AW: AES-cipher offload to engine in openssl-fips

Dr. Matthias St. Pierre Matthias.St.Pierre at ncp-e.com
Wed Feb 27 22:34:23 UTC 2019


> -----Ursprüngliche Nachricht-----
> > >    I always understood "FIPS-capable OpenSSL" to refer specifically to an
> >     OpenSSL compiled with the options to incorporate the FIPS canister
> >     module, not just any OpenSSL build that might be used in FIPS compliant
> >     applications (as that would be any OpenSSL at all).
> >
> > Yes, that is historically correct.  I don't believe the project uses
> > the term "FIPS-capable OpenSSL" any more.  Instead, the design and
> > such talk about a FIPS module which OpenSSL can use.
> 
> Correct.

I disagree: The term "FIPS Capable OpenSSL" is a technical term from the OpenSSL FIPS 2.0
User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) and has a very clear and
precise meaning:

It refers to an OpenSSL 1.0.2 (or 1.0.1) library configured and built with `./configure fips ...`
in order to integrate the FIPS Object Module. Until FIPS 3.0 has been released and FIPS 2.0
is history, we should stick to that definition and not confuse FIPS users by reinterpreting it
or pretend that it is not used anymore or has a different meaning nowadays.

Matthias

--

You find the details in Sections 4.2.3 resp. 4.3.3 of  https://www.openssl.org/docs/fips/UserGuide-2.0.pdf.

    4.2.3 Building a FIPS Capable OpenSSL  (Unix/Linux)
    4.3.3 Building a FIPS Capable OpenSSL  (Windows)

Here a brief excerpt:

Once the validated FIPS Object Module has been generated it is usually combined with an
OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 or 1.0.2 release
can be used for this purpose. The commands
	./config fips <...other options...>
	make <...options...>
	make install
will build and install the new OpenSSL without overwriting the validated FIPS Object Module
files. The FIPSDIR environment variable or the --with­fipsdir command line option can
be used to explicitly reference the location of the FIPS Object Module (fipscanister.o).

The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this
way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for
a non-FIPS OpenSSL or for use in generating FIPS mode applications.




More information about the openssl-users mailing list