openssh unix dev - Jun 2004 - Patch for FIPS 140 mode - take 3

Greetings.

(Third try at sending this, the first two seemed to disappear without a 
trace.
Perhaps use of MS Outlook was the problem, even though in plain text...?  Or
attachment too big (22Kb)?  Would like to know...)

The final source code and documentation package for a FIPS 140 validated 
mode
of OpenSSL was recently submitted.  Once the final certification is 
awarded by
NIST, in a month or two hopefully, it will be possible to build FIPS 140
validated applications with the FIPS mode OpenSSL library.

Ben Laurie and I have developed the attached patch that adapts OpenSSH-3.8p1
for use with the FIPS mode OpenSSL library.  This patch as minimal as 
possible,
to serve as a model for "FIPS-izing" applications and to satisfy the 
immediate
needs of my client that co-sponsored the bulk of the validation effort.

Some notes:

1) For practical purposes only static linking with the FIPS library is
supported.  The configure checks for static linking may not be portable 
to all
platforms.

2) FIPS mode is enabled at runtime for ssh and sshd only.  Properly speaking
the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as well.

3) MD5 is not allowed in FIPS mode.  For the specific case of shadow 
password
support I enabled MD5 using a special API call intended for use with 
TLS.  FIPS
140 will permit that since the shadow passwords are generated and maintained
entirely outside of OpenSSH.  However, the use of MD5 for passphrases is not
allowed.  As-is this patch will allow keys to be used only with null 
passphrases,
and FIPS 140 doesn't allow that either (all keys input or output from an
application must be encrypted with a FIPS 140 approved algorithm).  So,
passwords only and no keys.

How about a SHA1 passphrase encryption option...?

4) The OpenSSL source code used to generate the FIPS mode library is, or 
soon
will be, in the OpenSSL_0_9_7_stable branch.  The documentation 
describing the
building and use of the FIPS library has not been released yet pending 
approval
by NIST, but will be included in the OpenSSL source distributions.

5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only

6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but
doesn't get enough entropy on HP-UX (no EGD or /dev/urandom).  So for 
ssh.c I
moved the seed_rng() call forwards quite a bit, that may cause other 
problems.
Also, the PRNG is awkwardly re-seeded for the child process with a new 
PID.  Ben
Laurie has suggested a helper function in OpenSSL to simplify those 
steps, but
it isn't done yet.

-Steve M.

Steve Marquess
DMLSS Technical Manager    
JMLFDC, 623 Porter Street, Ft. Detrick, MD  21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
steve.marquess at det.amedd.army.mil

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Patch
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040604/64d4d87c/attachment.ksh

Hi All,

Steve, patch look very nice and simple.

Markus, what is you opinion about FIPS support in OpenSSH ?


My suggestions about patch are as follows:

1.) What about to allow fips mode to be set in config files or with -o 
command line option ?

2.) File fips.h is only one line.
Instead of '#include "fips.h"' we can put 'extern int
fips_mode;' in
mac.c, cipher.c and etc.

3.) Where is best plase to put variable fips_mode ? Might is better to 
put it in cipher.c ?

4.1.) What about when config files or command line explicitly set macs 
option and FIPS is disabled from command line or config file{s} ?
Sample: ssh{d} ... -o macs=... -y ...
I cannot agree with changes in myproposal.h/mac.c/readconf.c/servconf.c.
Steve, in ssh.c/sshd.c/ you must check allowed macs after 
fill_default_[server_]options.
Might is better to check at end of the fill methods.
Only in fips mode when option.macs is NULL you musts set explicitly to 
"hmac-sha1,hmac-sha1-96".

4.2)  Same as 5.1. for ciphers.

Proposed solution is to add fips_mode to option structures(readconf.h 
rservconf.h).
a.) Initialize it as to -1.
b.) Use lines like following
#ifdef OPENSSL_FIPS
{ "fipsmode", {s|o}FipsMode }
#else
{ "fipsmode", {s|o}Unsupported }
#endif
c.) in fill_default .... methods
    if (options->fipsmode == -1)
#ifdef OPENSSL_FIPS
        options->fipsmode = 1;
#else
        options->fipsmode = 0;
#endif
    fipsmode = options->fipsmode;
d.) at end of fill... methods to validate macs and ciphers and to set 
them explicitly to non-NULL only in fipsmode.

5.) What hapen with key fingerprints when MD5 is disabled ?

6.) Should ssh-keyscan be FIPS 140 aware and when yes what's happen when 
server has rsa1 key ?

7.) Might in FIPS mode ssh protocol version 1 must be always disabled ?
Please see sshd.c and servconf.c.

