security veteran
2015-Dec-07 15:44 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Roumen.

I have a few more questions below:

1. What version of OpenSSH can the patch be applied to? What branch should I check out for the patch?

2.
> Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck".
What build process should be changed? What is fipscheck?

3. My understanding is that any application (such as OpenSSH) which needs to use the OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function first, otherwise the OpenSSL library will be operating as the non-FIPS version. My question is, how and when does the OpenSSH server invoke the FIPS function?

Thanks.

On Sun, Dec 6, 2015 at 1:30 AM, Roumen Petrov <openssh at roumenpetrov.info> wrote:
> security veteran wrote:
>> Hi All:
>>
>> I tried to rebuild openssl with the FIPS modules, and then install the new openssl libs (libcrypto.so to be specific) on my Ubuntu 12.04 box.
>>
>> After that I noticed it seemed to break OpenSSH: I couldn't login to the box using ssh, and couldn't run the client command like ssh-keygen either.
>>
>> My questions are:
>>
>> 1. Does OpenSSH support FIPS mode?
>>
>> 2. Or does OpenSSH work with the OpenSSL FIPS modules?
>>
>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to make it FIPS compliant?
>>
>> 4. Are the RedHat OpenSSH FIPS modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf) also open sourced to the OpenSSH community?
>
> Redhat uses a different FIPS validation process for OpenSSL. You could extract the fips patch from the source package.
> Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck".
>
> You could try with my version of secure shell. It includes OpenSSH but adds support for public key algorithms based on X.509 certificates and works with FIPS enabled openssl.
> It should work with OpenSSL built with the FIPS module, or with the RedHat or Solaris openssl fips enabled library, either in fips mode or not.
>
> Regards,
> Roumen Petrov
>
> --
> Get SSH with X.509 certificate support
> http://roumenpetrov.info/openssh/
Roumen Petrov
2015-Dec-07 19:39 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
security veteran wrote:
> Thanks Roumen.
>
> I have a few more questions below:
>
> 1. What version of OpenSSH can the patch be applied to? What branch should I check out for the patch?
There is no separate patch, but I offer a file with all differences to openssh - see the link (diff) on the download page http://roumenpetrov.info/openssh/download.html

> 2.
>> Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck".
> What build process should be changed? What is fipscheck?
It is a different way to check the integrity of files (executables) - https://fedorahosted.org/fipscheck/ .

> 3. My understanding is that any application (such as OpenSSH) which needs to use the OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function first, otherwise the OpenSSL library will be operating as the non-FIPS version.
> My question is, how and when does the OpenSSH server invoke the FIPS function?
Let's assume that the application uses an OpenSSL FIPS validated module. FIPS mode is activated in the openssl command if the environment variable OPENSSL_FIPS is set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS mode. The code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.

[SNIP]

Roumen
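The activation sequence Roumen describes, written out as an added example in C (this is not code from OpenSSH or from Roumen's package): it honours OPENSSL_FIPS, calls FIPS_mode_set(1) only when FIPS_mode() reports the module is not already in FIPS mode, and fails closed when the request cannot be met. It resolves the two OpenSSL entry points at run time with dlopen (the soname list is an assumption of the example), so it also builds and runs on a host whose libcrypto has no FIPS support and reports that case instead of silently continuing in non-FIPS mode.

```c
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of the activation attempt; FIPS_UNAVAILABLE must stop the caller. */
enum fips_state {
    FIPS_NOT_REQUESTED = 0, /* OPENSSL_FIPS unset or empty: stay non-FIPS */
    FIPS_ALREADY_ON    = 1, /* FIPS_mode() already returned 1             */
    FIPS_ENABLED       = 2, /* FIPS_mode_set(1) succeeded                  */
    FIPS_UNAVAILABLE   = 3  /* requested, but libcrypto cannot honour it   */
};
typedef int (*fips_mode_fn)(void);
typedef int (*fips_mode_set_fn)(int);
/* Sonames to try (an assumption of this example); the first that loads wins. */
static const char *const libcrypto_names[] =
    { "libcrypto.so", "libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so.1.0.0", NULL };

/* The sequence from the reply: honour OPENSSL_FIPS, and call FIPS_mode_set(1)
 * only when the crypto module is not already in FIPS mode. */
enum fips_state fips_activate_from_env(void)
{
    const char *req = getenv("OPENSSL_FIPS");
    if (req == NULL || *req == '\0')
        return FIPS_NOT_REQUESTED;
    void *h = NULL;
    for (int i = 0; libcrypto_names[i] != NULL && h == NULL; i++)
        h = dlopen(libcrypto_names[i], RTLD_NOW);
    if (h == NULL)
        return FIPS_UNAVAILABLE;            /* no libcrypto found at all */
    fips_mode_fn     fips_mode     = (fips_mode_fn)dlsym(h, "FIPS_mode");
    fips_mode_set_fn fips_mode_set = (fips_mode_set_fn)dlsym(h, "FIPS_mode_set");
    if (fips_mode == NULL || fips_mode_set == NULL)
        return FIPS_UNAVAILABLE;            /* library lacks the FIPS entry points */
    if (fips_mode() == 1)
        return FIPS_ALREADY_ON;
    /* In the OpenSSL FIPS Object Module this call runs the power-on self tests
     * before switching modes; it returns 0 if they fail or FIPS is unsupported. */
    return fips_mode_set(1) == 1 ? FIPS_ENABLED : FIPS_UNAVAILABLE;
}
int main(void)
{
    enum fips_state s = fips_activate_from_env();
    if (s == FIPS_UNAVAILABLE) {            /* fail closed rather than run non-FIPS */
        fputs("OPENSSL_FIPS is set but FIPS mode could not be enabled\n", stderr);
        return 1;
    }
    printf("fips state: %d\n", (int)s);
    return 0;
}
```

On glibc older than 2.34 link with -ldl; run as `OPENSSL_FIPS=1 ./a.out` to see whether the installed libcrypto can actually enter FIPS mode.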
security veteran
2015-Dec-07 20:15 UTC
OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?
Thanks Roumen.

> Let's assume that the application uses an OpenSSL FIPS validated module. FIPS mode is activated in the openssl command if the environment variable OPENSSL_FIPS is set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS mode. The code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.

Did you mean the FIPS patched OpenSSH server and client (such as ssh-keygen) always check the environment variable OPENSSL_FIPS to see if FIPS mode is activated?

Also I think applications which need to use OpenSSL FIPS mode will also need to run the FIPS self test functions (also provided by the OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?

Thanks.

On Mon, Dec 7, 2015 at 11:39 AM, Roumen Petrov <openssh at roumenpetrov.info> wrote:
> security veteran wrote:
>> Thanks Roumen.
>>
>> I have a few more questions below:
>>
>> 1. What version of OpenSSH can the patch be applied to? What branch should I check out for the patch?
>
> There is no separate patch, but I offer a file with all differences to openssh - see the link (diff) on the download page http://roumenpetrov.info/openssh/download.html
>
>> 2.
>>> Impact is not only for source code. Build process has to be updated as well. Red Hat is based on "fipscheck".
>> What build process should be changed? What is fipscheck?
>
> It is a different way to check the integrity of files (executables) - https://fedorahosted.org/fipscheck/ .
>
>> 3. My understanding is that any application (such as OpenSSH) which needs to use the OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function first, otherwise the OpenSSL library will be operating as the non-FIPS version.
>> My question is, how and when does the OpenSSH server invoke the FIPS function?
>
> Let's assume that the application uses an OpenSSL FIPS validated module. FIPS mode is activated in the openssl command if the environment variable OPENSSL_FIPS is set. Similarly I use the OPENSSL_FIPS environment variable to activate FIPS mode.
> The code will call FIPS_mode_set(1) if the crypto module is not in FIPS mode.
>
> [SNIP]
>
> Roumen