Transcription of User Guide - OpenSSL
1 user Guidefor theOpenSSL FIPS Object module (for validations #1747, #2398, and #2473 including revisions , , , , , , , , , , , ) OpenSSL Validation Services, Inc.(formerly OpenSSL Software Foundation)March 14, 2017 user Guide - OpenSSL FIPS Object module and Trademark NoticeThis document is licensed under a Creative Commons Attribution Unported License ( ) OpenSSL is a registered trademark of the OpenSSL Software by:Defense Advanced Research Projects Agency (DARPA)Transformative Apps ProgramIntersoft International, of Homeland SecurityScience and Technology DirectoratePage 2 of 225 user Guide - OpenSSL FIPS Object module by:Dell 3 of 225sponsor of Beaglebone Black platformsUser Guide - OpenSSL FIPS Object module Validation Services (OVS) serves as the "vendor" for this validation.
2 Project management coordination for this effort was provided by:Steve Marquess+1 301-874-2571 OpenSSL Validation Services, Mount Ephraim RoadAdamstown, MD 21710 USAwith technical work by:Dr. Stephen Henson4 Monaco ST5 , United PolyakovChalmers University of 96 Gothenburg Box Gardens 4103 Australia coordination with the OpenSSL team at Validation testing was performed by Infogard Laboratories. For information on validation or revalidations of software contact:Marc Ireland805-783-0810 telFIPS Program Manager, CISSP805-783-0889 faxInfoGard, a UL Fiero Lane, Suite 25 Luis Obispo, CA 93401 Page 4 of 225 user Guide - OpenSSL FIPS Object module HistoryThis document will be revised over time as new information becomes available; for the latest version.
3 Suggestions for additions, corrections, or improvement are welcome and will be gratefully acknowledged; please send document error reports or suggestions to for typos (thanks to Pete Brennan new section , discussion of Alternative Scenario 1A/1B clone validations2016-04-12 Updates references to OpenSSL (thanks to Jeremiah R. Niebuhr for revision , note OpenSSL Validation Services name change2016-02-05 Fixed several typos (thanks to Ti Strga , clarify discussion of the entropy callback2015-11-05 Fix typo in section , expanded discussion of the entropy callback (thanks to Lee D Gibbins 2015-09-16 Section , corrected four typos (thanks to Conrad Gerhart new section , "CCM".)))))
4 2015-09-05 Reference the revisionFixed typo in section (thanks to Conrad Gerhart team GPG/PGP keys in Appendix A, noted new , platforms in section typographical corrections (thanks to Mike Carden typo in Section , added new platforms in Section 32014-07-21 Reference the and revisions2013-12-04 Appendix B: Updated footnote referencing special cases in fips_algvs2013-11-01 Added Citrix acknowledgment2013-10-31 Update URL in section (thanks to typo in section 6 (thanks to Cryptsoft acknowledgment, update for , note effective disabling of Dual EC DRBG2013-02-02 Documented FIPSDIR in Section issue with iOS and VALID_ARCHS vs ARCHS2013-01-10 Clarified iOS procedures2013-01-09 Added information on FIPS_module_mode()))))
5 Page 5 of 225 user Guide - OpenSSL FIPS Object module corrections and flow improvements2012-12-02 Changed "vendor affirmed" references to " user affirmed"2012-11-29 Corrections to instructions for iOS building2012-11-01 Additions to section 62012-10-25 Additions to section , new Appendic new section on GMAC2012-07-17 Added iOS to Appendix E2012-07-03 Correct typographical errors, update acknowledgment2012-06-28 Update with certificate number2012-05-15 Discussion of the new "secure installation" and rename the "fips_hmac" sample application; added section list and cross-reference, and additional discussion of platform issues2012-02-21 Additional discussion of cross-compilation2011-09-07 Initial draft for 6 of 225 user Guide - OpenSSL FIPS Object module of Contents1.
