On 7/18/2013 12:14 PM, Steve Marquess wrote:
> On 07/18/2013 12:53 PM, Nou Dadoun wrote:
>> Just as a short comment, our fips/non-fips usage could probably
>> satisfy this requirement; we wrap openssl in an external api that
>> routes through a function pointer table. Then at run-time we can
>> fill in the function pointers with the fips functions or the non-fips
>> functions depending on which mode is desired; it wouldn't take much
>> modification to delay loading the fips function pointers until the
>> POST is complete as long as the client code doesn't choke on a "not
>> ready yet" return code.
>
> Not per the understanding that we have, and the test labs we're
> coordinating with. The "FIPS capable" OpenSSL already does the same
> thing, manipulating function pointers.
>
> The essence of the new requirement is that the application developers
> must not *be able* to code an application that calls the crypto module
> prior to the POST, not that they *refrain* from doing so.
>
> As noted in the fairly detailed discussion I put online,
> http://opensslfoundation.com/fips/ig95.html, the OpenSSL FIPS Object
> Module could be recoded to satisfy this new requirement, but the result
> will be an ugly mess. If some sponsor(s) want to fund that effort we'll
> consider it, though always with the concern that we'll be hit with yet
> more new requirements during the protracted process of obtaining a new
> open source based validation.
>
> -Steve M.

I'm not seeing anywhere in the Q&A where it might suggest how much
funding would be required to meet the financial goals of upgrading
OpenSSL FIPS. Based on the "as low as" private label price tag of
$35,000 located elsewhere on the site, I'll assume "not cheap". But
even a ballpark figure would be helpful for those organizations that
might be willing to sponsor the effort.
--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI and Win32 OpenSSL.
http://www.slproweb.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
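The runtime-filled function pointer table that Nou Dadoun describes in the quoted message, as an added example in C (not code from this thread, from OpenSSL, or from the FIPS Object Module): every table slot starts as a "not ready yet" stub, and the FIPS or non-FIPS implementation is installed only once the POST result is known. The wrapper names, return codes, the simulated POST and the toy digest implementations are all constructed for illustration.

```c
#include <stddef.h>

/* Return codes and implementation tags; all names here are constructed for this example. */
enum { CRYPTO_OK = 0, CRYPTO_NOT_READY = -1 };
enum { IMPL_FIPS = 0xF1, IMPL_NONFIPS = 0x5E };

/* One hypothetical operation; a real wrapper table would hold every exported call. */
typedef int (*digest_fn)(const unsigned char *in, size_t len, unsigned char out[2]);

/* Toy stand-ins for the FIPS and non-FIPS implementations: tag byte + XOR checksum. */
static int digest_fips(const unsigned char *in, size_t len, unsigned char out[2]) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc ^= in[i];
    out[0] = IMPL_FIPS; out[1] = acc;
    return CRYPTO_OK;
}
static int digest_nonfips(const unsigned char *in, size_t len, unsigned char out[2]) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc ^= in[i];
    out[0] = IMPL_NONFIPS; out[1] = acc;
    return CRYPTO_OK;
}
/* Stub that occupies every table slot until the POST has completed. */
static int digest_not_ready(const unsigned char *in, size_t len, unsigned char out[2]) {
    (void)in; (void)len; (void)out;
    return CRYPTO_NOT_READY;
}

/* The function pointer table the external API routes through. */
static struct { digest_fn digest; } vtable = { digest_not_ready };

/* Simulated power-on self test; the flag lets the caller exercise the failure path. */
static int run_post(int simulate_failure) { return simulate_failure ? 0 : 1; }

/* Fill the table for the requested mode. FIPS pointers are installed only after the
 * POST passes; on failure the slot keeps the not-ready stub, so later calls keep failing. */
int crypto_init(int fips_mode, int simulate_post_failure) {
    if (!fips_mode) { vtable.digest = digest_nonfips; return CRYPTO_OK; }
    if (!run_post(simulate_post_failure)) { vtable.digest = digest_not_ready; return CRYPTO_NOT_READY; }
    vtable.digest = digest_fips;
    return CRYPTO_OK;
}

/* Public wrapper entry point: the caller never sees which implementation is behind it. */
int crypto_digest(const unsigned char *in, size_t len, unsigned char out[2]) {
    return vtable.digest(in, len, out);
}

/* Probe showing which implementation (if any) is live: returns the tag byte or CRYPTO_NOT_READY. */
int digest_probe(void) {
    unsigned char out[2];
    int rc = crypto_digest((const unsigned char *)"abc", 3, out);  /* constructed input */
    return rc == CRYPTO_OK ? out[0] : rc;
}
```

As Steve Marquess points out above, a table like this lives outside the validated module and only makes the calling code refrain from pre-POST use; under his reading of the new requirement the module itself must make such a call impossible, so this gating alone does not satisfy it.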