From darrenm@sac.sfbay.sun.com Tue Sep 22 05:39:32 2009 Received: from sunmail2sca.sfbay.sun.com (sunmail2sca.SFBay.Sun.COM [129.145.155.234]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n8MCdWjs023948 for ; Tue, 22 Sep 2009 05:39:32 -0700 (PDT) Received: from nwk-avmta-1.SFBay.Sun.COM (nwk-avmta-1.SFBay.Sun.COM [129.146.11.74]) by sunmail2sca.sfbay.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.4) with ESMTP id n8MCdV2r022665; Tue, 22 Sep 2009 05:39:31 -0700 (PDT) Received: from pmxchannel-daemon.nwk-avmta-1.sfbay.Sun.COM by nwk-avmta-1.sfbay.Sun.COM (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KQD0070RHTVRI00@nwk-avmta-1.sfbay.Sun.COM>; Tue, 22 Sep 2009 05:39:31 -0700 (PDT) Received: from dm-sfbay-01.sfbay.sun.com ([129.145.155.118]) by nwk-avmta-1.sfbay.Sun.COM (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KQD00N2DHTU2C70@nwk-avmta-1.sfbay.Sun.COM>; Tue, 22 Sep 2009 05:39:30 -0700 (PDT) Received: from sac.sfbay.sun.com (sac.SFBay.Sun.COM [129.146.226.132]) by dm-sfbay-01.sfbay.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n8MCdRug050455; Tue, 22 Sep 2009 05:39:27 -0700 (PDT) Received: from sac.sfbay.sun.com (localhost [127.0.0.1]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n8MCdP9Y023943; Tue, 22 Sep 2009 05:39:25 -0700 (PDT) Received: (from darrenm@localhost) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8/Submit) id n8MCdPw0023939; Tue, 22 Sep 2009 05:39:25 -0700 (PDT) Date: Tue, 22 Sep 2009 05:39:25 -0700 (PDT) From: Darren J Moffat Subject: FIPS Capable OpenSSL [PSARC/2009/507 FastTrack timeout 09/29/2009] To: PSARC-ext@sun.com Cc: openssl-iteam@sun.com Message-id: <200909221239.n8MCdPw0023939@sac.sfbay.sun.com> Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 Status: RO Content-Length: 10024 Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI This information is Copyright 2009 Sun Microsystems 1. Introduction 1.1. Project/Component Working Name: FIPS Capable OpenSSL 1.2. Name of Document Author/Supplier: Author: Mark Phalan 1.3 Date of This Document: 22 September, 2009 4. Technical Description FIPS Capable OpenSSL =================== Project Summary: Include a FIPS Capable OpenSSL in Solaris. This will allow people to build and run applications which use the FIPS approved algorithms from OpenSSL. Government configuration requirements (NIST, OMB, FISMA, ...) require use of approved (FIPS) algorithms and tools. Background: OpenSSL FIPS Object Module v1.2 --- The OpenSSL project[1] offers a FIPS 140-2 validated object module[2] which provides FIPS 140-2 approved cryptographic functions. The validation is somewhat unique as it applies to the executable code built on any platform as long as the unmodified source code is built in accordance with the security policy[3]. The FIPS Object Module, fipscanister.o, once built, can then be incorporated directly into applications or libraries. The FIPS Object Module API is designed for use with the OpenSSL API and offers a subset of that API in addition to a FIPS specific API. Version 1.2 is compatible with the latest stable version of OpenSSL - 0.9.8k. FIPS Capable OpenSSL --- OpenSSL can be built in such a way so as to link the FIPS object module directly into the regular OpenSSL libcrypto library ("fips" is added when running Configure) thus making the FIPS Object Module available to consumers of OpenSSL. The implementations of the cryptographic functions are taken from fipscanister.o and replace those from the regular OpenSSL libcrypto. When OpenSSL is built in this way it is known as a "FIPS Capable OpenSSL". The resulting OpenSSL can be used as a fully-compatible (see caveat in man page below) drop-in replacement for a non-FIPS Capable OpenSSL and in addition can be put into FIPS mode when FIPS compliance is desired. Usually the reverse is not true, applications built against the FIPS Capable OpenSSL which use FIPS mode cannot use the regular non-FIPS Capable OpenSSL as the FIPS specific function calls are not present. More information about the OpenSSL FIPS Object Module