<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Changes to the FIPS provider are more problematic as they require
review by the accreditation lab and, depending on the changes,
potentially a revalidation. The project's intention has always been
to periodically update the validation to dot release versions and we
are in the process of doing this at the moment. The update will
address the small number of known issues inside the FIPS boundary.
Don't hold your breath waiting; the process is slow and none of the
issues are critical as far as I'm aware.<br>
<br>
The sqrt issue mentioned will be addressed as part of this
revalidation. However, it's rather tricky to trigger it in the FIPS
provider. The problem relates to loading malformed keys and this is
generally done by the base or default providers before transferring
them to the FIPS provider. I.e., the problem will be encountered
before the errant key material reaches the FIPS boundary. With a
fixed libcrypto, the errant key material never gets far enough to
cause a problem for the FIPS provider.<br>
<br>
<br>
Pauli<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/2/23 10:46, Thomas Dwyer III
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:d1072e3e-f49d-ec55-38d0-e5087346fd89@oracle.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
These instructions appear to suggest there are no CVEs within
version 3.0.0 of the FIPS provider itself but I'm having a hard
time evaluating this. Taking CVE-2022-0778 as an example and
looking at the commit history, I see that this particular CVE was
fixed in a466912611aa which modified a single file:
crypto/bn/bn_sqrt.c. This filename appears in
providers/fips.module.sources. Does that mean this particular CVE
does in fact impact version 3.0.0 of the FIPS provider or do I
misunderstand what the FIPS provider actually contains?<br>
<br>
<br>
Thanks,<br>
Tom.III<br>
<br>
<br>
<div class="moz-cite-prefix">On 2/8/23 13:10, Dr Paul Dale wrote:<br>
</div>
<blockquote type="cite"
cite="mid:fe77fa59-6d5a-61ab-1d41-04d44a1c488a@openssl.org"> You
need to do this:<br>
<br>
1. Configure, build and install OpenSSL 3.0.0 as per the
security policy. This gives you a FIPS provider that is
compliant.<br>
<br>
2. Configure, build and install the later version of OpenSSL
*without* the `enable-fips` option. This gives you the
security and bug fixes.<br>
<br>
3. Run the later version of OpenSSL with the 3.0.0 FIPS
provider. You now have FIPS compliant cryptographic algorithms
and the fixes.<br>
<br>
The intention has always been to support different versions of
the FIPS provider just working across different releases (both
earlier and later).<br>
<br>
<br>
As for additional options during configuration, in step 2 above,
these pose no problem since it's not FIPS related. In step 1 it
might be problematic and I'd suggest talking to a FIPS lab or
auditor about any specifics. However, there really isn't much
need to tweak the build in step 1.<br>
<br>
<br>
Pauli<br>
<br>
<br>
<div class="moz-cite-prefix">On 9/2/23 06:58, Afshin Pir wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SY2PR01MB2778148A5455802A27CA977094D89@SY2PR01MB2778.ausprd01.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hi</p>
<p class="MsoNormal">Regarding FIPS compliance, I read the
following statement in your README-FIPS.md:</p>
<p class="MsoNormal">If you need a FIPS validated module
then you must ONLY generate a FIPS provider using OpenSSL
versions that have valid FIPS certificates. A FIPS
certificate contains a link to a Security Policy, and you
MUST follow the instructions in the Security Policy in
order to be FIPS compliant.</p>
<p class="MsoNormal">If I check the security policy, I need to
use <a
href="https://urldefense.com/v3/__https://www.openssl.org/source/openssl-3.0.0.tar.gz__;!!ACWV5N9M2RV99hQ!M_PkApZprcGffV2CcnA1C51MNzYutdzXweQo74pyO0asRydLUTBLEAHSPRO7irPivC4JhojrfCoyMTU_$"
moz-do-not-send="true" class="moz-txt-link-freetext">
https://www.openssl.org/source/openssl-3.0.0.tar.gz</a>
and configure it with the ‘enable-fips’ option only. Now I
have 2 questions: What happens if a security hole is
found in OpenSSL? If I build the FIPS module using newer source
code that resolves that security hole, will my module no longer
have FIPS compliance? My second question is whether compiling the
code with other options (like no-deprecated or no-engine)
will also break FIPS compliance. Any idea?</p>
<p class="MsoNormal">Best Regards,</p>
<p class="MsoNormal">Afshin</p>
</div>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
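The three steps Pauli lists (validated 3.0.0 FIPS provider, a later release built without enable-fips, the later release run against the 3.0.0 fips.so), written out as a script. This is an added example and is not code from the thread or from the OpenSSL project. Everything beyond the Configure/make/fipsinstall commands themselves is an assumption: the unpacked source directories, openssl-3.0.8 as the later release, the install prefixes under /opt, and the lib64/ossl-modules layout. The --prefix on the step 1 Configure line is also an assumption to check against the Security Policy, per Pauli's caveat about tweaking that build. The generated openssl.cnf activates the base provider alongside the fips provider, which is where key and certificate files are decoded before any key material reaches the FIPS boundary, the point made in the reply about the bn_sqrt fix.<br>
<br>
```shell
#!/bin/sh
# Added example, not from the thread. Automates the three steps above:
# build the validated 3.0.0 FIPS provider, build a later release without
# enable-fips, then run the later release with the 3.0.0 fips.so.
# Assumptions (not from the thread): source trees are already unpacked in
# the current directory, the later release is 3.0.8, install prefixes are
# under /opt, and modules land in lib64/ossl-modules. Confirm the step 1
# Configure line (including --prefix) against the Security Policy.
set -eu

FIPS_SRC=${FIPS_SRC:-openssl-3.0.0}            # validated release source (assumed)
NEW_SRC=${NEW_SRC:-openssl-3.0.8}              # later release with the fixes (assumed)
FIPS_PREFIX=${FIPS_PREFIX:-/opt/openssl-fips-3.0.0}
NEW_PREFIX=${NEW_PREFIX:-/opt/openssl-current}
FIPS_MODDIR="$FIPS_PREFIX/lib64/ossl-modules"  # lib/ossl-modules on some platforms

# Step 1: build the validated release with enable-fips and nothing else.
# Only fips.so from this tree is the validated module; its libcrypto is not
# used at run time (it still carries the unfixed crypto/bn/bn_sqrt.c).
build_validated_fips_provider() {
    (cd "$FIPS_SRC" && ./Configure enable-fips --prefix="$FIPS_PREFIX" \
        && make && make install)
}

# Step 2: build the later release *without* enable-fips. This gives the
# patched libcrypto/libssl and the base/default providers that decode keys
# before any key material reaches the FIPS boundary.
build_current_openssl() {
    (cd "$NEW_SRC" && ./Configure --prefix="$NEW_PREFIX" && make && make install)
}

# Step 3a: run the module integrity self-test with the *newer* openssl
# binary against the 3.0.0 fips.so and write the resulting fipsmodule.cnf
# (module MAC, install status) where the newer install will find it.
install_fips_module_config() {
    "$NEW_PREFIX/bin/openssl" fipsinstall \
        -module "$FIPS_MODDIR/fips.so" \
        -out "$NEW_PREFIX/ssl/fipsmodule.cnf"
}

# Step 3b: write an openssl.cnf for the newer install that activates the
# validated fips provider plus the base provider (file/key decoding lives
# there, outside the FIPS boundary) and makes fips=yes the default
# property query so algorithm fetches resolve to the FIPS provider.
# Usage: write_fips_config <openssl.cnf to write> <path to fipsmodule.cnf>
write_fips_config() {
    out=$1
    modcnf=$2
    cat > "$out" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $modcnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Step 3c: point the newer binary at the 3.0.0 module directory and list the
# loaded providers. The binary should report the newer version while the
# FIPS provider line reports 3.0.0.
verify_mixed_versions() {
    OPENSSL_CONF="$NEW_PREFIX/ssl/openssl.cnf" \
    OPENSSL_MODULES="$FIPS_MODDIR" \
        "$NEW_PREFIX/bin/openssl" version
    OPENSSL_CONF="$NEW_PREFIX/ssl/openssl.cnf" \
    OPENSSL_MODULES="$FIPS_MODDIR" \
        "$NEW_PREFIX/bin/openssl" list -providers
}

# Only build when invoked as "sh fips-mixed-versions.sh run"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then
    build_validated_fips_provider
    build_current_openssl
    install_fips_module_config
    write_fips_config "$NEW_PREFIX/ssl/openssl.cnf" "$NEW_PREFIX/ssl/fipsmodule.cnf"
    verify_mixed_versions
fi
```
<br>
The validated artefact is only the fips.so produced in step 1; nothing else from that install should be on the library path at run time, since that libcrypto is the one without the fixes. Setting OPENSSL_MODULES to the 3.0.0 module directory is one way to keep the newer install from picking up a fips.so of its own; copying the 3.0.0 fips.so into the newer install's ossl-modules directory is the other.<br>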
<br>
</body>
</html>