
Re: Problem when working using libssh with openssl fips support


Hi Yaron,

FIPS mode in libssh is not supported and seems not to work. Unfortunately
no volunteer-based f/oss project is going to actively support FIPS
without a sponsor, because it makes no sense from a technical or security
point of view, and compliance is only required for commercial matters.

We haven't inspected the changes and tweaks to libssh needed to be FIPS
compatible yet. I suggest you find a way to avoid using FIPS openssl if
possible.
If that's really important for your use case, please send us an email at
support@xxxxxxxxxx and we'll work together on a quote for the required work.

Best regards,

Aris

On 15/07/15 15:46, yaron nisimov wrote:
> Hi,
>
> I've built the latest LIBSSh version 0.7.1 with openssl 1.0.1p.
> When working in fips mode I'm receiving a SIGABRT (call to
> ssh_connect, see stack trace):
>
> ################
> Program received signal SIGABRT, Aborted.
> 0x00b9d425 in __kernel_vsyscall ()
> (gdb) bt
> #0  0x00b9d425 in __kernel_vsyscall ()
> #1  0x00422b11 in raise () from /lib/libc.so.6
> #2  0x004243ea in abort () from /lib/libc.so.6
> #3  0x08d342d2 in OpenSSLDie (file=0x8f9d806 "sha_locl.h", line=128,
> assertion=0x8f9d7cc "Low level API call to digest SHA1 forbidden in
> FIPS mode!")
>     at cryptlib.c:963
> #4  0x08f9d7cc in SHA1_version ()
> #5  0x0923896c in ?? ()
> #6  0x08c5f8be in make_sessionid (session=0xf3f11f00) at
> /home/prod/CABuilds/libssh-0.7.1/src/dh.c:646
> #7  0x08c6c867 in ssh_packet_newkeys (session=0xf3f11f00, type=21
> '\025', packet=0xf3f0eff0, user=0xf3f11f00)
>     at /home/prod/CABuilds/libssh-0.7.1/src/packet_cb.c:157
> #8  0x08c6bef7 in ssh_packet_process (session=0xf3f11f00, type=21
> '\025') at /home/prod/CABuilds/libssh-0.7.1/src/packet.c:428
> #9  0x08c6bbb2 in ssh_packet_socket_callback (data=0xf3f0cea8,
> receivedlen=16, user=0xf3f11f00) at
> /home/prod/CABuilds/libssh-0.7.1/src/packe
> #10 0x08c6bc17 in ssh_packet_socket_callback (data=0xf3f0cb68,
> receivedlen=848, user=0xf3f11f00) at
> /home/prod/CABuilds/libssh-0.7.1/src/pack
> #11 0x08c74a54 in ssh_socket_pollcallback (p=0xf3f12cf8, fd=164,
> revents=1, v_s=0xf3f0f810) at
> /home/prod/CABuilds/libssh-0.7.1/src/socket.c:
> #12 0x08c729a4 in ssh_poll_ctx_dopoll (ctx=0xf3f12d18, timeout=29949)
> at /home/prod/CABuilds/libssh-0.7.1/src/poll.c:632
> #13 0x08c73f5f in ssh_handle_packets (session=0xf3f11f00,
> timeout=29949) at /home/prod/CABuilds/libssh-0.7.1/src/session.c:613
> #14 0x08c74046 in ssh_handle_packets_termination (session=0xf3f11f00,
> timeout=30000, fct=0x8c5e35e <ssh_connect_termination>, user=0xf3f11f00
>     at /home/prod/CABuilds/libssh-0.7.1/src/session.c:675
> #15 0x08c5e737 in ssh_connect (session=0xf3f11f00) at
> /home/prod/CABuilds/libssh-0.7.1/src/client.c:549
> ################
>
> Is it possible that the current LIBSSh version is not compliant for
> working in fips mode?
> Any idea how I can solve this?
>
> Thanks,
> Yaron
>