and FIPS Capable OpenSSL can be found in the OpenSSL FIPS 140-2 User Guide[4]. Limitations of FIPS Capable OpenSSL --- A FIPS Capable OpenSSL is built in such a way that the FIPS object module provides the cipher implementations. This means that even when the FIPS Capable OpenSSL is not running in FIPS mode, FIPS approved ciphers are being used. This is not a problem per se, however due to the nature of FIPS validation the source code of the FIPS Object Module cannot be changed without requiring re-validation. There are two important consequences of this: * The cryptographic code can become stale over time and is unable to take advantage of any performance improvements made in the regular OpenSSL code. e.g. 64bit OpenSSL 0.9.8k-fips performs AES at about half the speed of OpenSSL 0.9.8k on an Ultra 24. This happens even when not running in FIPS mode. * Security vulnerabilities in the FIPS Object Module code cannot be fixed without losing validation. Note: There are no known security vulnerabilities in the current code. Proposal: Due to the above listed limitations the project team doesn't think it wise to replace the current OpenSSL version with a FIPS Capable one despite it being fully drop-in compatible (see caveat in man page below). Most consumers of OpenSSL won't care about FIPS compliance but would care very much to see large performance regressions. We propose to ship a second compatible libcrypto built from the same sources as the existing libcrypto but which includes the FIPS object module i.e. a FIPS Capable OpenSSL. Header files will also be shipped which will allow third-party applications to make use of the FIPS Capable OpenSSL. The FIPS Capable OpenSSL will be fully binary compatible with the regular OpenSSL (see caveat in man page below). Applications built against the regular OpenSSL will be able to run with the FIPS Capable OpenSSL. Users/administrators can choose at runtime which library they'd like to run with. This can be done on an application-by-application basis using LD_LIBRARY_PATH or the whole system can be switched using crle(1). The default will be to use the regular (high-performance) libcrypto. Merely using the FIPS Capable OpenSSL won't mean an application is running in FIPS mode but it will allow applications to switch to FIPS mode if desired (for more information about running in FIPS mode see [4]). Consumers --- The only consumer of the new FIPS Capable OpenSSL library at the time of integration will be openssl(1openssl). openssl(1openssl) will honor a new environmental variable: OPENSSL_FIPS. When set, and the FIPS Capable libcrypto is used, openssl(1openssl) will run in FIPS mode. If OPENSSL_FIPS is set but the regular libcrypto is used openssl(1openssl) will exit with an error message. Example Demonstrating OpenSSL in FIPS mode (note the version string change): $ LD_LIBRARY_PATH=/lib/openssl/fips-140/ OPENSSL_FIPS=1 openssl version OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE -2009-1378 CVE-2009-1379) $ openssl version OpenSSL 0.9.8k 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE-2009 -1378 CVE-2009-1379) We expect other applications to make use of the FIPS Capable OpenSSL over time. A number of open source applications already support (or have been patched to support) a FIPS Capable OpenSSL - stunnel, OpenSSH ... Upstream Discussions --- The project team understands that this is far from an ideal situation and the upstream OpenSSL team have also indicated that they'd like to see a better solution in future (perhaps implementing the FIPS algorithms as an OpenSSL ENGINE[5]). The project team has contacted the upstream developers and they agree that delivering two versions of libcrypto is probably the best solution in the current situation[6]. Interfaces --- Interface Classification Comment --------- -------------- ------- SUNWopenssl-fips-140 Uncommitted Package /lib/openssl/fips-140/64/libcrypto.so.0.9.8 Uncommitted Library /lib/openssl/fips-140/libcrypto.so.0.9.8 Uncommitted Library SUNWopenssl-fips-140-include Uncommitted