OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

Roumen Petrov openssh at roumenpetrov.info
Tue Dec 8 08:17:40 AEDT 2015


security veteran wrote:
> Thanks Roumen.
>
>> OpenSSL is open source. The method FIPS_mode_set will call
>> FIPS_module_mode_set (located in FIPS module). Please see its code.
>> You may review code of apps/openssl.c.
>
> I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set
> and FIPS_selftest)? If that's the case, when were these functions invoked?
> e.g. for client application such as ssh-keygen does it always call these
> functions first?
Yes - see the code of method ssh_OpenSSL_startup.
$ grep  -lw ssh_OpenSSL_startup *.c
ssh-add.c
ssh-agent.c
ssh.c
sshd.c
ssh-keygen.c
ssh-keysign.c

Roumen


More information about the openssh-unix-dev mailing list