OpenSSH and FIPS 140-2

Christian S. Perone christian.perone at
Thu Aug 4 02:31:00 EST 2011

Does anyone know why in some OpenSSH patches for FIPS we have something like:

if (FIPS_mode() && !FIPSCHECK_verify(NULL, NULL)) {
                    "FIPS integrity verification test failed.\n");

This block of code is always in main(), soon after starting the
service/client. Why are they checking FIPS_mode() if
FIPS_mode_set() wasn't even called before that? Is
SSLeay_add_all_algorithms() supposed to call FIPS_mode_set()?
Another question I have is why they are using FIPSCHECK_verify() from
libfipscheck if FIPS_mode_set() already checks the in-core
fingerprint when called. Is this another requirement from FIPS 140-2?

Great thanks!
"Forgive, O Lord, my little jokes on Thee, and I'll forgive Thy great
big joke on me."
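The check FIPSCHECK_verify() performs is an HMAC over the executable on disk, compared against a stored sidecar value; it is separate from the in-core fingerprint the OpenSSL FIPS module checks on itself inside FIPS_mode_set(). What follows is an added example, not code from the poster, OpenSSH, OpenSSL or libfipscheck: it reimplements that file-level integrity check in Python. The HMAC-SHA-256 key and the `.name.hmac` sidecar naming are what I recall libfipscheck using and should be treated as assumptions, and the "sshd" file it verifies is a constructed stand-in, not a real binary.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Key libfipscheck uses for its HMAC-SHA-256 over binaries (assumption, from memory).
FIPSCHECK_KEY = b"orboDeJITITejsirpADONivirpUkvarP"


def hmac_path(binary: Path) -> Path:
    """Sidecar file `.<name>.hmac` next to the binary (libfipscheck convention, assumed)."""
    return binary.with_name("." + binary.name + ".hmac")


def compute_hmac(binary: Path) -> str:
    """HMAC-SHA-256 of the whole file contents, streamed so large binaries are fine."""
    h = hmac.new(FIPSCHECK_KEY, digestmod=hashlib.sha256)
    with binary.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hmac(binary: Path) -> Path:
    """What a package build step would do: record the expected HMAC beside the binary."""
    p = hmac_path(binary)
    p.write_text(compute_hmac(binary) + "\n")
    return p


def fipscheck_verify(binary: Path) -> bool:
    """Fail closed: True only if the sidecar exists and its HMAC matches the file on disk."""
    try:
        expected = hmac_path(binary).read_text().strip()
    except OSError:
        return False  # missing or unreadable sidecar is a verification failure
    return hmac.compare_digest(compute_hmac(binary), expected)


def demo():
    """Run the check against a constructed stand-in for sshd: no sidecar, intact, tampered."""
    with tempfile.TemporaryDirectory() as d:
        binary = Path(d) / "sshd"
        # Constructed fake image; not a real executable.
        binary.write_bytes(b"\x7fELF" + b"fake sshd image for this example" * 64)

        missing = fipscheck_verify(binary)   # no .sshd.hmac yet -> False
        write_hmac(binary)
        intact = fipscheck_verify(binary)    # sidecar matches -> True

        # Flip one bit in the "binary"; the HMAC no longer matches.
        data = bytearray(binary.read_bytes())
        data[100] ^= 0x01
        binary.write_bytes(bytes(data))
        tampered = fipscheck_verify(binary)  # -> False

        return missing, intact, tampered


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

In the OpenSSH patch the equivalent call happens once at startup and the process exits on failure, which is the fail-closed behaviour `fipscheck_verify()` mirrors here by treating a missing sidecar the same as a mismatch.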
