p1/ssh-add.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/ssh-add.c 2009-03-13 11:23:15.000000000 +0100 -@@ -42,6 +42,8 @@ - #include - - #include -+#include -+#include - #include "openbsd-compat/openssl-compat.h" - - #ifdef HAVE_LIBNSS -@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection - key = ssh_get_next_identity(ac, &comment, version)) { - had_identities = 1; - if (do_fp) { -- fp = key_fingerprint(key, SSH_FP_MD5, -+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, - SSH_FP_HEX); - printf("%d %s %s (%s)\n", - key_size(key), fp, comment, key_type(key)); -@@ -463,11 +465,16 @@ main(int argc, char **argv) - sanitise_stdfd(); - - __progname = ssh_get_progname(argv[0]); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); -+ } -+ - init_rng(); - seed_rng(); - -- SSLeay_add_all_algorithms(); -- - /* At first, get a connection to the authentication agent. */ - ac = ssh_get_authentication_connection(); - if (ac == NULL) { diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c --- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200 -+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-03-13 11:23:15.000000000 +0100 ++++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-04-17 14:52:11.000000000 +0200 @@ -39,6 +39,7 @@ static int rc4_ready = 0; static RC4_KEY rc4; 
@@ -429,145 +258,187 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs #endif /* !HAVE_ARC4RANDOM */ #ifndef ARC4RANDOM_BUF -diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h ---- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100 -+++ openssh-5.2p1/myproposal.h 2009-03-13 11:27:49.000000000 +0100 -@@ -53,7 +53,12 @@ - "hmac-sha1-96,hmac-md5-96" - #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" - #define KEX_DEFAULT_LANG "" -- -+#define KEX_FIPS_ENCRYPT \ -+ "aes128-ctr,aes192-ctr,aes256-ctr," \ -+ "aes128-cbc,3des-cbc," \ -+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" -+#define KEX_FIPS_MAC \ -+ "hmac-sha1" +diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c +--- openssh-5.2p1/ssh-add.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-add.c 2009-04-17 14:52:11.000000000 +0200 +@@ -42,6 +42,8 @@ + #include - static char *myproposal[PROPOSAL_MAX] = { - KEX_DEFAULT_KEX, -diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c ---- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200 -+++ openssh-5.2p1/ssh-keysign.c 2009-03-13 11:23:15.000000000 +0100 -@@ -38,6 +38,8 @@ #include - #include - #include +#include +#include + #include "openbsd-compat/openssl-compat.h" - #include "xmalloc.h" - #include "log.h" -@@ -175,6 +177,11 @@ main(int argc, char **argv) - - permanently_set_uid(pw); + #ifdef HAVE_LIBNSS +@@ -254,7 +256,7 @@ list_identities(AuthenticationConnection + key = ssh_get_next_identity(ac, &comment, version)) { + had_identities = 1; + if (do_fp) { +- fp = key_fingerprint(key, SSH_FP_MD5, ++ fp = key_fingerprint(key, FIPS_mode() ? 
SSH_FP_SHA1 : SSH_FP_MD5, + SSH_FP_HEX); + printf("%d %s %s (%s)\n", + key_size(key), fp, comment, key_type(key)); +@@ -463,10 +465,19 @@ main(int argc, char **argv) + sanitise_stdfd(); -+ SSLeay_add_all_algorithms(); -+ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fatal("FIPS integrity verification test failed"); -+ } + __progname = ssh_get_progname(argv[0]); ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } + init_rng(); seed_rng(); - arc4random_stir(); -@@ -194,7 +201,6 @@ main(int argc, char **argv) - if (key_fd[0] == -1 && key_fd[1] == -1) - fatal("could not open any host key"); - SSLeay_add_all_algorithms(); - for (i = 0; i < 256; i++) - rnd[i] = arc4random(); - RAND_seed(rnd, sizeof(rnd)); -diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c ---- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100 -+++ openssh-5.2p1/cipher.c 2009-03-13 11:23:15.000000000 +0100 -@@ -40,6 +40,7 @@ - #include ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } + + /* At first, get a connection to the authentication agent. 
*/ + ac = ssh_get_authentication_connection(); +diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c +--- openssh-5.2p1/ssh-agent.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-agent.c 2009-04-17 14:52:11.000000000 +0200 +@@ -51,6 +51,8 @@ + #include #include +#include ++#include + #include "openbsd-compat/openssl-compat.h" - #include - #include -@@ -93,6 +94,22 @@ struct Cipher { - { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } - }; + #include +@@ -200,9 +202,9 @@ confirm_key(Identity *id) + char *p; + int ret = -1; -+struct Cipher fips_ciphers[] = { -+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null }, -+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, -+ -+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc }, -+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc }, -+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc }, -+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, -+ { "rijndael-cbc@lysator.liu.se", -+ SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc }, -+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr }, -+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr }, -+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr }, -+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL } -+}; -+ - /*--*/ +- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); +- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", +- id->comment, p)) ++ p = key_fingerprint(id->key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); ++ if (ask_permission("Allow use of key %s?\nKey %sfingerprint %s.", ++ id->comment, FIPS_mode() ? "SHA1 " : "", p)) + ret = 0; + xfree(p); - u_int -@@ -135,7 +152,7 @@ Cipher * - cipher_by_name(const char *name) - { - Cipher *c; -- for (c = ciphers; c->name != NULL; c++) -+ for (c = FIPS_mode() ? 
fips_ciphers : ciphers; c->name != NULL; c++) - if (strcmp(c->name, name) == 0) - return c; - return NULL; -@@ -145,7 +162,7 @@ Cipher * - cipher_by_number(int id) - { - Cipher *c; -- for (c = ciphers; c->name != NULL; c++) -+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) - if (c->number == id) - return c; - return NULL; -@@ -189,7 +206,7 @@ cipher_number(const char *name) - Cipher *c; - if (name == NULL) - return -1; -- for (c = ciphers; c->name != NULL; c++) -+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) - if (strcasecmp(c->name, name) == 0) - return c->number; - return -1; -diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c ---- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100 -+++ openssh-5.2p1/ssh-keyscan.c 2009-03-13 11:23:15.000000000 +0100 -@@ -19,6 +19,8 @@ - #include +@@ -1196,6 +1198,11 @@ main(int ac, char **av) + #endif + + SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } + + __progname = ssh_get_progname(av[0]); + init_rng(); +@@ -1356,6 +1363,10 @@ main(int ac, char **av) + /* child */ + log_init(__progname, SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); - #include ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + if (setsid() == -1) { + error("setsid: %s", strerror(errno)); + cleanup_exit(1); +diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c +--- openssh-5.2p1/ssh.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh.c 2009-04-17 14:52:11.000000000 +0200 +@@ -71,6 +71,8 @@ + + #include + #include +#include +#include + #include "openbsd-compat/openssl-compat.h" + #include "openbsd-compat/sys-queue.h" - #include - #include -@@ -731,6 +733,13 @@ main(int argc, char **argv) - extern char *optarg; +@@ -220,6 +222,10 @@ main(int ac, char **av) + sanitise_stdfd(); - __progname = ssh_get_progname(argv[0]); + __progname = 
ssh_get_progname(av[0]); + SSLeay_add_all_algorithms(); + if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { -+ fprintf(stderr, -+ "FIPS integrity verification test failed.\n"); -+ exit(3); ++ fatal("FIPS integrity verification test failed."); + } -+ init_rng(); + + /* +@@ -550,7 +556,6 @@ main(int ac, char **av) + if (!host) + usage(); + +- SSLeay_add_all_algorithms(); + ERR_load_crypto_strings(); + + /* Initialize the command to execute on remote host. */ +@@ -635,6 +640,10 @@ main(int ac, char **av) + seed_rng(); - TAILQ_INIT(&tq); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + if (options.user == NULL) + options.user = xstrdup(pw->pw_name); + +diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c +--- openssh-5.2p1/sshconnect2.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshconnect2.c 2009-04-17 14:52:11.000000000 +0200 +@@ -44,6 +44,8 @@ + #include + #endif + ++#include ++ + #include "openbsd-compat/sys-queue.h" + + #include "xmalloc.h" +@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; ++ + } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); +@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_MAC_ALGS_CTOS] = ++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; + } ++ + if (options.hostkeyalgorithms != NULL) + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = + options.hostkeyalgorithms; +@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t + key->type, pktype); + goto done; + } +- fp = key_fingerprint(key, 
SSH_FP_MD5, SSH_FP_HEX); +- debug2("input_userauth_pk_ok: fp %s", fp); ++ fp = key_fingerprint(key, SSH_FP_SHA1, SSH_FP_HEX); ++ debug2("input_userauth_pk_ok: SHA1 fp %s", fp); + xfree(fp); + + /* diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c ---- openssh-5.2p1/sshconnect.c.fips 2009-03-13 11:23:15.000000000 +0100 -+++ openssh-5.2p1/sshconnect.c 2009-03-13 11:23:15.000000000 +0100 +--- openssh-5.2p1/sshconnect.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshconnect.c 2009-04-17 14:52:11.000000000 +0200 @@ -40,6 +40,8 @@ #include #include 
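Review bot: In sshconnect2.c `input_userauth_pk_ok` switches the debug fingerprint to SHA-1 unconditionally, while every other call site in this patch (ssh-add.c `list_identities`, ssh-agent.c `confirm_key`) gates the hash on `FIPS_mode()`; the inconsistent line should read `fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);` with `debug2("input_userauth_pk_ok: %sfp %s", FIPS_mode() ? "SHA1 " : "", fp);` so a user comparing it against ssh-keygen output in non-FIPS mode still sees the MD5 form. In `ssh_kex2` the new `else if (FIPS_mode())` cipher branch contains a stray blank line before its closing brace, and another blank line is added after the MAC block; both should go. Note also that `KEX_FIPS_ENCRYPT`/`KEX_FIPS_MAC` are only substituted when `Ciphers`/`MACs` are unset, so an explicitly configured non-approved algorithm relies on the lookup tables rejecting it; cipher.c is switched to `fips_ciphers` elsewhere in this commit, but the corresponding mac.c change is not visible here, so it is worth confirming `mac_valid()` behaves the same way. The `ssh_kex2` and `input_userauth_pk_ok` bodies continue outside the hunk.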
@@ -654,3 +525,211 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c error("Please contact your system administrator."); xfree(fp); +diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c +--- openssh-5.2p1/sshd.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/sshd.c 2009-04-17 14:52:11.000000000 +0200 +@@ -76,6 +76,8 @@ + #include + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + + #ifdef HAVE_SECUREWARE +@@ -1260,6 +1262,12 @@ main(int ac, char **av) + (void)set_auth_parameters(ac, av); + #endif + __progname = ssh_get_progname(av[0]); ++ ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fatal("FIPS integrity verification test failed."); ++ } ++ + init_rng(); + + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ +@@ -1412,8 +1420,6 @@ main(int ac, char **av) + else + closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); + +- SSLeay_add_all_algorithms(); +- + /* + * Force logging to stderr until we have loaded the private host + * key (unless started from inetd) +@@ -1655,6 +1661,10 @@ main(int ac, char **av) + /* Initialize the random number generator. */ + arc4random_stir(); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* Chdir to the root directory so that the current disk can be + unmounted if desired. 
*/ + chdir("/"); +@@ -2182,6 +2192,9 @@ do_ssh2_kex(void) + if (options.ciphers != NULL) { + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT; + } + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); +@@ -2191,6 +2204,9 @@ do_ssh2_kex(void) + if (options.macs != NULL) { + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; ++ } else if (FIPS_mode()) { ++ myproposal[PROPOSAL_MAC_ALGS_CTOS] = ++ myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC; + } + if (options.compression == COMP_NONE) { + myproposal[PROPOSAL_COMP_ALGS_CTOS] = +diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c +--- openssh-5.2p1/ssh-keygen.c.fips 2009-04-17 14:52:11.000000000 +0200 ++++ openssh-5.2p1/ssh-keygen.c 2009-04-17 14:52:11.000000000 +0200 +@@ -21,6 +21,8 @@ + + #include + #include ++#include ++#include + #include "openbsd-compat/openssl-compat.h" + + #include +@@ -537,7 +539,7 @@ do_fingerprint(struct passwd *pw) + enum fp_type fptype; + struct stat st; + +- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; ++ fptype = print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + + if (!have_identity) +@@ -1125,11 +1127,21 @@ main(int argc, char **argv) + __progname = ssh_get_progname(argv[0]); + + SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } ++ + log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); + + init_rng(); + seed_rng(); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* we need this for the home * directory. 
*/ + pw = getpwuid(getuid()); + if (!pw) { +@@ -1506,14 +1518,15 @@ passphrase_again: + fclose(f); + + if (!quiet) { +- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); +- char *ra = key_fingerprint(public, SSH_FP_MD5, ++ int fips_on = FIPS_mode(); ++ char *fp = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX); ++ char *ra = key_fingerprint(public, fips_on ? SSH_FP_SHA1 : SSH_FP_MD5, + SSH_FP_RANDOMART); + printf("Your public key has been saved in %s.\n", + identity_file); +- printf("The key fingerprint is:\n"); ++ printf("The key %sfingerprint is:\n", fips_on ? "SHA1 " : ""); + printf("%s %s\n", fp, comment); +- printf("The key's randomart image is:\n"); ++ printf("The key's %srandomart image is:\n", fips_on ? "SHA1 " :""); + printf("%s\n", ra); + xfree(ra); + xfree(fp); +diff -up openssh-5.2p1/ssh-keyscan.c.fips openssh-5.2p1/ssh-keyscan.c +--- openssh-5.2p1/ssh-keyscan.c.fips 2009-01-28 06:31:23.000000000 +0100 ++++ openssh-5.2p1/ssh-keyscan.c 2009-04-17 14:52:11.000000000 +0200 +@@ -19,6 +19,8 @@ + #include + + #include ++#include ++#include + + #include + #include +@@ -731,6 +733,13 @@ main(int argc, char **argv) + extern char *optarg; + + __progname = ssh_get_progname(argv[0]); ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fprintf(stderr, ++ "FIPS integrity verification test failed.\n"); ++ exit(3); ++ } ++ + init_rng(); + seed_rng(); + TAILQ_INIT(&tq); +@@ -812,6 +821,10 @@ main(int argc, char **argv) + + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + maxfd = fdlim_get(1); + if (maxfd < 0) + fatal("%s: fdlim_get: bad value", __progname); +diff -up openssh-5.2p1/ssh-keysign.c.fips openssh-5.2p1/ssh-keysign.c +--- openssh-5.2p1/ssh-keysign.c.fips 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-5.2p1/ssh-keysign.c 2009-04-17 14:52:11.000000000 +0200 +@@ -38,6 +38,8 @@ + #include + #include + #include 
++#include ++#include + + #include "xmalloc.h" + #include "log.h" +@@ -175,6 +177,11 @@ main(int argc, char **argv) + + permanently_set_uid(pw); + ++ SSLeay_add_all_algorithms(); ++ if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) { ++ fatal("FIPS integrity verification test failed"); ++ } ++ + init_rng(); + seed_rng(); + arc4random_stir(); +@@ -183,6 +190,10 @@ main(int argc, char **argv) + log_init("ssh-keysign", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0); + #endif + ++ if (FIPS_mode()) { ++ logit("FIPS mode initialized"); ++ } ++ + /* verify that ssh-keysign is enabled by the admin */ + initialize_options(&options); + (void)read_config_file(_PATH_HOST_CONFIG_FILE, "", &options, 0); +@@ -194,7 +205,6 @@ main(int argc, char **argv) + if (key_fd[0] == -1 && key_fd[1] == -1) + fatal("could not open any host key"); + +- SSLeay_add_all_algorithms(); + for (i = 0; i < 256; i++) + rnd[i] = arc4random(); + RAND_seed(rnd, sizeof(rnd)); diff --git a/openssh.spec b/openssh.spec index 3477cdb..03a49a8 100644 --- a/openssh.spec +++ b/openssh.spec @@ -63,7 +63,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.2p1 -Release: 3%{?dist}%{?rescue_rel} +Release: 4%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc @@ -474,6 +474,10 @@ fi %endif %changelog +* Mon Apr 20 2009 Tomas Mraz - 5.2p1-4 +- log if FIPS mode is initialized +- make aes-ctr cipher modes work in the FIPS mode + * Fri Apr 3 2009 Jan F. Chadima - 5.2p1-3 - fix logging after chroot - enable non root users to use chroot %%h in internal-sftp
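Review bot: In sshd.c the new `FIPSCHECK_verify()` failure path calls `fatal()` right after `__progname` is set, which appears to be before option parsing and `log_init()`, so on a FIPS-enabled host a missing or stale integrity file makes sshd die with the reason on stderr only, which is lost when it is started from init; consider running the check after `log_init()` later in main (outside this hunk) so the failure reaches syslog the way the added "FIPS mode initialized" message does. As I read libfipscheck, `FIPSCHECK_verify(NULL, NULL)` checks the running executable against a companion HMAC file, and the spec change in this commit only bumps Release and the changelog, so I cannot see where those files are generated for ssh, sshd, ssh-keygen, ssh-keyscan and ssh-keysign; without them every FIPS-mode invocation exits before doing anything. In ssh-keygen.c `do_fingerprint`, the nested ternary `print_bubblebabble ? SSH_FP_SHA1 : FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5` reads more clearly as `fptype = (print_bubblebabble || FIPS_mode()) ? SSH_FP_SHA1 : SSH_FP_MD5;`.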