Mailing List Archive: FIPS compliance efforts in Fedora and RHEL

FIPS compliance efforts in Fedora and RHEL

Apr 18, 2023, 2:05 AM

Post #1 of 11 (579 views)

Hi OpenSSH mailing list,

I would like to announce the newly introduced patch in Fedora rawhide [0]
for

FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9

version.

The patch targets OpenSSL support of OpenSSH, specifically the usage of

old low level API. The new OpenSSL version 3.0 introduces a FIPS

module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)

which can be used with the new EVP API to state OpenSSH being FIPS

compliant (using OpenSSL). The problem is, the old API does not use the FIPS

module, therefore the change is needed for the new API.

What does this mean in practice? Critical cryptographic operations should

be changed to the new EVP API to ensure FIPS compatibility. The affected

operations are: key generation, signatures creation and Diffie-Hellman style

shared secret calculation.

To achieve that, the key structures needed to be changed from RSA, EC, DH to

EVP_PKEY, but this change would be very costly as a lot of code should

have been rewritten to align the function calls using these structures.

Therefore a different approach was implemented: keep the old key structures

and wrap the affected operations with EVP_PKEY API (importing the

key to EVP_PKEY from old structures, execute the cryptographic operation and

convert the output back to the old API if needed). This approach is not

perfect, but a lot more maintainable as a downstream patch. If there would

be any interest for rework the OpenSSL support to the 3.0 version in
upstream,

that would be much appreciated.

The patch doesn’t cover the PKCS#11 OpenSSH implementation which is a

separate issue blocked by support in OpenSSL 3.0.

[0] -
https://src.fedoraproject.org/rpms/openssh/c/b63272d9eb8efef881524b2fed0d658780b197a7?branch=rawhide

Regards
Norbert Pócs
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

demiobenour at gmail

Apr 18, 2023, 2:21 PM

Post #2 of 11 (578 views)

Permalink

On 4/18/23 05:05, Norbert Pocs wrote:
> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> version.

Why does Fedora care about FIPS 140? To me, this seems like it
should be specific to RHEL and maybe CentOS Stream, not Fedora.
My understanding is that Fedora will never be FIPS 140 complaint
anyway so there is no point in even trying, not least because
the FIPS validated version will generally be _less_ secure than
the non-FIPS version. To give just one example, OpenSSH defaults
to a post-quantum key exchange that FIPS does not allow.
--
Sincerely,
Demi Marie Obenour (she/her/hers)

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

nkadel at gmail

Apr 18, 2023, 8:07 PM

Post #3 of 11 (578 views)

Permalink

On Tue, Apr 18, 2023 at 5:27?PM Demi Marie Obenour
<demiobenour@gmail.com> wrote:
>
> On 4/18/23 05:05, Norbert Pocs wrote:
> > Hi OpenSSH mailing list,
> >
> > I would like to announce the newly introduced patch in Fedora rawhide [0]
> > for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> > version.
>
> Why does Fedora care about FIPS 140? To me, this seems like it
> should be specific to RHEL and maybe CentOS Stream, not Fedora.
> My understanding is that Fedora will never be FIPS 140 complaint
> anyway so there is no point in even trying, not least because
> the FIPS validated version will generally be _less_ secure than
> the non-FIPS version. To give just one example, OpenSSH defaults
> to a post-quantum key exchange that FIPS does not allow.

Because Fedora is the alpha platform for RHEL, and Red Hat pays a lot
of their bills, both in cash and in development. In theory, leading or
bleeding edge work happens in Fedora first, and the folks who use
bleeding edge software pay for it by being the first to detect
incompatibilities and the first to need to hammer out backwards
compatibility.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

djm at mindrot

Apr 18, 2023, 10:11 PM

Post #4 of 11 (578 views)

Permalink

On Tue, 18 Apr 2023, Norbert Pocs wrote:

> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for
>
> FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
>
> version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
>
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
>
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
>
> which can be used with the new EVP API to state OpenSSH being FIPS
>
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
>
> module, therefore the change is needed for the new API.

While I'm sure this is good for RHEL/rawhide users who care about FIPS,
Portable OpenSSH won't be able to merge this. We explictly aim to support
LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
I'd describe as "best effort").

