<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
These instructions appear to suggest there are no CVEs within
version 3.0.0 of the FIPS provider itself but I'm having a hard time
evaluating this. Taking CVE-2022-0778 as an example and looking at
the commit history, I see that this particular CVE was fixed in
a466912611aa which modified a single file: crypto/bn/bn_sqrt.c. This
filename appears in providers/fips.module.sources. Does that mean
this particular CVE does in fact impact version 3.0.0 of the FIPS
provider or do I misunderstand what the FIPS provider actually
contains?<br>
<br>
<br>
Thanks,<br>
Tom.III<br>
<br>
<br>
<div class="moz-cite-prefix">On 2/8/23 13:10, Dr Paul Dale wrote:<br>
</div>
<blockquote type="cite" cite="mid:fe77fa59-6d5a-61ab-1d41-04d44a1c488a@openssl.org">
You need to do this:<br>
<br>
1. Configure, build and install OpenSSL 3.0.0 as per the security
policy. This gives you a FIPS provider that is compliant.<br>
<br>
2. Configure, build and install the later version of OpenSSL
*without* the `enable-fips' option. This gives you the security
and bug fixes.<br>
<br>
3. Run the later version of OpenSSL with the 3.0.0 FIPS provider.
You now have FIPS compliant cryptographic algorithms and the
fixes.<br>
<br>
The intention has always been to support different versions of the
FIPS provider just working across different releases (both earlier
and later).<br>
<br>
<br>
As for additional options during configuration, in step 2 above,
these pose no problem since it's not FIPS related. In step 1 it
might be problematic & I'd suggest talking to a FIPS lab or
auditor about any specifics. However, there really isn't much
need to tweak the build in the step 1.<br>
<br>
<br>
Pauli<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/2/23 06:58, Afshin Pir wrote:<br>
</div>
<blockquote type="cite" cite="mid:SY2PR01MB2778148A5455802A27CA977094D89@SY2PR01MB2778.ausprd01.prod.outlook.com">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regarding FIPS compliance, I read
following statement in your README-FIPS.md:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If you need a FIPS validated module then
you must ONLY generate a FIPS provider using OpenSSL
versions that have valid FIPS certificates. A FIPS
certificate contains a link to a Security Policy, and you
MUST follow the instructions in the Security Policy in order
to be FIPS compliant.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I check security policy, I need to use
<a href="https://urldefense.com/v3/__https://www.openssl.org/source/openssl-3.0.0.tar.gz__;!!ACWV5N9M2RV99hQ!M_PkApZprcGffV2CcnA1C51MNzYutdzXweQo74pyO0asRydLUTBLEAHSPRO7irPivC4JhojrfCoyMTU_$" moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.openssl.org/source/openssl-3.0.0.tar.gz</a>
and configure it with ‘enable-fips’ option only. Now I have
2 questions: What does happen if a security hole is seen on
OpenSSL? If I build FIPS module using newer source codes
that resolve that security hole, my module will not have
FIPS compliance? My second question is if compiling code
with other options (like no-deprecated or no-engine) will
also break FIPS compliance or not. Any idea?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Best Regards,<o:p></o:p></p>
<p class="MsoNormal">Afshin<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<hr> This email is confidential and may contain information
subject to legal privilege. If you are not the intended
recipient please advise us of our error by return e-mail then
delete this email and any attached files. You may not copy,
disclose or use the contents in any way. The views expressed in
this email may not be those of Gallagher Group Ltd or subsidiary
companies thereof.
<hr> </blockquote>
<br>
</blockquote>
<br>
</body>
</html>