Bug 1987

Summary: FIPS signature verification incompatibility with openssl versions > 0.9.8q
Product: Portable OpenSSH
Reporter: kape <kak>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Version: 5.9p1
Hardware: All
OS: All
Attachments:
  Suggested patch (flags: none)

Description kape 2012-02-25 04:48:16 AEDT
Created attachment 2135 [details]
Suggested patch

When building openssh with openssl library with FIPS (specifically versions newer than openssl 0.9.8q), there is an issue if FIPS mode is active for openssl.  In ssh-rsa.c on line 243 RSA_public_decrypt is called, which is disallowed now in openssl (if in FIPS mode).  The library requires applications to use the EVP API if running in FIPS mode so it can disallow certain cipher suites and hash algorithms that are not considered FIPS compliant.  The user experience is that the scp/ssh client fails because RSA_public_decrypt just returns null if FIPS mode is active in openssl > 0.9.8q.

The reference below states that there is a patch, but I cannot find it so I am submitting my own for review.

References:
http://www.mail-archive.com/openssl-users@openssl.org/msg63512.html
Comment 1 Damien Miller 2012-03-09 10:14:23 AEDT
OpenSSH doesn't (yet) have support for FIPS OpenSSL. We might one day, but in the meantime you should address this to the developers of one of the FIPS patchsets.

Unfortunately, this approach disables our custom RSA signature-verification code that is designed to save a substantial amount of pre-authentication attack surface from sshd. For this reason it is not going to be accepted for regular OpenSSH.
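The description above reports that RSA_public_decrypt() is refused in FIPS mode, and the reply above explains why OpenSSH relies on it: the ssh-rsa verifier takes the raw PKCS#1 v1.5 encoded message back from the library and compares a fixed DigestInfo prefix plus the hash byte-for-byte, so no ASN.1 parser runs on attacker-controlled signature bytes before authentication. The following is an added illustration of that shape of check written in plain Python; it is not the code from ssh-rsa.c, not the attached patch, and uses no OpenSSL. The toy RSA key generation and the sample message are constructed for the demo; the SHA-1 DigestInfo prefix is the standard value from RFC 3447.

```python
"""Model of an OpenSSH-style ssh-rsa (PKCS#1 v1.5, SHA-1) signature check.

Added example, not OpenSSH's own code. The modular exponentiation stands in
for what RSA_public_decrypt() returns; the interesting part is the verify
routine, which checks the padding and then does a fixed-length comparison
against a constant DigestInfo prefix instead of parsing DER.
"""
import hashlib
import hmac
import random

# DER encoding of DigestInfo for SHA-1 minus the digest (RFC 3447, 9.2 note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def _is_probable_prime(n, rounds=20, rng=random.Random(1)):
    """Miller-Rabin primality test, sufficient for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_toy_rsa_key(bits=512, seed=42):
    """Deterministic toy key (constructed for the demo; never use for real keys)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return n, e, pow(e, -1, phi)


def pkcs1_v15_sha1_encode(message, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || SHA1(message)."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5 encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message, n, d):
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_v15_sha1_encode(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def openssh_style_verify(message, sig, n, e):
    """Verify without any DER parsing of the recovered bytes."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:  # signature must be exactly modulus-sized
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    # Padding check equivalent to RSA_public_decrypt(..., RSA_PKCS1_PADDING).
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least 8 FF bytes, then 00
        return False
    recovered = em[i + 1:]
    expected = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    # Fixed-length, constant-time comparison against a constant prefix + hash.
    return len(recovered) == len(expected) and hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    n, e, d = make_toy_rsa_key()
    msg = b"constructed sample message"  # constructed for the demo
    sig = sign(msg, n, d)
    print("good signature:", openssh_style_verify(msg, sig, n, e))
    print("altered message:", openssh_style_verify(msg + b"!", sig, n, e))
```

The recovered bytes are only ever compared for equality against a constant, which is the property the reply above is protecting; an EVP-based verifier would instead hand the recovered DigestInfo to a DER decoder inside the library.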
Comment 2 Damien Miller 2015-08-11 23:03:40 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1