On 07/15/2014 09:38 AM, Sadhana wrote: > Hello All, > > I have a requirement to make Openssh FIPS compliant. It would be really > helpful, if you could answer the > below question and correct me if I am wrong. > > I also understand there is a module called as fipscanister.o is introduced > in Openssl. > This ensures, FIPS compliancy. This also, exposes the API FIPS_mode and > FIPS_set_mode. > We have already integrated openssl with fipscanister.o. > > Is there any way by which, Openssh can make use of fipscanister module > directly? > > I understand, Openssh needs to call FIPS_mode, FIPS_set_mode to ensure it > operates in FIPS mode. > I understand, few of the ciphers, MACs, kex algorithms are fips compliant > and few others are not. > Hence, openssh code has to be modified to allow only those which are fips > compliant. > > Are there any more stuff which needs to be done?
Yes. Converting an application to use the "FIPS capable" OpenSSL and qualify as using a FIPS 140-2 validated crypto module *can* be as simple as adding a FIPS_mode_set() call. However, modifying OpenSSH for FIPS 140-2 compliance is non-trivial as OpenSSH implements a number of cryptographic operations outside of OpenSSL. It's not enough that only cryptographic algorithms allowed by FIPS 140-2 are used, those crypto operations must be performed *within* a validated module. Or in other words, an application which hopes to claim to satisfy the USG/DoD requirements for FIPS 140-2 validated cryptography must use validated module(s) for all relevant cryptography. The "FIPS capable" OpenSSL libraries satisfy that requirement but only if OpenSSL is used exclusively. You can find a patch at http://opensslfoundation.com/export/openssh/openssh-6.0p1.fips-revised.patch which adapts a now obsolete version of OpenSSH to use the FIPS capable OpenSSL. New inlined cryptography has been added since then so I suspect additional non-trivial work will be necessary. I haven't been keeping track but other newer patches may be available elsewhere. Also note than in a U.S. DoD context you'll probably need x.509 support as well (this is available in patches from Roumen Petrov). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
