OpenSSH FIPS 140-2 support using OpenSSL FIPS modules?

[security veteran]

Hi All:

I tried to rebuild openssl with the FIPS modules, and then install the new
openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.

After that I noticed it seemed to break OpenSSH: I couldn't login to the
box using ssh, and couldn't run the client command like ssh-keygen either.

My questions are:

1. Does OpenSSH support FIPS mode?

2. Or does OpenSSH support with OpenSSL FIPS modules?

3. Is there a way to re-compile OpenSSH by turning on/off some flags to
make it FIPS complaint?

4. Does the RedHat OpenSSH FIPS modules (
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
also open sourced to the OpenSSH community?



Thanks.
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Tomas Kuthan]

On 12/ 4/15 03:26 AM, security veteran wrote:
> Hi All:
>
> I tried to rebuild openssl with the FIPS modules, and then install the new
> openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
>
> After that I noticed it seemed to break OpenSSH: I couldn't login to the
> box using ssh, and couldn't run the client command like ssh-keygen either.
>
> My questions are:
>
> 1. Does OpenSSH support FIPS mode?
>
> 2. Or does OpenSSH support with OpenSSL FIPS modules?
>
> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
> make it FIPS complaint?
>
> 4. Does the RedHat OpenSSH FIPS modules (
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
> also open sourced to the OpenSSH community?

Hi security veteran,

vanilla OpenSSH doesn't support running OpenSSL in FIPS-140 mode. Some
downstream providers patch OpenSSH they deliver with their distributions
with changes to enable FIPS-140 mode.

In general, an application that wants to run a FIPS-140 capable OpenSSL
library in FIPS-140 mode, needs to call FIPS_mode_set() first. Otherwise
it runs OpenSSL in default mode with non-FIPS algorithms available. From
my experience this works, but is not FIPS-140 compliant.

User Guide for the OpenSSL FIPS Object Module v2.0 [1]:
> 2.6
> FIPS Mode of Operation
> Applications that utilize FIPS mode must call the FIPS_mode_set() function. After successful
> FIPS mode initialization, the non-FIPS algorithms will be disabled by default.
> The FIPS Object Module together with a compatible version of the OpenSSL product can be used
> in the generation of both FIPS mode and conventional applications. In this sense, the combination
> of the FIPS Object Module and the usual OpenSSL libraries constitutes a “FIPS capable API”, and
> provide both FIP approved algorithms and non-FIPS algorithms.

Vanilla OpenSSH obviously doesn't call FIPS_mode_set(). If switching
underlying OpenSSL libcrypto to FIPS-140 capable instance precludes you
from running ssh, most probably there is something wrong with the
FIPS-140 capable OpenSSL you built.

Tomas

[1] https://openssl.org/docs/fips/UserGuide-2.0.pdf

[Jakub Jelen]

On 12/04/2015 03:26 AM, security veteran wrote:
> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
> make it FIPS complaint?
>
> 4. Does the RedHat OpenSSH FIPS modules (
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
> also open sourced to the OpenSSH community?

Yes, what we ship in RHEL is open-source. You can pick up sources that
are actually used in RHEL version in CentOS repository:
https://git.centos.org/summary/?r=rpms/openssh

So as said before, upstream openssh is not FIPS-140 ready and we carry
the patches downstream. I am not sure if there was initiative to provide
patches upstream or if there would be some interest in them here, since
it is quite special use case.

--
Jakub Jelen
Security Technologies
Red Hat

[security veteran]

Hi Tomas,

Thanks for your answers!

So based on your answers:

1. Since Vanilla OpenSSH doesn't call FIPS_mode_set() function, it should
work just fine even if the OpenSSL libcrypto.so library has already been
changed to the FIPS version. Is that correct?

2. Looks like there is no such a flag in OpenSSH source to allow you
rebuild it and turn it into FIPS compliant mode, is that correct? In that
case is there a way to re-build OpenSSH server and client (somehow in both
the RedHat and Ubuntu, the OpenSSH is split into two (openssh-server and
openssl-client) packages, so that the non-FIPS compliant functions can be
disabled?

Thanks.

On Fri, Dec 4, 2015 at 12:39 AM, Tomas Kuthan <tomas....@oracle.com>
wrote:

> On 12/ 4/15 03:26 AM, security veteran wrote:
>
>> Hi All:
>>
>> I tried to rebuild openssl with the FIPS modules, and then install the new
>> openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
>>
>> After that I noticed it seemed to break OpenSSH: I couldn't login to the
>> box using ssh, and couldn't run the client command like ssh-keygen either.
>>
>> My questions are:
>>
>> 1. Does OpenSSH support FIPS mode?
>>
>> 2. Or does OpenSSH support with OpenSSL FIPS modules?
>>

>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
>> make it FIPS complaint?
>>
>> 4. Does the RedHat OpenSSH FIPS modules (
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
>> also open sourced to the OpenSSH community?
>>
>

[security veteran]

Thanks Jakub.

