Discussion:
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
(too old to reply)
security veteran
2015-12-04 02:26:05 UTC
Permalink
Hi All:

I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.

After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.

My questions are:

1. Does OpenSSH support FIPS mode?

2. Or does OpenSSH support with OpenSSL FIPS modules?

3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?

4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?



Thanks.
Tomas Kuthan
2015-12-04 08:39:47 UTC
Permalink
Post by security veteran
I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.
1. Does OpenSSH support FIPS mode?
2. Or does OpenSSH support with OpenSSL FIPS modules?
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Hi security veteran,

vanilla OpenSSH doesn't support running OpenSSL in FIPS-140 mode. Some
downstream providers patch OpenSSH they deliver with their distributions
with changes to enable FIPS-140 mode.

In general, an application that wants to run a FIPS-140 capable OpenSSL
library in FIPS-140 mode, needs to call FIPS_mode_set() first. Otherwise
it runs OpenSSL in default mode with non-FIPS algorithms available. From
my experience this works, but is not FIPS-140 compliant.
Post by security veteran
2.6
FIPS Mode of Operation
Applications that utilize FIPS mode must call the FIPS_mode_set() function. After successful
FIPS mode initialization, the non-FIPS algorithms will be disabled by default.
The FIPS Object Module together with a compatible version of the OpenSSL product can be used
in the generation of both FIPS mode and conventional applications. In this sense, the combination
of the FIPS Object Module and the usual OpenSSL libraries constitutes a “FIPS capable API”, and
provide both FIP approved algorithms and non-FIPS algorithms.
Vanilla OpenSSH obviously doesn't call FIPS_mode_set(). If switching
underlying OpenSSL libcrypto to FIPS-140 capable instance precludes you
from running ssh, most probably there is something wrong with the
FIPS-140 capable OpenSSL you built.

Tomas

[1] https://openssl.org/docs/fips/UserGuide-2.0.pdf
Jakub Jelen
2015-12-04 12:26:36 UTC
Permalink
Post by security veteran
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Yes, what we ship in RHEL is open-source. You can pick up sources that
are actually used in RHEL version in CentOS repository:
https://git.centos.org/summary/?r=rpms/openssh

So as said before, upstream openssh is not FIPS-140 ready and we carry
the patches downstream. I am not sure if there was initiative to provide
patches upstream or if there would be some interest in them here, since
it is quite special use case.
--
Jakub Jelen
Security Technologies
Red Hat
security veteran
2015-12-04 15:38:22 UTC
Permalink
Hi Tomas,

Thanks for your answers!

So based on your answers:

1. Since Vanilla OpenSSH doesn't call FIPS_mode_set() function, it should
work just fine even if the OpenSSL libcrypto.so library has already been
changed to the FIPS version. Is that correct?

2. Looks like there is no such a flag in OpenSSH source to allow you
rebuild it and turn it into FIPS compliant mode, is that correct? In that
case is there a way to re-build OpenSSH server and client (somehow in both
the RedHat and Ubuntu, the OpenSSH is split into two (openssh-server and
openssl-client) packages, so that the non-FIPS compliant functions can be
disabled?


Thanks.
Post by Tomas Kuthan
Post by security veteran
I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.
1. Does OpenSSH support FIPS mode?
2. Or does OpenSSH support with OpenSSL FIPS modules?
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Hi security veteran,
vanilla OpenSSH doesn't support running OpenSSL in FIPS-140 mode. Some
downstream providers patch OpenSSH they deliver with their distributions
with changes to enable FIPS-140 mode.
In general, an application that wants to run a FIPS-140 capable OpenSSL
library in FIPS-140 mode, needs to call FIPS_mode_set() first. Otherwise it
runs OpenSSL in default mode with non-FIPS algorithms available. From my
experience this works, but is not FIPS-140 compliant.
Post by security veteran
2.6
FIPS Mode of Operation
Applications that utilize FIPS mode must call the FIPS_mode_set()
function. After successful
FIPS mode initialization, the non-FIPS algorithms will be disabled by
default.
The FIPS Object Module together with a compatible version of the OpenSSL
product can be used
in the generation of both FIPS mode and conventional applications. In
this sense, the combination
of the FIPS Object Module and the usual OpenSSL libraries constitutes a
“FIPS capable API”, and
provide both FIP approved algorithms and non-FIPS algorithms.
Vanilla OpenSSH obviously doesn't call FIPS_mode_set(). If switching
underlying OpenSSL libcrypto to FIPS-140 capable instance precludes you
from running ssh, most probably there is something wrong with the FIPS-140
capable OpenSSL you built.
Tomas
[1] https://openssl.org/docs/fips/UserGuide-2.0.pdf
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
security veteran
2015-12-04 20:58:18 UTC
Permalink
Thanks Jakub.

How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?

