Subject: Re: FIPS Compliance.

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Wed, 30 Jul 2014 12:46:12 +0200

On Tuesday, July 29, 2014 02:48:58 john gloster wrote:
> Hi,
>
> From http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=9f6fd5a
>
> Did you mean that the following are not FIPS compliant?
>
> · EVP_aes_256_cbc
>
> · EVP_aes_192_cbc
>
> · EVP_aes_128_cbc

I think the problem was that OpenSSL did not like that libssh2 implemented
the CTR cipher mode on its own when FIPS mode was enabled. When I switched
libssh2 back to use the OpenSSL-provided implementation of those ciphers, it
started to work (after fixing the surrounding code to use correct block sizes
via commit 5d567fa).

Kamil

> On Fri, Jul 25, 2014 at 1:59 PM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> > On Friday, July 25, 2014 10:08:02 Bert Huijben wrote:
> > > If I remember correctly there is a compile time flag for libssh2 to enable a
> > > strict fips mode.
> >
> > I do not think so. Did you not mean a compile time flag for OpenSSL?
> >
> > > I would guess this might break compatibility with some (probably older) ssh
> > > implementations that don't implement newer (optional) cyphers.
> > >
> > > Bert
> > >
> > > -----Original Message-----
> > > From: "john gloster" <glosterj9_at_gmail.com>
> > > Sent: 25-7-2014 09:33
> > > To: "libssh2-devel_at_cool.haxx.se" <libssh2-devel_at_cool.haxx.se>
> > > Subject: FIPS Compliance.
> > >
> > > Hi,
> > >
> > >
> > > I wanted to know whether libssh2 1.4.2/1.4.3 are compatible with FIPS
> > > compliant OpenSSL version openssl-1.0.0-20?
> >
> > I pushed a few FIPS-related patches between 1.4.2 and 1.4.3:
> >
> > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=43b730c
> > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=bfbb5a4
> > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=5d567fa
> > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=9f6fd5a
> >
> > > I compiled libssh2 1.4.3 with this particular version of openssl and I could
> > > see that my application linking to this libssh crashes.
> > >
> > >
> > > In other cases, my application runs successfully if I compile libssh2 1.4.3
> > > with openssl-1.0.1e-16.
> > >
> > >
> > > Could someone please shed light on this one?
> >
> > The basic idea behind those patches is to return a failure if a non-FIPS
> > algorithm (such as MD5) is requested by the application. So libssh2 should
> > no longer crash on its own. Still you need to handle these failures in your
> > application in order not to crash anyway.
> >
> > Kamil
> >
> > > Alternately please let me know whether I can configure libssh2 to use a
> > > particular set of crypto algorithms supported by the openssl.
> > >
> > >
> > > Thanking you in advance.

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2014-07-30
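
The point in the thread about handling failures in the application when a non-FIPS algorithm such as MD5 is requested, as an added example that is not part of the original messages or of libssh2. It assumes a callback with the same contract as `libssh2_hostkey_hash()` (raw digest bytes, or NULL when the digest is not available); `hostkey_fingerprint`, `hash_fn`, `fips_hash`, `plain_hash` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Same values as LIBSSH2_HOSTKEY_HASH_MD5 / _SHA1 in libssh2.h. */
enum { HASH_MD5 = 1, HASH_SHA1 = 2 };

/* Same contract as libssh2_hostkey_hash(): raw digest bytes, or NULL when
 * the digest cannot be produced (e.g. MD5 refused in FIPS mode). In a real
 * program, wrap libssh2_hostkey_hash() in a function of this shape. */
typedef const char *(*hash_fn)(void *session, int hash_type);

/* Hypothetical helper: try MD5 (legacy fingerprint) first, fall back to
 * SHA-1. Returns 0 and fills `out`, or -1 if no digest is available. */
int hostkey_fingerprint(hash_fn hash, void *session, char *out, size_t outlen)
{
    static const struct { int type; size_t len; const char *name; } prefs[] = {
        { HASH_MD5, 16, "md5" }, { HASH_SHA1, 20, "sha1" },
    };
    for (size_t i = 0; i < sizeof prefs / sizeof prefs[0]; i++) {
        const unsigned char *d =
            (const unsigned char *)hash(session, prefs[i].type);
        if (d == NULL)
            continue;                 /* refused: never dereference NULL */
        size_t need = strlen(prefs[i].name) + 3 * prefs[i].len + 1;
        if (outlen < need)
            return -1;
        int pos = sprintf(out, "%s", prefs[i].name);
        for (size_t j = 0; j < prefs[i].len; j++)
            pos += sprintf(out + pos, ":%02x", d[j]);
        return 0;
    }
    return -1;                        /* caller must fail the connection */
}

/* Constructed stand-ins: a FIPS-mode session (no MD5) and a normal one. */
static const unsigned char sample[20] = { 0xde, 0xad, 0xbe, 0xef };
const char *fips_hash(void *s, int t)
{ (void)s; return t == HASH_SHA1 ? (const char *)sample : NULL; }
const char *plain_hash(void *s, int t)
{ (void)s; (void)t; return (const char *)sample; }

int main(void)
{
    char fp[80];
    if (hostkey_fingerprint(fips_hash, NULL, fp, sizeof fp) == 0)
        puts(fp);                     /* SHA-1 fingerprint, MD5 was refused */
    return 0;
}
```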