From owner-freebsd-security@FreeBSD.ORG Sun Mar 6 22:38:23 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F3AA106564A for ; Sun, 6 Mar 2011 22:38:23 +0000 (UTC) (envelope-from jw011235@gmail.com) Received: from mail-iy0-f182.google.com (mail-iy0-f182.google.com [209.85.210.182]) by mx1.freebsd.org (Postfix) with ESMTP id 0E59B8FC0A for ; Sun, 6 Mar 2011 22:38:22 +0000 (UTC) Received: by iyj12 with SMTP id 12so4033314iyj.13 for ; Sun, 06 Mar 2011 14:38:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; bh=snj1wZEqiIWCXxq84jjXjPxAJafDz8W49vWQB8SMx8A=; b=TJatiInisECGtBdwTLCw02tuG8cnDx1pprgtMsxSveIi4E01M+UkGR35HEQDIjwPtH Nuqlwi5rGKZedfzTGJzwWjLvfBiAeEGnglPe3rfJeeXYitWVq1k9Tn/Yy8wBLnLzwvap duH6ke/PwjqAxQYPriGEVvdeEByXI70Kw8qZw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=rdzijpT2smsik6xzMW3bX5RM4Eoo7Ph0tY0z7PzZUSqRqDTA2sWfPrpfuT9nHDvhx5 juzsuXlZ0I+BXZoCbtI2vIDk5EMnepN0TGwco0Rtd0uqKepsoOAde0cYObD7xwTwKge+ SLKYnoPXzL8tEFvSCXP7QUYMEdwXyEft+4Vis= Received: by 10.43.60.206 with SMTP id wt14mr3843230icb.399.1299449765186; Sun, 06 Mar 2011 14:16:05 -0800 (PST) Received: from [192.168.12.102] ([65.183.165.31]) by mx.google.com with ESMTPS id i2sm1906235icv.3.2011.03.06.14.16.03 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 06 Mar 2011 14:16:04 -0800 (PST) Message-Id: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com> From: jw011235 To: Simon L. B. Nielsen In-Reply-To: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Date: Sun, 6 Mar 2011 17:16:00 -0500 References: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> X-Mailer: Apple Mail (2.936) Cc: Alexander Sack , freebsd-security@freebsd.org Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Mar 2011 22:38:23 -0000 On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote: > > On 3 Mar 2011, at 18:23, Alexander Sack wrote: > >> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack >> wrote: >>> Hello: >>> >>> I am a bit confused! I am reading the FIPS user guide and the >>> following document: >>> >>> http://www.openssl.org/docs/fips/fipsnotes.html >>> >>> I quote >>> >>> "If even the tiniest source code or build process changes are >>> required >>> for your intended application, you cannot use the open source based >>> validated module directly. You must obtain your own validation. This >>> situation is common; see "Private Label" validation, below. " >>> >>> Also, the openssl distribution has to match the right PGP keys. >>> >>> So to those who are more of Openssl/FIPS experts than I, I have some >>> basic questions: >>> >>> 1) I assume if it impossible to make a FIPS capable openssl >>> distribution straight out of the FreeBSD source tree without >>> "Private >>> Validation" as defined in the document above? (i.e. you can >>> certainly >>> build it this way but you are violating the guidelines for FIPS >>> Compliance or do the maintainers out of src/crypto/openssl ENSURE >>> that >>> the distro in that tree is equivalent to the openssl distro, even >>> for >>> PGP key checks?) > [...] >> I guess to put things more simply: >> >> Is the distribution integrated within the FreeBSD source tree been >> validated against its PGP keys so it can be built FIPS capable? > > For all the imports I did of OpenSSL to the FreeBSD base system > (which means any OpenSSL import since FreeBSD 7.0), the PGP key for > the source tar was verified. That said, in the FreeBSD base system > totally replace the OpenSSL build system and 'manually' apply fixes > for the OpenSSL security issues we certainly don't build OpenSSL > unmodified. > > I never had a reason to look at OpenSSL FIPS, so I don't really know > if it's possible to get it working on FreeBSD, but it's possible you > can manually build and install stock OpenSSL by hand. > > -- > Simon L. B. Nielsen > Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " I've been running OpenSSL FIPS for several years now on FreeBSD so it's certainly possible. It's not terribly hard to compile but I wouldn't do it through the ports. Download the source ( I used the 0.9 source ) and FIPS instructions and compile by hand. Certifying your installation through NIST is an entirely different matter. My company elected to put off the process until we had a contract to justify the expense and time involved. You'll have to dig for it, but the NIST website has details on the process. Best of luck, Jason Williams