On Tuesday, July 29, 2014 02:48:58 john gloster wrote: > Hi, > > From http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=9f6fd5a > > Did you mean that the following are not FIPS compliant? > > · EVP_aes_256_cbc > > · EVP_aes_192_cbc > > · EVP_aes_128_cbc
I think the problem was that OpenSSL did not like that libssh2 implemented the CTR cipher mode on its own when FIPS mode was enabled. When I switched libssh2 back to use the OpenSSL-provided implementation of those ciphers, it started to work (after fixing the surrounding code to use correct block sizes via commit 5d567fa). Kamil > On Fri, Jul 25, 2014 at 1:59 PM, Kamil Dudka <[email protected]> wrote: > > On Friday, July 25, 2014 10:08:02 Bert Huijben wrote: > > > If I remember correctly there is a compile time flag for libssh2 to > > > > enable a > > > > > strict fips mode. > > > > I do not think so. Did not you mean a compile time flag for OpenSSL? > > > > > I would guess this might break compatibility with some (probably older) > > > > ssh > > > > > implementations that don't implement newer (optional) cyphers. > > > > > > Bert > > > > > > -----Original Message----- > > > From: "john gloster" <[email protected]> > > > Sent: 25-7-2014 09:33 > > > To: "[email protected]" <[email protected]> > > > Subject: FIPS Compliance. > > > > > > Hi, > > > > > > > > > I wanted to know whether libssh2 1.4.2/1.4.3 are compatible with FIPS > > > compliant OpenSSL version openssl-1.0.0-20 ? > > > > I pushed a few FIPS-related patches between 1.4.2 and 1.4.3: > > > > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=43b730c > > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=bfbb5a4 > > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=5d567fa > > http://git.libssh2.org/?p=libssh2.git;a=commitdiff;h=9f6fd5a > > > > > I compiled libssh2 1.4.3 with this particular version of openssl and i > > > > could > > > > > see that my application linking to this libssh crashes. > > > > > > > > > In other cases, my application runs successfully if i compile libssh2 > > > > 1.4.3 > > > > > with openssl-1.0.1e-16. > > > > > > > > > Could some one please shed light on this one? > > > > The basic idea behind those patches is to return a failure if a non-FIPS > > algorithm (such as MD5) is requested by the application. So libssh2 > > should > > no longer crash on its own. Still you need to handle these failures in > > your > > application in order not to crash anyway. > > > > Kamil > > > > > Alternately please let me know whether i can configure libssh2 to use a > > > particular set crypto algorithms supported by the openssl. > > > > > > > > > Thanking you on advance. _______________________________________________ libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
