Displaying 8 results from an estimated 8 matches for "fips_mode_set".

2015 Dec 07
2
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Roumen. >Let's assume that application use OpenSSL FIPS validated module. FIPS mode is activated in openssl command if environment variable OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module is not in FIPS mode. Did you mean the FIPS patched OpenSSH server and client (such as ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if the FIPS mode is activated? Also I think for the applications which need to use OpenSSL FIPS mode will also need to run...
2015 Dec 07
2
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
...ct is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck". What build process should be changed? What is fipscheck? 3. My understanding is that any application (such as OpenSSH) which needs to use the OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function first, otherwise the OpenSSL library will be operating as the non-FIPS version. My question is, how and when does OpenSSH server invoke the FIPS function? Thanks. On Sun, Dec 6, 2015 at 1:30 AM, Roumen Petrov <openssh at roumenpetrov.info> wrote: > security veteran w...
2015 Dec 04
6
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Hi All: I tried to rebuild openssl with the FIPS modules, and then install the new openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box. After that I noticed it seemed to break OpenSSH: I couldn't login to the box using ssh, and couldn't run the client command like ssh-keygen either. My questions are: 1. Does OpenSSH support FIPS mode? 2. Or does OpenSSH support with
2008 Apr 05
2
installing dotnet20 fails
I am trying to install dotnet20 in 0.9.58 with sh winetricks dotnet20 It hangs after extracting a file with sh winetricks dotnet20 Using system libcrypto, version 90709F DLSYM: Failed to resolve FIPS_mode_set: 127 DLSYM: Failed to resolve FIPS_mode: 127 DLSYM: Failed to resolve SHA256: 127 DLSYM: Failed to resolve SHA512: 127 DLSYM: Failed to resolve EVP_sha224: 127 DLSYM: Failed to resolve EVP_sha256: 127 DLSYM: Failed to resolve EVP_sha384: 127 DLSYM: Failed to resolve EVP_sha512: 127 fixme:to...
2011 Aug 03
0
OpenSSH and FIPS 140-2
...() && !FIPSCHECK_verify(NULL, NULL)) { fprintf(stderr, "FIPS integrity verification test failed.\n"); exit(3); } This block of code is always in main() soon after starting service/client. Why are they checking FIPS_mode() if the FIPS_mode_set() wasn't even called before that? The SSLeay_add_all_algorithms() is supposed to call FIPS_mode_set()? Another question I have is why are they using FIPSCHECK_verify() from libfipscheck if the FIPS_mode_set() already checks the incore fingerprint when called. Is this another requirement from FIPS...
2004 Jun 04
2
Patch for FIPS 140 mode - take 3
...l be, in the OpenSSL_0_9_7_stable branch. The documentation describing the building and use of the FIPS library has not been released yet pending approval by NIST, but will be included in the OpenSSL source distributions. 5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only 6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but doesn't get enough entropy on HP-UX (no EGD or /dev/urandom). So for ssh.c I moved the seed_rng() call forwards quite a bit, that may cause other problems. Also, the PRNG is awkwardly re-seeded for the child process with a new PID. Ben...
2008 Apr 21
3
FIPS 140-2 OpenSSL(2007) patches
...if test "x$withval" != "xno" ; then + AC_CACHE_CHECK([for FIPS mode], ac_cv_fips, [ + AC_TRY_COMPILE( + [ #include <openssl/fips.h> ], + [ FIPS_mode_set(1); ], + [ ac_cv_fips="yes" ], + [ ac_cv_fips="no" ] + ) + ]) + fi + ] +) +if test "x$ac_cv_fips" = "xyes" ; th...
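Review bot: the FIPS probe inside AC_CACHE_CHECK uses AC_TRY_COMPILE, so the body `FIPS_mode_set(1);` only has to compile against <openssl/fips.h>; if the header is present but the libcrypto being linked does not export the symbol, ac_cv_fips is still set to "yes" and the build fails later at link time. Switch the probe to AC_TRY_LINK with the same include and body so that a "yes" result means FIPS_mode_set actually resolves in the library the build will use.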
2012 Mar 15
11
[Bug 1991] New: openssl version checking needs updating
https://bugzilla.mindrot.org/show_bug.cgi?id=1991 Bug #: 1991 Summary: openssl version checking needs updating Classification: Unclassified Product: Portable OpenSSH Version: 5.9p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Miscellaneous