First, terminology:

The 1.1.* series of FIPS-validated modules will only operate with the
0.9.7 series.
The 1.2.0-test module will operate with 0.9.8.

You are correct, the 1.2.0 module has not yet been validated, and
there's no way that anyone can predict when it will be.  "It is done
when it is done" seems to be the prevailing attitude.

Only the module itself needs to be FIPS-validated.  The code that goes
with it does not.  To retain the FIPS validation of the module, it
must be built according to the security policy, and then linked with
the openssl code according to the security policy, and then run only
in the bounds specified by the security policy.  This means that the
FIPS sources themselves cannot under any circumstances in any way be
modified from how they are distributed -- if they are modified, at
all, it loses its FIPS-validation status.  This should not be an
issue, though it may perhaps be -- but remember, the build process is
specified in the security policy.  You MUST build the module as
specified, or the result is not FIPS-validated.

Once you have the module built, though, it retains its validation even
if you build all the other parts of the openssl library with
proprietary makefiles.  You just need to be aware of what the 'fips'
target does to the build process, and know how to call fipsld instead
of ld or the generic gcc linking capability for any executable that
you're trying to generate -- not just the library.

My understanding at this point is that if you build from the source
code which generates a validated module, the result is considered
validated even if it's compiled on a different host platform, as long
as the code takes any differences in endianness into account (i.e., it
operates properly on the platform for which it's compiled).  You
should check with the FIPS implementation guide available from the
CSRC (http://www.csrc.nist.gov/).

Dr Henson has already answered about the FIPS changes having been
merged into the 0.9.8 code line -- it's my thought that 0.9.8j will
likely be released no later than when the final fips-1.2.0 tarball is
released.

-Kyle H

On Fri, Nov 7, 2008 at 2:12 AM, Roger No-Spam <[EMAIL PROTECTED]> wrote:
> Hi,
> We have included openssl in our product, a proprietary OS and development
> environment. Customers have requested that we include the FIPS validated
> version of openssl. We have included the openssl 0.9.8 base line and I am
> now trying to clarify what the implications are of including the 0.9.8 FIPS
> module.
>
> As I understand it, the 0.9.8 FIPS module has been submitted for validation
> but when the validation will be completed is unknown. This is based on the
> following email from Steve Marquess
> http://markmail.org/message/56dmutf7gkdhy7ib#query:OpenSSL%20FIPS%20Object%20Module%20v1.2%20order%3Adate-backward+page:1+mid:fsqhbhzfg2nkpeot+state:results
>
> Furthermore, there seem to be FIPS changes required in openssl outside the
> FIPS module. This is my conclusion after having studied the FIPS_098_TEST_8
> branch in openssl's cvs server. When are these changes scheduled to be
> merged into the main 0.9.8 branch and be released?
>
> We make some minor modifications to openssl in order to port it to our
> environment. It may not be necessary to modify the FIPS module files. And we
> use proprietary makefiles to build all openssl files. As I understand it,
> these changes compared to the openssl FIPS tar ball, would void the FIPS
> validation in our case. In this FAQ
> (http://oss-institute.org/fips-faq.html#a26) a cost figure (USD 10-50K) is
> stated for a re-validation for an additional OS. Would that cost figure be
> applicable in our case? What steps are required in order to re-validate for
> an additional OS?
>
> To summarize, these are the steps needed:
>  - wait for FIPS validation for openssl 0.9.8
>  - wait for new openssl-0.9.8 release that includes FIPS changes
>  - FIPS re-validate our product
>
> Is this summary correct? Am I missing anything?
>
> /Roger
