AES-cipher offload to engine in openssl-fips

Richard Levitte levitte at openssl.org
Wed Feb 27 22:53:53 UTC 2019


Uhm, I'm confused. I thought we were talking about 3.0?

"Dr. Matthias St. Pierre" <Matthias.St.Pierre at ncp-e.com> wrote: (27 February 2019 23:34:23 CET)
>
>> -----Original Message-----
>> > >    I always understood "FIPS-capable OpenSSL" to refer specifically to an
>> >     OpenSSL compiled with the options to incorporate the FIPS canister
>> >     module, not just any OpenSSL build that might be used in FIPS compliant
>> >     applications (as that would be any OpenSSL at all).
>> >
>> > Yes, that is historically correct.  I don't believe the project uses
>> > the term "FIPS-capable OpenSSL" any more.  Instead, the design and
>> > such talk about a FIPS module which OpenSSL can use.
>> 
>> Correct.
>
>I disagree: The term "FIPS Capable OpenSSL" is a technical term from the OpenSSL FIPS 2.0
>User Guide (https://www.openssl.org/docs/fips/UserGuide-2.0.pdf) and has a very clear and
>precise meaning:
>
>It refers to an OpenSSL 1.0.2 (or 1.0.1) library configured and built with `./configure fips ...`
>in order to integrate the FIPS Object Module. Until FIPS 3.0 has been released and FIPS 2.0
>is history, we should stick to that definition and not confuse FIPS users by reinterpreting it
>or pretend that it is not used anymore or has a different meaning nowadays.
>
>Matthias
>
>--
>
>You find the details in Sections 4.2.3 resp. 4.3.3 of 
>https://www.openssl.org/docs/fips/UserGuide-2.0.pdf.
>
>    4.2.3 Building a FIPS Capable OpenSSL  (Unix/Linux)
>    4.3.3 Building a FIPS Capable OpenSSL  (Windows)
>
>Here a brief excerpt:
>
>Once the validated FIPS Object Module has been generated it is usually combined with an
>OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 or 1.0.2 release
>can be used for this purpose. The commands
>	./config fips <...other options...>
>	make <...options...>
>	make install
>will build and install the new OpenSSL without overwriting the validated FIPS Object Module
>files. The FIPSDIR environment variable or the --with-fipsdir command line option can
>be used to explicitly reference the location of the FIPS Object Module (fipscanister.o).
>
>The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this
>way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for
>a non-FIPS OpenSSL or for use in generating FIPS mode applications.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

