From owner-freebsd-security@FreeBSD.ORG Thu Mar 3 17:23:14 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1B25E106564A for ; Thu, 3 Mar 2011 17:23:14 +0000 (UTC) (envelope-from pisymbol@gmail.com) Received: from mail-qy0-f175.google.com (mail-qy0-f175.google.com [209.85.216.175]) by mx1.freebsd.org (Postfix) with ESMTP id C90E08FC14 for ; Thu, 3 Mar 2011 17:23:13 +0000 (UTC) Received: by qyk35 with SMTP id 35so89056qyk.13 for ; Thu, 03 Mar 2011 09:23:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type:content-transfer-encoding; bh=55w/ND4BydCEK9DtTVQMrCtG4l7g5m6Bw+TV20ASprc=; b=rFDttMKIIH9N6WTjRn/63/293dvUSEC4+WU3pe+s22/MY94bHDcbLIPAUYNuvffQ+A r08P9XA8ShRjjzWA1PFE5azAFKIh22f94iafbiy8480T9lRE8B6Z/NJ/CSBhNvzAXqU+ 1J5Rj8DQHFsGVxByAVqyGw6sQHAYg/3DBAKBQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; b=tdQwayOSinv4rQBfU1Usa6ZlaDu+zU281CBYO0vcwvBk/+pGH3PNYFn1P1NZrztMhO wi9IuSOFsvozT5oZWH9v6/C7tm3JoGEWMXpY4SxBO1gL0cX3Dm5bmuOxvtEa5Jhwh8v0 A5v8yPP7XjerLpS7+TwmXC3kBGnu24qSWQoNU= MIME-Version: 1.0 Received: by 10.229.186.212 with SMTP id ct20mr1216552qcb.92.1299172992759; Thu, 03 Mar 2011 09:23:12 -0800 (PST) Received: by 10.229.221.131 with HTTP; Thu, 3 Mar 2011 09:23:12 -0800 (PST) In-Reply-To: References: Date: Thu, 3 Mar 2011 12:23:12 -0500 Message-ID: From: Alexander Sack To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Mar 2011 17:23:14 -0000 On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote: > Hello: > > I am a bit confused! =A0I am reading the FIPS user guide and the > following document: > > http://www.openssl.org/docs/fips/fipsnotes.html > > I quote > > "If even the tiniest source code or build process changes are required > for your intended application, you cannot use the open source based > validated module directly. You must obtain your own validation. This > situation is common; see "Private Label" validation, below. " > > Also, the openssl distribution has to match the right PGP keys. > > So to those who are more of Openssl/FIPS experts than I, I have some > basic questions: > > 1) =A0I assume if it impossible to make a FIPS capable openssl > distribution straight out of the FreeBSD source tree without "Private > Validation" as defined in the document above? (i.e. you can certainly > build it this way but you are violating the guidelines for FIPS > Compliance or do the maintainers out of src/crypto/openssl ENSURE that > the distro in that tree is equivalent to the openssl distro, even for > PGP key checks?) > > 2) =A0Can you make a FIPS capable openssl port? > > i.e. use the stock distro, write some script to validate keys, create > a separate FIPS port or part of hte openssl port, etc. case in point, > RHEL I believe has a FIPS compliant RPM which does this in its spec > file. I guess to put things more simply: Is the distribution integrated within the FreeBSD source tree been validated against its PGP keys so it can be built FIPS capable? I really appreciate an official answer from one of the security officers. Thanks! -aps