From owner-freebsd-security@FreeBSD.ORG Sun Mar 6 21:38:40 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 027FB106566B for ; Sun, 6 Mar 2011 21:38:40 +0000 (UTC) (envelope-from simon@nitro.dk) Received: from smtp.fullrate.dk (smtp.fullrate.dk [90.185.1.42]) by mx1.freebsd.org (Postfix) with ESMTP id B46B78FC17 for ; Sun, 6 Mar 2011 21:38:39 +0000 (UTC) Received: from [192.168.4.26] (4304ds2-vlb.1.fullrate.dk [90.184.171.166]) by smtp.fullrate.dk (Postfix) with ESMTP id 975F09D039; Sun, 6 Mar 2011 22:22:18 +0100 (CET) Mime-Version: 1.0 (Apple Message framework v1082) Content-Type: text/plain; charset=us-ascii From: "Simon L. B. Nielsen" In-Reply-To: Date: Sun, 6 Mar 2011 22:22:18 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> References: To: Alexander Sack X-Mailer: Apple Mail (2.1082) Cc: freebsd-security@freebsd.org Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Mar 2011 21:38:40 -0000 On 3 Mar 2011, at 18:23, Alexander Sack wrote: > On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack = wrote: >> Hello: >>=20 >> I am a bit confused! I am reading the FIPS user guide and the >> following document: >>=20 >> http://www.openssl.org/docs/fips/fipsnotes.html >>=20 >> I quote >>=20 >> "If even the tiniest source code or build process changes are = required >> for your intended application, you cannot use the open source based >> validated module directly. You must obtain your own validation. This >> situation is common; see "Private Label" validation, below. " >>=20 >> Also, the openssl distribution has to match the right PGP keys. >>=20 >> So to those who are more of Openssl/FIPS experts than I, I have some >> basic questions: >>=20 >> 1) I assume if it impossible to make a FIPS capable openssl >> distribution straight out of the FreeBSD source tree without "Private >> Validation" as defined in the document above? (i.e. you can certainly >> build it this way but you are violating the guidelines for FIPS >> Compliance or do the maintainers out of src/crypto/openssl ENSURE = that >> the distro in that tree is equivalent to the openssl distro, even for >> PGP key checks?) [...] > I guess to put things more simply: >=20 > Is the distribution integrated within the FreeBSD source tree been > validated against its PGP keys so it can be built FIPS capable? For all the imports I did of OpenSSL to the FreeBSD base system (which = means any OpenSSL import since FreeBSD 7.0), the PGP key for the source = tar was verified. That said, in the FreeBSD base system totally replace = the OpenSSL build system and 'manually' apply fixes for the OpenSSL = security issues we certainly don't build OpenSSL unmodified. I never had a reason to look at OpenSSL FIPS, so I don't really know if = it's possible to get it working on FreeBSD, but it's possible you can = manually build and install stock OpenSSL by hand. --=20 Simon L. B. Nielsen Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer