Re: OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

security veteran wrote:
> Thanks Roumen.
>
> I have a few more questions below:
>
> 1. What version of OpenSSH can the patch be applied to? What branch should
> I check out for the patch?
There is no separate patch, but I offer a file with all differences to openssh - see the link (diff) on the download page http://roumenpetrov.info/openssh/download.html

> 2.
> > Impact is not only for source code. Build process has to be updated as
> > well. Red Hat is based on "fipscheck".
> What build process should be changed? What is fipscheck?
A different way to check the integrity of files (executables) - https://fedorahosted.org/fipscheck/ .

> 3. My understanding is that any application (such as OpenSSH) which needs to use the
> OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
> first, otherwise the OpenSSL library will be operating as the non-FIPS
> version.
> My question is, how and when does the OpenSSH server invoke the FIPS function?
Let's assume that the application uses an OpenSSL FIPS validated module. FIPS mode is activated in the openssl command if the environment variable OPENSSL_FIPS is set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS mode. The code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.


[SNIP]

Roumen
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
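The activation rule described in the reply to question 3 (OPENSSL_FIPS set in the environment, FIPS_mode_set(1) called only when the module is not already in FIPS mode), written out as an added example. This is not code from Roumen's diff and not OpenSSH code. The real OpenSSL 1.0.x entry points are FIPS_mode() and FIPS_mode_set(); here they are reached through a small hook table so the same logic can be run against a constructed stand-in module without a FIPS-capable OpenSSL. The names fips_hooks, fips_activate, fake_hooks and the USE_REAL_OPENSSL build switch are this example's own, and the fail-closed behaviour when FIPS_mode_set(1) fails is this example's design choice (the openssl command exits in that case; the reply above does not say what the OpenSSH build does).

```c
/* Added example: FIPS-mode activation policy driven by OPENSSL_FIPS.
 * Not part of the page's own code. Build against real OpenSSL 1.0.x with
 * cc -DUSE_REAL_OPENSSL fips_activate.c -lcrypto; without that switch the
 * constructed stand-in module below is used. */
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_REAL_OPENSSL
#include <openssl/crypto.h>   /* declares FIPS_mode() and FIPS_mode_set() */
#endif

/* Hook table with the same shape as the OpenSSL 1.0.x FIPS API. */
struct fips_hooks {
    int (*mode)(void);        /* FIPS_mode(): 1 if the module is in FIPS mode */
    int (*mode_set)(int on);  /* FIPS_mode_set(1): 1 on success, 0 on failure */
};

enum fips_result {
    FIPS_NOT_REQUESTED = 0,   /* OPENSSL_FIPS unset: run as a normal build */
    FIPS_ALREADY_ON,          /* module already in FIPS mode, nothing to do */
    FIPS_ENABLED,             /* this call switched the module into FIPS mode */
    FIPS_FAILED               /* requested but FIPS_mode_set(1) failed */
};

/* Same rule as the openssl command: the variable being set, with any value
 * (even empty), means "FIPS mode on". */
int fips_requested(const char *env_value)
{
    return env_value != NULL;
}

/* Idempotent: FIPS_mode_set(1) is only called when the module is not
 * already in FIPS mode. A failure is reported, never silently ignored,
 * because continuing would mean running non-validated crypto. */
enum fips_result fips_activate(const struct fips_hooks *h, int requested)
{
    if (!requested)
        return FIPS_NOT_REQUESTED;
    if (h->mode())
        return FIPS_ALREADY_ON;
    if (!h->mode_set(1))
        return FIPS_FAILED;
    return FIPS_ENABLED;
}

/* What a daemon would do once at startup: consult the environment. */
enum fips_result fips_activate_from_env(const struct fips_hooks *h)
{
    return fips_activate(h, fips_requested(getenv("OPENSSL_FIPS")));
}

/* ---- constructed stand-in for the crypto module (not OpenSSL) ---- */
static int fake_capable = 1;  /* 0 models a non-FIPS OpenSSL build */
static int fake_state = 0;    /* current FIPS mode flag of the stand-in */

void fake_fips_reset(int capable) { fake_capable = capable; fake_state = 0; }
static int fake_mode(void) { return fake_state; }
static int fake_mode_set(int on)
{
    if (!fake_capable)
        return 0;             /* FIPS_mode_set(1) fails on a non-FIPS build */
    fake_state = on ? 1 : 0;
    return 1;
}
const struct fips_hooks fake_hooks = { fake_mode, fake_mode_set };

#ifdef USE_REAL_OPENSSL
const struct fips_hooks openssl_hooks = { FIPS_mode, FIPS_mode_set };
#endif

int main(void)
{
    const struct fips_hooks *h = &fake_hooks;
#ifdef USE_REAL_OPENSSL
    h = &openssl_hooks;
#endif
    static const char *names[] = { "not requested", "already on", "enabled", "failed" };
    enum fips_result r = fips_activate_from_env(h);

    printf("OPENSSL_FIPS %s: FIPS mode %s\n",
           getenv("OPENSSL_FIPS") ? "set" : "unset", names[r]);
    if (r == FIPS_FAILED) {
        fprintf(stderr, "FIPS mode requested but could not be enabled; refusing to run\n");
        return 1;
    }
    return 0;
}
```

Running the stand-alone binary with OPENSSL_FIPS=1 in the environment reports "enabled" against the stand-in; rebuilding with -DUSE_REAL_OPENSSL on a FIPS-capable OpenSSL 1.0.x makes the same call path go through FIPS_mode()/FIPS_mode_set(1), and on a plain non-FIPS OpenSSL build FIPS_mode_set(1) fails, which is the case the fail-closed branch is there to catch.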
