Discussion:
OpenSSL FIPS Object Module 1.2.4 support for Apple iOS and OS X
Alex Chen
2012-07-03 23:35:30 UTC
I assume this module will work with both OpenSSL 1.0.0 and 1.0.1?

The OpenSSL FIPS Object Module 1.2 has been extended to include support
for the iOS and Mac OS X operating systems, as the newly released
revision 1.2.4. This new support was made possible by a collaboration
with Thursby Software Systems, Inc, (http://www.thursby.com/), a leading
vendor of commercial Apple enterprise integration products.
This module corresponds to the FIPS 140-2 validation certificate
#1051, see
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051
http://openssl.org/source/openssl-fips-1.2.4.tar.gz
An update to the 1.2 User Guide document should be forthcoming in a few
http://openssl.org/docs/fips/UserGuide-1.2.pdf
Note "UserGuide.pdf" is currently a symlink to "UserGuide-1.2.pdf", but
will soon reference the new User Guide 2.0 document for the upcoming
OpenSSL FIPS Object Module 2.0.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Steve Marquess
2012-07-04 13:05:35 UTC
Post by Alex Chen
I assume this module will work with both OpenSSL 1.0.0 and 1.0.1?

No, the OpenSSL FIPS Object Module 1.2.4 is only compatible with OpenSSL
0.9.8.

We do expect to be adding support for iOS to the 2.0 FIPS module in the
near future. The 2.0 FIPS module is compatible with OpenSSL 1.0.1.

There are no current plans to add Mac OS X to the 2.0 FIPS module (no
sponsors).

-Steve M.
Alex Chen
2012-07-05 16:43:50 UTC
Thanks for the information, Steve. I do have some questions about the FIPS
module.

1. What does 'support' mean? Does it involve source code change or is it
simple changes in the configure script to make the code compile correctly
in a specific OS and generate the proper library?

2. Since the FIPS module 2.0 has already been certified will it require a
new certification if iOS support is added? Or is it going to fall into the
'Change Letter' modification category?

3. From what is currently available, if a user wants to use OpenSSL FIPS
module for MacOS, the only option seems to be FIPS module 1.2.4 (and
implicitly OpenSSL 0.9.8)?

4. It seems there is a sponsor for FIPS module 1.2.4 for MacOS but not in
FIPS module 2.0. What is involved in a 'sponsorship'?

5. If we take the source code and create an Xcode project to build the
library instead of using the configure script but use the same flags and
defines specified in the Makefile, will the resulting library still be
considered valid, assuming it passes all the tests that come with the source
code?


Alex
Steve Marquess
2012-07-06 23:36:10 UTC
Post by Alex Chen
Thanks for the information, Steve. I do have some questions about the FIPS
module.
1. What does 'support' mean? Does it involve source code change or is it
simple changes in the configure script to make the code compile correctly
in a specific OS and generate the proper library?

In this context it means we expect to be adding iOS to the OpenSSL FIPS
Object Module 2.0 (#1747) validation as a formally tested platform
("Operational Environment"), which will mean that module can be used on
iOS where FIPS 140-2 validation is required.

Post by Alex Chen
2. Since the FIPS module 2.0 has already been certified will it require a
new certification if iOS support is added? Or is it going to fall into the
'Change Letter' modification category?

Yes, iOS will be added to the existing #1747 validation via a "change
letter" process.

Post by Alex Chen
3. From what is currently available, if a user wants to use OpenSSL FIPS
module for MacOS, the only option seems to be FIPS module 1.2.4 (and
implicitly OpenSSL 0.9.8)?

Correct.

Post by Alex Chen
4. It seems there is a sponsor for FIPS module 1.2.4 for MacOS but not in
FIPS module 2.0. What is involved in a 'sponsorship'?

Money (always!) and sometimes the provision of suitable platforms to
test on. In the case of Mac OS X we will need access to appropriate
hardware for the duration of the testing process (several weeks).

Post by Alex Chen
5. If we take the source code and create an Xcode project to build the
library instead of using the configure script but use the same flags and
defines specified in the Makefile, will the resulting library still be
considered valid, assuming it passes all the tests that come with the source
code?

Only the FIPS module itself (the fipscanister object file) is validated.
That must be generated *exactly* as documented in the Security Policy,
and the documented process does not use Xcode for OS X. Once that is
done there are essentially no restrictions on how you subsequently link
it with your application code.

So, you're stuck with the config/Configure scripts for the module build;
no room for creativity there. We used Xcode to build the test programs
used for the OS X and iOS validation testing.

-Steve M.
Alex Chen
2012-07-07 00:12:26 UTC
Thanks, Steve.

Alex