Bugzilla – Bug 1165158
openssh: several patches are of dubious use or snake oil
Last modified: 2023-05-30 10:42:01 UTC
openssh ships a number of patches, some of dubious use.

openssh-7.7p1-fips.patch, openssh-7.7p1-fips_checks.patch: openssl 1.1.x does not have a FIPS module, fips_mode() always returns false. The compiler does not know that fact and cannot optimize it out.

openssh-7.7p1-seed-prng.patch: always snake oil, but now with the addition that in the current Linus tree /dev/urandom and /dev/random are backed by exactly the same code and the latter only blocks if the CRNG has not been initialised. In most systems it will never block.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=acd77500aa8a337baa6d853568c4b55aca48e20f

Also openssl 1.1.x uses a FIPS approved rng by default.
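The /dev/random behaviour described in the report above can be checked on a given Linux system with a small program. This is an added example, not part of the bug report or of the openssh patches; the helper names `crng_ready` and `read_nonblock` are made up for illustration. On a kernel that includes the linked change, both devices return the full request without blocking once the CRNG is initialised.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the kernel CRNG is initialised, 0 if a
 * blocking read would still wait for it, -1 on any other error. */
int crng_ready(void)
{
    unsigned char b;
    ssize_t n;
    do {
        n = getrandom(&b, 1, GRND_NONBLOCK);
    } while (n < 0 && errno == EINTR);
    if (n == 1)
        return 1;
    return (errno == EAGAIN) ? 0 : -1;
}

/* Hypothetical helper: read up to len bytes from path with O_NONBLOCK.
 * Returns the number of bytes obtained, or -1 if the device cannot be
 * opened. A short count means the device would have blocked. */
ssize_t read_nonblock(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break; /* EAGAIN: a blocking read would have waited here */
        got += (size_t)n;
    }
    close(fd);
    return (ssize_t)got;
}

int main(void)
{
    unsigned char a[32], b[32];
    printf("CRNG initialised: %d\n", crng_ready());
    printf("/dev/random:  %zd of 32 bytes\n", read_nonblock("/dev/random", a, sizeof a));
    printf("/dev/urandom: %zd of 32 bytes\n", read_nonblock("/dev/urandom", b, sizeof b));
    return 0;
}
```

A short count from /dev/random while `crng_ready()` returns 1 indicates an older kernel that still uses the separate blocking pool.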
Thanks. I still need to establish what to do about the first one, but the RNG one will be dropped on the 8.3 update.
(In reply to Hans Petter Jansson from comment #1)
> Thanks. I still need to establish what to do about the first one, but the
> RNG one will be dropped on the 8.3 update.

It is my understanding that you will have to redo all of this since the FIPS provider in OpenSSL 3.x is a completely different beast.