Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev
FIPS fix for signature verification in ssh-rsa.c
 

Index | Next | Previous | View Flat


kak at cisco

Feb 23, 2012, 10:25 AM


Views: 477
Permalink
FIPS fix for signature verification in ssh-rsa.c

code version referenced: openssh-5.9p1

Hi all,

When building openssh with openssl (specifically versions newer than openssl 0.9.8q), there is an issue if FIPS mode is active for openssl. In ssh-rsa.c on line 243 RSA_public_decrypt is called, which is disallowed now in openssl (if in FIPS mode). The library requires appliactions to use the EVP API if running in FIPS mode so it can disallow certain cipher suites and hash algorithms that are not considered FIPS compliant. The user experience is that the scp/ssh client fails because RSA_public_decrypt just returns null if FIPS mode is active in openssl > 0.9.8q.

I have a fix, essentially just check for FIPS mode in ssh-rsa.c and appropriately call a new function which uses the EVP API of openssl. I'll be putting this fix in the fedora based rpm we're using in our appliance based product, but also wanted to offer the fix here so it can propogate to future linux distro releases.

This is my first source modification of openssh so I'm not sure what I need to do to get approval/acceptance of the change or how to commit it, please let me know what the process is...

thanks,

Keith



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Subject User Time
FIPS fix for signature verification in ssh-rsa.c kak at cisco Feb 23, 2012, 10:25 AM
    Re: FIPS fix for signature verification in ssh-rsa.c djm at mindrot Feb 29, 2012, 12:31 PM

  Index | Next | Previous | View Flat
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.