Henrik Grindal Bakken wrote:
...
Because the 1.0.x releases don't have any support for FIPS, they
don't implement the FIPS-mandated tests.  OpenSSL can't help with
prevalidation now, since its FIPS-validated mode fails new
validation standards compliance in some manner.

You're probably already dealing with having to fork the code (to
prevent any use of non-FIPS-approved algorithms when your hardware
is operating in FIPS-validated mode).  This suggests that your best
option might be to import the self-tests from fips-1.2.2 into your
own fork.

It's not really a fork; we do it mostly with a) configuration, and b)
limiting algorithms in our own code.  We do have some patches, though,
and I suppose the best way forward is to pull in the tests from the
latest OpenSSL FIPS module and try to fit them into 1.0.0 code.

We have just begun a new open source based validation that will be 1.0.0 compatible. The open source validations tend to take longer than proprietary validations (more scrutiny), but depending on your timeline you might be better off just waiting. If you had a Level 1 requirement we could add your platform to the ongoing validation, but your Level 2 platform will require a separate validation.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
[email protected]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
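As an illustration of what "the FIPS-mandated tests" in the exchange above actually consist of, here is an added example (not code from the OpenSSL fips-1.2.2 module, from OpenSSL 1.0.0, or from any of the posters): a power-up known-answer-test (KAT) harness of the shape FIPS 140-2 requires, in which every approved primitive is run against a stored expected answer before any service is offered, a single failure puts the module into an error state that refuses all further cryptographic output, and requests for non-approved algorithms are rejected, the "limiting algorithms in our own code" approach Henrik describes. The FipsModule class, APPROVED_DIGESTS set, safe_digest() and tampered_module() helpers are this example's own names; the two test vectors are the public SHA-256 "abc" example and RFC 4231 HMAC-SHA-256 test case 1. Passing such tests does not make anything FIPS-validated; validation is the lab and CMVP process Steve refers to.

```python
"""Added example: a minimal FIPS-style power-up self-test harness (illustrative only)."""
import hashlib
import hmac


class FipsError(RuntimeError):
    """Raised when a cryptographic service is requested while the module may not provide one."""


# Known-answer vectors. The values are public (FIPS 180-2 "abc" example for SHA-256,
# RFC 4231 test case 1 for HMAC-SHA-256); the table layout is this example's own.
KATS = (
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
)

# Digest algorithms this hypothetical module permits once it is in approved mode.
APPROVED_DIGESTS = frozenset({"sha224", "sha256", "sha384", "sha512"})


class FipsModule:
    """Hypothetical module: no service before self-tests pass, none at all after a failure."""

    def __init__(self, kats=KATS):
        self._kats = kats
        self._operational = False   # becomes True only after every KAT passes
        self._error_state = False   # sticky: once set, the module stays unusable
        self.failed = []

    def power_up_selftest(self):
        """Run every KAT; enter the error state if any answer is wrong or the primitive crashes."""
        self.failed = []
        for name, run, expected in self._kats:
            try:
                got = run()
            except Exception as exc:          # a crashing primitive is a failed test, not a skip
                got = "exception:%r" % (exc,)
            if not hmac.compare_digest(got, expected):
                self.failed.append(name)
        if self.failed:
            self._error_state = True
            self._operational = False
        else:
            self._operational = True
        return not self._error_state

    def digest(self, algorithm, data):
        """Approved-mode digest: refuses when not operational or when the algorithm is not approved."""
        if self._error_state:
            raise FipsError("module is in the error state; failed self-tests: %s"
                            % ", ".join(self.failed))
        if not self._operational:
            raise FipsError("power-up self-tests have not been run")
        if algorithm not in APPROVED_DIGESTS:
            raise FipsError("%s is not an approved algorithm in FIPS mode" % algorithm)
        return hashlib.new(algorithm, data).hexdigest()


def safe_digest(module, algorithm, data):
    """Return the hex digest, or None if the module refused the request."""
    try:
        return module.digest(algorithm, data)
    except FipsError:
        return None


def tampered_module():
    """A module whose stored SHA-256 answer is wrong, simulating a broken or modified primitive."""
    bad = (("SHA-256", KATS[0][1], "00" * 32),) + KATS[1:]
    return FipsModule(kats=bad)


if __name__ == "__main__":
    good = FipsModule()
    print("self-test passed:", good.power_up_selftest())
    print("sha256(abc):", safe_digest(good, "sha256", b"abc"))
    print("md5 in FIPS mode:", safe_digest(good, "md5", b"abc"))
    bad = tampered_module()
    print("tampered self-test passed:", bad.power_up_selftest(), "failed:", bad.failed)
    print("tampered module digest:", safe_digest(bad, "sha256", b"abc"))
```

The two properties worth carrying over into a real port of the fips-1.2.2 tests are the sticky error state (a later successful call must not silently re-enable the module) and the fact that the KATs run on the same code path callers use, so a build that links the wrong SHA-256 or a miscompiled HMAC fails at power-up rather than in production.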