Package /usr/include/openssl/fips-140/openssl/fips.h Uncommitted Header /usr/include/openssl/fips-140/openssl/fips_rand.h Uncommitted Header /usr/include/openssl/fips-140/openssl/opensslconf.h Uncommitted Header This case seeks patch binding although there is no intention to backport at this time. Man Page diffs --- --- openssl.5 Wed Sep 9 18:53:56 2009 +++ openssl.5.new Wed Sep 16 11:49:03 2009 @@ -70,14 +70,54 @@ Standards, Environments, and Macros openssl(5) + A FIPS Capable OpenSSL is available in /lib/openssl/fips-140. To use + this version of OpenSSL on a per-application basis, LD_LIBRARY_PATH + may be set. crle(1) may be used to select this version of OpenSSL + for all applications. + Example: + + # crle -a /lib/libcrypto.so.0.9.8 -o \ + /usr/lib/openssl/fips-140 + # crle -64 -a /lib/64/libcrypto.so.0.9.8 -o + /usr/lib/openssl/fips-140/64 + + The FIPS Capable libcrypto and the non-FIPS Capable libcrypto are + ABI compatible. One exception to this is the use of the + CRYPTO_NUM_LOCKS preprocessor macro. Instead of using + CRYPTO_NUM_LOCKS, the CRYPTO_num_locks(3openssl) function should + be used instead. + + Note: Even when a FIPS Capable OpenSSL is used applications + cannot automatically claim FIPS compliance. See the OpenSSL + FIPS 140-2 User Guide + (http://openssl.org/docs/fips/UserGuide-1.2.pdf) for more + information. + + openssl(1openssl) can be run in FIPS mode. The environmental + variable, OPENSSL_FIPS, must be set and the FIPS Capable OpenSSL + libraries must be used. + + Example: + + # export LD_LIBRARY_PATH=/lib/openssl/fips-140 + # export OPENSSL_FIPS=1 + # openssl version + OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE- + 2009-1377 CVE-2009-1378 CVE-2009-1379) + To build an OpenSSL application, use the following cc com- mand line options: cc [ flag... ] file... -lcrypto -lssl [ library... ] + To build an OpenSSL application which supports a FIPS mode of + operation, use the following cc command line options: + cc -I/usr/include/openssl/fips-140 -L/lib/openssl/fips-140 \ + -R/lib/openssl/fips-140 [ flag... ] file... -lcrypto -lssl \ + [ library... ] + Extensive additional documentation for OpenSSL modules is available in the /usr/share/man/man1openssl, /usr/share/man/man3openssl, /usr/share/man/man5openssl, and @@ -103,7 +143,8 @@ SEE ALSO - cryptoadm(1M), libpkcs11(3LIB), attributes(5) + cryptoadm(1M), libpkcs11(3LIB), attributes(5), crle(1), + openssl(1openssl), CRYPTO_num_locks(3openssl) /usr/share/man/man1openssl/openssl.1openssl, References: [1] http://www.openssl.org [2] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm [3] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf [4] http://openssl.org/docs/fips/UserGuide-1.2.pdf [5] http://www.mail-archive.com/openssl-dev@openssl.org/msg26404.html [6] http://www.mail-archive.com/openssl-dev@openssl.org/msg26423.html 6. Resources and Schedule 6.4. Steering Committee requested information 6.4.1. Consolidation C-team Name: SFW 6.5. ARC review type: FastTrack 6.6. ARC Exposure: open From gdamore@sun.com Tue Sep 22 07:04:21 2009 Received: from sunmail2sca.sfbay.sun.com (sunmail2sca.SFBay.Sun.COM [129.145.155.234]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n8ME4KJN025242 for ; Tue, 22 Sep 2009 07:04:20 -0700 (PDT) Received: from brm-avmta-1.central.sun.com (brm-avmta-1.Central.Sun.COM [129.147.4.11]) by sunmail2sca.sfbay.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.4) with ESMTP id n8ME4GrM023937; Tue, 22 Sep 2009 07:04:20 -0700 (PDT) Received: from pmxchannel-daemon.brm-avmta-1.central.sun.com by brm-avmta-1.central.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KQD00B31LR6TY00@brm-avmta-1.central.sun.com>; Tue, 22 Sep 2009 08:04:18 -0600 (MDT) Received: from sca-es-mail-2.sun.com ([192.18.43.133]) by brm-avmta-1.central.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KQD0080SLR5BDC0@brm-avmta-1.central.sun.com>; Tue, 22 Sep 2009 08:04:17 -0600 (MDT) Received: from fe-sfbay-09.sun.com ([192.18.43.129]) by sca-es-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n8ME4HJw019368; Tue, 22 Sep 2009 07:04:17 -0700 (PDT) Received: from conversion-daemon.fe-sfbay-09.sun.com by fe-sfbay-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KQD00D00LIHV400@fe-sfbay-09.sun.com>; Tue, 22 Sep 2009 07:04:17 -0700 (PDT) Received: from [192.168.251.11] ([unknown] [76.93.15.33]) by fe-sfbay-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KQD00FWPLR4QG90@fe-sfbay-09.sun.com>; Tue, 22 Sep 2009 07:04:16 -0700 (PDT) Date: Tue, 22 Sep 2009 07:04:15 -0700 From: "Garrett D'Amore" Subject: Re: FIPS Capable OpenSSL [PSARC/2009/507 FastTrack timeout 09/29/2009] In-reply-to: <200909221239.n8MCdPw0023939@sac.sfbay.sun.com> Sender: Garrett.Damore@sun.com To: Darren J Moffat Cc: PSARC-ext@sun.com, openssl-iteam@sun.com Message-id: <4AB8D95F.7020208@sun.com> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII; format=flowed Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 References: <200909221239.n8MCdPw0023939@sac.sfbay.sun.com> User-Agent: Thunderbird 2.0.0.18 (X11/20081201) Status: RO Content-Length: 11205 I'm assuming that this will also have External stability level? It would appear that at some point in the future, it might be possible to provide a single binary that can satisfy both performance and FIPS considerations, even if not at the same time, by triggering on the OPENSSL_FIPS environment variable. Its my hope that when the upstream addresses this dichotomy, they do so in a way that triggers just on the environment variable, so that we don't have to have apps change in the future. (E.g. to change to using a special Engine interface or somesuch.) At that point, hopefully this FIPS compliant library can just become a symlink to the real one. In the meantime, +1. - Garrett Darren J Moffat wrote: > Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI > This information is Copyright 2009 Sun Microsystems > 1. Introduction > 1.1. Project/Component Working Name: > FIPS Capable OpenSSL > 1.2. Name of Document Author/Supplier: > Author: Mark Phalan > 1.3 Date of This Document: > 22 September, 2009 > 4. Technical Description > > FIPS Capable OpenSSL > =================== > > Project Summary: > > Include a FIPS Capable OpenSSL in Solaris. This will allow people to > build and run applications which use the FIPS approved algorithms from > OpenSSL. Government configuration requirements (NIST, OMB, FISMA, ...) > require use of approved (FIPS) algorithms and tools. > > > Background: > > OpenSSL FIPS Object Module v1.2 > --- > The OpenSSL project[1] offers a FIPS 140-2 validated object module[2] > which provides FIPS 140-2 approved cryptographic functions. The > validation is somewhat unique as it applies to the executable code built > on any platform as long as the unmodified source code is built in > accordance with the security policy[3]. The FIPS Object Module, > fipscanister.o, once built, can then be incorporated directly into > applications or libraries. The FIPS Object Module API is designed for > use with the OpenSSL API and offers a subset of that API in addition to > a FIPS specific API. Version 1.2 is compatible with the latest stable > version of OpenSSL - 0.9.8k. > > FIPS Capable OpenSSL > --- > OpenSSL can be built in such a way so as to link the FIPS object module > directly into the regular OpenSSL libcrypto library ("fips" is added when > running Configure) thus making the FIPS Object Module available to > consumers of OpenSSL. The implementations of the cryptographic functions > are taken from fipscanister.o and replace those from the regular OpenSSL > libcrypto. When OpenSSL is built in this way it is known as a "FIPS > Capable OpenSSL". The resulting OpenSSL can be used as a > fully-compatible (see caveat in man page below) drop-in replacement for > a non-FIPS Capable OpenSSL and in addition can be put into FIPS mode > when FIPS compliance is desired. Usually the reverse is not true, > applications built against the FIPS Capable OpenSSL which use FIPS mode > cannot use the regular non-FIPS Capable OpenSSL as the FIPS specific > function calls are not present. > > More information about the OpenSSL FIPS Object Module and FIPS Capable > OpenSSL can be found in the OpenSSL FIPS 140-2 User Guide[4]. > > Limitations of FIPS Capable OpenSSL > --- > A FIPS Capable OpenSSL is built in such a way that the FIPS object > module provides the cipher implementations. This means that even when > the FIPS Capable OpenSSL is not running in FIPS mode, FIPS approved > ciphers are being used. This is not a problem per se, however due to the > nature of FIPS validation the source code of the FIPS Object Module > cannot be changed without requiring re-validation. There are two > important consequences of this: > > * The cryptographic code can become stale over time and is unable to > take advantage of any performance improvements made in the regular > OpenSSL code. e.g. 64bit OpenSSL 0.9.8k-fips performs AES at about > half the speed of OpenSSL 0.9.8k on an Ultra 24. This happens > even when not running in FIPS mode. > > * Security vulnerabilities in the FIPS Object Module code cannot be > fixed without losing validation. > Note: There are no known security vulnerabilities in the current code. > > > Proposal: > > Due to the above listed limitations the project team doesn't think it > wise to replace the current OpenSSL version with a FIPS Capable one > despite it being fully drop-in compatible (see caveat in man page > below). Most consumers of OpenSSL won't care about FIPS compliance but > would care very much to see large performance regressions. > > We propose to ship a second compatible libcrypto built from the same > sources as the existing libcrypto but which includes the FIPS object > module i.e. a FIPS Capable OpenSSL. Header files will also be shipped > which will allow third-party applications to make use of the FIPS > Capable OpenSSL. > The FIPS Capable OpenSSL will be fully binary compatible with the > regular OpenSSL (see caveat in man page below). Applications built > against the regular OpenSSL will be able to run with the FIPS Capable > OpenSSL. Users/administrators can choose at runtime which library > they'd like to run with. This can be done on an > application-by-application basis using LD_LIBRARY_PATH or the whole > system can be switched using crle(1). The default will be to use the > regular (high-performance) libcrypto. Merely using the FIPS Capable > OpenSSL won't mean an application is running in FIPS mode but it will > allow applications to switch to FIPS mode if desired (for more > information about running in FIPS mode see [4]). > > Consumers > --- > The only consumer of the new FIPS Capable OpenSSL library at the time of > integration will be openssl(1openssl). openssl(1openssl) will honor a > new environmental variable: OPENSSL_FIPS. When set, and the FIPS Capable > libcrypto is used, openssl(1openssl) will run in FIPS mode. If > OPENSSL_FIPS is set but the regular libcrypto is used openssl(1openssl) > will exit with an error message. > > Example Demonstrating OpenSSL in FIPS mode (note the version string > change): > > $ LD_LIBRARY_PATH=/lib/openssl/fips-140/ OPENSSL_FIPS=1 openssl version > OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE > -2009-1378 CVE-2009-1379) > > $ openssl version > OpenSSL 0.9.8k 25 Mar 2009 (+ security fixes for: CVE-2009-1377 CVE-2009 > -1378 CVE-2009-1379) > > We expect other applications to make use of the FIPS Capable OpenSSL > over time. A number of open source applications already support (or have > been patched to support) a FIPS Capable OpenSSL - stunnel, OpenSSH ... > > > Upstream Discussions > --- > The project team understands that this is far from an ideal situation > and the upstream OpenSSL team have also indicated that they'd like to > see a better solution in future (perhaps implementing the FIPS > algorithms as an OpenSSL ENGINE[5]). The project team has contacted > the upstream developers and they agree that delivering two versions of > libcrypto is probably the best solution in the current situation[6]. > > Interfaces > --- > > Interface