If this changes we can look again.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

dbelyavs at redhat

Apr 19, 2023, 12:44 AM

Post #5 of 11 (578 views)

Permalink

Dear Damien,

On Wed, Apr 19, 2023 at 7:13?AM Damien Miller <djm@mindrot.org> wrote:
>
> On Tue, 18 Apr 2023, Norbert Pocs wrote:
>
> > Hi OpenSSH mailing list,
> >
> > I would like to announce the newly introduced patch in Fedora rawhide [0]
> > for
> >
> > FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
> >
> > version.
> >
> > The patch targets OpenSSL support of OpenSSH, specifically the usage of
> >
> > old low level API. The new OpenSSL version 3.0 introduces a FIPS
> >
> > module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
> >
> > which can be used with the new EVP API to state OpenSSH being FIPS
> >
> > compliant (using OpenSSL). The problem is, the old API does not use the FIPS
> >
> > module, therefore the change is needed for the new API.
>
> While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> Portable OpenSSH won't be able to merge this. We explictly aim to support
> LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> I'd describe as "best effort").
>
> If this changes we can look again.

Yes, we understand and respect your choice.
Would it be acceptable in any form being wrapped in necessary #ifdefs ?

--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

djm at mindrot

Apr 19, 2023, 12:55 AM

Post #6 of 11 (578 views)

Permalink

On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:

> > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > Portable OpenSSH won't be able to merge this. We explictly aim to support
> > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> > I'd describe as "best effort").
> >
> > If this changes we can look again.
>
> Yes, we understand and respect your choice.
> Would it be acceptable in any form being wrapped in necessary #ifdefs ?

No, I think it would be too intrusive.

IMO if we have to support both the new API and the libressl/1.1.1 API
then the only likely acceptable way would be to reimplement the new
API using the old, similar to what we did when moving to the OpenSSL
1.1.x opaque structs while still supporting the 1.0.x API.

I have no idea whether this is even possible, and we wouldn't have the
luxury of being able to use OpenSSL code to do it (as we did last time)
as the license has changed to one that we don't want to accept in the
OpenSSH codebase.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

dbelyavs at redhat

Apr 19, 2023, 1:01 AM

Post #7 of 11 (578 views)

Permalink

Dear Damien,

On Wed, Apr 19, 2023 at 9:55?AM Damien Miller <djm@mindrot.org> wrote:
>
> On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:
>
> > > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > > Portable OpenSSH won't be able to merge this. We explictly aim to support
> > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> > > I'd describe as "best effort").
> > >
> > > If this changes we can look again.
> >
> > Yes, we understand and respect your choice.
> > Would it be acceptable in any form being wrapped in necessary #ifdefs ?
>
> No, I think it would be too intrusive.
>
> IMO if we have to support both the new API and the libressl/1.1.1 API
> then the only likely acceptable way would be to reimplement the new
> API using the old, similar to what we did when moving to the OpenSSL
> 1.1.x opaque structs while still supporting the 1.0.x API.
>
> I have no idea whether this is even possible, and we wouldn't have the
> luxury of being able to use OpenSSL code to do it (as we did last time)
> as the license has changed to one that we don't want to accept in the
> OpenSSH codebase.

I think it's doable if libressl has 1.1.1-style EVP API. It is
possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0

--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

npocs at redhat

Apr 19, 2023, 1:21 AM

Post #8 of 11 (578 views)

Permalink

Dear Damien,

On Wed, Apr 19, 2023 at 10:01?AM Dmitry Belyavskiy <dbelyavs@redhat.com>
wrote:

> Dear Damien,
>
> On Wed, Apr 19, 2023 at 9:55?AM Damien Miller <djm@mindrot.org> wrote:
> >
> > On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:
> >
> > > > While I'm sure this is good for RHEL/rawhide users who care about
> FIPS,
> > > > Portable OpenSSH won't be able to merge this. We explictly aim to
> support
> > > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports
> the
> > > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for
> that
> > > > I'd describe as "best effort").
> > > >
> > > > If this changes we can look again.
>

Filed an issue on libressl [0] asking for support for OSSL_* API. Adding it
here as
a tracker.

[0] - https://github.com/libressl/portable/issues/846

Regards
Norbert Pócs
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

openssh at roumenpetrov

Apr 19, 2023, 11:55 AM

Post #9 of 11 (578 views)

Permalink

Dmitry Belyavskiy wrote:
> [SNIP]
> I think it's doable if libressl has 1.1.1-style EVP API. It is
> possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
> afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0
1.1.1 API !??!?!?!
PKIX-SSH uses EVP_PKEY and work-fine with even with ancient OpenSSL 0.9.7.

EVP_PKEY is core functionality and so OpenSSL forks compatible with 1.0.2 API support such functionality as well!!!!!!!
Note EVP_PKEY is SSLea , i.e. pre OpenSSL functionality!

All outside EVP functionality was deprecated in OpenSSL 1.0.0 API.

So who cares for 1.1.1 API?
One day, perhaps in 2187 year, OpenBSD implementation will stop to use API deprecated in 1.0.0.

