Beth E. Okun wrote:
Hi,
I'm wondering about integrating fips into openssl-0.9.8g. We were
previously using openssl-0.9.7m, and have noted that the fips1.0
directory is absent in the 0.9.8g release, and also that the
"./Configure" script does not contain any of the fips functionality.
I did note in some of the documentation that there is an
openssl-0.9.8 fips build, I'm wondering if this is currently
validated? Also, is this a build that anyone can download?
Thank you so much for your time.
Sincerely,
Beth E. Okun
You must have just missed the post from Steve Henson:
The version currently under test is essentially:
ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz
Though there are no guarantees it wont change before validation is
finalised.
The snapshots such as:
ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-20080526.tar.gz
are based on more recent versions of OpenSSL 0.9.8. They can be
linked against the 1.2 module (when available) in a similar way to
0.9.7 and the 1.1.2 module.
Note that the OpenSSL FIPS Object Module (the special validated code) is
*not* contained in each and every version of standard OpenSSL. It can't
be, because a key aspect of the FIPS 140-2 voodoo is that validated
software cannot change at all, and of course the regular OpenSSL
releases do change. The FIPS Object Module also has but a small subset
of the functionality of regular OpenSSL. It is a separate and distinct,
and very specialized, entity.
Because the FIPS Object Module has limited functionality, few will want
to use it directly. Instead it is designed to be used in conjunction
with certain "FIPS capable" versions of the full OpenSSL product. The
FIPS Object Module provides the validated low level cryptography while
the FIPS capable OpenSSL provides the familiar OpenSSL API, internally
redirecting as appropriate to the FIPS Object Module.
So you want the validated FIPS Object Module v.1.2, which won't be
available for a month (or two, or three...) and a FIPS capable 0.9.8
OpenSSL. There is (will be) only one version of the former, while the
"FIPS capable" support will be carried forward in future 0.9.8 releases.
-Steve M.
--
Steve Marquess
Open Source Software institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]