How does this patch match the OpenSSH source version? Does the patch only
applicable to OpenSSH version 6.6.1, or does other version available as
well?

Thanks.


On Fri, Dec 4, 2015 at 4:26 AM, Jakub Jelen <jje...@redhat.com> wrote:

>
> On 12/04/2015 03:26 AM, security veteran wrote:
>
>> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
>> make it FIPS complaint?
>>
>> 4. Does the RedHat OpenSSH FIPS modules (
>> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
>> also open sourced to the OpenSSH community?
>>

> Yes, what we ship in RHEL is open-source. You can pick up sources that are
> actually used in RHEL version in CentOS repository:
> https://git.centos.org/summary/?r=rpms/openssh
>
> So as said before, upstream openssh is not FIPS-140 ready and we carry the
> patches downstream. I am not sure if there was initiative to provide
> patches upstream or if there would be some interest in them here, since it
> is quite special use case.
>
> --
> Jakub Jelen
> Security Technologies
> Red Hat
>
>

[security veteran]

Hi Jakub,

Another question I have is, are there any changes in this patch RedHat
Linux distribution specific? The reason I ask is, if I port the changes to
other Linux distribution like Debian or Ubuntu, do you see any issues?

Thanks.

[Roumen Petrov]

security veteran wrote:
> Hi All:
>
> I tried to rebuild openssl with the FIPS modules, and then install the new
> openssl libs (lib crypto.so to be specific) on my Ubuntu 12.04 box.
>
> After that I noticed it seemed to break OpenSSH: I couldn't login to the
> box using ssh, and couldn't run the client command like ssh-keygen either.
>
> My questions are:
>
> 1. Does OpenSSH support FIPS mode?
>
> 2. Or does OpenSSH support with OpenSSL FIPS modules?
>

> 3. Is there a way to re-compile OpenSSH by turning on/off some flags to
> make it FIPS complaint?
>
> 4. Does the RedHat OpenSSH FIPS modules (
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1791.pdf)
> also open sourced to the OpenSSH community?
>

Redhat use different FIPS validation process for OpenSSL. You could
extract fips patch from source package.
Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".

You could try with my version of secure shell. It include OpenSSH but
adds support for public keys algorithms based on X.509 certificates
support and works with FIPS enabled openssl.
It should work with OpenSSL build with FIPS module , RedHat or Solaris
openssl fips enabled library either in fips mode or not.

Regards,
Roumen Petrov

--
Get SSH with X.509 certificate support
http://roumenpetrov.info/openssh/

[Jakub Jelen]

On 12/04/2015 10:02 PM, security veteran wrote:
> Hi Jakub,
>
> Another question I have is, are there any changes in this patch RedHat
> Linux distribution specific? The reason I ask is, if I port the changes to
> other Linux distribution like Debian or Ubuntu, do you see any issues?

I don't think there is something distro-specific. Distro specific parts
are handled in other patches.

> Thanks.
>
> On Fri, Dec 4, 2015 at 12:58 PM, security veteran <
> security...@gmail.com> wrote:
>
>> Thanks Jakub.
>>
>> How does this patch match the OpenSSH source version? Does the patch only
>> applicable to OpenSSH version 6.6.1, or does other version available as
>> well?
>>
>> Thanks.

We were doing certification for openssh-6.6.1 last time, since it is the
thing we ship in our recent system. But we are maintaining similar patch
for current openssh version (though the name is outdated, it is for
7.1p1) for Fedora [1], even though it is not "verified" by
certification, it should fulfill similar requirements.

[1]
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch

--
Jakub Jelen
Security Technologies
Red Hat

[security veteran]

Thanks Roumen.

I have few more questions below:

1. What version of OpenSSH can the patch be applied to? What branch should
I check out the patch?

2.

>Impact is not only for source code. Build process has to be updated as
well. Red Hat is based on "fipscheck".

What build process should be changed? What is fipscheck?

3. My understanding any application (such as OpenSSH) which need to use the
OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
first, otherwise the OpenSSL library will be operating as the non-FIPS
version.
My question is, how and when does OpenSSH server invoke the FIPS function?

Thanks.




On Sun, Dec 6, 2015 at 1:30 AM, Roumen Petrov <ope...@roumenpetrov.info>
wrote:

[Roumen Petrov]

security veteran wrote:
> Thanks Roumen.
>
> I have few more questions below:
>
> 1. What version of OpenSSH can the patch be applied to? What branch should
> I check out the patch?

There is no separate patch but I offer file with all differences to
openssh - see link (diff) on download page
http://roumenpetrov.info/openssh/download.html

> 2.
>> Impact is not only for source code. Build process has to be updated as
> well. Red Hat is based on "fipscheck".
> What build process should be changed? What is fipscheck?

I different way to check integrity of files(executables) -
https://fedorahosted.org / fipscheck/ .