8.) Should we clear datafellows flag SSH_BUG_RSASIGMD5 in method 
compat_datafellows from compat.c or when flag is set should we accept 
connection ?
Please see ssh-rsa.c.

9.) What about to use configure option --with-ssl-static(fips build 
request must set implicitly static_crypto_lib="yes") ?
As example in configure.ac we can use (note following lines are writen 
from scratch):
================================================....
#request explicit link with static crypto lib.
static_crypto_lib="no"
AC_ARG_WITH(ssl-static,
    [  --with-ssl-static         <FIXME: appropriate message>],
    [
        if test "x$withval" != "xno" ; then   
            static_crypto_lib="yes"
        fi
    ]
)
....
if test "x$ac_cv_fips" = "xyes" ; then
    static_crypto_lib="yes"
fi
if  "x$static_crypto_lib="xyes"; then
case "$host" in
*-*-hpux11*)   
    LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-Bstatic -lcrypto 
-Wl,-Bdynamic /'`
    ;;
*-*-linux*)
    LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-aarchive -lcrypto 
-Wl,-adefault /'`
    ;;
*)
    AC_MSG_ERROR([FIXME: crypto lib static linking])
esac
fi
....
================================================
10.) At end of configure is good to show that FIPS is enabled.


Steve Marquess wrote:
> Greetings.
>
> (Third try at sending this, the first two seemed to disappear without 
> a trace.
> Perhaps use of MS Outlook was the problem, even though in plain 
> text...?  Or
> attachment too big (22Kb)?  Would like to know...)
>
> The final source code and documentation package for a FIPS 140 
> validated mode
> of OpenSSL was recently submitted.  Once the final certification is 
> awarded by
> NIST, in a month or two hopefully, it will be possible to build FIPS 140
> validated applications with the FIPS mode OpenSSL library.
>
> Ben Laurie and I have developed the attached patch that adapts 
> OpenSSH-3.8p1
> for use with the FIPS mode OpenSSL library.  This patch as minimal as 
> possible,
> to serve as a model for "FIPS-izing" applications and to satisfy
the
> immediate
> needs of my client that co-sponsored the bulk of the validation effort.
>
> Some notes:
>
> 1) For practical purposes only static linking with the FIPS library is
> supported.  The configure checks for static linking may not be 
> portable to all
> platforms.
>
> 2) FIPS mode is enabled at runtime for ssh and sshd only.  Properly 
> speaking
> the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as well.
>
> 3) MD5 is not allowed in FIPS mode.  For the specific case of shadow 
> password
> support I enabled MD5 using a special API call intended for use with 
> TLS.  FIPS
> 140 will permit that since the shadow passwords are generated and 
> maintained
> entirely outside of OpenSSH.  However, the use of MD5 for passphrases 
> is not
> allowed.  As-is this patch will allow keys to be used only with null 
> passphrases,
> and FIPS 140 doesn't allow that either (all keys input or output from
an
> application must be encrypted with a FIPS 140 approved algorithm).  So,
> passwords only and no keys.
>
> How about a SHA1 passphrase encryption option...?
>
> 4) The OpenSSL source code used to generate the FIPS mode library is, 
> or soon
> will be, in the OpenSSL_0_9_7_stable branch.  The documentation 
> describing the
> building and use of the FIPS library has not been released yet pending 
> approval
> by NIST, but will be included in the OpenSSL source distributions.
>
> 5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only
>
> 6) The FIPS_mode_set() call tries to self-seed using the non-FIPS 
> PRNG, but
> doesn't get enough entropy on HP-UX (no EGD or /dev/urandom).  So for 
> ssh.c I
> moved the seed_rng() call forwards quite a bit, that may cause other 
> problems.
> Also, the PRNG is awkwardly re-seeded for the child process with a new 
> PID.  Ben
> Laurie has suggested a helper function in OpenSSL to simplify those 
> steps, but
> it isn't done yet.
>
> -Steve M.
>
> Steve Marquess
> DMLSS Technical Manager    JMLFDC, 623 Porter Street, Ft. Detrick, MD  
> 21702
> DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
> steve.marquess at det.amedd.army.mil
>
>[SNIP]
>

