Patch for FIPS 140 mode - take 3

Steve Marquess marquess at veridicalsystems.com
Fri Jun 4 22:45:57 EST 2004


Greetings.

(Third try at sending this, the first two seemed to disappear without a trace. Perhaps use of MS Outlook was the problem, even though in plain text...? Or attachment too big (22Kb)? Would like to know...)

The final source code and documentation package for a FIPS 140 validated mode of OpenSSL was recently submitted. Once the final certification is awarded by NIST, in a month or two hopefully, it will be possible to build FIPS 140 validated applications with the FIPS mode OpenSSL library.

Ben Laurie and I have developed the attached patch that adapts OpenSSH-3.8p1 for use with the FIPS mode OpenSSL library. This patch is as minimal as possible, to serve as a model for "FIPS-izing" applications and to satisfy the immediate needs of my client that co-sponsored the bulk of the validation effort.

Some notes:

1) For practical purposes only static linking with the FIPS library is supported. The configure checks for static linking may not be portable to all platforms.

2) FIPS mode is enabled at runtime for ssh and sshd only.  Properly speaking
the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as well.

3) MD5 is not allowed in FIPS mode. For the specific case of shadow password support I enabled MD5 using a special API call intended for use with TLS. FIPS 140 will permit that since the shadow passwords are generated and maintained entirely outside of OpenSSH. However, the use of MD5 for passphrases is not allowed. As-is this patch will allow keys to be used only with null passphrases, and FIPS 140 doesn't allow that either (all keys input or output from an application must be encrypted with a FIPS 140 approved algorithm). So, passwords only and no keys.

How about a SHA1 passphrase encryption option...?

4) The OpenSSL source code used to generate the FIPS mode library is, or soon will be, in the OpenSSL_0_9_7_stable branch. The documentation describing the building and use of the FIPS library has not been released yet pending approval by NIST, but will be included in the OpenSSL source distributions.

5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only.

6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but doesn't get enough entropy on HP-UX (no EGD or /dev/urandom). So for ssh.c I moved the seed_rng() call forwards quite a bit; that may cause other problems. Also, the PRNG is awkwardly re-seeded for the child process with a new PID. Ben Laurie has suggested a helper function in OpenSSL to simplify those steps, but it isn't done yet.

-Steve M.

Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD  21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
steve.marquess at det.amedd.army.mil

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Patch
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040604/64d4d87c/attachment.ksh
