FIPS compliant openssl possible within the FreeBSD build
systems?
Simon L. B. Nielsen
simon at nitro.dk
Sun Mar 6 21:38:40 UTC 2011
On 3 Mar 2011, at 18:23, Alexander Sack wrote:
> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol at gmail.com> wrote:
>> Hello:
>>
>> I am a bit confused! I am reading the FIPS user guide and the
>> following document:
>>
>> http://www.openssl.org/docs/fips/fipsnotes.html
>>
>> I quote
>>
>> "If even the tiniest source code or build process changes are required
>> for your intended application, you cannot use the open source based
>> validated module directly. You must obtain your own validation. This
>> situation is common; see "Private Label" validation, below. "
>>
>> Also, the openssl distribution has to match the right PGP keys.
>>
>> So to those who are more of Openssl/FIPS experts than I, I have some
>> basic questions:
>>
>> 1) I assume if it impossible to make a FIPS capable openssl
>> distribution straight out of the FreeBSD source tree without "Private
>> Validation" as defined in the document above? (i.e. you can certainly
>> build it this way but you are violating the guidelines for FIPS
>> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
>> the distro in that tree is equivalent to the openssl distro, even for
>> PGP key checks?)
[...]
> I guess to put things more simply:
>
> Is the distribution integrated within the FreeBSD source tree been
> validated against its PGP keys so it can be built FIPS capable?
For all the imports I did of OpenSSL to the FreeBSD base system (which means any OpenSSL import since FreeBSD 7.0), the PGP key for the source tar was verified. That said, in the FreeBSD base system totally replace the OpenSSL build system and 'manually' apply fixes for the OpenSSL security issues we certainly don't build OpenSSL unmodified.
I never had a reason to look at OpenSSL FIPS, so I don't really know if it's possible to get it working on FreeBSD, but it's possible you can manually build and install stock OpenSSL by hand.
--
Simon L. B. Nielsen
Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
More information about the freebsd-security
mailing list