6 FIPS WHAT? WHERE DO I START?.. CHANGE LETTER THE PRIVATE LABEL FIPS 140-2 Specific General THE FIPS module AND INTEGRITY THE FIPS INTEGRITY Requirement for Exclusive Integrity Requirement for Fixed Object Code THE FILE INTEGRITY Source File (Build Time) Object module (Link Time) Application Executable Object (Run Time) RELATIONSHIP TO THE OpenSSL FIPS MODE OF FIPS Mode Algorithms Available in FIPS REVISIONS OF THE PRIOR FIPS OBJECT FUTURE FIPS OBJECT CLONE COMPATIBLE BUILD ENVIRONMENT KNOWN SUPPORTED Code Paths and Command 32 versus 64 Bit Assembler CREATION OF SHARED GENERATING THE FIPS OBJECT DELIVERY OF SOURCE Creation of a FIPS Object module from Other Source Verifying Integrity of Distribution (Best Practice).
7 BUILDING AND INSTALLING THE FIPS OBJECT module WITH OpenSSL (UNIX/LINUX).. Building the FIPS Object module from 7 of 225 user Guide - OpenSSL FIPS Object module Installing and Protecting the FIPS Object Building a FIPS Capable BUILDING AND INSTALLING THE FIPS OBJECT module WITH OpenSSL (WINDOWS).. Building the FIPS Object module from Installing and Protecting the FIPS Object Building a FIPS Capable CREATING APPLICATIONS WHICH REFERENCE THE FIPS OBJECT EXCLUSIVE USE OF THE FIPS OBJECT module FOR FIPS MODE GENERATE APPLICATION EXECUTABLE Linking under Linking under APPLICATION IMPLEMENTATION DOCUMENTATION AND RECORD-KEEPING WHEN IS A SEPARATE FIPS 140-2 VALIDATION REQUIRED?
8 COMMON ISSUES AND Don't Fight Don't Overthink TECHNICAL The DRBG ROLE BASED module SELF POST Conditional self ECC AND THE NSA THE "SECURE INSTALLATION" What Won't What Might Still Confused?.. CAVP Options for Practical 8 of 225 user Guide - OpenSSL FIPS Object module A OpenSSL DISTRIBUTION SIGNING B CMVP TEST BUILDING THE SOFTWARE - ALGORITHM TESTS - BUILDING THE SOFTWARE - ALGORITHM TESTS - FIPS 140-2 TEST - ALL TESTVECTOR DATA FILES AND THE C EXAMPLE OpenSSL BASED NATIVE COMPILATION OF STATICALLY LINKED CROSS-COMPILATION OF "FIPS CAPABLE" SHARED OpenSSL D FIPS API FIPS FIPS_MODE_SET(), FIPS_SELFTEST().
9 FIPS_MODE().. ERROR E PLATFORM SPECIFIC APPLE OS X APPLE IOS Required the Incore the FIPS Object the FIPS Capable Xcode WINDOWS CE F RESTRICTIONS ON THE EXPORT OF OPEN SOURCE EXPORT JOBS, NOT CRYPTO ..158 APPENDIX G SECURITY POLICY H DTR I API ENTRY POINTS BY SOURCE 9 of 225 user Guide - OpenSSL FIPS Object module of ContentsTable of FIPS WHAT? WHERE DO I START?.. CHANGE LETTER THE PRIVATE LABEL FIPS 140-2 Specific General THE FIPS module AND INTEGRITY THE FIPS INTEGRITY Requirement for Exclusive Integrity Requirement for Fixed Object Code THE FILE INTEGRITY Source File (Build Time) Object module (Link Time) Application Executable Object (Run Time)
10 RELATIONSHIP TO THE OpenSSL FIPS MODE OF FIPS Mode Algorithms Available in FIPS REVISIONS OF THE PRIOR FIPS OBJECT FUTURE FIPS OBJECT CLONE COMPATIBLE BUILD ENVIRONMENT KNOWN SUPPORTED Code Paths and Command 32 versus 64 Bit Assembler CREATION OF SHARED GENERATING THE FIPS OBJECT DELIVERY OF SOURCE 10 of 225 user Guide - OpenSSL FIPS Object module Creation of a FIPS Object module from Other Source Verifying Integrity of Distribution (Best Practice).. BUILDING AND INSTALLING THE FIPS OBJECT module WITH OpenSSL (UNIX/LINUX).. Building the FIPS Object module from Installing and Protecting the FIPS Object Building a FIPS Capable BUILDING AND INSTALLING THE FIPS OBJECT module WITH OpenSSL (WINDOWS).