Regards,
Roumen Petrov

--
Advanced secure shell implementation with X.509 certificate support
http://roumenpetrov.info/secsh/

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

dbelyavs at redhat

Apr 19, 2023, 12:50 PM

Post #10 of 11 (578 views)

Permalink

Dear Damien,

On Wed, Apr 19, 2023 at 10:01?AM Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>
> Dear Damien,
>
> On Wed, Apr 19, 2023 at 9:55?AM Damien Miller <djm@mindrot.org> wrote:
> >
> > On Wed, 19 Apr 2023, Dmitry Belyavskiy wrote:
> >
> > > > While I'm sure this is good for RHEL/rawhide users who care about FIPS,
> > > > Portable OpenSSH won't be able to merge this. We explictly aim to support
> > > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the
> > > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that
> > > > I'd describe as "best effort").
> > > >
> > > > If this changes we can look again.
> > >
> > > Yes, we understand and respect your choice.
> > > Would it be acceptable in any form being wrapped in necessary #ifdefs ?
> >
> > No, I think it would be too intrusive.
> >
> > IMO if we have to support both the new API and the libressl/1.1.1 API
> > then the only likely acceptable way would be to reimplement the new
> > API using the old, similar to what we did when moving to the OpenSSL
> > 1.1.x opaque structs while still supporting the 1.0.x API.
> >
> > I have no idea whether this is even possible, and we wouldn't have the
> > luxury of being able to use OpenSSL code to do it (as we did last time)
> > as the license has changed to one that we don't want to accept in the
> > OpenSSH codebase.
>
> I think it's doable if libressl has 1.1.1-style EVP API. It is
> possible to assign RSA/EC/DH to EVP_PKEY object and use EVP API
> afterwards in 1.1.1 and use the OSSL_PARAM_BLD for 3.0

Will the patch providing compat layer in style
=====
EVP_PKEY *EVP_PKEY_from_DH
{
#ifdef LIBRESSL
return EVP_PKEY_set0_DH
#else
#if OPENSSL_30
... PARAM_BLD..
#endif
#endif
}
=====
and making the crypto operations using EVP API in main files be acceptable?

--
Dmitry Belyavskiy

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: FIPS compliance efforts in Fedora and RHEL [ In reply to ]

philipp_subx at redfish-solutions

Apr 24, 2023, 10:20 AM

Post #11 of 11 (539 views)

Permalink

I think the better approach would have been the EVP native rewrite. It's cleaner and inevitable.

I had to do a similar rewrite for Asterisk recently.

Probably less painful, but took me about 16 man hours to write and test (including adding bundled tests).

> On Apr 18, 2023, at 3:05 AM, Norbert Pocs <npocs@redhat.com> wrote:
>
> Hi OpenSSH mailing list,
>
> I would like to announce the newly introduced patch in Fedora rawhide [0]
> for
>
> FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9
>
> version.
>
> The patch targets OpenSSL support of OpenSSH, specifically the usage of
>
> old low level API. The new OpenSSL version 3.0 introduces a FIPS
>
> module (going through FIPS 140-2 validation and to be FIPS 140-3 validated)
>
> which can be used with the new EVP API to state OpenSSH being FIPS
>
> compliant (using OpenSSL). The problem is, the old API does not use the FIPS
>
> module, therefore the change is needed for the new API.
>
> What does this mean in practice? Critical cryptographic operations should
>
> be changed to the new EVP API to ensure FIPS compatibility. The affected
>
> operations are: key generation, signatures creation and Diffie-Hellman style
>
> shared secret calculation.
>
> To achieve that, the key structures needed to be changed from RSA, EC, DH to
>
> EVP_PKEY, but this change would be very costly as a lot of code should
>
> have been rewritten to align the function calls using these structures.
>
> Therefore a different approach was implemented: keep the old key structures
>
> and wrap the affected operations with EVP_PKEY API (importing the
>
> key to EVP_PKEY from old structures, execute the cryptographic operation and
>
> convert the output back to the old API if needed). This approach is not
>
> perfect, but a lot more maintainable as a downstream patch. If there would
>
> be any interest for rework the OpenSSL support to the 3.0 version in
> upstream,
>
> that would be much appreciated.
>
> The patch doesn’t cover the PKCS#11 OpenSSH implementation which is a
>
> separate issue blocked by support in OpenSSL 3.0.
>
> [0] -
> https://src.fedoraproject.org/rpms/openssh/c/b63272d9eb8efef881524b2fed0d658780b197a7?branch=rawhide
>
> Regards
> Norbert Pócs
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Mailing List Archive

Mailing List Archive

Attached Files: