Subject: Re: building libssh2 on FIPS enabled system

From: Ján Osuský <Jan.Osusky_at_iblsoft.com>
Date: Mon, 12 Aug 2013 16:07:19 +0200

Hi,

I used libssh2 1.4.2.
The failure happened in kex.c, in the function "diffie_hellman_sha1", where there is this part of the code:
#if LIBSSH2_MD5
         {
             libssh2_md5_ctx fingerprint_ctx;

             libssh2_md5_init(&fingerprint_ctx);
             libssh2_md5_update(fingerprint_ctx, session->server_hostkey,
                                session->server_hostkey_len);
             libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5);
         }

which must not be called when MD5 is not available. That's why I concentrated on properly setting "LIBSSH2_MD5".

JanO

On Mon, 12 Aug 2013 15:49:36 +0200, Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Monday, August 12, 2013 15:00:04 Ján Osuský wrote:
>> Hi,
>>
>> I tried to build libssh2 on FIPS 140-2 compliant RedHat Linux. The build
>> succeeded but the actual connections failed during the key exchange phase. I
>> noticed that it was related to the use of non-FIPS compliant algorithms
>> (namely MD5) which are not available in libcrypto when in FIPS mode. I fixed
>> it by patching "src/openssl.h". If there is a better way, let me know.
>> Anyhow, my patch is attached, have fun.
>
> Thanks for the heads up! Could you please provide more details on how you
> triggered the failure, what version of libssh2 you were using, and what
> application you were running on top of libssh2?
>
> The patch does not seem to be right because it disables the algorithms
> at compile time. The decision about which algorithm to use should be
> postponed to the run time IMO.
>
> Kamil
>

-- 
Ján Osuský (Jan.Osusky_at_iblsoft.com)
IBL Software Engineering, http://www.iblsoft.com
Galvaniho 17/C, 82104 Bratislava, Slovakia
Tel: +421-2-32662111, fax: +421-2-32662110
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-08-12
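
Added example, not part of the thread and not libssh2 code: a Python illustration of the run-time decision Kamil suggests, where the MD5 host key fingerprint is attempted and skipped if the crypto backend refuses it, while a pinned-fingerprint check still fails closed. The function names, the SHA-256 fingerprint, the ValueError behaviour of a FIPS-mode backend and the sample key bytes are assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample input: stand-in bytes for a server host key blob.
SAMPLE_HOSTKEY = b"\x00\x00\x00\x07ssh-rsa" + bytes(range(32))


def try_digest(factory, data):
    """Hash data, or return None when the backend refuses the algorithm."""
    try:
        ctx = factory()
        ctx.update(data)
        return ctx.hexdigest()
    except ValueError:
        # Assumption: a FIPS-enforcing libcrypto rejects MD5 when the
        # context is created, which Python surfaces as ValueError.
        return None


def hostkey_fingerprints(hostkey, md5_factory=hashlib.md5):
    """Compute fingerprints; MD5 is optional and decided at run time."""
    return {
        "md5": try_digest(md5_factory, hostkey),
        "sha256": try_digest(hashlib.sha256, hostkey),
    }


def check_pinned(hostkey, algo, pinned_hex, md5_factory=hashlib.md5):
    """Compare with a pinned fingerprint; fail closed if algo is unavailable."""
    actual = hostkey_fingerprints(hostkey, md5_factory).get(algo)
    if actual is None:
        # Skipping the MD5 fingerprint must not mean skipping verification.
        raise RuntimeError(f"{algo} fingerprint unavailable on this host; "
                           "re-pin with an approved hash")
    return hmac.compare_digest(actual, pinned_hex.lower())


def fips_md5():
    """Hypothetical stand-in for MD5 on a FIPS-mode host (always refuses)."""
    raise ValueError("disabled for FIPS")


if __name__ == "__main__":
    print(hostkey_fingerprints(SAMPLE_HOSTKEY))
    print(hostkey_fingerprints(SAMPLE_HOSTKEY, md5_factory=fips_md5))
```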