From owner-freebsd-security@FreeBSD.ORG Mon Mar 7 00:20:33 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A79D106566B for ; Mon, 7 Mar 2011 00:20:33 +0000 (UTC) (envelope-from pisymbol@gmail.com) Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com [209.85.216.54]) by mx1.freebsd.org (Postfix) with ESMTP id EF25F8FC18 for ; Mon, 7 Mar 2011 00:20:32 +0000 (UTC) Received: by qwj8 with SMTP id 8so3099134qwj.13 for ; Sun, 06 Mar 2011 16:20:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=m2R2x82fcNISnxPYhopo9BrHMMWu6KqhMjTQZZuJpBE=; b=a22SCr4lTEjE3hsUOEPbGDT1i6OxYCK2bYiUpj4qAF7UlQUhYEoI5esCS9Id2ZXLn7 +I9qpmt5Sm/PpyX053IwgjVwWFTQ9nzaDg58cugZdmPD1WBQmiyxYRGjiF2KU6edd4lT ICcNxXpECUE2B+o38UdJBx84WN2pK0x46VMsw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=Dz8fE/OY1MD/NV6Fp2fYY8XVbQz+5NVdBtcH+8rICUl2NOr4FtJYfnIBM50/oVbHiL /lsdrX0eKIP/n6ezy+97Iy+OmE0FXqUIon2KGsECH0wcnYHxPTuXyG7ALnxU2ir3+Yem /mMG2CLp8ZH14KNwjk25/zT9L1+hv1qAWe67A= MIME-Version: 1.0 Received: by 10.229.1.209 with SMTP id 17mr2446504qcg.92.1299457232124; Sun, 06 Mar 2011 16:20:32 -0800 (PST) Received: by 10.229.221.131 with HTTP; Sun, 6 Mar 2011 16:20:32 -0800 (PST) In-Reply-To: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com> References: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com> Date: Sun, 6 Mar 2011 19:20:32 -0500 Message-ID: From: Alexander Sack To: jw011235 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "Simon L. B. Nielsen" , freebsd-security@freebsd.org Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 Mar 2011 00:20:33 -0000 On Sun, Mar 6, 2011 at 5:16 PM, jw011235 wrote: > > On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote: > >> >> On 3 Mar 2011, at 18:23, Alexander Sack wrote: >> >>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack >>> wrote: >>>> >>>> Hello: >>>> >>>> I am a bit confused! =A0I am reading the FIPS user guide and the >>>> following document: >>>> >>>> http://www.openssl.org/docs/fips/fipsnotes.html >>>> >>>> I quote >>>> >>>> "If even the tiniest source code or build process changes are required >>>> for your intended application, you cannot use the open source based >>>> validated module directly. You must obtain your own validation. This >>>> situation is common; see "Private Label" validation, below. " >>>> >>>> Also, the openssl distribution has to match the right PGP keys. >>>> >>>> So to those who are more of Openssl/FIPS experts than I, I have some >>>> basic questions: >>>> >>>> 1) =A0I assume if it impossible to make a FIPS capable openssl >>>> distribution straight out of the FreeBSD source tree without "Private >>>> Validation" as defined in the document above? (i.e. you can certainly >>>> build it this way but you are violating the guidelines for FIPS >>>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that >>>> the distro in that tree is equivalent to the openssl distro, even for >>>> PGP key checks?) >> >> [...] >>> >>> I guess to put things more simply: >>> >>> Is the distribution integrated within the FreeBSD source tree been >>> validated against its PGP keys so it can be built FIPS capable? >> >> For all the imports I did of OpenSSL to the FreeBSD base system (which >> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source = tar >> was verified. That said, in the FreeBSD base system totally replace the >> OpenSSL build system and 'manually' apply fixes for the OpenSSL security >> issues we certainly don't build OpenSSL unmodified. >> >> I never had a reason to look at OpenSSL FIPS, so I don't really know if >> it's possible to get it working on FreeBSD, but it's possible you can >> manually build and install stock OpenSSL by hand. >> >> -- >> Simon L. B. Nielsen >> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > > > I've been running OpenSSL FIPS for several years now on FreeBSD so it's > certainly possible. It's not terribly hard to compile but I wouldn't do i= t > through the ports. Download the source ( I used the 0.9 source ) and FIPS > instructions and compile by hand. > > Certifying your installation through NIST is an entirely different matter= . > My company elected to put off the process until we had a contract to just= ify > the expense and time involved. You'll have to dig for it, but the NIST > website has details on the process. Wait, is NIST cert required to be FIPS capable? I don't think so. -aps