Roumen Petrov wrote:
> Hi All,
>
> Steve, patch look very nice and simple.
Thanks for taking the time to look it over.  I write it knowing there 
would be
room for improvement, hoping to stimulate discussion by those more familiar
with OpenSSH than I.  All of your suggestions look good to me; more detailed
comments follow.
> My suggestions about patch are as follows:
>
> 1.) What about to allow fips mode to be set in config files or with -o 
> command line option ?
Works for me.  Usually there would be no no reason to run sshd in a 
non-FIPS mode
if you need FIPS mode at all, but it wouldn't hurt.
>
> 2.) File fips.h is only one line.
> Instead of '#include "fips.h"' we can put 'extern int
fips_mode;' in
> mac.c, cipher.c and etc.
>
> 3.) Where is best plase to put variable fips_mode ? Might is better to 
> put it in cipher.c ?
I wasn't sure of the cleanest way to implement fips_mode, so just went 
for the obvious.
> 4.1.) What about when config files or command line explicitly set macs 
> option and FIPS is disabled from command line or config file{s} ?
> Sample: ssh{d} ... -o macs=... -y ...
> I cannot agree with changes in myproposal.h/mac.c/readconf.c/servconf.c.
> Steve, in ssh.c/sshd.c/ you must check allowed macs after 
> fill_default_[server_]options.
> Might is better to check at end of the fill methods.
> Only in fips mode when option.macs is NULL you musts set explicitly to 
> "hmac-sha1,hmac-sha1-96".
>
> 4.2)  Same as 5.1. for ciphers.
>
> Proposed solution is to add fips_mode to option structures(readconf.h 
> rservconf.h).
> a.) Initialize it as to -1.
> b.) Use lines like following
> #ifdef OPENSSL_FIPS
> { "fipsmode", {s|o}FipsMode }
> #else
> { "fipsmode", {s|o}Unsupported }
> #endif
> c.) in fill_default .... methods
>    if (options->fipsmode == -1)
> #ifdef OPENSSL_FIPS
>        options->fipsmode = 1;
> #else
>        options->fipsmode = 0;
> #endif
>    fipsmode = options->fipsmode;
> d.) at end of fill... methods to validate macs and ciphers and to set 
> them explicitly to non-NULL only in fipsmode.
Looks like a cleaner approach.
> 5.) What hapen with key fingerprints when MD5 is disabled ?
MD5 is a problem; NIST doesn't like it.  MD5 can be used only where 
plain text would be
allowable.  It is permitted in TLS, for example, because SHA1 is used in 
addition to MD5.
The passphrases for keys can't be used in FIPS mode, for example.

The simple generation and display of MD5 fingerprints isn't necessarily 
forbidden, but the
_use_ of the result for any security related function is.

Ideally I'd like to see a SHA1 option for passphrases and fingerprints.  
That's a big and
intrusive mod worthy of more discussion.  Any chance it could happen?
> 6.) Should ssh-keyscan be FIPS 140 aware and when yes what's happen 
> when server has rsa1 key ?
Probably, as should ssh-add and ssh-keygen.  I was being lazy there, 
plus my immediate
requirement is for ssh and sshd only.
> 7.) Might in FIPS mode ssh protocol version 1 must be always disabled ?
> Please see sshd.c and servconf.c.
Well, I considered protocol version 2 only because version 1 is 
essentially forbidden
for government use, i.e. wherever you would care about FIPS mode.
> 8.) Should we clear datafellows flag SSH_BUG_RSASIGMD5 in method 
> compat_datafellows from compat.c or when flag is set should we accept 
> connection ?
> Please see ssh-rsa.c.
Over my head, I'll have to study this one.
> 9.) What about to use configure option --with-ssl-static(fips build 
> request must set implicitly static_crypto_lib="yes") ?
> As example in configure.ac we can use (note following lines are writen 
> from scratch):
> ================================================> ....
> #request explicit link with static crypto lib.
> static_crypto_lib="no"
> AC_ARG_WITH(ssl-static,
>    [  --with-ssl-static         <FIXME: appropriate message>],
>    [
>        if test "x$withval" != "xno" ; then
> static_crypto_lib="yes"
>        fi
>    ]
> )
> ....
> if test "x$ac_cv_fips" = "xyes" ; then
>    static_crypto_lib="yes"
> fi
> if  "x$static_crypto_lib="xyes"; then
> case "$host" in
> *-*-hpux11*)      LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-Bstatic 
> -lcrypto -Wl,-Bdynamic /'`
>    ;;
> *-*-linux*)
>    LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-aarchive -lcrypto 
> -Wl,-adefault /'`
>    ;;
> *)
>    AC_MSG_ERROR([FIXME: crypto lib static linking])
> esac
> fi
> ....
> ================================================
Yep, looks cleaner.
> 10.) At end of configure is good to show that FIPS is enabled.
Agreed!

Guys, please let me know if you'd like me to work some more on cleaning 
up my
patch, or if someone else would like to take this and run with it.

Thanks,

-Steve M.