bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-17 09:29 UTC
[Bug 2995] New: Use SSH KDF from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
Bug ID: 2995
Summary: Use SSH KDF from OpenSSL
Product: Portable OpenSSH
Version: 7.9p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 3264
--> https://bugzilla.mindrot.org/attachment.cgi?id=3264&action=edit
Use SSH KDF from OpenSSL
The new OpenSSL 1.1.1b implements the SSH KDF [1], which should be
preferably used in (portable) OpenSSH instead of the internal
implementation.
The attached patch implements an alternative derive_key() function inside
of kex.c, which is compiled in when the new KDF API in OpenSSL is
detected during build time.
[1] https://www.openssl.org/docs/manmaster/man7/EVP_KDF_SSHKDF.html
--
You are receiving this mail because:
You are watching the assignee of the bug.
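
Added example, not part of the bug report or the attached patch: the key derivation from RFC 4253 section 7.2, which is the computation an SSH KDF such as EVP_KDF_SSHKDF performs. The function names and the sample inputs below are constructed for illustration.

```python
import hashlib
import struct

# RFC 4253 section 7.2: the letter selects which of the six keys is derived.
LABELS = {b"A": "iv_c2s", b"B": "iv_s2c", b"C": "enc_c2s",
          b"D": "enc_s2c", b"E": "mac_c2s", b"F": "mac_s2c"}


def mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # leading zero keeps the value positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def ssh_kdf(hash_name, k_mpint, h, letter, session_id, need):
    """K1 = HASH(K || H || letter || session_id),
    Kn = HASH(K || H || K1 || ... || K(n-1)); output is K1 || K2 || ...
    truncated to `need` bytes. K must already be mpint-encoded."""
    if letter not in LABELS:
        raise ValueError("letter must be one of A..F")
    prefix = k_mpint + h
    out = hashlib.new(hash_name, prefix + letter + session_id).digest()
    while len(out) < need:
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:need]


def derive_session_keys(hash_name, k_mpint, h, session_id, need):
    """Derive all six keys (both IVs, cipher keys and MAC keys)."""
    return {name: ssh_kdf(hash_name, k_mpint, h, letter, session_id, need)
            for letter, name in LABELS.items()}


# Constructed sample inputs, not taken from a real key exchange.
SAMPLE_K = mpint(int.from_bytes(
    hashlib.sha256(b"constructed shared secret").digest(), "big"))
SAMPLE_H = hashlib.sha256(b"constructed exchange hash").digest()
SAMPLE_SID = SAMPLE_H  # the first exchange hash doubles as the session id

if __name__ == "__main__":
    keys = derive_session_keys("sha256", SAMPLE_K, SAMPLE_H, SAMPLE_SID, 64)
    for name, key in keys.items():
        print(name, key.hex())
```
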
bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-18 01:49 UTC
[Bug 2995] Use SSH KDF from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|NEW |RESOLVED
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I don't see any advantages to using an external implementation of a
core piece of the SSH protocol.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-23 13:21 UTC
[Bug 2995] Use SSH KDF from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
Francois <flamoureux at rsa.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |flamoureux at rsa.com
--- Comment #2 from Francois <flamoureux at rsa.com> ---
One big advantage to having the option to offload SSH KDF to OpenSSL is
potentially easier FIPS compliance.
Assuming OpenSSL goes through FIPS validation where its SSH KDF
implementation is FIPS validated, then if OpenSSH was to offload its
KDF to OpenSSL one could claim "FIPS Inside" for OpenSSH.
As of today this is not possible because key derivation is done by
OpenSSH, not by OpenSSL.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-23 17:00 UTC
[Bug 2995] Use SSH KDF from OpenSSL
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
Mark D Baushke <mdb at juniper.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mdb at juniper.net
--- Comment #3 from Mark D Baushke <mdb at juniper.net> ---
A general solution would be to put the cryptographic primitives used
by OpenSSH into their own shared library so that someone who desires
to create a cryptographic boundary around it would be able to do so.
In this way, an OpenSSH built with --without-openssl could still be
functional and become a stand-alone cryptographic module.
I fully expect that NIST FIPS 186-5 will be published soon and will
provide for a number of new algorithms which will also include
ed25519, ed448 and chacha20-poly1305 in addition to the current set.
The future may also hold curve25519 and curve448 even though they
seem not to be in the next set of FIPS documents.
Making these algorithms easy to test via the
Automated Cryptographic Validation Testing
URL:
https://csrc.nist.gov/Projects/Automated-Cryptographic-Validation-Testing
would seem to be generally useful to me in the long run as it would
provide for fully exercising the cryptographic primitive
implementations.
Isolation of the algorithms from the SSH protocol may also allow for
better optimization of these primitives and include the possibility of
using acceleration instructions like AES (AES-NI) and SHA (SHA-NI)
instructions available for some kinds of CPU (AMD, ARM, Intel, etc.)
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
--- Comment #4 from Francois <francois.lamoureux at dell.com> ---
Just as an FYI, for those watching this enhancement request, some Linux
vendors have started using SSHKDF from OpenSSL.
Source:
https://www.suse.com/support/update/announcement/2020/suse-ru-20200581-1/
https://bugzilla.mindrot.org/show_bug.cgi?id=2995
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release