Hi Tomas,
You said that OpenSSH do not use the *FIPS_incore_fingerprint* call. But it
does *FIPS_mode_set* call and that does *FIPS_incore_fingerprint* call.
int FIPS_mode_set(int onoff)
{
int fips_set_owning_thread();
int fips_clear_owning_thread();
int ret = 0;
fips_w_lock();
fips_set_started();
fips_set_owning_thread();
if(onoff)
{
unsigned char buf[48];
fips_selftest_fail = 0;
....
if(!FIPS_check_incore_fingerprint())
{
fips_selftest_fail = 1;
ret = 0;
goto end;
}
....
}
Did Red Hat Enterprise Linux OpenSSL and OpenSSH modules modify
FIPS_mode_set function, and this OpenSSL don't
use FIPS_check_incore_fingerprint() call ?
Regards,
Tatiana
2011/8/3 Tomas Mraz <[email protected]>
> On Wed, 2011-08-03 at 15:02 -0300, Tatiana Evers wrote:
> > Hi,
> >
> >
> > I'm a little confused with FIPS integrity test. I'm using openssh and
> > it is using fipscheck library (FIPSCHECK_verify) to verify integrity
> > of its binaries. But FIPS_mode_set function calls
> > FIPS_incore_fingerprint to verify in execution time the integrity of
> > the application. Why do we need an external validation?
> > Isn't FIPS_incore_fingerprint sufficient to verify integrity?
>
> You're mixing the OpenSSL upstream FIPS module with the Red Hat
> Enterprise Linux OpenSSL and OpenSSH modules. They use different
> integrity verification test and they do not use the
> FIPS_incore_fingerprint call.
> --
> Tomas Mraz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]
>
