Re: [openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread Kyle Hamilton


On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Is the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>> should the FIPS Object Module v2.0 still work without problems?
> You should patch OpenSSL whether you use it with the FIPS module or not.
>
> From the perspective of the FIPS 140-2 validation, stock OpenSSL is just
> application code and is out of scope. So you can patch/hack OpenSSL
> proper as much as you want; as long as the intact FIPS module is built
> per the mandated process its FIPS-ness is unaffected by OpenSSL.
>
> -Steve M.
>

...with the caveat that you cannot patch the stock OpenSSL in such a way
that any crypto operations are done by anything other than the FIPS
module, if you want to maintain the FIPS-ness of the systems you build
using it.  Formatting and processing of (including memory management
for) data that is encrypted or decrypted by the FIPS module is fair
game, which includes pretty much all of the security holes that have
happened to date in the OpenSSL library.

-Kyle H
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread Steve Marquess
On 02/09/2016 03:19 PM, cloud force wrote:
> Hello everyone,
> 
> Is the FIPS Object Module v2.0 supposed to only work with the vanilla
> openssl library? If I apply the security patches to the openssl library,
> should the FIPS Object Module v2.0 still work without problems?

You should patch OpenSSL whether you use it with the FIPS module or not.

From the perspective of the FIPS 140-2 validation, stock OpenSSL is just
application code and is out of scope. So you can patch/hack OpenSSL
proper as much as you want; as long as the intact FIPS module is built
per the mandated process its FIPS-ness is unaffected by OpenSSL.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-users] FIPS Object Module v2.0 and openssl security patches

2016-02-09 Thread cloud force
Hello everyone,

Is the FIPS Object Module v2.0 supposed to only work with the vanilla
openssl library? If I apply the security patches to the openssl library,
should the FIPS Object Module v2.0 still work without problems?

Thanks,
Rich