Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Request for FIPS-Validated netty-tcnative release #799

Open
k-raina opened this issue Jul 12, 2023 · 4 comments
Open

Request for FIPS-Validated netty-tcnative release #799

k-raina opened this issue Jul 12, 2023 · 4 comments

Comments

@k-raina
Copy link
Contributor

k-raina commented Jul 12, 2023

Currently, users must fork the repository and rebuild with the FIPS-validated boringSSL tar to achieve FIPS compliance.

Considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.

I'm willing to contribute by raising a pull request (PR) to help implement the FIPS-validated release.

@normanmaurer
Copy link
Member

I have no idea what this would entail at all, so if it's not too much work maybe do a PR and we can have a look ?

normanmaurer added a commit that referenced this issue Oct 5, 2023
#821)

### Motivation:
As discussed in
[issue](#799), considering
the growing demand for FIPS compliance in security-sensitive
environments, an official netty-tcnative release supporting FIPS
validation would greatly benefit the open-source community. This would
simplify integration and provide a reliable, community-supported
solution.

### Setup Configurations:
Tools: cmake 3.20, ninja build 1.10.0, clang-12, golang, java 11, maven
3.6.3, libapr1, automake, autoconf, libtool, libunwind-dev, pkg-config

Fips validated BoringSSL commit used is
853ca1ea1168dff08011e5d42d94609cc0ca2e27

### Build Steps: 

- Run Maven 
```
 mvn clean install -f boringssl-static/pom.xml -Pfips-boringssl-static
```

- While build is running you should see in logs:
```
...
Boringssl is fips compliant
...
```
- After build steps are completed you should see Jars eg.
```
.m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final.jar
.m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar
```

### Modifications:
- Added pom profile `fips-boringssl-static` for fips compliant


### Tested on: 
Tested on linux AMD and ARM machine, which are supported as per FIPS
security document attached in reference.
Output:
https://drive.google.com/file/d/1eAFUIrHLbB7xiTpxHPs__N3Ha_Ltli76/view?usp=sharing

### Reference: 
Guidance on how to build FIPS validated modules:
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf

---------

Co-authored-by: Norman Maurer <[email protected]>
@k-raina
Copy link
Contributor Author

k-raina commented Oct 6, 2023

@normanmaurer Is there anyway we can help to include #821 in build process?

@k-raina
Copy link
Contributor Author

k-raina commented Dec 4, 2023

@normanmaurer Gentle nudge for above request. TIA

@kolargol
Copy link

In FIPS topic. I think to make FIPS mode to work, fipsModeSet need to be set (1) (https://javadoc.io/doc/io.netty/netty-tcnative/2.0.35.Final/io/netty/internal/tcnative/SSL.html#fipsModeSet-int-). But this seems to not be configurable option, so if someone want to use FIPS mode must set it in code. Am I right?

If so, can we make that option user configurable when lib is initiated?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants