similar to: OpenSSH and FIPS 140-2

Hi, I am happy to (re)send a set of patches for compiling OpenSSH 4.7p1 with FIPS 140-2 OpenSSL. These are based on previously reported patches by Steve Marquess <marquess at ieee.org> and Ben Laurie <ben at algroup.co.uk>, for ver. OpenSSH 3.8. Note that these patches are NOT OFFICIAL, and MAY be used freely by anyone. Issues [partially] handled: SSL FIPS Self test. RC4,

Does anyone knows if there is a patch for OpenSSH in order to make it work with 0.9.8r OpenSSL in FIPS Mode ? I'm having problem with the RSA_public_decrypt() function that is failing in FIPS Mode, I changed it to use RSA_verify instead and setting the flag "RSA_FLAG_NON_FIPS_ALLOW", and it's working fine now, but I'm not sure if this is allowed in FIPS Mode, does anyone

You're right, that probably won't have very good performance. What we (unladen-swallow) do is to call getPointerToFunction which gives a function pointer of type (void*)(void*) which we then cast to the appropriate function type and then call from C/C++. That way the C/C++ compiler for your application can codegen the function call once instead having the JIT do it many times. Reid On

Thanks Roumen. >Lets assume that application use OpenSSL FIPS validated module. FIPS mode is activated in openssl command if environment variable OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode. Did you mean the FIPS patched OpenSSH server and client (such as ssh-keygen) always

Hello, I'm using the llvm-c bindings for C, but I'm getting some problems, the LLVMCreateExecutionEngine is returning 1 but the error message is an empty string (it's !=NULL). The steps I'm doing is to create the module, then I call LLVMVerifyModule to verify and it works fine, later I call LLVMCreateModuleProviderForExistingModule and it returns !=NULL MP, so it's ok, but

Hello, I'm new to LLVM and I had a question about it: when we call the JIT::runFunction, since llvm doesn't has a full FFI, there are some cases in which the JIT needs to codegen a stub function to call the function we are interested, my question is: this stub function will remains in the module until when ? What are the most efficient way to remove it from the module and memory ? For a

Greetings. (Third try at sending this, the first two seemed to disappear without a trace. Perhaps use of MS Outlook was the problem, even though in plain text...? Or attachment too big (22Kb)? Would like to know...) The final source code and documentation package for a FIPS 140 validated mode of OpenSSL was recently submitted. Once the final certification is awarded by NIST, in a month or

I am trying to install dotnet20 in 0.9.58 with sh winetricks dotnet20 It hangs after extracting a file with sh winetricks dotnet20 Using system libcrypto, version 90709F DLSYM: Failed to resolve FIPS_mode_set: 127 DLSYM: Failed to resolve FIPS_mode: 127 DLSYM: Failed to resolve SHA256: 127 DLSYM: Failed to resolve SHA512: 127 DLSYM: Failed to resolve EVP_sha224: 127 DLSYM: Failed to

Thanks Roumen. I have few more questions below: 1. What version of OpenSSH can the patch be applied to? What branch should I check out the patch? 2. >Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck". What build process should be changed? What is fipscheck? 3. My understanding any application (such as OpenSSH) which need

Hello, I'm facing some problems while building LLVM 2.8 shared libraries from source using CMake: cmake -DBUILD_SHARED_LIBS=true .. This is the output error: CMake Error: The inter-target dependency graph contains the following strongly connected component (cycle): "LLVMARMCodeGen" of type SHARED_LIBRARY depends on "LLVMARMAsmPrinter"

The patch to enable FIPS mode for openssh 6.0p1 missed two instances of the ssh client trying to use MD5. It causes pubkey-based authentication to fail in FIPS mode. I have copied the missing changes from auth2-pubkey.c into sshconnect2.c. Here is a patch: diff -cr openssh-6.0p1/sshconnect2.c openssh-6.0p1-patched/sshconnect2.c *** openssh-6.0p1/sshconnect2.c Sun May 29 07:42:34 2011 ---

Dear team The API FIPS_selftest() is failing . The content of the file /proc/sys/crypto/fips_enabled is 1 I have executed the below mentioned code The code is #include "stdio.h" int main() { int ret=0; ret=FIPS_mode(); printf("\nFIPS_mode = %u \n",ret); ret=FIPS_selftest(); printf("\nFIPS_selftest=%u \n",ret); ERR_print_errors_fp(stderr); }

Hi All: I tried to rebuild openssl with the FIPS modules, and then install the new openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box. After that I noticed it seemed to break OpenSSH: I couldn't login to the box using ssh, and couldn't run the client command like ssh-keygen either. My questions are: 1. Does OpenSSH support FIPS mode? 2. Or does OpenSSH support with

I am confused on how ssh_SSLeay_add_all_algorithms() get used in the ssh applications for openssh-5.7p1 and later releases. I don't see any of the applications making calls to ssh_SSLeay_add_all_algorithms(). There is a macro that redefines SSLeay_add_all_algorithms() to ssh_SSLeay_add_all_algorithms() but I don't see any code calling SSLeay_add_all_algorithms(). In openssh-5.6p1 and

Hi all, i have an * version: Asterisk SVN-branch-1.2-r45691, I need to register a linksys 922 phone thru internet and when I make sip debug command i see this debug information: -- SIP read from x.x.x.x:1024: REGISTER sip:mysipserver.com SIP/2.0 Via: SIP/2.0/UDP x.x.x.x:1025;branch=z9hG4bK-839856dc From: "SPA922" <sip:5403@mysipserver.com>;tag=685bbad1fae3325do0 To:

Hello, I am looking into the ssh sources. I couldn't get docs for SSLeay_add_all_algorithms. I tried for this in openssl.org. Can someone give some pointers for documents, which can tell how to use the SSL functions used in the ssh sources and what they do?? thanks kapil

I'm in the process of installing OpenSSH-2.5.1p1 on a cluster of machines. One of the aspects of a previous (non-OpenSSH) version of ssh that I had been using was its ability to tolerate soft links to it. Thus, one could set up # ln -s /usr/bin/ssh /usr/local/bin/machine and thereafter type just 'machine' to connect to that host. This version of OpenSSH doesn't appear to

Hi all. While on the subject of the OpenSSL interface, this patch optionally enables OpenSSL's ENGINE support at build time. Apply to a snapshot, autoreconf and "./configure --with-ssl-engine". Testing (esp. with a real hardware engine) would be appreciated. Index: INSTALL =================================================================== RCS file:

https://bugzilla.mindrot.org/show_bug.cgi?id=1437 Summary: OpenSSL engine support not enabled Classification: Unclassified Product: Portable OpenSSH Version: 4.7p1 Platform: Other OS/Version: Mac OS X Status: NEW Severity: normal Priority: P2 Component: Miscellaneous AssignedTo: bitbucket at

Hi, I am trying to install tinc-1.0pre8 on my RH 9.0 (kernel 2.4.20-13.9) system. I have already installed Openssl (v0.9.7a). When i try to run the ./configure script, it stops at the follwing check ---SNIP-- checking openssl/pem.h presence... yes checking for openssl/pem.h... yes checking for SHA1_version in -lcrypto... yes checking for RAND_pseudo_bytes... yes checking for