OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS
We recently built FIPS compliant OpenSSL 0.9.8q. Earlier we were using 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when running the OpenSSH client, connection setup fails during verification of the server key. We did not run into this SSH issue with 0.9.8l.

Has anything changed between 0.9.8l and 0.9.8q that would cause this? The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has it somehow been tightened up?

Below is the snippet of SSH debug logs:

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vos-cm130' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug2: bits set: 1020/2048
bad decrypted len: 0 != 20 + 15
debug1: ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key

Any help would be greatly appreciated.

Thanks
Anamitra
Re: OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS
On Wed, Feb 23, 2011, anmajumd wrote:

> We recently built FIPS compliant OpenSSL 0.9.8q. Earlier we were using
> 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when
> running the OpenSSH client, connection setup fails during verification
> of the server key. We did not run into this SSH issue with 0.9.8l.
>
> Has anything changed between 0.9.8l and 0.9.8q that would cause this?
> The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has
> it somehow been tightened up?

Yes, you aren't allowed to call RSA_public_decrypt() directly in FIPS mode: instead you have to use the EVP interface for EVP_Verify*().

There is a patch which changes the ssh code to use EVP instead (while still being compatible with other versions of OpenSSL).

Due to a bug the restriction wasn't enforced in some versions of OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
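As an added illustration (not code from this thread, OpenSSH or OpenSSL), this Python sketch shows the low-level verification pattern behind the log line "bad decrypted len: 0 != 20 + 15": recover the padded block with the public key, then expect a 15-byte SHA-1 DigestInfo prefix followed by a 20-byte digest. The toy key, the function names and the primitive_allowed switch are assumptions made for the example, and reading 20 and 15 as those two lengths is an interpretation of the log.

```python
import hashlib

# Constructed toy key from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo header for SHA-1 (PKCS#1 v1.5): 15 bytes, then the digest.
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
HLEN = hashlib.sha1().digest_size      # 20


def sign(data: bytes) -> bytes:
    """PKCS#1 v1.5 signature: 00 01 FF..FF 00 || DigestInfo, raised to D."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def public_decrypt(sig: bytes, primitive_allowed: bool = True) -> bytes:
    """Recover the padded block with the public key and strip type-1 padding.

    primitive_allowed=False is a hypothetical switch that models a library
    refusing the low-level call and handing back no data.
    """
    if not primitive_allowed:
        return b""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)          # end of the FF padding run
    if em[:2] != b"\x00\x01" or sep < 10 or set(em[2:sep]) != {0xFF}:
        return b""
    return em[sep + 1:]


def verify(data: bytes, sig: bytes, primitive_allowed: bool = True) -> str:
    """Length check first, then compare against prefix || SHA-1(data)."""
    dec = public_decrypt(sig, primitive_allowed)
    if len(dec) != HLEN + len(SHA1_PREFIX):
        return f"bad decrypted len: {len(dec)} != {HLEN} + {len(SHA1_PREFIX)}"
    if dec != SHA1_PREFIX + hashlib.sha1(data).digest():
        return "signature incorrect"
    return "ok"
```

With EVP_Verify*() the padding removal and DigestInfo comparison happen inside the library, so the application never handles the decrypted block itself.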
Re: OpenSSH key verification fails in FIPS mode with 0.9.8q + FIPS
Thanks for your prompt response. Do you have the name of the patch to share with us?

Thanks
Anamitra

On 2/23/11 1:42 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Wed, Feb 23, 2011, anmajumd wrote:
>
> > We recently built FIPS compliant OpenSSL 0.9.8q. Earlier we were using
> > 0.9.8l. With ssh binaries linked to FIPS compliant OpenSSL 0.9.8q, when
> > running the OpenSSH client, connection setup fails during verification
> > of the server key. We did not run into this SSH issue with 0.9.8l.
> >
> > Has anything changed between 0.9.8l and 0.9.8q that would cause this?
> > The call to OpenSSL that ultimately fails is RSA_public_decrypt(). Has
> > it somehow been tightened up?
>
> Yes, you aren't allowed to call RSA_public_decrypt() directly in FIPS
> mode: instead you have to use the EVP interface for EVP_Verify*().
>
> There is a patch which changes the ssh code to use EVP instead (while
> still being compatible with other versions of OpenSSL).
>
> Due to a bug the restriction wasn't enforced in some versions of OpenSSL.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org