RE: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Michael Wojcik
> From: openssl-users  On Behalf Of Matt
> Caswell
> Sent: Tuesday, 5 January, 2021 09:35
>
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > We currently use the FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
>
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

And such a patched module would no longer be FIPS 140 validated.

I know of at least one commercial, proprietary fork of the OpenSSL FOM 2.0 with 
186-4 support. It has its own validations, obtained by the vendor. It's part of 
a commercial software package and not available for use by other software.

If memory serves, SUSE also implemented 186-4 when they ported the FOM 2.0 to 
OpenSSL 1.1.1. SUSE open-sourced their changes - you can find the diffs on one 
of the SUSE sites - but again, they had to get a new validation. It applies 
only to their module when used on SLES. (Red Hat similarly did their own ports 
and got their own validations for RHEL. I don't know whether they published 
their changes.)

So it's possible, but as usual with FIPS 140, you have the time and expense of 
validation. That's even more complicated now than it has been in past years, 
thanks in part to the transition from FIPS 140-2 to 140-3. I've heard from 
people with contacts in the CMVP that "the queue is full" for the year, and 
anyone not already in line will be waiting even longer than usual for a 
validation.

--
Michael Wojcik



Re: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Marcus Meissner
On Tue, Jan 05, 2021 at 04:34:36PM, Matt Caswell wrote:
> 
> 
> On 05/01/2021 11:41, y vasavi wrote:
> > 
> > Hi All,
> > 
> > We currently use the FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> > 
> > Are there any patches available ?
> 
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

In some vendor FIPS patch sets (e.g. Redhat or SUSE) there are RSA Key
generation methods meeting FIPS 186-4, for 1.0 and 1.1 based openssls.
 
Ciao, Marcus


Re: openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread Matt Caswell



On 05/01/2021 11:41, y vasavi wrote:
> 
> Hi All,
> 
> We currently use the FOM 2.0 module for FIPS certification.
> It doesn't have support for RSA Key generation(186-4)
> 
> Are there any patches available ?

Definitely there are no official ones (I'm also not aware of any
unofficial ones).

The 3.0 module which will be part of OpenSSL 3.0 when it is released
supports 186-4 RSA Key gen.

Matt



> 
> Thanks,
> Vasavi.


openssl fips patch for RSA Key Gen (186-4)

2021-01-05 Thread y vasavi
Hi All,

We currently use the FOM 2.0 module for FIPS certification.
It doesn't have support for RSA Key generation(186-4)

Are there any patches available ?

Thanks,
Vasavi.