OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

security veteran security.veteran at gmail.com
Tue Dec 8 08:11:08 AEDT 2015


Thanks Roumen.

> OpenSSL is open source. The method FIPS_mode_set will call
> FIPS_module_mode_set (located in FIPS module). Please see its code.
> You may review code of apps/openssl.c.

I meant: did your OpenSSH patch actually invoke these functions (FIPS_mode_set
and FIPS_selftest)? If that's the case, when were these functions invoked?
E.g., for a client application such as ssh-keygen, does it always call these
functions first?

Thanks.



On Mon, Dec 7, 2015 at 12:52 PM, Roumen Petrov <openssh at roumenpetrov.info>
wrote:

> security veteran wrote:
>
>> Thanks Roumen.
>>
>> Let's assume that the application uses an OpenSSL FIPS validated module. FIPS mode
>> is activated in the openssl command if the environment variable OPENSSL_FIPS is
>> set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS
>> mode. Code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.
>>
>> Did you mean the FIPS patched OpenSSH server and client (such as
>> ssh-keygen) always check the environment variable OPENSSL_FIPS to see if
>> the FIPS mode is activated?
>> Also I think the applications which need to use OpenSSL FIPS mode will
>> also need to run the FIPS self test functions (also provided by the
>> OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?
>>
> OpenSSL is open source. The method FIPS_mode_set will call
> FIPS_module_mode_set (located in FIPS module). Please see its code.
> You may review code of apps/openssl.c.
>
> [SNIP]
>
> Roumen
>
>
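The activation sequence discussed in this thread (check OPENSSL_FIPS, call FIPS_mode_set(1) only when the library is not already in FIPS mode, treat failure as fatal), as an added example in C; it is not code from Roumen's OpenSSH patch or from apps/openssl.c. It assumes OpenSSL 1.0.x built with the FIPS Object Module, which defines OPENSSL_FIPS in opensslconf.h; the fips_requested/fips_init helpers and the enum names are this example's own.

```c
/* Added example: enter OpenSSL FIPS mode from an OPENSSL_FIPS-style policy.
 * Assumes OpenSSL 1.0.x with the FIPS Object Module (OPENSSL_FIPS defined). */
#include <stdio.h>
#include <stdlib.h>

#if defined(__has_include)
#  if __has_include(<openssl/opensslconf.h>)
#    include <openssl/opensslconf.h>
#  endif
#endif
#ifdef OPENSSL_FIPS
#  include <openssl/crypto.h>   /* FIPS_mode(), FIPS_mode_set() */
#  include <openssl/err.h>
#endif

enum fips_result { FIPS_NOT_REQUESTED = 0, FIPS_ALREADY_ON = 1,
                   FIPS_ENABLED = 2, FIPS_UNAVAILABLE = 3, FIPS_FAILED = 4 };

/* Policy from the thread: FIPS mode is requested when OPENSSL_FIPS is set.
 * An empty value is treated the same as an unset variable. */
int fips_requested(const char *env_value)
{
    return env_value != NULL && env_value[0] != '\0';
}

/* Apply the policy. In the FIPS Object Module 2.0, FIPS_mode_set(1) calls
 * FIPS_module_mode_set, which runs the self tests before switching mode,
 * so a failed return must stop the program, never be ignored. */
enum fips_result fips_init(const char *env_value)
{
    if (!fips_requested(env_value))
        return FIPS_NOT_REQUESTED;
#ifdef OPENSSL_FIPS
    if (FIPS_mode())               /* already switched, e.g. by a library */
        return FIPS_ALREADY_ON;
    if (!FIPS_mode_set(1)) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        return FIPS_FAILED;
    }
    return FIPS_ENABLED;
#else
    /* Built without the FIPS module: refusing to run is safer than running
     * non-validated crypto after the operator asked for FIPS. */
    return FIPS_UNAVAILABLE;
#endif
}

int main(void)
{
    enum fips_result r = fips_init(getenv("OPENSSL_FIPS"));
    if (r == FIPS_FAILED || r == FIPS_UNAVAILABLE) {
        fprintf(stderr, "FIPS mode requested but could not be enabled\n");
        return 1;
    }
    printf("fips_init result: %d\n", (int)r);
    return 0;
}
```

Where ssh-keygen style clients are concerned, this is the check that has to run before any key material is generated, which is the point of the question above.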

