www.libssh2.org | Daily snapshots | Mailing list archive | Docs | Examples | github

Archive Index This month's Index

Subject: Re: building libssh2 on FIPS enabled system

Re: building libssh2 on FIPS enabled system

From: Ján Osuský <Jan.Osusky_at_iblsoft.com>
Date: Mon, 12 Aug 2013 16:07:19 +0200


I used libssh2 1.4.2.
The failure happened in kex.c in function "diffie_hellman_sha1" there is part of code:
             libssh2_md5_ctx fingerprint_ctx;

             libssh2_md5_update(fingerprint_ctx, session->server_hostkey,
             libssh2_md5_final(fingerprint_ctx, session->server_hostkey_md5);

which must not be called when MD5 is not available. That's why I concentrated on setting properly the "LIBSSH2_MD5".


On Mon, 12 Aug 2013 15:49:36 +0200, Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Monday, August 12, 2013 15:00:04 Ján Osuský wrote:
>> Hi,
>> I tried to build libssh2 on FIPS 140-2 compliant RedHat Linux. The build
>> succeeded but the actual connections failed during key exchange phase. I
>> noticed that it was related to use of non-FIPS compliant algorithms (namely
>> MD5) which are not available in libcrypto when in FIPS mode. I fixed it by
>> patching "src/openssl.h". If there is a better way, let me know. Anyhow, my
>> patch is attached, have fun.
> Thanks for heads up! Could you please provide more details on how you
> triggered the failure, what version of libssh2 you were using, and what
> application you were running on top of libssh2?
> The patch does not seem to be right because it disables the algorithms
> at compile time. The decision about which algorithm to use should be
> postponed to the run time IMO.
> Kamil

Ján Osuský (Jan.Osusky_at_iblsoft.com)
IBL Software Engineering, http://www.iblsoft.com
Galvaniho 17/C, 82104 Bratislava, Slovakia
Tel: +421-2-32662111, fax: +421-2-32662110
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2013-08-12

the libssh2 team