https://bugzilla.mindrot.org/show_bug.cgi?id=1987

             Bug #: 1987
           Summary: FIPS signature verification incompatibility with
                    openssl versions > 0.9.8q
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: [email protected]
        ReportedBy: [email protected]


Created attachment 2135
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2135
Suggested patch

When building OpenSSH with the OpenSSL library with FIPS (specifically
versions newer than OpenSSL 0.9.8q), there is an issue if FIPS mode is
active for OpenSSL.  In ssh-rsa.c on line 243 RSA_public_decrypt is
called, which is now disallowed in OpenSSL (if in FIPS mode).  The
library requires applications to use the EVP API if running in FIPS
mode so it can disallow certain cipher suites and hash algorithms that
are not considered FIPS compliant.  The user experience is that the
scp/ssh client fails because RSA_public_decrypt just returns null if
FIPS mode is active in OpenSSL > 0.9.8q.

The reference below states that there is a patch, but I cannot find it
so I am submitting my own for review.



References:
http://www.mail-archive.com/[email protected]/msg63512.html

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