> 3. My understanding any application (such as OpenSSH) which need to use the
> OpenSSL FIPS module will need to invoke the "FIPS_mode_set()" function
> first, otherwise the OpenSSL library will be operating as the non-FIPS
> version.
> My question is, how and when does OpenSSH server invoke the FIPS function?

Lets assume that application use OpenSSL FIPS validated module. FIPS
mode is activated in openssl command if environment variable
OPENSSL_FIPS is set. Similarly I use OPENSSL_FIPS environment variable
to activate FIPS mode. Code will call FIPS_mode_set(1) if crypto module
is not FIPS mode.


[SNIP]

Roumen

[security veteran]

Thanks Roumen.

>Lets assume that application use OpenSSL FIPS validated module. FIPS mode
is activated in openssl command if environment variable OPENSSL_FIPS is
set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.

Did you mean the FIPS patched OpenSSH server and client (such as
ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
the FIPS mode is activated?
Also I think for the applications which need to use OpenSSL FIPS mode will
also need to run the FIPS self tests functions (also provided by the
OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?

Thanks.

On Mon, Dec 7, 2015 at 11:39 AM, Roumen Petrov <ope...@roumenpetrov.info>
wrote:

[security veteran]

Thanks Jakub.

If I want to build the FIPS supported OpenSSH, do I just need to apply this
one single patch
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch

to the vanilla OpenSSH source code?

I saw there are few other patches for OpenSSH version 6.7p1 under the same
folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/.
Do I need these other patches?

Thanks.

[Roumen Petrov]

security veteran wrote:
> Thanks Roumen.
>

>> Lets assume that application use OpenSSL FIPS validated module. FIPS mode
> is activated in openssl command if environment variable OPENSSL_FIPS is
> set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
> mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.
>
> Did you mean the FIPS patched OpenSSH server and client (such as
> ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
> the FIPS mode is activated?
> Also I think for the applications which need to use OpenSSL FIPS mode will
> also need to run the FIPS self tests functions (also provided by the
> OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?

Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.

[SNIP]

Roumen

[Roumen Petrov]

security veteran wrote:
> Thanks Roumen.
>

>> Openssl os open source. The method FIPS_mode_set will call
> FIPS_module_mode_set (located in FIPS module) . Please see its code.
> You may review code of apps/openssl.c.
>

> I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set
> and FIPS_selftest)? If that's the case, when were these functions invoked?
> e.g. for client application such as ssh-keygen does it always call these
> functions first?
Yes - see code of method ssh_OpenSSL_startup .
$ grep -lw ssh_OpenSSL_startup *.c
ssh-add.c
ssh-agent.c
ssh.c
sshd.c
ssh-keygen.c
ssh-keysign.c

[security veteran]

Thanks Roumen.

>Openssl os open source. The method FIPS_mode_set will call
FIPS_module_mode_set (located in FIPS module) . Please see its code.
You may review code of apps/openssl.c.

I meant, did your OpenSSH patch actually invoke these functions (FIPS_mode_set
and FIPS_selftest)? If that's the case, when were these functions invoked?
e.g. for client application such as ssh-keygen does it always call these
functions first?

Thanks.



On Mon, Dec 7, 2015 at 12:52 PM, Roumen Petrov <ope...@roumenpetrov.info>
wrote:

> security veteran wrote:
>
>> Thanks Roumen.
>>

>> Lets assume that application use OpenSSL FIPS validated module. FIPS mode
>>>
>> is activated in openssl command if environment variable OPENSSL_FIPS is
>> set. Similarly I use OPENSSL_FIPS environment variable to activate FIPS
>> mode. Code will call FIPS_mode_set(1) if crypto module is not FIPS mode.
>>
>> Did you mean the FIPS patched OpenSSH server and client (such as
>> ssh-keygen) always check the environmental variable OPENSSL_FIPS to see if
>> the FIPS mode is activated?
>> Also I think for the applications which need to use OpenSSL FIPS mode will
>> also need to run the FIPS self tests functions (also provided by the
>> OpenSSL FIPS modules). Does the patched OpenSSH also run these self tests?
>>

> Openssl os open source. The method FIPS_mode_set will call
> FIPS_module_mode_set (located in FIPS module) . Please see its code.
> You may review code of apps/openssl.c.
>

> [SNIP]

[Jakub Jelen]

On 12/07/2015 09:21 PM, security veteran wrote:
> Thanks Jakub.
>
> If I want to build the FIPS supported OpenSSH, do I just need to apply this
> one single patch
> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.7p1-fips.patch
>
> to the vanilla OpenSSH source code?
>
> I saw there are few other patches for OpenSSH version 6.7p1 under the same
> folder http://pkgs.fedoraproject.org/cgit/openssh.git/tree/.
> Do I need these other patches?

It should be enough to add that one, directly related to FIPS. There
were other unused patches, which I cleaned up now.

--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat