Package: openssl-provider-fips
Version: 3.4.0-2
Severity: important

Bug #1050210 requested addition of the OpenSSL FIPS provider to Debian since a FIPS validation certificate is available:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282
There are several issues with this new openssl-provider-fips package:

1. It is based on OpenSSL 3.4.0 while the certificate is only valid for versions 3.0.8 and 3.0.9.

2. The sources are patched, rendering the result non-compliant. Per Appendix B of the certificate, "compliance is maintained for other versions of the respective operational environments and compilers provided the module source code is unchanged." This is reiterated in the installation instructions:
https://github.com/openssl/openssl/blob/master/README-FIPS.md#installing-the-fips-provider

Due to these issues, the current package is not really FIPS compliant and could mislead users into believing otherwise. I therefore suggest dropping this package.

Alternatively, the openssl-provider-fips package needs to be built from its own source package, satisfying the specific version requirements and build instructions from the linked certificate above. Versions 3.0.8 and 3.0.9 of the OpenSSL FIPS provider are compatible with OpenSSL 3.4 according to https://openssl-library.org/source/

> Please follow the Security Policy instructions to download, build and
> install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY
> use the validated FIPS provider, but MUST NOT build and use their own
> FIPS provider. For example you can build OpenSSL 3.4 and use the
> OpenSSL 3.0.9 FIPS provider with it.
>
> Information about how to configure and use the FIPS provider in your
> applications is available on the FIPS module man page. You must also
> read the module security policy and follow the specific build and
> installation instructions included in it.
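As an added illustration of the version mismatch the report describes (this is not code from the bug report or from the openssl packaging), the script below parses the output of `openssl list -providers` and flags a loaded FIPS provider whose version is not one of the two covered by certificate #4282. The provider listing is a constructed sample in the shape OpenSSL 3.x prints; the function names are my own.

```python
import re
from typing import Dict, Optional

# Versions of the OpenSSL FIPS provider covered by CMVP certificate #4282,
# as stated in the bug report. A FIPS provider built from 3.4.0 is outside it.
VALIDATED_FIPS_VERSIONS = {"3.0.8", "3.0.9"}

# Constructed sample of `openssl list -providers` output on a host whose
# libssl is 3.4.0 and whose loaded FIPS provider was also built from 3.4.0
# (the situation the report describes). Real output has the same layout.
SAMPLE_PROVIDER_LISTING = """\
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.4.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.4.0
    status: active
"""

def parse_providers(listing: str) -> Dict[str, Dict[str, str]]:
    """Turn `openssl list -providers` text into {provider_id: {field: value}}."""
    providers: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in listing.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if not stripped or stripped == "Providers:":
            continue
        if indent == 2:                      # provider identifier, e.g. "  fips"
            current = stripped
            providers[current] = {}
        elif indent >= 4 and current and ":" in stripped:
            key, _, value = stripped.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers

def check_fips_provider(listing: str) -> str:
    """Return "ok" only if the active FIPS provider reports a validated version.

    A matching version string is necessary but not sufficient: the certificate
    also requires unmodified module source, which this check cannot observe.
    """
    fips = parse_providers(listing).get("fips")
    if fips is None or fips.get("status") != "active":
        return "fips provider not loaded"
    version = fips.get("version", "")
    if version not in VALIDATED_FIPS_VERSIONS:
        return f"fips provider {version} is not a validated version"
    return "ok"

if __name__ == "__main__":
    print(check_fips_provider(SAMPLE_PROVIDER_LISTING))
```

On a real system, feed it the output of `openssl list -providers -provider fips` (with the fips provider enabled in openssl.cnf); a passing check still leaves the patched-source concern from issue 2 unaddressed.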