User Guide for the OpenSSL FIPS Object Module v2.0

(for validations #1747, #2398, and #2473 including revisions v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12)

OpenSSL Validation Services, Inc. (formerly OpenSSL Software Foundation)

March 14, 2017

User Guide - OpenSSL FIPS Object Module v2.0

Copyright and Trademark Notice

This document is licensed under a Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).

OpenSSL is a registered trademark of the OpenSSL Software Foundation.
Sponsored by:
Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program
Intersoft International, Inc.
Department of Homeland Security Science and Technology Directorate

Sponsored by:
Dell Inc., sponsor of Beaglebone Black platforms
Acknowledgments

OpenSSL Validation Services (OVS) serves as the "vendor" for this validation. Project management coordination for this effort was provided by:

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 301-874-2571
marquess@openssl.com

with technical work by:

Dr. Stephen Henson
4 Monaco Place, Westlands, Newcastle-under-Lyme
Staffordshire. ST5 2QT. England, United Kingdom
shenson@openssl.com
shenson@drh-consultancy.co.uk
http://www.drh-consultancy.co.uk/

Andy Polyakov
Chalmers University of Technology
SE-41296 Gothenburg
Sweden
appro@openssl.org
appro@fy.chalmers.se

Tim Hudson
P.O. Box 6389
Fairfield Gardens 4103
Australia
tjh@cryptsoft.com
http://www.cryptsoft.com/

in coordination with the OpenSSL team at www.openssl.org.

Validation testing was performed by Infogard Laboratories. For information on validation or revalidations of software contact:

Marc Ireland
FIPS Program Manager, CISSP
InfoGard, a UL Company
709 Fiero Lane, Suite 25
San Luis Obispo, CA 93401
805-783-0810 tel
805-783-0889 fax
Marc.Ireland@ul.com
http://www.infogard.com/
Revision History

This document will be revised over time as new information becomes available; check http://www.openssl.org/docs/fips/ for the latest version. Suggestions for additions, corrections, or improvement are welcome and will be gratefully acknowledged; please send document error reports or suggestions to userguide@openssl.com.

Date        Description
2017-03-14  Updated for 2.0.15
2017-03-08  Fixed typos (thanks to Pete Brennan pete.brennan@ngc.com)
2016-05-10  Added new section 2.10, discussion of Alternative Scenario 1A/1B clone validations
2016-04-12  Updates references to OpenSSL 1.0.1 (thanks to Jeremiah R. Niebuhr jeremiah.niebuhr.ctr@us.af.mil)
2016-02-10  Update for revision 2.0.12, note OpenSSL Validation Services name change
2016-02-05  Fixed several typos (thanks to Ti Strga wearyofallthiscrap@gmail.com)
2016-02-03  Section 6.1.1, clarify discussion of the entropy callback
2015-11-05  Fix typo in section 4.1.2
2015-09-30  Section 6.1.1, expanded discussion of the entropy callback (thanks to Lee D Gibbins ldgibbons@avaya.com)
2015-09-16  Section 6.7, corrected four typos (thanks to Conrad Gerhart Welling CONRAD.GERHART.WELLING@leidos.com). Added new section 6.10, "CCM".
2015-09-05  Reference the 2.0.10 revision. Fixed typo in section 6.5 (thanks to Conrad Gerhart Welling CONRAD.GERHART.WELLING@leidos.com)
2015-06-09  Update team GPG/PGP keys in Appendix A, noted new 2.0.8, 2.0.9 platforms in section 2.7
2015-04-16  Multiple typographical corrections (thanks to Mike Carden mike.carden@au.ngc.com)
2014-09-02  Fixed typo in Section 4.3.3, added new platforms in Section 3
2014-07-21  Reference the 2.0.6 and 2.0.7 revisions
2013-12-04  Appendix B: Updated footnote referencing special cases in fips_algvs
2013-11-01  Added Citrix acknowledgment
2013-10-31  Update URL in section 5.6 (thanks to mscriven@sdisw.com)
2013-09-29  Fixed typo in section 6 (thanks to karanpopali@gmail.com)
2013-09-13  Added Cryptsoft acknowledgment, update for 2.0.5, note effective disabling of Dual EC DRBG
2013-02-02  Documented FIPSDIR in Section 4.2
2013-01-24  Fixed issue with iOS and VALID_ARCHS vs ARCHS
2013-01-10  Clarified iOS procedures
2013-01-09  Added information on FIPS_module_mode()
2013-01-08  Spelling corrections and flow improvements
2012-12-02  Changed "vendor affirmed" references to "user affirmed"
2012-11-29  Corrections to instructions for iOS building
2012-11-01  Additions to section 6
2012-10-25  Additions to section 5.3, new Appendix E.3
2012-09-07  Added new section on GMAC
2012-07-17  Added iOS to Appendix E
2012-07-03  Correct typographical errors, update acknowledgment
2012-06-28  Update with certificate number
2012-05-15  Discussion of the new "secure installation" requirement.
2012-04-09  Updated and rename the "fips_hmac" sample application; added section 6.5
2012-03-15  Platform list and cross-reference, and additional discussion of platform issues
2012-02-21  Additional discussion of cross-compilation
2011-09-07  Initial draft for openssl-fips-2.0.tar.gz
Table of Contents

1. INTRODUCTION ... 10
1.1 FIPS WHAT WHERE DO I START ... 10
1.2 "CHANGE LETTER" MODIFICATIONS ... 11
1.3 THE "PRIVATE LABEL" VALIDATION ... 11
2. BACKGROUND ... 12
2.1 TERMINOLOGY ... 13
2.1.1 FIPS 140-2 Specific Terminology ... 13
2.1.2 General Glossary ... 14
2.2 THE FIPS MODULE AND INTEGRITY TEST ... 17
2.3 THE FIPS INTEGRITY TEST ... 18
2.3.1 Requirement for Exclusive Integrity Test ... 18
2.3.2 Requirement for Fixed Object Code Order ... 18
2.4 THE FILE INTEGRITY CHAIN ... 19
2.4.1 Source File (Build Time) Integrity ... 19
2.4.2 Object Module (Link Time) Integrity ... 20
2.4.3 Application Executable Object (Run Time) Integrity ... 20
2.5 RELATIONSHIP TO THE OPENSSL API ... 20
2.6 FIPS MODE OF OPERATION ... 22
2.6.1 FIPS Mode Initialization ... 22
2.6.2 Algorithms Available in FIPS Mode ... 22
2.7 REVISIONS OF THE 2.0 MODULE ... 23
2.8 PRIOR FIPS OBJECT MODULES ... 26
2.9 FUTURE FIPS OBJECT MODULES ... 26
2.10 CLONE VALIDATIONS ... 27
3. COMPATIBLE PLATFORMS ... 41
3.1 BUILD ENVIRONMENT REQUIREMENTS ... 41
3.2 KNOWN SUPPORTED PLATFORMS ... 42
3.2.1 Code Paths and Command Sets ... 46
3.2.2 32 versus 64 Bit Architectures ... 52
3.2.3 Assembler Optimizations ... 53
3.3 CREATION OF SHARED LIBRARIES ... 54
3.4 CROSS-COMPILATION ... 54
4. GENERATING THE FIPS OBJECT MODULE ... 57
4.1 DELIVERY OF SOURCE CODE ... 57
4.1.1 Creation of a FIPS Object Module from Other Source Code ... 58
4.1.2 Verifying Integrity of Distribution (Best Practice) ... 58
4.2 BUILDING AND INSTALLING THE FIPS OBJECT MODULE WITH OPENSSL (UNIX/LINUX) ... 61
4.2.1 Building the FIPS Object Module from Source ... 61
4.2.2 Installing and Protecting the FIPS Object Module ... 63
4.2.3 Building a FIPS Capable OpenSSL ... 63
4.3 BUILDING AND INSTALLING THE FIPS OBJECT MODULE WITH OPENSSL (WINDOWS) ... 64
4.3.1 Building the FIPS Object Module from Source ... 64
4.3.2 Installing and Protecting the FIPS Object Module ... 64
4.3.3 Building a FIPS Capable OpenSSL ... 65
5. CREATING APPLICATIONS WHICH REFERENCE THE FIPS OBJECT MODULE ... 67
5.1 EXCLUSIVE USE OF THE FIPS OBJECT MODULE FOR CRYPTOGRAPHY ... 67
5.2 FIPS MODE INITIALIZATION ... 67
5.3 GENERATE APPLICATION EXECUTABLE OBJECT ... 69
5.3.1 Linking under Unix/Linux ... 70
5.3.2 Linking under Windows ... 72
5.4 APPLICATION IMPLEMENTATION RECOMMENDATIONS ... 73
5.5 DOCUMENTATION AND RECORD-KEEPING RECOMMENDATIONS ... 74
5.6 WHEN IS A SEPARATE FIPS 140-2 VALIDATION REQUIRED ... 75
5.7 COMMON ISSUES AND MISCONCEPTIONS ... 77
5.7.1 Don't Fight It ... 77
5.7.2 Don't Overthink It ... 77
6. TECHNICAL NOTES ... 78
6.1 DRBGS ... 78
6.1.1 Overview ... 78
6.1.2 The DRBG API ... 81
6.2 ROLE BASED MODULE AUTHENTICATION ... 90
6.3 SELF TESTS ... 94
6.3.1 POST Tests ... 95
6.3.2 Conditional self tests ... 99
6.4 ECDH ... 100
6.5 ECC AND THE NSA SUBLICENSE ... 101
6.6 THE "SECURE INSTALLATION" ISSUE ... 102
6.6.1 What Won't Work ... 103
6.6.2 What Might Work ... 104
6.6.3 Still Confused ... 105
6.7 GMAC ... 106
6.7.1 CAVP Action ... 106
6.7.2 Options for Addressing ... 106
6.7.3 Practical Impact ... 107
6.8 DH ... 108
6.9 DSA ... 108
6.10 CCM ... 108
7. REFERENCES ... 110
APPENDIX A OPENSSL DISTRIBUTION SIGNING KEYS ... 112
APPENDIX B CMVP TEST PROCEDURE ... 114
B.1 BUILDING THE SOFTWARE - LINUX/UNIX ... 114
B.2 ALGORITHM TESTS - LINUX/UNIX ... 116
B.3 BUILDING THE SOFTWARE - WINDOWS ... 117
B.4 ALGORITHM TESTS - WINDOWS ... 118
B.5 FIPS 140-2 TEST - ALL PLATFORMS ... 118
B.6 TEST VECTOR DATA FILES AND THE FIPSALGTEST.PL UTILITY ... 129
B.6 DOCUMENTATION ... 134
APPENDIX C EXAMPLE OPENSSL BASED APPLICATION ... 135
C.1 NATIVE COMPILATION OF STATICALLY LINKED PROGRAM ... 135
C.2 CROSS-COMPILATION OF "FIPS CAPABLE" SHARED OPENSSL LIBRARIES ... 138
APPENDIX D FIPS API DOCUMENTATION ... 140
D.1 FIPS MODE ... 140
D.2 FIPS_MODE_SET(), FIPS_SELFTEST() ... 141
D.3 FIPS_MODE() ... 142
D.4 ERROR CODES ... 142
APPENDIX E PLATFORM SPECIFIC NOTES ... 144
E.1 APPLE OS X SUPPORT ... 144
E.2 APPLE IOS SUPPORT ... 145
Acquire Required Files ... 145
Build the Incore Utility ... 146
Build the FIPS Object Module ... 148
Build the FIPS Capable Library ... 149
OpenSSL Xcode Application ... 152
E.3 WINDOWS CE SUPPORT ... 154
APPENDIX F RESTRICTIONS ON THE EXPORT OF CRYPTOGRAPHY ... 157
F.1 OPEN SOURCE SOFTWARE ... 157
F.2 "EXPORT JOBS, NOT CRYPTO" ... 158
APPENDIX G SECURITY POLICY ERRATA ... 159
APPENDIX H DTR ANALYSIS ... 160
APPENDIX I API ENTRY POINTS BY SOURCE FILE ... 161

1. Introduction
This document is a guide to the use of the OpenSSL FIPS Object Module, a software component intended for use with the OpenSSL cryptographic library and toolkit. It is a companion document to the OpenSSL FIPS 140-2 Security Policy document submitted to NIST as part of the FIPS 140-2 validation process. It is intended as a technical reference for developers using, and system administrators installing, the OpenSSL FIPS software, for use in risk assessment reviews by security auditors, and as a summary and overview for program managers.

It is intended as a guide for annotation and more detailed explanation of the Security Policy, and not as a replacement. In the event of a perceived conflict or inconsistency between this document and the Security Policy the latter document is authoritative as only it has been reviewed and approved by the Cryptographic Module Validation Program (CMVP), a joint U.S.-Canadian program for the validation of cryptographic products (http://csrc.nist.gov/groups/STM/cmvp/).

Familiarity with the OpenSSL distribution and library API (Application Programming Interface) is assumed. This document is not a tutorial on the use of OpenSSL and it only covers issues specific to the FIPS 140-2 validation. For more information on the use of OpenSSL in general see the many other sources of information such as http://openssl.org/docs/ and Network Security with OpenSSL (Reference 4).

The Security Policy document (Reference 1) is available online at the NIST Cryptographic Module Validation website, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf.

For more information on OpenSSL Validation Services and the OpenSSL Software Foundation see http://openssl.com/.

For more information on the OpenSSL project see http://openssl.org/.

For more information on NIST and the cryptographic module validation program, see http://csrc.nist.gov/groups/STM/cmvp/.

For information and announcements regarding current and future OpenSSL related validations see http://openssl.org/docs/fips/fipsnotes.html. That web page also has a very quick introduction extracted here:
1.1 FIPS What Where Do I Start

Ok, so your company needs FIPS validated cryptography to land a big sale, and your product currently uses OpenSSL. You haven't worked up the motivation to wade through the entire User Guide and want the quick "executive summary". Here is a grossly oversimplified account:

OpenSSL itself is not validated, and never will be. Instead a carefully defined software component called the OpenSSL FIPS Object Module has been created. The Module was designed for compatibility with the OpenSSL library so products using the OpenSSL library and API can be converted to use FIPS 140-2 validated cryptography with minimal effort.

The OpenSSL FIPS Object Module validation is unique among all FIPS 140-2 validations in that the product is "delivered" in source code form, meaning that if you can use it exactly as is and can build it for your platform according to a very specific set of instructions, then you can use it as validated cryptography[3]. The OpenSSL library is also unique in that you can download and use it for free.

If you require source code or build process changes for your intended application, then you cannot use the open source based validated module – you must obtain your own validation. This situation is common; see "Private Label" validation, below.

New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive (US$50,000 is typical for an uncomplicated validation), and unpredictable (completion dates are not only uncertain when first beginning a validation, but remain so during the process).

Note that FIPS 140-2 validation is a complicated topic that the above summary does not adequately address. You have been warned!

[3] Either directly or via "User Affirmation" which is discussed in §5.5.

1.2 "Change Letter" Modifications

If the existing validated OpenSSL FIPS Object Module is almost what you need, but some minor modifications are necessary for your intended use, then it may be possible to retroactively modify the original validation to include those necessary changes. The process by which this is done is known as the "maintenance letter" or "change letter" process. A change letter can be substantially faster and less expensive than obtaining a new, independent validation. Modifications to the FIPS module to support a new platform (operating system or compiler) are often compatible with the change letter process.

1.3 The "Private Label" Validation

OVS would prefer to work on open source based validations which benefit the OpenSSL user community at large. However, we understand not all work can benefit the community. We refer to validations based directly on the OpenSSL FIPS Object Module but not available to the community as "private label" validations. They are also sometimes referred to as "cookie cutter" validations.

Many ISVs and vendors are interested in private label validations, and OVS will assist in such efforts with a priced engagement. An ISV or vendor usually obtains a private label validation for marketing or risk management purposes. For example, a company may choose to privately retain its validation to ensure its competitive advantage, or a company might modify the sources and choose to keep the changes private.

OVS has performed numerous private validations for desktop, server, and mobile platforms with very competitive pricing. Often, the pricing is less than the account setup fee for a closed sourced and locked-in solution. Trivial and uncomplicated validations can often be performed using fixed rate contracts to assure cost constraints.
2. Background

For the purposes of FIPS 140-2 validation, the OpenSSL FIPS Object Module v2.0 is defined as a specific discrete unit of binary object code (the "FIPS Object Module") generated from a specific set and revision level of source files embedded within a source distribution. These platform portable source files are compiled to create the object code in an isolated and separate form. That object code is then used to provide cryptographic services to external applications. The terms FIPS Object Module and FIPS Module elsewhere in this document refer to this OpenSSL FIPS Object Module object code.

The FIPS Object Module provides an API for invocation of FIPS approved cryptographic functions from calling applications, and is designed for use in conjunction with standard OpenSSL 1.0.1 and 1.0.2 distributions. These standard OpenSSL 1.0.1/1.0.2 source distributions support the original non-FIPS API as well as a FIPS Mode in which the FIPS approved algorithms are implemented by the FIPS Object Module and non-FIPS approved algorithms are disabled by default. These non-validated algorithms include, but are not limited to, Blowfish, CAST, IDEA, RC-family, and non-SHA message digest and other algorithms.

The FIPS Object Module was designed and implemented to meet FIPS 140-2, Level 1 requirements. There are no special steps required to ensure FIPS 140-2 compliant operation of the FIPS Object Module, other than building, loading, and initializing the FIPS approved and HMAC-SHA-1 digest verified source code. This process of generating the application executable object from source code for all supported platforms[1] is documented in detail at §4 and §5.

[1] By definition, for all platforms to which the validation can be extended. Per the requirements of the Security Policy, any change to the documented build process renders the result non-FIPS approved.

The FIPS Object Module provides confidentiality, integrity, signing, and verification services. The FIPS Object Module supports the following algorithms: Triple DES, AES, CMAC, CCM, RSA (for digital signatures), DH, DSA/DSA2, ECDSA/ECDSA2, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512. The FIPS Object Module supports SP 800-90 and ANSI X9.31 compliant pseudo-random number generators.

The FIPS Object Module supports the Suite B cryptographic algorithms and can be used with Suite B cryptography exclusively. Suite B requires 128-bit security levels and forbids use of TLS lesser than 1.2 (TLS 1.0 and 1.1 use MD5 as a PRF during key agreement).

The FIPS Object Module v2.0 is similar in many respects to the earlier OpenSSL FIPS Object Module v1.2.x. The v1.2.4 was originally validated in late 2008 with validation certificate #1051; that original validation has been extended several times to incorporate additional platforms. The v1.2.x Module is only compatible with OpenSSL 0.9.8 releases, while the v2.0 Module is compatible with OpenSSL 1.0.1 and 1.0.2 releases. The v2.0 Module is the best choice for all new software and product development.

2.1 Terminology

2.1.1 FIPS 140-2 Specific Terminology

During the course of multiple validations it became clear that some terminology was interpreted differently by OpenSSL developers, cryptographers, the CMVP and FIPS 140-2 specialists. In this section some of the potential confusions in terminology are discussed.

Approved Mode
The FIPS 140-2 Approved Mode of Operation is the operation of the FIPS Object Module when all requirements of the Security Policy have been met and the software has successfully performed the power-up and self test operation (invocation of the FIPS_mode_set() function call). In this document this Approved Mode is referred to simply as FIPS mode.

Crypto Officer
System administrator. The FIPS 140-2 Crypto Officer[4] is the person having the responsibility and access privileges to install, configure, and initialize the cryptographic software.

HMAC-SHA-1 digest
A HMAC-SHA-1 digest of a file using a specific HMAC key (the ASCII string "etaonrishdlcupfm"). Such digests are referred to in this document as "digests" or "fingerprints". The digests are used for integrity checking to verify that the software in question has not been modified or corrupted from the form originally used as the basis of the FIPS 140-2 validation. Note that the PGP or GPG signatures traditionally used to check the integrity of open source software distributions are not a component of any of the FIPS 140-2 integrity checks.

Module
The concept of the cryptographic module is important for FIPS 140-2, and it has subtle nuances in this context. Conceptually the Module is the binary object code and data in the FIPS Object Module for a running process. The "cryptographic module" is often referred to simply as "module". That term is capitalized in this document as a reminder that it has a somewhat different meaning than assumed by software developers outside of a FIPS 140-2 context.

Note that traditionally the executable (or shared library) file on disk corresponding to this Module as a running process is also considered to be a Module[5] by the CMVP. An integrity check of the entire executable file on disk prior to memory mapping is considered acceptable as long as that executable file does not contain any extraneous[6] software. In this traditional case the specific executable file is submitted for testing and thus the precise content (as a bit string) is known in advance.

In the case of the FIPS Object Module only source code is submitted for validation testing, so the bit string value of the binary object code in memory cannot be known in advance. A chain of checks beginning with the source code and extending through each step in the transformation of the source code into a running process was established to provide a check equivalent to that used by more traditional object based validations.

The chain of checks works backwards from the software as resident in memory for a process to the executable program file from which the process was created (the existing precedent), then to the FIPS Object Module used to link the program file, and finally to the original source files used to create the FIPS Object Module. Each of those stages can be thought of as antecedents of the Module, and the integrity of each needs to be verified to assure the integrity of the Module.

[4] The term "Officer" does not imply a requirement for a military or government official, although some military or government organizations may choose to restrict the performance of this system administration role to certain official capacities.
[5] Presumably because the transformations of the disk resident file contents performed by the runtime loader are considered to be well understood and sufficiently minimal.
[6] The definition of what constitutes "extraneous" is not formally specified and subject to interpretation.
2.1.2 General Glossary

ABI: Application Binary Interface
AES: Advanced Encryption Standard
AES-NI: AES New Instructions
ARM: a processor instruction set architecture developed by ARM Holdings
API: Application Programming Interface
Blowfish: A cryptographic algorithm not allowed in FIPS mode
CAST: A cryptographic algorithm not allowed in FIPS mode
CC: Common Criteria
CCM: Counter with Cipher Block Chaining-Message Authentication Code, a mode of operation for cryptographic block ciphers
CDH: Cofactor Diffie-Hellman, a Discrete Logarithm Cryptography (DLC) primitive, see SP 800-56A
CAVP: Cryptographic Algorithm Validation Program, see http://csrc.nist.gov/groups/STM/cavp/
CMAC: Cipher-based MAC, a block cipher-based message authentication code algorithm
CMVP: Cryptographic Module Validation Program, see http://csrc.nist.gov/groups/STM/cmvp/
CTR: DRBG flavor
DH: Diffie-Hellman, a FIPS approved cryptographic algorithm
DLL: Dynamic Link Library, a shared library for the Microsoft Windows OS
DRBG: Deterministic Random Bit Generator, see SP 800-90
DSA: Digital Signature Algorithm, a FIPS approved cryptographic hash function
DSA2: DSA as defined in FIPS 186-3
EC: Elliptic Curve
ECC: Elliptic Curve Cryptography (see EC)
ECDH: Elliptic Curve Diffie–Hellman, a variant of Diffie–Hellman used as an anonymous key agreement protocol
ECDSA: Elliptic Curve Digital Signature Algorithm, a variant of DSA which uses ECC
ECDSA2: ECDSA as defined in FIPS 186-3
ELF: Executable and Linkable Format, the standard binary file format for Unix-like systems on x86
ENGINE: An OpenSSL mechanism for interfacing with external cryptographic implementations
EVP: ENVelope encryption, an OpenSSL API that provides a high-level interface to cryptographic functions
FIPS: Federal Information Processing Standards, see http://www.itl.nist.gov/fipspubs/
FIPS 140-2: See http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
FIPS Object Module: the special monolithic object module built from the special source distribution[7] identified in the Security Policy
GCM: Galois/Counter Mode, a mode of operation for symmetric key cryptographic block ciphers
GPG: See PGP
GUI: Graphical User Interface
HMAC: Hash Message Authentication Code, a mechanism for message authentication using cryptographic hash functions
IA: Information Assurance
IDEA: A cryptographic algorithm not allowed in FIPS mode
IKE: Internet Key Exchange, a protocol for exchanging information required for secure communication.
IP: Internet Protocol, a network communications protocol
IPsec: Internet Protocol Security, a protocol suite for securing IP communications by authenticating and encrypting each IP packet
IT: Information Technology
IUT: Implementation Under Test
KAT: Known Answer Test
MASM: The Microsoft assembler, no longer supported by OpenSSL
MD2: A cryptographic algorithm not allowed in FIPS mode
NEON: an architecture extension for ARM Cortex-A series processors
NASM: the open source Netwide ASseMbler, see http://www.nasm.us/
NID: Name IDentifier for extracting information from a certificate Distinguished Name.
NIST: National Institute of Science and Technology, see http://www.nist.gov/
OE: See Operational Environment
Operational Environment: The FIPS 140-2 term for "platform", though with a somewhat different meaning than in the software engineering world
OS: Operating System
OSF: The OpenSSL Software Foundation
OVS: OpenSSL Validation Services, Inc.
PCLMULQDQ: an instruction for x86 processors which performs carry-less multiplication of two 64-bit operands
PGP: Pretty Good Privacy, an encrypted E-mail program
PKCS#1: Public-Key Cryptography Standard #1
PKCS#3: Public-Key Cryptography Standard #3
POST: Power Up Self Test, an initialization process required by FIPS 140-2
PRNG: Pseudo-Random Number Generator
RNG: Random Number Generator
PSS: Probabilistic Signature Scheme, a provably secure way of creating signatures with RSA
RSA: Rivest-Shamir-Adleman, a public key cryptographic algorithm
SHA: Secure Hash Algorithm, a cryptographic hash function
SSE2: Streaming SIMD Extension 2, an extension of the x86 instruction set
SSH: Secure SHell, a network protocol for secure data communication
SSL: Secure Socket Layer, a predecessor to the TLS protocol
SSSE3: Supplemental Streaming SIMD Extensions 3, an extension of the x86 instruction set
Suite B: a set of cryptographic algorithms created by the National Security Agency
TLS: Transport Layer Security, a cryptographic protocol providing communication security over IP connections
VMS: Virtual Memory System, an operating system that runs on VAX, Alpha and Itanium-based families of computers (now obsolete)
x86: a family of instruction set architectures originally defined by Intel
XTS: XEX Tweakable Block Cipher with Ciphertext Stealing
XTS-AES: a cryptographic algorithm specified in SP 800-38E

[7] Roughly speaking, this special source distribution was created from the OpenSSL fips2_0 stable branch in the CVS source code repository with the command make VERSION=fips2.0 TARFILE=opensslfips2.0.tar -f Makefile.fipsdist.

2.2 The FIPS Module and Integrity Test

The FIPS Object Module is generated in binary file format, with an embedded pre-calculated HMAC-SHA-1 digest covering the module[8] as it is loaded into application address space. The Module integrity check consists of recalculating that digest from the memory areas and comparing it to the embedded value which resides in an area not included in the calculated digest[9]. This "in-core hashing" integrity test is designed to be both executable format independent and fail-safe.

For this scenario the Module is the text and data segments as mapped into memory for the running application. The term Module is also used, less accurately, to designate the antecedent of that memory mapped code and data, the FIPS Object Module file residing on disk.

The FIPS Object Module is generated from source code, so the integrity of that source must also be verified. The single runtime digest check typical of pre-built binary files is replaced by a chain of digest checks in order to validate that the running code was in fact generated from the original source code. As before the term Module properly designates the text and data segments mapped into memory, but is also more loosely used to reference several levels of antecedents. These levels are discussed below.

2.3 The FIPS Integrity Test

The FIPS 140-2 standard requires an integrity test of the Module to verify its integrity at initialization. In addition to the requirement that the integrity test validate that the FIPS Object Module code and data have not changed, two additional implicit requirements for the integrity test were identified during the validation process.

2.3.1 Requirement for Exclusive Integrity Test

An integrity test that is merely guaranteed to fail if any of the cryptographic module software changes is not sufficient. It is also necessary that the integrity test not fail if the cryptographic module software is not directly corrupted, even though the application referencing the cryptographic module may be damaged with unpredictable consequences for the correct functioning of that application. Another way of looking at this is that as application failures are out of scope of the integrity test there needs to be some level of assurance that changes to application software do not affect the cryptographic module integrity test[10]. This requirement is met with an in-core integrity test that carefully excludes any extraneous[11] object code from the digest calculation and verification.

[8] Specifically, the text and read-only data segments which constitute the initialized components of the module.
[9] If the digest value resided in the data area included in the calculation of that digest, the calculated value of the digest would itself be an input into that calculation.
2.3.2 Requirement for Fixed Object Code Order

The relative order of all object code components within the module must be fixed and invariant. The usual linking process does not care about the relative order of individual object modules, e.g. both

    gcc -o runfile alpha.o beta.o gamma.o

and

    gcc -o runfile beta.o alpha.o gamma.o

produce functionally identical executable files. Likewise, the order of object modules in a static link library is irrelevant:

    ar r libxxx.a alpha.o beta.o gamma.o

and

    ar r libxxx.a beta.o alpha.o gamma.o

produce interchangeable link libraries, and a given application may not incorporate all of the object modules contained within the link library when resolving references.

For the FIPS Object Module it was required that any such omission or rearrangement of the Module object modules during the application creation process not occur. This requirement is satisfied by simply compiling all the source code into a single monolithic object module:

    ld -r -o fipscanister.o fips_start.o ... fips_end.o

with all the object modules between the fips_start.o and fips_end.o modules that define the low and high boundaries of a monolithic object module. All subsequent reference to this monolithic object module will preserve the relative order, and presence, of the original object code components.

[10] This assurance was given by showing during testing that corruption of code or data outside of the memory area containing the FIPS Object Module did not result in an integrity test failure.
[11] The definition of what constitutes "extraneous" is not formally specified and thus subject to interpretation.

2.4 The File Integrity Chain
Page22of225UserGuide-OpenSSLFIPSObjectModulev2.
0Mostvalidatedproductsconsistingofapre-builtbinaryexecutableimplementthemoduleintegritycheckasadigestcheckoverportionsofthatexecutablefileorthecorrespondingmemorymappedimage.
FortheFIPSObjectModulethemoduleintegritycheckinsteadtakestheformofachainofdigestchecksbeginningwiththesourcefilesusedfortheCMVPvalidationtesting.
Notethatwhilethischainofchecksismorecomplex,itprovidesmuchmorevisibilityforindependentverificationcomparedtothecaseofvalidatedpre-builtbinaryexecutables.
WiththeFIPSObjectModuletheprospectiveusercanindependentlyverifythattheruntimeexecutabledoesindeeddirectlyderivefromthesamesourcethatwasthebasisofthevalidation.
2.
4.
1SourceFile(BuildTime)Integrity"Buildtime"iswhentheFIPSObjectModuleiscreatedfromtheOpenSSLFIPSsourcedistribution,inaccordancewiththeSecurityPolicy.
ThefirstfileintegritycheckoccursatbuildtimewhentheHMAC-SHA-1digestofthedistributionfileiscalculatedandcomparedtothestoredvaluepublishedintheSecurityPolicy(AppendixB).
Becausethesourcefilesresideinthisspecificdistributionandcannotbemodifiedthesesourcefilesarereferredtoassequesteredfiles.
NotethatameanstocalculatetheHMAC-SHA-1digestisrequiredinordertoperformthisintegritycheck.
A"bootstrap"standaloneHMAC-SHA-1utility,fips_standalone_sha1,isincludedinthedistribution.
Thisutilityisgeneratedfirstbeforethesequesteredfilesarecompiledinordertoperformtheintegritycheck.
AppendixCgivesanexampleofanequivalentutility.
2.
4.
2ObjectModule(LinkTime)Integrity"Linktime"iswhentheapplicationislinkedwiththepreviouslybuiltandinstalledFIPSObjectModuletogenerateanexecutableprogram.
ThebuildprocessdescribedintheSecurityPolicyresultsinthecreationofanobjectmodule,fipscanister.
o,andamatchingdigestfile,fipscanister.
o.
sha1.
ThisFIPSObjectModulecontainstheobjectcodecorrespondingtothesequesteredsourcefiles(objectcodeforFIPSspecificfunctionssuchasFIPS_mode_set()andforthealgorithmimplementations).
ThelinktimeintegritycheckoccurswhentheFIPSObjectModuleisusedtocreateanapplicationexecutableobject(binaryexecutableorsharedlibrary).
Thedigeststoredintheinstalledfilefipscanister.
o.
sha1mustmatchthedigestcalculatedforthefipscanister.
ofile.
NotethatexceptinthemostunusualcircumstancestheFIPSObjectModuleitself(fipscanister.
o)isnotlinkeddirectlywithapplicationcode.
InsteadtheFIPSObjectModuleisembeddedintheOpenSSLlibcryptolibrary(libcrypto.
a/libcrypto.
so)whichisthenreferencedinPage23of225UserGuide-OpenSSLFIPSObjectModulev2.
0theusualwaybytheapplicationcode.
Thatcombinationisknownasa"FIPScapable"OpenSSLlibraryandisdiscussedinmoredetailinsection2.
5.
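The build-time and link-time steps of the integrity chain, as an added example in Python that is not code from the OpenSSL FIPS distribution. It assumes the HMAC-SHA-1 key "etaonrishdlcupfm" used by fips_standalone_sha1 and a "HMAC-SHA1(name)= hex" line format for fipscanister.o.sha1, and it constructs its own stand-in tarball and object module so that it runs offline; it is a scriptable companion to, not a replacement for, the fips_standalone_sha1 check itself.

```python
"""Added example (not OpenSSL FIPS project code): the build-time check of the
distribution tarball and the link-time check of fipscanister.o against
fipscanister.o.sha1, reproduced with Python's standard library."""
import hashlib
import hmac
import os
import re
import tempfile

# HMAC-SHA-1 key used by fips_standalone_sha1 (assumed here; it comes from the
# module source, not from this page of the User Guide).
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Line format of the digest file written at build time (assumed):
#   HMAC-SHA1(fipscanister.o)= <40 hex digits>
DIGEST_LINE = re.compile(r"^HMAC-SHA1\((?P<name>[^)]*)\)= (?P<hex>[0-9a-fA-F]{40})\s*$")


def hmac_sha1(data, key=FIPS_HMAC_KEY):
    """HMAC-SHA-1 of an in-memory byte string, hex encoded."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def hmac_sha1_file(path, key=FIPS_HMAC_KEY, chunk_size=1 << 16):
    """HMAC-SHA-1 of a file, streamed so a large tarball is not read at once."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def check_build_time(tarball_path, published_hex):
    """Build-time check: the distribution file's digest must equal the value
    published in the Security Policy (Appendix B). Constant-time comparison."""
    return hmac.compare_digest(hmac_sha1_file(tarball_path), published_hex.lower())


def write_digest_file(obj_path, sha1_path):
    """Produce the fipscanister.o.sha1 companion file for an object module."""
    line = "HMAC-SHA1(%s)= %s\n" % (os.path.basename(obj_path), hmac_sha1_file(obj_path))
    with open(sha1_path, "w") as fh:
        fh.write(line)


def check_link_time(obj_path, sha1_path):
    """Link-time check: recompute the digest of the object module and compare it
    with the stored one. Fails closed on a missing or malformed digest file or
    on a file-name mismatch, so a stray .sha1 file cannot vouch for the wrong object."""
    try:
        with open(sha1_path, "r") as fh:
            match = DIGEST_LINE.match(fh.readline())
    except OSError:
        return False
    if match is None or match.group("name") != os.path.basename(obj_path):
        return False
    return hmac.compare_digest(hmac_sha1_file(obj_path), match.group("hex").lower())


def demo():
    """Constructed scenario in a temporary directory. Returns
    (link-time check before corruption, same check after one byte is changed,
     build-time check of the tarball stand-in)."""
    with tempfile.TemporaryDirectory() as tmp:
        obj = os.path.join(tmp, "fipscanister.o")
        sha1 = obj + ".sha1"
        with open(obj, "wb") as fh:
            fh.write(b"\x7fELF" + bytes(range(256)) * 64)  # constructed stand-in content
        write_digest_file(obj, sha1)
        before = check_link_time(obj, sha1)
        # Change a single byte of the "object module": the stored digest no longer matches.
        with open(obj, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xff")
        after = check_link_time(obj, sha1)
        # Build-time check against a "published" digest computed for the tarball stand-in.
        tarball = os.path.join(tmp, "openssl-fips-2.0.12.tar.gz")
        with open(tarball, "wb") as fh:
            fh.write(b"constructed tarball bytes, not a real distribution")
        published = hmac_sha1_file(tarball)  # stands in for the Appendix B value
        build_ok = check_build_time(tarball, published.upper())
    return before, after, build_ok


if __name__ == "__main__":
    print(demo())
```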
2.4.3 Application Executable Object (Run Time) Integrity

Application "run time" occurs when the previously built and installed application program is invoked. Unlike the previous step this invocation is usually performed repeatedly. The run time integrity check occurs when the application attempts to enable FIPS mode via the FIPS_mode_set() function call. The digest embedded within the object code from fipscanister.o must match the digest calculated for the memory mapped text and data areas.

2.5 Relationship to the OpenSSL API

The FIPS Object Module is designed for indirect use via the OpenSSL API. Applications linked with the "FIPS capable" OpenSSL libraries can use both the FIPS validated cryptographic functions of the FIPS Object Module and the high level functions of OpenSSL.

The FIPS Object Module should not be confused with the OpenSSL library and toolkit or any specific official OpenSSL distribution release. A version of the OpenSSL product that is suitable for use with the FIPS Object Module is a FIPS Compatible OpenSSL. When the FIPS Object Module and a FIPS compatible OpenSSL are separately built and installed on a system, with the FIPS Object Module embedded within the OpenSSL library as part of the OpenSSL build process, the combination is referred to as a FIPS capable OpenSSL.

Summary of definitions
The FIPS Object Module is the FIPS 140-2 validated module described in the Security Policy
A FIPS compatible OpenSSL is a version of the OpenSSL product that is designed for compatibility with the FIPS Object Module API
A FIPS capable OpenSSL is the combination of the separately installed FIPS Object Module along with a FIPS compatible OpenSSL.
Table 2.5

The OpenSSL libraries, when built from a standard OpenSSL distribution with the "fips" configuration option for use with the FIPS Object Module, will contain the usual non-FIPS algorithms and non-cryptographic supporting functions, and the non-FIPS algorithm disabling restrictions.

Note that use of individual object modules comprising the monolithic FIPS Object Module is specifically forbidden by FIPS 140-2 and the CMVP[12]. In the absence of that restriction the individual object modules would just be incorporated directly in the OpenSSL libcrypto.a library. The monolithic FIPS Object Module must be used in its entirety and cannot be edited to accommodate size constraints.

Various non-FIPS algorithms such as Blowfish, IDEA, CAST, MD2, etc. are included in the OpenSSL libraries (depending on the ./config options specified in addition to fips). For applications that do not utilize FIPS 140-2 cryptography, the resulting libraries are drop-in compatible with the libraries generated without the fips option (a deliberate design decision to encourage wider availability and use of FIPS 140-2 validated algorithms). The converse is not true: a non-FIPS OpenSSL library cannot be substituted for the FIPS Compatible library because the FIPS specific function calls will not be present (such as FIPS_mode_set()).

[12] Actually, to encourage use of fipscanister.o even in non-FIPS mode applications, a copy is incorporated into libcrypto.a, but special care is taken to preclude its usage in FIPS enabled applications. The fipsld utility provided in the FIPS compatible OpenSSL distributions prevents that usage as follows. In static link context that is achieved by referencing the official fipscanister.o first on the command line, and in dynamic link context by temporarily removing it from libcrypto.a. This removal is necessary because dynamic linking is commonly accompanied by --whole-archive, which would force both copies of fipscanister.o into the shared library. Note the integrity check is designed as a failsafe precaution in the event of link errors -- even if two copies are included into the application in error, the integrity check will prevent the use of one copy for the integrity test and the other for the actual implementation of cryptography. In other words, if both the official fipscanister.o and the unvalidated version that is embedded in libcrypto.a end up in an executable binary, and if FIPS_mode_set() returns success, the unvalidated copy will not be used for cryptography.

2.6 FIPS Mode of Operation

Applications that utilize FIPS mode must call the FIPS_mode_set() function. After successful FIPS mode initialization, the non-FIPS algorithms will be disabled by default. The FIPS Object Module together with a compatible version of the OpenSSL product can be used in the generation of both FIPS mode and conventional applications. In this sense, the combination of the FIPS Object Module and the usual OpenSSL libraries constitutes a "FIPS capable API", and provides both FIPS approved algorithms and non-FIPS algorithms.

2.6.1 FIPS Mode Initialization

Only one initialization call, FIPS_mode_set(), is required to operate the FIPS Object Module in a FIPS 140-2 Approved mode, referred to herein as "FIPS mode". When the FIPS Object Module is in FIPS mode all security functions and cryptographic algorithms are performed in Approved mode. Use of the FIPS_mode_set() function call is described in §5.

A power-up self-test is performed automatically by the FIPS_mode_set() call, or optionally at any time by the FIPS_selftest() call (see Appendix D). If any power-up self-test fails the internal global error flag FIPS_selftest_fail is set and subsequently tested to prevent invocation of any cryptographic function calls.

The internal global flag FIPS_mode is set to FALSE indicating non-FIPS mode by default. The FIPS_mode_set() function verifies the integrity of the runtime executable using a HMAC-SHA-1 digest computed at build time. If the digests match, the power-up self-test is then performed. If the power-up self-test is successful FIPS_mode_set() sets the FIPS_mode flag to TRUE and the FIPS Object Module is in FIPS mode.

2.6.2 Algorithms Available in FIPS Mode

Only the algorithms listed in tables 4a and 4b of the Security Policy are allowed in FIPS mode. Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and key establishment even though they are "Non-Approved" for that purpose. RSA for sign and verify is "Approved" and hence also allowed, along with all the other Approved algorithms listed in that table.

The OpenSSL library attempts to disable non-FIPS algorithms when in FIPS mode. The disabling occurs on the EVP_* APIs and most low level function calls. Failure to check the return code from low level functions could result in unexpected behavior. Note also that sufficiently creative or unusual use of the API may still allow the use of non-FIPS algorithms. The non-FIPS algorithm disabling is intended as an aid to the developer in preventing the accidental use of non-FIPS algorithms in FIPS mode, and not as an absolute guarantee. It is the responsibility of the application developer to ensure that only FIPS algorithms are used when in FIPS mode.

OpenSSL provides mechanisms for interfacing with external cryptographic devices, such as accelerator cards, via "ENGINES." This mechanism is not disabled in FIPS mode. In general, if a FIPS validated cryptographic device is used with OpenSSL in FIPS mode so that all cryptographic operations are performed either by the device or the FIPS Object Module, then the result is still FIPS validated cryptography. However, if any cryptographic operations are performed by a non-FIPS validated device, the result is use of non-validated cryptography. It is the responsibility of the application developer to ensure that ENGINES used during FIPS mode of operation are also FIPS validated.
2.7 Revisions of the 2.0 Module

Existing FIPS 140-2 validations can be retroactively modified, within defined limits, via the "maintenance letter" or "change letter" process. Change letter modifications are typically done to correct minor "non-cryptographically significant" bugs or, most commonly, to add support for new platforms. Change letter actions are usually less expensive and faster than a full validation, and are an attractive option to the software vendor desiring to use the FIPS module for a platform not currently covered by the validation.

Several change letter modifications were in process prior to the formal award of the initial OpenSSL FIPS Object Module v2.0 validation. More change letters are anticipated over the lifetime of the validation. For all past validations we have always been careful to introduce any changes in a way that will not impact any previously tested platforms, so that the most recent revision of the module can be used for new deployments on any platform. The history of new revisions includes:

2.0.1 Addition of Apple iOS 5.1 on ARMv7
2.0.1 Addition of WinCE 5.0 on ARMv7
2.0.1 Addition of Linux 2.6 on PowerPC32-e500 (PPC)
2.0.1 Addition of DSP Media Framework 1.4 on TI C64x+
2.0.1 Addition of WinCE 6.0 on ARMv7
2.0.1 Addition of Android 4.0 on OMAP3 (ARMv7)
2.0.2 Addition of NetBSD 5.1 on PowerPC32-e500 (PPC)
2.0.2 Addition of NetBSD 5.1 on Intel Xeon 5500 (x86)
2.0.3 Addition of Win2008 on Xeon E3-1220v2 (x86)
2.0.3 Addition of RHEL 32/64 bit on Xeon E3-1220v2 (x86) under vSphere
2.0.3 Addition of Win7 on Intel Core i5-2430M (x86) with AES-NI
2.0.3 Addition of Android 4.1/4.2 on Nvidia Tegra 3 (ARMv7) with/without NEON
2.0.3 Addition of WinEC7 on Freescale i.MX53xD (ARMv7) with/without NEON
2.0.3 Addition of Android 4.0 on Qualcomm Snapdragon APQ8060 (ARMv7)
2.0.3 Addition of VMware Horizon Module on Qualcomm MSM8X60 (ARMv7)
2.0.3 Addition of Apple OS X 10.7 on Intel Core i7-3615QM (x86)
2.0.3 Addition of Apple iOS 5.0 on ARM Cortex A8 (ARMv7)
2.0.4 Addition of OpenWRT 2.6 on MIPS 24Kc
2.0.5 Addition of QNX 6.4 on Freescale i.MX25 (ARMv4)
2.0.5 Addition of Apple iOS 6.1 on Apple A6X SoC (ARMv7s)
2.0.5 Addition of eCos 3 on Freescale i.MX27 926ejs (ARMv5TEJ)
2.0.5 Addition of VMware Horizon Workspace 1.5 under vSphere on Intel Xeon E3-1220 (x86) with/without AES-NI
2.0.5 Addition of Ubuntu 13.04 on AM335x Cortex-A8 (ARMv7) with/without NEON
2.0.5 Addition of Linux 3.8 on ARM926 (ARMv5TEJ)
2.0.5 Addition of Linux 3.4 under Citrix XenServer on Intel Xeon E5-2430L (x86) with/without AES-NI
2.0.5 Addition of Linux 3.4 under VMware ESX on Intel Xeon E5-2430L (x86) with/without AES-NI
2.0.5 Addition of Linux 3.4 under Microsoft Hyper-V on Intel Xeon E5-2430L (x86) with/without AES-NI
2.0.5 Addition of Apple iOS 6.0 on Apple A5/ARM Cortex-A9 with/without NEON
2.0.6 Removal of Dual EC DRBG (no platforms)
2.0.7 Addition of Linux 2.6 on Freescale e500v2 (PPC)
2.0.7 Addition of AcanOS 1.0 on Intel Core i7-3612QE (x86)
2.0.7 Addition of AcanOS 1.0 on Intel Core i7-3612QE (x86) with AES-NI
2.0.7 Addition of AcanOS 1.0 on Feroceon 88FR131 (ARMv5)
2.0.7 Addition of FreeBSD 8.4 on Intel Xeon E5440 (x86)
2.0.7 Addition of FreeBSD 9.1 on Xeon E5-2430L (x86)
2.0.7 Addition of FreeBSD 9.1 on Xeon E5-2430L (x86) with AES-NI
2.0.7 Addition of ArbOS 5.3 on Xeon E5645 (x86)
2.0.7 Addition of Linux ORACLESP 2.6 on ASPEED AST2100 (ARMv5)
2.0.7 Addition of Linux ORACLESP 2.6 on ServerEngines PILOT3 (ARMv5)
2.0.8 Addition of Linux ORACLESP 2.6 on ASPEED AST-Series (ARMv5)
2.0.8 Addition of Linux ORACLESP 2.6 on Emulex PILOT3 (ARMv5)
2.0.8 Addition of FreeBSD 9.2 on Xeon E5-2430L (x86) with/without AES-NI
2.0.8 Addition of FreeBSD 10.0 on Xeon E5-2430L (x86) with/without AES-NI
2.0.8 Addition of FreeBSD 8.4 32-bit on Xeon E5440 (x86)
2.0.9 Addition of VMware Horizon Workspace 2.1 x86 under vSphere ESXi 5.5 on Intel Xeon E3-1220 (x86) with/without AES-NI
2.0.9 Addition of QNX 6.5 on ARMv4 Freescale i.MX25 (ARMv4)
2.0.9 Addition of Apple iOS 7.1 64-bit on ARMv8 Apple A7 (ARMv8) with/without NEON
2.0.9 Addition of TS-Linux 2.4 on ARMv4
2.0.10 Addition of iOS 8.1 64-bit on Apple A7 (ARMv8) with/without NEON and Crypto Extensions
2.0.10 Addition of VxWorks 6.9 on Freescale P2020 (PPC)
2.0.10 Addition of iOS 8.1 32-bit on Apple A7 (ARMv8) with/without NEON
2.0.10 Addition of Android 5.0 32-bit on Qualcomm APQ8084 (ARMv7) with/without NEON
2.0.10 Addition of Android 5.0 64-bit on SAMSUNG Exynos 7420 (ARMv8) with/without NEON and Crypto Extensions
2.0.11 Addition of VxWorks 6.7 on Intel Core 2 Duo (x86)
2.0.11 Addition of AIX 6.1 32 bit Power7 (PPC)
2.0.11 Addition of AIX 6.1 64 bit Power7 (PPC)
2.0.11 Addition of AIX 7.1 32 bit Power7 (PPC)
2.0.11 Addition of AIX 7.1 64 bit Power7 (PPC)
2.0.11 Addition of DataGravity Discovery Series OS V2.0 Intel Xeon E5-2420 (x86) with/without AES-NI
2.0.11 Addition of AIX 6.1 32 bit Power7 (PPC) with/without optimizations
2.0.11 Addition of Ubuntu 12.04 Intel Xeon E5-2430L (x86) with/without AES-NI
2.0.12 Addition of Linux 3.10 Intel Atom E3845 (x86) with/without AES-NI
2.0.13 Addition of AIX 7.1 32 bit on PPC
2.0.13 Addition of AIX 7.1 64 bit on PPC with optimizations
2.0.13 Addition of AIX 7.1 32 bit on PPC with optimizations
2.0.13 Addition of AIX 7.1 64 bit on PPC
2.0.13 Addition of AIX 7.2 32 bit on PPC
2.0.13 Addition of AIX 7.2 32 bit on PPC with optimizations
2.0.13 Addition of AIX 7.2 64 bit on PPC
2.0.13 Addition of AIX 7.2 64 bit on PPC with optimizations
2.0.13 Addition of AIX 7.2 32 bit on PPC
2.0.13 Addition of AIX 7.2 64 bit on PPC
2.0.14 Addition of ExtremeXOS Linux 3.1 on MIPS
2.0.15 SurfWare 7.2 on TI c64 DSP

Revisions 2.0.6 and 2.0.7 constitute an unfortunate perversity. The 2.0.6 revision removed the Dual EC DRBG implementation which at the time of submission of the official paperwork (Maintenance Letter) on January 20, 2014 had already been officially repudiated by NIST. However, approval of the 2.0.6 revision languished for more than six months. In the meantime eleven[13] new platforms were tested using the most recent officially approved revision, 2.0.5, plus platform specific modifications, resulting in revision 2.0.7 which still included the Dual EC DRBG implementation[14]. The official paperwork for the 2.0.7 revision was submitted months after 2.0.6 but both revisions were approved within the span of a single week, with the perverse result that the 2.0.7 revision of the OpenSSL FIPS Object Module still contained the deprecated and disgraced Dual EC DRBG. It was again (and permanently) removed with revision 2.0.8.

Note that 2.0.10 will be the last revision for the #1747 validation, due to the risk of a new "hostage" situation (see http://openssl.com/fips/aftermath.html).

[13] Only ten new platforms actually appeared with the 2.0.7 revision due to an unexplained "paperwork error" at the CAVP which required repeating some of the algorithm tests for the eleventh platform which was thus omitted from the 2.0.7 revision. The eleventh platform will be included in a future revision.
[14] Approval of the removal of the Dual EC DRBG implementation was far from certain; several interested parties including one accredited test lab were absolutely certain it would not be permitted. While that issue was pending we did not want to put the eleven new platforms at risk by testing on a revision that omitted Dual EC DRBG. As it was the unfortunate sponsors of those new platforms had to wait up to six months for final official approval.

2.8 Prior FIPS Object Modules

The 2.0 version of the FIPS Object Module is the latest in a series of open source based validated modules derived from the OpenSSL product. As with those prior modules this version is delivered in source code form and results in a statically linked object module. There are some differences with respect to the previous version 1.2.x series of modules which have been widely used, both directly as validated for certificate #1051, and indirectly as models for separate "private label" validation. Some of the key differences are:

1. The source code distribution for the 1.2.x FIPS modules was a modified OpenSSL distribution that contained a considerable amount of code superfluous to the generation of the FIPS module. The 2.0 FIPS module is provided in a separate dedicated source distribution containing far less extraneous code.
2. The 1.2.x FIPS modules were compatible only with the "FIPS capable" 0.9.8 baseline. The 2.0 FIPS module is compatible with the "FIPS capable" 1.0.1/1.0.2 baseline, but will not remain usable with future OpenSSL versions (1.1.0 and later).
3. The 2.0 FIPS module has a significantly faster POST performance. The slow POST for the 1.2.x modules was a significant impediment to use on some low-powered processors.
4. The 2.0 FIPS module contains several additional cryptographic algorithms, including all of Suite B.
5. The 2.0 FIPS module more directly accommodates cross-compilation, as both native and cross-compilation now use the same technique for determining the module integrity digest at build time.
2.9 Future FIPS Object Modules

The open source based OpenSSL FIPS Object Module validations are difficult and expensive, and as a result have been done infrequently. The long intervals between validations compound the difficulty of obtaining each new validation:

1. The companion OpenSSL product changes significantly, requiring significant rework to both that product and the new FIPS module for the "FIPS capable" functionality;
2. A number of new and relatively untried algorithm tests are introduced by the CAVP;
3. New validation requirements are introduced by the CMVP.

The result is a vicious cycle: the new validation takes much more effort and time, during which these factors continue to mount (the CMVP can and does introduce new requirements in the course of an ongoing validation). That cost and difficulty becomes an intimidating factor for planning, and soliciting funding and/or collaboration for, the next validation.

In order to try and bypass this cycle OVS would like to perform open source based validations more frequently, ideally as often as the interval required to obtain a validation, which is about a year. That would mean that at any point in time there will be a relatively current completed validation and a new validation in process. New features or modifications that would adversely impact the ongoing validation can then be deferred to the next upcoming one. New requirements and algorithm tests can be addressed a few at a time instead of all at once in a huge onslaught.

Potential sponsors of such an effort are welcome, and are invited to contact OVS to express their interest.

2.10 Clone Validations

Section G.8 of the Implementation Guidance document (reference 3) defines an odd type of clone or copycat validation, the "Alternative Scenario 1A" or "Alternative Scenario 1B" validation. Basically these clone validations allow a vendor to copy an existing validation with minimal cosmetic changes. Since most validated cryptographic modules are based on proprietary software, such clone validations are most feasible for copying the validations based on open source licensed modules, which is to say the OpenSSL FIPS Object Module validations.

And indeed a number of vendors have taken advantage of the Alternative Scenario 1A/1B provision to create clone validations. These validations are often referred to as "re-brands" by the test labs, as they basically consist of changing the title page of the Security Policy document and supplying a proprietary brand name for what is still the OpenSSL FIPS Object Module software. The known clone validations[15] are:

Validation # | Rebranded Module Name | Module Revision(s) | Notes
2631 | Intel OpenSSL FIPS Object Module | 2.0.5, 2.0.8 | 1
2575 | Cellcrypt Secure Core 3 FIPS 140-2 Module | 2.0.10 |
2473 | OpenSSL FIPS Object Module | 2.0.9 - 2.0.10 | 2
2454 | LogRhythm FIPS Object Module Version 6.3.4 | 2.0.9 and prior |
2422 | Nimble Storage OpenSSL FIPS Object Module | 2.0.9 and prior | 1
2412 | CellTrust Cryptographic Module (CTCM) | 2.0.5 |
2398 | OpenSSL FIPS Object Module | 2.0.9 - 2.0.12 | 2
2391 | HP TippingPoint Crypto Core OpenSSL | 2.0.8 |
2096 | WatchDox Crypto Module | unknown | 3
1747 | OpenSSL FIPS Object Module | 2.0.10 and prior |
Table 2.10a

Note 1: the use of the OpenSSL name conflicts with the OpenSSL license and trademark. OpenSSL currently lacks the financial and legal resources to pursue such violations, which are regrettably common. The preferred term for a third party product based on OpenSSL is "... for OpenSSL", as in "Acme Co FIPS Object Module for OpenSSL".

Note 2: these two clone validations were done by OpenSSL, for reasons too tediously and perversely dreary to permit succinct explanation here. For background see the "hostage" situation trilogy concluding with the discussion at http://openssl.com/fips/aftermath.html.

Note 3: this validation is clearly based on the OpenSSL FIPS Object Module, but the reference revision is unknown and the Security Policy omits any mention of OpenSSL, the module tarball, or the secure distribution requirement imposed on other OpenSSL related validations.

[15] Known and currently valid; a number of clone validations were delisted by the RNG transition of January 2016.

Since these clone validations are based on the same OpenSSL Object Module software, which is available under a no-cost open source license, the formally tested platforms ("Operational Environments") for these clone validations are available for use by anyone. Some of the clone validations merely copy platforms from the original OpenSSL FIPS Object Module validations, but some add new platforms. Thus, the list of formally tested platforms for the prospective user of the OpenSSL FIPS Object Module is the union of all platforms for the original #1747 validation plus all clone validations. This union is shown in the following table (current as of May 10, 2016 and subject to change). Note this table was constructed from the platform descriptions as shown on the NIST CMVP web site (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm), and those descriptions have been known to contain errors. This table has 346 entries, of which only 178 are unique due to duplication among multiple validations.

IMPORTANT NOTE: the latest revision of the OpenSSL FIPS Object Module, for any validation, will build and execute correctly for any platform in this table (e.g. revision 2.0.13 from openssl-fips-2.0.12.tar.gz). This is because each successive revision is carefully designed to retain full support for all previously formally tested platforms. However, any given platform in this table may not be righteous with respect to FIPS 140-2, as it may only be listed in a validation that names module revision(s) earlier than the most current revision. So, be sure to check each of the validation(s) listed for the platform of interest to be sure the module revision you are using is listed by at least one of those validations. If not you will need to regress to an earlier revision even though the module build from the later revision is fully functionally equivalent.
Platform | Validation
AcanOS 1.0 running on Feroceon 88FR131 (ARMv5) (gcc Compiler Version 4.5.3) | 1747
AcanOS 1.0 running on Feroceon 88FR131 (ARMv5) (gcc Compiler Version 4.5.3) | 2391
AcanOS 1.0 running on Feroceon 88FR131 (ARMv5) (gcc Compiler Version 4.5.3) | 2454
AcanOS 1.0 running on Intel Core i7-3612QE (x86) with AES-NI (gcc Compiler Version 4.6.2) | 1747
AcanOS 1.0 running on Intel Core i7-3612QE (x86) with AES-NI (gcc Compiler Version 4.6.2) | 2391
AcanOS 1.0 running on Intel Core i7-3612QE (x86) with AES-NI (gcc Compiler Version 4.6.2) | 2454
AcanOS 1.0 running on Intel Core i7-3612QE (x86) without AES-NI (gcc Compiler Version 4.6.2) | 1747
AcanOS 1.0 running on Intel Core i7-3612QE (x86) without AES-NI (gcc Compiler Version 4.6.2) | 2391
AcanOS 1.0 running on Intel Core i7-3612QE (x86) without AES-NI (gcc Compiler Version 4.6.2) | 2454
AIX 6.1 32-bit running on IBM POWER7 (PPC) (IBM XL C/C++ for AIX Compiler Version V13.1) | 2398
AIX 6.1 32-bit running on IBM POWER7 (PPC) with optimizations (IBM XL C/C++ for AIX Compiler Version V10.1) | 2398
AIX 6.1 64-bit running on IBM POWER7 (PPC) (IBM XL C/C++ for AIX Compiler Version V13.1) | 2398
AIX 6.1 64-bit running on IBM POWER7 (PPC) with optimizations (IBM XL C/C++ for AIX Compiler Version V10.1) | 2398
AIX 7.1 32-bit running on IBM POWER7 (PPC) (IBM XL C/C++ for AIX Compiler Version V13.1) | 2398
AIX 7.1 64-bit running on IBM POWER7 (PPC) (IBM XL C/C++ for AIX Compiler Version V13.1) | 2398
Android 2.2 (gcc Compiler Version 4.4.0) | 2391
Android 2.2 running on OMAP 3530 (ARMv7) with NEON (gcc Compiler Version 4.1.0) | 1747
Android 2.2 running on OMAP 3530 (ARMv7) with NEON (gcc Compiler Version 4.1.0) | 2391
Android 2.2 running on OMAP 3530 (ARMv7) with NEON (gcc Compiler Version 4.1.0) | 2454
Android 2.2 running on Qualcomm QSD8250 (ARMv7) with NEON (gcc Compiler Version 4.4.0) | 1747
Android 2.2 running on Qualcomm QSD8250 (ARMv7) with NEON (gcc Compiler Version 4.4.0) | 2391
Android 2.2 running on Qualcomm QSD8250 (ARMv7) with NEON (gcc Compiler Version 4.4.0) | 2454
Android 2.2 running on Qualcomm QSD8250 (ARMv7) without NEON (gcc Compiler Version 4.4.0) | 1747
Android 2.2 running on Qualcomm QSD8250 (ARMv7) without NEON (gcc Compiler Version 4.4.0) | 2454
Android 3.0 (gcc Compiler Version 4.4.0) | 2391
Android 3.0 running on NVIDIA Tegra 250 T20 (ARMv7) (gcc Compiler Version 4.4.0) | 1747
Android 3.0 running on NVIDIA Tegra 250 T20 (ARMv7) (gcc Compiler Version 4.4.0) | 2454
Android 4.0 (gcc Compiler Version 4.4.3) | 2391
Android 4.0 running on NVIDIA Tegra 250 T20 (ARMv7) (gcc Compiler Version 4.4.3) | 1747
Android 4.0 running on NVIDIA Tegra 250 T20 (ARMv7) (gcc Compiler Version 4.4.3) | 2454
Android 4.0 running on Qualcomm Snapdragon APQ8060 (ARMv7) with NEON (gcc compiler Version 4.4.3) | 1747
Android 4.0 running on Qualcomm Snapdragon APQ8060 (ARMv7) with NEON (gcc compiler Version 4.4.3) | 2391
Android 4.0 running on Qualcomm Snapdragon APQ8060 (ARMv7) with NEON (gcc compiler Version 4.4.3) | 2454
Android 4.0 running on TI OMAP 3 (ARMv7) with NEON (gcc Compiler Version 4.4.3) | 1747
Android 4.0 running on TI OMAP 3 (ARMv7) with NEON (gcc Compiler Version 4.4.3) | 2391
Android 4.0 running on TI OMAP 3 (ARMv7) with NEON (gcc Compiler Version 4.4.3) | 2454
Android 4.1 running on TI DM3730 (ARMv7) (gcc Compiler Version 4.6) | 2391
Android 4.1 running on TI DM3730 (ARMv7) with NEON (gcc Compiler Version 4.6) | 1747
Android 4.1 running on TI DM3730 (ARMv7) with NEON (gcc Compiler Version 4.6) | 2391
Android 4.1 running on TI DM3730 (ARMv7) with NEON (gcc Compiler Version 4.6) | 2454
Android 4.1 running on TI DM3730 (ARMv7) without NEON (gcc Compiler Version 4.6) | 1747
Android 4.1 running on TI DM3730 (ARMv7) without NEON (gcc Compiler Version 4.6) | 2454
Android 4.2 running on Nvidia Tegra 3 (ARMv7) (gcc Compiler Version 4.6) | 2391
Android 4.2 running on Nvidia Tegra 3 (ARMv7) with NEON (gcc Compiler Version 4.6) | 1747
Android 4.2 running on Nvidia Tegra 3 (ARMv7) with Neon (gcc Compiler Version 4.6) | 2391
Android 4.2 running on Nvidia Tegra 3 (ARMv7) with NEON (gcc Compiler Version 4.6) | 2454
Android 4.2 running on Nvidia Tegra 3 (ARMv7) without NEON (gcc Compiler Version 4.6) | 1747
Android 4.2 running on Nvidia Tegra 3 (ARMv7) without NEON (gcc Compiler Version 4.6) | 2454
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) with NEON (gcc Compiler Version 4.9) | 1747
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) with NEON (gcc Compiler Version 4.9) | 2398
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) with NEON (gcc Compiler Version 4.9) | 2473
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) with NEON (gcc Compiler Version 4.9) | 2575
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) without NEON (gcc Compiler Version 4.9) | 1747
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) without NEON (gcc Compiler Version 4.9) | 2398
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) without NEON (gcc Compiler Version 4.9) | 2473
Android 5.0 32-bit running on Qualcomm APQ8084 (ARMv7) without NEON (gcc Compiler Version 4.9) | 2575
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) with NEON and Crypto Extensions (gcc Compiler Version 4.9) | 1747
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) with NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2398
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) with NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2473
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) with NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2575
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) without NEON and Crypto Extensions (gcc Compiler Version 4.9) | 1747
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) without NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2398
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) without NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2473
Android 5.0 64-bit running on SAMSUNG Exynos 7420 (ARMv8) without NEON and Crypto Extensions (gcc Compiler Version 4.9) | 2575
Apple iOS 5.0 running on ARM Cortex A8 (ARMv7) with NEON (gcc Compiler Version 4.2.1) | 1747
Apple iOS 5.0 running on ARM Cortex A8 (ARMv7) with NEON (gcc Compiler Version 4.2.1) | 2391
Apple iOS 5.0 running on ARM Cortex A8 (ARMv7) with NEON (gcc Compiler Version 4.2.1) | 2454
Apple iOS 5.1 (gcc Compiler Version 4.2.1) | 2391
Apple iOS 5.1 running on ARMv7 (gcc Compiler Version 4.2.1) | 1747
Apple iOS 5.1 running on ARMv7 (gcc Compiler Version 4.2.1) | 2454
Apple iOS 6.1 running on Apple A6X SoC (ARMv7s) (gcc Compiler Version 4.2.1) | 1747
Apple iOS 6.1 running on Apple A6X SoC (ARMv7s) (gcc Compiler Version 4.2.1) | 2391
Apple iOS 6.1 running on Apple A6X SoC (ARMv7s) (gcc Compiler Version 4.2.1) | 2454
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) with NEON (clang Compiler Version 5.1) | 1747
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) with NEON (clang Compiler Version 5.1) | 2454
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) with NEON (clang Compiler Version 5.1) | 2575
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) without NEON (clang Compiler Version 5.1) | 1747
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) without NEON (clang Compiler Version 5.1) | 2454
Apple iOS 7.1 64-bit running on Apple A7 (ARMv8) without NEON (clang Compiler Version 5.1) | 2575
Apple OS X 10.7 running on Intel Core i7-3615QM (Apple LLVM version 4.2) | 1747
Apple OS X 10.7 running on Intel Core i7-3615QM (Apple LLVM version 4.2) | 2391
Apple OS X 10.7 running on Intel Core i7-3615QM (Apple LLVM version 4.2) | 2454
Apple OS X 10.7 running on Intel Core i7-3615QM (Apple LLVM version 4.2) | 2575
ArbOS 5.3 running on Xeon E5645 (x86) with AES-NI (gcc Compiler Version 4.1.2) | 1747
ArbOS 5.3 running on Xeon E5645 (x86) with AES-NI (gcc Compiler Version 4.1.2) | 2391
ArbOS 5.3 running on Xeon E5645 (x86) with AES-NI (gcc Compiler Version 4.1.2) | 2454
ArbOS 5.3 running on Xeon E5645 (x86) without AES-NI (gcc Compiler Version 4.1.2) | 1747
ArbOS 5.3 running on Xeon E5645 (x86) without AES-NI (gcc Compiler Version 4.1.2) | 2391
ArbOS 5.3 running on Xeon E5645 (x86) without AES-NI (gcc Compiler Version 4.1.2) | 2454
CascadeOS 6.1 (32 bit) (gcc Compiler Version 4.4.5) | 2391
CascadeOS 6.1 (32 bit) running on Intel Pentium T4200 (gcc Compiler Version 4.4.5) | 1747
CascadeOS 6.1 (32 bit) running on Intel Pentium T4200 (gcc Compiler Version 4.4.5) | 2454
CascadeOS 6.1 (64 bit) (gcc Compiler Version 4.4.5) | 2391
CascadeOS 6.1 (64 bit) running on Intel Pentium T4200 (gcc Compiler Version 4.4.5) | 1747
CascadeOS 6.1 (64 bit) running on Intel Pentium T4200 (gcc Compiler Version 4.4.5) | 2454
CentOS 5.6 64-bit running on Intel Xeon E5-2620 v3 (gcc Compiler Version 4.1.2) | 2391
CentOS 5.6 64-bit running on Intel Xeon E5-2690 v3 (gcc Compiler Version 4.1.2) | 2391
DataGravity Discovery Series OS V2.0 running on Intel Xeon E5-2420 (x86) with AES-NI (gcc Compiler Version 4.7.2) | 2398
DataGravity Discovery Series OS V2.0 running on Intel Xeon E5-2420 (x86) without AES-NI (gcc Compiler Version 4.7.2) | 2398
DSP Media Framework 1.4 running on TI C64x+ (TMS320C6x C/C++ Compiler v6.0.13) | 1747
DSP Media Framework 1.4 running on TI C64x+ (TMS320C6x C/C++ Compiler v6.0.13) | 2454
DSP Media Framework 1.4 (TMS320C6x C/C++ Compiler v6.0.13) | 2391
eCos 3 running on Freescale i.MX27 926ejs (ARMv5TEJ) (gcc Compiler Version 4.3.2) | 1747
eCos 3 running on Freescale i.MX27 926ejs (ARMv5TEJ) (gcc Compiler Version 4.3.2) | 2391
eCos 3 running on Freescale i.MX27 926ejs (ARMv5TEJ) (gcc Compiler Version 4.3.2) | 2454
Fedora 14 running on Intel Core i5 with AES-NI (gcc Compiler Version 4.5.1) | 1747
Fedora 14 running on Intel Core i5 with AES-NI (gcc Compiler Version 4.5.1) | 2391
Fedora 14 running on Intel Core i5 with AES-NI (gcc Compiler Version 4.5.1) | 2454
Fedora 14 running on Intel Core i5 with AES-NI (gcc Compiler Version 4.5.1) | 2575
FreeBSD 10.0 running on Xeon E5-2430L (x86) with AES-NI (clang Compiler Version 3.3) | 1747
FreeBSD 10.0 running on Xeon E5-2430L (x86) with AES-NI (clang Compiler Version 3.3) | 2391
FreeBSD 10.0 running on Xeon E5-2430L (x86) with AES-NI (clang Compiler Version 3.3) | 2454
FreeBSD 10.0 running on Xeon E5-2430L (x86) with AES-NI (clang Compiler Version 3.3) | 2575
FreeBSD 10.0 running on Xeon E5-2430L (x86) without AES-NI (clang Compiler Version 3.3) | 1747
FreeBSD 10.0 running on Xeon E5-2430L (x86) without AES-NI (clang Compiler Version 3.3) | 2391
FreeBSD 10.0 running on Xeon E5-2430L (x86) without AES-NI (clang Compiler Version 3.3) | 2454
FreeBSD 10.0 running on Xeon E5-2430L (x86) without AES-NI (clang Compiler Version 3.3) | 2575
FreeBSD 10.2 running on Intel Xeon E5-2430L (x86) with AES-NI (clang Compiler Version 3.4.1) | 2473
FreeBSD 10.2 running on Intel Xeon E5-2430L (x86) without AES-NI (clang Compiler Version 3.4.1) | 2473
FreeBSD 8.4 running on Intel Xeon E5440 (x86) 32-bit (gcc Compiler Version 4.2.1) | 1747
FreeBSD 8.4 running on Intel Xeon E5440 (x86) 32-bit (gcc Compiler Version 4.2.1) | 2391
FreeBSD 8.4 running on Intel Xeon E5440 (x86) 32-bit (gcc Compiler Version 4.2.1) | 2454
FreeBSD 8.4 running on Intel Xeon E5440 (x86) without AESNI (gcc Compiler Version 4.2.1) | 1747
FreeBSD 8.4 running on Intel Xeon E5440 (x86) without AES-NI (gcc Compiler Version 4.2.1) | 2391
FreeBSD 8.4 running on Intel Xeon E5440 (x86) without AESNI (gcc Compiler Version 4.2.1) | 2454
FreeBSD 9.1 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 1747
FreeBSD 9.1 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 2391
FreeBSD 9.1 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 2454
FreeBSD 9.1 running on Xeon E5-2430L (x86) without AESNI (gcc Compiler Version 4.2.1) | 1747
FreeBSD 9.1 running on Xeon E5-2430L (x86) without AES-NI (gcc Compiler Version 4.2.1) | 2391
FreeBSD 9.1 running on Xeon E5-2430L (x86) without AESNI (gcc Compiler Version 4.2.1) | 2454
FreeBSD 9.2 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 1747
FreeBSD 9.2 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 2391
FreeBSD 9.2 running on Xeon E5-2430L (x86) with AES-NI (gcc Compiler Version 4.2.1) | 2454
FreeBSD 9.2 running on Xeon E5-2430L (x86) without AES-NI (gcc Compiler Version 4.2.1) | 1747
FreeBSD 9.2 running on Xeon E5-2430L (x86) without AES-NI (gcc Compiler Version 4.2.1) | 2391
FreeBSD 9.2 running on Xeon E5-2430L (x86) without AES-NI (gcc Compiler Version 4.2.1) | 2454
HP-UX 11i (32 bit) (HP C/aC++ B3910B) | 2391
HP-UX 11i (32 bit) running on Intel Itanium 2 (HP C/aC++ B3910B) | 1747
HP-UX 11i (32 bit) running on Intel Itanium 2 (HP C/aC++ B3910B) | 2454
HP-UX 11i (64 bit) (HP C/aC++ B3910B) | 2391
HP-UX 11i (64 bit) running on Intel Itanium 2 (HP C/aC++ B3910B) | 1747
HP-UX 11i (64 bit) running on Intel Itanium 2 (HP C/aC++ B3910B) | 2454
iOS 6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withNEON(gccCompilerVersion4.
2.
1)1747iOS6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withNEON(gccCompilerVersion4.
2.
1)2391iOS6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withNEON(gccCompilerVersion4.
2.
1)2454iOS6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withoutNEON(gccCompilerVersion4.
2.
1)1747iOS6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withoutNEON(gccCompilerVersion4.
2.
1)2391iOS6.
0runningonAppleA5/ARMCortex-A9(ARMv7)withoutNEON(gccCompilerVersion4.
2.
1)2454iOS8.
132-bitrunningonAppleA7(ARMv8)withNEON(clangCompilerVersion600.
0.
56)1747iOS8.
132bitrunningonAppleA7(ARMv8)withNEON(clangCompilerVersion600.
0.
56)2398iOS8.
132-bitrunningonAppleA7(ARMv8)withNEON(clangCompilerVersion600.
0.
56)2473iOS8.
132-bitrunningonAppleA7(ARMv8)withNEON(clangCompilerVersion600.
0.
56)2575iOS8.
132-bitrunningonAppleA7(ARMv8)withoutNEON(clangCompilerVersion600.
0.
56)1747iOS8.
132bitrunningonAppleA7(ARMv8)withoutNEON(clangCompilerVersion600.
0.
56)2398iOS8.
132-bitrunningonAppleA7(ARMv8)withoutNEON(clangCompilerVersion600.
0.
56)2473iOS8.
132-bitrunningonAppleA7(ARMv8)withoutNEON(clangCompilerVersion600.
0.
56)2575iOS8.
164-bitrunningonAppleA7(ARMv8)withNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)1747iOS8.
164bitrunningonAppleA7(ARMv8)withNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2398Page37of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationiOS8.
164-bitrunningonAppleA7(ARMv8)withNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2473iOS8.
164-bitrunningonAppleA7(ARMv8)withNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2575iOS8.
164bitrunningonAppleA7(ARMv8)withoutNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2398iOS8.
164-bitrunningonAppleA7(ARMv8)withoutNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2473iOS8.
164-bitrunningonAppleA7(ARMv8)withoutNEONandCryptoExtensions(clangCompilerVersion600.
0.
56)2575iOS8.
164-bitrunningonAppleA7(ARMv8)withoutNEONandCryptoExtensions(clangCompilervVersion600.
0.
56)1747Linux2.
6.
27(gccCompilerVersion4.
2.
4)2391Linux2.
6.
27runningonPowerPCe300c3(gccCompilerVersion4.
2.
4)1747Linux2.
6.
27runningonPowerPCe300c3(gccCompilerVersion4.
2.
4)2454Linux2.
6.
32(gccCompilerVersion4.
3.
2)2391Linux2.
6.
32runningonTIAM3703CBP(ARMv7)(gccCompilerVersion4.
3.
2)1747Linux2.
6.
32runningonTIAM3703CBP(ARMv7)(gccCompilerVersion4.
3.
2)2454Linux2.
6.
33(gccCompilerVersion4.
1.
0)2391Linux2.
6.
33runningonPowerPC32e300(gccCompilerVersion4.
1.
0)1747Linux2.
6.
33runningonPowerPC32e300(gccCompilerVersion4.
1.
0)2454Linux2.
6(gccCompilerVersion4.
1.
0)2391Linux2.
6(gccCompilerVersion4.
3.
2)2391Linux2.
6runningonaNimbleStorageCS300withAES-NI2422Linux2.
6runningonaNimbleStorageCS500withAES-NI2422Linux2.
6runningonaNimbleStorageCS700withAES-NI2422Linux2.
6runningonBroadcomBCM11107(ARMv6)(gccCompilerVersion4.
3.
2)1747Linux2.
6runningonBroadcomBCM11107(ARMv6)(gccCompilerVersion4.
3.
2)2454Linux2.
6runningonFreescalee500v2(PPC)(gccCompilerVersion4.
4.
1)1747Linux2.
6runningonFreescalee500v2(PPC)(gccCompilerVersion4.
4.
1)2391Linux2.
6runningonFreescalee500v2(PPC)(gccCompilerVersion4.
4.
1)2454Linux2.
6runningonFreescalePowerPCe500(gccCompilerVersion4.
1.
0)1747Linux2.
6runningonFreescalePowerPCe500(gccCompilerVersion4.
1.
0)2454Linux2.
6runningonTITMS320DM6446(ARMv4)(gccCompilerVersion4.
3.
2)1747Linux2.
6runningonTITMS320DM6446(ARMv4)(gccCompilerVersion4.
3.
2)2454Linux3.
1032-bitrunningonIntelAtomE3845(x86)withAES-NI(gccCompilerVersion4.
8.
1)2398Page38of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationLinux3.
1032-bitrunningonIntelAtomE3845(x86)withoutAES-NI(gccCompilerVersion4.
8.
1)2398Linux3.
10onVMwareESXi6.
00runningonIntelXeonwithAES-NI(gccCompilerVersion4.
8.
3)2631Linux3.
10onVmwareESXi6.
00runningonIntelXeonwithoutAES-NI(gccCompilerVersion4.
8.
3)2631Linux3.
10runningonIntelXeonwithAES-NI(gccCompilerVersion4.
8.
3)2631Linux3.
10runningonIntelXeonwithoutAES-NI(gccCompilerVersion4.
8.
3)2631Linux3.
464-bitunderCitrixXenServerrunningonIntelXeonE5-2430L(x86)withoutAES-NI2422Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)1747Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)2454Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)1747Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)2454Linux3.
4underCitrixXenServer6.
2runningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)21747Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)22454Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)1747Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)2454Linux3.
4underMicrosoftWindows2012Hyper-VrunningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)1747Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)2454Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)1747Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithoutAES-NI(gccCompiler2454Page39of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationVersion4.
8.
0)Linux3.
4underVmwareESXi5.
1runningonIntelXeonE5-2430LwithoutAES-NI(gccCompilerVersion4.
8.
0)2575Linux3.
8runningonARM926(ARMv5TEJ)(gccCompilerVersion4.
7.
3)1747Linux3.
8runningonARM926(ARMv5TEJ)(gccCompilerVersion4.
7.
3)2391Linux3.
8runningonARM926(ARMv5TEJ)(gccCompilerVersion4.
7.
3)2454Linux3.
8runningonARM926(ARMv5TEJ)(gccCompilerVersion4.
7.
3)2575LinuxORACLESP2.
6runningonASPEEDAST-Series(ARMv5)(gccCompilerVersion4.
4.
5)1747LinuxORACLESP2.
6runningonASPEEDAST-Series(ARMv5)(gccCompilerVersion4.
4.
5)2391LinuxORACLESP2.
6runningonASPEEDAST-Series(ARMv5)(gccCompilerVersion4.
4.
5)2454LinuxORACLESP2.
6runningonEmulexPILOT3(ARMv5)(gccCompilerVersion4.
4.
5)1747LinuxORACLESP2.
6runningonEmulexPILOT3(ARMv5)(gccCompilerVersion4.
4.
5)2391LinuxORACLESP2.
6runningonEmulexPILOT3(ARMv5)(gccCompilerVersion4.
4.
5)2454MicrosoftWindows7(32bit)(Microsoft32bitC/C++OptimizingCompilerVersion16.
00)2391MicrosoftWindows7(32bit)runningonIntelCeleron(Microsoft32bitC/C++OptimizingCompilerVersion16.
00)1747MicrosoftWindows7(32bit)runningonIntelCeleron(Microsoft32bitC/C++OptimizingCompilerVersion16.
00)2454MicrosoftWindows7(32bit)runningonIntelCeleron(Microsoft32bitC/C++OptimizingCompilerVersion16.
00)2575MicrosoftWindows7(64bit)(MicrosoftC/C++OptimizingCompilerVersion16.
00)2391MicrosoftWindows7(64bit)runningonIntelPentium4(MicrosoftC/C++OptimizingCompilerVersion16.
00)1747MicrosoftWindows7(64bit)runningonIntelPentium4(MicrosoftC/C++OptimizingCompilerVersion16.
00)2454MicrosoftWindows7(64bit)runningonIntelPentium4(MicrosoftC/C++OptimizingCompilerVersion16.
00)2575MicrosoftWindows7runningonIntelCorei5-2430M(64-bit)withAES-NI(MicrosoftC/C++OptimizingCompilerVersion16.
00forx64)1747MicrosoftWindows7runningonIntelCorei5-2430M(64-bit)withAES-NI(MicrosoftC/C++OptimizingCompilerVersion16.
00forx64)2391MicrosoftWindows7runningonIntelCorei5-2430M(64-bit)withAES-NI(MicrosoftC/C++OptimizingCompilerVersion16.
00forx64)2454MicrosoftWindows7runningonIntelCorei5-2430M(64-bit)withAES-NI(MicrosoftC/C++OptimizingCompilerVersion16.
00forx64)2575MicrosoftWindowsCE5.
0(MicrosoftC/C++OptimizingCompilerVersion13.
10forARM)2391MicrosoftWindowsCE5.
0runningonARMv7(MicrosoftC/C++OptimizingCompilerVersion13.
10forARM)1747Page40of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationMicrosoftWindowsCE5.
0runningonARMv7(MicrosoftC/C++OptimizingCompilerVersion13.
10forARM)2454MicrosoftWindowsCE6.
0(MicrosoftC/C++OptimizingCompilerVersion15.
00forARM)2391MicrosoftWindowsCE6.
0runningonARMv5TEJ(MicrosoftC/C++OptimizingCompilerVersion15.
00forARM)1747MicrosoftWindowsCE6.
0runningonARMv5TEJ(MicrosoftC/C++OptimizingCompilerVersion15.
00forARM)2454MicrosoftWindowsServer2008R2runningonanIntelXeonE5-2420(x64)(Microsoft32-bitC/C++OptimizingCompilerVersion16.
00.
40219.
01for80x86)2454NetBSD5.
1(gccCompilerVersion4.
1.
3)2391NetBSD5.
1runningonIntelXeon5500(gccCompilerVersion4.
1.
3)1747NetBSD5.
1runningonIntelXeon5500(gccCompilerVersion4.
1.
3)2454NetBSD5.
1runningonPowerPCe500(gccCompilerVersion4.
1.
3)1747NetBSD5.
1runningonPowerPCe500(gccCompilerVersion4.
1.
3)2454OpenWRT2.
6runningonMIPS24Kc(gccCompilerVersion4.
6.
3)1747OpenWRT2.
6runningonMIPS24Kc(gccCompilerVersion4.
6.
3)2391OpenWRT2.
6runningonMIPS24Kc(gccCompilerVersion4.
6.
3)2454OracleLinux5(64bit)(gccCompilerVersion4.
1.
2)2391OracleLinux5(64bit)runningonIntelXeon5675(gccCompilerVersion4.
1.
2)1747OracleLinux5(64bit)runningonIntelXeon5675(gccCompilerVersion4.
1.
2)2454OracleLinux5runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
1.
2)1747OracleLinux5runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
1.
2)2391OracleLinux5runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
1.
2)2454OracleLinux6(gccCompilerVersion4.
4.
6)2391OracleLinux6runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
4.
6)1747OracleLinux6runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
4.
6)2391OracleLinux6runningonIntelXeon5675withAES-NI(gccCompilerVersion4.
4.
6)2454OracleLinux6runningonIntelXeon5675withoutAES-NI(gccCompilerVersion4.
4.
6)1747OracleLinux6runningonIntelXeon5675withoutAES-NI(gccCompilerVersion4.
4.
6)2454OracleSolaris10(32bit)(gccCompilerVersion3.
4.
3)2391OracleSolaris10(32bit)runningonSPARC-T3(SPARCv9)(gccCompilerVersion3.
4.
3)1747OracleSolaris10(32bit)runningonSPARC-T3(SPARCv9)(gccCompilerVersion3.
4.
3)2454OracleSolaris10(64bit)(gccCompilerVersion3.
4.
3)2391OracleSolaris10(64bit)runningonSPARC-T3(SPARCv9)(gccCompilerVersion3.
4.
3)1747OracleSolaris10(64bit)runningonSPARC-T3(SPARCv9)(gccCompilerVersion3.
4.
3)2454Page41of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationOracleSolaris11(32bit)(gccCompilerVersion4.
5.
2)2391OracleSolaris11(32bit)runningonIntelXeon5675(gccCompilerVersion4.
5.
2)1747OracleSolaris11(32bit)runningonIntelXeon5675(gccCompilerVersion4.
5.
2)2454OracleSolaris11(32bit)runningonSPARC-T3(SPARCv9)(SunCVersion5.
12)1747OracleSolaris11(32bit)runningonSPARC-T3(SPARCv9)(SunCVersion5.
12)2454OracleSolaris11(32bit)(SunCVersion5.
12)2391OracleSolaris11(64bit)(gccCompilerVersion4.
5.
2)2391OracleSolaris11(64bit)runningonIntelXeon5675(gccCompilerVersion4.
5.
2)1747OracleSolaris11(64bit)runningonIntelXeon5675(gccCompilerVersion4.
5.
2)2454OracleSolaris11(64bit)runningonSPARC-T3(SPARCv9)(SunCVersion5.
12)1747OracleSolaris11(64bit)runningonSPARC-T3(SPARCv9)(SunCVersion5.
12)2454OracleSolaris11(64bit)(SunCVersion5.
12)2391OracleSolaris11runningonIntelXeon5675withAESNI(32bit)(gccCompilerVersion4.
5.
2)1747OracleSolaris11runningonIntelXeon5675withAES-NI(32bit)(gccCompilerVersion4.
5.
2)2391OracleSolaris11runningonIntelXeon5675withAESNI(32bit)(gccCompilerVersion4.
5.
2)2454OracleSolaris11runningonIntelXeon5675withAESNI(64bit)(gccCompilerVersion4.
5.
2)1747OracleSolaris11runningonIntelXeon5675withAES-NI(64bit)(gccCompilerVersion4.
5.
2)2391OracleSolaris11runningonIntelXeon5675withAESNI(64bit)(gccCompilerVersion4.
5.
2)2454PexOS1.
0undervSphereESXi5.
1runningonIntelXeonE52430LwithAES-NI(gccCompilerVersion4.
6.
3)31747PexOS1.
0undervSphereESXi5.
1runningonIntelXeonE52430LwithAES-NI(gccCompilerVersion4.
6.
3)32454PexOS1.
0undervSphereESXi5.
1runningonIntelXeonE52430LwithoutAES-NI(gccCompilerVersion4.
6.
3)1747PexOS1.
0undervSphereESXi5.
1runningonIntelXeonE52430LwithoutAES-NI(gccCompilerVersion4.
6.
3)2454QNX6.
4runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)1747QNX6.
4runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)2391QNX6.
4runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)2454QNX6.
5runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)1747QNX6.
5runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)2391QNX6.
5runningonFreescalei.
MX25(ARMv4)(gccCompilerVersion4.
3.
3)2454TS-Linux2.
4runningonArm920Tid(ARMv4)(gccCompilerVersion4.
3.
2)2398TS-Linux2.
4runningonArm920Tid(ARMv4)(gccCompilerVersion4.
3.
2)2473TS-Linux2.
4runningonArm920Tid(ARMv4)(gccCompilerVersion4.
3.
2)41747Page42of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationUbuntu10.
04(32bit)(gccCompilerVersion4.
1.
3)2391Ubuntu10.
04(32bit)runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)1747Ubuntu10.
04(32bit)runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)2454Ubuntu10.
04(64bit)(gccCompilerVersion4.
1.
3)2391Ubuntu10.
04(64bit)runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)1747Ubuntu10.
04(64bit)runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)2454Ubuntu10.
04runningonIntelCorei5withAES-NI(32bit)(gccCompilerVersion4.
1.
3)1747Ubuntu10.
04runningonIntelCorei5withAES-NI(32bit)(gccCompilerVersion4.
1.
3)2391Ubuntu10.
04runningonIntelCorei5withAES-NI(32bit)(gccCompilerVersion4.
1.
3)2454Ubuntu10.
04runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)1747Ubuntu10.
04runningonIntelPentiumT4200(gccCompilerVersion4.
1.
3)2454Ubuntu12.
04runningonIntelXeonE5-2430L(x86)withAES-NI(gccCompilerVersion4.
6.
3)2398Ubuntu12.
04runningonIntelXeonE5-2430L(x86)withoutAES-NI(gccCompilerVersion4.
6.
3)2398Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)(gccCompilerVersion4.
7.
3)2391Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withNEON(gccCompilerVersion4.
7.
3)1747Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withNEON(gccCompilerVersion4.
7.
3)2391Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withNEON(gccCompilerVersion4.
7.
3)2454Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withNEON(gccCompilerVersion4.
7.
3)2575Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withoutNEON(gccCompilerVersion4.
7.
3)1747Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withoutNEON(gccCompilerVersion4.
7.
3)2454Ubuntu13.
04runningonAM335xCortex-A8(ARMv7)withoutNEON(gccCompilerVersion4.
7.
3)2575uCLinux0.
9.
29(gccCompilerVersion4.
2.
1)2391uCLinux0.
9.
29runningonARM922T(ARMv4)(gccCompilerVersion4.
2.
1)1747uCLinux0.
9.
29runningonARM922T(ARMv4)(gccCompilerVersion4.
2.
1)2454VmwareHorizonWorkspace1.
5underVmwareESXi5.
0runningonIntelXeonE3-1220(x86)withAES-NI(gccCompilerVersion4.
5.
1)11747VmwareHorizonWorkspace1.
5underVmwareESXi5.
0runningonIntelXeonE3-1220(x86)withAES-NI(gccCompilerVersion4.
5.
1)12454VmwareHorizonWorkspace1.
5underVmwareESXi5.
0runningonIntelXeonE3-1220(x86)withoutAES-NI(gccCompilerVersion4.
5.
1)1747VmwareHorizonWorkspace1.
5underVmwareESXi5.
0runningonIntelXeonE3-1220(x86)withoutAES-NI(gccCompilerVersion4.
5.
1)2454VmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withAES-NI(gccCompilerVersion4.
5.
1)1747VmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withAESNI(gccCompilerVersion4.
5.
1)2391Page43of225UserGuide-OpenSSLFIPSObjectModulev2.
0PlatformValidationVmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withAES-NI(gccCompilerVersion4.
5.
1)2454VmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withoutAES-NI(gccCompilerVersion4.
5.
1)1747VmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withoutAES-NI(gccCompilerVersion4.
5.
1)2391VmwareHorizonWorkspace2.
1undervSphereESXi5.
5runningonIntelXeonE3-1220(x86)withoutAES-NI(gccCompilerVersion4.
5.
1)2454VxWorks6.
7runningonIntelCore2Duo(x86)(gccCompilerVersion4.
1.
2)2398VxWorks6.
8(gccCompilerVersion4.
1.
2)2391VxWorks6.
8runningonTITNETV1050(MIPS)(gccCompilerVersion4.
1.
2)1747VxWorks6.
8runningonTITNETV1050(MIPS)(gccCompilerVersion4.
1.
2)2454VxWorks6.
9runningonFreescaleP2020(PPC)(gccCompilerVersion4.
3.
3)1747VxWorks6.
9runningonFreescaleP2020(PPC)(gccCompilerVersion4.
3.
3)2398VxWorks6.
9runningonFreescaleP2020(PPC)(gccCompilerVersion4.
3.
3)2473WindowsEmbeddedCompact7runningonFreescalei.
MX53xA(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)1747WindowsEmbeddedCompact7runningonFreescalei.
MX53xA(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)2391WindowsEmbeddedCompact7runningonFreescalei.
MX53xA(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)2454WindowsEmbeddedCompact7runningonFreescalei.
MX53xD(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)1747WindowsEmbeddedCompact7runningonFreescalei.
MX53xD(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)2391WindowsEmbeddedCompact7runningonFreescalei.
MX53xD(ARMv7)withNEON(MicrosoftC/C++OptimizingCompilerVersion15.
00.
20720)2454Table2.
10bPage44of225UserGuide-OpenSSLFIPSObjectModulev2.
3. Compatible Platforms

The FIPS Object Module is designed to run on a wide range of hardware and software platforms. Any computing platform that meets the conditions in the Security Policy can be used to host a FIPS 140-2 validated FIPS Object Module provided that module is generated in accordance with the Security Policy.

At the time the OpenSSL FIPS Object Module v2.0 was developed, all Unix[16]-like environments supported by the full OpenSSL distribution were also supported by the FIPS validated source files included in the FIPS Object Module. However, successful compilation of the FIPS Object Module for all such platforms was not verified. If any platform specific compilation errors occur that can only be corrected by modification of the FIPS distribution files (see Appendix B of the Security Policy), then the FIPS Object Module will not be validated for that platform. It is also noted that a platform which is currently supported (but untested) may not be supported in the future as revisions are made to the FIPS validated sources. For example, a change made for one platform may adversely affect another, untested platform.

By default, the FIPS Object Module software utilizes assembly language optimizations for some supported platforms. Currently assembler language code residing within the cryptographic module boundary is used for the x86/Intel[17] ELF and ARM[18] machine architectures. The FIPS Object Module build process will automatically select and include these assembly routines by default when building on an x86 platform. The assembly language code was included in the validation testing, so a FIPS Object Module built using the x86/Intel assembly language routines will result in a FIPS 140-2 validated Object Module. Assembly language and optimizations are discussed in detail in Section 3.2.3 Assembler Optimizations.
3.1 Build Environment Requirements

The platform portability of the FIPS Object Module source code is contingent on several basic assumptions about the build environment:

1. The environment is either a) "Unix-like" with a make command and a ld command with a "-r" (or "-i") option, or b) Microsoft Windows. Creation of the monolithic FIPS Object Module fipscanister.o requires a linker capable of merging several object modules into one. This requirement is known to be a problem with VMS and some older versions of LD.EXE under Windows.

2. The compiler is required to place variables declared with the const qualifier in a read-only segment. This behavior is true of almost all modern compilers. If the compiler fails to do so the condition will be detected at run-time and the in-core hashing integrity check will fail.

3. The platform supports execution of compiled code on the build system (i.e. build host and target are binary compatible); or an appropriate "incore" utility is available to calculate the digest from the on-disk resident object code. See further discussion of cross-compilation in §3.4.

4. Cross-compilation uses a technique for determining the integrity check digest that may not work for all cross-compilation environments, so each such new environment must be analyzed for suitability. See further discussion of cross-compilation in §3.4.

16 UNIX is a registered trademark of The Open Group
17 Intel is a registered trademark of the Intel Corporation
18 ARM is a trademark of ARM Limited.
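As an added illustration of requirements 2 through 4 (this is example code written for this guide's reader, not code from the OpenSSL FIPS Object Module or its build scripts), the following Python models the two halves of the in-core integrity test: a build-host "incore" step that computes an HMAC-SHA-1 digest over the on-disk object image and writes it into a reserved slot, and a run-time self-test that recomputes the digest over the loaded image and compares it. The key, the image layout and the FIPS_SIG slot marker are constructed for this example; the module's real key and layout are defined in the FIPS distribution sources. The demo also exercises the two failure modes the requirements describe: const data that ended up in a writable segment and was modified, and a loaded image that is no longer byte-for-byte what the build host hashed.

```python
import hmac
import hashlib

# Constructed for this example only: the real module's HMAC key and the
# layout of fipscanister.o are defined in the FIPS distribution sources.
HMAC_KEY = b"example-integrity-key"
DIGEST_LEN = hashlib.sha1().digest_size   # HMAC-SHA-1 output, 20 bytes
SLOT_MARKER = b"FIPS_SIG"                 # locates the embedded digest slot


def build_image(text: bytes, rodata: bytes) -> bytes:
    """Lay out a toy object image: code, const data, then an empty digest slot.
    The slot is the only part of the image the digest does not cover."""
    return text + rodata + SLOT_MARKER + bytes(DIGEST_LEN)


def _split(image: bytes):
    """Return (covered region, stored digest) for an image from build_image()."""
    idx = image.rfind(SLOT_MARKER)
    if idx < 0:
        raise ValueError("image has no digest slot")
    start = idx + len(SLOT_MARKER)
    return image[:idx], image[start:start + DIGEST_LEN]


def compute_digest(image: bytes) -> bytes:
    """HMAC-SHA-1 over everything except the slot itself."""
    covered, _ = _split(image)
    return hmac.new(HMAC_KEY, covered, hashlib.sha1).digest()


def incore(image: bytes) -> bytes:
    """Build-host step: the digest is computed from the on-disk object code
    and written into the slot. Nothing from the target is executed, which
    is what lets a cross-compile build host do this (requirement 3)."""
    covered, _ = _split(image)
    return covered + SLOT_MARKER + compute_digest(image)


def self_test(image: bytes) -> bool:
    """Run-time step: recompute over the image as loaded and compare with the
    stored value in constant time."""
    _, stored = _split(image)
    return hmac.compare_digest(stored, compute_digest(image))


def demo() -> dict:
    """Exercise the check on a clean image and on the two failure modes."""
    text = bytes.fromhex("554889e5c3") * 8          # constructed stand-in for code
    rodata = b"const-table:0123456789abcdef"        # data the source declares const
    module = incore(build_image(text, rodata))

    # Failure mode 1 (requirement 2): the compiler left const data in a
    # writable segment and something modified it before the self-test ran.
    i = module.index(b"const-table")
    writable_const = module[:i] + b"CONST-TABLE" + module[i + len(b"const-table"):]

    # Failure mode 2 (requirement 4): the loaded image is not byte-for-byte
    # what the build host hashed, e.g. a relocation the incore step did not
    # anticipate patched a word of code.
    relocated = module[:4] + bytes([module[4] ^ 0xFF]) + module[5:]

    return {
        "clean": self_test(module),                   # True
        "writable_const": self_test(writable_const),  # False
        "relocated": self_test(relocated),            # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry between the two steps: incore() only needs to read the file, so it can run on any build host, while self_test() has to see exactly the bytes the host saw. Any mechanism that rewrites the image between the two (a loader relocation, a compiler that keeps const tables writable, a post-link tool) shows up as a failed integrity test rather than a silently different module, which is why a new cross-compilation environment has to be analyzed before it is trusted.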
3.2 Known Supported Platforms

The generation of a monolithic object module and the in-core hashing integrity test have been verified to work with both static and shared builds on the following platforms (note the ./config "shared" option is forbidden by the terms of the validation when building a FIPS validated module, but the fipscanister.o object module can be used in a shared library[19]). Note a successful build of the FIPS module may be possible on other platforms; only the following were explicitly tested as of the date this document was last updated:

Android[20] on ARMv7[21] 32 bit
Android on ARMv7 with NEON 32 bit
HP-UX[22] on IA64 with 32 and 64 bit
Linux[23] on ARMv6, ARMv7 32 bit
Linux on x86-64 32 and 64 bit
Linux on x86-64 32 with SSE2 and 64 bit
Linux on x86-64 with AES-NI 32 and 64 bit
Linux on PowerPC[24]
Solaris[25] on x86-64 with 32 and 64 bit
Solaris on SPARCv9[26] with 32 and 64 bit
Solaris on x86-64 with SSE2 32 and 64 bit
Windows on x86-64 with SSE2 32 and 64 bit
uClinux[27] on ARMv4
VxWorks[28] on MIPS[29]
DSP Media Framework 1.4 on TI[30] C64x+
Apple[31] iOS on ARMv7
Windows CE on ARMv7
NetBSD[32] on PowerPC
NetBSD on x86-64

Among the platforms known to not be supported are Windows on x86-64 with AES-NI, VMS[33], and Mac OS X[34].

19 A convenient way of generating a shared library containing fipscanister.o is discussed in Appendix B
20 Android is a trademark of Google Inc.
21 ARM is a trademark or registered trademark of ARM Ltd or its subsidiaries.
22 HP-UX is a registered trademark of Hewlett-Packard Company.
23 Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
24 PowerPC is a trademark of International Business Machines Corporation in the United States, other countries, or both.
25 Solaris is a registered trademark of Oracle and/or its affiliates.
26 SPARC is a registered trademark of SPARC International, Inc.
Platform Cross Reference (Table 3.2; only the row and column headings of the matrix are reproduced here)
Operating System: Android 2.2, 4.0; HP-UX 11i; Linux 2.6; Solaris 10; Solaris 11; Windows 7; uCLinux 0.9; VxWorks 6.8; Windows CE; NetBSD
Processor: Apple A6 (ARMv7 and ARMv7s); Apple A5 (ARMv6 and ARMv7); ARMv4; ARMv6; ARMv7; ARMv7 NEON; IA64 32 bit; IA64 64 bit; MIPS; PowerPC; SPARCv9 32 bit; SPARCv9 64 bit; x86-64 32 bit; x86-64 64 bit; x86-64 SSE2 32 bit; x86-64 SSE2 64 bit; x86-64 AES-NI 32 bit; x86-64 AES-NI 64 bit
Table 3.2

27 uClinux is a registered trademark of Arcturus Networks Inc.
28 VxWorks is a registered trademark of Wind River Systems, Inc.
29 MIPS is a trademark or registered trademark of MIPS Technologies, Inc. in the United States and other countries.
30 TI is a registered trademark of Texas Instruments Incorporated
31 Apple and iOS are registered trademarks of Apple Inc.
32 NetBSD is a registered trademark of The NetBSD Foundation, Inc.
33 VMS is a registered trademark of Digital Equipment Corporation.
34 Mac OS X is a registered trademark of Apple, Inc.
A commonly asked question is "does this validation extend to my specific platform X?" For instance: "is use of the Module validated on CentOS x86-64 when CentOS was not formally tested but Fedora was?" Or "is use with Linux kernel 2.6.35 validated when only 2.6.33 was formally tested?"

Unfortunately there is no hard and fast answer to such questions. Based on extensive discussions over the years we have developed some informal rules of thumb to determine when a given target platform corresponds with a formally tested platform (Operational Environment).

Important Disclaimer
Only the CMVP can provide authoritative answers to questions about FIPS 140-2. The following discussion represents the un-enlightened and non-authoritative opinions of persons and institutions lacking any official standing to interpret the meaning or intent of FIPS 140-2 or the validation process. CMVP guidance always takes precedence over any statements in this document.

Rules of thumb:

1. Does the target system "code path" (see following section) correspond with that of a formally tested platform?

2. Do any run-time selectable optimizations (see section §3.2.3) correspond with those of a formally tested platform?

3. Will a binary module that builds and runs on one of the formally tested platforms (or was built on the build-time system for a formally tested cross-compiled platform) run as-is on the target system?

4. Does the processor "core" (ARMv6 versus ARMv7, for instance) correspond to that of a formally tested platform? Here the consideration is ABI compatibility: two processors which can interchangeably execute the same set of machine instructions are effectively equivalent.

5. Does the "major" OS version (e.g. Solaris 10 versus Solaris 11) correspond to that of a formally tested platform? The "major" version is generally taken to be the full revision label for OS's using only one or two "dot" levels (e.g., Android 2.2 or Solaris 10, 11), and the first two "dot" levels for OS's using more than two "dot" levels (e.g., Linux 2.6.37, uCLinux 0.9.29)[35].
If the answer to all of these questions is "yes" then, in general, the prospective target platform can reasonably be considered as equivalent to a formally tested platform.

Arguments based on apparent "common sense" considerations should be used cautiously where FIPS 140-2 is concerned, but where general purpose validated software modules are concerned a little thought shows that strict insistence on an exact match between target platforms and formally tested Operational Environments would make it effectively impossible to widely deploy validated software through most enterprises. For instance, one of the formally tested platforms was "Android 2.2.20.A995" on an "ARMv7 rev 2 v7l" processor. If a formally tested platform had to correspond at that level of detail then provision of validated modules would be very difficult, as the extensive amount of time required to obtain a FIPS 140-2 validation means that the specific platform used for testing will be updated or obsolete by the time the validation is completed.

The role of the compiler used for building the validated Module has never been fully delineated. The general (and unofficial) consensus of the FIPS 140-2 user and test lab communities appears to be that the precise version of the compiler need not correspond exactly with that used for the generation of the formally tested Module (for instance, gcc 4.4.1 versus 4.4.7).
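The rules of thumb above, written out as a checker, as an added example for this guide's reader (not a tool provided by OpenSSL Validation Services or the CMVP): each tested platform is reduced to the fields the rules look at, rule 5's "major version" convention is implemented literally, including its consequence for the 2.6.x to 3.0.x kernel jump noted in footnote 35, and a target matches only when every rule holds. The TESTED list is a constructed subset simplified from Table 2.10b and the representative-systems table in §3.2.1; the Platform field names are this example's own. OS names are compared literally, so the CentOS-versus-Fedora case in the question above yields no match, which is as far as a mechanical rule can take that judgement.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Platform:
    """One Operational Environment, reduced to the fields the rules of thumb
    examine: 'core' is the processor core / ABI (rule 4), 'bits' the word
    size of the code path (rule 1) and 'optimization' the run-time
    selectable optimization (rule 2)."""
    os_name: str
    os_version: str
    core: str
    bits: int
    optimization: str


# Constructed subset of the formally tested platforms, simplified from the
# entries in Table 2.10b and the representative-systems table in 3.2.1.
TESTED: List[Platform] = [
    Platform("Android", "2.2", "ARMv7", 32, "NEON"),
    Platform("Android", "2.2", "ARMv7", 32, "none"),
    Platform("Linux", "2.6.33", "PowerPC", 32, "none"),
    Platform("Fedora", "14", "x86-64", 64, "AES-NI"),
    Platform("Ubuntu", "10.04", "x86-64", 32, "none"),
    Platform("Solaris", "10", "SPARCv9", 64, "none"),
    Platform("uCLinux", "0.9.29", "ARMv4", 32, "none"),
]


def major_version(version: str) -> str:
    """Rule 5: the full label when there are at most two dot levels
    (Android 2.2, Solaris 10), otherwise the first two levels
    (Linux 2.6.37 -> 2.6, uCLinux 0.9.29 -> 0.9). Under this rule
    2.6.x and 3.0.x kernels do not correspond (footnote 35)."""
    parts = version.split(".")
    return version if len(parts) <= 2 else ".".join(parts[:2])


def equivalent(target: Platform, tested: Platform) -> bool:
    """All rules must hold. Rule 3 (a tested binary runs as-is on the
    target) cannot be decided from labels alone; it is approximated here
    by the ABI check of rule 4 together with the word size of rule 1."""
    return (
        target.bits == tested.bits                                   # rule 1: code path
        and target.optimization == tested.optimization               # rule 2: optimizations
        and target.core == tested.core                               # rules 3 and 4: ABI
        and target.os_name.lower() == tested.os_name.lower()         # rule 5: same OS ...
        and major_version(target.os_version) == major_version(tested.os_version)  # ... and major version
    )


def find_equivalent(target: Platform, tested: List[Platform] = TESTED) -> List[Platform]:
    """Formally tested platforms the target may reasonably be considered
    equivalent to. An empty list means none of the rules-of-thumb matches
    and one of the options described next (affirmation, change letter,
    private-label validation) has to be considered."""
    return [p for p in tested if equivalent(target, p)]


if __name__ == "__main__":
    for t in [Platform("Linux", "2.6.35", "PowerPC", 32, "none"),
              Platform("Linux", "3.0.1", "PowerPC", 32, "none"),
              Platform("Android", "2.3", "ARMv7", 32, "NEON"),
              Platform("CentOS", "6.5", "x86-64", 64, "AES-NI")]:
        print(t, "->", find_equivalent(t))
```

The usage loop at the bottom reproduces the two questions that open this discussion: Linux 2.6.35 on the same PowerPC core as the tested 2.6.33 platform matches, a 3.0.1 kernel does not, an Android 2.3 target does not match Android 2.2 because short labels are compared in full, and the CentOS target finds nothing because the checker will not guess that one distribution stands in for another.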
35 Note this rule of thumb has implications for the recent and more or less arbitrary jump of the Linux kernel version number from 2.6.x to 3.0.x.

If a review determines that no formally tested platform corresponds to the target platform of interest, there are several options:
1. Vendor or user "affirmation" per section G.5 of the Implementation Guidance document (Reference 3). This topic is discussed in more detail in §5.5.

2. A "change letter" modification to extend an existing validation to include the platform of interest. The change letter process can often be performed in a few weeks with a price tag in the low five figures, as opposed to the many months and high five figure to low six figure price tag of a conventional full validation.

3. A full validation leveraging the source code and documentation from the OpenSSL FIPS Object Module validation. Such a "private label" validation will still take many months but is typically much less expensive than an unrelated validation. An advantage of the "private label" validation is that upon formally engaging an accredited test lab the vendor becomes eligible[36] to have the prospective module listed on the "Modules In Process" list[37] (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf). The presence of a vendor module on that list is a sufficient condition for completion of many procurement actions in the U.S. Department of Defense and federal government.
3.2.1 Code Paths and Command Sets

For the purposes of the validation testing a "platform" is a unique combination of source code and the specific build-time options used to turn that source code into binary code. The build-time inclusion of assembler optimizations effectively changes the source code, and source code selections vary based on the target architecture word size of 32 or 64 bits.

Due to budget and schedule constraints only some assembler optimizations for ARM and x86-64 were tested, so only those optimizations are available for building the FIPS Object Module. Two separate sets of source code were identified to cover plain C (no assembler) for x86-64 Linux 32 and 64 bits.

Even though the same source code is used for both Linux/Unix and Windows operating systems, the build instructions are sufficiently unique to each of the two OS families that the decision was made to test each code path for both OS families. The resulting test cases can be represented in the following tables:

Code Path | Command Set (Linux/Unix) | Command Set (Windows) | Representative Platform (Linux/Unix) | Representative Platform (Windows)
pure C 32 bit | U1 | W1 | u1 | w1
pure C 64 bit | U2 | W2 | u1 | w2
x86 assembler | U3 | W3 | u2 | w3
x86-64 assembler | U4 | W4 | u2 | w4
Table 3.2.1a - Code Paths and Command Sets

where the command sets are

Command Set | Name | Build Commands
U1 | Linux/Unix, pure C | ./config no-asm; make; make install
U2 | Linux/Unix with x86/x86-64 optimizations | ./config; make; make install
W1 | Windows, pure C | ms\do_fips no-asm
W2 | Windows with x86/x86-64 optimizations | ms\do_fips
Table 3.2.1b - Command Sets

36 Strictly speaking the test lab must also be in possession of drafts of all required documentation. In the case of private label validations closely modeled on an OpenSSL FIPS Object Module validation that is readily accomplished, usually before the formal contract with the test lab is executed.
37 The "Module in Process" list is often referred to as the "pre-val" list.

The actual representative systems tested for the validation were:

# | Generic System | Actual System: OS | Processor | Optimization
1 | Android 2.2 on ARMv7 with NEON | Android 2.2 (HTC Desire) | Qualcomm QSD8250 (ARMv7) | NEON
2 | Android 2.2 on ARMv7 | Android 2.2 (Dell Streak) | Qualcomm QSD8250 (ARMv7) | None
3 | Windows x86 32 bit | Microsoft Windows 7 32 bit | Intel Celeron (x86) | None
4 | uCLinux on ARMv4 | uClinux 0.9.29 | ARM922T (ARMv4) | None
5 | Linux 2.6 on x86 with AES-NI 64 bit | Fedora 14 | Intel Core i5 (x86) | AES-NI
6 | HP-UX 11 on IA64 32 bit | HP-UX 11i (hpux-ia64-cc, 32 bit mode) | Intel Itanium 2 (IA64) | None
7 | HP-UX 11 on IA64 64 bit | HP-UX 11i (hpux64-ia64-cc, 64 bit mode) | Intel Itanium 2 (IA64) | None
8 | Linux on x86 32 bit | Ubuntu 10.04 | Intel Pentium T4200 (x86) | None
9 | Android 2.2 on ARMv7 (duplicate of platform 2) | Android 2.2 (Motorola Xoom) | NVIDIA Tegra 250 T20 (ARMv7) | None
10 | Linux 2.6 on PPC | Linux 2.6.27 | PowerPC e300c3 (PPC) | None
11 | Windows on x86 64 bit | Microsoft Windows 7 64 bit | Intel Pentium 4 (x86) | None
12 | Linux 2.6 on x86 with AES-NI 32 bit | Ubuntu 10.04 32 bit | Intel Core i5 (x86) | AES-NI
13 | Linux 2.6 on PPC (duplicate of platform 10) | Linux 2.6.33 | PowerPC32 e300 (PPC) | None
16 | Android 2.2 on ARMv7 with NEON (duplicate of platform 1) | Android 2.2 | OMAP 3530 (ARMv7) | NEON
17 | C64x+ DSP | DSP Media Framework 1.4 | TI C64x+ | None
19 | VxWorks 6.8 on MIPS | VxWorks 6.8 | TI TNETV1050 (MIPS) | None
20 | Linux 2.6 on ARMv6 | Linux 2.6 | Broadcom BCM11107 (ARMv6) | None
21 | Linux 2.6 on ARMv7 | Linux 2.6 | TI TMS320DM6446 (ARMv4) | None
22 | Linux 2.6 on ARMv7 | Linux 2.6.32 | TI AM3703CBP (ARMv7) | None
23 | Solaris 10 on SPARCv9 32 bit | Solaris 10 32 bit | SPARC-T3 (SPARCv9) | None
24 | Solaris 10 on SPARCv9 64 bit | Solaris 10 64 bit | SPARC-T3 (SPARCv9) | None
25 | Solaris 11 on x86-64 32 bit | Solaris 11 32 bit | Intel Xeon 5260 (x86) | None
26 | Solaris 11 on x86-64 64 bit | Solaris 11 64 bit | Intel Xeon 5260 (x86) | None
27 | Solaris 11 on x86-64 with AES-NI 32 bit | Solaris 11 32 bit | Intel Xeon 5260 (x86) | AES-NI
28 | Solaris 11 on x86-64 with AES-NI 64 bit | Solaris 11 64 bit | Intel Xeon 5260 (x86) | AES-NI
29 | Oracle Linux 5 on x86-64 64 bit | Oracle Linux 5 64 bit | Intel Xeon 5260 (x86) | None
30 | CascadeOS 6.1 on x86 32 bit | CascadeOS 6.1 32 bit | Intel Pentium T4200 (x86) | None
31 | CascadeOS 6.1 on x86 64 bit | CascadeOS 6.1 64 bit | Intel Pentium T4200 (x86) | None
32 | Linux 2.6 on x86-64 32 bit | Ubuntu 10.04 32 bit | Intel Pentium T4200 (x86) | None
33 | Linux 2.6 on x86-64 64 bit | Ubuntu 10.04 64 bit | Intel Pentium T4200 (x86) | None
34 | Oracle Linux 5 on x86-64 with AES-NI | Oracle Linux 5 | Intel Xeon 5675 (x86) | AES-NI
35 | Oracle Linux 6 on x86-64 | Oracle Linux 6 | Intel Xeon 5675 (x86) | None
36 | Oracle Linux 6 on x86-64 with AES-NI | Oracle Linux 6 | Intel Xeon 5675 (x86) | AES-NI
37 | Solaris 11 32 bit on SPARCv9 | Solaris 11 32 bit | SPARC-T3 (SPARCv9) | None
38 | Solaris 11 64 bit on SPARCv9 | Solaris 11 64 bit | SPARC-T3 (SPARCv9) | None
39 | Android 4.0 on ARMv7 | Android 4.0 (Motorola Xoom) | NVIDIA Tegra 250 T20 | None
40 | Linux 2.6 on PPC | Linux 2.6 | Freescale PowerPC-e500 | None
41 | Apple iOS 5.1 on ARMv7 | Apple iOS 5.1 | ARMv7 | None
42 | WinCE 6.0 on ARMv5TEJ | WinCE 6.0 | ARMv5TEJ | None
43 | WinCE 5.0 on ARMv7 | WinCE 5.0 | ARMv7 | None
44 | Android 4.0 on ARMv7 | Android 4.0 | OMAP3 | NEON
45 | NetBSD 5.1 on PPC | NetBSD 5.1 | PowerPC-e500 | None
46 | NetBSD 5.1 on x86-64 | NetBSD 5.1 | Intel Xeon 5500 (x86) | None
47 | Windows 2008 32-bit under vSphere on x86-64 | Windows 2008 | Xeon E3-1220 v2 (x86) | None
48 | Windows 2008 64-bit under vSphere on x86-64 | Windows 2008 | Xeon E3-1220 v2 (x86) | None
49 | RHEL 6 32-bit on x86-64 | RHEL 6 | Xeon E3-1220 v2 (x86) | None
50 | RHEL 6 64-bit on x86-64 | RHEL 6 | Xeon E3-1220 v2 (x86) | None
0GenericSystemActualSystemOS-Processor-Optimization51Windows764-bitonx86-64withAES-NIWindows7IntelCorei5-2430M(x86)AES-NI52Android4.
1onARMv7Android4.
1TIDM3730(ARMv7)None53Android4.
1onARMv7withNEONAndroid4.
1TIDM3730(ARMv7)NEON54Android4.
2onARMv7Android4.
2NvidiaTegra3(ARMv7)None55Android4.
2onARMv7withNEONAndroid4.
2NvidiaTegra3(ARMv7)NEON56WindowsEmbeddedCompact7onARMv7withNEONWindowsEmbeddedCompact7Freescalei.
MX53xA(ARMv7)NEON57WindowsEmbeddedCompact7onARMv7withNEONWindowsEmbeddedCompact7Freescalei.
MX53xA(ARMv7)NEON58Android4.
0onARMv7withNEONAndroid4.
0QualcommSnapdragonAPQ8060(ARMv7)NEON59VMwareHorizonMobile1.
3underVMwareunderAndroid4.
0onARMv7withNEONVMwareHorizonMobile1.
3underVMwareunderAndroid4.
0QualcommMSM8X60(ARMv7)NEON60AppleOSX10.
7onx86-64AppleOSX10.
7IntelCorei7-3615QM(x86)None61AppleiOS5.
0onARMv7withNEONAppleiOS5.
0ARMCortexA8(ARMv7)NEON62OpenWRT2.
6onMIPSOpenWRT2.
6MIPS24KcNone63QNX6.
4onARMv4QNX6.
4Freescalei.
MX25(ARMv4)None64AppleiOS6.
1onARMv7sAppleiOS6.
1AppleA6XSoC(ARMv7s)None65eCos3onARMv5TEJeCos3Freescalei.
MX27926ejs(ARMv5TEJ)None66VMwareHorizonWorkspace1.
5undervSphereonx86-64VMwareHorizonWorkspace1.
5undervSphereIntelXeonE3-1220(x86)None67VMwareHorizonWorkspace1.
5undervSphereonx86-64withAES-NIVMwareHorizonWorkspace1.
5undervSphereIntelXeonE3-1220(x86)AES-NI68Ubuntu13.
04onARMv7Ubuntu13.
04AM335xCortex-A8(ARMv7)NonePage54of225UserGuide-OpenSSLFIPSObjectModulev2.
0GenericSystemActualSystemOS-Processor-Optimization69Ubuntu13.
04onARMv7withNEONUbuntu13.
04AM335xCortex-A8(ARMv7)NEON70Linux3.
8onARMv5TEJLinux3.
8ARM926(ARMv5TEJ)None71Linux3.
4underCitrixXenServeronx86-64Linux3.
4underCitrixXenServerIntelXeonE5-2430L(x86)None72Linux3.
4underCitrixXenServeronx86-64withAES-NILinux3.
4underCitrixXenServerIntelXeonE5-2430L(x86)AES-NI73Linux3.
4underVMwareESXonx86-64Linux3.
4underVMwareESXIntelXeonE5-2430L(x86)None74Linux3.
4underVMwareESXonx86-64withAES-NILinux3.
4underVMwareESXIntelXeonE5-2430L(x86)AES-NI75Linux3.
4underMicrosoftHyper-Vonx86-64Linux3.
4underMicrosoftHyper-VIntelXeonE5-2430L(x86)None76Linux3.
4underMicrosoftHyper-Vonx86-64withAES-NILinux3.
4underMicrosoftHyper-VIntelXeonE5-2430L(x86)AES-NI77AppleiOS6.
0onARMv7AppleiOS6.
0AppleA5/ARMCortex-A9(ARMv7)None78AppleiOS6.
0onARMv7withNEONAppleiOS6.
0AppleA5/ARMCortex-A9(ARMv7)NEON79PexOS1.
0undervSphereonx86-64PexOS1.
0undervSphereIntelXeonE5-2430L(x86)None80PexOS1.
0undervSphereonx86-64withAES-NIPexOS1.
0undervSphereIntelXeonE5-2430L(x86)AES-NI81Linux2.
6onPPCLinux2.
6Freescalee500v2(PPC)None82AcanOS1.
0onx86-64AcanOS1.
0ntelCorei7-3612QE(x86)None83AcanOS1.
0onx86-64withAES-NIAcanOS1.
0IntelCorei7-3612QE(x86)AES-NI84AcanOS1.
0onARMv5AcanOS1.
0IntelCorei7-3612QE(x86)None85FreeBSD8.
4onx86-64FreeBSD8.
4IntelXeonE5440(x86)None86FreeBSD9.
1onx86-64FreeBSD9.
1XeonE5-2430L(x86)NonePage55of225UserGuide-OpenSSLFIPSObjectModulev2.
0GenericSystemActualSystemOS-Processor-Optimization87FreeBSD9.
1onx86-64withAES-NIFreeBSD9.
1XeonE5-2430L(x86)AES-NI88ArbOS5.
3onx86-64ArbOS5.
3XeonE5645(x86)None89ArbOS5.
3onx86-64withAES-NIArbOS5.
3XeonE5645(x86)AES-NI90LinuxORACLESP2.
6onARMv5LinuxORACLESP2.
6ASPEEDAST-Series(ARMv5)None91LinuxORACLESP2.
6onARMv5LinuxORACLESP2.
6EmulexPILOT3(ARMv5)None92FreeBSD9.
2onx86-64FreeBSD9.
2XeonE5-2430L(x86)None93FreeBSD9.
2onx86-64withAES-NIFreeBSD9.
2XeonE5-2430L(x86)AES-NI94FreeBSD10.
0onx86-64FreeBSD10.
0XeonE5-2430L(x86)None95FreeBSD10.
0onx86-64withAES-NIFreeBSD10.
0XeonE5-2430L(x86)AEs-NI96979899100Table3.
2.
1c-RepresentativeSystems3.
2.
232versus64BitArchitecturesMany64bitplatformsprovidebackwardcompatiblesupportfor32bitcodeviahardwareorsoftwareemulation.
Software built on a 32 bit version of a specific operating system will generally run as-is on the equivalent 64 bit version of that operating system. Software built on a 64 bit operating system can be either 32 bit or 64 bit code depending on vendor build environment defaults and explicit build time options. Any such 64 bit code will not run on a 32 bit equivalent operating system, so care must be taken when compiling code for distribution to both 32 and 64 bit systems. By default the FIPS Object Module build process will generate 64 bit code on 64 bit systems.

Since the command sets included in the validation testing do not permit the explicit specification of the compile time options that would otherwise be used to specify the generation of 32 or 64 bit code, it may be necessary for some platforms to build a 32 bit FIPS Object Module on a 32 bit system, and conversely for 64 bit. It is also possible on most 64-bit platforms to install a 32-bit build environment which would be supported. Details as to how to configure such an environment are beyond the scope of this document.
3.2.3 Assembler Optimizations

The only option for processor architectures other than x86/x86-64 and ARM is to use the pure C language implementation and not any of the hand-coded performance optimized assembler, as each assembler implementation requires separate FIPS testing. For example, an Itanium or PowerPC system can only build and use the pure C language module.

For the x86/x86-64 and ARM processors several levels of optimization are supported by the code. Note that most such optimizations, if compiled into executable code, are selectively enabled at run time depending on the capabilities of the target processor. If the Module is built and executed on the same platform (the build-time and run-time systems are the same) then the appropriate optimization will automatically be utilized (assuming that the build+target system corresponds to a formally tested platform).

For x86-64 there are three possible optimization levels:

1. No optimization (plain C)
2. SSE2 optimization
3. AES-NI + PCLMULQDQ + SSSE3 optimization

Note that other theoretically possible combinations (e.g. AES-NI only, or SSE3 only) are not addressed individually, so that a processor which does not support all three of AES-NI, PCLMULQDQ, and SSSE3 will fall back to only SSE2 optimization. The run-time environment variable OPENSSL_ia32cap=~0x200000200000000 disables use of AES-NI, PCLMULQDQ, and SSSE3 optimizations for x86-64.

For ARM there are two possible optimization levels:

1. Without NEON
2. With NEON (ARMv7 only)

The run-time variable OPENSSL_armcap=0 disables use of NEON optimizations for ARM.

If all optimization levels have not been formally tested for a given platform, care must be taken to verify that the optimizations enabled at run-time on any target systems correspond to a formally tested platform. For instance, if "Windows on x86 32-bit" was formally tested but "Windows on x86 with AES-NI 32-bit" was not38 then the Module would be validated when executed on a non-AES-NI capable target processor, but would not be validated when executed on an AES-NI capable system. Note the processor optimization capabilities will often not be obvious to administrators or end users installing software.
When the target platforms are not known to have capabilities corresponding to tested platforms then the risk of inadvertently utilizing the unvalidated optimizations at run-time can be avoided by setting the appropriate environment variables at run-time39:

Disabling run-time selectable optimizations
Platform    | Environment Variable | Value
x86/x86-64  | OPENSSL_ia32cap      | ~0x200000200000000
ARM         | OPENSSL_armcap       | 0

3.3 Creation of Shared Libraries

The FIPS Object Module is not directly usable as a shared library, but it can be linked into an application that is a shared library. A "FIPS compatible" OpenSSL distribution will automatically incorporate an available FIPS Object Module into the libcrypto shared library when built using the fips option (see §4.2.3).
3.4 Cross-compilation

Compilers and linkers are separate programs which work together to generate object code for a target system. They are also programs composed of object code that is executed on the build system. When the build and target systems are the same the process is referred to as a "native" build; when they are different it is referred to as a "cross-compilation" build. Many compilers and linkers (or build environments containing compilers and linkers) are capable of creating object code for multiple target platforms.

For the case of the native build the ./config command40 automatically determines the target system from the characteristics of the build system. This determination is made by setting a series of variables that are used to select an arbitrary architecture label defined in the ./Configure command that is invoked by ./config. This architecture label can be displayed with the "-t" command line option:

    $ ./config -t
    Operating system: i686-whatever-linux2
    Configuring for linux-elf
    /usr/bin/perl ./Configure linux-elf -march=pentium -Wa,--noexecstack
    $

In this example the architecture target is "linux-elf" and the ./Configure command will be invoked with the additional arguments "-march=pentium -Wa,--noexecstack".

38 This was the case as of the initial OpenSSL FIPS Object Module 2.0 validation, though such platforms may be added by subsequent modifications.
39 An alternative is to sponsor the addition of the unsupported platform optimization to the validated Module.
40 Microsoft Windows platforms are handled somewhat differently and are discussed elsewhere.

This implicit determination of the target architecture can be overridden by manually specifying the appropriate environment variables. This explicit determination is optional and unnecessary for native builds, but required for cross-compilation. A typical example is shown here for cross-compilation for the Android ARM target platform:

    #!/bin/sh
    # Edit this to wherever you unpacked the NDK
    export ANDROID_NDK="$PWD"
    # Edit to wherever you put incore script
    export FIPS_SIG="$PWD/incore"
    # Shouldn't need to edit anything past here.
    PATH=$ANDROID_NDK/android-ndk-r4b/build/prebuilt/linux-x86/arm-eabi-4.4.0/bin:$PATH; export PATH
    export MACHINE=armv7l
    export RELEASE=2.6.32.GMU
    export SYSTEM=android
    export ARCH=arm
    export CROSS_COMPILE="arm-eabi-"
    export ANDROID_DEV="$ANDROID_NDK/android-ndk-r4b/build/platforms/android-8/arch-arm/usr"
    export HOSTCC=gcc

With those environment variables specified on a Linux x86 system the ./config now selects a different target architecture:

    $ ./config -t
    Operating system: armv7l-whatever-android
    Configuring for android-armv7
    /usr/bin/perl ./Configure android-armv7 -Wa,--noexecstack
    $

When building using cross-compilation a different technique must be used to determine the embedded integrity check digest value. For native builds an interim executable is created and executed to calculate this digest from live memory, in the same way that the digest is calculated at run time during the POST integrity test. When cross-compiling that technique cannot be used because the cross-compiled executables cannot (in general) be run on the build host. Instead of building and executing an interim executable, a special purpose utility is used to calculate the digest by examining the cross-compiled object code as it resides on disk. One such utility, incore, is provided to handle ELF formats. Even though this utility is effectively platform neutral on most Linux-like operating systems, the process as a whole is not designed to work with arbitrary ELF code and can be relied on only for explicitly verified cross-compile cases as reflected in fips/fips_canister.c. Accommodation of new cross-compilation targets is likely to be trivial but will still require separate validation. Thus, although the incore utility is theoretically capable of handling arbitrary ELF binary code (native or not), it is not used in non-cross-compile/native cases. Cross-compiled non-ELF platforms would require different utilities and separate validation.

In general the C compiler is required to segregate constant data in a contiguous area (e.g. by placing it in a dedicated segment) to compile the FIPS module. Some compilers were found to fail to meet the const data segment requirement. In the cases where the errant behavior was observed, the compiler was instructed to generate position-independent code41. In such cases it might be possible to rectify the problem by defining the __fips_constseg macro in fips/fipssyms.h and harmonizing that definition with the declaration of FIPS_rodata_start and FIPS_rodata_end in fips/fips_canister.c. Such an approach will, however, require a separate FIPS 140-2 validation.

41 The primary reason for compiling the FIPS 2.0 module with -fPIC is for versatility, so that the fipscanister object module will be usable in either the context of a statically-linked application or dynamic library. Use of non-PIC code is inappropriate in a dynamic library, but linking PIC statically was proven to work on all tested platforms. Thus, where such versatility is not of interest then -fPIC could be dropped to target statically-linked applications only. A separate validation will be required, of course.

4. Generating the FIPS Object Module

This section describes the creation of a FIPS Object Module for subsequent use by an application.
The Security Policy provides procedures for acquiring, verifying, building, installing, protecting, and initializing the FIPS Object Module. In case of discrepancies between the User Guide and the Security Policy, the Security Policy should be used. Finally, recall from Section 2.4.2, Object Module (Link Time) Integrity, that applications link against libcrypto.so or libcrypto.a, and not directly to fipscanister.o.

4.1 Delivery of Source Code

The OpenSSL FIPS Object Module software is only available in source format. The specific source code distributions can be found at http://www.openssl.org/source/42 as files with names of the form openssl-fips-2.0.N.tar.gz, where the revision number N reflects successive extensions of the FIPS Object Module to support additional platforms:

    http://www.openssl.org/source/openssl-fips-2.0.tar.gz
    http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz
    http://www.openssl.org/source/openssl-fips-2.0.2.tar.gz

The latest revision will be suitable for all tested platforms, whereas earlier revisions will work only for the platforms tested as of that revision.

The CMVP introduced significant new requirements for verification of the 2.0 source code distribution. This requirement is discussed in more detail in §4.1.3; but in summary, it can no longer be downloaded and used as before. A "trusted path" must be used for transfer of the source code distribution. At present the one method known to satisfy the "trusted path" requirement is to obtain the source code distribution from the vendor of record (OVS) on physical media (CD). For instructions on requesting this CD see http://openssl.com/fips/verify.html.

The OpenSSL FIPS Object Module software was delivered to the FIPS 140-2 testing laboratory in source form as this complete OpenSSL distribution, and was built by the testing laboratory using the standard build procedure as described in the Security Policy document and reproduced below and in Appendix B.

42 Closely related distributions lacking binary curve ECC, openssl-fips-ecp-2.0.N.tar.gz, are also available; see §6.5.

For each of the openssl-fips-2.0.N.tar.gz distributions there is also a distribution file with the name of the form openssl-fips-ecp-2.0.N.tar.gz. These "ecp" distributions are the same as the corresponding 2.0.N distributions with binary curve ECC omitted (see Section 6.5).

Note: OVS recommends that the downloaded tarballs be considered untrusted for any purpose until verified as described in §4.1.2.
4.1.1 Creation of a FIPS Object Module from Other Source Code

Many OpenSSL distributions other than the specific distributions used for the validation can be used to build a fipscanister.o object using undocumented build-time options. The reader is reminded that any such object code cannot be used or represented as FIPS 140-2 validated. The Security Policy document is very clear on that point.

4.1.2 Verifying Integrity of Distribution (Best Practice)

This step is optional and not mandated by the FIPS 140-2 validation. It is also not recognized as having any value by the CMVP, but is considered a best practice by the OpenSSL team for all software downloads from OpenSSL.

The integrity and authenticity of the complete OpenSSL distribution should be validated manually with the PGP signatures43 published by the OpenSSL team with the distributions (ftp://ftp.openssl.org/source/) to guard against a corrupted source distribution. Note this check is separate and distinct from the CMVP mandated FIPS 140-2 source file integrity check (§4.1.3).

The PGP signatures are contained in the file

    openssl-fips-2.0.tar.gz.asc

This digital signature of the distribution file can be verified against the OpenSSL PGP public key by using the PGP or GPG applications (GPG can be obtained free of charge from http://www.gnupg.org/)44. This validation consists of confirming that the distribution was signed by a known trusted key as identified in Appendix A, "OpenSSL Distribution Signing Keys".

43 Note this PGP/GPG signature check is not related to any of the FIPS integrity checks!
44 Note that although PGP and GPG are functionally interoperable, some versions of PGP are currently FIPS 140-2 validated and no versions of GPG are. For the purposes of FIPS 140-2 validation a validated version of PGP must be used. The examples given here are applicable to both GPG and PGP.

First, find out which key was used to sign the distribution. Any of several different valid keys may have been used for this purpose. The "hexadecimal key id", an identifier used for locating keys on the keystore servers, is displayed when attempting to verify the distribution. If the signing key is not already in your keyring the hexadecimal key id of the unknown key will still be displayed:
    $ gpg openssl-1.0.1z.tar.gz.asc
    gpg: Signature made Tue Sep 30 09:00:37 2009 using RSA key ID 49A563D9
    gpg: Can't check signature: public key not found
    $

Example 4.1.2a - Find Id of Signing Key

In this example the key id is 0x49A563D9. Next see if this key id belongs to one of the OpenSSL core team members authorized to sign distributions. The authorized keys are listed in Appendix A.

Note that some older versions of gpg will not display the key id of an unknown public key; either upgrade to a newer version or load all of the authorized keys.

If the hexadecimal key id matches one of the known valid OpenSSL core team keys then download and import the key. PGP keys can be downloaded interactively from a keyserver web interface or directly by the pgp or gpg commands. The hexadecimal key id of the team member key (for example, the search string "0x49A563D9") can be used to download the OpenSSL PGP key from a public key server (http://www.keyserver.net/, http://pgp.mit.edu, or others). Keys can be downloaded interactively to an intermediate file or directly by the pgp or gpg program.

Once downloaded to an intermediate file, markcox.key in this example, the key can be imported with the command:

    $ gpg --import markcox.key
    gpg: key 49A563D9: public key "Mark Cox" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    $

Example 4.1.2b - Importing a Key from a Downloaded file

These examples assume the pgp or gpg software is installed. The key may also be imported directly into your keyring:

    $ gpg --keyserver pgp.mit.edu --recv-key 49a563d9
    gpg: key 49A563D9: public key "Mark Cox" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    $

Example 4.1.2c - PGP Key Import

Note that at this point we have not yet established that the key is authentic or that the distribution was signed with that key; a key that might be authentic has been obtained in a form where it can be utilized for further validation.

To verify that the distribution file was signed by the imported key use the pgp or gpg command with the signature file as the argument, with the distribution file also present in the same directory:

    $ gpg /work/build/openssl/openssl-1.0.1.tar.gz.asc
    gpg: Signature made Tue Sep 30 09:00:37 2009 using RSA key ID 49A563D9
    gpg: Good signature from "Mark Cox"
    gpg:                 aka "Mark Cox"
    gpg:                 aka "Mark Cox"
    gpg:                 aka "Mark Cox"
    gpg:                 aka "Mark Cox"
    gpg:                 aka "Mark Cox"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 7B7919FA716B87250E7721E552D983BF
    $

Example 4.1.2d - PGP File Signature Verification

In this example the validity of the file signature with respect to the key was verified. That is, the target file openssl-fips-2.0.tar.gz was signed by the key with id 49A563D9. The warning message in this example is alerting that the key is not part of the "web of trust", a relational ranking system based on manually assigned confidence levels. Instead of relying on the web of trust, which will differ from one user to another, the key should be matched directly to a list of known valid keys.

The final step of verification is to establish that the signing key is authentic. To do so, confirm the key fingerprint of the key which signed the distribution is one of the valid OpenSSL core team keys listed in Appendix A, "OpenSSL Distribution Signing Keys". In this example, 7B7919FA716B87250E7721E552D983BF is in fact authentic according to Appendix A.

4.1.3 Verifying Integrity of the Full Distribution for the FIPS Object Module

IMPORTANT NOTE: This step has changed from prior validations, and is required per the OpenSSL Security Policy!

The validation now includes a requirement for "secure installation." In practice that means the distribution file should be obtained directly from the vendor (OVS) on physical media. A more complete discussion of this requirement, including the elaborate steps needed when the distribution is not obtained on physical media, can be found in §6.6.

Physical media can be requested from OVS at:

    OpenSSL Validation Services, Inc.
    1829 Mount Ephraim Road
    Adamstown, MD 21710
    USA
    (+1 301-874-2447)
    verifycd@openssl.com

An E-mail containing the full postal address is the preferred point of contact. It is our intention to provide these CDs at no cost as long as we are able. We ask that you only request this CD if you plan to use it for generation of FIPS 140-2 validated cryptography in a context that requires such compliance. For any other purposes the downloaded files are bit-for-bit identical and will generate exactly the same results.

The simpler verification requirement for prior OpenSSL FIPS Object Module validations, namely:

    The HMAC-SHA-1 digest of the distribution file is published in Appendix B of the Security Policy. The Security Policy can be found at NIST, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf. This digest should be calculated and compared against the published value, as in:

        $ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.tar.gz

    where the openssl command is from a recent version of OpenSSL that supports the -hmac option45. If you don't have the openssl command yet it will be generated by the build process.
    ...

is now specifically disallowed. With the new requirement use of the openssl command, even from another version of the OpenSSL FIPS Object Module, is no longer permitted, as in general it will not have been obtained via a "secure installation".
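The key-matching step of §4.1.2 (compare the signing key's fingerprint against the Appendix A list rather than trusting the PGP web of trust) can be scripted so it is not skipped under time pressure. The shell functions below are an added example, not part of the User Guide or the OpenSSL distribution. They read the machine-readable output of gpg --status-fd rather than the human-readable text, and accept a signature only when the VALIDSIG fingerprint is on an explicit allow-list. The allow-list holds only the fingerprint quoted in Example 4.1.2d; the status transcript used in the demonstration is constructed for the example, not captured from a real gpg run, and the verify_distribution wrapper assumes gpg is installed and the signing key already imported.

```shell
#!/bin/sh
# Added example: accept an OpenSSL distribution signature only if the signing
# key's fingerprint is on an explicit allow-list (Appendix A), independent of
# the PGP web of trust.  gpg --status-fd emits one "[GNUPG:] VALIDSIG <fpr> ..."
# line per good signature; the check keys on that line.

# Allow-list of authorized signing-key fingerprints.  Only the fingerprint from
# Example 4.1.2d is listed here; extend it from Appendix A.
OPENSSL_SIGNING_FPRS="7B7919FA716B87250E7721E552D983BF"

# Print the fingerprint from the first VALIDSIG line in the transcript $1.
validsig_fingerprint() {
    printf '%s\n' "$1" | while IFS=' ' read -r tag keyword fpr rest; do
        if [ "$tag" = "[GNUPG:]" ] && [ "$keyword" = "VALIDSIG" ]; then
            printf '%s\n' "$fpr"
            break
        fi
    done
}

# Return 0 if $1 (hex, any case) is an allow-listed fingerprint.
fingerprint_allowed() {
    candidate=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    for ok in $OPENSSL_SIGNING_FPRS; do
        [ "$candidate" = "$ok" ] && return 0
    done
    return 1
}

# Decide on a status transcript: 0 only for a good signature from an
# allow-listed key; 1 for bad signature, unknown key, or no VALIDSIG at all.
status_accepts() {
    fpr=$(validsig_fingerprint "$1")
    [ -n "$fpr" ] || return 1
    fingerprint_allowed "$fpr"
}

# Verify tarball $1 against its detached signature $2 with gpg.  Requires gpg
# and the signing key imported as in Examples 4.1.2b/c.
verify_distribution() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_accepts "$status"
}

# Constructed transcript modelled on Example 4.1.2d: a good signature from the
# allow-listed key with no web-of-trust path (TRUST_UNDEFINED).  Timestamp and
# trailing fields are illustrative.
SAMPLE_STATUS='[GNUPG:] GOODSIG 49A563D9 Mark Cox
[GNUPG:] VALIDSIG 7B7919FA716B87250E7721E552D983BF 2009-09-30 1254301237 0 3 0 1 2 00 7B7919FA716B87250E7721E552D983BF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if status_accepts "$SAMPLE_STATUS"; then
    echo "accepted: signed by allow-listed key $(validsig_fingerprint "$SAMPLE_STATUS")"
else
    echo "rejected"
fi
```

Because the decision rests on VALIDSIG rather than on the trust lines, the TRUST_UNDEFINED warning seen in Example 4.1.2d does not cause a rejection, while a GOODSIG from a key that is not on the list, or any transcript without a VALIDSIG line, does. Note that gpg itself exits non-zero when the key is not in the keyring, so verify_distribution fails closed in that case too.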
4.2 Building and Installing the FIPS Object Module with OpenSSL (Unix/Linux)

Due to significant differences in the two basic operating system families, Unix/Linux and Microsoft Windows platforms are discussed separately. Instructions for Windows are given in §4.3. In addition, a Mac OS X example is offered at E.1 Apple OS X Support; and an iOS example is given in Error: Reference source not found.

4.2.1 Building the FIPS Object Module from Source

Next build the FIPS Object Module from source. The FIPS 140-2 validation specific code is incorporated into the resulting FIPS Object Module when the fips configuration option is specified. Per the conditions of the FIPS 140-2 validation only two configuration commands may be used:

    ./config

or

    ./config no-asm

where the specific option used depends on the platform (see §3.2.1). Note that "fipscanisterbuild" is implied, so there is no need for either ./config fipscanisterbuild or ./config fips. The environment variable FIPSDIR, if present, points to the pathname of the location where the validated module will be installed. This location defaults to /usr/local/ssl/fips-2.0.

The specification of any other options on the command line, such as ./config shared, is not permitted. Note that in the case of the "shared" option position independent code is generated by default, so the generated FIPS Object Module can be included in a shared library46. Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified. This restriction means that an optional install prefix cannot be specified; however, there is no restriction on subsequent manual relocation of the generated files to the desired final location.

Then:

    make

to generate the FIPS Object Module file fipscanister.o, the digest for the FIPS Object Module file, fipscanister.o.sha1, and the source file used to generate the embedded digest, fips_premain.c. The fipscanister.o, fipscanister.o.sha1, and fips_premain.c files are intermediate files (i.e., used in the generation of an application but not referenced by that application at runtime). The object code in the fipscanister.o file is incorporated into the runtime executable application at the time the binary executable is generated.

This should also be obvious, but modifications to any of the intermediate files generated by the "./config" or "make" commands are not permitted. If the original distribution is modified, or if anything other than those three specified commands are used, or if any intermediate files are modified, the result is not FIPS validated.

45 The OPENSSL_FIPS=1 environment variable will enable FIPS mode for an openssl command built from a FIPS capable OpenSSL distribution.
46 If not for the FIPS validation prohibition, on most but not all platforms the "shared" option could safely be chosen regardless of the intended use. See Appendix E for one known exception.

4.2.2 Installing and Protecting the FIPS Object Module

The system administrator should install the generated fipscanister.o, fipscanister.o.sha1, and fips_premain.c files in a location protected by the host operating system security features.
These protections should allow write access only to authorized system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users.

For Unix based or Linux systems this protection usually takes the form of root ownership and permissions of 0755 or less for those files and all parent directories. When all system users are not also authorized users the world (public) read and execute permissions should be removed from these files.

The usual

    make install

will install the fipscanister.o, fipscanister.o.sha1, fips_premain.c, and fips_premain.c.sha1 files in the target location (typically /usr/local/ssl/fips-2.0/lib/ for Unix based or Linux systems, or as specified by the FIPSDIR environment variable) with the appropriate permissions to satisfy the security requirement. These four files constitute the validated FIPS Object Module; the other files also installed by this command are not validated.

Note that it is also permissible to install these files in other locations by other means, provided that they are protected with appropriate permissions as noted above:

    cp fipscanister.o fipscanister.o.sha1
    cp fips_premain.c fips_premain.c.sha1

Note that fipscanister.o can either be statically linked into an application binary executable, or statically linked into a shared library.
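The protection requirement of §4.2.2 (root ownership and mode 0755 or less on the four module files and on every parent directory, with world read removed where not every local user is an authorized user) is easy to state and easy to get subtly wrong, for instance when the module is relocated by hand. The shell functions below are an added example, not part of the User Guide or the OpenSSL distribution, that check an installed module tree mechanically. The owner account, install directory and the directory at which the upward walk stops are parameters; the demonstration at the end builds a throw-away tree of constructed empty files so it runs without a real module present. It relies on find(1) accepting symbolic modes in -perm (GNU and BSD find do; some minimal implementations do not).

```shell
#!/bin/sh
# Added example: verify that an installed FIPS Object Module is protected as
# §4.2.2 requires: every module file and every directory on the path up to the
# filesystem root is owned by the Crypto Officer account (root by default) and
# is not writable by group or other (i.e. mode 0755 or less).

# The four files that constitute the validated module after "make install".
FIPS_MODULE_FILES="fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1"

# Return 0 if $1 exists, is owned by $2, and has no group/other write bit.
# -prune keeps the test on $1 itself instead of descending into a directory.
path_protected() {
    path=$1; owner=${2:-root}
    [ -e "$path" ] || return 1
    [ -n "$(find "$path" -prune -user "$owner" -print)" ] || return 1
    [ -z "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \) -print)" ] || return 1
}

# Return 0 if $1 is not readable by "other": the stricter setting §4.2.2 asks
# for when not every local user is an authorized user of the module.
path_not_world_readable() {
    [ -z "$(find "$1" -prune -perm -o+r -print)" ]
}

# Check the module files in directory $1 (owner $2, default root) and walk the
# parent directories up to $3 (default "/") inclusive.  Prints each violation
# and returns 0 only if everything passes.
check_module_install() {
    dir=$1; owner=${2:-root}; top=${3:-/}; rc=0
    for f in $FIPS_MODULE_FILES; do
        path_protected "$dir/$f" "$owner" || { echo "FAIL: $dir/$f missing, wrong owner, or group/other writable"; rc=1; }
    done
    d=$dir
    while :; do
        path_protected "$d" "$owner" || { echo "FAIL: directory $d wrong owner or group/other writable"; rc=1; }
        [ "$d" = "$top" ] && break
        parent=$(dirname "$d")
        [ "$parent" = "$d" ] && break   # reached the root without meeting $top
        d=$parent
    done
    return $rc
}

# Demonstration on a constructed tree (not a real module): four empty files,
# mode 0644, in a 0755 lib/ directory, owned by the current user.
demo_module_install() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/fips-2.0/lib"
    for f in $FIPS_MODULE_FILES; do : > "$tmp/fips-2.0/lib/$f"; done
    chmod 0755 "$tmp" "$tmp/fips-2.0" "$tmp/fips-2.0/lib"
    chmod 0644 "$tmp"/fips-2.0/lib/*
    if check_module_install "$tmp/fips-2.0/lib" "$(id -un)" "$tmp"; then
        echo "demo tree: protected"
    fi
    # Loosen one file and show the check catching it.
    chmod 0666 "$tmp/fips-2.0/lib/fipscanister.o"
    check_module_install "$tmp/fips-2.0/lib" "$(id -un)" "$tmp" || echo "demo tree: violation detected"
    rm -rf "$tmp"
}

demo_module_install
```

On a real installation run it as check_module_install /usr/local/ssl/fips-2.0/lib (owner root, walk to /); a world-writable directory anywhere on the path, such as a module relocated under /tmp, is reported as a violation even when the four files themselves are 0644, because a writable parent lets an attacker replace the files wholesale.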
4.2.3 Building a FIPS Capable OpenSSL

Once the validated FIPS Object Module has been generated it is usually combined with an OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 or 1.0.2 release can be used for this purpose. The commands

    ./config fips
    make
    make install

will build and install the new OpenSSL without overwriting the validated FIPS Object Module files. The FIPSDIR environment variable or the --with-fipsdir command line option can be used to explicitly reference the location of the FIPS Object Module (fipscanister.o).

The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for a non-FIPS OpenSSL or for use in generating FIPS mode applications.

Note that a standard OpenSSL distribution built for use with the FIPS Object Module must have the ./config fips option specified. Other configuration options may be specified in addition to fips, but omission of the fips option will cause errors when using the OpenSSL libraries with the FIPS Object Module.
4.3 Building and Installing the FIPS Object Module with OpenSSL (Windows)

The build procedure for Windows is similar to that for the regular OpenSSL product, using MSVC and NASM for compilation. Note MASM is not supported. The second stage uses VC++ to link OpenSSL 1.0.1 or 1.0.2 against the installed FIPS module, to obtain the complete FIPS capable OpenSSL. Both static and shared libraries are supported.

4.3.1 Building the FIPS Object Module from Source

Build the FIPS Object Module from source:

    ms\do_fips [no-asm]

where the no-asm option may or may not be present depending on the platform (see §3.2.1). Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified.

4.3.2 Installing and Protecting the FIPS Object Module

The system administrator should install the generated fipscanister.lib, fipscanister.lib.sha1, and fips_premain.c files in a location protected by the host operating system security features. These protections should allow write access only to authorized system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users.

For Microsoft Windows based systems this protection can be provided by ACLs limiting write access to the administrator group. When all system users are not authorized users the Everyone (public) read and execute permissions should be removed from these files.

4.3.3 Building a FIPS Capable OpenSSL

The final stage is VC++ compilation of a standard OpenSSL distribution to be referenced in conjunction with the previously built and installed FIPS Object Module.

Download an OpenSSL 1.0.1 or 1.0.2 distribution. Follow the standard Windows build procedure except that instead of the command:

    perl Configure VC-WIN32

do:

    perl Configure VC-WIN32 fips --with-fipsdir=c:\fips\path

where "c:\fips\path" is wherever the FIPS module from the first stage was installed. Static and shared library builds are supported. This command is followed by the usual ms\do_nasm and nmake -f ms\ntdll.mak to build the shared libraries only, or nmake -f ms\nt.mak to build the OpenSSL static libraries.

The standard OpenSSL build with the fips option will use a base address for libeay32.dll of 0xFB00000 by default. This value was chosen because it is unlikely to conflict with other dynamically loaded libraries. In the event of a clash with another dynamically loaded library, which will trigger runtime relocation of libeay32.dll, the integrity check will fail with the error

    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED

A base address conflict can be resolved by shuffling the other DLLs or re-compiling OpenSSL with an alternative base address specified with the --with-baseaddr= option.

Note that the developer can identify which DLLs are relocated with the Process Explorer utility from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx.

The resulting FIPS capable OpenSSL can be used for shared or static linking. The shared library built (when ms\ntdll.mak is used as the Makefile) links fipscanister.lib into libeay32.dll using fipslink.pl in accordance with the requirements of the Security Policy.
5. Creating Applications Which Reference the FIPS Object Module

Only minor modifications are needed to adapt most applications that currently use OpenSSL for cryptography to use the FIPS capable OpenSSL with the FIPS Object Module. The checklist in Figure 4 summarizes the modifications, which are covered in more detail in the following discussion:

    [ ] Use the FIPS Object Module for all cryptography
    [ ] Initialize FIPS mode with FIPS_mode_set()
    [ ] Generate application executable object with embedded FIPS Object Module digest
    [ ] Protect critical security parameters

Figure 4 - Application Checklist

Appendix C contains a simple but complete sample application utilizing the FIPS Object Module with OpenSSL as described in this section.

5.1 Exclusive Use of the FIPS Object Module for Cryptography

In order for the referencing application to claim FIPS 140-2 validation, all cryptographic functions utilized by the application must be provided exclusively by the FIPS Object Module. The OpenSSL API used in conjunction with the FIPS Object Module in FIPS mode is designed to automatically disable all non-FIPS cryptographic algorithms.

5.2 FIPS Mode Initialization

Somewhere very early in the execution of the application FIPS mode must be enabled. This should be done by invocation of the FIPS_mode_set() function call, either directly or indirectly as in the following examples. Note that it is permitted to not enable FIPS mode, in which case OpenSSL should function as it always has. The application will not, of course, be operating in validated mode.

The FIPS_mode_set() function call when invoked with any positive argument will enable the FIPS mode of operation. Depending on the argument it may also enable additional restrictions. For example, an argument of 1 will enable the basic FIPS mode where all FIPS approved algorithms are available. An argument of FIPS_SUITEB (2) will restrict the available algorithms to those allowed by the Suite B specification.

Option 1: Direct call to FIPS_mode_set()

    #ifdef OPENSSL_FIPS
        if(options.

Option 2: Indirect call via OPENSSL_config()

The OPENSSL_config() call can be used to enable FIPS mode via the standard openssl.conf configuration file:
no_fips:$(OBJS)$(CC)$($CFLAGS)o$@$(OBJS)$(LIBCRYPTO).
.
.
SettingCC=fipsldisappropriatewhenthelinkrulesrelyon$(CC)insteadofldtoproducetheexecutableimages,butinsomecasesitmaybedesirableornecessarytonotredefinethe$(CC)macrovariable.
Atypicalmakefilerulereferencingfipslddirectlyforthelinkstepwouldlooksomethinglike47:OPENSSLDIR=/usr/local/ssl/fips2.
0FIPSMODULE=$(OPENSSLDIR)/lib/fipscanister.
o.
.
.
:$(OBJS)$(FIPSMODULE)envFIPSLD_CC=$(CC)fipsld$(CFLAGS)o$@$(OBJS)\$(LIBS)$(LIBCRYPTO)Eventhoughthefipsldcommandnameimpliesuseasareplacementfortheldcommand,italsoinvokestheCcompilerbetweenthetwolinkstages,hencefipsldcanalsoreplace$(CC)inrulesproducing.
oobjectfiles,replacingbothcompilationandlinkingstepsfortheentireMakefile,i.
e.
:.
o:.
c$(CC)$(CFLAGS)c.
c.
.
.
:$(OBJS)ldo$@$(OBJS)$(LIBCRYPTO).
.
.
becomes47TheuseofenvisactuallyredundantinaMakefilecontext,butisspecifiedheretogiveacommandlinealsovalidfornon-Bourneshells.
Page75of225UserGuide-OpenSSLFIPSObjectModulev2.
0:.
cenvFIPSLD_CC=$(CC)fipsld$(CFLAGS)o$@$@.
c\$(LIBCRYPTO).
.
.
LargersoftwareprojectsarelikelytoprefertomodifyonlytheMakefilerule(s)linkingtheapplicationitself,leavingotherMakefilerulesintact.
ForthesemorecomplicatedMakefilestheindividualrulescanbemodifiedtosubstitutefipsldforjusttherelevantcompilationlinkingsteps.
Thefipsldcommandisdesignedtolocatefipscanister.
oautomatically.
ItwillverifythattheHMAC-SHA-1digestinfilefipscanister.
o.
sha1matchesthedigestgeneratedfromfipscanister.
o,andwillthencreatethefilecontainingtheobjectcodefromfipscanister.
o,andembeddedwithinthatthedigestcalculatedfromtheobjectcodeanddatainfipscanister.
o.
AtruntimetheFIPS_mode_set()functioncomparestheembeddedHMAC-SHA-1digestwithadigestgeneratedfromthetextanddataareas.
Thisdigestisthefinallinkinthechainofvalidationfromtheoriginalsourcetotheapplicationexecutableobjectfile.
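The digest chain just described, as an added example that is not code from the User Guide or from the OpenSSL project. It models the two HMAC-SHA-1 comparisons in Python over stand-in bytes: the fipscanister.o.sha1 check fipsld performs before linking, the embedding of a fingerprint over the text and data areas at the second link stage, and the start-up comparison FIPS_mode_set() makes. It also shows why a load-time relocation of a non-PIC image (the libeay32.dll base address conflict described earlier) makes that comparison fail: the loader rewrites bytes that lie under the digest. Assumptions: the HMAC key is the fixed 16-byte key the OpenSSL FIPS sources use for fips_standalone_sha1 (it is not quoted on this page); the image layout, the "module" bytes and the .sha1 file text are constructed for the example.

```python
import hashlib
import hmac
import struct

# Key used by fips_standalone_sha1 in the OpenSSL FIPS sources (assumption:
# taken from the sources, not stated on this page).
FIPS_HMAC_KEY = b"etaonrishdlcupfm"


def fips_hmac_sha1(data: bytes) -> str:
    """HMAC-SHA-1 over data as hex, the form written to a .sha1 file."""
    return hmac.new(FIPS_HMAC_KEY, data, hashlib.sha1).hexdigest()


def make_sha1_file(name: str, contents: bytes) -> str:
    """Constructed stand-in for fipscanister.o.sha1: 'HMAC-SHA1(name)= hex'."""
    return "HMAC-SHA1(%s)= %s\n" % (name, fips_hmac_sha1(contents))


def check_canister(canister: bytes, sha1_file: str) -> bool:
    """Build-time check fipsld performs before linking: the stored digest
    must match the digest of the fipscanister.o actually present."""
    stored = sha1_file.split()[-1]
    return hmac.compare_digest(fips_hmac_sha1(canister), stored)


def link_with_fingerprint(text: bytes, data: bytes) -> bytes:
    """Second link stage: digest the text and data areas and embed the result.
    The image layout (text || data || 40 hex chars) is a constructed model."""
    fingerprint = fips_hmac_sha1(text + data).encode("ascii")
    return text + data + fingerprint


def runtime_integrity_check(image: bytes, text_len: int, data_len: int) -> bool:
    """What FIPS_mode_set() does at start-up: recompute the digest over the
    text and data areas of the loaded image and compare with the embedded one."""
    areas = image[: text_len + data_len]
    embedded = image[text_len + data_len : text_len + data_len + 40]
    return hmac.compare_digest(fips_hmac_sha1(areas).encode("ascii"), embedded)


def relocate(image: bytes, offset: int, delta: int) -> bytes:
    """Model of a non-PIC load-time relocation: the loader adds delta to an
    absolute address stored in the data area, altering bytes under the digest."""
    (addr,) = struct.unpack_from("<I", image, offset)
    patched = bytearray(image)
    struct.pack_into("<I", patched, offset, (addr + delta) & 0xFFFFFFFF)
    return bytes(patched)


# Constructed sample: a "module" and an application image built from it.
CANISTER = b"\x7fELF" + bytes(range(64))               # stand-in for fipscanister.o
CANISTER_SHA1 = make_sha1_file("fipscanister.o", CANISTER)
TEXT = b"\x55\x48\x89\xe5" * 8                         # stand-in text (code) area
DATA = struct.pack("<I", 0x10000000) + b"\x00" * 12    # data area holding one absolute pointer
IMAGE = link_with_fingerprint(TEXT, DATA)


def demo() -> dict:
    """Run the chain once; True means the corresponding check passed."""
    tampered = CANISTER[:-1] + b"\x00"
    relocated = relocate(IMAGE, len(TEXT), 0x00010000)   # image loaded 64 KiB away from its base
    return {
        "canister_ok": check_canister(CANISTER, CANISTER_SHA1),
        "tampered_canister_ok": check_canister(tampered, CANISTER_SHA1),
        "image_ok": runtime_integrity_check(IMAGE, len(TEXT), len(DATA)),
        "relocated_image_ok": runtime_integrity_check(relocated, len(TEXT), len(DATA)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "pass" if ok else "FAIL"))
```

The relocated case is the FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED situation: nothing about the module was tampered with, but the bytes the digest covers changed when the loader fixed up an absolute address, so the comparison can only succeed when the image is loaded at the address it was linked for.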
5.3.2 Linking under Windows

For a shared library application just linking with the DLL is sufficient. Linking an application with the static libraries involves a bit more work, and can be complicated by the fact that GUI based tools are often used for such linking. For the Windows environment a perl script fipslink.pl is provided which performs a function similar to fipsld for Unix/Linux. Several environment variables need to be set:

    FIPS_LINK          is the linker name, normally "link"
    FIPS_CC            is the C compiler name, normally "cl"
    FIPS_CC_ARGS       is a string of C compiler arguments for compiling fips_premain.c
    PREMAIN_DSO_EXE    should be set to the path to fips_premain_dso.exe if a DLL is
                       being linked (can be omitted otherwise)
    PREMAIN_SHA1_EXE   is the full path to fips_standalone_sha1.exe
    FIPS_TARGET        is the path of the target executable or DLL file
    FIPSLIB_D          is the path to the directory containing the installed FIPS module

When these variables are specified fipslink.pl can be called in the same way as the standard linker. It will automatically check the hashes, link the target, generate the target in-core hash, and link a second time to embed the hash in the target file. The static library Makefile ms\nt.mak in the OpenSSL distribution gives an example of the usage of fipslink.pl.
5.4 Application Implementation Recommendations

This section describes additional steps not strictly required for FIPS 140-2 validation but recommended as good practice.

Provide an Indication of FIPS Mode

Security and risk assessment auditors will want to verify that an application utilizing cryptography is using FIPS 140-2 validated software in a FIPS compliant mode. Many such applications will superficially appear to function the same whether built with a non-FIPS OpenSSL, when built with the FIPS Object Module and running in non-FIPS mode, and when built with the FIPS Object Module and running in FIPS mode. As an aid to such reviews the application designer should provide a readily visible indication that the application has initialized the FIPS Object Module to FIPS mode, after a successful return from the FIPS_mode_set() API call. The indication can take the form of a tty or stdout message, a syslog entry, or an addition to a protocol greeting banner. For example a SSH server could print a protocol banner of the form:

    SSH-2.0-OpenSSH_3.7.1p2 FIPS

to provide an easily referenced indication that the server was properly initialized to FIPS mode.

Graceful Avoidance of Non-FIPS Algorithms

Many applications allow end user and/or system administrator configurable specification of cryptographic algorithms. The OpenSSL API used with the FIPS Object Module in FIPS mode is designed to return error conditions when an attempt is made to use a non-FIPS algorithm via the OpenSSL API. These errors may result in unexpected failure of the application, including fatal assert errors for algorithm function calls lacking a testable return code. However, there is no guarantee that the OpenSSL API will always return an error condition in every possible permutation or sequence of API calls that might invoke code relating to non-FIPS algorithms. In any case, it is the responsibility of the application programmer to avoid the use of non-FIPS algorithms. Unexpected run-time errors can be avoided if the cipher suites or other algorithm selection options are defaulted to FIPS approved algorithms, and if warning or error messages are generated for any end user selection of non-FIPS algorithms.
5.5 Documentation and Record-keeping Recommendations

The supplier or developer of a product based on the FIPS Object Module cannot claim that the product itself is FIPS 140-2 validated under certificate #1747. Instead a statement similar to the following is recommended:

    Product XXXX uses an embedded FIPS 140-2-validated cryptographic module (Certificate #1747) running on a YYYY platform per FIPS 140-2 Implementation Guidance section G.5 guidelines.

where XXXX is the product name ("Cryptomagical Enfabulator v3.1") and YYYY is the host operating system ("Solaris 10"). This statement asserts "user affirmation" of the validation per Section G.5 of the Implementation Guidance document.

While not strictly required by the Security Policy or FIPS 140-2, a written record documenting compliance with the Security Policy would be a prudent precaution for any party generating and using or distributing an application that will be subject to FIPS 140-2 compliance requirements. This record should document the following:

For the FIPS Object Module generation:

1. Where the openssl-fips-2.0.tar.gz distribution file was obtained from, and how the HMAC SHA-1 digest of that file was verified per Appendix B of the Security Policy.

2. The host platform on which the fipscanister.o, fipscanister.o.sha1, fips_premain.c, and fips_premain.c.sha1 files were generated. This platform identification at a minimum should note the processor architecture ("x86", "PA-RISC", ...), the operating system ("Solaris 10", "Windows XP", ...), and the compiler ("gcc 3.4.3", ...).

3. An assertion that the fipscanister.o module was generated with the three commands

       ./config [no-asm]
       make
       make install

   and specifically that no other build-time options were specified.

4. A record of the HMAC SHA-1 digest of the fipscanister.o (the contents of the fipscanister.o.sha1 file). That digest identifies this specific FIPS Object Module; if you immediately build another module it will have a different digest and is a different FIPS Object Module.

5. An assertion that the contents of the distribution file were not manually modified in any way at any time during the build process.

For the application in which the FIPS Object Module is embedded:

1. A record of the HMAC SHA-1 digest of the fipscanister.o that was embedded in the application.

2. An assertion that the application does not utilize any cryptographic implementations other than those provided by the FIPS Object Module or contained in the FIPS capable OpenSSL 1.0.1 or 1.0.2 libraries (where non-FIPS algorithms are disabled in FIPS mode).

3. A description of how the application clearly indicates when FIPS mode is enabled (assuming that FIPS mode is a runtime selectable option). Note that the application must call FIPS_mode_set(), whether that call is triggered by runtime options or not.
5.6 When is a Separate FIPS 140-2 Validation Required

When a decision is made on whether a particular IT solution is FIPS 140-2 compliant, multiple factors need to be taken into account, including the FIPS Pub 140-2 standard, FIPS 140-2 Derived Test Requirements, CMVP FAQ and Implementation Guidance. The ultimate authority in this process belongs to the CMVP. The CMVP provides its current interpretations and guidelines as to the interpretation of the FIPS 140-2 standard and the conformance testing/validation process on its public web site http://csrc.nist.gov/groups/STM/cmvp/.

In particular, the only official document known to us which discusses use of embedded cryptographic modules is the CMVP FAQ available at http://csrc.nist.gov/groups/STM/cmvp/documents/CMVPFAQ.pdf. This FAQ (Frequently Asked Questions document) discusses incorporation of another vendor's cryptographic modules in a subsection of Section 2.2.1 entitled "Can I incorporate another vendor's validated cryptographic module". In particular, the following is specified:

"Yes. A cryptographic module that has already been issued a FIPS 140-1 or FIPS 140-2 validation certificate may be incorporated or embedded into another product. The new product may reference the FIPS 140-1 or FIPS 140-2 validated cryptographic module so long as the new product does not alter the original validated cryptographic module. A product which uses an embedded validated cryptographic module cannot claim itself to be validated; only that it utilizes an embedded validated cryptographic module. There is no assurance that a product is correctly utilizing an embedded validated cryptographic module - this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation."

Note that the CMVP FAQ does specify that a FIPS 140-1/2 validated module may be incorporated into another product. It then specifies that making a decision on whether a product is correctly utilizing an embedded module is outside of the scope of the FIPS 140-1 or FIPS 140-2 validation.

A subsection of Section 2.1 of the CMVP FAQ entitled "A vendor is selling me a crypto solution - what should I ask" states:

"Verify with the vendor that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the modules validation certificate number."

It is specified that the module provides "all the cryptographic services in the solution". It is not specified that the module provides "all the security-relevant services in the solution". A typical IT product may provide a variety of services, both cryptographic and non-cryptographic. A network protocol such as SSH or TLS provides both cryptographic services such as encryption and network services such as transmission of data packets, packet fragmentation, etc. The FIPS 140-2 standard is focused on the cryptography. There are many generic security relevant functionalities such as anti-virus protection, firewalling, IPS/IDS and others which are not currently covered by the FIPS 140-2 standard. An anti-virus solution which uses a cryptographic module for its operations can satisfy requirements of the FIPS 140-2 by delegating its cryptographic functions to an embedded FIPS 140-2 validated module. Including the entire anti-virus solution in the FIPS 140-2 validation would hardly improve the overall security since FIPS 140-2 does not currently have requirements in the field of anti-virus protection.

In a similar fashion, the FIPS 140-2 standard does not currently have requirements related to network vulnerabilities or denial of service attacks. Validated modules typically provide algorithm implementations only, no network functionality such as IPSec, SSH, TLS etc. This does not, for example, prevent Microsoft Windows from providing IPSec/IKE and TLS/SSL functionality. Therefore, for example, an OpenSSH based product properly using the OpenSSL FIPS Object Module would not differ from Microsoft using its Microsoft Kernel Mode Crypto Provider in the Microsoft IPSec/IKE client which is shipped with every copy of Windows. If an application product delegates all cryptographic services to a validated module the entire product will be FIPS compliant.

Since the CMVP does not have a formal program for validation of IT solutions with embedded FIPS 140-2 modules, the question is one of how the actual compliance/non-compliance is determined. In practice the compliance is determined by the federal agency/buyer selecting the solution. During the process the customer may contact the CMVP, testing labs or security experts for an opinion. In many cases, though, the buyers make such decisions independently. Here it should be noted that FIPS 140-2 is only a baseline and each federal agency may establish its own requirements exceeding the requirements of FIPS 140-2. In the particular example of network protocols federal agencies generally do accept networking products (IPSec/TLS/SSH etc.) with embedded FIPS 140-2 validated cryptographic software modules or hardware cards as FIPS 140-2 compliant.

For those vendors desiring a "sanity check" of the compliance status of their OpenSSL FIPS Object Module based product, OpenSSL Validation Services (OVS) can perform a review and provide an opinion letter stating whether, based on information provided by the vendor, that product appears to OVS to satisfy the requirements of the OpenSSL FIPS Object Module Security Policy. This opinion letter can include a review by one or more CMVP test labs and/or an OpenSSL team member as appropriate. This opinion letter clearly states that only the CMVP can provide an authoritative ruling on FIPS 140-2 compliance.
5.7 Common Issues and Misconceptions

In the years since the first versions of the OpenSSL FIPS Object Module were validated we've seen new users of the FIPS module struggle with some of the same issues over and over again. Here we attempt to offer some possibly useful advice:

5.7.1 Don't Fight It

Rightly or wrongly, the Security Policy very clearly mandates specific fixed build commands. Normal and natural practice in other contexts is to use build-time configuration options to control aspects of the build process, but that is not an option here. Instead think about the end result you want to accomplish and whether that can be done by any other means. For instance, the default install location can't be specified by the usual --prefix= build-time configuration option. But, once created via the canonical commands you can copy the fipscanister.o and associated files somewhere else. So, one option is to create a new build system, build the FIPS module with whatever permissions necessary to write to the default --prefix location, copy from there to the desired destination, and then discard the build system. Yes, that's a silly waste of time from a technical software developer objective, but you wouldn't be using the FIPS module in the first place on purely technical considerations.

5.7.2 Don't Overthink It

We have seen quite a few software vendors make the mistake of trying to force the FIPS module build process into an in-house configuration management scheme. Our recommendation: don't do that. There is no point in trying to manage the individual source files of the FIPS module source tarball because the canonical build process mandates that you start with the original tarball, openssl-fips-2.0.tar.gz, which has a fixed digest and cannot be modified. Likewise there is no point in constantly rebuilding the FIPS module from source. While legal, as long as the Security Policy build process is followed, there is no benefit to be gained from the generation of multiple binary modules. The source code can never change (the usual reason for a structured build-from-source process), and per the recommendations in §5.5 each distinct binary FIPS module should be separately tracked. In lieu of trying to jam the mandated FIPS module build process into an existing elaborate in-house configuration management process, we recommend that the binary FIPS module be generated by hand one time only (per distinct platform) in a solemn documented ceremony, and that the resulting binary files be managed through the formal source/version/configuration control process.
6. Technical Notes

This section has technical details of primary interest to the FIPS module developers and more advanced users. The typical application developer will not need to reference this material.

6.1 DRBGs

With very rare exceptions the internal functioning of the DRBGs is irrelevant to the end user and application software. In FIPS mode DRBGs are transparently used by the OpenSSL RAND API and applications will automatically use them.

Random numbers are critical for the proper operation of cryptographic software and hardware. The DRBG or Deterministic Random Bit Generator is intended as a higher quality replacement for the earlier PRNGs or Pseudo-Random Number Generators and is defined by SP 800-90A.

6.1.1 Overview

The way entropy is gathered and used for the DRBG is part of the FIPS capable OpenSSL so it can be modified outside the context of the FIPS 140-2 validation. The current version is in crypto/rand/rand_lib.c.

There is a "default DRBG" whose context is accessed using FIPS_get_default_drbg(). This default DRBG is mapped to the RAND_*() calls. By default, the FIPS Object Module will use the AES/CTR generator from SP 800-90A, Section 10.2, DRBG Mechanisms Based on Block Ciphers. The default generator can be overridden by the calling application at runtime via the function RAND_set_fips_drbg_type(). The default is equivalent to CTR_DRBG using AES with a 256 bit key and a derivation function. The actual default DRBG type can also be specified via a preprocessor macro when the "FIPS capable" OpenSSL is built:

    #ifndef OPENSSL_DRBG_DEFAULT_TYPE
    #define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr
    #endif
    #ifndef OPENSSL_DRBG_DEFAULT_FLAGS
    #define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF
    #endif

This might be useful in environments where some DRBG type is mandated by local policy. For example, to use the HMAC DRBG with sha256 by default:

    ./config -DOPENSSL_DRBG_DEFAULT_TYPE=NID_hmacWithSHA256 \
        -DOPENSSL_DRBG_DEFAULT_FLAGS=0 (other options)

The RAND_add() function just seeds the OpenSSL non-standard PRNG and does not feed into the DRBG directly. However that function would be used if the DRBG was reseeded. The reason it does this is that the DRBG design does not permit the addition of "out of band" entropy; the addition of entropy needs to be combined with a generate operation (additional input) or a full reseed/reinstantiate (which would require the minimum entropy). Environments with a better source of entropy (e.g. fast hardware RNG) could do far better.

The entropy callbacks are completely under application control so the calling application can override the ones provided by default. They can be set by supplying a callback function to FIPS_drbg_set_callbacks() after calling OPENSSL_init(). This callback function is invoked whenever the DRBG requires additional entropy:

    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
                          int entropy, size_t min_len, size_t max_len)

A call to this function requests entropy bits of entropy in a buffer of between min_len and max_len bytes inclusive. The values of these are mechanism specific and taken from SP 800-90 tables. This callback should then return the buffer in *pout and the length of the data in it in the return value, or zero in case of being unable to retrieve sufficient entropy.

Few applications provide external entropy callbacks; those that do define a (*get_entropy)() callback which should return at least two full "blocks" of entropy where a "block" refers to the entropy source block length specified in FIPS_drbg_set_callbacks(). This is because the FIPS 140-2 mandated continuous PRNG test has to be applied to the entropy source. It has to compare consecutive blocks (discarding the first) which means the entropy source needs to supply a multiple of the block size.

Due to a bug in the callback code the "entropy" value passed is not correct, but as a workaround applications can determine an appropriate entropy value for themselves. The solution isn't obvious so a detailed discussion follows.

FIPS_drbg_get_strength() returns the strength of the DRBG context which is the number of bits of entropy needed to seed the DRBG without the continuous PRNG test. When an application adds its own entropy callbacks it has to tell the FIPS module what the block length of the entropy source is.
So arguably the entropy parameter with the continuous PRNG test is:

    FIPS_drbg_get_strength(dctx) + block_length * 8

But, that calculation determines a maximum value and an entropy source could conceivably supply less. For instance, suppose we want 256 bits of entropy and the callback supplies it as high grade entropy uniformly in a 32 byte buffer (the absolute minimum) and has a 16 byte block length. An extra block is needed for the PRNG test so we should supply a 48 byte buffer (three blocks) and effectively 384 bits of entropy.

Now suppose we have a low grade entropy source which provides just 1 bit of entropy per byte. Again assume it is uniform (e.g. we don't get 8 bits of entropy in byte 1 and nothing in the next 7). Again let's have a block size of 16 bytes. This time to get 256 bits of entropy the source must provide it in a 256 byte buffer. An extra block is required which makes 272 bytes but because we only have 1 bit of entropy per byte it just needs to supply 272 bits of entropy.
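The two sizing calculations above, carried out in general form as an added example (this is not the module's code). entropy_request() sizes the buffer a get_entropy() callback should hand back and the entropy count to report, for any DRBG strength, entropy density and source block length; continuous_test() applies the consecutive-block comparison the module runs over the source, with the first block serving only as the reference that is discarded. Function names and the sample buffers are constructed for the example; the 256-bit, 16-byte-block cases reproduce the 48-byte/384-bit and 272-byte/272-bit figures in the text.

```python
import math


def entropy_request(strength_bits: int, bits_per_byte: int, block_len: int) -> dict:
    """Size the buffer a get_entropy() callback should return.

    strength_bits  -- what FIPS_drbg_get_strength() reports for the instance
    bits_per_byte  -- entropy per byte the source delivers, assumed uniform
    block_len      -- the entropy source block length (bytes) registered with
                      FIPS_drbg_set_callbacks()
    The continuous PRNG test discards the first block, so one extra block is
    added, and the callback must return at least two full blocks.
    """
    if strength_bits <= 0 or block_len <= 0 or not 1 <= bits_per_byte <= 8:
        raise ValueError("strength and block length must be positive, density 1..8")
    min_bytes = math.ceil(strength_bits / bits_per_byte)   # bytes carrying the entropy
    blocks = math.ceil(min_bytes / block_len) + 1          # plus one block for the test
    blocks = max(blocks, 2)                                # never fewer than two blocks
    buffer_bytes = blocks * block_len
    return {
        "buffer_bytes": buffer_bytes,
        "entropy_bits": buffer_bytes * bits_per_byte,       # value to report as 'entropy'
        "upper_bound_bits": strength_bits + block_len * 8,  # strength + one full block
    }


def continuous_test(buf: bytes, block_len: int) -> bool:
    """FIPS 140-2 continuous test over an entropy buffer: each block is
    compared with the one before it and must differ. A buffer shorter than
    two blocks, or not a multiple of the block length, cannot be tested and
    is rejected."""
    if block_len <= 0 or len(buf) < 2 * block_len or len(buf) % block_len:
        return False
    blocks = [buf[i:i + block_len] for i in range(0, len(buf), block_len)]
    return all(prev != cur for prev, cur in zip(blocks, blocks[1:]))


def usable_entropy(buf: bytes, block_len: int) -> bytes:
    """Bytes left for seeding once the first block is consumed by the test."""
    return buf[block_len:]


if __name__ == "__main__":
    sample = bytes(range(48))            # constructed: three distinct 16-byte blocks
    print(entropy_request(256, 8, 16))   # high grade source: 48 bytes, 384 bits
    print(entropy_request(256, 1, 16))   # 1 bit/byte source: 272 bytes, 272 bits
    print(continuous_test(sample, 16), len(usable_entropy(sample, 16)))
```

For the high grade source the reported entropy (384 bits) coincides with the strength + block_length * 8 upper bound; for the 1-bit-per-byte source it is well below it (272 bits against 384), which is the point the text makes about that formula being a maximum rather than the value to pass.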
Once this call completes successfully the DRBG is instantiated at the appropriate (maximum) security strength again taking values from SP 800-90 and SP 800-57. We request random data from the caller of sufficient entropy for the security level of the DRBG.

When asymmetric algorithms are used (key generation, parameter generation and indeed signing for DSA/ECDSA) we check that the RNG has sufficient security strength (as dictated by the relevant standards) to perform the operation. Insufficient security strength is an error and the operation cannot be performed.

There is a mechanism, "entropy draining", which causes the DRBG to automatically reseed after a certain number of uses. See SP 800-90 for details of how this operates. The function FIPS_drbg_set_reseed_interval() can be used to modify the number of calls before auto reseeding.

The function FIPS_rand_strength() returns the security strength of the default RNG (the one used for key generation et al.). Individual operations (for example key generation) then check the security strength of the RNG and return a fatal error if there is insufficient security strength to complete the operation. The values used are from SP 800-57. This check is performed by the following functions:

    fips_check_dsa_prng()
    fips_check_rsa_prng()
    fips_check_ec_prng()

Currently there is no equivalent for DH. One could be added if required but it isn't clear how the strengths should be compared when PKCS#3 DH is used. There is no version for ECDH either but the only operation performed by that code (shared secret computation) does not make use of the RNG.

By default the health checks are automatically performed every 2^24 generate operations; this count can be modified (up or down) by the calling application via the FIPS_drbg_set_check_interval() function. If a DRBG health check fails then the DRBG is placed in an error state that can be cleared by uninstantiating and reinstantiating the DRBG.

For the CTR DRBG a flag allows the optional use of a derivation function. Note the DRBG is always instantiated at maximum security.
6.1.2 The DRBG API

All DRBG operations are performed through an opaque DRBG_CTX structure which corresponds to an SP 800-90 "instance". The function

    DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);

allocates and initializes a new DRBG_CTX structure for DRBG. The "type" and "flags" parameters determine the mechanism and primitives used and the security strength. Only the maximum security strength is supported for each type: i.e. it is not possible to instantiate the DRBG at lower than the maximum strength.

In addition to type specific values the "flags" field can be set to DRBG_FLAG_TEST to enable "test mode". This mode disables periodic health checks and the continuous PRNG test. It is used for internal purposes and to support algorithm validation testing. This flag MUST NOT be set for a live instance.

Before a valid DRBG_CTX is returned to the application an extensive health check is performed on a DRBG using the same mechanism and primitives. If the check fails an error is returned.

If the type parameter is set to 0 an uninitialized DRBG structure is returned. This structure may be initialized by calling FIPS_drbg_init().

This function returns a valid DRBG_CTX structure if it succeeds or NULL if it fails (for example an invalid type parameter).

DRBG Characteristics

All four DRBGs defined by SP 800-90 are implemented. The mechanisms, parameters and strength are summarized below:

Hash DRBG
The type parameters NID_sha1, NID_sha224, NID_sha256, NID_sha384 and NID_sha512 select the hash DRBG and the corresponding hash primitive. The SHA1 Hash DRBG has a security strength of 128 bits, the SHA224 DRBG has a security strength of 192 bits and all others 256 bits.

HMAC DRBG
The type parameters NID_hmacWithSHA1, NID_hmacWithSHA224, NID_hmacWithSHA256, NID_hmacWithSHA384 and NID_hmacWithSHA512 select the HMAC DRBG mechanism and associated hash primitive. Security strengths are the same as for the Hash DRBG.

CTR DRBG
The type parameters NID_aes_128_ctr, NID_aes_192_ctr and NID_aes_256_ctr select the CTR DRBG type using AES and the appropriate key length. TDES is not supported. The security strength matches the number of bits in the key. For this DRBG type the flag DRBG_FLAG_CTR_USE_DF is supported which enables the use of a derivation function. If this flag is not set a derivation function is not used.

Dual EC DRBG
The type parameter is of the form (curve|

    openssl sha1 -hmac

At runtime the calling application invokes FIPS_module_mode_set(1, password). Internally this function generates the digest HMAC(FIPS_AUTH_KEY, password) and checks to see if that value matches either of FIPS_AUTH_CRYPTO_OFFICER or FIPS_AUTH_CRYPTO_USER. If the password does not match the error is treated the same as a fatal POST error.

Validation Testing

For use by the test lab in testing the role based authentication the following command line options are defined for the fips_test_suite utility, to specify the password value to be passed to FIPS_module_mode_set():

    none      Null password
    bad       Invalid password of sufficient length
    user      The FIPS_AUTH_CRYPTO_USER password
    officer   The FIPS_AUTH_CRYPTO_OFFICER password

If none of those command line options are given the FIPS_AUTH_CRYPTO_USER password is used.

Support in the "FIPS capable" OpenSSL

A means is provided in the "FIPS capable" OpenSSL (which is just another application from the perspective of the FIPS module) to specify non-default passwords:

    ./config -DFIPS_AUTH_USER_PASS="\"...password...\""

Please note this is not something likely to be of value in any real-world context, and a FIPS module built with non-default passwords is a likely source of problems.
6.3 Self Tests

As required by FIPS 140-2 the FIPS module implements numerous self tests. Typically at least one self test is required for each cryptographic algorithm. Each test as it is performed can be examined through an optional callback:

    int (*fips_post_cb)(int op, int id, int subid, void *ex);

Unless otherwise stated below the callback should always return 1.

The "op" parameter indicates the operation being performed and can be one of:

FIPS_POST_BEGIN: indicates that testing has begun but no tests have been performed yet.

FIPS_POST_END: indicates all tests have been completed. The "id" parameter indicates the overall status of tests. It is 1 if all tests completed successfully and 0 if at least one test failed.

For the remaining "op" values the "id", "subid" and "ex" parameters indicate details of the specific test being performed. See the complete descriptions of each test type for the meaning of these parameters.

FIPS_POST_STARTED: indicates an individual test has started.

FIPS_POST_SUCCESS: individual self test was successful.

FIPS_POST_FAIL: individual self test failed.

FIPS_POST_CORRUPT: a query as to whether self test failure mode should be set. If the callback returns 0 a failure is simulated for the referenced self test. The method used to simulate failure is documented against each test.
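A model of the callback protocol above, added here as an example; it is not taken from the module or from fips_test_suite. run_post() drives a fips_post_cb-style callback through FIPS_POST_BEGIN, FIPS_POST_STARTED, the FIPS_POST_CORRUPT query, FIPS_POST_SUCCESS or FIPS_POST_FAIL, and FIPS_POST_END, and simulates failure the way the digest and HMAC tests described in the following subsections do, by feeding the primitive one extra byte. The op and id numbers, the subid strings standing in for NIDs, and the known-answer data are placeholders constructed for the model; the module's real values are defined in its headers and are not given on this page.

```python
import hashlib
import hmac

# Callback "op" values and test ids. The numbers are placeholders assumed for
# this model; the module defines its own in its headers, not shown on this page.
FIPS_POST_BEGIN, FIPS_POST_END = 1, 2
FIPS_POST_STARTED, FIPS_POST_SUCCESS, FIPS_POST_FAIL, FIPS_POST_CORRUPT = 3, 4, 5, 6
FIPS_TEST_DIGEST, FIPS_TEST_HMAC = 2, 5


class PostRecorder:
    """A fips_post_cb-style callback. It logs every (op, id, subid) it sees and
    answers the FIPS_POST_CORRUPT query with 0 for one selected test, which is
    how a harness asks the module to simulate that test failing."""

    def __init__(self, corrupt_id=None, corrupt_subid=None):
        self.corrupt = (corrupt_id, corrupt_subid)
        self.events = []

    def __call__(self, op, test_id, subid, ex):
        self.events.append((op, test_id, subid))
        if op == FIPS_POST_CORRUPT and (test_id, subid) == self.corrupt:
            return 0
        return 1   # every other case: always 1

    def failed(self):
        """(id, subid) of each test reported with FIPS_POST_FAIL."""
        return [(i, s) for op, i, s in self.events if op == FIPS_POST_FAIL]


# Known-answer tests modelled on the digest and HMAC POST tests. Data and key
# are constructed; the expected values are computed once here so the model is
# self-consistent (a real module carries fixed expected values).
KAT_DATA = b"constructed known-answer input"
KAT_KEY = b"constructed HMAC key"


def _sha1(data):
    return hashlib.sha1(data).digest()


def _hmac_sha256(data):
    return hmac.new(KAT_KEY, data, hashlib.sha256).digest()


KATS = [
    # (id, subid standing in for the digest NID, primitive, expected value)
    (FIPS_TEST_DIGEST, "sha1", _sha1, _sha1(KAT_DATA)),
    (FIPS_TEST_HMAC, "sha256", _hmac_sha256, _hmac_sha256(KAT_DATA)),
]


def run_post(cb):
    """Drive the callback as the module's POST does and return the overall
    status (1 = all passed, 0 = at least one failed); the same value is passed
    in the id field of the FIPS_POST_END call."""
    cb(FIPS_POST_BEGIN, 0, 0, None)
    all_ok = 1
    for test_id, subid, primitive, expected in KATS:
        cb(FIPS_POST_STARTED, test_id, subid, None)
        data = KAT_DATA
        if cb(FIPS_POST_CORRUPT, test_id, subid, None) == 0:
            data = KAT_DATA + b"\x00"   # simulated failure: one extra byte is processed
        if hmac.compare_digest(primitive(data), expected):
            cb(FIPS_POST_SUCCESS, test_id, subid, None)
        else:
            cb(FIPS_POST_FAIL, test_id, subid, None)
            all_ok = 0
    cb(FIPS_POST_END, all_ok, 0, None)
    return all_ok


if __name__ == "__main__":
    clean = PostRecorder()
    print("clean run:", run_post(clean), clean.failed())
    broken = PostRecorder(FIPS_TEST_HMAC, "sha256")
    print("hmac corrupted:", run_post(broken), broken.failed())
```

The recorder's event list is what a harness would compare against its expectations: a clean run ends with FIPS_POST_END carrying id 1, while a run in which the callback answered 0 to one CORRUPT query shows exactly one FIPS_POST_FAIL and ends with id 0.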
6.3.1 POST Tests

The tests performed during POST are described below, along with the corresponding fips_test_suite option(s) to trigger the test (see Appendix B.5).

6.3.1.1 Integrity Test

The id field is set to FIPS_TEST_INTEGRITY. The remaining parameters are not used. This is indicated while in-core integrity testing of the module itself is being performed. This operation performs an HMAC over sections of in-core data and checks the value against an expected value set when the application is compiled [see §2.2 for a more comprehensive description of this operation]. If failure is being simulated an additional byte is HMACed in addition to the in-core data to produce an HMAC value which will differ from the stored value.

Triggered by the integrity option to fips_test_suite.

6.3.1.2 DRBG Self Test

The id field is set to FIPS_TEST_DRBG. The subid field is set to the NID of the DRBG being tested and the "ex" field is of type (int *) which points to the DRBG flags being tested. An abbreviated KAT only test (not a full health check) is performed on each supported DRBG mechanism. Specifically, it is initialized in test mode, instantiated using known parameters, output is generated and the result compared with known good values. If failure is being simulated the "additional input" parameter to the generate operation is perturbed by setting it to a shorter length than the KAT value. This will result in data being generated which does not match the expected value.

Currently the following DRBG mechanisms and primitives are tested as part of the POST:

a) CTR DRBG using 256 bit AES and a derivation function.
b) CTR DRBG using 256 bit AES without a derivation function.
c) Hash DRBG using SHA256.
d) HMAC DRBG using SHA256.
e) Dual EC DRBG using P-256 and SHA-256.

Triggered by the drbg option to fips_test_suite.

6.3.1.3 X9.31 PRNG Self Test

The id field is set to FIPS_TEST_X931. The subid field is set to the key length of the PRNG in bytes. For the test the PRNG is set up in test mode. A known key, V (seed) and DT (date time vector) is supplied and the generated output (R) compared to an expected value. If failure is being simulated the known V value is corrupted by incrementing the first byte. This will result in generated data which does not match the expected value.

Currently the POST tests the X9.31 PRNG using 128, 192 and 256 bit key lengths.

Triggered by the rng option to fips_test_suite.
6.3.1.4 Digest Test

The id field is set to FIPS_TEST_DIGEST. The subid field is set to the digest NID being tested. The "ex" argument is not used. Currently only SHA1 is tested in this way. Known data is digested and the resulting hash compared to a known good value. If failure is being simulated an extra byte is digested in addition to the known data which will result in a digest which does not match the expected value.

Triggered by the sha1 option to fips_test_suite.

6.3.1.5 HMAC Test

The id field is set to FIPS_TEST_HMAC. The subid field is set to the associated digest NID being tested. The "ex" argument is not used. Known data is HMACed and the resulting hash compared to a known good value. If failure is being simulated an extra byte is HMACed in addition to the known data which will result in an HMAC which does not match the expected value. The digests SHA1, SHA224, SHA256, SHA384 and SHA512 are tested in this way.

Triggered by the hmac option to fips_test_suite.

6.3.1.6 CMAC Test

The id field is set to FIPS_TEST_CMAC. The subid field is set to the associated cipher NID being tested. The "ex" argument is not used. Known data is CMACed and the resulting CMAC compared to a known good value. If failure is being simulated an extra byte is CMACed in addition to the known data which will result in a CMAC which does not match the expected value. The triple DES cipher and AES using 128, 192 and 256 bit keys are tested for CMAC.

Triggered by the cmac option to fips_test_suite.

6.3.1.7 Cipher Self Tests

The id field is set to FIPS_TEST_CIPHER. The subid field is set to the NID of the cipher being tested, "ex" is not used. A known key, IV and plaintext is encrypted and the output ciphertext compared to a known good value. The ciphertext is then decrypted using the same key and IV and the result compared to the original plaintext. If a failure is being simulated the ciphertext is corrupted (first byte XORed with 0x1) before the decryption test. AES in ECB mode with a 128 bit key and triple DES in ECB mode are tested.

Triggered by the aes, des options to fips_test_suite.

6.3.1.8 GCM Self Test

The id field is set to FIPS_TEST_GCM. The subid field is set to the NID of the cipher being tested, "ex" is not used. A known key, IV, AAD and plaintext is encrypted and the output ciphertext and tag compared to known good values. The ciphertext and tag is then decrypted using the same key, IV, AAD and expected tag and the result compared to the original plaintext. If a failure is being simulated the tag is corrupted (first byte XORed with 0x1) before the decryption test. AES in GCM mode with a 256 bit key is tested.

Triggered by the aesgcm option to fips_test_suite.
6.3.1.9 CCM Self Test

The id field is set to FIPS_TEST_CCM. The subid field is set to the NID of the cipher being tested, "ex" is not used. The test is otherwise identical to the GCM test. AES in CCM mode with a 192 bit key is tested.

Triggered by the aesccm option to fips_test_suite.

6.3.1.10 XTS Self Test

The id field is set to FIPS_TEST_XTS. The test is otherwise identical to the cipher tests. AES in XTS mode with a 128 and a 256 bit key is tested.

Triggered by the aesxts option to fips_test_suite.

6.3.1.11 Signature Algorithm Tests

The id field is set to FIPS_TEST_SIGNATURE. The subid field is set to the NID of the associated digest. The "ex" field is set to the EVP_PKEY structure of the key being used in the KAT. By examining "ex" the type of key being tested can be determined. A signature is calculated using a known private key and data to be signed. For deterministic signature algorithms (i.e. RSA in some padding modes) the signature is compared to a known good value. The signature is then verified using the same data used to create the signature. If failure is being simulated an extra byte is digested in addition to the known data for signature creation only. This will result in a signature which does not match the expected value (if this test is being performed) or the verification will fail.

The following algorithms are tested:

a) RSA using PSS padding and SHA256 with a 2048 bit key.
b) ECDSA using P-224 and SHA512.
c) ECDSA using K-233 and SHA512 if binary fields are supported.
d) DSA using SHA384 and a 2048 bit key.

Triggered by the dsa, ecdsa, rsa options to fips_test_suite.
6.3.1.12 ECDH Self Tests

The id field is set to FIPS_TEST_ECDH. The subid field is set to the NID of the curve used. The "ex" field is not used.

Known private and public ECDH keys are used to compute a shared secret (Z) value. This is compared to a known good value.

If failure is being simulated the computed shared secret is corrupted after generation. This will result in a mismatch with the expected value.

Triggered by the ecdh option to fips_test_suite.
6.3.2 Conditional self tests
6.3.2.1 Pairwise consistency Test

When an asymmetric signature key is generated a signature test identical to the POST signature tests is performed on the generated key. The only difference is the id field is set to FIPS_TEST_PAIRWISE.

In the case of RSA keys a consistency test is also performed using an RSA PKCS#1 padding encryption and decryption operation: this operation is not registered with the callback. Specifically: known data is encrypted, the ciphertext checked it does not match the plaintext and then decrypted. The decrypted value is checked against the original plaintext.

For RSA keys the SHA256 digest is used and three tests performed: PKCS#1, X9.31 and PSS padding. For DSA and ECDSA keys one test using SHA256 is performed.

Triggered by the dsakeygen and rsakeygen options to fips_test_suite.
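The shape of the RSA pairwise consistency test described above, as an added illustration that is not code from the FIPS module: a sign/verify round trip over known data, plus the encrypt/decrypt round trip in which the ciphertext is first checked to differ from the plaintext, and the failure-simulation hook that digests one extra byte for signing only. Textbook RSA with a tiny constructed key (p = 61, q = 53, so n = 3233, e = 17, d = 2753) stands in for the module's 2048 bit padded RSA so the block runs with the standard library alone; the key, the known plaintext 65 and the known data are all constructed here.

```python
"""Pairwise consistency checks on a freshly generated RSA key (added illustration)."""
import hashlib

# Constructed toy key: n = 61*53 = 3233, e = 17, d = 2753 (e*d = 1 mod 3120).
# A real module would run these checks on the 2048 bit key it just generated.
TOY_RSA_KEY = {"n": 3233, "e": 17, "d": 2753}

# Known plaintext for the encrypt/decrypt check (textbook RSA needs m < n).
KNOWN_PLAINTEXT = 65
# Known data for the sign/verify check (constructed).
KNOWN_DATA = b"pairwise consistency known data"


def _digest_mod_n(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced mod n; stands in for the padded digest block."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(key: dict, data: bytes, simulate_failure: bool = False) -> int:
    """Sign data. Failure simulation digests one extra byte for signing only,
    so the verifier (which digests the unmodified data) must reject the result."""
    if simulate_failure:
        data = data + b"\x00"
    return pow(_digest_mod_n(data, key["n"]), key["d"], key["n"])


def rsa_verify(key: dict, data: bytes, signature: int) -> bool:
    return pow(signature, key["e"], key["n"]) == _digest_mod_n(data, key["n"])


def rsa_encrypt(key: dict, m: int) -> int:
    return pow(m, key["e"], key["n"])


def rsa_decrypt(key: dict, c: int) -> int:
    return pow(c, key["d"], key["n"])


def rsa_pairwise_consistency(key: dict, simulate_failure: bool = False) -> dict:
    """Run the three checks; the generated key is usable only if every entry is True."""
    sig = rsa_sign(key, KNOWN_DATA, simulate_failure)
    ciphertext = rsa_encrypt(key, KNOWN_PLAINTEXT)
    return {
        "sign_verify": rsa_verify(key, KNOWN_DATA, sig),
        # The ciphertext must not equal the plaintext (catches a degenerate key).
        "ciphertext_differs": ciphertext != KNOWN_PLAINTEXT,
        "decrypt_roundtrip": rsa_decrypt(key, ciphertext) == KNOWN_PLAINTEXT,
    }


def key_is_consistent(key: dict, simulate_failure: bool = False) -> bool:
    return all(rsa_pairwise_consistency(key, simulate_failure).values())


if __name__ == "__main__":
    print("normal:", rsa_pairwise_consistency(TOY_RSA_KEY))
    print("simulated failure:", rsa_pairwise_consistency(TOY_RSA_KEY, simulate_failure=True))
```

With the toy key, 65 encrypts to 2790 and decrypts back to 65; under failure simulation only the sign/verify entry turns False, which is exactly the discrimination the module's callback reports for FIPS_TEST_PAIRWISE.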
6.3.2.2 Continuous PRNG Test

When not in test mode (i.e. an operational "live" PRNG) the output of the PRNG is put through the continuous PRNG test for FIPS 140-2. The callback is not used for this operation.

If the function FIPS_x931_stick() is called then the X9.31 PRNG output is copied to the stored last block to ensure the test will fail on the next generate operation.

If the function FIPS_drbg_stick() is called then the DRBG output is copied to the stored last block to ensure the test will fail on the next generate operation.

The continuous PRNG test for the PRNG itself is triggered by the drbgstick and rngstick options to fips_test_suite. The continuous PRNG test for the entropy source is triggered by the drbgentstick option to fips_test_suite.
6.4 ECDH

The CAVP defines a test for ECDH in the form of "ECC CDH Primitive" tests: http://csrc.nist.gov/groups/STM/cavp/#09

When this ECDH testing was introduced for FIPS 140-2 we initially assumed that with the growing use of ECDH in TLS the intent was to ensure that usage was covered by an approved algorithm. That turns out not to be the case. The algorithm now available for testing is "cofactor ECDH" (formally known as ECC CDH) which is NOT the same as regular ECDH (formally known as the ECKAS-DH1 scheme) used with TLS -- it is a variant of ECDH that is not the same as that commonly used in actual applications. The differences between the two algorithms are small but enough to make the two incompatible in subtle ways.

For regular ECDH the shared secret Z is the x component of the value dQ where d is one side's private key (an integer) and Q the other side's public key (an elliptic curve point). For cofactor ECDH the shared secret Z is the x component of the value hdQ where the new value h is something called the cofactor (another integer) which is a property of the curve. For most prime[48] curves h = 1 whereas for many binary curves h ≠ 1. So for many prime curves (but not all) the two algorithms yield the same result. For binary curves they do not.

Note that the addition of a few lines to the ECDH algorithm implementation changes it to cofactor ECDH at which point it passes the CAVP ECC CDH Primitive test. However, if we change our ECDH implementation to unconditionally use cofactor ECDH then it will not be interoperable with TLS using binary curves.

[48] The standard tested prime curves all use h = 1 excepting one non-standard prime curve with h != 1; that is a 128 bit curve and so forbidden in approved mode. Effectively this means that for an implementation only checking prime curves (as many do) the discrepancy would never be apparent. FIPS 140-2 does allow non-standard curves so two "tested" algorithms could yield different results.

Even though the use of cofactor ECDH is rare at present, there could conceivably be a need at some point. In order to accommodate that possibility while preserving compatibility with existing applications we added a flag to the EC_KEY structure to enable cofactor ECDH for use with the FIPS 140-2 algorithm tests. This flag is set with the EC_KEY_set_flags() function:

    EC_KEY_set_flags(key, EC_FLAG_COFACTOR_ECDH);

If this flag is not explicitly set then the ECKAS-DH1 (TLS compatible) scheme is used.
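The distinction between Z = x(dQ) and Z = x(hdQ) is easiest to see on a curve whose cofactor is not 1. The following is an added illustration, not code from OpenSSL or the FIPS module: it implements affine point arithmetic over two small constructed textbook curves, y^2 = x^3 + x + 1 over F_23 (28 points, prime-order subgroup n = 7, so h = 4) and y^2 = x^3 + 2x + 2 over F_17 (19 points, so h = 1), and runs both schemes for a pair of parties. On the h = 4 curve both sides still agree with each other under either scheme, but the two schemes produce different Z values, which is the interoperability problem the section describes; on the h = 1 curve the results coincide. The curves, generator selection and private keys are all constructed for the demonstration; EC_FLAG_COFACTOR_ECDH is the page's real OpenSSL flag and is only referenced in a comment.

```python
"""Plain ECDH (ECKAS-DH1) versus cofactor ECDH (ECC CDH) on small constructed curves.

    Z_plain    = x( d * Q )
    Z_cofactor = x( h * d * Q )
"""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None represents the point at infinity


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, affine arithmetic."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a, b

    def add(self, P: Point, Q: Point) -> Point:
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # Q == -P, also covers doubling a point with y == 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k: int, P: Point) -> Point:
        """Double-and-add scalar multiplication k*P."""
        R = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """Enumerate E(F_p) by brute force; fine for these tiny primes."""
        pts: List[Point] = [None]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if (y * y) % self.p == rhs]
        return pts


def largest_prime_factor(m: int) -> int:
    f, largest = 2, 1
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return max(largest, m)


def subgroup_params(curve: Curve) -> Tuple[Point, int, int]:
    """Return (G, n, h): a generator of the largest prime-order subgroup, its order, the cofactor."""
    pts = curve.points()
    N = len(pts)
    n = largest_prime_factor(N)
    h = N // n
    for P in pts[1:]:
        G = curve.mul(h, P)  # multiplying by h clears the cofactor part; result has order n
        if G is not None:
            return G, n, h
    raise ValueError("no point of prime order found")


def ecdh_z(curve: Curve, d: int, Q: Point) -> int:
    """ECKAS-DH1 (TLS) shared secret: x component of d*Q (OpenSSL default)."""
    return curve.mul(d, Q)[0]


def cofactor_ecdh_z(curve: Curve, d: int, Q: Point, h: int) -> int:
    """ECC CDH shared secret: x component of h*d*Q (what EC_FLAG_COFACTOR_ECDH selects)."""
    return curve.mul(h * d, Q)[0]


def compare_schemes(curve: Curve, d_a: int, d_b: int) -> dict:
    """Both parties compute Z under both schemes; report n, h and whether the schemes agree."""
    G, n, h = subgroup_params(curve)
    Q_a, Q_b = curve.mul(d_a, G), curve.mul(d_b, G)
    plain = (ecdh_z(curve, d_a, Q_b), ecdh_z(curve, d_b, Q_a))
    cof = (cofactor_ecdh_z(curve, d_a, Q_b, h), cofactor_ecdh_z(curve, d_b, Q_a, h))
    return {"n": n, "h": h, "plain": plain, "cofactor": cof,
            "schemes_agree": plain[0] == cof[0]}


CURVE_H4 = Curve(23, 1, 1)  # constructed: 28 points, n = 7, h = 4
CURVE_H1 = Curve(17, 2, 2)  # constructed: 19 points, n = 19, h = 1

if __name__ == "__main__":
    print("h = 4 curve:", compare_schemes(CURVE_H4, 3, 2))
    print("h = 1 curve:", compare_schemes(CURVE_H1, 3, 5))
```

The page's footnote explains why this rarely surfaces in practice: every standard prime curve has h = 1, so an implementation exercised only on prime curves would never observe the mismatch; the small-curve run above exposes it directly.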
6.5 ECC and the NSA Sublicense

Why are there two versions of the OpenSSL FIPS Object Module 2.0?

At least some implementations of Elliptic Curve Cryptography (ECC) are perceived to be encumbered in the United States by a complex set of patents. Concern about the possible risks of patent infringement has been a significant disincentive to more widespread use of ECC. In order to counter such concerns for the ECC necessary to implement the Suite B algorithms, the NSA established a process for sub-licensing the patents for that subset of ECC (see http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml). OVS has obtained such a sublicense (http://openssl.com/testing/docs/NSA-PLA.pdf). However, that sublicense only covers the specific patents presumed relevant to the prime curve ECC used for Suite B. It does not cover other possible types of ECC such as binary curves which are implemented in OpenSSL.

Judging the risks of a patent infringement lawsuit is difficult, and not only because the patents themselves are usually incomprehensible to the software developer. The mere threat of a patent lawsuit can be crippling to even a medium sized enterprise, regardless of the legitimacy of the accusation of infringement. It is the belief of the OpenSSL team that the implementation of ECC in OpenSSL, both prime and binary curve, does not infringe any patents[49]. However, we aren't lawyers and patent law is notoriously perverse.

Some potential users are still concerned about the risk of patent litigation, understandably so given the extent to which such litigation has been used as an offensive commercial tactic in recent years. For the OpenSSL software such users can use build-time options to omit specific algorithms of concern from the resulting binary code. However, the restrictions of FIPS 140-2 prevent the use of such build-time options or modification of the source code. One of the validation sponsors was concerned about patent risks and so a separate "patent troll" source distribution of the OpenSSL FIPS Object Module 2.0 was created which entirely omits the binary curve ECC. That distribution, openssl-fips-ecp-2.0.tar.gz, is functionally identical to the full distribution except for the omission of those algorithms, and all discussion of the full distribution elsewhere in this document applies. Note that when using the "ecp" distributions the corresponding "FIPS capable" OpenSSL must be built with the no-ec2m option.

[49] Also note that the bulk of the binary curve ECC implementation in the OpenSSL project was contributed by a corporation, the former Sun Microsystems, with the legal resources to analyze such risks.
6.6 The "Secure Installation" Issue

This latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 validations saw the introduction of a new requirement by the CMVP:

    The distribution tar file, shall be verified using an independently acquired FIPS 140-2 validated cryptographic module...

We're told that this distribution tar file verification requirement comes directly from the assertions AS10.03 and AS14.02 of the Derived Test Requirements document:

    AS10.03: (Levels 1, 2, 3, and 4) Documentation shall specify the procedures for secure installation, initialization, and startup of the cryptographic module.

    AS14.02: (Levels 1, 2, 3, and 4) The cryptographic module security policy shall consist of: a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard and the additional security rules imposed by the vendor.

Subsequent discussions mediated by the test lab elaborated this "secure installation" requirement to mean that one of the following conditions must be true:

1) The distribution file is obtained via a "trusted path", which is one of:

   a) Transfer via physical media (e.g. CD-ROM disk) sent by postal or delivery service (USPS, UPS, FedEx);

   b) Electronic transfer using cryptography (e.g. SSH, HTTPS, IPsec) implemented by FIPS 140-2 validated products. That requirement was further elaborated to state that those products must themselves be a result of "secure installation".

2) The distribution file is verified (HMAC-SHA-1 digest checked) using a pre-existing FIPS 140-2 validated product that is itself the result of a "secure installation".

Note the recursive nature of the "secure installation" requirement represents a non-trivial challenge; in order to transfer or verify a new validated product an existing securely installed validated product must already be present.

We're still struggling to understand the scope and implications of this requirement. The FIPS 140-2 scripture (the FIPS 140-2 standard [Reference 1], the DTR [Reference 4], and the IG [Reference 3] documents) doesn't shed a lot of light -- the term "trusted path" for instance is only referenced in the context of Level 3 validations. Note those "secure installation" and "trusted path" requirements as explained to us say that validated software cannot be distributed by traditional methods, which leads to some interesting questions about the use of other validated modules (puzzlement over why all other modules aren't similarly impacted is a large part of our confusion).

Those questions aside, prospective users of this FIPS module need to determine at least one known valid way to satisfy the requirement for this specific validation -- a way not at risk of being ruled invalid by the CMVP after software has been shipped or deployed. So far the CMVP has declined to answer specific questions about options for satisfying this requirement; they quote the formal documentation (as noted above) and refer us to the test labs. We have actively discussed this issue with several accredited test labs and selected members of the FIPS validation community. Unfortunately the test labs are not in close agreement. So far we have collected a lot of opinions but not much certainty. If you have experience or insights directly relevant to this issue we'd love to hear from you[50].

Very Important Note: The conclusions presented here are still tentative as they have neither been confirmed nor refuted by the CMVP; they simply represent our best understanding of the situation at this point in time. These conclusions could change dramatically based on relevant feedback from the CMVP, or more slowly in response to an accumulated consensus of opinion from the test labs and FIPS 140-2 community of interest.
6.6.1 What Won't Work

This new requirement doesn't sound so bad until you try to pin down exactly what steps need to be taken to satisfy it. We're still working on figuring this out, but we can eliminate some options that have been considered but which apparently are not allowed:

- No delegation: one entity (OVS for instance) can't perform the verification of the source tarball and then post that verified tarball on a web site for download by everyone else unless the download qualifies as a "trusted path", which in practice will mean the user performing the download will need to obtain and install FIPS 140-2 validated client software (also through a trusted path... which is a circular problem for many users).

- The new module itself (what is built from the source distribution) cannot be used to perform the verification of the source distribution it was built from.

- Earlier FIPS modules (such as the 1.2.3 FIPS module, validation certificate number #1051) apparently cannot be used to perform the verification. Apparently the new tarball verification requirement will be retroactively applied to the older OpenSSL FIPS Object Module validations. We do not know if that will mean that all deployed instances of these older modules will be declared invalid (that would have a huge impact), but the consensus of our discussions is that the older modules can't be leveraged to verify the new module.

- Use of an earlier binary module validation (certificate #1111) was suggested by the CMVP. There are two problems with that suggestion; first, that particular validation took so long (with a 13 month wait for CMVP action) that it had no economic value by the time it was finally completed, and as a result it was abandoned and we no longer have the corresponding binary module; and second, per our understanding that binary module would need to be executed on some very obsolete platforms (OpenSuSE 10.2, no longer downloadable from the maintainer, or Microsoft Windows XP SP2, no longer sold by the vendor). Also in many environments (such as DoD) use of such unsupported operating systems is forbidden by security policy.

- One of our first thoughts was to create (by some means) an executable binary utility program to perform the verification, that could be run on one or more common platforms (e.g. Linux, Windows), and that we could provide publicly for everyone. However, it seems we can't just post that utility for download on a typical web site as the downloaded file would not have been obtained through a "trusted path". Our understanding is that a trusted path over a network would require formally FIPS 140-2 validated software at both the client and server which fails to address the issue of how to get validated cryptography in the first place.

- Another clever idea that was suggested was for us to provide a utility based on a known common commercial validated cryptographic implementation, such as CryptoAPI in Microsoft Windows. The utility could be freely downloaded because it would not contain the actual cryptography. However, many prospective users will have obtained that validated cryptography (the Microsoft Windows OS itself) by non-trusted means (the MSDN download of ISO images does not use FIPS validated cryptography, nor does the usual Internet based update process). Likewise an NSS based utility for Red Hat Enterprise Linux would have the same problem (non-trusted installation and update). Even if the initial OS installation was done with a trusted path, the subsequent routine updates are not[51]; so one would have to install the OS using a vendor supplied CD/DVD and then not subsequently update it over the Internet. Note this last point is downright mind-boggling: it amounts to an assertion that essentially all installations of validated software modules are illegitimate.

Many other options have been considered as well, without a clear consensus from those in the test labs and the community of interest who we have consulted.

[50] http://openssl.com/contact.html

[51] We were able to connect to both Microsoft and Red Hat distribution servers with non-allowed cryptographic algorithms (e.g. RC4); hence we can deduce that those servers are not utilizing FIPS 140-2 validated cryptography.
6.6.2 What Might Work

The options that we are fairly confident will satisfy the new requirement are:

- Use of a commercial proprietary product using FIPS 140-2 validated cryptography, obtained via a trusted path (e.g. snail-mailed CD or DVD), to display the HMAC-SHA-1 digest of the source tarball. That product should be capable of performing the equivalent of:

      openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.tar.gz

  As noted above, for reasons we don't understand the earlier OpenSSL FIPS Object Module validations (e.g. #1051) are apparently not eligible for this role. At this point we are not aware of any specific commercial products that perform this operation on a file, nor how much they cost or how to purchase them. However, such products must exist. If you know of or find a suitable product please let us know[52] the details.

- Use of a source code distribution that can be obtained from OVS on physical media (a CD-ROM disk) via snail-mail (USPS). Note this option is specifically documented[53] as acceptable in the Security Policy itself -- a huge comfort factor for those concerned about the lack of clear guidance in this area. Also note that some experienced and respected commentators in the FIPS 140-2 community of interest that we consulted felt strongly that physical media should not constitute a trusted path. However, a direct statement as placed in the Security Policy and approved by the CMVP trumps any such concerns.

  Until and if the postage costs get out of hand we will send those CDs on request at no cost. Please send your request including a full postal address to verifycd@openssl.com. Note that the files you will receive on these CDs will be identical in every respect (except for FIPS 140-2 compliance) with the files you can download from the openssl.org web site, so we ask that you only request this CD if you plan to use it for generation of FIPS 140-2 validated cryptography in a context that requires such compliance. The downloaded files are bit-for-bit identical and for any other purposes will generate exactly the same results.
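What the openssl sha1 -hmac command above actually computes is a keyed HMAC-SHA-1 over the whole tarball with the fixed key "etaonrishdlcupfm", compared against the digest published in the Security Policy. The following is an added illustration, not a tool from OVS or the FIPS module, of that computation: streaming HMAC-SHA-1 from the Python standard library and a constant-time comparison. It shows the arithmetic the section relies on; it does not satisfy the requirement itself, since the section's whole point is that the verifying implementation must be an independently acquired FIPS 140-2 validated module obtained via a trusted path, which a stock Python interpreter is not. The sample tarball bytes in the test are constructed, and no published digest value is assumed.

```python
"""HMAC-SHA-1 check of a distribution file, the computation behind
`openssl sha1 -hmac etaonrishdlcupfm <file>` (added illustration)."""
import hashlib
import hmac
import sys
from typing import BinaryIO

# Fixed HMAC key used for the OpenSSL FIPS distribution digest (from the page).
HMAC_KEY = b"etaonrishdlcupfm"


def hmac_sha1_of_stream(stream: BinaryIO, key: bytes = HMAC_KEY,
                        chunk_size: int = 64 * 1024) -> str:
    """Stream the file through HMAC-SHA-1 in chunks so large tarballs never sit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        mac.update(chunk)
    return mac.hexdigest()


def hmac_sha1_of_file(path: str) -> str:
    with open(path, "rb") as f:
        return hmac_sha1_of_stream(f)


def digest_matches(computed: str, published: str) -> bool:
    """Compare against the published digest in constant time, ignoring case and whitespace."""
    return hmac.compare_digest(computed.strip().lower(), published.strip().lower())


def verify_file(path: str, published: str) -> bool:
    return digest_matches(hmac_sha1_of_file(path), published)


if __name__ == "__main__":
    # usage: python this.py openssl-fips-2.0.tar.gz <published hex digest>
    ok = verify_file(sys.argv[1], sys.argv[2])
    print("HMAC-SHA-1 digest", "matches" if ok else "DOES NOT MATCH")
    sys.exit(0 if ok else 1)
```

A single flipped byte anywhere in the archive changes the digest, which is what makes the published value useful; the open question the section leaves is only which implementation of this check the CMVP will accept.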
6.6.3 Still Confused?

Welcome to the club.

As we learn more about specific options that will and won't satisfy the requirement we will post that information on the OVS web site and in updates to this document. In the meantime the only definitive answers will have to come from the CMVP itself, either directly or indirectly. The best point of contact is the Director of NIST CMVP[54]. If you choose to contact the CMVP then please:

- Keep all inquiries polite and respectful.

- Remember that the CMVP have a very different perspective on computers and software than the average information technology practitioner. They do not have a software development background.

- Note that they are not the enemy; if it was their intent to consciously block or sabotage the OpenSSL FIPS Object Module validations they could have done so easily long ago using a wide range of bureaucratic tactics.

- Note that if you disagree with what you are told by the Director of NIST CMVP you have no recourse to appeal to any higher authority; his word is definitive and final (technically the CMVP is a joint U.S.-Canadian program with the CSE[55] as the Canadian equivalent of NIST, but for U.S. users at least the NIST CMVP opinion is what matters. Canadian users may want to consult the CSE).

If you learn anything of interest please share it with us[56] and/or one of the OpenSSL mailing lists[57].

[52] http://openssl.com/contact.html

[53] The discussions leading to this statement in the Security Policy were responsible for several weeks of delay in obtaining the validation. We felt the issue of having one specific affirmatively approved process for satisfying this new requirement was so critical as to warrant any necessary delay; placement of that statement in the Security Policy itself was essentially our only opportunity to obtain a definitive response on the topic from the CMVP.

[54] http://csrc.nist.gov/groups/STM/cmvp/contacts.html
6.7 GMAC

The FIPS module was originally tested with, and awarded an algorithm validation for, AES GCM including GMAC. The CAVP subsequently revised the algorithm test and retroactively designated a number of validations, including ours, as "GMAC not supported".

6.7.1 CAVP Action

We first heard of this in an E-mail forwarded by our test lab, at which time the CAVP and CMVP web site listings had already been updated to show "GMAC not supported" for multiple validations. The CAVP noted that our GCM implementation gave an incorrect answer when a zero length plaintext is given with an AAD input length that is not a multiple of 128 bits. The original GMAC test only checked input lengths that were a multiple of 128 bits.

Note this preemptive action appears to be a little unusual; typically the CAVP/CMVP will contact a vendor to discuss problems before taking unilateral action.
6.7.2 Options for Addressing

The fix is a trivial one line code change, http://cvs.openssl.org/chngview?cn=22745, which has been applied to the regular OpenSSL releases. However, changes to FIPS 140-2 validated software, no matter how trivial, are not easily effected. In this case the CAVP insisted on retesting of all of the 50 some previously tested platforms. Retesting was not economically feasible due to multiple factors:

- Many test devices had already been returned to the platform sponsors. Some of those were one-off prototype or evaluation units and arranging with the sponsors to re-ship that equipment to the OVS test lab would have taken a substantial amount of time and effort. Even shipping costs themselves were non-trivial, as OVS pays return shipping for customer supplied equipment. Those costs alone were several thousand dollars for the initial 2.0 FIPS module testing.

- Many man-weeks of effort would have been required to repeat the process of installing and configuring each test device and then running the software build and execution process.

- We would have to pay the test lab for the testing, a very substantial cost. Even with negotiations to take into account the fact that the testing process was already fully documented and tested for each device, that cost would probably have been at least US$50,000.

All told we estimated the cost of retesting every platform would exceed US$70,000 even with OVS personnel working for minimum wage.

Fortunately the practical impact of removing GMAC from the 2.0 module validation appears to be minimal, as discussed in the following section.

This incident does illustrate the risk of unpredictable and unilateral CAVP/CMVP action. Passing all the formal testing and receiving a validation award is no guarantee that the validation will not disappear overnight[58]. That perceived risk is a large part of the appeal of the "private label" validations for risk-averse clients.

[55] http://www.cse-cst.gc.ca/index-eng.html

[56] http://openssl.com/contact.html

[57] http://openssl.org/support/community.html
6.7.3 Practical Impact

The AES-GCM algorithm is an authenticated encryption algorithm. It is in some ways equivalent to the separate HMAC and encryption algorithms used in some ciphersuites. It is an attractive choice because it does everything all in one go and thus is considerably faster than the separate encryption + MAC operation. The first widespread use of GCM is in TLS 1.2 in new ciphersuites.

AES-GCM as its input can take (among other things) some additional authenticated data (AAD) and plaintext (in encrypt mode). Its output is ciphertext and a MAC. The AAD is used as some additional data to throw into the MAC calculation but it does not appear in the output. The ciphertext is the encrypted plaintext. If there is any plaintext/ciphertext at all then the operation is called GCM, with or without AAD. If there is no ciphertext/plaintext and only AAD then the operation is called GMAC. So GMAC is a special case of GCM.

The bug in the FIPS module GCM implementation is triggered when GMAC is used, i.e. there is no ciphertext/plaintext and only AAD. Also the bug is not manifested unless the AAD is not a multiple of 16 bytes. So if the AAD is a multiple of 16 bytes and/or there is any ciphertext/plaintext then the FIPS module implementation works just fine.

During normal operation of the TLS protocol GMAC is not used because there is always some data to encrypt or decrypt. The degenerate case of a zero length fragment we think could trigger this but OpenSSL never produces such a thing and there is no reason for a non-OpenSSL TLS stack to do so either. Further review may be needed to determine if a TLS 1.2 zero length fragment case is even theoretically possible.

So to summarize: under any normal use cases the OpenSSL TLS implementation works in FIPS mode just fine without GMAC.

[58] That has happened before, for instance the earlier OpenSSL FIPS Object Module validation #733 which was effectively revoked by the CMVP. See http://veridicalsystems.com/blog/index.html?p=55.html for a discussion of that incident.
6.8 DH

The version of DH used by TLS is a variant on PKCS#3 and not the X9.42 specification, and hence is not compliant with SP800-56A. For example, the requirement:

    Each private key shall be unpredictable and shall be generated in the range [1, q-1] using an Approved random bit generator.

For TLS clients that requirement cannot be satisfied as stated because the parameter "q" is not sent from server to client, only the parameter "p". Clients generate a private key in the range [1, p-1] instead.
6.9 DSA

The DSA private key value is calculated as follows:

The function fips_check_dsa_prng() checks parameters and that the PRNG strength is consistent with them when a private key is generated. The function fips_ffc_strength(), which takes the values directly from SP800-131A, is used as well.
6.10 CCM

CCM is "Counter with Cipher Block Chaining-Message Authentication Code" per SP800-38C.

The openssl ciphers command does not show anything for CCM as that command only lists the ciphersuites for SSL/TLS. For OpenSSL 1.0.2 and earlier CCM mode is not supported for TLS in OpenSSL: such support was not requested by any validation sponsors and it wasn't even a finalised standard at the time. Newer versions of OpenSSL do support CCM but the cipher string is AESCCM because CCM can apply to other ciphers.
7. REFERENCES

1. OpenSSL FIPS 140-2 Security Policy, Version 2.0, Open Source Software Institute. This document is available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140spNNNN.pdf and http://www.openssl.org/docs/fips/.

2. FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 2001, National Institute of Standards and Technology, available at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

3. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, National Institute of Standards and Technology, available at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.

4. Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 4, 2011, National Institute of Standards and Technology, available at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf.

5. Network Security with OpenSSL, John Viega et al., 15 June 2002, O'Reilly & Associates.

6. NSA Suite B Cryptography, http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml.

7. The Transitioning of Cryptographic Algorithms and Key Sizes, http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf.

8. DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, http://csrc.nist.gov/publications/drafts/800-131/draft-sp800-131_spd-june2010.pdf.

9. FIPS 186-3, Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf.

10. SP800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised), http://cs1rc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf.

11. SP800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf.

12. Suite B Implementer's Guide to NIST SP800-56A, http://www.nsa.gov/ia/_files/SuiteB_Implementer_G-113808.pdf.

13. SP800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf.

14. SP800-108, Recommendation for Key Derivation Using Pseudorandom Functions, http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf.

15. AES Key Wrap Specification, http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf.

16. May 21, 2009 Army "Letter to Industry", https://chess.army.mil/ascp/commerce/scp/downloads/standardspolicy_files/letter_to_industry.pdf.

17. OpenSSL FIPS Object Module User's Guide, http://openssl.org/docs/fips/UserGuide.pdf.

18. The OpenSSL license, http://openssl.org/source/license.html.

19. Alice in Wonderland, Lewis Carroll, 1865, ISBN 978-0486275437, https://www.gutenberg.org/files/11/11-pdf.pdf.
Appendix A  OpenSSL Distribution Signing Keys

In order to be considered FIPS 140-2 validated the FIPS Object Module must be derived from an OpenSSL distribution signed by one of these authorized keys, as shown by the value in the Fingerprint row. These keys are subject to change and the list at https://openssl.org/about/ will generally be more current. The procedure for verifying that a source distribution was signed by one of these keys is described in detail in §4.1.2. Note the fingerprint formats are slightly different for the two different types of keys (RSA and DSA).

OpenSSL Core Team PGP Keys

Key Id      Team member
0E604491    Matt Caswell, matt@openssl.org
            fingerprint: 8657ABB260F056B1E5190839D9C4D26D0E604491
49A563D9    Mark J. Cox, mark@openssl.org
            fingerprint: 7B7919FA716B87250E7721E552D983BF
            Viktor Dukhovni, viktor@openssl.org
FA40E9E2    Dr. Stephen Henson, steve@openssl.org
            fingerprint: 62605AA4334AF9F0DDE5D349D3577507FA40E9E2
41FBF7DD    Tim Hudson, tjh@openssl.org
            fingerprint: 60A60B21E22DCEDDC50C077306CC497B0EEABFE4
BDD52F1C    Lutz Jänicke, jaenicke@openssl.org
            fingerprint: 0A77335AADE74E6BB36CAD8ADFAB592ABDD52F1C
            Emilia Käsper, emilia@openssl.org
2118CF83    Ben Laurie, ben@openssl.org
            fingerprint: 765655DE62E396FF2587EB6C4F6DE1562118CF83
6D1892F5    Steve Marquess, marquess@openssl.org
            fingerprint: FEAB1FB2653717429B0B894F431711F76D1892F5
7DF9EE8C    Richard Levitte, levitte@openssl.org
            fingerprint: 7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C
4A397EA2    Bodo Möller, bodo@openssl.org
            fingerprint: 3FD2C7DBD3EA28B7B0C61B5DE9A7C8084A397EA2
1FE8E023    Andy Polyakov, appro@openssl.org
            fingerprint: B652F27F2B8D1B8DA78D7061BA6CDA461FE8E023
41C25E5D    Kurt Roeckx, kurt@openssl.org
            fingerprint: E5E52560DD91C556DDBDA5D02064C53641C25E5D
5C51B27C    Rich Salz, rsalz@openssl.org
            fingerprint: D099684DC7C21E02E14A8AFEF23479455C51B27C
E18C1C32    Geoff Thorpe, geoff@openssl.org
            fingerprint: 1B3DF808C221D2A5ED74172F0833F510E18C1C32
Appendix B  CMVP Test Procedure

Instructions for building OpenSSL and performing the FIPS 140-2 and related algorithm tests on Linux/Unix and Microsoft Windows based platforms are given here. These instructions are primarily of interest to the CMVP testing laboratory performing the validation testing, or anyone wishing to verify that the executable library generates the same output for the algorithm tests performed by the testing laboratory. Note there is no requirement for end users or application developers to run these tests; this discussion is included for reference purposes to illustrate the algorithm testing performed by the CMVP test lab.

Note this step requires a large directory tree of input test data files produced by the testing lab using a NIST provided tool (CAVS); several sets of input and response values can be found at http://openssl.com/testing/validation-2.0/testvectors/. The file http://openssl.com/testing/validation-2.0/testvectors/tv.tar.gz contains a complete set of 259 test vector files with correct responses that can be used for a single comprehensive test. Note the number and format of these test vector files changes over time, so this set may not correspond exactly to what the CAVS tool currently produces.

B.1 Building the Software - Linux/Unix

1. Copy the OpenSSL distribution (openssl-fips-2.0.tar.gz) to a directory on the test system. Approximately 80 Mb free space is needed for this file and the resulting work area.

2. Perform the standard build. Use of a script file or comparable means of capturing the output is highly recommended.

    gunzip -c openssl-fips-2.0.tar.gz | tar xf -
    cd openssl
    ./config [no-asm]
    make
    ...

where the no-asm option may or may not be present depending on the platform.

3. Run

    make build_tests

to generate the standalone additional programs to support the testing process.

To generate a single program that contains the functionality of fips_test_suite and the individual standalone algorithm test programs, run

    make build_algvs

to build the fips_algvs program. This program is necessary for some platforms that do not provide a suitable command shell and for which the execution of many separate programs is awkward or difficult, and may be convenient in other circumstances.

The fips_algvs program can be used to execute specific tests, for instance

    fips_algvs fips_test_suite post
    fips_algvs fips_dssvs pqg "tv/req/PQGGen.req" "tv/resp/PQGGen.rsp"

or if given no command line options it will process the subcommands in a minimal shell script as generated by

    perl fipsalgtest.pl --dir=<testvector dir> --minimal-script --generate --script=fipstests.sh --tprefix=

which will produce a file fipstests.sh with the subcommands corresponding to each request file, e.g.:

    fips_dssvs pqg "tv/req/PQGGen.req" "tv/resp/PQGGen.rsp"

The fips_algvs program supports the following command line options:

    --quiet      suppress any progress output.
    --verbose    echo full command lines of executed commands (default is to omit file names)
    --script     script to use, default is fipstests.sh

In absence of any options it assumes a script file fipstests.sh should be read from the current directory. If the first argument doesn't begin with a '-' it is taken as the name of a subprogram to run:

    fips_aesavs
    fips_algvs
    fips_cmactest
    fips_desmovs
    fips_dhvs
    fips_drbgvs
    fips_dsatest
    fips_dssvs
    fips_ecdhvs
    fips_ecdsavs
    fips_gcmtest
    fips_hmactest
    fips_randtest
    fips_rngvs
    fips_rsagtest
    fips_rsastest
    fips_rsavtest
    fips_shatest
    fips_test_suite

Note that for future validations the fips_algvs program will probably entirely replace the separate fips_test_suite and algorithm test driver programs.
B.2 Algorithm Tests - Linux/Unix

4. Add the subtree of test data to the distribution work area:

    cd fips
    unzip <testvectors>.zip -d testvectors

5. Run the FIPS 140-2 algorithm tests:

    perl fipsalgtest.pl --dir=testvectors

This step runs the algorithm tests specific to the FIPS mode. Again a large amount of output will be generated. If an error occurs processing will be aborted.

The output from the cryptographic tests will be compared against the response files already present in the test data and not permanently stored. This comparison automatically suppresses the whitespace and comment line differences and ignores the seven test vector files that are always different[59].

[59] Due to the nature of the cryptographic operations involved the following response files will always be different:

    KeyPair.rsp      DSA
    PQGGen.rsp       DSA
    SigGen.rsp       DSA
    SigGen15.rsp     RSA
    SigGenPSS.rsp    RSA
    SigGenRSA.rsp    RSA
    SigGenPSS.rsp    RSA

The special case cryptographic operations are listed in the associative array %verify_special in the fipsalgvs.pl perl script.

6. To generate and preserve new response files use the --generate option:

    perl fipsalgtest.pl --dir=testvectors --generate

Many (approximately 259) generated *.rsp files will be found in the ./testvectors/ directory tree under ./fips/:

    find testvectors -name '*.rsp'

7. The tree of *.rsp files can also be extracted for comparison with another tree:

    find testvectors -name '*.rsp' | cpio -oc > rsp1.cpio
    ...
    cd /tmp
    mkdir rsp1 rsp2
    cd rsp1; cpio -ic < <path to rsp1.cpio>
    ...
    diff -r ./testvectors/aes/resp/CBCGFSbox192.rsp \
        ../rsp1/testvectors/aes/resp/CBCGFSbox192.rsp
    6c6
    < # Fri Feb 20 12:21:24 2004
    ---
    > # Fri Feb 20 12:21:24 2004
    ...
B.3 Building the Software - Windows

1. Copy the OpenSSL distribution (openssl-fips-2.0.tar.gz) to a directory on the test system. Approximately 80 Mb free space is needed.

2. Perform the standard build.

    cd openssl
    ms\do_fips [no-asm]
    out32dll\fips_test_suite
    ...

where the no-asm option may or may not be present depending on the platform.
B.4 Algorithm Tests - Windows

3. This procedure is similar to that for Linux/Unix:

    cd fips
    unzip <zipfile>.zip -d testvectors
    perl fipsalgtest.pl --win32 --dir=testvectors
    .\fipstests.bat

There is no bundled zip/unzip command for most versions of Microsoft Windows, but many third party implementations are available, such as http://gnuwin32.sourceforge.net/packages/unzip.htm.
B.5 FIPS 140-2 Test - All Platforms

A test driver program has been provided to demonstrate both successful and failed power-up self-tests and the invocation of some basic cryptographic operations. This program was developed during the course of the FIPS 140-2 validation as an aid to the test lab evaluators. This test program, fips_test_suite, can be found in the ./test/ subdirectory. This program behaves the same for Linux/Unix and Windows; for Windows invoke as .\fips_test_suite instead of ./fips_test_suite as shown in this example.
1. When executed with no argument output similar to the full suite of algorithm tests is performed, producing the following output:

    $
    FIPS mode test application
    FIPS 2.0dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    1. Non-Approved cryptographic operation test...
        a. Included algorithm (DH)...... successful
    POST started
    Integrity test started
    Integrity test OK
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC SHA256 test started
    DRBG HMAC SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Success
    2. Automatic power-up self test... successful
    3a. AES encryption/decryption... successful
    3b. AES-GCM encryption/decryption... successful
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    4. RSA key generation and encryption/decryption... successful
    5. DES-ECB encryption/decryption... successful
    Pairwise Consistency DSA test started
    Pairwise Consistency DSA test OK
    6. DSA key generation and signature validation... successful
    7a. SHA-1 hash... successful
    7b. SHA-256 hash... successful
    7c. SHA-512 hash... successful
    7d. HMAC-SHA-1 hash... successful
    7e. HMAC-SHA-224 hash... successful
    7f. HMAC-SHA-256 hash... successful
    7g. HMAC-SHA-384 hash... successful
    7h. HMAC-SHA-512 hash... successful
    8a. CMAC-AES-128 hash... successful
    8b. CMAC-AES-192 hash... successful
    8c. CMAC-AES-256 hash... successful
    8e. CMAC-TDEA-3 hash... successful
    9. Non-Approved cryptographic operation test...
        a. Included algorithm (DH)... successful as expected
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Generated 128 byte RSA private key
    BN key before overwriting:
    400e460169e1e37d8f415fe50c40fab493185c17e99b76e123bc0f3d7d0c8b1f42881ff7396b3ee388c3b973cece2d7d231109a7202016daf1e26caca9e704b9bffd9bd6151d61ab3050a82e78510abf2e450a6c57e9fb7db8a837f81fc93db0c6c95d090ac6752b8ac4ee51623ffcbd270b0ed281ebbe2e6a3a9d0a4012a991
    BN key after overwriting:
    668d6314da4f25ca496a6f98e2f6986437be60f2d34880e8d08060263dd10a3bde7345ef99ed00e2edeedf43a1bda7053c58b6474051bbaf9c9e5bf70a488a7b94d88c67fc9e16fc9e4bb2318836dc47282c8e41d3c35bc400949cd2d2b5e0ee0bd84ce8dffdb02dfc6c9528d0be43b0d95fce6e979c561070e6da5a05b9e53e
    char buffer key before overwriting:
    4850f0a33aedd3af6e477f8302b10968
    char buffer key after overwriting:
    788fadb58c8163405e883a63550fd732
    10. Zeroization... successful as expected
    11. Complete DRBG health check...
    DRBG AES-128-CTR DF test started
    DRBG AES-128-CTR DF test OK
    DRBG AES-192-CTR DF test started
    DRBG AES-192-CTR DF test OK
    ... (very long list of DRBG tests) ...
    DRBG P-521 SHA384 test started
    DRBG P-521 SHA384 test OK
    DRBG P-521 SHA512 test started
    DRBG P-521 SHA512 test OK
    successful as expected
    12. DRBG generation check...
    DRBG SHA1 test started
    DRBG SHA1 test OK
    DRBG SHA1 test started
    DRBG SHA1 test OK
    ... (very long list of DRBG tests) ...
    DRBG P-521 SHA512 test OK
    DRBG P-521 SHA512 test started
    DRBG P-521 SHA512 test OK
    successful as expected
    All tests completed with 0 errors
The --no-dh option skips the glacial and largely pointless DH test.

The --no-drbg option skips the slow full DRBG test.

The --full-post option gives a complete POST listing instead of induced failure and unexpected errors. The output is then much more verbose as it contains every successful test too.

The --full-err option is useful for code tracing. Normally during the induced failure test library errors are not printed out. With this option the error codes corresponding to each operation are displayed, showing the exact line and error code output.
2. When executed with the --post command line option only module initialization will be performed:

    $ test/fips_test_suite --post
    FIPS mode test application
    FIPS 2.0dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    POST started
    Integrity test started
    Integrity test OK
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC SHA256 test started
    DRBG HMAC SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Success
    Power-up self test successful
    $

Note this invocation is useful for a quick estimation of the performance impact of module initialization.
3. To demonstrate the correct functioning of the integrity and KAT test failures a set of corruption tests are run automatically when the unqualified fips_test_suite option is specified. In the implementation of the fips_algvs utility these tests are specified in the fail_list_flist structure and a series of in-line tests which are traversed by the static function do_fail_all() at the point where the line

    13. Induced test failure check...

is printed. Each specific test is preceded by one of the lines

    Testing induced failure of XXXX
    Testing operation failure with XXXX

and the conclusion of all the corruption tests should end with the lines

    Induced failure test completed with 0 errors
    successful as expected

Note the use of three static variables by the function do_fail_all() to specify the specific corruption tests to be performed. The individual tests in the order performed are:

    Integrity
    AES
    DES3
    AES-GCM
    AES-CCM
    AES-XTS
    Digest
    HMAC
    CMAC
    DRBG
    X9.31 PRNG
    RSA
    DSA
    ECDSA
    ECDH
    RSA keygen
    DSA keygen
    ECDSA keygen
    DRBG CPRNG
    DRBG entropy CPRNG
    X9.31 CPRNG
    DRBG entropy failure

This full set of corruption tests should appear as follows:

    13. Induced test failure check...
    Testing induced failure of Integrity test
    POST started
    Integrity test failure induced
    Integrity test failed as expected
    POST Failed
    Testing induced failure of AES test
    POST started
    Cipher AES-128-ECB test failure induced
    Cipher AES-128-ECB test failed as expected
    POST Failed
    Testing induced failure of DES3 test
    POST started
    Cipher DES-EDE3-ECB test failure induced
    Cipher DES-EDE3-ECB test failed as expected
    POST Failed
    Testing induced failure of AES-GCM test
    POST started
    GCM test failure induced
    GCM test failed as expected
    POST Failed
    Testing induced failure of AES-CCM test
    POST started
    CCM test failure induced
    CCM test failed as expected
    POST Failed
    Testing induced failure of AES-XTS test
    POST started
    XTS AES-128-XTS test failure induced
    XTS AES-128-XTS test failed as expected
    XTS AES-256-XTS test failure induced
    XTS AES-256-XTS test failed as expected
    POST Failed
    Testing induced failure of Digest test
    POST started
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    POST Failed
    Testing induced failure of HMAC test
    POST started
    HMAC SHA1 test failure induced
    HMAC SHA1 test failed as expected
    HMAC SHA224 test failure induced
    HMAC SHA224 test failed as expected
    HMAC SHA256 test failure induced
    HMAC SHA256 test failed as expected
    HMAC SHA384 test failure induced
    HMAC SHA384 test failed as expected
    HMAC SHA512 test failure induced
    HMAC SHA512 test failed as expected
    POST Failed
    Testing induced failure of CMAC test
    POST started
    CMAC AES-128-CBC test failure induced
    CMAC AES-128-CBC test failed as expected
    CMAC AES-192-CBC test failure induced
    CMAC AES-192-CBC test failed as expected
    CMAC AES-256-CBC test failure induced
    CMAC AES-256-CBC test failed as expected
    CMAC DES-EDE3-CBC test failure induced
    CMAC DES-EDE3-CBC test failed as expected
    POST Failed
    Testing induced failure of DRBG test
    POST started
    DRBG AES-256-CTR test failure induced
    DRBG AES-256-CTR DF test failed as expected
    DRBG AES-256-CTR test failure induced
    DRBG AES-256-CTR test failed as expected
    DRBG SHA256 test failure induced
    DRBG SHA256 test failed as expected
    DRBG HMAC SHA256 test failure induced
    DRBG HMAC SHA256 test failed as expected
    DRBG P-256 SHA256 test failure induced
    DRBG P-256 SHA256 test failed as expected
    POST Failed
    Testing induced failure of X9.31 PRNG test
    POST started
    X9.31 PRNG keylen=16 test failure induced
    X9.31 PRNG keylen=16 test failed as expected
    X9.31 PRNG keylen=24 test failure induced
    X9.31 PRNG keylen=24 test failed as expected
    X9.31 PRNG keylen=32 test failure induced
    X9.31 PRNG keylen=32 test failed as expected
    POST Failed
    Testing induced failure of RSA test
    POST started
    Signature RSA test failure induced
    Signature RSA test failed as expected
    POST Failed
    Testing induced failure of DSA test
    POST started
    Signature DSA test failure induced
    Signature DSA test failed as expected
    POST Failed
    Testing induced failure of ECDSA test
    POST started
    Signature ECDSA P-224 test failure induced
    Signature ECDSA P-224 test failed as expected
    POST Failed
    Testing induced failure of ECDH test
    POST started
    ECDH P-224 test failure induced
    ECDH P-224 test failed as expected
    POST Failed
    Testing induced failure of RSA keygen test
    POST started
    POST Success
    Pairwise Consistency RSA test failure induced
    Pairwise Consistency RSA test failed as expected
    RSA key generation failed as expected.
    Testing induced failure of DSA keygen test
    POST started
    POST Success
    Pairwise Consistency DSA test failure induced
    Pairwise Consistency DSA test failed as expected
    DSA key generation failed as expected.
    POST started
    POST Success
    Testing induced failure of ECDSA keygen test
    Pairwise Consistency ECDSA test failure induced
    Pairwise Consistency ECDSA test failed as expected
    ECDSA key generation failed as expected.
    POST started
    POST Success
    Testing induced failure of DRBG CPRNG test
    DRBG continuous PRNG failed as expected
    POST started
    POST Success
    Testing induced failure of DRBG entropy CPRNG test
    DRBG continuous PRNG entropy failed as expected
    POST started
    POST Success
    POST started
    POST Success
    Testing induced failure of X9.31 CPRNG test
    X9.31 continuous PRNG failed as expected
    POST started
    POST Success
    Testing operation failure with DRBG entropy failure
    DSA key generated OK as expected.
    DRBG entropy fail failed as expected
    DSA signing failed as expected
    ECDSA key generation failed as expected.
    Induced failure test completed with 0 errors
    successful as expected

So, the presence of the line

    Induced failure test completed with 0 errors

for the block of tests beginning with the line

    13. Induced test failure check...

is a readily observed indication that all corruption tests performed as expected.
4. To demonstrate the module authentication one of four command line options may be given to specify the password value to be passed to FIPS_module_mode_set():

    --nopass     Null password
    --badpass    Invalid password of sufficient length
    --user       The FIPS_AUTH_CRYPTO_USER password
    --officer    The FIPS_AUTH_CRYPTO_OFFICER password

If none of those command line options are given the FIPS_AUTH_CRYPTO_USER password is used. Invocation with --nopass or --badpass will fail:

    $ test/fips_test_suite --badpass
    FIPS mode test application
    FIPS 2.0dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    ERROR:2D078097:lib=45,func=120,reason=151:file=fips.c:line=300
    Power-up self test failed
    $

and invocation with --user or --officer will successfully perform the POST test.
B.6 Testvector Data Files and the fipsalgtest.pl Utility

The FIPS 140-2 test labs use CAVP provided Windows based software known as the "CAVS tool" to generate the test vector data files used for the algorithm tests. The algorithms desired are typically specified using forms proprietary to the specific test lab performing the testing. Non-proprietary facsimiles of those forms specifying the algorithm tests for the 2.0 module validation can be found at http://openssl.com/testing/validation-2.0/forms/.

The test lab uses the CAVS tools to generate a set of "request" files for which corresponding "response" files must be generated by the module (the IUT or Implementation Under Test). The set of request files is typically delivered in a single zip or tar file containing a directory tree with arbitrary pathnames. The only constant is the names of the actual *.rsp response files of input data. Since matching file names up by hand quickly becomes tedious we have developed a utility, fipsalgtest.pl, that will search through a directory hierarchy and identify the relevant test vector files.
For the initial validation there were 257 unique file names with 2 duplicate names, for a total of 259 files:

    Algorithm    Number of *.req files
    AES          108
    AES_GCM      6
    CCM          15
    CMAC         8
    DES          0
    DRBG         4
    DSA          5
    DSA2         5
    ECDSA        4
    ECDSA2       4
    HMAC         1
    KAS          1
    RNG          6
    RSA          9
    SHA          15
    TDES         66
    XTS          2
    Total        259

In order to facilitate the processing of test vector data a series of utilities were developed, culminating in the fipsalgtest.pl program. This program searches a target directory for the known *.rsp files and generates a script referencing the actual pathnames for those files. That script can then be executed to perform the algorithm tests that generate the *.rsp result files. The fipsalg test.pl program reports unrecognized duplicate *.rsp files and any files that were expected but not found. Test vector data sets are generally received as *.zip files, more rarely as *.tgz.
A typical pathname structure (for this validation) is as follows:

    ./OSF_2464_Template
    ./OSF_2464_Template/AES
    ./OSF_2464_Template/AES/resp
    ./OSF_2464_Template/AES/req
    ./OSF_2464_Template/AES/req/CBCGFSbox128.req
    ./OSF_2464_Template/AES/req/CFB128MMT192.req
    ./OSF_2464_Template/AES/req/CBCVarKey192.req
    ./OSF_2464_Template/AES/req/CFB1VarTxt256.req
    ./OSF_2464_Template/AES/req/CBCMMT128.req
    ./OSF_2464_Template/AES/req/CBCKeySbox256.req
    ./OSF_2464_Template/AES/req/ECBVarTxt192.req
    ./OSF_2464_Template/AES/req/CFB128VarKey256.req
    ./OSF_2464_Template/AES/req/OFBVarTxt128.req
    ./OSF_2464_Template/AES/req/CFB1MCT192.req
    ./OSF_2464_Template/AES/req/CBCVarKey128.req
    ./OSF_2464_Template/AES/req/CFB8VarTxt128.req
    ./OSF_2464_Template/AES/req/ECBMMT128.req
    ./OSF_2464_Template/AES/req/CBCGFSbox192.req
    ./OSF_2464_Template/AES/req/CFB128MCT192.req
    ./OSF_2464_Template/AES/req/OFBMCT128.req
    ./OSF_2464_Template/AES/req/CFB1GFSbox256.req
    ...
Note directory names may contain embedded spaces. The data files will generally (though not necessarily) be carriage return-line feed delimited. If multiple platforms are involved in a validation the test vector files for several platforms may be interspersed in the same directory tree. We have also received test vector files for a single platform in multiple different *.zip files, so the fipsalgtest.pl program must be able to filter the relevant *.rsp files out of multiple subdirectories.
The following fipsalgtest.pl options can be used to accommodate various representations of test vector files:

    fipsalgtest.pl: generate run CAVP algorithm tests
        --debug                       Enable debug output
        --dir=<dirname>               Optional root for *.req file search
        --filter=<regex>              Regex for input files of interest
        --onedir                      Assume all components in current directory
        --rspdir=<dirname>            Name of subdirectories containing *.rsp files, default "resp"
        --tprefix=<prefix>            Pathname prefix for directory containing test programs
        --ignore-bogus                Ignore duplicate or bogus files
        --ignore-missing              Ignore missing test files
        --quiet                       Shhh....
        --quiet-bogus                 Skip unrecognized file warnings
        --quiet-missing               Skip missing request file warnings
        --generate                    Generate algorithm test output
        --generate-script=<filename>  Generate script to call algorithm programs
        --minimal-script              Simplest possible output for --generate-script
        --win32                       Win32 environment
        --compare-all                 Verify unconditionally for all tests
        --list-tests                  Show individual tests
        --mkdir=<cmd>                 Specify "mkdir" command
        --notest                      Exit before running tests
        --rm=<cmd>                    Specify "rm" command
        --script-tprefix              Pathname prefix for --generate-script output
        --enable-<alg>                Enable algorithm set <alg>.
        --disable-<alg>               Disable algorithm set <alg>.
        Where <alg> can be one of:
            aes-ccm      (disabled by default)
            rand-aes     (enabled by default)
            ecdsa        (disabled by default)
            hmac         (enabled by default)
            dh           (disabled by default)
            aes-cfb1     (disabled by default)
            ecdh         (disabled by default)
            des3-cfb1    (disabled by default)
            drbg         (disabled by default)
            des3         (enabled by default)
            dsa          (enabled by default)
            dsa-pqgver   (disabled by default)
            rsa-pss0     (disabled by default)
            sha          (enabled by default)
            aes          (enabled by default)
            dsa2         (disabled by default)
            aes-gcm      (disabled by default)
            rsa-pss62    (enabled by default)
            cmac         (disabled by default)
            aes-xts      (disabled by default)
            rsa          (enabled by default)
            v2           (enabled by default)
            rand-des2    (disabled by default)

Simply run

    perl fipsalgtest.pl --dir=testvectors --generate

to generate the *.rsp files for submission to the test lab. Subsequently running fipsalgtest.pl without the --generate option will compare the generated output with the previously existing *.rsp files, and thus provides a comprehensive (though unofficial) check of the algorithm tests. Individual algorithm tests can be selectively specified with options of the form --enable-xxx or --disable-xxx where xxx is one of the algorithm specifications. The --ignore-bogus and --ignore-missing options suppress the error exit if the target test vector directory contains more or fewer *.rsp files than expected (a not uncommon occurrence in validation testing).
For target platforms that do not support a perl interpreter, but which do provide a basic command line shell, a simple shell script can be generated, for instance:

    perl ./fips/fipsalgtest.pl --generate-script=fipstest.sh --tprefix=./test/

will create a script file fipstest.sh that successively invokes each of the algorithm test driver programs with the appropriate input and output file names:

    #!/bin/sh

    # Test vector run script
    # Auto generated by fipsalgtest.pl script
    # Do not edit

    echo Running Algorithm Tests

    RM="rm -rf";
    MKDIR="mkdir";
    TPREFIX=./test/

    echo "Running DSA tests"
    $RM "./testvectors/tv/OSF_2464_Template/DSA/resp"
    $MKDIR "./testvectors/tv/OSF_2464_Template/DSA/resp"
    echo "running PQGGen test"
    ${TPREFIX}fips_dssvs pqg "./testvectors/tv/OSF_2464_Template/DSA/req/PQGGen.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/PQGGen.rsp"
    echo "running KeyPair test"
    ${TPREFIX}fips_dssvs keypair "./testvectors/tv/OSF_2464_Template/DSA/req/KeyPair.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/KeyPair.rsp"
    echo "running SigGen test"
    ${TPREFIX}fips_dssvs siggen "./testvectors/tv/OSF_2464_Template/DSA/req/SigGen.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/SigGen.rsp"
    echo "running SigVer test"
    ${TPREFIX}fips_dssvs sigver "./testvectors/tv/OSF_2464_Template/DSA/req/SigVer.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/SigVer.rsp"
    echo "running PQGVer test"
    ${TPREFIX}fips_dssvs pqgver "./testvectors/tv/OSF_2464_Template/DSA/req/PQGVer.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/PQGVer.rsp"
    ...
For very simple shells the --minimal-script option will omit use of the rm and mkdir commands to manage the output directories, in which case the empty req subdirectories will need to be created beforehand.

To process only a subset of the test vectors file, use the --filter=XXX option to recognize only certain pathnames and the --disable-all --enable-xxx options to enable processing of only the algorithm(s) in that selected set of files. For instance:

    perl ./fips/fipsalgtest.pl --generate-script=fipstestsha.sh --tprefix=./test/ --disable-all --enable-sha --dir=testvectors --filter=SHA
B.6 Documentation

This section discusses the major components of the documentation set for a FIPS 140-2 validation.

Finite State Model

FIPS 140-2 validation requires a Finite State Model (FSM), something that doesn't make much sense for a general purpose cryptographic library. This cosmetic requirement is satisfied by an arbitrary generic diagram and possibly an associated listing or spreadsheet of the states and transitions. Each test lab will typically have a generic template or sample that can be used. The FSM used for this validation can be found in the two files:

    http://openssl.com/testing/validation-2.0/docs/FSM.pdf
    http://openssl.com/testing/validation-2.0/docs/FSM_main.pdf

The FSM does not contain any information of actual technical value.

Vendor Evidence Document

The test lab must answer the assertions in the Derived Test Requirements (DTR) document (Reference 4). Some labs choose to do so by directly listing all of the assertions with corresponding responses in the order those assertions appear in the DTR. Others respond to the assertions in an analysis document structured along more functional lines with many of the redundant and overlapping assertions grouped together with a consolidated response. As with the formal test report (see following section) the test lab will typically want to claim this document as proprietary. The relevant content of the analysis document for this validation has been extracted as Appendix E.

Formal Test Report

The test lab submits a formal test report document to the CMVP. Test labs are uniformly averse to releasing this document but can usually be persuaded to do so under a non-disclosure agreement (such release should be negotiated prior to executing a contract). OSF has seen some test reports but cannot publish them due to the non-disclosure restrictions. Note that those test reports would be of limited value as different test labs can take significantly different approaches to presenting the same module to the CMVP. FIPS 140-2 validation is a highly subjective process and each test lab, and even different reviewers at the CMVP, have distinctive styles. Mixing components from multiple submissions, even of exactly the same software, would result in significant discrepancies and conflicts.
Appendix C  Example OpenSSL Based Application

This example shows a simple application using OpenSSL cryptography which will qualify as FIPS 140-2 validated when built and installed in accordance with the procedures in §5. In this application all cryptography is provided through the FIPS Object Module and the FIPS mode initialization is performed via the FIPS_mode_set() call.

The command generates a HMAC-SHA-1 digest of an input stream or a file, using the same arbitrary key as the OpenSSL FIPS Module file integrity check:

    $ ./fips_hmac -v fips_hmac.c
    FIPS mode enabled
    8f2c8e4f60607613471c11287423f8429b068eb2
    $
    $ ./hmac

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <openssl/hmac.h>
    #include <openssl/err.h>

    static char label[] = "FIPS approved SHA1 HMAC";

    static void dofile(FILE *fp)
    {
        HMAC_CTX ctx;
        unsigned char hmac_value[EVP_MAX_MD_SIZE];
        int hmac_len, i;
        char key[] = "etaonrishdlcupfm";
        char buf[256];

        /* Initialise context */
        HMAC_CTX_init(&ctx);
        /* Set digest type and key in context */
        HMAC_Init_ex(&ctx, key, strlen(key), EVP_sha1(), NULL);
        /* Process input stream */
        while (i = fread(buf, sizeof(char), sizeof(buf), fp)) {
            if (!HMAC_Update(&ctx, buf, i))
                exit(3);
        }
        /* Generate digest */
        if (!HMAC_Final(&ctx, hmac_value, &hmac_len))
            exit(4);
        HMAC_CTX_cleanup(&ctx);
        /* Display digest in hex */
        for (i = 0; i
                  \n", argv[0]);
                puts("Options:");
                puts("\t-c\tUse non-FIPS mode");
                puts("\t-v\tVerbose output");
                exit(1);
            }
            else
                break;
        }
        /* Enter FIPS mode by default */
        if (fipsmode) {
            if (FIPS_mode_set(1)) {
                verbose && fputs("FIPS mode enabled\n", stderr);
            }
            else {
                ERR_load_crypto_strings();
                ERR_print_errors_fp(stderr);
                exit(1);
            }
        }
        if (i >= argc) {
            dofile(fp);
        }
        else {
            while (i

    int FIPS_mode_set(int ONOFF)
    int FIPS_selftest(void)

DESCRIPTION

FIPS_mode_set() enables the FIPS mode of operation for applications that have complied with all the provisions of the OpenSSL FIPS 140-2 Security Policy. Successful execution of this function call with non-zero ONOFF is the only way to enable FIPS mode. After verifying the integrity of the executable object code using the stored digest FIPS_mode_set() performs the power-up self-test. When invoked with ONOFF of zero FIPS_mode_set() exits FIPS mode.

To determine the mode of operation in a running program, an application can call FIPS_mode(3). A non-zero return indicates FIPS mode; a 0 indicates non-FIPS mode.

FIPS_selftest() can be called at any time to perform the FIPS power-up self-test. If the power-up self-test fails subsequent cryptographic operations are disabled. The only possible recovery is a successful re-invocation of FIPS_mode_set() which is unlikely to work unless the original path was incorrect.

RETURN VALUES

A return value of 1 indicates success, 0 failure.

SEE ALSO

FIPS_mode(3), ERR_get_error(3)

NOTES

FIPS_mode_set() and FIPS_selftest() were formerly included with .

HISTORY

FIPS support was introduced in version 0.9 of OpenSSL.
D.3 FIPS_mode()

NAME

FIPS_mode - returns the current FIPS mode of operation.

SYNOPSIS

    #include <openssl/fips.h>
    int FIPS_mode()

DESCRIPTION

FIPS_mode() is used to determine the FIPS mode of operation of the running program. FIPS_mode() currently returns 1 to indicate FIPS mode. Future return values might include 2 to indicate exclusive use of the NSA's Suite B algorithms.

RETURN VALUES

A return code of non-zero indicates FIPS mode, 0 indicates non-FIPS mode.

SEE ALSO

FIPS_mode_set(3)

NOTES

FIPS_mode() was formerly included with .

HISTORY

FIPS support was introduced in version 0.9 of OpenSSL.
D.4 Error Codes

In order to minimize the size of the FIPS module only numeric error codes are returned. When used in conjunction with a FIPS capable OpenSSL distribution these numeric codes will automatically be converted to the usual text format for display, but the FIPS specific standalone utilities print out numerical error codes. These can be interpreted with the openssl errstr command or by checking the source file at the referenced location:

    $ ../util/shlib_wrap.sh ./fips_shatest
    ERROR:2d06c071:lib=45,func=108,reason=113:file=fips.c:line=274
    1,129d0
    $
    $ openssl errstr 2d06c071
    error:2D06C071:FIPS routines:FIPS_mode_set:unsupported platform
    $

These error codes are defined in the include file fips_err.h.
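The ERROR line quoted above packs the library, function and reason numbers into a single hex code, and openssl errstr is one way to unpack it. As an added example that is not part of this User Guide or of the module source, the following C program performs the same unpacking offline. It assumes OpenSSL's ERR_PACK layout (library number in the top 8 bits, function number in the next 12, reason code in the low 12 bits) applies to the codes the standalone FIPS utilities print; the sample ERROR line is the one shown in the text, embedded here as a constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not from the OpenSSL FIPS distribution): unpack the
 * packed numeric error codes printed by the standalone FIPS utilities,
 * e.g. "ERROR:2d06c071:lib=45,func=108,reason=113", into their fields.
 * OpenSSL's ERR_PACK layout is assumed: library number in the top 8
 * bits, function number in the next 12, reason code in the low 12.
 */
struct fips_err {
    unsigned lib;     /* 45 is the FIPS library number in a FIPS capable OpenSSL */
    unsigned func;
    unsigned reason;
};

struct fips_err unpack_err(unsigned long code)
{
    struct fips_err e;
    e.lib = (unsigned)((code >> 24) & 0xffUL);
    e.func = (unsigned)((code >> 12) & 0xfffUL);
    e.reason = (unsigned)(code & 0xfffUL);
    return e;
}

/* Extract the hex code from an "ERROR:xxxxxxxx:..." line as printed by
 * fips_test_suite and the algorithm test drivers. Returns 0 on success,
 * -1 if the line carries no such code. */
int parse_err_line(const char *line, unsigned long *code)
{
    const char *p = strstr(line, "ERROR:");
    char *end;
    if (!p)
        return -1;
    p += 6;                               /* skip the "ERROR:" prefix */
    *code = strtoul(p, &end, 16);
    if (end == p || *end != ':')          /* must be hex followed by ':' */
        return -1;
    return 0;
}

/* Convenience wrapper: the code from a line, or 0 if none was found. */
unsigned long code_of(const char *line)
{
    unsigned long code;
    return parse_err_line(line, &code) == 0 ? code : 0;
}

/* Constructed input: the line quoted in the text above. */
static const char *SAMPLE_LINE =
    "ERROR:2d06c071:lib=45,func=108,reason=113:file=fips.c:line=274";

int main(void)
{
    unsigned long code;
    struct fips_err e;
    if (parse_err_line(SAMPLE_LINE, &code) != 0) {
        fprintf(stderr, "no error code found\n");
        return 1;
    }
    e = unpack_err(code);
    printf("code %08lx -> lib=%u func=%u reason=%u\n",
           code, e.lib, e.func, e.reason);
    return 0;
}
```

The decoded fields reproduce the lib=45, func=108, reason=113 values that the utility itself prints beside the code, which is a quick consistency check when reading logs from a platform where no openssl binary is available; mapping the reason number to its FIPS_R_ name still requires fips_err.h or openssl errstr.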
The FIPS_mode_set() call or other function calls in FIPS mode can return any of the following errors:

    Return Code                                         Meaning and Comment

    CRYPTO_R_FIPS_MODE_NOT_SUPPORTED                    "fips mode not supported"
        You likely linked against a non-FIPS Capable library. Ensure `config fips` was executed when configuring.
    FIPS_R_CANNOT_READ_EXE                              "cannot read exe"
    FIPS_R_CANNOT_READ_EXE_DIGEST                       "cannot read exe digest"
    FIPS_R_CONTRADICTING_EVIDENCE                       "contradicting evidence"
    FIPS_R_EXE_DIGEST_DOES_NOT_MATCH                    "exe digest does not match"
    FIPS_R_FINGERPRINT_DOES_NOT_MATCH                   "fingerprint does not match"
        The integrity test has failed.
    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED  "fingerprint does not match nonpic relocated"
        This Microsoft Windows specific error indicates that there might be a DLL address conflict which needs to be addressed by re-basing the offending DLL.
    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING  "fingerprint does not match segment aliasing"
        This error is returned when a defective compiler has merged .rodata (read-only) and .data (writable) segments. This situation effectively degrades the read-only status of constant tables and leaves them without hardware protection, thus jeopardizing the FIPS mode of operation.
    FIPS_R_FIPS_MODE_ALREADY_SET                        "fips mode already set"
    FIPS_R_INVALID_KEY_LENGTH                           "invalid key length"
    FIPS_R_KEY_TOO_SHORT                                "key too short"
    FIPS_R_NON_FIPS_METHOD                              "non fips method"
        Attempted non FIPS-compliant DSA usage.
    FIPS_R_PAIRWISE_TEST_FAILED                         "pairwise test failed"
        One or more of the algorithm pairwise consistency tests has failed.
    FIPS_R_RSA_DECRYPT_ERROR                            "rsa decrypt error"
    FIPS_R_RSA_ENCRYPT_ERROR                            "rsa encrypt error"
    FIPS_R_SELFTEST_FAILED                              "selftest failed"
        One or more of the algorithm known answer tests has failed.
    FIPS_R_TEST_FAILURE                                 "test failure"
    FIPS_R_UNSUPPORTED_PLATFORM                         "unsupported platform"
        Indicates the validity of the digest test is unknown for the current platform.
Appendix E  Platform Specific Notes

Note: the material present in this appendix for earlier versions of this document has been removed and relocated to http://www.openssl.com/fips/tech/.

E.1 Apple OS X Support

E.2 Apple iOS Support

OpenSSL fully supports building the FIPS Object Module and FIPS Capable library for iOS devices. There are five logical steps to build the OpenSSL FIPS Object Module and FIPS Capable Library for use in an Xcode/iOS project. The steps are outlined below:

1. Acquire the required files
2. Build the Incore utility
3. Build the FIPS Object Module
4. Build the FIPS Capable Library
5. Create an Xcode Project

The procedures for each logical step are detailed below. The sample Xcode project is offered at the end of the chapter.

Acquire Required Files

First, obtain the base files from http://www.openssl.org/source/:

    openssl-1.0.1c.tar.gz
    openssl-fips-2.0.1.tar.gz

Next, acquire the auxiliary files, which can be obtained from http://openssl.com/fips/2.0/platforms/ios/:

    setenv-reset.sh
    setenv-darwin-i386.sh
    setenv-ios-11.sh
    ios-incore-2.0.1.tar.gz

In addition to the required core files listed above, http://openssl.com/fips/2.0/platforms/ios/ includes a sample program: fips-pi.tar.gz.

Illustration 1: OpenSSL FIPS Sample Program

openssl-fips-2.0.1.tar.gz includes the FIPS Object Module. openssl-1.0.1c.tar.gz has the FIPS Capable OpenSSL library. ios-incore-2.0.1.tar.gz contains the OS X and iOS specific Incore utility to determine the object code digest. setenv-darwin-i386.sh and setenv-ios-11.sh are used to set the proper environments for the task at hand, while setenv-reset.sh is used to reset the environment.

Note: as of this writing (January, 2013), the scripts have a PWD dependency and do not alert the user of failures such as missing or errant paths. I was not able to get hardened/updated scripts placed on web for download. Please accept my sincerest apologies (JW).

After collecting the required files, your working directory will look similar to below.

Illustration 2: Working Directory under Finder

After acquiring the files, perform the following in the working directory to remove the quarantine bit and ensure the execute bit is set:

    $ xattr -rd "com.apple.quarantine" *.tar.gz *.sh
    $ chmod +x *.sh

Build the Incore Utility
The Incore utility is a native application used to embed the FIPS Object Module's fingerprint in the ARM library. Building Incore is a two step process: first, build a native version of libcrypto.a, and then build Incore using the previously built native libcrypto.a.

To compile the incore_macho utility for the native platform, perform the following steps:

    $ rm -rf openssl-fips-2.0.1/          (delete old artifacts)
    $ tar xzf openssl-fips-2.0.1.tar.gz   (unpack fresh files)
    $ tar xzf ios-incore-2.0.1.tar.gz
    $ . ./setenv-reset.sh                 (note the leading dot ".")
    $ . ./setenv-darwin-i386.sh           (note the leading dot ".")
    $ cd openssl-fips-2.0.1/              (perform `cd` after setenv)
    $ ./config                            (several screens of output)
    $ make                                (build libcrypto.a, lots of output)
    $ cd iOS/                             (switch to incore's subdirectory)
    $ make                                (build incore_macho, lots of output)

Note: as of this writing (January, 2013), setenv-darwin-i386.sh could silently fail due to PWD dependencies. Please execute the `env` command and verify the paths placed in the environment by the script.

Confirm the utility works:

    $ ./incore_macho
    usage: incore_macho [-debug] [-exe|-dso] executable

If the utility does not work, delete the openssl-fips-2.0.1/ directory and start over.

Once the utility has been verified on the native platform, install the incore_macho utility in a location on path, such as /usr/local/bin. The instructions below offer a second choice, and place incore_macho in your home directory.

    $ mkdir "$HOME/bin"
    $ cp incore_macho "$HOME/bin"
    $ PATH="$HOME/bin":$PATH

Finally, delete the openssl-fips-2.0.1/ directory in preparation for the ARM build of the FIPS Capable library. This is done to keep cross contamination to a minimum since openssl-fips-2.0.1/ is essentially reused.

    $ cd ..
    $ rm -rf openssl-fips-2.0.1/

The instructions from this point assume the build environment has been prepared, including the creation of the incore_macho utility, as documented in the previous section, and that incore_macho is on path.
Build the FIPS Object Module

This section of the document will guide you through the creation of the FIPS Object Module. The Module is governed by the FIPS 140-2 program requirements and you cannot deviate from the Security Policy during any stage of handling, from acquisition, through building, to installation. In case of a discrepancy between this document and the Security Policy, the Security Policy will prevail.

While these commands look similar to those recently executed for the generation of the incore_macho utility, there are subtle differences. This time you are cross-compiling for an iOS device. While it is not readily apparent, the iOS tools used via the IOS_TOOLS environment variable are available from ios-incore-2.0.1.tar.gz, so you must unpack it again. The tools unpack into openssl-fips-2.0.1/.

    $ rm -rf openssl-fips-2.0.1/              (delete old artifacts)
    $ tar xzf openssl-fips-2.0.1.tar.gz       (unpack fresh files)
    $ tar xzf ios-incore-2.0.1.tar.gz         (unpack fresh files)
    $ cd openssl-fips-2.0.1/                  (perform `cd` first)
    $ . ../setenv-reset.sh                    (note the leading dot ".")
    $ . ../setenv-ios-11.sh                   (note the leading dot ".")
    $ llvm-gcc -v                             (verify expected compiler)
    Using built-in specs.
    Target: i686-apple-darwin10
    Configured with: /private/var/tmp/llvmgcc42_Embedded/llvmgcc42_Embedded-2377~4/src/configure ...
    gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2377.00)

Note: as of this writing (January, 2013), setenv-ios-11.sh could silently fail due to PWD dependencies. Please execute the `env` command and verify the paths placed in the environment by the script.

The output of interest from llvm-gcc -v is (1) llvm-gcc is on path; (2) gcc version 4.2.1; and (3) the compiler is for an embedded platform.

At this point you are ready to commence the standard FIPS canister build for the target platform. Note that "fipscanister" is implied, so there is no need for either ./config fipscanisterbuild or ./config fips (nor is it allowed by the Security Policy).

    $ ./config                                (several screens of output)
    $ make                                    (lots of output)

Confirm the binaries are for the iOS target device:

    $ lipo -info ./fips/fipscanister.o
    Non-fat file: ./fips/fipscanister.o is architecture: armv7

After confirming the target architecture, complete the installation procedure by performing an install:

    $ sudo make install

The default installation directory is /usr/local/ssl/Release-iphoneos/.

After installation, delete the openssl-fips-2.0.1/ directory since it is no longer needed:

    $ rm -rf openssl-fips-2.0.1/

Recall from Section 2.4.2 Object Module (Link Time) Integrity that applications link against libcrypto.a, and not directly to fipscanister.o. You will build libcrypto.a and libssl.a next in Build the FIPS Capable Library [60].
Build the FIPS Capable Library

This section of the document will guide you through the creation of the FIPS Capable Library. The capable library is a standard OpenSSL distribution that is "FIPS Aware". The "aware" library handles all the details of operation while in FIPS mode after you successfully call FIPS_mode_set() (see D.2 FIPS_mode_set(), FIPS_selftest()). If you don't call FIPS_mode_set(), the library will still operate as expected; but it will not be using validated cryptography.

[60] There is some hand waving here, but the details are not important at the moment for these procedures.

Recall the FIPS Object Module is governed by the FIPS 140-2 program requirements, and you could not deviate from the Security Policy. The FIPS Capable Library does not endure the same requirements, and you are free to modify the environment and sources within reason.

To build the FIPS Capable library, you must issue ./config fips, but other options are up to you. Some suggested options for configure include:

    Option          Comment
    --openssldir    Base of the OpenSSL installation. Default value is --openssldir=/usr/local/ssl/Release-iphoneos
    --with-fipsdir  Location of fipscanister.o, if not located at /usr/local/ssl/Release-iphoneos/lib.
    -no-sslv2       Disable SSLv2. SSLv2 is defective [61]
    -no-sslv3       Disable SSLv3. SSLv3 is defective [62]
    -no-comp        Disable compression independent of zlib. Compression is known to leak session information via CRIME attacks [63]
    -no-shared      Disable shared library output. Apple only allows static linking, and dynamic linking is not supported on iOS.
    -no-dso         Disable the OpenSSL DSO API (the library offers a shared object abstraction layer). iOS only uses static linking.
    -no-hw          Disable hardware support.
    -no-engines     Disable engine support.

To begin, clean old artifacts and set the environment for cross compilation.

    $ rm -rf openssl-1.0.1c/                  (delete old artifacts)
    $ tar xzf openssl-1.0.1c.tar.gz           (unpack fresh files)
    $ cd openssl-1.0.1c/                      (perform `cd` first)
    $ . ../setenv-reset.sh                    (note the leading dot ".")
    $ . ../setenv-ios-11.sh                   (note the leading dot ".")

[61] Bruce Schneier and David Wagner, Analysis of the SSL 3.0 Protocol, www.schneier.com/paper-ssl-revised.pdf
[62] Loren Weith, Differences Between SSLv2, SSLv3, and TLS, http://www.yaksman.org/~lweith/ssl.pdf
[63] Mozilla's NSS accidentally disabled compression long before CRIME attacks due to compile/link conflicts (https://bugzilla.mozilla.org/show_bug.cgi?id=580679). Mozilla's Firefox did not support compression on clients. Many other browsers, such as Android (com.android.browser), did not support compression.

Next, configure and make the FIPS Capable library, where you pick your favorite options. No options are also acceptable:

    $ ./config fips                           (several screens of output)
    $ make                                    (lots of output)

Confirm the binaries are for the iOS target device:

    $ lipo -info ./libcrypto.a ./libssl.a
    Non-fat file: ./libcrypto.a is architecture: armv7
    Non-fat file: ./libssl.a is architecture: armv7

After confirming the target architecture, complete the installation procedure by performing an install:

    $ sudo make install

The default installation directory is /usr/local/ssl/Release-iphoneos/.

After installation, delete the openssl-1.0.1c/ directory since it is no longer needed:

    $ rm -rf openssl-1.0.1c/

You might encounter issues due to the configuration options. The issues have been cleared in the version control system, but the tarballs may be dated. If so, the issues and the fixes are listed below. Recall you have latitude in changing source files because the OpenSSL FIPS Capable Library is outside the Cryptographic Module (CM) boundary.

    Issue                                          Remedy
    Built-in tools not on path                     Open setenv-ios-11.sh, and change the CROSS_COMPILE variable to CROSS_COMPILE="$CROSS_CHAIN"
    No valid iOS SDK                               Open setenv-ios-11.sh, and change the for loop to include 6.2, 6.1, and 6.0
    makedepend: warning: cannot open "armv7"
    makedepend: error: ...                         Open the Makefile, and change MAKEDEPPROG=makedepend to MAKEDEPPROG=$(CC) -M
    Undefined symbols for architecture armv7:
    "_ERR_load_COMP_strings"                       Open err_all.c, and delete all declarations of ERR_load_COMP_strings()

OpenSSL Xcode Application

OpenSSL offers a sample Xcode project to test your installation. The minimal project demonstrates linking against the FIPS Capable Library, enabling FIPS Mode, disabling FIPS mode, displaying the embedded and calculated fingerprint, and displaying critical values from fips_premain.c. A screen capture from the device is shown in Illustration 1: OpenSSL FIPS Sample Program.

The essence of the sample code is shown in the listing below. The code toggles FIPS mode by way of FIPS_mode() and FIPS_mode_set(), and retrieves error information via ERR_get_error(). The functions are available from and respectively. In the case of an error, error values were discussed in Appendix D FIPS API Documentation.

    #include <openssl/crypto.h>   /* FIPS_mode(), FIPS_mode_set() */
    #include <openssl/err.h>      /* ERR_get_error() */

    int mode = FIPS_mode(), ret = 0;   /* current mode: 0 = off, 1 = on */
    unsigned long err = 0;

    if (mode == 0) {
        ret = FIPS_mode_set(1 /* on */);
        err = ERR_get_error();
    } else {
        ret = FIPS_mode_set(0 /* off */);
        err = ERR_get_error();
    }

    /* FIPS_mode_set() returns 1 on success; anything else is a failure
       (for example, the power-up self tests did not pass) */
    if (1 != ret)
        DisplayError("FIPS_mode_set failed", err);
    ...

After creating an Xcode project, you must add fips_premain.c to the project. Copy fips_premain.c from its location at /usr/local/ssl/Release-iphoneos/lib/ into your project's working directory. Since the file is outside the Cryptographic Module (CM) boundary, you can check it into revision control and even modify it if desired (within reason).

The Xcode Build Settings to compile an OpenSSL dependent program are discussed below. The Build Setting should be set on the Project, and not the Target (all targets inherit from the project). The sample project has screen captures of the relevant changes under Xcode in the top level settings/ directory.

    Build Setting                                          Value
    Architectures (ARCHS)                                  armv7 (remove armv6 and/or armv7s, unless you built for the architecture).
    Valid Architectures (VALID_ARCHS)                      armv7 (remove armv6 and/or armv7s, unless you built for the architecture).
    Always Search User Paths (ALWAYS_SEARCH_USER_PATHS)    Yes (due to #include in non-standard location)
    User Header Search Paths (USER_HEADER_SEARCH_PATHS)    /usr/local/ssl/Release-iphoneos/include/
    Other Linker Flags (OTHER_LDFLAGS)                     /usr/local/ssl/Release-iphoneos/libcrypto.a (use the fully specified path name, without -l or -L)

Illustration 3: fips_premain.c

The final modification is a Build Phase Script on the Target (not the Project) to embed the Module's expected signature using incore_macho. The full command to embed the signature is /usr/local/bin/incore_macho -exe "$CONFIGURATION_BUILD_DIR/$EXECUTABLE_PATH".
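A defensive version of that Build Phase script, as an added example that is not part of the guide or the sample project: it parses the `lipo -info` output the guide shows and runs incore_macho -exe only on a single-architecture armv7 image, so a stale fat or simulator binary is caught before the fingerprint is embedded. It assumes incore_macho lives in /usr/local/bin as the guide suggests; the helper names are mine.

```shell
#!/bin/sh
# Added example (not the guide's or the sample project's own script): a
# checked Build Phase script for embedding the FIPS Object Module fingerprint.
# Assumed: incore_macho was installed to /usr/local/bin as the guide suggests.

INCORE=/usr/local/bin/incore_macho
WANT_ARCH=armv7

# classify_lipo EXPECTED_ARCH LIPO_OUTPUT
# Parses one line of `lipo -info` output (the format quoted in the guide).
# Returns 0 for a non-fat image of EXPECTED_ARCH, 1 for a non-fat image of a
# different architecture, 2 for a fat (multi-architecture) image, 3 otherwise.
classify_lipo() {
    expected="$1"
    line="$2"
    case "$line" in
        "Non-fat file: "*" is architecture: $expected") return 0 ;;
        "Non-fat file: "*" is architecture: "*)         return 1 ;;
        "Architectures in the fat file: "*)             return 2 ;;
        *)                                               return 3 ;;
    esac
}

# arch_of LIPO_OUTPUT: prints the architecture named in a non-fat line.
arch_of() {
    printf '%s\n' "$1" | sed -n 's/^Non-fat file: .* is architecture: //p'
}

# embed_fingerprint PATH_TO_EXECUTABLE
# Refuses anything but a single-arch armv7 image, then runs the command the
# guide gives for the Build Phase: incore_macho -exe <executable>.
embed_fingerprint() {
    exe="$1"
    [ -f "$exe" ] || { echo "no executable at $exe" >&2; return 1; }
    info=$(lipo -info "$exe" 2>&1) || { echo "$info" >&2; return 1; }
    rc=0
    classify_lipo "$WANT_ARCH" "$info" || rc=$?
    case $rc in
        0) ;;
        1) echo "built for $(arch_of "$info"), expected $WANT_ARCH" >&2; return 1 ;;
        2) echo "fat binary; set ARCHS/VALID_ARCHS to $WANT_ARCH only" >&2; return 1 ;;
        *) echo "unexpected lipo output: $info" >&2; return 1 ;;
    esac
    "$INCORE" -exe "$exe"
}

# Xcode supplies these variables to a Build Phase script; run only when present.
if [ -n "$CONFIGURATION_BUILD_DIR" ] && [ -n "$EXECUTABLE_PATH" ]; then
    embed_fingerprint "$CONFIGURATION_BUILD_DIR/$EXECUTABLE_PATH" || exit 1
fi
```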
Illustration 4: Xcode Build Phase and Incore

E.3 Windows CE Support

NOTE: This section is incomplete

The Microsoft Windows mobile operating systems are among the most challenging platforms for the FIPS Object Module, due to the wide variation among individual system configurations.

Representative Build

These instructions are necessarily only representative of one specific configuration and may require substantial modification for specific Windows CE or EC platforms. Typically a version of Visual Studio will be used. In this representative example the following environment variables are defined in a .BAT file, setenv-wince6.bat:

    @rem
    @rem setenv_wince.cmd
    @rem
    @rem Paths for Visual Studio 2008 on command line (on 64 bit host)
    @call "c:\Program Files\Microsoft Visual Studio 9.0\VC\"vcvarsall.bat
    @set OSVERSION=WCE600
    @set PLATFORM=MACKEREL
    @set TARGETCPU=ARMV4I
    @set WCECOMPAT=C:\wcecompat
    @SET MACKERELSDK=C:\Program Files\Windows CE Tools\wce600\MackerelSDK
    @set PATH=%VSINSTALLDIR%\Common7\IDE;%VCINSTALLDIR%\ce\bin\x86_arm;%VCINSTALLDIR%\bin;%NASMINSTALLDIR%;%PATH%
    @set INCLUDE=%MACKERELSDK%\Include\Armv4i;%VCINSTALLDIR%\ce\include;%INCLUDE%
    @set LIB=%MACKERELSDK%\Lib\ARMV4I;%VCINSTALLDIR%\ce\lib\armv4i;%LIB%
    @set LIBPATH=%MACKERELSDK%\Lib\ARMV4I;%VCINSTALLDIR%\ce\lib\armv4i;%LIBPATH%
    @set FIPS_SHA1_PATH=perl /openssl-fips-2.0/util/fips_standalone_sha1
    @set FIPS_SIG=perl /openssl-fips-2.0/util/msincore

On the Windows build system, invoke a DOS Command Prompt and in that shell enter the following:

    X:\> setenv-wince6
    X:\> cl
    Microsoft (R) C/C++ Optimizing Compiler Version 15.00.20720 for ARM
    Copyright (C) Microsoft Corporation.  All rights reserved.

    usage: cl [ option... ] filename... [ /link linkoption... ]
    X:\>
    X:\> cd openssl-fips-2.0
    X:\openssl-fips-2.0> ms\do_fips
    X:\openssl-fips-2.0> nmake -f ms\cedll.mak build_algvs

In either case a "Press any key to continue..." prompt will be seen. At this point the FIPS Object Module and fips_algvs utility program have been created.

General Considerations

DLLs present on CE versions prior to 6.0 take away a portion of the precious 32MB address space from all processes [64]. This means that unlike "normal" Windows, where DLL load address availability is a per-process attribute, it is a per-system attribute for CE pre-6.0. In more practical terms the determination of the load address can be dependent on the order in which processes are started. In general the static link method is preferred on CE, unless the DLL is ROM-based, and use of ce[dll].mak instead of nt[dll].mak. Note that the two-step link is not necessary for Windows, as use of the msincore utility after a conventional link is sufficient.

For the runtime integrity test (fingerprint verification) to succeed a binary module, either .exe or .dll, must be loaded at a predefined address or not contain any relocations. As there is virtually no control over the load address for CE, fingerprint verification in a DLL will fail. The only solution is to statically link the FIPS Object Module into an .exe executable and not as a DLL.

The build for the formally tested WinCE 5 platform used a ROM-based DLL and some flags set in Platform Builder. A normal DLL would not work as it ignored the load address, and setting /FIXED stopped it loading altogether. Note the fipslink.pl utility can handle even statically linked applications.

Note that Windows and Linux cannot be compared in this context, because Linux can generate position-independent code, which means we avoid any difficulties with base addresses, relocations, etc. For Windows a consistent load address is needed for the DLL. If that DLL isn't ROM-based then things like the load order can result in different addresses, which will result in an invalid signature. So one (messy) solution is to set up Platform Builder to get that consistent load address: as long as it doesn't change it doesn't matter what it is. The process viewer tool can be used to check the load address. Then once a fixed address has been established it can be used to build the FIPS capable OpenSSL to embed the signature; this is the --with-baseaddr= option to Configure.

[64] CE DLLs steal memory from all processes, so if only one application needs to operate in validated mode then a statically linked module is preferable.
Appendix F Restrictions on the Export of Cryptography

Government restrictions and regulations on the use, acquisition, and distribution of cryptographic products are a matter of concern for some potential users.

F.1 Open Source Software

In the United States the current export regulations appear to more or less leave open source software in source code format alone, except for a reporting requirement to the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce; see http://bxa.doc.gov/Encryption/pubavailencsourcecodenofify.html. When in doubt consultation with legal experts would be appropriate.

An example of an E-mail message sent to comply with this reporting requirement is:

    To: crypt@bis.doc.gov, enc@nsa.gov, web_site@bis.doc.gov
    Subject: TSU NOTIFICATION

    SUBMISSION TYPE: TSU
    SUBMITTED BY: Steve Marquess
    SUBMITTED FOR: OpenSSL Software Foundation, Inc.
    POINT OF CONTACT: Steve Marquess
    PHONE and/or FAX: 877-673-6775
    MANUFACTURER: N/A
    PRODUCT NAME/MODEL #: OpenSSL
    ECCN: 5D002
    NOTIFICATION: http://cvs.openssl.org/dir

    Employee(s), subcontractor(s), and/or agent(s) of the OpenSSL Software Foundation, Inc. (OSF) are participating in the development of the freely available open source OpenSSL product by providing feedback on new releases, by requesting new features, by correspondence either to the developer and user mailing lists or directly with the product developers, and by subcontracting software development services to one or more of the OpenSSL developers. This correspondence may include suggested source code fragments or patches. All versions of any such contributions incorporated, or software implemented, in any of the OpenSSL software will be publicly accessible at http://cvs.openssl.org/dir.

    Steve Marquess
    OpenSSL Software Foundation, Inc.
    1829 Mount Ephraim Road
    Adamstown, MD 21710
    USA
    +1 877-673-6775
    marquess@openssl.com

No response was received (or expected).

Other links of interest:

    http://bxa.doc.gov/Encryption/ChecklistInstr.htm

F.2 "Export Jobs, Not Crypto"

For software exported in binary form the situation is far less certain. As incredible and unbelievably opposed to common sense as it seems, current U.S. export controls appear to restrict the export from the U.S. of software products that use the OpenSSL product, even if OpenSSL is used exclusively for all cryptographic functionality. From what has been relayed from several vendors affected by these export restrictions, export approval for software utilizing OpenSSL is contingent on a number of factors including the type of linking (static build-time linking or dynamic run-time linking). Static linking is more desirable, apparently something to do with the concept of an "open cryptographic interface". Evidently a product where the end user can easily substitute a new cryptographic library (a newer version of OpenSSL, say) is not permissible.

Needless to say the written regulations and expert commentary are varied, so advice of legal counsel is recommended. The only other safe course of action would be to pay non-U.S. citizens to develop the cryptographic software overseas and import it into the U.S., as imports are not restricted. Foreigners who benefit financially from this situation refer to the U.S. "export jobs, not crypto" policy.

Links of interest:

    http://www.axsmith.com/Encryption_Law.htm
    http://library.findlaw.com/2000/Jan/1/128443.html
    http://cryptome.org/bxa-bernstein.htm

APPENDIX G Security Policy Errata

The formal Security Policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf) is a controlled document and so, as with the validated software proper, cannot readily be changed. This section lists known errors in that document.

Table 2: The operating system for platform 9 is listed as "Android 2.2". That device was the Motorola Xoom running Android 3.0, the earliest version of Android that device shipped with. During the period the validation was in process that version of Android on that device was superseded by Android 4.0, which was tested as platform 39, so platform 9 is of academic interest only (note platform 9 essentially duplicates platform 2). The error was reported to the test lab even prior to the formal validation award, but since correction of errors in completed validations is difficult we elected not to press the issue.
Appendix H DTR Analysis

[TBD]

Appendix I API Entry Points by Source File

The API entry points in the Module are listed here, organized by source file. FIPS 140-2 requires that logical interfaces have to be identified as one of "data input", "data output", "control input", or "status output". Functions with multiple arguments and the C language argument passing mechanism do not naturally match these categories, especially where pointers to structures are used. This table designates each function as primarily serving one of the four purposes, with the individual arguments also designated as input, output, or both.

The function names are in bold. Input arguments are highlighted in Grey and listed with a right pointing arrow (->). Output arguments are listed with a left pointing arrow (<-). The function return value is denoted in the list of arguments as "Return".

Note that many of these Module API function calls are rarely if ever referenced directly by applications; instead they are referenced from the separate OpenSSL product by a non-cryptographic abstraction layer such as the EVP interface (see Reference 11). Some external symbols defined in the Module but not intended for reference by calling applications are omitted. Also note that the API as documented below may vary slightly by platform due to the use of assembly language optimizations.

Some general notes:

The POST code is contained in the ./fips/ subdirectory, beginning with the FIPS_module_mode_set() function in ./fips/fips.c and leading directly to functions defined in ./fips/fips_post.c.

The best way to trace each of the algorithm implementations is from the respective algorithm test drivers, as they start with the CAVS test vector request file data and make the appropriate API calls to perform the algorithm processing. Those are found in the ./fips/XXX/ directories, for "XXX" the algorithm, and are also symlinked from the ./test/ subdirectory:

    test/fips_aesavs.c -> ../fips/aes/fips_aesavs.c
    test/fips_cmactest.c -> ../fips/cmac/fips_cmactest.c
    test/fips_desmovs.c -> ../fips/des/fips_desmovs.c
    test/fips_dhvs.c -> ../fips/dh/fips_dhvs.c
    test/fips_drbgvs.c -> ../fips/rand/fips_drbgvs.c
    test/fips_dsatest.c -> ../fips/dsa/fips_dsatest.c
    test/fips_dssvs.c -> ../fips/dsa/fips_dssvs.c
    test/fips_ecdhvs.c -> ../fips/ecdh/fips_ecdhvs.c
    test/fips_ecdsavs.c -> ../fips/ecdsa/fips_ecdsavs.c
    test/fips_gcmtest.c -> ../fips/aes/fips_gcmtest.c
    test/fips_hmactest.c -> ../fips/hmac/fips_hmactest.c
    test/fips_randtest.c -> ../fips/rand/fips_randtest.c
    test/fips_rngvs.c -> ../fips/rand/fips_rngvs.c
    test/fips_rsagtest.c -> ../fips/rsa/fips_rsagtest.c
    test/fips_rsastest.c -> ../fips/rsa/fips_rsastest.c
    test/fips_rsavtest.c -> ../fips/rsa/fips_rsavtest.c
    test/fips_shatest.c -> ../fips/sha/fips_shatest.c

Note the algorithm test drivers themselves are not part of the FIPS module.

Symbol renaming: Some symbol names as defined in the source code are dynamically redefined at build time. This API documentation shows both the original (source code) and build time (object code) symbol names, for instance:

    FIPS_bn_bn2bin (renames BN_bn2bin) in file ./crypto/bn/bn_lib.[o|c]

which indicates that the FIPS_bn_bn2bin() function as seen in the compiled code (./crypto/bn/bn_lib.o) is found in the source code as function BN_bn2bin() in source file ./crypto/bn/bn_lib.c. Some functions are not renamed, for instance:

    FIPS_module_mode_set in file ./fips/fips.[o|c]

indicates that FIPS_module_mode_set() is defined in ./fips/fips.c and ./fips/fips.o with the same symbol name. Likewise,

    FIPS_add_lock (reimplements CRYPTO_add_lock) in file ./fips/utl/fips_lck.[o|c]

indicates that FIPS_add_lock() is defined by that name in both ./fips/utl/fips_lck.o and ./fips/utl/fips_lck.c; the "reimplements" notation refers to the redefinition of this FIPS module specific function to replace a similar known function from the original OpenSSL distribution from which the FIPS module was derived.

This list was produced by the api_list.pl tool in the ./fips/tools/ subdirectory of the source code distribution, using supporting files also in that directory:

    api_fns.pm          a perl module for api_list.pl
    declarations.dat    a file of information about public fips symbols

This utility attempts to determine the "direction of use" for each function parameter, i.e. whether that parameter is referenced as input, as output, or both. That determination is far from clear in some cases, as for some types of parameters there is no clear answer -- consider for instance a pointer to a structure containing a callback to a function that is only called as an exception. In any event that information is stored in the file declarations.dat and can be manually corrected by replacing the value for the key 'direction' where the value contains a question mark. Those values can be changed as appropriate, to one of:

    output
    input
    both

and the manually changed values will be preserved in the declarations.dat file.

The api_list.pl utility has no command line options and is invoked from the root of the source code work area:

    perl fips/tools/api_list.pl >

The HTML formatted contents of the output file can be lightly edited for inclusion in documents such as this one.

The following list shows the functions in alphabetical order by the runtime symbol name.
FIPS_add_error_data (reimplements ERR_add_error_data) in file ./fips/utl/fips_err.[o|c]
    void FIPS_add_error_data(int num, ...)
    -> num, -> ...

FIPS_add_lock (reimplements CRYPTO_add_lock) in file ./fips/utl/fips_lck.[o|c]
    int FIPS_add_lock(int *pointer, int amount, int type, const char *file, int line)

FIPS_bn_clear_free (renames BN_clear_free) in file ./crypto/bn/bn_lib.[o|c]
    void FIPS_bn_clear_free(BIGNUM *a)
    <- a

FIPS_bn_free (renames BN_free) in file ./crypto/bn/bn_lib.[o|c]
    void FIPS_bn_free(BIGNUM *a)
    <- a

FIPS_bn_generate_prime_ex (renames BN_generate_prime_ex) in file ./crypto/bn/bn_prime.[o|c]
    int FIPS_bn_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
    <- ret, -> bits, -> safe, -> add, -> rem, <- cb

FIPS_crypto_thread_id (renames CRYPTO_thread_id) in file ./crypto/thr_id.[o|c]
    unsigned long FIPS_crypto_thread_id()

FIPS_crypto_threadid_set_pointer (renames CRYPTO_THREADID_set_pointer) in file ./crypto/thr_id.[o|c]
    void FIPS_crypto_threadid_set_pointer(CRYPTO_THREADID *id, void *ptr)
    <- id, <- ptr

FIPS_des_check_key_parity (renames DES_check_key_parity) in file ./crypto/des/set_key.[o|c]
    int FIPS_des_check_key_parity(const_DES_cblock *key)
    -> key

FIPS_dh_generate_key (renames DH_generate_key) in file ./crypto/dh/dh_key.[o|c]
    int FIPS_dh_generate_key(DH *dh)
    <- dh

FIPS_drbg_set_callbacks in file ./fips/rand/fips_drbg_lib.[o|c]
    int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
        size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len),
        void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
        size_t entropy_blocklen,
        size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len),
        void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen))

FIPS_drbg_set_rand_callbacks in file ./fips/rand/fips_drbg_lib.[o|c]
    int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
        size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
        void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
        int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
        int (*rand_add_cb)(DRBG_CTX *ctx, const void *buf, int num, double entropy))

FIPS_drbg_stick in file ./fips/rand/fips_drbg_lib.[o|c]
    void FIPS_drbg_stick(int onoff)
    -> onoff

FIPS_drbg_uninstantiate in file ./fips/rand/fips_drbg_lib.[o|c]
    int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)

FIPS_dsa_generate_key (renames DSA_generate_key) in file ./crypto/dsa/dsa_key.[o|c]
    int FIPS_dsa_generate_key(DSA *a)
    <- a

FIPS_dsa_sig_new (reimplements DSA_SIG_new) in file ./fips/dsa/fips_dsa_lib.[o|c]
    DSA_SIG *FIPS_dsa_sig_new()

FIPS_ec_group_get0_generator (renames EC_GROUP_get0_generator) in file ./crypto/ec/ec_lib.[o|c]
    const EC_POINT *FIPS_ec_group_get0_generator(const EC_GROUP *group)
    -> group

FIPS_ec_group_set_curve_gf2m (renames EC_GROUP_set_curve_GF2m) in file ./crypto/ec/ec_lib.[o|c]
    int FIPS_ec_group_set_curve_gf2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
    <- group, -> p, -> a, -> b

FIPS_ec_group_set_generator (renames EC_GROUP_set_generator) in file ./crypto/ec/ec_lib.[o|c]
    int FIPS_ec_group_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor)
    <- group, -> generator, -> order, -> cofactor

FIPS_ec_key_check_key (renames EC_KEY_check_key) in file ./crypto/ec/ec_key.[o|c]
    int FIPS_ec_key_check_key(const EC_KEY *key)
    -> key

FIPS_ec_key_copy (renames EC_KEY_copy) in file ./crypto/ec/ec_key.[o|c]
    EC_KEY *FIPS_ec_key_copy(EC_KEY *dst, const EC_KEY *src)
    <- dst, -> src

FIPS_ec_key_generate_key (renames EC_KEY_generate_key) in file ./crypto/ec/ec_key.[o|c]
    int FIPS_ec_key_generate_key(EC_KEY *key)
    <- key

FIPS_ec_key_new (renames EC_KEY_new) in file ./crypto/ec/ec_key.[o|c]
    EC_KEY *FIPS_ec_key_new()

FIPS_ec_key_set_conv_form (renames EC_KEY_set_conv_form) in file ./crypto/ec/ec_key.[o|c]
    void FIPS_ec_key_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform)
    <- eckey, -> cform

FIPS_ec_key_set_enc_flags (renames EC_KEY_set_enc_flags) in file ./crypto/ec/ec_key.[o|c]
    void FIPS_ec_key_set_enc_flags(EC_KEY *eckey, unsigned int flags)
    <- eckey, -> flags

FIPS_ec_key_set_flags (renames EC_KEY_set_flags) in file ./crypto/ec/ec_key.[o|c]
    void FIPS_ec_key_set_flags(EC_KEY *key, int flags)
    <- key, -> flags

FIPS_ec_key_set_group (renames EC_KEY_set_group) in file ./crypto/ec/ec_key.[o|c]
    int FIPS_ec_key_set_group(EC_KEY *key, const EC_GROUP *group)
    <- key, -> group

FIPS_ec_point_free (renames EC_POINT_free) in file ./crypto/ec/ec_lib.[o|c]
    void FIPS_ec_point_free(EC_POINT *point)
    <- point

FIPS_ec_point_get_affine_coordinates_gf2m (renames EC_POINT_get_affine_coordinates_GF2m) in file ./crypto/ec/ec_lib.[o|c]
    int FIPS_ec_point_get_affine_coordinates_gf2m(const EC_GROUP *group, const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
    -> group, -> p, <- x, <- y

FIPS_ecdsa_sig_new (reimplements ECDSA_SIG_new) in file ./fips/ecdsa/fips_ecdsa_lib.[o|c]
    ECDSA_SIG *FIPS_ecdsa_sig_new()

FIPS_get_cipherbynid in file ./fips/utl/fips_enc.[o|c]
    const struct evp_cipher_st *FIPS_get_cipherbynid(int nid)
    -> nid

FIPS_hmac (renames HMAC) in file ./crypto/hmac/hmac.[o|c]
    unsigned char *FIPS_hmac(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, size_t n, unsigned char *md, unsigned int *md_len)
    -> evp_md, -> key, -> key_len, -> d, -> n

FIPS_hmac_final (renames HMAC_Final) in file ./crypto/hmac/hmac.[o|c]
    __owur int FIPS_hmac_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)

FIPS_malloc (reimplements CRYPTO_malloc) in file ./fips/utl/fips_mem.[o|c]
    void *FIPS_malloc(int num, const char *file, int line)
    -> num, -> file, -> line

FIPS_openssl_showfatal (renames OPENSSL_showfatal) in file ./crypto/cryptlib.[o|c]
    void FIPS_openssl_showfatal(const char *fmta, ...)
    -> fmta, -> ...

FIPS_openssldie (renames OpenSSLDie) in file ./crypto/cryptlib.[o|c]
    void FIPS_openssldie(const char *file, int line, const char *assertion)
    -> file, -> line, -> assertion

FIPS_post_set_callback in file ./fips/fips_post.[o|c]
    void FIPS_post_set_callback(int (*post_cb)(int op, int id, int subid, void *ex))

FIPS_rand_add (reimplements RAND_add) in file ./fips/rand/fips_rand_lib.[o|c]
    void FIPS_rand_add(const void *buf, int num, double entropy)
    -> buf, -> num, -> entropy

FIPS_rand_bytes (reimplements RAND_bytes) in file ./fips/rand/fips_rand_lib.[o|c]
    int FIPS_rand_bytes(unsigned char *buf, int num)
    <- buf, -> num

FIPS_rand_set_bits in file ./fips/rand/fips_rand_lib.[o|c]
    void FIPS_rand_set_bits(int nbits)
    -> nbits

FIPS_rand_set_method in file ./fips/rand/fips_rand_lib.[o|c]
    int FIPS_rand_set_method(const RAND_METHOD *meth)
    -> meth

FIPS_rsa_blinding_on (renames RSA_blinding_on) in file ./crypto/rsa/rsa_crpt.[o|c]
    int FIPS_rsa_blinding_on(RSA *rsa, BN_CTX *ctx)
    <- rsa

FIPS_rsa_generate_key_ex (renames RSA_generate_key_ex) in file ./crypto/rsa/rsa_gen.[o|c]
    int FIPS_rsa_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)
    <- rsa, -> bits, <- e, <- cb

FIPS_set_malloc_callbacks in file ./fips/utl/fips_mem.[o|c]
    void FIPS_set_malloc_callbacks(void *(*malloc_cb)(int num, const char *file, int line), void (*free_cb)(void *))
    -> malloc_cb, <- free_cb

FIPS_text_end in file ./fips/fips_end.[o|c]
    void *FIPS_text_end()

FIPS_x931_test_mode in file ./fips/rand/fips_rand.[o|c]
    int FIPS_x931_test_mode()
    <- Return