Classification Comment > --------- -------------- ------- > SUNWopenssl-fips-140 Uncommitted Package > /lib/openssl/fips-140/64/libcrypto.so.0.9.8 Uncommitted Library > /lib/openssl/fips-140/libcrypto.so.0.9.8 Uncommitted Library > > SUNWopenssl-fips-140-include Uncommitted Package > /usr/include/openssl/fips-140/openssl/fips.h Uncommitted Header > /usr/include/openssl/fips-140/openssl/fips_rand.h > Uncommitted Header > /usr/include/openssl/fips-140/openssl/opensslconf.h > Uncommitted Header > > This case seeks patch binding although there is no intention to > backport at this time. > > > Man Page diffs > --- > > --- openssl.5 Wed Sep 9 18:53:56 2009 > +++ openssl.5.new Wed Sep 16 11:49:03 2009 > @@ -70,14 +70,54 @@ > Standards, Environments, and Macros openssl(5) > > > + A FIPS Capable OpenSSL is available in /lib/openssl/fips-140. To use > + this version of OpenSSL on a per-application basis, LD_LIBRARY_PATH > + may be set. crle(1) may be used to select this version of OpenSSL > + for all applications. > > + Example: > + > + # crle -a /lib/libcrypto.so.0.9.8 -o \ > + /usr/lib/openssl/fips-140 > + # crle -64 -a /lib/64/libcrypto.so.0.9.8 -o > + /usr/lib/openssl/fips-140/64 > + > + The FIPS Capable libcrypto and the non-FIPS Capable libcrypto are > + ABI compatible. One exception to this is the use of the > + CRYPTO_NUM_LOCKS preprocessor macro. Instead of using > + CRYPTO_NUM_LOCKS, the CRYPTO_num_locks(3openssl) function should > + be used instead. > + > + Note: Even when a FIPS Capable OpenSSL is used applications > + cannot automatically claim FIPS compliance. See the OpenSSL > + FIPS 140-2 User Guide > + (http://openssl.org/docs/fips/UserGuide-1.2.pdf) for more > + information. > + > + openssl(1openssl) can be run in FIPS mode. The environmental > + variable, OPENSSL_FIPS, must be set and the FIPS Capable OpenSSL > + libraries must be used. > + > + Example: > + > + # export LD_LIBRARY_PATH=/lib/openssl/fips-140 > + # export OPENSSL_FIPS=1 > + # openssl version > + OpenSSL 0.9.8k-fips 25 Mar 2009 (+ security fixes for: CVE- > + 2009-1377 CVE-2009-1378 CVE-2009-1379) > + > To build an OpenSSL application, use the following cc com- > mand line options: > > cc [ flag... ] file... -lcrypto -lssl [ library... ] > > + To build an OpenSSL application which supports a FIPS mode of > + operation, use the following cc command line options: > > + cc -I/usr/include/openssl/fips-140 -L/lib/openssl/fips-140 \ > + -R/lib/openssl/fips-140 [ flag... ] file... -lcrypto -lssl \ > + [ library... ] > > + > Extensive additional documentation for OpenSSL modules is > available in the /usr/share/man/man1openssl, > /usr/share/man/man3openssl, /usr/share/man/man5openssl, and > @@ -103,7 +143,8 @@ > > > SEE ALSO > - cryptoadm(1M), libpkcs11(3LIB), attributes(5) > + cryptoadm(1M), libpkcs11(3LIB), attributes(5), crle(1), > + openssl(1openssl), CRYPTO_num_locks(3openssl) > > > /usr/share/man/man1openssl/openssl.1openssl, > > > > > References: > > [1] http://www.openssl.org > [2] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2008.htm > [3] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf > [4] http://openssl.org/docs/fips/UserGuide-1.2.pdf > [5] http://www.mail-archive.com/openssl-dev@openssl.org/msg26404.html > [6] http://www.mail-archive.com/openssl-dev@openssl.org/msg26423.html > > 6. Resources and Schedule > 6.4. Steering Committee requested information > 6.4.1. Consolidation C-team Name: > SFW > 6.5. ARC review type: FastTrack > 6.6. ARC Exposure: open > > From Darren.Moffat@sun.com Tue Sep 22 07:18:18 2009 Received: from newsunmail1brm.central.sun.com (newsunmail1brm.Central.Sun.COM [129.147.62.245]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n8MEIInD025342 for ; Tue, 22 Sep 2009 07:18:18 -0700 (PDT) Received: from brm-avmta-1.central.sun.com (brm-avmta-1.Central.Sun.COM [129.147.4.11]) by newsunmail1brm.central.sun.com (8.13.7+Sun/8.13.7/ENSMAIL,v2.2) with ESMTP id n8MEIG6n045999; Tue, 22 Sep 2009 08:18:17 -0600 (MDT) Received: from pmxchannel-daemon.brm-avmta-1.central.sun.com by brm-avmta-1.central.