Thanks.
Post by security veteran
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Yes, what we ship in RHEL is open-source. You can pick up sources that are
https://git.centos.org/summary/?r=rpms/openssh
So as said before, upstream openssh is not FIPS-140 ready and we carry the
patches downstream. I am not sure if there was initiative to provide
patches upstream or if there would be some interest in them here, since it
is quite special use case.
--
Jakub Jelen
Security Technologies
Red Hat
security veteran
2015-12-04 21:02:17 UTC
Permalink
Hi Jakub,

Another question I have is, are there any changes in this patch RedHat
Linux distribution specific? The reason I ask is, if I port the changes to
other Linux distribution like Debian or Ubuntu, do you see any issues?

Thanks.

On Fri, Dec 4, 2015 at 12:58 PM, security veteran <
Post by security veteran
Thanks Jakub.
How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?
Thanks.
Post by Jakub Jelen
Post by security veteran
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf
)
also open sourced to the OpenSSH community?
Yes, what we ship in RHEL is open-source. You can pick up sources that
https://git.centos.org/summary/?r=rpms/openssh
So as said before, upstream openssh is not FIPS-140 ready and we carry
the patches downstream. I am not sure if there was initiative to provide
patches upstream or if there would be some interest in them here, since it
is quite special use case.
--
Jakub Jelen
Security Technologies
Red Hat
Roumen Petrov
2015-12-06 09:30:50 UTC
Permalink
Post by security veteran
I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.
1. Does OpenSSH support FIPS mode?
2. Or does OpenSSH support with OpenSSL FIPS modules?
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Redhat use different FIPS validation process for OpenSSL. You could
extract fips patch from source package.
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".

You could try with my version of secure shell. It include OpenSSH but
adds support for public keys algorithms based on X.509 certificates
support and works with FIPS enabled openssl.
It should work with OpenSSL build with FIPS module , RedHat or Solaris
openssl fips enabled library either in fips mode or not.

Regards,
Roumen Petrov
--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/
Jakub Jelen
2015-12-07 15:53:47 UTC
Permalink
Post by security veteran
Hi Jakub,
Another question I have is, are there any changes in this patch RedHat
Linux distribution specific? The reason I ask is, if I port the changes to
other Linux distribution like Debian or Ubuntu, do you see any issues?
I don't think there is something distro-specific. Distro specific parts
are handled in other patches.
Post by security veteran
Thanks.
On Fri, Dec 4, 2015 at 12:58 PM, security veteran <
Post by security veteran
Thanks Jakub.
How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?
Thanks.
We were doing certification for openssh-6.6.1 last time, since it is the
thing we ship in our recent system. But we are maintaining similar patch
for current openssh version (though the name is outdated, it is for
7.1p1) for Fedora [1], even though it is not "verified" by
certification, it should fulfill similar requirements.

[1]
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
--
Jakub Jelen
Security Technologies
Red Hat
security veteran
2015-12-07 15:44:44 UTC
Permalink
Thanks Roumen.

I have few more questions below:

1. What version of OpenSSH can the patch be applied to? What branch should
I check out the patch?

2.
Post by Roumen Petrov
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".
What build process should be changed? What is fipscheck?

3. My understanding any application (such as OpenSSH) which need to use the
OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
first, otherwise the OpenSSL library will be operating as the non-FIPS
version.
My question is, how and when does OpenSSH server invoke the FIPS function?

Thanks.
Post by Roumen Petrov
Post by security veteran
I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.
1. Does OpenSSH support FIPS mode?
2. Or does OpenSSH support with OpenSSL FIPS modules?
3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?
4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?
Redhat use different FIPS validation process for OpenSSL. You could
extract fips patch from source package.
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".
You could try with my version of secure shell. It include OpenSSH but adds
support for public keys algorithms based on X.509 certificates support and
works with FIPS enabled openssl.
It should work with OpenSSL build with FIPS module , RedHat or Solaris
openssl fips enabled library either in fips mode or not.
Regards,
Roumen Petrov
--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/
Roumen Petrov
2015-12-07 19:39:42 UTC
Permalink
Post by security veteran
Thanks Roumen.
1. What version of OpenSSH can the patch be applied to? What branch should
I check out the patch?
There is no separate patch but I offer file with all differences to
openssh - see link (diff) on download page
http://roumenpetrov.info/openssh/download.html
Post by security veteran
2.
Post by Roumen Petrov
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".
What build process should be changed? What is fipscheck?
I different way to check integrity of files(executables) -
https://fedorahosted.org / fipscheck/ .
Post by security veteran
3. My understanding any application (such as OpenSSH) which need to use the
OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
first, otherwise the OpenSSL library will be operating as the non-FIPS
version.
My question is, how and when does OpenSSH server invoke the FIPS function?
Lets assume that application use OpenSSL FIPS validated module. FIPS
mode is activated in openssl command if environment variable
OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable
to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module
is not FIPS mode.


