OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
security veteran
2016-01-28 02:12:04 UTC
Hi Jakub,

I have one question regarding the FIPS patch in
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch :

I assume somewhere from within the OpenSSH code it should invoke
FIPS_set_mode API, but all I saw was FIPS_mode().
Does FIPS_mode() serve the same purposes as FIPS_set_mode()?

Also the patch is for OpenSSH 7.0. Is there a patch for OpenSSH 6.6?

Thanks.
Thanks Jakub.
If I want to build the FIPS-supported OpenSSH, do I just need to apply this
one single patch
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
to the vanilla OpenSSH source code?
I saw there are a few other patches for OpenSSH version 6.7p1 under the same
folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/.
Do I need these other patches?
It should be enough to add that one, which is directly related to FIPS. There were
other unused patches, which I have cleaned up now.
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
Jakub Jelen
2016-01-28 08:12:24 UTC
Post by security veteran
I have one question regarding the FIPS patch in
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
I assume somewhere from within the OpenSSH code it should invoke
FIPS_set_mode API, but all I saw was FIPS_mode().
Does FIPS_mode() serve the same purposes as FIPS_set_mode()?
FIPS_mode() is an OpenSSL function [1]. As the manual page says, it determines
whether FIPS mode is enabled. The other function, FIPS_mode_set() [2], is
used to modify the FIPS status (enable/disable).

OpenSSH itself should not change the FIPS mode. It should behave
according to the system setup (FIPS mode should be set up system-wide).
Post by security veteran
Also the patch is for OpenSSH 7.0. Is there a patch for OpenSSH 6.6?
You should be able to go back in the git history to the 6.6 version or get
hold of the CentOS patches [3], where we use the 6.6 version.

[1] https://wiki.openssl.org/index.php/FIPS_mode%28%29
[2] https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
[3] https://git.centos.org/blob/rpms!openssh/6745269c7b486c1c096ca27e0c1aa97fe8b03c60/SOURCES!openssh-6.6p1-fips.patch;jsessionid=f8qjnilsd281oo2uwua8fm17

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
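The pattern Jakub describes (the application only reads the system-wide FIPS state and then confines itself to approved algorithms, never enabling or disabling FIPS mode itself) is illustrated by the following added example. It is not code from the Fedora patch or from OpenSSH: the cipher allowlist is constructed for the example, the FIPS flag is read from the Linux kernel's `/proc/sys/crypto/fips_enabled` as a stand-in for calling OpenSSL's `FIPS_mode()`, and `filter_cipher_list` is a hypothetical helper that drops non-allowlisted entries from an SSH `Ciphers` style list.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allowlist for this example: SSH cipher names that map onto
 * AES modes acceptable under FIPS. Not the Fedora patch's own table. */
static const char *fips_ciphers[] = {
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", NULL
};

/* "Behave according to the system setup": read the kernel's system-wide
 * FIPS flag instead of enabling FIPS from inside the application. In a
 * build linked against OpenSSL this is where FIPS_mode() would be called.
 * Returns 1 when FIPS is enabled, 0 when it is off or the file is absent. */
int system_fips_enabled(void)
{
    FILE *f = fopen("/proc/sys/crypto/fips_enabled", "r");
    int v = 0;
    if (f) {
        if (fscanf(f, "%d", &v) != 1) v = 0;
        fclose(f);
    }
    return v == 1;
}

static int is_fips_cipher(const char *name)
{
    for (const char **p = fips_ciphers; *p; p++)
        if (strcmp(*p, name) == 0) return 1;
    return 0;
}

/* Filter a comma-separated SSH cipher list. With fips == 0 the list passes
 * through unchanged; with fips == 1 only allowlisted names survive. The
 * result is written to out (capacity outlen); returns the number of
 * ciphers kept, or -1 if a buffer is too small. */
int filter_cipher_list(const char *list, int fips, char *out, size_t outlen)
{
    char buf[512];
    int kept = 0;
    out[0] = '\0';
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (fips && !is_fips_cipher(tok)) continue;
        if (strlen(out) + strlen(tok) + 2 > outlen) return -1;
        if (kept++) strcat(out, ",");
        strcat(out, tok);
    }
    return kept;
}
```

A caller would pass `system_fips_enabled()` as the `fips` argument; an empty result (0 ciphers kept) is the case to detect and fail loudly on, since it means the configured list contains nothing usable under FIPS.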
security veteran
2016-01-28 10:25:52 UTC
Thanks Jakub.

With this patch, would both the SSH server side (e.g. sshd) and client side
(e.g. ssh, scp, ssh-keygen) applications be operating with OpenSSL FIPS
mode?

Thanks a lot for your answers.
Post by security veteran
I have one question regarding the FIPS patch in
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
I assume somewhere from within the OpenSSH code it should invoke
FIPS_set_mode API, but all I saw was FIPS_mode().
Does FIPS_mode() serve the same purposes as FIPS_set_mode()?
FIPS_mode() is an OpenSSL function [1]. As the manual page says, it determines
whether FIPS mode is enabled. The other function, FIPS_mode_set() [2], is used to
modify the FIPS status (enable/disable).
OpenSSH itself should not change the FIPS mode. It should behave according
to the system setup (FIPS mode should be set up system-wide).
Post by security veteran
Also the patch is for OpenSSH 7.0. Is there a patch for OpenSSH 6.6?
You should be able to go back in the git history to the 6.6 version or get
hold of the CentOS patches [3], where we use the 6.6 version.
[1] https://wiki.openssl.org/index.php/FIPS_mode%28%29
[2] https://wiki.openssl.org/index.php/FIPS_mode_set%28%29
[3] https://git.centos.org/blob/rpms!openssh/6745269c7b486c1c096ca27e0c1aa97fe8b03c60/SOURCES!openssh-6.6p1-fips.patch;jsessionid=f8qjnilsd281oo2uwua8fm17
Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev