On 7/18/2013 12:14 PM, Steve Marquess wrote:
> On 07/18/2013 12:53 PM, Nou Dadoun wrote:
>> Just as a short comment, our fips/non-fips usage could probably
>> satisfy this requirement; we wrap openssl in an external api that
>> routes through a function pointer table.  Then at run-time we can
>> fill in the function pointers with the fips functions or the non-fips
>> functions depending on which mode is desired; it wouldn't take much
>> modification to delay loading the fips function pointers until the
>> POST is complete as long as the client code doesn't choke on a "not
>> ready yet" return code.
>
> Not per the understanding that we have, and the test labs we're
> coordinating with. The "FIPS capable" OpenSSL already does the same
> thing, manipulating function pointers.
>
> The essence of the new requirement is that the application developers
> must not *be able* to code an application that calls the crypto module
> prior to the POST, not that they *refrain* from doing so.
>
> As noted in the fairly detailed discussion I put online,
> http://opensslfoundation.com/fips/ig95.html, the OpenSSL FIPS Object
> Module could be recoded to satisfy this new requirement, but the result
> will be an ugly mess. If some sponsor(s) want to fund that effort we'll
> consider it, though always with the concern that we'll be hit with yet
> more new requirements during the protracted process of obtaining a new
> open source based validation.
>
> -Steve M.

I'm not seeing anywhere in the Q&A where it might suggest how much funding would be required to meet the financial goals of upgrading OpenSSL FIPS. Based on the "as low as" private label price tag of $35,000 located elsewhere on the site, I'll assume "not cheap". But even a ballpark figure would be helpful for those organizations that might be willing to sponsor the effort.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI and Win32 OpenSSL.
http://www.slproweb.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org