Kyle Hamilton wrote:
Okay.  Let's see if I can piece together everything I've learned about
the FIPS experience so far...

FIPS-1.1.2 only generates a static fipscanister, which can only be
used to generate a static library.  (except on Windows, where it can
be built into a shared library.)

The fipscanister.o for v1.1.2 is generated with position independent code or not depending on the default build options borrowed from the 0.9.7 baseline at the time. On Windows it happens that position independent code is generated automatically, hence that object module can be incorporated in shared code. On Linux and some other platforms that isn't the case.

Note we were originally going to test both shared and non-shared builds, but ran out of money for the test lab fees (each such "platform" variation drives up the price).

For v1.2 we decided to just force position independent code generation universally.

...

FIPS-1.1.2 is the most recent validated fipscanister.  1.2.0 is
currently submitted for review, but there is no timeframe (other than
'it could take until the end of the next ice age') for its validation.

The latest info I've heard is that there is a new reviewer (new hire) who has decided to revisit the entire history of the original validation from the beginning, i.e. effectively second guessing the CMVP reviewers of those prior validations. That first validation took five years, an Internet ice age indeed.

If you want to test the functionality of FIPS-1.2.0, you need to
download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
from the same location.

If you want a currently-validated solution, you need
openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.

Anyone got any comments on whether I've gotten this right?

You did.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
