Patch for FIPS 140 mode - take 3

Roumen Petrov openssh at roumenpetrov.info
Wed Jun 16 21:39:09 EST 2004


Hi All,

Steve, the patch looks very nice and simple.

Markus, what is your opinion about FIPS support in OpenSSH?


My suggestions about the patch are as follows:

1.) What about allowing fips mode to be set in config files or with the -o
command line option?

2.) File fips.h is only one line.
Instead of '#include "fips.h"' we can put 'extern int fips_mode;' in
mac.c, cipher.c, etc.

3.) Where is the best place to put the variable fips_mode? Might it be
better to put it in cipher.c?

4.1.) What about when config files or the command line explicitly set the
macs option and FIPS is disabled from the command line or config file{s}?
Sample: ssh{d} ... -o macs=... -y ...
I cannot agree with the changes in myproposal.h/mac.c/readconf.c/servconf.c.
Steve, in ssh.c/sshd.c you must check the allowed macs after
fill_default_[server_]options.
It might be better to check at the end of the fill methods.
Only in fips mode, when option.macs is NULL, you must set it explicitly to
"hmac-sha1,hmac-sha1-96".

4.2)  Same as 5.1. for ciphers.

The proposed solution is to add fips_mode to the option structures
(readconf.h, servconf.h).
a.) Initialize it to -1.
b.) Use lines like the following:
#ifdef OPENSSL_FIPS
{ "fipsmode", {s|o}FipsMode }
#else
{ "fipsmode", {s|o}Unsupported }
#endif
c.) in fill_default .... methods
    if (options->fipsmode == -1)
#ifdef OPENSSL_FIPS
        options->fipsmode = 1;
#else
        options->fipsmode = 0;
#endif
    fipsmode = options->fipsmode;
d.) at the end of the fill... methods, validate macs and ciphers and set
them explicitly to non-NULL only in fipsmode.

5.) What happens with key fingerprints when MD5 is disabled?

6.) Should ssh-keyscan be FIPS 140 aware and, if yes, what happens when the
server has an rsa1 key?

7.) Perhaps in FIPS mode ssh protocol version 1 must always be disabled?
Please see sshd.c and servconf.c.

8.) Should we clear the datafellows flag SSH_BUG_RSASIGMD5 in method
compat_datafellows from compat.c, or when the flag is set should we accept
the connection?
Please see ssh-rsa.c.

9.) What about using a configure option --with-ssl-static (a fips build
request must implicitly set static_crypto_lib="yes")?
As an example, in configure.ac we can use (note the following lines are
written from scratch):
=================================================
....
#request explicit link with static crypto lib.
static_crypto_lib="no"
AC_ARG_WITH(ssl-static,
    [  --with-ssl-static         <FIXME: appropriate message>],
    [
        if test "x$withval" != "xno" ; then   
            static_crypto_lib="yes"
        fi
    ]
)
....
if test "x$ac_cv_fips" = "xyes" ; then
    static_crypto_lib="yes"
fi
if test "x$static_crypto_lib" = "xyes" ; then
case "$host" in
*-*-hpux11*)   
    LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-Bstatic -lcrypto -Wl,-Bdynamic /'`
    ;;
*-*-linux*)
    LIBS=`echo $LIBS | sed 's/-lcrypto /-Wl,-aarchive -lcrypto -Wl,-adefault /'`
    ;;
    ;;
*)
    AC_MSG_ERROR([FIXME: crypto lib static linking])
esac
fi
....
=================================================

10.) At the end of configure it is good to show that FIPS is enabled.


Steve Marquess wrote:

> Greetings.
>
> (Third try at sending this, the first two seemed to disappear without a
> trace.  Perhaps use of MS Outlook was the problem, even though in plain
> text...?  Or attachment too big (22Kb)?  Would like to know...)
>
> The final source code and documentation package for a FIPS 140 validated
> mode of OpenSSL was recently submitted.  Once the final certification is
> awarded by NIST, in a month or two hopefully, it will be possible to build
> FIPS 140 validated applications with the FIPS mode OpenSSL library.
>
> Ben Laurie and I have developed the attached patch that adapts
> OpenSSH-3.8p1 for use with the FIPS mode OpenSSL library.  This patch is as
> minimal as possible, to serve as a model for "FIPS-izing" applications and
> to satisfy the immediate needs of my client that co-sponsored the bulk of
> the validation effort.
>
> Some notes:
>
> 1) For practical purposes only static linking with the FIPS library is
> supported.  The configure checks for static linking may not be portable to
> all platforms.
>
> 2) FIPS mode is enabled at runtime for ssh and sshd only.  Properly
> speaking the auxiliary commands (ssh-keygen, ssh-add, etc.) should do so as
> well.
>
> 3) MD5 is not allowed in FIPS mode.  For the specific case of shadow
> password support I enabled MD5 using a special API call intended for use
> with TLS.  FIPS 140 will permit that since the shadow passwords are
> generated and maintained entirely outside of OpenSSH.  However, the use of
> MD5 for passphrases is not allowed.  As-is this patch will allow keys to be
> used only with null passphrases, and FIPS 140 doesn't allow that either
> (all keys input or output from an application must be encrypted with a FIPS
> 140 approved algorithm).  So, passwords only and no keys.
>
> How about a SHA1 passphrase encryption option...?
>
> 4) The OpenSSL source code used to generate the FIPS mode library is, or
> soon will be, in the OpenSSL_0_9_7_stable branch.  The documentation
> describing the building and use of the FIPS library has not been released
> yet pending approval by NIST, but will be included in the OpenSSL source
> distributions.
>
> 5) This patch has been tested on Linux RH 9.0 and HP-UX 11.0 only
>
> 6) The FIPS_mode_set() call tries to self-seed using the non-FIPS PRNG, but
> doesn't get enough entropy on HP-UX (no EGD or /dev/urandom).  So for ssh.c
> I moved the seed_rng() call forwards quite a bit, that may cause other
> problems.  Also, the PRNG is awkwardly re-seeded for the child process with
> a new PID.  Ben Laurie has suggested a helper function in OpenSSL to
> simplify those steps, but it isn't done yet.
>
> -Steve M.
>
> Steve Marquess
> DMLSS Technical Manager    JMLFDC, 623 Porter Street, Ft. Detrick, MD  21702
> DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
> steve.marquess at det.amedd.army.mil
>
>[SNIP]
>
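
The check proposed in points 4.1 and a.) to d.) of the reply above, as an added example that is not part of the original mail or of the OpenSSH patch: the unset value -1 is resolved first, then the MAC list is defaulted or validated only in FIPS mode. `demo_options`, `demo_fill_default_options` and the `fips_built` parameter (standing in for `#ifdef OPENSSL_FIPS`) are hypothetical names, and the allow-list holds only the two MACs the mail names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed allow-list: only the two MACs named in the mail. */
static const char *fips_macs[] = { "hmac-sha1", "hmac-sha1-96", NULL };
#define FIPS_DEFAULT_MACS "hmac-sha1,hmac-sha1-96"

/* Hypothetical stand-in for the option structures in readconf.h/servconf.h. */
struct demo_options {
    int fipsmode;       /* -1 = unset, 0 = off, 1 = on */
    const char *macs;   /* NULL = not set by a config file or -o */
};

static int mac_allowed(const char *s, size_t len) {
    for (size_t i = 0; fips_macs[i] != NULL; i++)
        if (strlen(fips_macs[i]) == len && memcmp(s, fips_macs[i], len) == 0)
            return 1;
    return 0;
}

/* 1 if every comma-separated entry is allowed; empty entries are rejected. */
static int list_is_fips_only(const char *list) {
    for (;;) {
        size_t len = strcspn(list, ",");
        if (!mac_allowed(list, len))
            return 0;
        if (list[len] == '\0')
            return 1;
        list += len + 1;
    }
}

/* fips_built stands in for "#ifdef OPENSSL_FIPS". Returns 0 if ok, -1 to refuse. */
int demo_fill_default_options(struct demo_options *o, int fips_built) {
    if (o->fipsmode == -1)
        o->fipsmode = fips_built ? 1 : 0;
    if (!o->fipsmode)
        return 0;                      /* non-FIPS: the user's macs stay untouched */
    if (o->macs == NULL) {
        o->macs = FIPS_DEFAULT_MACS;   /* set explicitly only in FIPS mode */
        return 0;
    }
    return list_is_fips_only(o->macs) ? 0 : -1;
}

int main(void) {
    struct demo_options o = { 1, "hmac-sha1,hmac-md5" };  /* constructed input */
    printf("explicit list in FIPS mode: %d\n", demo_fill_default_options(&o, 1));
    return 0;
}
```

The same shape applies to the cipher list in point 4.2, with its own allow-list.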




More information about the openssh-unix-dev mailing list