Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Openssh triggers symcrypt engine init even when FIP is disabled #61

Open
wumiaont opened this issue Jun 27, 2024 · 0 comments
Open

Openssh triggers symcrypt engine init even when FIP is disabled #61

wumiaont opened this issue Jun 27, 2024 · 0 comments
Assignees
@xumia

Comments

@wumiaont
Copy link

Symcrypt engine and provider are only available when FIPS is enabled. It's found that openssh patch src/openssh.patch/microsoft-symcrypt-fips.patch is doing SCOSSL_ENGINE_Initialize() during ssh_libcrypto_init(). Sonic design will take FIPS images when FIPS is supported.

With this design even when FIPS is disabled on the chassis, openssh will still make SCOSSL_ENGINE_Initialize(). It does not seems to break any openssh feature through.

Recommend solution is to remove microsoft-symcrypt-fips.patch from openssh. Openssl already has patches to initialize Symcrypt provider and engine when FIPS is enabled. That should be enough.
@xumia xumia self-assigned this Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xumia xumia

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wumiaont @xumia