FIPS 140-2 patch for openssh 6.3.p1

Joseph, Binny Kallarackal (MCOU) binny.joseph at hp.com
Fri Oct 25 00:12:17 EST 2013


Hi,

As per the FIPS patch http://www.openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch

, the cipher_set_key_string() in cipher.c replaces MD5 calls with  EVP_Digest() as given below:

                 "if (EVP_Digest(passphrase, strlen(passphrase), digest, NULL, EVP_md5(), NULL) <= 0)"

Since OpenSSL does not support EVP_md5() in FIPS mode, should this be replaced with EVP_sha1() or another FIPS compliant call inside the above EVP_Digest() ?

Thanks and Regards,
Binny.




More information about the openssh-unix-dev mailing list