Thanks Roumen.

> Openssl is open source. The method FIPS_mode_set will call FIPS_module_mode_set (located in the FIPS module). Please see its code. You may review the code of apps/openssl.c.

I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set and FIPS_selftest)? If that's the case, when were these functions invoked? e.g. for a client application such as ssh-keygen, does it always call these functions first?

Thanks.

On Mon, Dec 7, 2015 at 12:52 PM, Roumen Petrov <openssh@xxxxxxxxxxxxxxxxx> wrote:
> security veteran wrote:
>
>> Thanks Roumen.
>>
>> Let's assume that the application uses the OpenSSL FIPS validated module. FIPS mode
>> is activated in the openssl command if the environment variable OPENSSL_FIPS is
>> set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS
>> mode. Code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.
>>
>> Did you mean the FIPS patched OpenSSH server and client (such as
>> ssh-keygen) always check the environment variable OPENSSL_FIPS to see if
>> FIPS mode is activated?
>> Also I think applications which need to use OpenSSL FIPS mode will
>> also need to run the FIPS self-test functions (also provided by the
>> OpenSSL FIPS module). Does the patched OpenSSH also run these self tests?
>>
> Openssl is open source. The method FIPS_mode_set will call
> FIPS_module_mode_set (located in the FIPS module). Please see its code.
> You may review the code of apps/openssl.c.
>
> [SNIP]
>
> Roumen
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
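The start-up sequence the thread describes (check OPENSSL_FIPS, call FIPS_mode_set(1) when not already in FIPS mode, then run the self-tests), written out as an added example; this is not code from the thread, from OpenSSH or from the FIPS patch, and it assumes OpenSSL 1.0.x built against the FIPS Object Module (so OPENSSL_FIPS is defined and FIPS_mode, FIPS_mode_set and FIPS_selftest exist); on any other build it refuses to continue when FIPS mode was requested.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>

#ifdef OPENSSL_FIPS                 /* defined by a FIPS-capable OpenSSL build */
#include <openssl/crypto.h>         /* FIPS_mode, FIPS_mode_set */
#include <openssl/err.h>            /* ERR_print_errors_fp */
#include <openssl/fips.h>           /* FIPS_selftest */
#endif

/* Outcome of the start-up hook. FIPS_FAILED means the caller must abort:
 * continuing would silently use non-validated crypto. */
enum fips_status { FIPS_NOT_REQUESTED = 0, FIPS_ENABLED = 1, FIPS_FAILED = -1 };

/* Call once, before any key generation or connection is attempted. */
enum fips_status fips_activate_from_env(void)
{
    const char *want = getenv("OPENSSL_FIPS");
    if (want == NULL || *want == '\0')
        return FIPS_NOT_REQUESTED;      /* operator did not ask for FIPS mode */

#ifdef OPENSSL_FIPS
    /* Enter FIPS mode only if not already in it; FIPS_mode_set(1) runs the
     * module's power-up self-tests and returns 0 on any failure. */
    if (!FIPS_mode() && !FIPS_mode_set(1)) {
        ERR_print_errors_fp(stderr);
        return FIPS_FAILED;
    }
    /* Explicit self-test pass, as the thread asks about; returns 1 on success. */
    if (!FIPS_selftest()) {
        ERR_print_errors_fp(stderr);
        return FIPS_FAILED;
    }
    return FIPS_ENABLED;
#else
    /* Fail closed: FIPS was requested but this build cannot provide it. */
    fprintf(stderr, "OPENSSL_FIPS is set but this build has no FIPS module\n");
    return FIPS_FAILED;
#endif
}

int main(void)
{
    enum fips_status st = fips_activate_from_env();
    if (st == FIPS_FAILED)
        return 1;
    printf("FIPS mode: %s\n", st == FIPS_ENABLED ? "on" : "off (not requested)");
    return 0;
}
```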