Red Hat was founded in 1993 and received its first FIPS 140 validation in 2007, together with Sun Microsystems, for NSS (Network Security Services), which was designed to be FIPS 140 compliant from the start. We spent a lot of effort in Red Hat Linux to get everything to use NSS (cURL, RPM, OpenLDAP, OpenSWAN), but could not convert everything: too many differences in APIs.
So, we changed to “validate everything” mode! OpenSSL is based on the original FIPS module from OpenSSL, but partially evolved for Red Hat. For OpenSSH, we did our own independent FIPS work. For libgcrypt, we hired a community developer to integrate FIPS support upstream. For OpenSWAN and later libreswan, we hired the community developer to port to NSS and then get FIPS support. dm-crypt first had its own crypto, but later switched to use libgcrypt. GnuTLS was done after Red Hat hired the main developer of the project.
Highlights – we were able to do this at all. We could do it quite quickly with existing modules, and we never included Dual-EC DRBG, so we avoided big issues there. Some small implementation bugs were found by CAVS testing.
Lowlights – the process is still too slow and expensive to be able to revalidate everything we release, creating a conflict between fixing bugs and security issues and the need to have the software validated. Sometimes new crypto has to be disabled in FIPS mode (even though its security is well established, like ChaCha20-Poly1305 and Curve25519 DH). Some of the requirements really are for hardware, don’t make sense for software, and implementing them does not improve the software.
Lowlights – more! The restrictions on the operating environment are too tight. HW requirements are ignored by customers, and other products built upon RHEL are marketed under a different name – confusing! The open source community does not care about government customers, so they call it nonsense, silliness and garbage.
We needed to design the process of turning on FIPS mode so that it would not interfere with regular customers that don't care about FIPS mode at all. This is all more restricted in containers as well (both host and container must be RHEL, for example).
In libgcrypt, non-approved algorithms are blocked in FIPS mode, things like MD5, which annoys customers.
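To illustrate the two points above (FIPS gating that stays out of the way when FIPS mode is off, and non-approved digests such as MD5 being refused when it is on), here is an added example of a small FIPS-gated digest wrapper. It is not Red Hat's or libgcrypt's code; the kernel flag path is real on Linux, but the allow-list, the function names and the exception type are assumptions for this illustration.

```python
"""Hypothetical FIPS-mode digest gate (added illustration, not Red Hat or libgcrypt code)."""
import hashlib

# Kernel flag exposed on RHEL and other Linux systems; "1" means FIPS mode is on.
FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"

# Assumed allow-list for this illustration only; the real approved set is defined by the
# validated module's security policy, not by this file.
APPROVED_DIGESTS = frozenset({"sha224", "sha256", "sha384", "sha512",
                              "sha3_224", "sha3_256", "sha3_384", "sha3_512"})


class NonApprovedAlgorithm(ValueError):
    """Raised when a digest is requested that FIPS mode does not permit."""


def fips_enabled_from_text(text):
    """Interpret the contents of the kernel flag file."""
    return text.strip() == "1"


def fips_enabled(path=FIPS_FLAG_PATH):
    """True only when the flag reads 1; a missing flag means FIPS mode is off,
    so non-FIPS systems are never affected by the gate."""
    try:
        with open(path) as flag:
            return fips_enabled_from_text(flag.read())
    except OSError:
        return False


def new_digest(name, fips=None):
    """Outside FIPS mode every hashlib algorithm works; inside it, non-approved names are
    refused before any data is hashed. A FIPS-built OpenSSL may also refuse at hashlib level
    (ValueError), which is reported under the same exception so callers handle one case."""
    if fips is None:
        fips = fips_enabled()
    if fips and name not in APPROVED_DIGESTS:
        raise NonApprovedAlgorithm(f"{name} is not available in FIPS mode")
    try:
        return hashlib.new(name)
    except ValueError as err:
        raise NonApprovedAlgorithm(f"{name} refused by the crypto backend: {err}") from err


def checksum(data, name, fips=None):
    """Hex digest of data using the named algorithm, subject to the FIPS gate."""
    digest = new_digest(name, fips)
    digest.update(data)
    return digest.hexdigest()


def is_blocked(name, fips):
    """Convenience check: would requesting this digest raise under the given FIPS setting?"""
    try:
        new_digest(name, fips)
    except NonApprovedAlgorithm:
        return True
    return False
```

Applications that use MD5 for non-security purposes (file checksums, cache keys) should catch NonApprovedAlgorithm and switch to an approved digest rather than failing outright, which is the customer annoyance the notes mention.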
In the future, we want to continue to work with NIST to improve the process, and to continue work on the ACVP project to speed up revalidations. We may have more or fewer crypto modules; fewer if we can get more utilities to use our validated libraries (like moving SSH from OpenSSH's own crypto to OpenSSL).