Re: OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

security veteran wrote:
Thanks Roumen.

Let's assume that the application uses the OpenSSL FIPS validated module. FIPS mode
is activated in the openssl command if the environment variable OPENSSL_FIPS is
set. Similarly, I use the OPENSSL_FIPS environment variable to activate FIPS
mode. The code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.

Did you mean the FIPS patched OpenSSH server and client (such as
ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
the FIPS mode is activated?
Also, I think the applications which need to use OpenSSL FIPS mode will
also need to run the FIPS self-test functions (also provided by the
OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?

OpenSSL is open source. The method FIPS_mode_set will call FIPS_module_mode_set (located in the FIPS module). Please see its code.
You may review the code of apps/openssl.c.

[SNIP]

Roumen

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


