OpenSSL 3.0 FIPS module configuration file

Dr Paul Dale pauli at openssl.org
Tue Feb 15 00:10:24 UTC 2022


There is nothing stopping cheating.

If you are going to cheat, why bother with FIPS at all?  Just claim 
you're FIPS.


Pauli

On 15/2/22 10:49, Ma Ar wrote:
>
> Maybe a dumb question too, considering that I am admittedly just 
> getting into this field, but I thought maybe if I ask I might learn 
> something...is there any method of assurance that the tests were then 
> run on the machine they are installed on?
>
> If whatever those tests are attesting to to certify compliance can be 
> falsified by copying over 1 file, what would even be the purpose of 
> those tests?
>
> Or are they simply dependency checks?
>
> Thanks for all the effort it must take in answering all these 
> questions every day.
>
> On 2/14/2022 5:31 PM, Dr Paul Dale wrote:
>> Yes, this has to do with the FIPS standards.  I forget which standard 
>> it is but the self tests are mandated to be run on each device 
>> independently.
>>
>> The fipsinstall process runs the self tests before generating the 
>> configuration file.  If the self tests fail, the module doesn't 
>> install.  Copying the configuration file across avoids the self tests 
>> and therefore isn't compliant.
>>
>>
>> Pauli
>>
>>
>> On 15/2/22 02:25, Richard Dymond wrote:
>>> Hi
>>>
>>> Probably a dumb question, but why must the FIPS module configuration 
>>> file for OpenSSL 3.0 be generated on every machine that it is to be 
>>> used on (i.e. must not be copied from one machine to another)?
>>>
>>> I just ran 'openssl fipsinstall' on two different machines with the 
>>> same FIPS module and it produced exactly the same output each time, 
>>> so presumably the reason has nothing to do with the config file 
>>> being unique to the machine.
>>>
>>> Does it have something to do with the FIPS standard itself?
>>>
>>> Richard
>>