On Wed, 2011-08-03 at 17:40 -0300, Tatiana Evers wrote:
> Hi Tomas,
>
> You said that OpenSSH does not use the FIPS_incore_fingerprint call. But
> it does call FIPS_mode_set, and that does call FIPS_incore_fingerprint.
>
>
> int FIPS_mode_set(int onoff)
> {
>     int fips_set_owning_thread();
>     int fips_clear_owning_thread();
>     int ret = 0;
>
>     fips_w_lock();
>     fips_set_started();
>     fips_set_owning_thread();
>
>     if(onoff)
>     {
>         unsigned char buf[48];
>
>         fips_selftest_fail = 0;
>         ....
>
>         if(!FIPS_check_incore_fingerprint())
>         {
>             fips_selftest_fail = 1;
>             ret = 0;
>             goto end;
>         }
>         ....
>     }
>
> Did the Red Hat Enterprise Linux OpenSSL and OpenSSH modules modify the
> FIPS_mode_set function, and this OpenSSL doesn't
> use the FIPS_check_incore_fingerprint() call?
Yes, we modified the OpenSSL code and the Red Hat Enterprise Linux
OpenSSL FIPS module is validated independently from the OpenSSL upstream
FIPS module.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
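The quoted FIPS_mode_set snippet shows the in-core integrity check gating entry into FIPS mode: the module recomputes an HMAC over its own loaded code and compares it with the fingerprint embedded at build time, and a mismatch latches fips_selftest_fail and makes FIPS_mode_set return 0. The following Python model is an added illustration of that control flow and is not code from this thread, from OpenSSL, or from the Red Hat module. It assumes a simplified layout (an HMAC-SHA256 fingerprint slot appended to the covered bytes, a constructed key, and a constructed byte string standing in for a text section); the real module's key, covered ranges, build tooling, and remaining self-tests are different and are not reproduced here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key: a stand-in for the fixed HMAC key compiled into a FIPS
# module. It is NOT the key used by any real OpenSSL or Red Hat build.
INTEGRITY_KEY = b"constructed-example-key"
FINGERPRINT_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def compute_fingerprint(covered: bytes) -> bytes:
    """HMAC over the bytes the integrity check covers (everything in the
    image except the fingerprint slot itself)."""
    return hmac.new(INTEGRITY_KEY, covered, hashlib.sha256).digest()


def build_module(code: bytes) -> bytes:
    """Build-time step (the role fipsld plays for the real module): append a
    fingerprint slot holding the HMAC over everything before it."""
    return code + compute_fingerprint(code)


def check_incore_fingerprint(image: bytes) -> bool:
    """Run-time step (stand-in for FIPS_check_incore_fingerprint): recompute
    the HMAC over the covered region and compare it, in constant time, with
    the value stored in the slot. True means the image is intact."""
    if len(image) <= FINGERPRINT_LEN:
        return False
    covered, stored = image[:-FINGERPRINT_LEN], image[-FINGERPRINT_LEN:]
    return hmac.compare_digest(compute_fingerprint(covered), stored)


@dataclass
class FipsState:
    """The two globals the quoted snippet manipulates."""
    mode: int = 0
    selftest_fail: int = 0


def fips_mode_set(state: FipsState, onoff: int, image: bytes) -> int:
    """Mirror the control flow of the quoted FIPS_mode_set: entering FIPS
    mode clears the failure flag, runs the fingerprint check, and on a
    mismatch latches selftest_fail and returns 0. Locking and the thread
    ownership bookkeeping are omitted."""
    if onoff:
        state.selftest_fail = 0
        if not check_incore_fingerprint(image):
            state.selftest_fail = 1
            state.mode = 0
            return 0
        # The real function runs its remaining known-answer self-tests here.
        state.mode = 1
        return 1
    state.mode = 0
    return 1


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit inside the covered region to model a modified binary."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample "module": arbitrary bytes standing in for a text section.
SAMPLE_CODE = b"\x55\x48\x89\xe5 FIPS_mode_set FIPS_selftest_sha256 " * 4


if __name__ == "__main__":
    good = build_module(SAMPLE_CODE)
    st = FipsState()
    print("intact module   :", fips_mode_set(st, 1, good), vars(st))
    st = FipsState()
    print("tampered module :", fips_mode_set(st, 1, tamper(good, 7)), vars(st))
```

The point of the layout is that the fingerprint slot is excluded from the covered bytes, so the build tool can patch it in after the HMAC is computed; any change to the covered region, a single bit here, makes the run-time recomputation disagree with the stored value and keeps the module out of FIPS mode. A vendor that validates its own module independently, as the reply above describes for Red Hat, may implement this check differently or at a different layer, which is why the upstream call name alone does not say what a given build does.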
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]