diff -up openssh-5.2p1/configure.ac.vendor openssh-5.2p1/configure.ac
--- openssh-5.2p1/configure.ac.vendor	2009-03-10 03:51:54.862255585 +0100
+++ openssh-5.2p1/configure.ac	2009-03-10 03:51:55.850215090 +0100
@@ -3335,11 +3335,25 @@ AC_ARG_WITH(selinux,
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+		LIBS="$LIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
+		AC_CHECK_FUNCS(setkeycreatecon)
 		LIBS="$save_LIBS"
 	fi ]
 )
 
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+AC_ARG_WITH(linux-audit,
+	[  --with-linux-audit   Enable Linux audit support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+		LINUX_AUDIT_MSG="yes"
+		AC_CHECK_HEADERS(libaudit.h)
+		SSHDLIBS="$SSHDLIBS -laudit"
+	fi ]
+)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
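Review bot: The `--with-linux-audit` action at lines 38–48 defines HAVE_LINUX_AUDIT and appends `-laudit` to SSHDLIBS before `AC_CHECK_HEADERS(libaudit.h)` runs, and it never tests that libaudit links, so a host without the library fails at link time instead of at configure time and the header-check result is never consulted. The SELinux block immediately above shows the house pattern; the equivalent here is `AC_CHECK_LIB(audit, audit_open, [ SSHDLIBS="$SSHDLIBS -laudit" ], AC_MSG_ERROR(Linux audit support requires libaudit library))`, with the AC_DEFINE and the `LINUX_AUDIT_MSG="yes"` assignment placed after the check succeeds.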
@@ -3448,6 +3462,20 @@ AC_ARG_WITH(kerberos5,
 	]
 )
 
+# Check whether user wants NSS support
+LIBNSS_MSG="no"
+AC_ARG_WITH(nss,
+	[  --with-nss   Enable NSS support],
+	[ if test "x$withval" != "xno" ; then
+		AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
+		LIBNSS_MSG="yes"
+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
+		AC_CHECK_HEADERS(pk11pub.h)
+		LIBS="$LIBS -lnss3"
+	fi
+	])
+AC_SUBST(LIBNSS)
+
 # Looking for programs, paths and files
 
 PRIVSEP_PATH=/var/empty
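Review bot: `LIBS="$LIBS -lnss3"` at line 86 is never restored, unlike the SELinux block in the previous hunk which saves and restores LIBS, so every program produced by this configure appears to link against libnss3 whether it uses it or not. `AC_SUBST(LIBNSS)` at line 92 substitutes a variable that is never assigned anywhere in the hunk, which looks like the intended carrier: set `LIBNSS="-lnss3"` inside the `if` and leave LIBS alone. The hard-coded `-I/usr/include/nss3 -I/usr/include/nspr4` on line 82 also ignores the result of `AC_CHECK_HEADERS(pk11pub.h)`; taking the flags from `pkg-config --cflags --libs nss` and failing with `AC_MSG_ERROR` when the header is missing would make the option fail at configure time rather than at compile time.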
@@ -3916,6 +3944,12 @@ AC_ARG_WITH(lastlog,
 		fi
 	]
 )
+AC_ARG_ENABLE(vendor-patchlevel,
+  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
+  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL="$enableval"],
+  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL=none])
 
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
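Review bot: `--enable-vendor-patchlevel` given without `=TAG` leaves `$enableval` as `yes`, so line 114 defines SSH_VENDOR_PATCHLEVEL as `SSH_RELEASE "-" "yes"` and the summary reports a patch level of `yes`; the action should reject that case first, e.g. `if test "x$enableval" = "xyes" -o "x$enableval" = "xno"; then AC_MSG_ERROR([--enable-vendor-patchlevel requires a TAG]); fi`. The value is also spliced into a C string literal without escaping, so a TAG containing a double quote or backslash yields an unbuildable config.h; a `case` pattern that restricts it to letters, digits, dot, underscore and hyphen is a cheap guard. A one-line comment above the `AC_ARG_ENABLE` stating that the tag is exposed to clients only when `ShowPatchLevel yes` is configured would tie the two halves of this patch together.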
@@ -4162,16 +4196,19 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
+echo "               Linux audit support: $LINUX_AUDIT_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
+echo "                       NSS support: $LIBNSS_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
diff -up openssh-5.2p1/servconf.c.vendor openssh-5.2p1/servconf.c
--- openssh-5.2p1/servconf.c.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/servconf.c	2009-03-10 03:51:54.956273911 +0100
@@ -117,6 +117,7 @@ initialize_server_options(ServerOptions 
 	options->max_authtries = -1;
 	options->max_sessions = -1;
 	options->banner = NULL;
+	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
@@ -262,6 +263,9 @@ fill_default_server_options(ServerOption
 	if (options->zero_knowledge_password_authentication == -1)
 		options->zero_knowledge_password_authentication = 0;
 
+	if (options->show_patchlevel == -1)
+ 		options->show_patchlevel = 0;
+ 
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
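Review bot: Line 200 is indented with a space followed by tabs and line 202 is a whitespace-only line, which differs from the tab-only indentation of the surrounding `fill_default_server_options` body (line 198 and the lines above it) and will trip whitespace-sensitive diff and lint checks. The assignment should be tab-indented exactly like line 194, `options->show_patchlevel = 0;`, and line 202 should be an empty line. fill_default_server_options starts and ends outside the hunk.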
@@ -299,7 +303,7 @@ typedef enum {
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
 	sMaxStartups, sMaxAuthTries, sMaxSessions,
-	sBanner, sUseDNS, sHostbasedAuthentication,
+	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -410,6 +414,7 @@ static struct {
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
 	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
 	{ "banner", sBanner, SSHCFG_ALL },
+	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1033,6 +1038,10 @@ process_server_config_line(ServerOptions
 		intptr = &use_privsep;
 		goto parse_flag;
 
+	case sShowPatchLevel:
+		intptr = &options->show_patchlevel;
+		goto parse_flag;
+
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1613,6 +1622,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseLogin, o->use_login);
 	dump_cfg_fmtint(sCompression, o->compression);
 	dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.2p1/servconf.h.vendor openssh-5.2p1/servconf.h
--- openssh-5.2p1/servconf.h.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/servconf.h	2009-03-10 03:51:54.933236643 +0100
@@ -128,6 +128,7 @@ typedef struct {
 	int	max_authtries;
 	int	max_sessions;
 	char   *banner;			/* SSH-2 banner message */
+	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
diff -up openssh-5.2p1/sshd_config.0.vendor openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.vendor	2009-03-10 03:51:54.775230993 +0100
+++ openssh-5.2p1/sshd_config.0	2009-03-10 03:51:54.958364611 +0100
@@ -467,6 +467,11 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
 
+     ShowPatchLevel
+	     Specifies whether sshd will display the specific patch level of
+	     the binary in the server identification string.  The patch level
+	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
diff -up openssh-5.2p1/sshd_config.5.vendor openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.vendor	2009-03-10 03:51:54.785628316 +0100
+++ openssh-5.2p1/sshd_config.5	2009-03-10 03:51:54.931352756 +0100
@@ -814,6 +814,14 @@ This option applies to protocol version 
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
+.It Cm ShowPatchLevel 
+Specifies whether 
+.Nm sshd 
+will display the patch level of the binary in the identification string. 
+The patch level is set at compile-time. 
+The default is 
+.Dq no . 
+This option applies to protocol version 1 only. 
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
diff -up openssh-5.2p1/sshd_config.vendor openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.vendor	2009-03-10 03:51:54.747256884 +0100
+++ openssh-5.2p1/sshd_config	2009-03-10 03:51:54.960221540 +0100
@@ -112,6 +112,7 @@ X11Forwarding yes
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
+#ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
diff -up openssh-5.2p1/sshd.c.vendor openssh-5.2p1/sshd.c
--- openssh-5.2p1/sshd.c.vendor	2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.2p1/sshd.c	2009-03-10 03:51:56.224238563 +0100
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
 #include "openbsd-compat/openssl-compat.h"
 
 #ifdef HAVE_SECUREWARE
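Review bot: `#include <openssl/fips.h>` and `#include <fipscheck.h>` at lines 406 and 408 are unconditional, so sshd no longer builds against an OpenSSL that lacks the FIPS module or on a system without the fipscheck library, while every other optional feature in this patch is gated by a configure-time define. Wrap the two includes in `#ifdef OPENSSL_FIPS` … `#endif`, and apply the same guard to the `FIPS_mode()` callers added in main() (hunk ending at line 480) and do_ssh2_kex (hunks ending at lines 558 and 578), so that a non-FIPS build keeps the pre-patch code paths. The configure.ac part of this patch adds no check for fipscheck; one mirroring the libselinux `AC_CHECK_LIB` pattern is the natural place to define the guard.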
@@ -415,7 +417,7 @@ sshd_exchange_identification(int sock_in
 		minor = PROTOCOL_MINOR_1;
 	}
 	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
-	    SSH_VERSION, newline);
+	   (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
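Review bot: Line 426 puts the exact vendor build into the version banner that every unauthenticated client receives whenever `ShowPatchLevel yes` is configured; defaulting it to off is the right call, and the sshd_config.5 text added in this same patch should describe it consistently — it says the option applies to protocol version 1 only, but `sshd_exchange_identification` emits this string before any protocol version is negotiated, so that sentence in the man page is inaccurate. The continuation on line 426 is also indented with three spaces plus a tab where the replaced line used four spaces, and the same `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : …` expression recurs at line 512; a small static helper such as `sshd_version_string()` returning the chosen constant would keep the banner and the debug message in step. sshd_exchange_identification starts outside the hunk.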
@@ -590,6 +592,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
 
+	/* Open the syslog permanently so the chrooted process still
+	   can write to syslog. */
+	open_log();
+	
 	/* Change our root directory */
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
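Review bot: The comment at lines 442–444 uses a `/* text` / `   text */` shape, whereas this file's multi-line comments (lines 494–498, for example) put `/*` on its own line with ` * ` continuations, and line 448 is a tab-only blank line. What `open_log()` guarantees across the following `chroot()` depends on its definition elsewhere (presumably log.c, not shown here), so the comment is more useful if it states that contract rather than restating the call, e.g. `/* Open syslog now: once chrooted this child cannot reach /dev/log. */`. privsep_preauth_child starts outside the hunk.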
@@ -1256,6 +1262,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
+
+        SSLeay_add_all_algorithms();
+        if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
+                fatal("FIPS integrity verification test failed.");
+        }
+
 	init_rng();
 
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
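Review bot: Lines 466–472 are indented with eight spaces while the surrounding `main` body (lines 462 and 476) uses tabs; they should be tab-indented to match. Failing closed via `fatal()` when `FIPS_mode()` is on and `FIPSCHECK_verify(NULL, NULL)` rejects the binary is the right behavior, but nothing says why the block sits here rather than where `SSLeay_add_all_algorithms()` used to be, so add a short why-comment, e.g. `/* Verify the binary's FIPS integrity before any OpenSSL primitive (including the RNG) is used. */`. Whether `fatal()` reaches syslog at this point depends on when logging is initialised later in main, which is outside the hunk; main starts and ends outside the hunk.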
@@ -1408,8 +1420,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
-	SSLeay_add_all_algorithms();
-
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
@@ -1483,7 +1493,8 @@ main(int ac, char **av)
 		exit(1);
 	}
 
-	debug("sshd version %.100s", SSH_RELEASE);
+	debug("sshd version %.100s",
+	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1894,6 +1905,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
+#ifdef WITH_SELINUX
+	ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
 #ifdef USE_PAM
 	if (options.use_pam) {
 		do_pam_setcred(1);
@@ -2174,6 +2188,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+	} else if (FIPS_mode()) {
+		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+		myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_FIPS_ENCRYPT;
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
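Review bot: Line 548 substitutes `KEX_FIPS_ENCRYPT` only when `options.ciphers` is NULL, so a `Ciphers` line in sshd_config that names non-approved algorithms silently overrides the FIPS restriction; the same applies to `KEX_FIPS_MAC` versus `options.macs` in the hunk ending at line 578. In FIPS mode the administrator's list should be intersected with the approved set, or sshd should `fatal()` when it contains an algorithm outside it, so that enabling FIPS mode cannot be undone by configuration. Only the cipher and MAC proposals are constrained in these hunks; whether the key-exchange and host-key proposals are restricted elsewhere in this patch is not visible here. do_ssh2_kex starts and ends outside the hunk.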
@@ -2183,6 +2200,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+	} else if (FIPS_mode()) {
+		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+		myproposal[PROPOSAL_MAC_ALGS_STOC] = KEX_FIPS_MAC;
 	}
 	if (options.compression == COMP_NONE) {
 		myproposal[PROPOSAL_COMP_ALGS_CTOS] =