Openssl FIPS 186-4 Patch

Openssl FIPS 186-4 Patch

Murugesh
Hi All,

I am looking for the FIPS 186-4 patch. I see it is not yet implemented
in OpenSSL FIPS 2.0.

I see many vendors have implemented their own fix for FIPS 186-4
compliance. I am looking for the patch which I can reuse. Looks like
Red Hat too has its own patch.

Kindly share any pointers for the (open license for reuse) patch for
FIPS 186-4 compliance.
I am using openssl FIPS ECP 2.0.16.

Thanks,
Murugesh P.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Openssl FIPS 186-4 Patch

Jakob Bohm-7
On 05/10/2017 13:51, murugesh pitchaiah wrote:
> Hi All,
>
> I am looking for the FIPS 186-4 patch. I see it is not yet implemented
> in openssl FIPS 2.0
I assume FIPS 186-4 is the updated SHA standard that adds the SHA-3
specification.

In that case, that would be something that OpenSSL would first add to the
basic OpenSSL library (perhaps in version 1.1.x).

Once that is working as secure and tested (but not government "validated"),
OpenSSL could incorporate that into their upcoming FIPS-validation (which I
guess will become the "FIPS module 3.0").

The "FIPS validation" bureaucracy is such that even basic bug fixes are very
expensive and time consuming to get approved, thus adding new algorithms or
other new features inside the "boundary" of the FIPS module is not something
done under normal circumstances, and certainly not just to add another
algorithm that isn't used by many people yet to a FIPS module that is only
used by the OpenSSL 1.0.x library that they are trying to discontinue.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Openssl FIPS 186-4 Patch

Murugesh
Hi Jakob,

Thanks for looking into this.
This FIPS 186-4 is not just about SHA. It is basically about the key
generation parameters. Especially I am looking for RSA key generation
parameters wrt FIPS 186-4.

Thanks,
Murugesh P.



Re: Openssl FIPS 186-4 Patch

OpenSSL - User mailing list
> This FIPS186-4 is not just about SHA. It basically about the key
> generation parameters. Especially I am looking for RSA key generation
> parameters wrt FIPS 186-4.
   
I do not know how you got the opinion that OpenSSL has 186-4 support. It does not.  Perhaps other people have written patches.  If you find them, ask them to share with us (


Re: Openssl FIPS 186-4 Patch

Murugesh
Hi,

Thanks for the comment.

I know that OpenSSL is not 186-4 compliant. That is why I am looking
for anybody who has the patch for the same.

I see there is some work in Fedora:
http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch

Thanks,
Murugesh P.


Re: Openssl FIPS 186-4 Patch

Marcus Meissner
Hi,

On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote:
> Hi,
>
> Thanks for the comment.
>
> I know that openSSL is not 186-4 compliant. That is why I am looking
> for anybody have the patch for the same.
>
> I see there are some works in Fedora:
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch

Yes, the FIPS 140-2 patches done by Red Hat provide a FIPS 186-3 or 186-4 enabled
key generation.

There are some small adjustments that could be merged back into the generic
e.g. RSA key generation.

Ciao, Marcus


Re: Openssl FIPS 186-4 Patch

Murugesh
Hi,

That Red Hat/Fedora patch is based on the openssl library alone.
But I am using the FIPS canister approach where I use both openssl and
openssl-fips-ecp libraries.

Though the Red Hat/Fedora patch is OK, it is not straightforwardly
portable to the canister model.

Any idea of patches available for this kind of FIPS canister usage?

Thanks,
Murugesh P.
