FIPS compliance efforts in Fedora and RHEL
Norbert Pocs
npocs at redhat.com
Tue Apr 18 19:05:15 AEST 2023
Hi OpenSSH mailing list,
I would like to announce the newly introduced patch in Fedora rawhide [0]
for FIPS compliance efforts. The change will be introduced in an upcoming
RHEL 9 version.
The patch targets the OpenSSL support of OpenSSH, specifically the usage of
the old low-level API. The new OpenSSL version 3.0 introduces a FIPS
module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
which can be used with the new EVP API to state that OpenSSH is FIPS
compliant (using OpenSSL). The problem is that the old API does not use the
FIPS module, therefore the change is needed for the new API.
What does this mean in practice? Critical cryptographic operations should
be changed to the new EVP API to ensure FIPS compatibility. The affected
operations are: key generation, signature creation and Diffie-Hellman-style
shared secret calculation.
To achieve that, the key structures needed to be changed from RSA, EC, DH to
EVP_PKEY, but this change would be very costly, as a lot of code would
have to be rewritten to align the function calls using these structures.
Therefore a different approach was implemented: keep the old key structures
and wrap the affected operations with the EVP_PKEY API (importing the
key to EVP_PKEY from the old structures, executing the cryptographic
operation and converting the output back to the old API if needed). This
approach is not perfect, but a lot more maintainable as a downstream patch.
If there were any interest in reworking the OpenSSL support to the 3.0
version upstream, that would be much appreciated.
The patch doesn’t cover the PKCS#11 OpenSSH implementation which is a
separate issue blocked by support in OpenSSL 3.0.
[0] - https://src.fedoraproject.org/rpms/openssh/c/b63272d9eb8efef881524b2fed0d658780b197a7?branch=rawhide
Regards
Norbert Pócs
More information about the openssh-unix-dev mailing list