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KQD00D1JMEG2T00@brm-avmta-1.central.sun.com>; Tue, 22 Sep 2009 08:18:16 -0600 (MDT) Received: from gmp-eb-inf-2.sun.com ([192.18.6.24]) by brm-avmta-1.central.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KQD00CHTMEEHY00@brm-avmta-1.central.sun.com>; Tue, 22 Sep 2009 08:18:15 -0600 (MDT) Received: from fe-emea-10.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n8MEIEVs024863; Tue, 22 Sep 2009 14:18:14 +0000 (GMT) Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KQD00100LSHAH00@fe-emea-10.sun.com>; Tue, 22 Sep 2009 15:17:52 +0100 (BST) Received: from [192.168.1.105] (cpc2-rdng20-2-0-cust917.15-3.cable.virginmedia.com [86.28.167.150]) by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KQD00F49MDQCR80@fe-emea-10.sun.com>; Tue, 22 Sep 2009 15:17:51 +0100 (BST) Date: Tue, 22 Sep 2009 15:17:49 +0100 From: Darren J Moffat Subject: Re: FIPS Capable OpenSSL [PSARC/2009/507 FastTrack timeout 09/29/2009] In-reply-to: <4AB8D95F.7020208@sun.com> Sender: Darren.Moffat@sun.com To: "Garrett D'Amore" Cc: Darren J Moffat , PSARC-ext@sun.com, openssl-iteam@sun.com Message-id: <4AB8DC8D.5000500@Sun.COM> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII; format=flowed Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 References: <200909221239.n8MCdPw0023939@sac.sfbay.sun.com> <4AB8D95F.7020208@sun.com> User-Agent: Thunderbird 2.0.0.22 (X11/20090818) Status: RO Content-Length: 167 Garrett D'Amore wrote: > I'm assuming that this will also have External stability level? Same stability level as the existing non FIPS ones yes. -- Darren J Moffat From Mark.Phalan@Sun.COM Tue Sep 22 07:18:24 2009 Received: from sunmail5.uk.sun.com (sunmail5.UK.Sun.COM [129.156.85.165]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n8MEINiL025356 for ; Tue, 22 Sep 2009 07:18:23 -0700 (PDT) Received: from nwk-avmta-2.sfbay.sun.com (nwk-avmta-2.SFBay.Sun.COM [129.145.155.6]) by sunmail5.uk.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n8MEIIwi021377; Tue, 22 Sep 2009 15:18:22 +0100 (BST) Received: from pmxchannel-daemon.nwk-avmta-2.sfbay.sun.com by nwk-avmta-2.sfbay.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KQD0080DMEKN800@nwk-avmta-2.sfbay.sun.com>; Tue, 22 Sep 2009 07:18:20 -0700 (PDT) Received: from gmp-eb-inf-1.sun.com ([192.18.6.21]) by nwk-avmta-2.sfbay.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KQD006MWMEIQE20@nwk-avmta-2.sfbay.sun.com>; Tue, 22 Sep 2009 07:18:19 -0700 (PDT) Received: from fe-emea-09.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n8MEIG6X000358; Tue, 22 Sep 2009 14:18:18 +0000 (GMT) Received: from conversion-daemon.fe-emea-09.sun.com by fe-emea-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KQD00K00LM3NU00@fe-emea-09.sun.com>; Tue, 22 Sep 2009 15:18:17 +0100 (BST) Received: from [10.18.138.124] ([unknown] [10.18.138.124]) by fe-emea-09.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KQD002DYMEGH9A0@fe-emea-09.sun.com>; Tue, 22 Sep 2009 15:18:16 +0100 (BST) Date: Tue, 22 Sep 2009 16:16:47 +0200 From: Mark Phalan Subject: Re: FIPS Capable OpenSSL [PSARC/2009/507 FastTrack timeout 09/29/2009] In-reply-to: <4AB8D95F.7020208@sun.com> Sender: Mark.Phalan@Sun.COM To: "Garrett D'Amore" Cc: Darren J Moffat , PSARC-ext@Sun.COM, openssl-iteam@Sun.COM Message-id: <4AB8DC4F.5050405@Sun.COM> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII; format=flowed Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 References: <200909221239.n8MCdPw0023939@sac.sfbay.sun.com> <4AB8D95F.7020208@sun.com> User-Agent: Thunderbird 2.0.0.22 (X11/20090818) Status: RO Content-Length: 206 On 09/22/09 04:04 PM, Garrett D'Amore wrote: > I'm assuming that this will also have External stability level? Yes, the FIPS Capable OpenSSL will have the same stability level as the regular OpenSSL. -M From Darren.Moffat@sun.com Tue Oct 13 02:30:36 2009 Received: from sunmail5.uk.sun.com (sunmail5.UK.Sun.COM [129.156.85.165]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n9D9UZGS022959 for ; Tue, 13 Oct 2009 02:30:36 -0700 (PDT) Received: from nwk-avmta-1.SFBay.Sun.COM (nwk-avmta-1.SFBay.Sun.COM [129.146.11.74]) by sunmail5.uk.