[openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

Steve Marquess marquess at openssl.com
Tue Mar 15 22:54:23 UTC 2016

On 03/15/2016 05:24 PM, Satya Das wrote:
> Hello Steve,
> Even if a vendor letter is good for CMVP, how is the vendor supposed
> to know ?

Ummm, because the vendor is the one who created the validated module.
Only that vendor can know for sure how the module was created, because
the FIPS 140-2 requirements have non-technical procedural elements
(think of those as ideological or spiritual elements).

Note that in this context "vendor" refers to the entity that created the
validated module and submitted it for FIPS 140-2 validation. The company
that uses the FIPS module in their product is a "user", not a "vendor",
with respect to the validated module.

> I would say openssl should give such a tool so that vendor and the
> testing Lab can know such things. It is more than critical that the
> applications link to the intended crypto module. This convoluted and
> complex object module linking etc. with 207 page user guide is
> specific to openssl's approach to FIPS, and therefore should be
> addressed by the project. It should not come down to some vendor
> document written in good faith.

But it necessarily always comes down to a vendor document, for *any*
validated module, not just the OpenSSL FIPS module. I've tried and
failed now several times to articulate why that is so and can't think of
any new way to present it, but it is simply not possible to do what you
want; there is no such thing as a magical pixie dust detector. We cannot
make one; no one can.

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list