[openssl-users] FIPS Object Module v2.0 and openssl security patches

Kyle Hamilton aerowolf at gmail.com
Tue Feb 9 20:47:40 UTC 2016



On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Would the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>> should the FIPS Object Module v2.0 still work without problems?
> You should patch OpenSSL whether you use it with the FIPS module or not.
>
> From the perspective of the FIPS 140-2 validation, stock OpenSSL is just
> application code and is out of scope. So you can patch/hack OpenSSL
> proper as much as you want; as long as the intact FIPS module is built
> per the mandated process its FIPS-ness is unaffected by OpenSSL.
>
> -Steve M.
>

...with the caveat that you cannot patch the stock OpenSSL in such a way
that any crypto operations are done by anything other than the FIPS
module, if you want to maintain the FIPS-ness of the systems you build
using it.  Formatting and processing of (including memory management
for) data that is encrypted or decrypted by the FIPS module is fair
game, which includes pretty much all of the security holes that have
happened to date in the OpenSSL library.

-Kyle H


More information about the openssl-users mailing list