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n9D9URLr005865 for <@sunmail2sca.sfbay.sun.com:PSARC-EXT@sun.com>; Tue, 13 Oct 2009 10:30:35 +0100 (BST) Received: from pmxchannel-daemon.nwk-avmta-1.sfbay.Sun.COM by nwk-avmta-1.sfbay.Sun.COM (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KRG0090352X1U00@nwk-avmta-1.sfbay.Sun.COM> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 02:30:33 -0700 (PDT) Received: from gmp-eb-inf-2.sun.com ([192.18.6.24]) by nwk-avmta-1.sfbay.Sun.COM (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KRG000JC52W9T50@nwk-avmta-1.sfbay.Sun.COM> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 02:30:33 -0700 (PDT) Received: from fe-emea-10.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n9D9UUcp012374 for ; Tue, 13 Oct 2009 09:30:31 +0000 (GMT) Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KRG00E002ZYS100@fe-emea-10.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 10:30:28 +0100 (BST) Received: from [192.168.1.105] (cpc2-rdng20-2-0-cust917.15-3.cable.virginmedia.com [86.28.167.150]) by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KRG004NY52RV230@fe-emea-10.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 10:30:27 +0100 (BST) Date: Tue, 13 Oct 2009 10:30:27 +0100 From: Darren J Moffat Subject: PSARC/2009/507 usr/lib links for OpenSSL Sender: Darren.Moffat@sun.com To: PSARC-ext@sun.com Message-id: <4AD448B3.50602@Sun.COM> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII; format=flowed Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 User-Agent: Thunderbird 2.0.0.22 (X11/20090818) Status: RO Content-Length: 50 This case is closed approved. -- Darren J Moffat From Darren.Moffat@sun.com Tue Oct 13 02:31:58 2009 Received: from sunmail5.uk.sun.com (sunmail5.UK.Sun.COM [129.156.85.165]) by sac.sfbay.sun.com (8.13.8+Sun/8.13.8) with ESMTP id n9D9VvX9023017 for ; Tue, 13 Oct 2009 02:31:58 -0700 (PDT) Received: from nwk-avmta-2.sfbay.sun.com (nwk-avmta-2.SFBay.Sun.COM [129.145.155.6]) by sunmail5.uk.sun.com (8.13.8+Sun/8.13.8/ENSMAIL,v2.2) with ESMTP id n9D9Vtst006992 for <@sunmail2sca.sfbay.sun.com:PSARC-EXT@sun.com>; Tue, 13 Oct 2009 10:31:57 +0100 (BST) Received: from pmxchannel-daemon.nwk-avmta-2.sfbay.sun.com by nwk-avmta-2.sfbay.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) id <0KRG00D01557O500@nwk-avmta-2.sfbay.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 02:31:55 -0700 (PDT) Received: from gmp-eb-inf-1.sun.com ([192.18.6.21]) by nwk-avmta-2.sfbay.sun.com (Sun Java System Messaging Server 6.2-3.04 (built Jul 15 2005)) with ESMTP id <0KRG003R5556WDE0@nwk-avmta-2.sfbay.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 02:31:55 -0700 (PDT) Received: from fe-emea-10.sun.com (gmp-eb-lb-1-fe1.eu.sun.com [192.18.6.7] (may be forged)) by gmp-eb-inf-1.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n9D9Vrcw018038 for ; Tue, 13 Oct 2009 09:31:54 +0000 (GMT) Received: from conversion-daemon.fe-emea-10.sun.com by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) id <0KRG00E002ZYS100@fe-emea-10.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 10:31:31 +0100 (BST) Received: from [192.168.1.105] (cpc2-rdng20-2-0-cust917.15-3.cable.virginmedia.com [86.28.167.150]) by fe-emea-10.sun.com (Sun Java(tm) System Messaging Server 7u2-7.04 64bit (built Jul 2 2009)) with ESMTPSA id <0KRG004Q5543V230@fe-emea-10.sun.com> for PSARC-EXT@sun.com (ORCPT PSARC-EXT@sun.com); Tue, 13 Oct 2009 10:31:15 +0100 (BST) Date: Tue, 13 Oct 2009 10:31:15 +0100 From: Darren J Moffat Subject: PSARC/2009/507 FIPS Capable OpenSSL Sender: Darren.Moffat@sun.com To: PSARC-ext@sun.com Message-id: <4AD448E3.101@Sun.COM> MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII; format=flowed Content-transfer-encoding: 7BIT X-PMX-Version: 5.4.1.325704 User-Agent: Thunderbird 2.0.0.22 (X11/20090818) Status: RO Content-Length: 51 This case is closed approved. -- Darren J Moffat