[SNIP]

Roumen
security veteran
2015-12-07 20:15:33 UTC
Permalink
Thanks Roumen.
Lets assume that application use OpenSSL FIPS validated module. FIPS mode
is activated in openssl command if environment variable OPENSSL_FIPS is
set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.

Did you mean the FIPS patched OpenSSH server and client (such as
ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
the FIPS mode is activated?
Also I think for the applications which need to use OpenSSL FIPS mode will
also need to run the FIPS self tests functions (also provided by the
OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?

Thanks.
Post by security veteran
Thanks Roumen.
1. What version of OpenSSH can the patch be applied to? What branch should
I check out the patch?
There is no separate patch but I offer file with all differences to
openssh - see link (diff) on download page
http://roumenpetrov.info/openssh/download.html
2.
Post by security veteran
Post by Roumen Petrov
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".
What build process should be changed? What is fipscheck?
I different way to check integrity of files(executables) -
https://fedorahosted.org / fipscheck/ .
3. My understanding any application (such as OpenSSH) which need to use the
Post by security veteran
OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
first, otherwise the OpenSSL library will be operating as the non-FIPS
version.
My question is, how and when does OpenSSH server invoke the FIPS function?
Lets assume that application use OpenSSL FIPS validated module. FIPS mode
is activated in openssl command if environment variable OPENSSL_FIPS is
set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.
[SNIP]
Roumen
security veteran
2015-12-07 20:21:29 UTC
Permalink
Thanks Jakub.

If I want to build the FIPS supported OpenSSH, do I just need to apply this
one single patch
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch

to the vanilla OpenSSH source code?

I saw there are few other patches for OpenSSH version 6.7p1 under the same
folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/.
Do I need these other patches?

Thanks.
Post by Jakub Jelen
Post by security veteran
Hi Jakub,
Another question I have is, are there any changes in this patch RedHat
Linux distribution specific? The reason I ask is, if I port the changes to
other Linux distribution like Debian or Ubuntu, do you see any issues?
I don't think there is something distro-specific. Distro specific parts
are handled in other patches.
Thanks.
Post by security veteran
On Fri, Dec 4, 2015 at 12:58 PM, security veteran <
Thanks Jakub.
Post by security veteran
How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?
Thanks.
We were doing certification for openssh-6.6.1 last time, since it is the
thing we ship in our recent system. But we are maintaining similar patch
for current openssh version (though the name is outdated, it is for 7.1p1)
for Fedora [1], even though it is not "verified" by certification, it
should fulfill similar requirements.
[1]
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
--
Jakub Jelen
Security Technologies
Red Hat
Roumen Petrov
2015-12-07 20:52:32 UTC
Permalink
Post by security veteran
Thanks Roumen.
Lets assume that application use OpenSSL FIPS validated module. FIPS mode
is activated in openssl command if environment variable OPENSSL_FIPS is
set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.
Did you mean the FIPS patched OpenSSH server and client (such as
ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
the FIPS mode is activated?
Also I think for the applications which need to use OpenSSL FIPS mode will
also need to run the FIPS self tests functions (also provided by the
OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?
Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.

[SNIP]

Roumen
Roumen Petrov
2015-12-07 21:17:40 UTC
Permalink
Post by security veteran
Thanks Roumen.
Post by Roumen Petrov
Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.
I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set
and FIPS_selftest)? If that's the case, when were these functions invoked?
e.g. for client application such as ssh-keygen does it always call these
functions first?
Yes - see code of method ssh_OpenSSL_startup .
$ grep -lw ssh_OpenSSL_startup *.c
ssh-add.c
ssh-agent.c
ssh.c
sshd.c
ssh-keygen.c
ssh-keysign.c

Roumen
security veteran
2015-12-07 21:11:08 UTC
Permalink
Thanks Roumen.
Post by Roumen Petrov
Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.

I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set
and FIPS_selftest)? If that's the case, when were these functions invoked?
e.g. for client application such as ssh-keygen does it always call these
functions first?

Thanks.
Post by Roumen Petrov
Post by security veteran
Thanks Roumen.
Lets assume that application use OpenSSL FIPS validated module. FIPS mode
is activated in openssl command if environment variable OPENSSL_FIPS is
set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.
Did you mean the FIPS patched OpenSSH server and client (such as
ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
the FIPS mode is activated?
Also I think for the applications which need to use OpenSSL FIPS mode will
also need to run the FIPS self tests functions (also provided by the
OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?
Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.
[SNIP]
Roumen
Jakub Jelen
2015-12-08 13:27:52 UTC
Permalink
Post by security veteran
Thanks Jakub.
If I want to build the FIPS supported OpenSSH, do I just need to apply this
one single patch
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
to the vanilla OpenSSH source code?
I saw there are few other patches for OpenSSH version 6.7p1 under the same
folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/.
Do I need these other patches?
It should be enough to add that one, directly related to FIPS. There
were other unused patches, which I cleaned up now.
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
Loading...