OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

Roumen Petrov openssh at roumenpetrov.info
Tue Dec 8 07:52:32 AEDT 2015


security veteran wrote:
> Thanks Roumen.
>
>> Let's assume that the application uses an OpenSSL FIPS validated module. FIPS
>> mode is activated in the openssl command if the environment variable
>> OPENSSL_FIPS is set. Similarly I use the OPENSSL_FIPS environment variable to
>> activate FIPS mode. The code will call FIPS_mode_set(1) if the crypto module
>> is not in FIPS mode.
>
> Did you mean the FIPS patched OpenSSH server and client (such as
> ssh-keygen) always check the environment variable OPENSSL_FIPS to see if
> the FIPS mode is activated?
> Also I think the applications which need to use OpenSSL FIPS mode will
> also need to run the FIPS self test functions (also provided by the
> OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?
OpenSSL is open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in the FIPS module). Please see its code.
You may review the code of apps/openssl.c.

[SNIP]

Roumen



More information about the openssh-unix-dev mailing list