Hi OpenSSH mailing list,

I would like to announce the newly introduced patch in Fedora rawhide [0] for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 version.

The patch targets OpenSSL support of OpenSSH, specifically the usage of the old low-level API. The new OpenSSL version 3.0 introduces a FIPS module (going through FIPS 140-2 validation and to be FIPS 140-3 validated) which can be used with the new EVP API to state OpenSSH being FIPS compliant (using OpenSSL). The problem is, the old API does not use the FIPS module, therefore the change is needed for the new API.

What does this mean in practice? Critical cryptographic operations should be changed to the new EVP API to ensure FIPS compatibility. The affected operations are: key generation, signature creation and Diffie-Hellman style shared secret calculation.

To achieve that, the key structures needed to be changed from RSA, EC, DH to EVP_PKEY, but this change would be very costly as a lot of code should have been rewritten to align the function calls using these structures. Therefore a different approach was implemented: keep the old key structures and wrap the affected operations with the EVP_PKEY API (importing the key to EVP_PKEY from the old structures, executing the cryptographic operation and converting the output back to the old API if needed). This approach is not perfect, but a lot more maintainable as a downstream patch. If there is any interest in reworking the OpenSSL support for the 3.0 version upstream, that would be much appreciated.

The patch doesn't cover the PKCS#11 OpenSSH implementation, which is a separate issue blocked by support in OpenSSL 3.0.

[0] - https://src.fedoraproject.org/rpms/openssh/c/b63272d9eb8efef881524b2fed0d658780b197a7?branch=rawhide

Regards
Norbert Pocs

On 4/18/23 05:05, Norbert Pocs wrote:
> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for FIPS compliance efforts. The change will be introduced in an upcoming
> RHEL 9 version.

Why does Fedora care about FIPS 140? To me, this seems like it should be specific to RHEL and maybe CentOS Stream, not Fedora. My understanding is that Fedora will never be FIPS 140 compliant anyway so there is no point in even trying, not least because the FIPS validated version will generally be _less_ secure than the non-FIPS version. To give just one example, OpenSSH defaults to a post-quantum key exchange that FIPS does not allow.

--
Sincerely,
Demi Marie Obenour (she/her/hers)

On Tue, 18 Apr 2023, Norbert Pocs wrote:
> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for FIPS compliance efforts. The change will be introduced in an upcoming
> RHEL 9 version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> which can be used with the new EVP API to state OpenSSH being FIPS
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> module, therefore the change is needed for the new API.

While I'm sure this is good for RHEL/rawhide users who care about FIPS, Portable OpenSSH won't be able to merge this. We explicitly aim to support LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that I'd describe as "best effort").

If this changes we can look again.

-d

I think the better approach would have been the EVP native rewrite. It's cleaner and inevitable.

I had to do a similar rewrite for Asterisk recently. Probably less painful, but took me about 16 man hours to write and test (including adding bundled tests).