
User Guide

for the OpenSSL FIPS Object Module v2.0


(including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5)

OpenSSL Software Foundation

September 29, 2013

User Guide - OpenSSL FIPS Object Module v2.0

Copyright and Trademark Notice

This document is licensed under a Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). OpenSSL® is a registered trademark of the OpenSSL Software Foundation, Inc.

Sponsored by:
Defense Advanced Research Projects Agency (DARPA) Transformative Apps Program

Intersoft International, Inc.

Department of Homeland Security Science and Technology Directorate

Dell Inc.
sponsor of Beaglebone Black platforms

Page 2 of 198


Acknowledgments

The OpenSSL Software Foundation (OSF) serves as the "vendor" for this validation. Project management coordination for this effort was provided by:

Steve Marquess
The OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marquess@opensslfoundation.com

with technical work by:

Dr. Stephen Henson
4 Monaco Place, Westlands
Newcastle-under-Lyme
Staffordshire ST5 2QT
England, United Kingdom
shenson@opensslfoundation.com
shenson@drh-consultancy.co.uk
http://www.drh-consultancy.co.uk/

Andy Polyakov
Chalmers University of Technology
SE-412 96 Gothenburg
Sweden
appro@openssl.org
appro@fy.chalmers.se

Tim Hudson
P.O. Box 6389
Fairfield Gardens 4103
Australia
tjh@cryptsoft.com
http://www.cryptsoft.com/

in coordination with the OpenSSL team at www.openssl.org. Validation testing was performed by InfoGard Laboratories. For information on validation or revalidations of software contact:

Mark Minnoch
FIPS Program Manager, CISSP
InfoGard Laboratories
709 Fiero Lane, Suite 25
San Luis Obispo, CA 93401
805-783-0810 tel
805-783-0889 fax
minnoch@infogard.com
http://www.infogard.com/


Revision History

This document will be revised over time as new information becomes available; check http://www.openssl.org/docs/fips/ for the latest version. Suggestions for additions, corrections, or improvement are welcome and will be gratefully acknowledged; please send document error reports or suggestions to userguide@opensslfoundation.com.

Date        Description
2013-09-29  Fixed typo in section 6 (thanks to karanpopali@gmail.com)
2013-09-13  Added Cryptsoft acknowledgment, update for 2.0.5, note effective disabling of Dual EC DRBG
2013-02-02  Documented FIPSDIR in Section 4.2
2013-01-24  Fixed issue with iOS and VALIDARCHS vs ARCHS
2013-01-10  Clarified iOS procedures
2013-01-09  Added information on FIPS_module_mode()
2013-01-08  Spelling corrections and flow improvements
2012-12-02  Changed "vendor affirmed" references to "user affirmed"
2012-11-29  Corrections to instructions for iOS building
2012-11-01  Additions to section 6
2012-10-25  Additions to section 5.3, new Appendix E.3
2012-09-07  Added new section on GMAC
2012-07-17  Added iOS to Appendix E
2012-07-03  Correct typographical errors, update acknowledgment
2012-06-28  Update with certificate number
2012-05-15  Discussion of the new "secure installation" requirement
2012-04-09  Updated and rename the "fips_hmac" sample application; added section 6.5
2012-03-15  Platform list and cross-reference, and additional discussion of platform issues
2012-02-21  Additional discussion of cross-compilation
2011-09-07  Initial draft for openssl-fips-2.0.tar.gz


Table of Contents

1. INTRODUCTION
  1.1 FIPS What? Where Do I Start?
  1.2 "Change Letter" Modifications
  1.3 The "Private Label" Validation
2. BACKGROUND
  2.1 Terminology
    2.1.1 FIPS 140-2 Specific Terminology
    2.1.2 General Glossary
  2.2 The FIPS Module and Integrity Tests
  2.3 The FIPS Integrity Tests
    2.3.1 Requirement for Exclusive Integrity Test
    2.3.2 Requirement for Fixed Object Code Order
  2.4 The File Integrity Chain
    2.4.1 Source File (Build Time) Integrity
    2.4.2 Object Module (Link Time) Integrity
    2.4.3 Application Executable Object (Run Time) Integrity
  2.5 Relationship to the OpenSSL API
  2.6 FIPS Mode of Operation
    2.6.1 FIPS Mode Initialization
    2.6.2 Algorithms Available in FIPS Mode
  2.7 Revisions of the 2.0 Module
  2.8 Prior FIPS Object Modules
  2.9 Future FIPS Object Modules
3. COMPATIBLE PLATFORMS
  3.2 Known Supported Platforms
    3.2.1 Code Paths and Command Sets
    3.2.2 32 versus 64 Bit Architectures
    3.2.3 Assembler Optimizations
  3.3 Creation of Shared Libraries
  3.4 Cross-compilation
4. GENERATING THE FIPS OBJECT MODULE
  4.1 Delivery of Source Code
    4.1.1 Creation of a FIPS Object Module from Other Source Code
    4.1.2 Verifying Integrity of Distribution (Best Practice)
  4.2 Building and Installing the FIPS Object Module with OpenSSL (Unix/Linux)
    4.2.1 Building the FIPS Object Module from Source
    4.2.2 Installing and Protecting the FIPS Object Module
    4.2.3 Building a FIPS Capable OpenSSL


  4.3 Building and Installing the FIPS Object Module with OpenSSL (Windows)
    4.3.1 Building the FIPS Object Module from Source
    4.3.2 Installing and Protecting the FIPS Object Module
    4.3.3 Building a FIPS Capable OpenSSL
5. CREATING APPLICATIONS WHICH REFERENCE THE FIPS OBJECT MODULE
  5.1 Exclusive Use of the FIPS Object Module for Cryptography
  5.2 FIPS Mode Initialization
  5.3 Generate Application Executable Object
    5.3.1 Linking under Unix/Linux
    5.3.2 Linking under Windows
  5.4 Application Implementation Recommendations
  5.5 Documentation and Record-keeping Recommendations
  5.6 When is a Separate FIPS 140-2 Validation Required?
  5.7 Common Issues and Misconceptions
    5.7.1 Don't Fight It
    5.7.2 Don't Overthink It
6. TECHNICAL NOTES
  6.1 DRBGs
    6.1.1 Overview
    6.1.2 The DRBG API
  6.2 Role Based Module Authentication
  6.3 Self Tests
    6.3.1 POST Tests
    6.3.2 Conditional self tests
  6.4 ECDH
  6.5 ECC and the NSA Sublicense
  6.6 The "Secure Installation" Issue
    6.6.1 What Won't Work
    6.6.2 What Might Work
    6.6.3 Still Confused?
  6.7 GMAC
    6.7.1 CAVP Action
    6.7.2 Options for Addressing
    6.7.3 Practical Impact
  6.8 DH
  6.9 DSA
7. REFERENCES
APPENDIX A  OPENSSL DISTRIBUTION SIGNING KEYS
APPENDIX B  CMVP TEST PROCEDURE


  B.1 Building the Software - Linux/Unix
  B.2 Algorithm Tests - Linux/Unix
  B.3 Building the Software - Windows
  B.4 Algorithm Tests - Windows
  B.5 FIPS 140-2 Test - All Platforms
  B.6 Test Vector Data Files and the FIPSALGTEST.PL Utility
  B.6 Documentation
APPENDIX C  EXAMPLE OPENSSL BASED APPLICATION
  C.1 Native Compilation of Statically Linked Program
  C.2 Cross-compilation of "FIPS Capable" Shared OpenSSL Libraries
APPENDIX D  FIPS API DOCUMENTATION
  D.1 FIPS Mode
  D.2 FIPS_mode_set(), FIPS_selftest()
  D.3 FIPS_mode()
  D.4 Error Codes
APPENDIX E  PLATFORM SPECIFIC NOTES
  E.1 Apple OS X Support
  E.2 Apple iOS Support
    Acquire Required Files
    Build the Incore Utility
    Build the FIPS Object Module
    Build the FIPS Capable Library
    OpenSSL Xcode Application
  E.3 Windows CE Support
APPENDIX F  RESTRICTIONS ON THE EXPORT OF CRYPTOGRAPHY
  F.1 Open Source Software
  F.2 "Export Jobs, Not Crypto"
APPENDIX G  SECURITY POLICY ERRATA
APPENDIX H  DTR ANALYSIS
APPENDIX I  API ENTRY POINTS BY SOURCE FILE


1. Introduction

This document is a guide to the use of the OpenSSL FIPS Object Module, a software component intended for use with the OpenSSL cryptographic library and toolkit. It is a companion document to the OpenSSL FIPS 140-2 Security Policy document submitted to NIST as part of the FIPS 140-2 validation process. It is intended as a technical reference for developers using, and system administrators installing, the OpenSSL FIPS software, for use in risk assessment reviews by security auditors, and as a summary and overview for program managers.

It is intended as a guide for annotation and more detailed explanation of the Security Policy, and not as a replacement. In the event of a perceived conflict or inconsistency between this document and the Security Policy the latter document is authoritative as only it has been reviewed and approved by the Cryptographic Module Validation Program (CMVP), a joint U.S. - Canadian program for the validation of cryptographic products (http://csrc.nist.gov/cryptval/).

Familiarity with the OpenSSL distribution and library API (Application Programming Interface) is assumed. This document is not a tutorial on the use of OpenSSL and it only covers issues specific to the FIPS 140-2 validation. For more information on the use of OpenSSL in general see the many other sources of information such as http://openssl.org/docs/ and Network Security with OpenSSL (Reference 4).

The Security Policy document (Reference 1) is available online at the NIST Cryptographic Module Validation website, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf.

For more information on the OpenSSL Software Foundation see http://opensslfoundation.com/. For more information on the OpenSSL project see http://openssl.org/. For more information on NIST and the cryptographic module validation program, see http://csrc.nist.gov/cryptval/.

For information and announcements regarding current and future OpenSSL related validations see http://openssl.org/docs/fips/fipsnotes.html. That web page also has a very quick introduction extracted here:

1.1 FIPS What? Where Do I Start?

Ok, so your company needs FIPS validated cryptography to land a big sale, and your product currently uses OpenSSL. You haven't worked up the motivation to wade through the entire User Guide and want the quick "executive summary". Here is a grossly oversimplified account:

OpenSSL itself is not validated, and never will be. Instead a carefully defined software component called the OpenSSL FIPS Object Module has been created. The Module was designed for compatibility with the OpenSSL library so products using the OpenSSL library and API can be converted to use FIPS 140-2 validated cryptography with minimal effort.


The OpenSSL FIPS Object Module validation is unique among all FIPS 140-2 validations in that the product is "delivered" in source code form, meaning that if you can use it exactly as is and can build it for your platform according to a very specific set of instructions, then you can use it as validated cryptography[3]. The OpenSSL library is also unique in that you can download and use it for free.

If you require source code or build process changes for your intended application, then you cannot use the open source based validated module; you must obtain your own validation. This situation is common; see "Private Label" validation, below.

New FIPS 140-2 validations (of any type) are slow (6-12 months is typical), expensive (US$50,000 is typical for an uncomplicated validation), and unpredictable (completion dates are not only uncertain when first beginning a validation, but remain so during the process).

Note that FIPS 140-2 validation is a complicated topic that the above summary does not adequately address. You have been warned!

1.2 Change Letter Modifications

If the existing validated OpenSSL FIPS Object Module is almost what you need, but some minor modifications are necessary for your intended use, then it may be possible to retroactively modify the original validation to include those necessary changes. The process by which this is done is known as the "maintenance letter" or "change letter" process. A change letter can be substantially faster and less expensive than obtaining a new, independent validation. Modifications to the FIPS module to support a new platform (operating system or compiler) are often compatible with the change letter process.

1.3 The "Private Label" Validation

The OSF would prefer to work on open source based validations which benefit the OpenSSL user community at large. However, we understand not all work can benefit the community. We refer to validations based directly on the OpenSSL FIPS Object Module but not available to the community as "private label" validations. They are also sometimes referred to as "cookie cutter" validations. Many ISVs and vendors are interested in private label validations, and the OSF will assist in such efforts with a priced engagement. An ISV or vendor usually obtains a private label validation for marketing or risk management purposes. For example, a company may choose to privately retain its validation to ensure its competitive advantage, or a company might modify the sources and choose to keep the changes private.

[3] Either directly or via "User Affirmation" which is discussed in 5.5.


OSF has performed numerous private validations for desktop, server, and mobile platforms with very competitive pricing. Often, the pricing is less than the account setup fee for closed source and locked-in solutions. Trivial and uncomplicated validations can often be performed using fixed rate contracts to assure cost constraints.

2. Background

For the purposes of FIPS 140-2 validation, the OpenSSL FIPS Object Module v2.0 is defined as a specific discrete unit of binary object code (the "FIPS Object Module") generated from a specific set and revision level of source files embedded within a source distribution. These platform portable source files are compiled to create the object code in an isolated and separate form. That object code is then used to provide cryptographic services to external applications. The terms FIPS Object Module and FIPS Module elsewhere in this document refer to this OpenSSL FIPS Object Module object code.

The FIPS Object Module provides an API for invocation of FIPS approved cryptographic functions from calling applications, and is designed for use in conjunction with standard OpenSSL 1.0.1 distributions. These standard OpenSSL 1.0.1 source distributions support the original non-FIPS API as well as a FIPS Mode in which the FIPS approved algorithms are implemented by the FIPS Object Module and non-FIPS approved algorithms are disabled by default. These non-validated algorithms include, but are not limited to, Blowfish, CAST, IDEA, RC-family, and non-SHA message digest and other algorithms.

The FIPS Object Module was designed and implemented to meet FIPS 140-2, Level 1 requirements. There are no special steps required to ensure FIPS 140-2 compliant operation of the FIPS Object Module, other than building, loading, and initializing the FIPS approved and HMAC-SHA-1 digest verified source code. This process of generating the application executable object from source code for all supported platforms[1] is documented in detail at §4 and §5.

The FIPS Object Module provides confidentiality, integrity signing, and verification services. The FIPS Object Module supports the following algorithms: Triple DES, AES, CMAC, CCM, RSA (for digital signatures), DH, DSA/DSA2, ECDSA/ECDSA2, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512.

The FIPS Object Module supports SP 800-90 and ANSI X9.31 compliant pseudo-random number generators. The FIPS Object Module supports the Suite B cryptographic algorithms and can be used with Suite B cryptography exclusively. Suite B requires 128-bit security levels and forbids use of TLS lesser than 1.2 (TLS 1.0 and 1.1 use MD5 as a PRF during key agreement).

[1] By definition, for all platforms to which the validation can be extended. Per the requirements of the Security Policy, any change to the documented build process renders the result non-FIPS approved.


The FIPS Object Module v2.0 is similar in many respects to the earlier OpenSSL FIPS Object Module v1.2.x. The v1.2.4 was originally validated in late 2008 with validation certificate #1051; that original validation has been extended several times to incorporate additional platforms. The v1.2.x Module is only compatible with OpenSSL 0.9.8 releases, while the v2.0 Module is compatible with OpenSSL 1.0.1 and later releases. The v2.0 Module is the best choice for all new software and product development.

2.1 Terminology

2.1.1 FIPS 140-2 Specific Terminology


During the course of multiple validations it became clear that some terminology was interpreted differently by OpenSSL developers, cryptographers, the CMVP and FIPS 140-2 specialists. In this section some of the potential confusions in terminology are discussed.

Approved Mode: The FIPS 140-2 Approved Mode of Operation is the operation of the FIPS Object Module when all requirements of the Security Policy have been met and the software has successfully performed the power-up and self test operation (invocation of the FIPS_mode_set() function call). In this document this Approved Mode is referred to simply as FIPS mode.

Crypto Officer: System administrator. The FIPS 140-2 Crypto Officer[4] is the person having the responsibility and access privileges to install, configure, and initialize the cryptographic software.

HMAC-SHA-1 digest: A HMAC-SHA-1 digest of a file using a specific HMAC key (the ASCII string "etaonrishdlcupfm"). Such digests are referred to in this document as "digests" or "fingerprints". The digests are used for integrity checking to verify that the software in question has not been modified or corrupted from the form originally used as the basis of the FIPS 140-2 validation. Note that the PGP or GPG signatures traditionally used to check the integrity of open source software distributions are not a component of any of the FIPS 140-2 integrity checks.

Module: The concept of the cryptographic module is important for FIPS 140-2, and it has subtle nuances in this context. Conceptually the Module is the binary object code and data in the FIPS Object Module for a running process. The "cryptographic module" is often referred to simply as "module". That term is capitalized in this document as a reminder that it has a somewhat different meaning than assumed by software developers outside of a FIPS 140-2 context.

Note that traditionally the executable (or shared library) file on disk corresponding to this Module as a running process is also considered to be a Module[5] by the CMVP. An integrity check of the entire executable file on disk prior to memory mapping is considered acceptable as long as that executable file does not contain any extraneous[6] software. In this traditional case the specific executable file is submitted for testing and thus the precise content (as a bit string) is known in advance.

In the case of the FIPS Object Module only source code is submitted for validation testing, so the bit string value of the binary object code in memory cannot be known in advance. A chain of checks beginning with the source code and extending through each step in the transformation of the source code into a running process was established to provide a check equivalent to that used by more traditional object based validations. The chain of checks works backwards from the software as resident in memory for a process to the executable program file from which the process was created (the existing precedent), then to the FIPS Object Module used to link the program file, and finally to the original source files used to create the FIPS Object Module. Each of those stages can be thought of as antecedents of the Module, and the integrity of each needs to be verified to assure the integrity of the Module.

[4] The term "Officer" does not imply a requirement for a military or government official, although some military or government organizations may choose to restrict the performance of this system administration role to certain official capacities.
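The HMAC-SHA-1 fingerprint described above, as an added example in Python that is not part of the User Guide: it reproduces the keyed digest with the fixed key the guide names and uses it as an integrity check of the kind applied at each link of the chain of checks. The sample module bytes and the helper names (fingerprint, fingerprint_file, verify, tamper_detected) are constructed for this demonstration.

```python
"""Added example (not from the User Guide): HMAC-SHA-1 "fingerprint"
integrity check as described in section 2.1.1 of the guide."""
import hashlib
import hmac

# Fixed HMAC key named in the guide. It is not a secret: its purpose is to
# make the fingerprint a keyed digest distinct from a plain SHA-1 of the file.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"


def fingerprint(data: bytes) -> str:
    """Return the HMAC-SHA-1 fingerprint of data as 40 lowercase hex chars."""
    return hmac.new(FIPS_HMAC_KEY, data, hashlib.sha1).hexdigest()


def fingerprint_file(path: str, chunk_size: int = 65536) -> str:
    """Fingerprint a file on disk without reading it into memory at once
    (object modules and executables can be large)."""
    mac = hmac.new(FIPS_HMAC_KEY, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the fingerprint and compare in constant time.

    A plain == on the hex strings would reveal, through timing, how many
    leading characters match; hmac.compare_digest avoids that.
    """
    if len(expected_hex) != 40:
        return False  # not a well-formed SHA-1 hex digest
    return hmac.compare_digest(fingerprint(data), expected_hex.lower())


def tamper_detected(original: bytes, candidate: bytes) -> bool:
    """True when candidate no longer matches the fingerprint taken of original."""
    return not verify(candidate, fingerprint(original))


# Constructed sample standing in for object module bytes at "build time".
SAMPLE_MODULE = b"\x7fELF" + b"fipscanister sample object code " * 4
# The same bytes with a single bit flipped: the fingerprint must change.
TAMPERED_MODULE = (
    SAMPLE_MODULE[:20] + bytes([SAMPLE_MODULE[20] ^ 0x01]) + SAMPLE_MODULE[21:]
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_MODULE)
    print("HMAC-SHA1(sample)=", fp)
    print("intact verifies:   ", verify(SAMPLE_MODULE, fp))
    print("tampered verifies: ", verify(TAMPERED_MODULE, fp))
```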

2.1.2 General Glossary

ABI: Application Binary Interface
AES: Advanced Encryption Standard
AES-NI: AES New Instructions
ARM: a processor instruction set architecture developed by ARM Holdings
API: Application Programming Interface
Blowfish: A cryptographic algorithm not allowed in FIPS mode
CAST: A cryptographic algorithm not allowed in FIPS mode
CC: Common Criteria
CCM: Combined Cipher Machine, a mode of operation for cryptographic block ciphers

[5] Presumably because the transformations of the disk resident file contents performed by the runtime loader are considered to be well understood and sufficiently minimal.
[6] The definition of what constitutes "extraneous" is not formally specified and subject to interpretation.


$;5

$ofactor ;iffie85ell#an, a ;i"crete Logarit!# $r*ptograp!* (;L$) pri#itive, "ee S. 00085:% $%3. $r*ptograp!ic %lgorit!# 3alidation .rogra#, "ee !ttp())c"rc.ni"t.gov)group")S A)cavp) $A%$ $ip!er8&a"ed A%$, a &loc, cip!er8&a"ed #e""age aut!entication code algorit!# $A3. $r*ptograp!ic Aodule 3alidation .rogra#, "ee !ttp())c"rc.ni"t.gov)group")S A)c#vp) $ 4 ;4=> flavor ;5 ;iffie85ell#an, a F-.S approved cr*ptograp!ic algorit!# ;LL ;*na#ic Lin, Li&rar*, a "!ared li&rar* for t!e Aicro"oft Dindow" OS ;4=> ;eter#ini"tic 4ando# =it >enerator, "ee S. 0008/0 ;S% ;igital Signature %lgorit!#, a F-.S approved cr*ptograp!ic !a"! function ;S%2 ;S% a" defined in F-.S 10:83 <$ <lliptic $urve <$$ <lliptic $urve $r*ptograp!* ("ee <$) <$;5 <lliptic $urve ;iffieP5ell#an, a variant of ;iffieP 5ell#an u"ed a" an anon*#ou" ,e* agree#ent protocol <$;S% <lliptic $urve ;igital Signature %lgorit!#, a variant of ;S% w!ic! u"e" <$$ <$;S%2 <$;S% a" defined in F-.S 10:83 <LF <9ecuta&le and Lin,a&le For#at, t!e "tandard &inar* file for#at for 'ni98li,e "*"te#" on 90: <G>-G< %n OpenSSL #ec!ani"# for interfacing wit! e9ternal cr*ptograp!ic i#ple#entation" <3. <G3elope encr*ption, an OpenSSL %.- t!at provide" a !ig!8level interface to cr*ptograp!ic function" F-.S Federal -nfor#ation .roce""ing Standard", "ee !ttp())www.itl.ni"t.gov)fip"pu&") F-.S 14082 See !ttp())c"rc.ni"t.gov)pu&lication")fip")fip"1408 2)fip"1402.pdf F-.S O&2ect Aodule t!e "pecial #onolit!ic o&2ect #odule &uilt fro# t!e "pecial "ource di"tri&ution@ identified in t!e Sec#rity Policy >$A >aloi")$ounter Aode, a #ode of operation for "*##etric ,e* cr*ptograp!ic &loc, cip!er"
[7] Roughly speaking, this special source distribution was created from the OpenSSL-fips-2_0-stable branch in the CVS source code repository with the command make VERSION=fips-2.0 TARFILE=openssl-fips2.0.tar -f Makefile.fips dist.


GPG: See PGP
GUI: Graphical User Interface
HMAC: Hash Message Authentication Code, a mechanism for message authentication using cryptographic hash functions
IA: Information Assurance
IDEA: A cryptographic algorithm not allowed in FIPS mode
IKE: Internet Key Exchange, a protocol for exchanging information required for secure communication
IP: Internet Protocol, a network communications protocol
IPsec: Internet Protocol Security, a protocol suite for securing IP communications by authenticating and encrypting each IP packet
IT: Information Technology
IUT: Implementation Under Test
KAT: Known Answer Test
MASM: The Microsoft assembler, no longer supported by OpenSSL
MD2: A cryptographic algorithm not allowed in FIPS mode
NEON: an architecture extension for ARM Cortex-A series processors
NASM: the open source Netwide ASseMbler, see http://www.nasm.us/
NID: Name IDentifier for extracting information from a certificate Distinguished Name
NIST: National Institute of Science and Technology, see http://www.nist.gov/
OE: See Operational Environment
Operational Environment: The FIPS 140-2 term for "platform"
OS: Operating System
OSF: The OpenSSL Software Foundation
PCLMULQDQ: an instruction for x86 processors which performs carry-less multiplication of two 64-bit operands
PGP: Pretty Good Privacy, an encrypted E-mail program
PKCS#1: Public-Key Cryptography Standard #1
PKCS#3: Public-Key Cryptography Standard #3
POST: Power Up Self Test, an initialization process required by FIPS 140-2
PRNG: Pseudo-Random Number Generator
RNG: Random Number Generator
PSS: Probabilistic Signature Scheme, a provably secure way of creating signatures with RSA
RSA: Rivest-Shamir-Adleman, a public key cryptographic algorithm


SHA: Secure Hash Algorithm, a cryptographic hash function
SSE2: Streaming SIMD Extension 2, an extension of the x86 instruction set
SSH: Secure SHell, a network protocol for secure data communication
SSL: Secure Socket Layer, a predecessor to the TLS protocol
SSSE3: Supplemental Streaming SIMD Extensions 3, an extension of the x86 instruction set
Suite B: a set of cryptographic algorithms created by the National Security Agency
TLS: Transport Layer Security, a cryptographic protocol providing communication security over IP connections
VMS: Virtual Memory System, an operating system that runs on VAX, Alpha and Itanium-based families of computers (now obsolete)
x86: a family of instruction set architectures originally defined by Intel
XTS: XEX Tweakable Block Cipher with Ciphertext Stealing
XTS-AES: a cryptographic algorithm specified in SP 800-38E

2.2 The FIPS Module and Integrity Test

The FIPS Object Module is generated in binary file format, with an embedded pre-calculated HMAC-SHA-1 digest covering the module[8] as it is loaded into application address space. The Module integrity check consists of recalculating that digest from the memory areas and comparing it to the embedded value which resides in an area not included in the calculated digest[9]. This "in-core hashing" integrity test is designed to be both executable format independent and fail-safe. For this scenario the Module is the text and data segments as mapped into memory for the running application. The term Module is also used, less accurately, to designate the antecedent of that memory mapped code and data, the FIPS Object Module file residing on disk.

The FIPS Object Module is generated from source code, so the integrity of that source must also be verified. The single runtime digest check typical of pre-built binary files is replaced by a chain of digest checks in order to validate that the running code was in fact generated from the original source code. As before the term Module properly designates the text and data segments mapped

[8] Specifically, the text and read-only data segments which constitute the initialized components of the module.
[9] If the digest value resided in the data area included in the calculation of that digest, the calculated value of the digest would itself be an input into that calculation.


into memory, but is also more loosely used to reference several levels of antecedents. These levels are discussed below.

2.3 The FIPS Integrity Test

The FIPS 140-2 standard requires an integrity test of the Module to verify its integrity at initialization. In addition to the requirement that the integrity test validate that the FIPS Object Module code and data have not changed, two additional implicit requirements for the integrity test were identified during the validation process.

2.3.1 Requirement for Exclusive Integrity Test


An integrity test that is merely guaranteed to fail if any of the cryptographic module software changes is not sufficient. It is also necessary that the integrity test not fail if the cryptographic module software is not directly corrupted, even though the application referencing the cryptographic module may be damaged with unpredictable consequences for the correct functioning of that application. Another way of looking at this is that as application failures are out of scope of the integrity test there needs to be some level of assurance that changes to application software do not affect the cryptographic module integrity test[10]. This requirement is met with an in-core integrity test that carefully excludes any extraneous[11] object code from the digest calculation and verification.

2.3.2 Requirement for Fixed Object Code Order


The relative order of all object code components within the module must be fixed and invariant. The usual linking process does not care about the relative order of individual object modules, e.g. both

gcc -o runfile alpha.o beta.o gamma.o

and

gcc -o runfile beta.o alpha.o gamma.o

produce functionally identical executable files. Likewise, the order of object modules in a static link library is irrelevant:

ar r libxxx.a alpha.o beta.o gamma.o

and

ar r libxxx.a beta.o alpha.o gamma.o

[10] This assurance was given by showing during testing that corruption of code or data outside of the memory area containing the FIPS Object Module did not result in an integrity test failure.
[11] The definition of what constitutes "extraneous" is not formally specified and thus subject to interpretation.


produce interchangeable link libraries, and a given application may not incorporate all of the object modules contained with the link library when resolving references. For the FIPS Object Module it was required that any such omission or rearrangement of the Module object modules during the application creation process not occur. This requirement is satisfied by simply compiling all the source code into a single monolithic object module:

ld -r -o fipscanister.o fips_start.o ... fips_end.o

with all the object modules between the fips_start.o and fips_end.o modules that define the low and high boundaries of a monolithic object module. All subsequent reference to this monolithic object module will preserve the relative order, and presence, of the original object code components.

2.4 The File Integrity Chain

Most validated products consisting of a pre-built binary executable implement the module integrity check as a digest check over portions of that executable file or the corresponding memory mapped image. For the FIPS Object Module the module integrity check instead takes the form of a chain of digest checks beginning with the source files used for the CMVP validation testing. Note that while this chain of checks is more complex, it provides much more visibility for independent verification compared to the case of validated pre-built binary executables. With the FIPS Object Module the prospective user can independently verify that the runtime executable does indeed directly derive from the same source that was the basis of the validation.

2.4.1 Source File (Build Time) Integrity


"Build time" is when the FIPS Object Module is created from the OpenSSL FIPS source distribution, in accordance with the Security Policy. The first file integrity check occurs at build time when the HMAC-SHA-1 digest of the distribution file is calculated and compared to the stored value published in the Security Policy (Appendix B). Because the source files reside in this specific distribution and cannot be modified these source files are referred to as sequestered files. Note that a means to calculate the HMAC-SHA-1 digest is required in order to perform this integrity check. A "bootstrap" standalone HMAC-SHA-1 utility, fips_standalone_sha1, is included in the distribution. This utility is generated first before the sequestered files are compiled in order to perform the integrity check. Appendix C gives an example of an equivalent utility.

2.4.2 Object Module (Link Time) Integrity


"Link time" is when the application is linked with the previously built and installed FIPS Object Module to generate an executable program.


The build process described in the Security Policy results in the creation of an object module, fipscanister.o, and a matching digest file, fipscanister.o.sha1. This FIPS Object Module contains the object code corresponding to the sequestered source files (object code for FIPS specific functions such as FIPS_mode_set() and for the algorithm implementations). The link time integrity check occurs when the FIPS Object Module is used to create an application executable object (binary executable or shared library). The digest stored in the installed file fipscanister.o.sha1 must match the digest calculated for the fipscanister.o file. Note that except in the most unusual circumstances the FIPS Object Module itself (fipscanister.o) is not linked directly with application code. Instead the FIPS Object Module is embedded in the OpenSSL libcrypto library (libcrypto.a/libcrypto.so) which is then referenced in the usual way by the application code. That combination is known as a "FIPS capable" OpenSSL library and is discussed in more detail in section 2.5.

2.4.3 Application Executable Object (Run Time) Integrity


Application "run time" occurs when the previously built and installed application program is invoked. Unlike the previous step this invocation is usually performed repeatedly. The runtime integrity check occurs when the application attempts to enable FIPS mode via the FIPS_mode_set() function call. The digest embedded within the object code from fipscanister.o must match the digest calculated for the memory mapped text and data areas.

2.5 Relationship to the OpenSSL API

The FIPS Object Module is designed for indirect use via the OpenSSL API. Applications linked with the "FIPS capable" OpenSSL libraries can use both the FIPS validated cryptographic functions of the FIPS Object Module and the high level functions of OpenSSL. The FIPS Object Module should not be confused with OpenSSL library and toolkit or any specific official OpenSSL distribution release. A version of the OpenSSL product that is suitable for use with the FIPS Object Module is a FIPS Compatible OpenSSL. When the FIPS Object Module and a FIPS compatible OpenSSL are separately built and installed on a system, with the FIPS Object Module embedded within the OpenSSL library as part of the OpenSSL build process, the combination is referred to as a FIPS capable OpenSSL.

Summary of definitions
The FIPS Object Module is the FIPS 140-2 validated module described in the Security Policy.


A FIPS compatible OpenSSL is a version of the OpenSSL product that is designed for compatibility with the FIPS Object Module.
A FIPS capable OpenSSL is the combination of the separately installed FIPS Object Module along with a FIPS compatible OpenSSL.
Table 2.8

The OpenSSL libraries, when built from a standard OpenSSL distribution with the "fips" configuration option for use with the FIPS Object Module, will contain the usual non-FIPS algorithms and non-cryptographic supporting functions, and the non-FIPS algorithm disabling restrictions. Note that use of individual object modules comprising the monolithic FIPS Object Module is specifically forbidden by FIPS 140-2 and the CMVP[12]. In the absence of that restriction the individual object modules would just be incorporated directly in the OpenSSL libcrypto.a library. The monolithic FIPS Object Module must be used in its entirety and cannot be edited to accommodate size constraints. Various non-FIPS algorithms such as Blowfish, IDEA, CAST, MD2, etc. are included in the OpenSSL libraries (depending on the ./config options specified in addition to fips). For applications that do not utilize FIPS 140-2 cryptography, the resulting libraries are drop-in compatible with the libraries generated without the fips option (a deliberate design decision to encourage wider availability and use of FIPS 140-2 validated algorithms). The converse is not true: a non-FIPS OpenSSL library cannot be substituted for the FIPS Compatible library because the FIPS specific function calls will not be present (such as FIPS_mode_set()).

2.6 FIPS Mode of Operation

Applications that utilize FIPS mode must call the FIPS_mode_set() function. After successful FIPS mode initialization, the non-FIPS algorithms will be disabled by default. The FIPS Object Module together with a compatible version of the OpenSSL product can be used in the generation of both FIPS mode and conventional applications. In this sense, the combination

[12] Actually, to encourage use of fipscanister.o even in non-FIPS mode applications, a copy is incorporated into libcrypto.a, but special care is taken to preclude its usage in FIPS enabled applications. The fipsld utility provided in the FIPS compatible OpenSSL distributions prevents that usage as follows. In static link context that is achieved by referencing the official fipscanister.o first on the command line, and in dynamic link context by temporarily removing it from libcrypto.a. This removal is necessary because dynamic linking is commonly accompanied by --whole-archive, which would force both copies of fipscanister.o into the shared library. Note the integrity check is designed as a failsafe precaution in the event of link errors: even if two copies are included into the application in error, the integrity check will prevent the use of one copy for the integrity test and the other for the actual implementation of cryptography. In other words, if both the official fipscanister.o and the unvalidated version that is embedded in libcrypto.a end up in an executable binary, and if FIPS_mode_set() returns success, the unvalidated copy will not be used for cryptography.


of the FIPS Object Module and the usual OpenSSL libraries constitutes a "FIPS capable API", and provides both FIPS approved algorithms and non-FIPS algorithms.

2.6.1 FIPS Mode Initialization


Only one initialization call, FIPS_mode_set(), is required to operate the FIPS Object Module in a FIPS 140-2 Approved mode, referred to herein as "FIPS mode". When the FIPS Object Module is in FIPS mode all security functions and cryptographic algorithms are performed in Approved mode. Use of the FIPS_mode_set() function call is described in section 5.

A power-up self-test is performed automatically by the FIPS_mode_set() call, or optionally at any time by the FIPS_selftest() call (see Appendix D). If any power-up self-test fails the internal global error flag FIPS_selftest_fail is set and subsequently tested to prevent invocation of any cryptographic function calls.

The internal global flag FIPS_mode is set to FALSE indicating non-FIPS mode by default. The FIPS_mode_set() function verifies the integrity of the runtime executable using a HMAC-SHA-1 digest computed at build time. If the digests match, the power-up self-test is then performed. If the power-up self-test is successful FIPS_mode_set() sets the FIPS_mode flag to TRUE and the FIPS Object Module is in FIPS mode.
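The chain of digest checks from sections 2.2 to 2.4 and the FIPS_mode_set() sequence just described, as an added Python model; this is illustration written for this guide, not code from the OpenSSL FIPS distribution. It assumes a placeholder HMAC key (the real key compiled into fips_standalone_sha1 is not reproduced here), constructed sample bytes standing in for the distribution tarball and fipscanister.o, and a single SHA-1 known answer standing in for the full power-up self-test. The point it makes concrete is the exclusive in-core test: only text and read-only data are covered, so damaging the embedding application leaves the test passing while damaging the module fails it and latches the error flag that blocks later cryptographic calls.

```python
"""Model of the FIPS Object Module integrity chain and FIPS_mode_set() gating.
Added illustration; the key, sample bytes and self-test are constructed."""
import hashlib
import hmac

# Assumption: a fixed 16-byte key standing in for the one compiled into
# fips_standalone_sha1; the real distribution key is not reproduced here.
HMAC_KEY = b"example-hmac-key"


def hmac_sha1(data: bytes) -> str:
    """HMAC-SHA-1 as a hex string, the form compared at every stage."""
    return hmac.new(HMAC_KEY, data, hashlib.sha1).hexdigest()


# Stage 1, build time: distribution tarball against the Security Policy value.
def check_distribution(tarball: bytes, published_digest: str) -> bool:
    return hmac.compare_digest(hmac_sha1(tarball), published_digest)


# Stage 2, link time: fipscanister.o against the installed fipscanister.o.sha1.
def check_canister(canister: bytes, sha1_file_contents: str) -> bool:
    return hmac.compare_digest(hmac_sha1(canister), sha1_file_contents.strip())


# Stage 3, run time: the in-core, exclusive check made by FIPS_mode_set().
class LoadedModule:
    """The module as mapped into memory. Only text and read-only data are
    covered by the digest (footnote 8); the embedded digest itself lives
    outside that region (footnote 9), as does the application's own code."""

    def __init__(self, text: bytes, rodata: bytes) -> None:
        self.text = bytearray(text)
        self.rodata = bytearray(rodata)
        self.embedded_digest = hmac_sha1(bytes(self.text) + bytes(self.rodata))
        self.application_code = bytearray(b"int main(void) { return run(); }")
        self.selftest_fail = False   # models FIPS_selftest_fail
        self.fips_mode = False       # models FIPS_mode

    def incore_digest(self) -> str:
        # Deliberately excludes application_code and embedded_digest.
        return hmac_sha1(bytes(self.text) + bytes(self.rodata))

    def fips_selftest(self) -> bool:
        # Stand-in for the power-up known answer tests: one SHA-1 KAT.
        return (hashlib.sha1(b"abc").hexdigest()
                == "a9993e364706816aba3e25717850c26c9cd0d89d")

    def fips_mode_set(self, enable: bool) -> bool:
        """Integrity check first, then POST; any failure latches selftest_fail."""
        if not enable:
            self.fips_mode = False
            return True
        if not hmac.compare_digest(self.incore_digest(), self.embedded_digest):
            self.selftest_fail = True
            return False
        if not self.fips_selftest():
            self.selftest_fail = True
            return False
        self.fips_mode = True
        return True

    def sha256(self, data: bytes) -> bytes:
        """Every cryptographic entry point refuses to run after a failed test."""
        if self.selftest_fail:
            raise RuntimeError("FIPS self-test failed; cryptography disabled")
        return hashlib.sha256(data).digest()


def run_scenarios() -> dict:
    """Exercise the chain on constructed inputs and report each outcome."""
    tarball = b"openssl-fips-2.0.tar (constructed sample bytes)"
    published = hmac_sha1(tarball)           # the Security Policy value
    canister = b"fipscanister.o (constructed sample bytes)"
    sha1_file = hmac_sha1(canister) + "\n"   # contents of fipscanister.o.sha1

    pristine = LoadedModule(text=b"\x55\x48\x89\xe5" * 8, rodata=b"KAT vectors")

    # Corrupting the application outside the module must not trip the test.
    app_damaged = LoadedModule(text=pristine.text, rodata=pristine.rodata)
    app_damaged.application_code[0] ^= 0xFF

    # Corrupting covered module data must trip it and disable cryptography.
    module_damaged = LoadedModule(text=pristine.text, rodata=pristine.rodata)
    module_damaged.rodata[0] ^= 0xFF
    try:
        module_damaged.fips_mode_set(True)
        module_damaged.sha256(b"x")
        crypto_refused = False
    except RuntimeError:
        crypto_refused = True

    return {
        "build_ok": check_distribution(tarball, published),
        "build_tampered": check_distribution(tarball + b"!", published),
        "link_ok": check_canister(canister, sha1_file),
        "run_ok": pristine.fips_mode_set(True) and pristine.fips_mode,
        "run_app_damaged": app_damaged.fips_mode_set(True),
        "run_module_damaged": module_damaged.fips_mode,
        "crypto_refused_after_failure": crypto_refused,
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The two damaged-module scenarios are the ones worth studying: the application-corruption case passing is exactly the exclusivity requirement of section 2.3.1, and the module-corruption case shows why a caller must test the return value of FIPS_mode_set() rather than assume the flag was set.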

2.6.2 Algorithms Available in FIPS Mode


Only the algorithms listed in tables 4a and 4b of the Security Policy are allowed in FIPS mode. Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and key establishment even though they are "Non-Approved" for that purpose. RSA for sign and verify is "Approved" and hence also allowed, along with all the other Approved algorithms listed in that table.

The OpenSSL library attempts to disable non-FIPS algorithms when in FIPS mode. The disabling occurs on the EVP_* APIs and most low level function calls. Failure to check the return code from low level functions could result in unexpected behavior. Note also that sufficiently creative or unusual use of the API may still allow the use of non-FIPS algorithms. The non-FIPS algorithm disabling is intended as an aid to the developer in preventing the accidental use of non-FIPS algorithms in FIPS mode, and not as an absolute guarantee. It is the responsibility of the application developer to ensure that only FIPS algorithms are used when in FIPS mode.

OpenSSL provides mechanisms for interfacing with external cryptographic devices, such as accelerator cards, via "ENGINES". This mechanism is not disabled in FIPS mode. In general, if a FIPS validated cryptographic device is used with OpenSSL in FIPS mode so that all cryptographic operations are performed either by the device or the FIPS Object Module, then the result is still FIPS validated cryptography.


However, if any cryptographic operations are performed by a non-FIPS validated device, the result is use of non-validated cryptography. It is the responsibility of the application developer to ensure that ENGINES used during FIPS mode of operation are also FIPS validated.

2.7 Revisions of the 2.0 Module

Existing FIPS 140-2 validations can be retroactively modified, within defined limits, via the "maintenance letter" or "change letter" process. Change letter modifications are typically done to correct minor "non-cryptographically significant" bugs or, most commonly, to add support for new platforms. Change letter actions are usually less expensive and faster than a full validation; and are an attractive option to the software vendor desiring to use the FIPS module for a platform not currently covered by the validation.

Several change letter modifications were in process prior to the formal award of the initial OpenSSL FIPS Object Module v2.0 validation. More change letters are anticipated over the lifetime of the validation. For all past validations we have always been careful to introduce any changes in a way that will not impact any previously tested platforms, so that the most recent revision of the module can be used for new deployments on any platform. The history of new revisions include:

2.0.1  Addition of Apple iOS 5.1 on ARMv7
2.0.1  Addition of WinCE 5.0 on ARMv7
2.0.1  Addition of Linux 2.6 on PowerPC32-e500 (PPC)
2.0.1  Addition of DSP Media Framework 1.4 on TI C64x+
2.0.1  Addition of WinCE 6.0 on ARMv7
2.0.1  Addition of Android 4.0 on OMAP 3 (ARMv7)
2.0.2  Addition of NetBSD 5.1 on PowerPC32-e500 (PPC)
2.0.2  Addition of NetBSD 5.1 on Intel Xeon 5500 (x86)
2.0.3  Addition of Win2008 on Xeon E3-1220v2 (x86)
2.0.3  Addition of RHEL 32/64 bit on Xeon E3-1220v2 (x86) under vSphere
2.0.3  Addition of Win7 on Intel Core i5-2430M (x86) with AES-NI
2.0.3  Addition of Android 4.1/4.2 on Nvidia Tegra 3 (ARMv7) with/without NEON
2.0.3  Addition of WinEC7 on Freescale i.MX53xD (ARMv7) with/without NEON
2.0.3  Addition of Android 4.0 on Qualcomm Snapdragon APQ8060 (ARMv7)
2.0.3  Addition of VMware Horizon Module on Qualcomm MSM8X60 (ARMv7)
2.0.3  Addition of Apple OS X 10.7 on Intel Core i7-3615QM (x86)
2.0.3  Addition of Apple iOS 5.0 on ARM Cortex A8 (ARMv7)
2.0.4  Addition of OpenWRT 2.6 on MIPS 24Kc
2.0.5  Addition of QNX 6.4 on Freescale i.MX25 (ARMv4)
2.0.5  Addition of Apple iOS 6.1 on Apple A6X SoC (ARMv7s)
2.0.5  Addition of eCos 3 on Freescale i.MX27 926ejs (ARMv5TEJ)
2.0.5  Addition of VMware Horizon Workspace 1.5 under vSphere on Intel Xeon E3-1220 (x86) with/without AES-NI


2.0.5  Addition of Ubuntu 13.04 on AM3359 Cortex-A8 (ARMv7) with/without NEON
2.0.5  Addition of Linux 3.8 on ARM926 (ARMv5TEJ)

2.8 Prior FIPS Object Modules

The 2.0 version of the FIPS Object Module is the latest in a series of open source based validated modules derived from the OpenSSL product. As with those prior modules this version is delivered in source code form and results in a statically linked object module. There are some differences with respect to the previous version 1.2.x series of modules which have been widely used, both directly as validated for certificate #1051, and indirectly as models for separate "private label" validation. Some of the key differences are:

1. The source code distribution for the 1.2.x FIPS modules was a modified OpenSSL distribution that contained a considerable amount of code superfluous to the generation of the FIPS module. The 2.0 FIPS module is provided in a separate dedicated source distribution containing far less extraneous code.

2. The 1.2.x FIPS modules were compatible only with the "FIPS capable" 0.9.8 baseline. The 2.0 FIPS module is compatible with the "FIPS capable" 1.0.1 baseline, and will probably remain usable with future OpenSSL versions (1.1.0 and later).

3. The 2.0 FIPS module has a significantly faster POST performance. The slow POST for the 1.2.x modules was a significant impediment to use on some low-powered processors.

4. The 2.0 FIPS module contains several additional cryptographic algorithms, including all of Suite B.

5. The 2.0 FIPS module more directly accommodates cross-compilation, as both native and cross-compilation now use the same technique for determining the module integrity digest at build time.

2.9 Future FIPS Object Modules

The open source based OpenSSL FIPS Object Module validations are difficult and expensive, and as a result have been done infrequently. The long intervals between validations compound the difficulty of obtaining each new validation:

1. The companion OpenSSL product changes significantly, requiring significant rework to both that product and the new FIPS module for the "FIPS capable" functionality;

2. A number of new and relatively untried algorithm tests are introduced by the CAVP;

3. New validation requirements are introduced by the CMVP.


The result is a vicious cycle: the new validation takes much more effort and time, during which these factors continue to mount (the CMVP can and does introduce new requirements in the course of an ongoing validation). That cost and difficulty becomes an intimidating factor for planning, and soliciting funding and/or collaboration for, the next validation.

In order to try and bypass this cycle the OSF would like to perform open source based validations more frequently, ideally as often as the interval required to obtain a validation which is about a year. That would mean that at any point in time there will be a relatively current completed validation and a new validation in process. New features or modifications that would adversely impact the ongoing validation can then be deferred to the next upcoming one. New requirements and algorithm tests can be addressed a few at a time instead of all at once in a huge onslaught.

Potential sponsors of such an effort are welcome, and are invited to contact OSF to express their interest.


3. Compatible Platforms

The FIPS Object Module is designed to run on a wide range of hardware and software platforms. Any computing platform that meets the conditions in the Security Policy can be used to host a FIPS 140-2 validated FIPS Object Module provided that module is generated in accordance with the Security Policy.

At the time the OpenSSL FIPS Object Module v2.0 was developed, all Unix[13]-like environments supported by the full OpenSSL distribution were also supported by the FIPS validated source files included in the FIPS Object Module. However, successful compilation of the FIPS Object Module for all such platforms was not verified. If any platform specific compilation errors occur that can only be corrected by modification of the FIPS distribution files (see Appendix B of the Security Policy), then the FIPS Object Module will not be validated for that platform.

It is also noted that a platform which is currently supported (but untested) may not be supported in the future as revisions are made to the FIPS validated sources. For example, a change made for one platform may adversely affect another, untested platform.

By default, the FIPS Object Module software utilizes assembly language optimizations for some supported platforms. Currently assembler language code residing within the cryptographic module boundary is used for the x86/Intel[14] ELF and ARM[15] machine architectures. The FIPS Object Module build process will automatically select and include these assembly routines by default when building on a x86 platform. The assembly language code was included in the validation testing, so a FIPS Object Module built using the x86/Intel assembly language routines will result in a FIPS 140-2 validated Object Module. Assembly Language and Optimizations are discussed in detail in Section 3.2.3 Assembler Optimizations.

3.1 Build Environment Requirements

The platform portability of the FIPS Object Module source code is contingent on several basic assumptions about the build environment:

1. The environment is either a) "Unix-like" with a make command and a ld command with a "-r" (or "-i") option, or Microsoft Windows. Creation of the monolithic FIPS Object Module fipscanister.o requires a linker capable of merging several object modules into one. This requirement is known to be a problem with VMS and some older versions of LD.EXE under Windows.

[13] UNIX is a registered trademark of The Open Group
[14] Intel is a registered trademark of the Intel Corporation
[15] ARM is a trademark of ARM Limited.


2. The compiler is required to place variables declared with the const qualifier in a read-only segment. This behavior is true of almost all modern compilers. If the compiler fails to do so the condition will be detected at run-time and the in-core hashing integrity check will fail.

3. The platform supports execution of compiled code on the build system (i.e. build host and target are binary compatible); or an appropriate "incore" utility is available to calculate the digest from the on-disk resident object code. See further discussion of cross-compilation in 3.4.

4. Cross-compilation uses a technique for determining the integrity check digest that may not work for all cross-compilation environments, so each such new environment must be analyzed for suitability. See further discussion of cross-compilation in 3.4.

3.2 Known Supported Platforms

The generation of a monolithic object module and the in-core hashing integrity test have been verified to work with both static and shared builds on the following platforms (note the ./config shared option is forbidden by the terms of the validation when building a FIPS validated module, but the fipscanister.o object module can be used in a shared library[16]). Note a successful build of the FIPS module may be possible on other platforms; only the following were explicitly tested as of the date this document was last updated:

Android[17] on ARMv7[18] 32 bit
Android on ARMv7 with NEON 32 bit
HP-UX[19] on IA64 with 32 and 64 bit
Linux[20] on ARMv6, ARMv7 32 bit
Linux on x86-64 32 and 64 bit
Linux on x86-64 32 with SSE2 and 64 bit
Linux on x86-64 with AES-NI 32 and 64 bit
Linux on PowerPC[21]
Solaris[22] on x86-64 with 32 and 64 bit
Solaris on SPARCv9[23] with 32 and 64 bit
Solaris on x86-64 with SSE2 32 and 64 bit
Windows on x86-64 with SSE2 32 and 64 bit

[16] A convenient way of generating a shared library containing fipscanister.o is discussed in Appendix B
[17] Android is a trademark of Google Inc.
[18] ARM is a trademark or registered trademark of ARM Ltd or its subsidiaries.
[19] HP-UX is a registered trademark of Hewlett-Packard Company.
[20] Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
[21] PowerPC is a trademark of International Business Machines Corporation in the United States, other countries, or both.
[22] Solaris is a registered trademark of Oracle and/or its affiliates.
[23] SPARC is a registered trademark of SPARC International, Inc.


uClinux[24] on ARMv4
VxWorks[25] on MIPS[26]
DSP Media Framework 1.4 on TI[27] C64x+
Apple[28] iOS on ARMv7
Windows CE on ARMv7
NetBSD[29] on PowerPC
NetBSD on x86-64

Among the platforms known to not be supported are Windows on x86-64 with AES-NI, VMS[30], Mac OS X[31].

Platform Cross Reference

Operating System: Android 2.2, 4.0; HP-UX 11i; Linux 2.6; Solaris 10; Solaris 11; Windows 7; uCLinux 0.9; VxWorks 6.0; Windows CE; NetBSD

Processor: Apple A6 (ARMv7 and ARMv7s); Apple A5 (ARMv6 and ARMv7); ARMv4; ARMv6

[24] uClinux is a registered trademark of Arcturus Networks Inc.
[25] VxWorks is a registered trademark of Wind River Systems, Inc.
[26] MIPS is a trademark or registered trademark of MIPS Technologies, Inc. in the United States and other countries.
[27] TI is a registered trademark of Texas Instruments Incorporated
[28] Apple and iOS are registered trademarks of Apple Inc.
[29] NetBSD is a registered trademark of The NetBSD Foundation, Inc.
[30] VMS is a registered trademark of Digital Equipment Corporation.
[31] Mac OS X is a registered trademark of Apple, Inc.


Platform Cross Reference (continued)

Processor: ARMv7; ARMv7 NEON; IA64 32 bit; IA64 64 bit; MIPS; PowerPC; SPARCv9 32 bit; SPARCv9 64 bit; x86-64 32 bit; x86-64 64 bit; x86-64 SSE2 32 bit; x86-64 SSE2 64 bit; x86-64 AES-NI 32 bit; x86-64 AES-NI 64 bit

Table 3.2

A commonly asked question is "does this validation extend to my specific platform X?" For instance: "is use of the Module validated on CentOS x86-64 when CentOS was not formally tested but Fedora was?" Or "is use with Linux kernel 2.6.35 validated when only 2.6.33 was formally tested?" Unfortunately there is no hard and fast answer to such questions. Based on extensive discussions over the years we have developed some informal rules of thumb to determine when a given target platform corresponds with a formally tested platform (Operational Environment).

Important Disclaimer: Only the CMVP can provide authoritative answers to questions about FIPS 140-2. The following discussion represents the unenlightened and non-authoritative opinions of persons and institutions lacking any official standing to interpret the meaning or intent of FIPS 140-2 or the validation process. CMVP guidance always takes precedence over any statements in this document.

Rules of thumb:


1. Does the target system "code path" (see following section) correspond with that of a formally tested platform?

2. Do any run-time selectable optimizations (see section 3.2.3) correspond with those of a formally tested platform?

3. Will a binary module that builds and runs on one of the formally tested platforms (or was built on the build-time system for a formally tested cross-compiled platform) run as-is on the target system?

4. Does the processor "core" (ARMv6 versus ARMv7, for instance) correspond to that of a formally tested platform? Here the consideration is ABI compatibility -- two processors which can interchangeably execute the same set of machine instructions are effectively equivalent.

5. Does the "major" OS version (e.g. Solaris 10 versus Solaris 11) correspond to that of a formally tested platform? The "major" version is generally taken to be the full revision label for OS's using only one or two "dot" levels (e.g., Android 2.2 or Solaris 10, 11), and the first two "dot" levels for OS's using more than two "dot" levels (e.g., Linux 2.6.37, uClinux 0.9.29)[32].

If the answer to all of these questions is "yes" then -- in general -- the prospective target platform can reasonably be considered as equivalent to a formally tested platform.

Arguments based on apparent "common sense" considerations should be used cautiously where FIPS 140-2 is concerned, but where general purpose validated software modules are concerned a little thought shows that strict insistence on an exact match between target platforms and formally tested Operational Environments would make it effectively impossible to widely deploy validated software through most enterprises. For instance, one of the formally tested platforms was "Android 2.2.20.A995" on an "ARMv7 rev 2 v7l" processor. If a formally tested platform had to correspond at that level of detail then provision of validated modules would be very difficult, as the extensive amount of time required to obtain a FIPS 140-2 validation means that the specific platform used for testing will be updated or obsolete by the time the validation is completed.

The role of the compiler used for building the validated Module has never been fully delineated. The general (and unofficial) consensus of the FIPS 140-2 user and test lab communities appears to be that the precise version of the compiler need not correspond exactly with that used for the generation of the formally tested Module (for instance, gcc 4.4.1 versus 4.4.7).

If a review determines that no formally tested platform corresponds to the target platform of interest, there are several options:

[32] Note this rule of thumb has implications for the recent and more or less arbitrary jump of the Linux kernel version number from 2.6.x to 3.0.x.

.age 20 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

1. 3endor or u"er 1affir#ation1 per "ection >.5 of t!e -#ple#entation >uidance docu#ent (4eference 3). !i" topic i" di"cu""ed in #ore detail in 5.5. 2. % 1c!ange letter1 #odification to e9tend an e9i"ting validation to include t!e platfor# of intere"t. !e c!ange letter proce"" can often &e perfor#ed in a few wee," wit! a price tag in t!e low five figure", a" oppo"ed to t!e #an* #ont!" and !ig! five figure to low "i9 figure price tag of a conventional full validation. 3. % full validation leveraging t!e "ource code and docu#entation fro# t!e OpenSSL F-.S O&2ect Aodule validation. Suc! a 1private la&el1 validation will "till ta,e #an* #ont!" &ut i" t*picall* #uc! le"" e9pen"ive t!an an unrelated validation. %n advantage of t!e 1private la&el1 validation i" t!at upon for#all* engaging an accredited te"t la& t!e vendor &eco#e" eligi&le33 to !ave t!e pro"pective #odule li"ted on t!e 1Aodule" -n .roce""1 li"t34 (!ttp())c"rc.ni"t.gov)group")S A)c#vp)docu#ent")14081)140-n.roce"".pdf). !e pre"ence of a vendor #odule on t!at li"t i" a "ufficient condition for co#pletion of #an* procure#ent action" in t!e '.S. ;epart#ent of ;efen"e and federal govern#ent.

3.2.1 Code Path and Command Set

For t!e purpo"e" of t!e validation te"ting a Fplatfor#H i" a uniBue co#&ination of "ource code and t!e "pecific &uild8ti#e option" u"ed to turn t!at "ource code into &inar* code. !e &uild8ti#e inclu"ion of a""e#&ler opti#iCation" effectivel* c!ange" t!e "ource code, and "ource code "election" var* &a"ed on t!e target arc!itecture word "iCe of 32 or :4 &it". ;ue to &udget and "c!edule con"traint" onl* "o#e a""e#&ler opti#iCation" for %4A and 90:8:4 were te"ted, "o onl* t!o"e opti#iCation" are availa&le for &uilding t!e F-.S O&2ect Aodule. wo "eparate "et" of "ource code were identified to cover plain $ (no a""e#&ler) for 90:8:4 Linu9 32 and :4 &it". <ven t!oug! t!e "a#e "ource code i" u"ed for &ot! Linu9)'ni9 and Dindow" operating "*"te#", t!e &uild in"truction" are "ufficientl* uniBue to eac! of t!e two OS fa#ilie" t!at t!e deci"ion wa" #ade to te"t eac! code pat! for &ot! OS fa#ilie". !e re"ulting te"t ca"e" can &e repre"ented in t!e following ta&le"(
%ode P(th pure $ 32 &it pure $ :4 &it
33

%omm(nd Set Linu9)'ni9 '1 '2 Dindow" D1 D2

1epresent(tive Pl(tform Linu9)'ni9 u1 u1 Dindow" w1 w2

Strictl* "pea,ing t!e te"t la& #u"t al"o &e in po""e""ion of draft" of all reBuired docu#entation. -n t!e ca"e of private la&el validation" clo"el* #odeled on an OpenSSL F-.S O&2ect Aodule validation t!at i" readil* acco#pli"!ed, u"uall* &efore t!e for#al contract wit! t!e te"t la& i" e9ecuted. 34 !e 1Aodule in .roce""1 li"t i" often referred to a" t!e 1pre8val1 li"t.

.age 2/ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

%ode P(th 90: a""e#&ler 90:8:4 a""e#&ler '3

%omm(nd Set Linu9)'ni9 Dindow" D3

1epresent(tive Pl(tform Linu9)'ni9 u2 Dindow" w3 w4

'4 D4 u2 Table .2.1a - +o(e Pat4s an( +omman( Sets

w!ere t!e co##and "et" are %omm(nd Set +(me


'1 Linu9)'ni9, pure $

3uild %omm(nds
./config no-asm make make install ./config make make install ms\do_fips no-asm

'2 Linu9)'ni9 wit! 90:)90:8:4 opti#iCation" D1 Dindow", pure $

D2 Dindow" wit! 90:)90:8:4 opti#iCation"

ms\do_fips

.2.1b - +omman( Sets

The actual representative systems tested for the validation were:

Generic System                                              | Actual System (OS)                     | Processor                   | Optimization
Android 2.2 on ARMv7 with NEON                              | Android 2.2 (HTC Desire)               | Qualcomm QSD 8250 (ARMv7)   | NEON
Android 2.2 on ARMv7 with NEON                              | Android 2.2 (HTC Desire)               | Qualcomm QSD 8250 (ARMv7)   | NEON
Android 2.2 on ARMv7                                        | Android 2.2 (Dell Streak)              | Qualcomm QSD 8250 (ARMv7)   | None
Windows x86 32 bit                                          | Microsoft Windows 7 32 bit             | Intel Celeron (x86)         | None
uCLinux on ARMv4                                            | uClinux 0.9.29                         | ARM 922 (ARMv4)             | None
Linux 2.6 on x86 with AES-NI                                | Fedora 14 64 bit                       | Intel Core i5 (x86)         | AES-NI
HP-UX 11 on IA64 32 bit                                     | HP-UX 11i (hpux-ia64-cc, 32 bit mode)  | Intel Itanium 2 (IA64)      | None
HP-UX 11 on IA64 64 bit                                     | HP-UX 11i (hpux64-ia64-cc, 64 bit mode)| Intel Itanium 2 (IA64)      | None
Linux on x86 32bit                                          | Ubuntu 10.04                           | Intel Pentium T4200 (x86)   | None
Android 2.2 on ARMv7 (duplicate of platform 2)              | Android 2.2 (Motorola Xoom)            | NVIDIA Tegra 250 T20 (ARMv7)| None
Linux 2.6 on PPC                                            | Linux 2.6.27                           | PowerPC e300c3 (PPC)        | None
Windows on x86 64 bit                                       | Microsoft Windows 7 64 bit             | Intel Pentium 4 (x86)       | None
Linux 2.6 on x86 with AES-NI                                | Ubuntu 10.04 32 bit                    | Intel Core i5 (x86)         | AES-NI
Linux 2.6 on PPC (duplicate of platform 10)                 | Linux 2.6.33                           | PowerPC32 e300 (PPC)        | None
Android 2.2 on ARMv7 with NEON (duplicate of platform 1)    | Android 2.2                            | OMAP 3530 (ARMv7)           | NEON
C64x+ DSP                                                   | DSP Media Framework 1.4                | TI C64x+                    | None
VxWorks 6.0 on MIPS                                         | VxWorks 6.0                            | TI TNETV1050 (MIPS)         | None
Linux 2.6 on ARMv6                                          | Linux 2.6                              | Broadcom BCM11107 (ARMv6)   | None
Linux 2.6 on ARMv7                                          | Linux 2.6                              | TI TMS320DM6446 (ARMv4)     | None
Linux 2.6 on ARMv7                                          | Linux 2.6.32                           | TI AM3703CBP (ARMv7)        | None
Solaris 10 on SPARCv9 32 bit                                | Solaris 10 32bit                       | SPARC-T3 (SPARCv9)          | None
Solaris 10 on SPARCv9 32 bit                                | Solaris 10 64bit                       | SPARC-T3 (SPARCv9)          | None
Solaris 11 on x86-64 32 bit                                 | Solaris 11 32bit                       | Intel Xeon 5260 (x86)       | None
Solaris 11 on x86-64 64 bit                                 | Solaris 11 64bit                       | Intel Xeon 5260 (x86)       | None
Solaris 11 on x86-64 with AES-NI 32 bit                     | Solaris 11 32bit                       | Intel Xeon 5260 (x86)       | AES-NI
Solaris 11 on x86-64 with AES-NI 64 bit                     | Solaris 11 64bit                       | Intel Xeon 5260 (x86)       | AES-NI
Oracle Linux 5 on x86-64 64 bit                             | Oracle Linux 5 64bit                   | Intel Xeon 5260 (x86)       | None
CascadeOS 6.1 V3 on x86 32 bit                              | CascadeOS 6.1 32bit                    | Intel Pentium T4200 (x86)   | None
CascadeOS 6.1 V3 on x86 64 bit                              | CascadeOS 6.1 64bit                    | Intel Pentium T4200 (x86)   | None
Linux 2.6 on x86-64 32 bit                                  | Ubuntu 10.04 32bit                     | Intel Pentium T4200 (x86)   | None
Linux 2.6 on x86-64 64 bit                                  | Ubuntu 10.04 64bit                     | Intel Pentium T4200 (x86)   | None
Oracle Linux 5                                              | Oracle Linux 5                         | Intel Xeon 5675 (x86)       | AES-NI
Oracle Linux 6                                              | Oracle Linux 6                         | Intel Xeon 5675 (x86)       | None
Oracle Linux 6                                              | Oracle Linux 6                         | Intel Xeon 5675 (x86)       | AES-NI
Solaris 11 32bit                                            | Solaris 11 32bit                       | SPARC-T3 (SPARCv9)          | None
Solaris 11 64bit                                            | Solaris 11 64bit                       | SPARC-T3 (SPARCv9)          | None
Android 4.0 on ARMv7                                        | Android 4.0 (Motorola Xoom)            | NVIDIA Tegra 250 T20        | None
Linux 2.6                                                   | Linux 2.6                              | Freescale PowerPC-e500      | None
Apple iOS 5.1                                               | Apple iOS 5.1                          | ARMv7                       | None
WinCE 6.0                                                   | WinCE 6.0                              | ARMv5TEJ                    | None
WinCE 5.0                                                   | WinCE 5.0                              | ARMv7                       | None
Android 4.0                                                 | Android 4.0                            | OMAP 3                      | NEON

Table 3.2.1c - Representative Systems

3.2.2 32 versus 64 Bit Architecture

Many 64 bit platforms provide backward compatible support for 32 bit code via hardware or software emulation. Software built on a 32 bit version of a specific operating system will generally run as-is on the equivalent 64 bit version of that operating system. Software built on a 64 bit operating system can be either 32 bit or 64 bit code depending on vendor build environment defaults and explicit build time options. Any such 64 bit code will not run on a 32 bit equivalent operating system, so care must be taken when compiling code for distribution to both 32 and 64 bit systems.

By default the FIPS Object Module build process will generate 64 bit code on 64 bit systems. Since the command sets included in the validation testing do not permit the explicit specification of the compile time options that would otherwise be used to specify the generation of 32 or 64 bit code, it may be necessary for some platforms to build a 32 bit FIPS Object Module on a 32 bit system, and conversely for 64 bit. It is also possible on most 64-bit platforms to install a 32-bit build environment which would be supported. Details as to how to configure such an environment are beyond the scope of this document.

3.2.3 Assembler Optimization

The only option for processor architectures other than x86/x86-64 and ARM is to use the pure C language implementation and not any of the hand-coded performance optimized assembler, as each assembler implementation requires separate FIPS testing. For example, an Itanium or PowerPC system can only build and use the pure C language module.

For the x86/x86-64 and ARM processors several levels of optimization are supported by the code. Note that most such optimizations, if compiled into executable code, are selectively enabled at runtime depending on the capabilities of the target processor. If the Module is built and executed on the same platform (the build-time and run-time systems are the same) then the appropriate optimization will automatically be utilized (assuming that the build+target system corresponds to a formally tested platform).

For x86-64 there are three possible optimization levels:

1. No optimization (plain C)
2. SSE2 optimization
3. AES-NI+PCLMULQDQ+SSSE3 optimization

Note that other theoretically possible combinations (e.g. AES-NI only, or SSE3 only) are not addressed individually, so that a processor which does not support all three of AES-NI, PCLMULQDQ, and SSSE3 will fall back to only SSE2 optimization. The runtime environment variable OPENSSL_ia32cap=~0x200000200000000 disables use of AES-NI, PCLMULQDQ, and SSSE3 optimizations for x86-64.

For ARM there are two possible optimization levels:

1. Without NEON
2. With NEON (ARM7 only)

The runtime variable OPENSSL_armcap=0 disables use of NEON optimizations for ARM.

If all optimization levels have not been formally tested for a given platform, care must be taken to verify that the optimizations enabled at run-time on any target systems correspond to a formally tested platform. For instance, if "Windows on x86 32-bit" was formally tested but "Windows on x86 with AES-NI 32-bit" was not[35] then the Module would be validated when executed on a non-AES-NI capable target processor, but would not be validated when executed on an AES-NI capable system. Note the processor optimization capabilities will often not be obvious to administrators or end users installing software. When the target platforms are not known to have capabilities corresponding to tested platforms then the risk of inadvertently utilizing the unvalidated optimizations at run-time can be avoided by setting the appropriate environment variables at run-time[36]:

Disabling run-time selectable optimizations

Platform   | Environment Variable | Value
x86/x86-64 | OPENSSL_ia32cap      | ~0x200000200000000
ARM        | OPENSSL_armcap       | 0
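As an added illustration (not code from the User Guide or the OpenSSL project), the following Python interprets an OPENSSL_ia32cap setting the way the page describes its effect: a 64-bit vector of CPUID leaf 1 capability bits (EDX in the low half, ECX in the high half) in which a leading "~" clears the named bits. The bit positions and the sample "detected" capability vector are supplied here, not taken from the page; applying the page's value ~0x200000200000000 shows that it clears bits 33 (PCLMULQDQ) and 57 (AES-NI) and, since the three features AES-NI, PCLMULQDQ and SSSE3 are then no longer all present, the selection falls back to the SSE2 level exactly as the text explains.

```python
# Added example: decode an OPENSSL_ia32cap setting as a mask over the
# CPUID leaf 1 capability vector and map the result onto the x86-64
# optimization levels described in section 3.2.3.
# Bit numbers are CPUID leaf 1 positions: EDX bit n -> n, ECX bit n -> n + 32.
# They are stated here as this example's own values, not quoted from the page.

CAP_BITS = {
    "SSE2": 26,           # EDX bit 26
    "PCLMULQDQ": 32 + 1,  # ECX bit 1  -> bit 33
    "SSSE3": 32 + 9,      # ECX bit 9  -> bit 41
    "AES-NI": 32 + 25,    # ECX bit 25 -> bit 57
}

# Constructed vector for a CPU reporting all four features.
FULL_FEATURED_CPU = sum(1 << bit for bit in CAP_BITS.values())
MASK64 = (1 << 64) - 1

# The value given on the page for x86/x86-64.
PAGE_IA32CAP_VALUE = "~0x200000200000000"


def apply_ia32cap(detected: int, setting: str) -> int:
    """Apply an OPENSSL_ia32cap value to a detected capability vector.

    A leading '~' means "clear these bits"; without it the value replaces
    the detected vector outright.
    """
    setting = setting.strip()
    if setting.startswith("~"):
        return detected & ~int(setting[1:], 0) & MASK64
    return int(setting, 0) & MASK64


def cleared_bits(setting: str) -> list:
    """Bit positions a '~' style setting clears (empty for the plain form)."""
    setting = setting.strip()
    if not setting.startswith("~"):
        return []
    mask = int(setting[1:], 0)
    return [bit for bit in range(64) if mask >> bit & 1]


def enabled_features(capvector: int) -> list:
    return [name for name, bit in CAP_BITS.items() if capvector >> bit & 1]


def optimization_level(capvector: int) -> str:
    """Map a capability vector onto the three x86-64 levels on the page:
    all of AES-NI, PCLMULQDQ and SSSE3 -> level 3, otherwise SSE2 if
    present, otherwise plain C."""
    have = set(enabled_features(capvector))
    if {"AES-NI", "PCLMULQDQ", "SSSE3"} <= have:
        return "AES-NI+PCLMULQDQ+SSSE3"
    if "SSE2" in have:
        return "SSE2"
    return "plain C"


if __name__ == "__main__":
    masked = apply_ia32cap(FULL_FEATURED_CPU, PAGE_IA32CAP_VALUE)
    print("bits cleared:", cleared_bits(PAGE_IA32CAP_VALUE))
    print("features left:", enabled_features(masked))
    print("level before:", optimization_level(FULL_FEATURED_CPU))
    print("level after: ", optimization_level(masked))
```

Run on a real system, the detected vector would come from CPUID rather than the constructed constant; the decoding of the environment variable and the level mapping are unchanged.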

3.3 Creation of Shared Libraries

The FIPS Object Module is not directly usable as a shared library, but it can be linked into an application that is a shared library. A "FIPS compatible" OpenSSL distribution will automatically incorporate an available FIPS Object Module into the libcrypto shared library when built using the fips option (see §4.2.3).

3.4 Cross-Compilation

Compilers and linkers are separate programs which work together to generate object code for a target system. They are also programs composed of object code that is executed on the build system. When the build and target systems are the same the process is referred to as a "native" build; when they are different it is referred to as a "cross-compilation" build. Many compilers and linkers (or build environments containing compilers and linkers) are capable of creating object code for multiple target platforms.

For the case of the native build the ./config command[37] automatically determines the target system from the characteristics of the build system. This determination is made by setting a series of variables that are used to select an arbitrary architecture label defined in the ./Configure command that is invoked by ./config. This architecture label can be displayed with the "-t" command line option:

$ ./config -t
Operating system: i686-whatever-linux2
Configuring for linux-elf
/usr/bin/perl ./Configure linux-elf -march=pentium -Wa,--noexecstack
$

In this example the architecture target is "linux-elf" and the ./Configure command will be invoked with the additional arguments "-march=pentium -Wa,--noexecstack".

This implicit determination of the target architecture can be overridden by manually specifying the appropriate environment variables. This explicit determination is optional and unnecessary for native builds, but required for cross-compilation. A typical example is shown here for cross-compilation for the Android ARM target platform:

#!/bin/sh
# Edit this to wherever you unpacked the NDK
export ANDROID_NDK=$PWD
# Edit to wherever you put incore script
export FIPS_SIG=$PWD/incore
# Shouldn't need to edit anything past here.
PATH=$ANDROID_NDK/android-ndk-r4b/build/prebuilt/linux-x86/arm-eabi-4.4.0/bin:$PATH ; export PATH
export MACHINE=armv7l
export RELEASE=2.6.32.GMU
export SYSTEM=android
export ARCH=arm
export CROSS_COMPILE="arm-eabi-"
export ANDROID_DEV="$ANDROID_NDK/android-ndk-r4b/build/platforms/android-8/arch-arm/usr"
export HOSTCC=gcc

With those environment variables specified on a Linux x86 system the ./config now selects a different target architecture:

$ ./config -t
Operating system: armv7l-whatever-android
Configuring for android-armv7
/usr/bin/perl ./Configure android-armv7 -Wa,--noexecstack
$

When building using cross-compilation a different technique must be used to determine the embedded integrity check digest value. For native builds an interim executable is created and executed to calculate this digest from live memory, in the same way that the digest is calculated at runtime during the POST integrity test. When cross-compiling that technique cannot be used because the cross-compiled executables cannot (in general) be run on the build host. Instead of building and executing an interim executable, a special purpose utility is used to calculate the digest by examining the cross-compiled object code as it resides on disk. One such utility, incore, is provided to handle ELF formats. Even though this utility is effectively platform neutral on most Linux-like operating systems, the process as a whole is not designed to work with arbitrary ELF code and can be relied on only for explicitly verified cross-compile cases as reflected in fips/fips_canister.c. Accommodation of new cross-compilation targets is likely to be trivial but will still require separate validation. Thus, although the incore utility is theoretically capable of handling arbitrary ELF binary code (native or not), it is not used in non-cross-compile/native cases. Cross-compiled non-ELF platforms would require different utilities and separate validation.

In general the C compiler is required to segregate constant data in a contiguous area (e.g. by placing it in a dedicated segment) to compile the FIPS module. Some compilers were found to fail to meet the const data segment requirement. In the cases where the errant behavior was observed, the compiler was instructed to generate position-independent code[38]. In such cases it might be possible to rectify the problem by defining the __fips_constseg macro in fips/fipssyms.h and harmonizing that definition with the declaration of FIPS_rodata_start and FIPS_rodata_end in fips/fips_canister.c. Unfortunately, such an approach will require a separate FIPS 140-2 validation.

[35] This was the case as of the initial OpenSSL FIPS Object Module 2.0 validation, though such platforms may be added by subsequent modifications.
[36] An alternative is to sponsor the addition of the unsupported platform optimization to the validated Module.
[37] Microsoft Windows platforms are handled somewhat differently and are discussed elsewhere.
[38] The primary reason for compiling the FIPS 2.0 module with -fPIC is for versatility, so that the fipscanister object module will be usable in either the context of a statically-linked application or dynamic library. Use of non-PIC code is inappropriate in a dynamic library, but linking PIC statically was proven to work on all tested platforms. Thus, where such versatility is not of interest then -fPIC could be dropped to target statically-linked applications only. A separate validation will be required, of course.


4. Generating the FIPS Object Module

This section describes the creation of a FIPS Object Module for subsequent use by an application. The Security Policy provides procedures for acquiring, verifying, building, installing, protecting, and initializing the FIPS Object Module. In case of discrepancies between the User Guide and the Security Policy, the Security Policy should be used. Finally, recall from Section 2.4.2, Object Module (Link Time) Integrity, that applications link against libcrypto.so or libcrypto.a, and not directly to fipscanister.o.

4.1 Delivery of Source Code

The OpenSSL FIPS Object Module software is only available in source format. The specific source code distributions can be found at http://www.openssl.org/source/[39] as files with names of the form openssl-fips-2.0.N.tar.gz where the revision number N reflects successive extensions of the FIPS Object Module to support additional platforms:

http://www.openssl.org/source/openssl-fips-2.0.tar.gz
http://www.openssl.org/source/openssl-fips-2.0.1.tar.gz
http://www.openssl.org/source/openssl-fips-2.0.2.tar.gz

The latest revision will be suitable for all tested platforms, whereas earlier revisions will work only for the platforms tested as of that revision.

The CMVP introduced significant new requirements for verification of the 2.0 source code distribution. This requirement is discussed in more detail in §4.1.3; but in summary, it can no longer be downloaded and used as before. A "trusted path" must be used for transfer of the source code distribution. At present the one method known to satisfy the "trusted path" requirement is to obtain the source code distribution from the vendor of record (OSF) on physical media (CD). For instructions on requesting this CD see http://opensslfoundation.com/fips/verify.html.

The OpenSSL FIPS Object Module software was delivered to the FIPS 140-2 testing laboratory in source form as this complete OpenSSL distribution, and was built by the testing laboratory using the standard build procedure as described in the Security Policy document and reproduced below and in Appendix B.

For each of the openssl-fips-2.0.N.tar.gz distributions there is also a distribution file with the name of the form openssl-fips-ecp-2.0.N.tar.gz. These "ecp" distributions are the same as the corresponding 2.0.N distributions with binary curve ECC omitted (see Section 6.5).

Note: OSF recommends that the downloaded tarballs be considered untrusted for any purpose until verified as described in §4.1.2.

[39] Closely related distributions lacking binary curve ECC, openssl-fips-ecp-2.0.N.tar.gz, are also available; see 6.5.

4.1.1 Creation of a FIPS Object Module from Other Source Code

Many OpenSSL distributions other than the specific distributions used for the validation can be used to build a fipscanister.o object using undocumented build-time options. The reader is reminded that any such object code cannot be used or represented as FIPS 140-2 validated. The Security Policy document is very clear on that point.

4.1.2 Verifying Integrity of Distribution (Best Practice)

This step is optional and not mandated by the FIPS 140-2 validation. It is also not recognized as having any value by the CMVP, but is considered a best practice by the OpenSSL team for all software downloads from OpenSSL.

The integrity and authenticity of the complete OpenSSL distribution should be validated manually with the PGP signatures[40] published by the OpenSSL team with the distributions (ftp://ftp.openssl.org/source/) to guard against a corrupted source distribution. Note this check is separate and distinct from the CMVP mandated FIPS 140-2 source file integrity check (§4.1.3).

The PGP signatures are contained in the file openssl-fips-2.0.tar.gz.asc. This digital signature of the distribution file can be verified against the OpenSSL PGP public key by using the PGP or GPG applications (GPG can be obtained free of charge from http://www.gnupg.org/)[41]. This validation consists of confirming that the distribution was signed by a known trusted key as identified in Appendix A, "OpenSSL Distribution Signing Keys".

First, find out which key was used to sign the distribution. Any of several different valid keys may have been used for this purpose. The "hexadecimal key id", an identifier used for locating keys on the keystore servers, is displayed when attempting to verify the distribution. If the signing key is not already in your keyring the hexadecimal key id of the unknown key will still be displayed:

$ gpg openssl-1.0.1z.tar.gz.asc
gpg: Signature made Tue Sep 30 09:00:37 2009 using RSA key ID 49A563D9
gpg: Can't check signature: public key not found
$

Example 4.1.2a - Find Id of Signing Key

In this example the key id is 0x49A563D9. Next see if this key id belongs to one of the OpenSSL core team members authorized to sign distributions. The authorized keys are listed in Appendix A. Note that some older versions of gpg will not display the key id of an unknown public key; either upgrade to a newer version or load all of the authorized keys.

If the hexadecimal key id matches one of the known valid OpenSSL core team keys then download and import the key. PGP keys can be downloaded interactively from a keyserver web interface or directly by the pgp or gpg commands. The hexadecimal key id of the team member key (for example, the search string "0x49A563D9") can be used to download the OpenSSL PGP key from a public keyserver (http://www.keyserver.net/, http://pgp.mit.edu, or others). Keys can be downloaded interactively to an intermediate file or directly by the pgp or gpg program. Once downloaded to an intermediate file, markcox.key in this example, the key can be imported with the command:

$ gpg --import markcox.key
gpg: key 49A563D9: public key "Mark Cox <mjc@redhat.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$

Example 4.1.2b - Importing a Key from a Downloaded file

These examples assume the pgp or gpg software is installed. The key may also be imported directly into your keyring:

$ gpg --keyserver pgp.mit.edu --recv-key 49a563d9
gpg: key 49A563D9: public key "Mark Cox <mjc@redhat.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Example 4.1.2c - PGP Key Import

Note that at this point we have not yet established that the key is authentic or that the distribution was signed with that key; a key that might be authentic has been obtained in a form where it can be utilized for further validation.

[40] Note this PGP/GPG signature check is not related to any of the FIPS integrity checks!
[41] Note that although PGP and GPG are functionally interoperable, some versions of PGP are currently FIPS 140-2 validated and no versions of GPG are. For the purposes of FIPS 140-2 validation a validated version of PGP must be used. The examples given here are applicable to both GPG and PGP.


To verify that the distribution file was signed by the imported key use the pgp or gpg command with the signature file as the argument, with the distribution file also present in the same directory:

$ gpg /work/build/openssl/openssl-1.0.1.tar.gz.asc
gpg: Signature made Tue Sep 30 09:00:37 2009 using RSA key ID 49A563D9
gpg: Good signature from "Mark Cox <mjc@redhat.com>"
gpg:                 aka "Mark Cox <mark@awe.com>"
gpg:                 aka "Mark Cox <mark@c2.net>"
gpg:                 aka "Mark Cox <mcox@c2.net>"
gpg:                 aka "Mark Cox <mark@ukweb.com>"
gpg:                 aka "Mark Cox <mjc@apache.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF
$

Example 4.1.2d - PGP File Signature Verification

In this example the validity of the file signature with respect to the key was verified. That is, the target file openssl-fips-2.0.tar.gz was signed by the key with id 49A563D9. The warning message in this example is alerting that the key is not part of the "web of trust", a relational ranking system based on manually assigned confidence levels. Instead of relying on the web of trust, which will differ from one user to another, the key should be matched directly to a list of known valid keys.

The final step of verification is to establish that the signing key is authentic. To do so, confirm the key fingerprint of the key which signed the distribution is one of the valid OpenSSL core team keys listed in Appendix A, "OpenSSL Distribution Signing Keys". In this example, 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF is in fact authentic according to Appendix A.

4.1.3 Verifying Integrity of the Full Distribution for the FIPS Object Module

IMPORTANT NOTE: This step has changed from prior validations, and is required per the OpenSSL Security Policy!

The validation now includes a requirement for "secure installation." In practice that means the distribution file should be obtained directly from the vendor (OSF) on physical media. A more complete discussion of this requirement including the elaborate steps needed when the distribution is not obtained on physical media can be found in §6.6. Physical media can be requested from OSF at:

OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877-OPENSSL (+1 877 673 6775)
verifycd@opensslfoundation.com

An E-mail containing the full postal address is the preferred point of contact. It is our intention to provide these CDs at no cost as long as we are able. We ask that you only request this CD if you plan to use it for generation of FIPS 140-2 validated cryptography in a context that requires such compliance. For any other purposes the downloaded files are bit-for-bit identical and will generate exactly the same results.

The simpler verification requirement for prior OpenSSL FIPS Object Module validations, namely:

The HMAC-SHA-1 digest of the distribution file is published in Appendix B of the Security Policy. The Security Policy can be found at NIST, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1051.pdf. This digest should be calculated and compared against the published value, as in:

$ env OPENSSL_FIPS=1 openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.tar.gz

where the openssl command is from a recent version of OpenSSL that supports the -hmac option[42]. If you don't have the openssl command yet it will be generated by the build process.

...is now specifically disallowed. With the new requirement use of the openssl command, even from another version of the OpenSSL FIPS Object Module, is no longer permitted as in general it will not have been obtained via a "secure installation".
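The fingerprint matching step of 4.1.2 can be scripted. The following Python is an added example (not part of the User Guide) that parses gpg verification output such as Example 4.1.2d, extracts the key id and the primary key fingerprint, and accepts the signature only when gpg reports it good and the full fingerprint appears in a fixed allowlist standing in for Appendix A. The sample output and the one-entry allowlist are constructed from what the page shows; the function names are this example's own. The decision deliberately ignores the (short) key id, since only the full fingerprint identifies the key.

```python
# Added example: decide whether a gpg signature verification is acceptable
# by matching the signing key's full fingerprint against a known list,
# rather than relying on gpg's web-of-trust warning.
import re

# Stand-in for Appendix A: the one fingerprint shown on the page.
KNOWN_SIGNING_KEY_FINGERPRINTS = {
    "7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF",
}

# Constructed sample, abbreviated from the verification output on the page.
SAMPLE_GPG_OUTPUT = """\
gpg: Signature made Tue Sep 30 09:00:37 2009 using RSA key ID 49A563D9
gpg: Good signature from "Mark Cox <mjc@redhat.com>"
gpg:                 aka "Mark Cox <mark@awe.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF
"""

KEY_ID_RE = re.compile(r"using \w+ key ID ([0-9A-Fa-f]{8,16})")
FPR_RE = re.compile(r"^Primary key fingerprint:\s*([0-9A-Fa-f ]+?)\s*$", re.M)


def normalize_fingerprint(fpr: str) -> str:
    """Canonical form: uppercase hex with all whitespace removed."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_gpg_verify(output: str) -> dict:
    """Pull the fields the decision needs out of gpg's human-readable output."""
    key_id = KEY_ID_RE.search(output)
    fpr = FPR_RE.search(output)
    return {
        "key_id": key_id.group(1).upper() if key_id else None,
        "good_signature": "gpg: Good signature from" in output,
        "bad_signature": "gpg: BAD signature from" in output,
        "fingerprint": normalize_fingerprint(fpr.group(1)) if fpr else None,
    }


def signature_acceptable(output: str, allowlist=KNOWN_SIGNING_KEY_FINGERPRINTS) -> bool:
    """True only for a good signature whose full fingerprint is allowlisted.

    A missing fingerprint, a BAD signature, or an unknown key all yield False;
    the web-of-trust WARNING line is irrelevant to the decision.
    """
    result = parse_gpg_verify(output)
    if not result["good_signature"] or result["bad_signature"]:
        return False
    if result["fingerprint"] is None:
        return False
    known = {normalize_fingerprint(f) for f in allowlist}
    return result["fingerprint"] in known


if __name__ == "__main__":
    print(parse_gpg_verify(SAMPLE_GPG_OUTPUT))
    print("acceptable:", signature_acceptable(SAMPLE_GPG_OUTPUT))
```

In practice the output would be captured from the gpg invocation shown in Example 4.1.2d and the allowlist populated from Appendix A; any fingerprint not on that list is rejected even if gpg itself considered the key trusted.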

4.2 Building and Installing the FIPS Object Module with OpenSSL (Unix/Linux)

Due to significant differences in the two basic operating system families, Unix®/Linux® and Microsoft® Windows® platforms are discussed separately. Instructions for Windows® are given in §4.3. In addition, a Mac OS X example is offered at E.1 Apple OS X Support, and an iOS example is given in Appendix E.

4.2.1 Building the FIPS Object Module from Source

Next build the FIPS Object Module from source. The FIPS 140-2 validation specific code is incorporated into the resulting FIPS Object Module when the fips configuration option is specified. Per the conditions of the FIPS 140-2 validation only two configuration commands may be used:

./config

or

./config no-asm

where the specific option used depends on the platform (see §3.2.1). Note that "fips canister" is implied, so there is no need for either ./config fipscanisterbuild or ./config fips.

The environment variable FIPSDIR, if present, points to the pathname of the location where the validated module will be installed. This location defaults to /usr/local/ssl/fips-2.0.

The specification of any other options on the command line, such as ./config shared is not permitted. Note that in the case of the "shared" option position independent code is generated by default so the generated FIPS Object Module can be included in a shared library[43]. Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified. This restriction means that an optional install prefix cannot be specified -- however, there is no restriction on subsequent manual relocation of the generated files to the desired final location.

Then:

make

to generate the FIPS Object Module file fipscanister.o, the digest for the FIPS Object Module file, fipscanister.o.sha1, and the source file used to generate the embedded digest, fips_premain.c. The fipscanister.o, fipscanister.o.sha1, and fips_premain.c files are intermediate files (i.e., used in the generation of an application but not referenced by that application at runtime). The object code in the fipscanister.o file is incorporated into the runtime executable application at the time the binary executable is generated.

This should also be obvious, but modifications to any of the intermediate files generated by the "./config" or "make" commands are not permitted. If the original distribution is modified, or if anything other than those three specified commands are used, or if any intermediate files are modified, the result is not FIPS validated.

[42] The OPENSSL_FIPS=1 environment variable will enable FIPS mode for an openssl command built from a FIPS capable OpenSSL distribution.
[43] If not for the FIPS validation prohibition, on most but not all platforms the "shared" option could safely be chosen regardless of the intended use. See Appendix E for one known exception.


4.2.2 Installing and Protecting the FIPS Object Module

The system administrator should install the generated fipscanister.o, fipscanister.o.sha1, and fips_premain.c files in a location protected by the host operating system security features. These protections should allow write access only to authorized system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users. For Unix® based or Linux® systems this protection usually takes the form of root ownership and permissions of 0644 or less for those files and all parent directories. When all system users are not also authorized users the world (public) read and execute permissions should be removed from these files.

The usual

make install

will install the fipscanister.o, fipscanister.o.sha1, fips_premain.c, and fips_premain.c.sha1 files in the target location (typically /usr/local/ssl/fips-2.0/lib/ for Unix® based or Linux® systems, or as specified by the FIPSDIR environment variable) with the appropriate permissions to satisfy the security requirement. These four files constitute the validated FIPS Object Module; the other files also installed by this command are not validated.

Note that it is also permissible to install these files in other locations by other means, provided that they are protected with appropriate permissions as noted above:

cp fipscanister.o fipscanister.o.sha1 <target-directory>
cp fips_premain.c fips_premain.c.sha1 <target-directory>

Note that fipscanister.o can either be statically linked into an application binary executable, or statically linked into a shared library.

4.2.3 Building a FIPS Capable OpenSSL


Once the validated FIPS Object Module has been generated it is usually combined with an OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1 release can be used for this purpose. The commands

    ./config fips <...other options...>
    make <...options...>
    make install

will build and install the new OpenSSL without overwriting the validated FIPS Object Module files. The FIPSDIR environment variable or the --with-fipsdir command line option can be used to explicitly reference the location of the FIPS Object Module (fipscanister.o).


The combination of the validated FIPS Object Module plus an OpenSSL distribution built in this way is referred to as a FIPS capable OpenSSL, as it can be used either as a drop-in replacement for a non-FIPS OpenSSL or for use in generating FIPS mode applications. Note that a standard OpenSSL distribution built for use with the FIPS Object Module must have the ./config fips option specified. Other configuration options may be specified in addition to fips, but omission of the fips option will cause errors when using the OpenSSL libraries with the FIPS Object Module.

4.3 Building and Installing the FIPS Object Module with OpenSSL (Windows)

The build procedure for Windows is similar to that for the regular OpenSSL product, using MSVC and NASM for compilation. Note MASM is not supported. The second stage uses VC++ to link OpenSSL 1.0.1 or later against the installed FIPS module, to obtain the complete FIPS capable OpenSSL. Both static and shared libraries are supported.

4.3.1 Building the FIPS Object Module from Source


Build the FIPS Object Module from source:

    ms\do_fips [no-asm]

where the no-asm option may or may not be present depending on the platform (see §3.2.1). Note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified.

4.3.2 Installing and Protecting the FIPS Object Module

The system administrator should install the generated fipscanister.lib, fipscanister.lib.sha1, and fips_premain.c files in a location protected by the host operating system security features. These protections should allow write access only to authorized system administrators (FIPS 140-2 Crypto Officers) and read access only to authorized users. For Microsoft® Windows® based systems this protection can be provided by ACLs limiting write access to the administrator group. When all system users are not authorized users the Everyone (public) read and execute permissions should be removed from these files.


4.3.3 Building a FIPS Capable OpenSSL


The final stage is VC++ compilation of a standard OpenSSL distribution to be referenced in conjunction with the previously built and installed FIPS Object Module. Download an OpenSSL 1.0.1 distribution. Follow the standard Windows® build procedure except that instead of the command:

    perl Configure VC-WIN32

do:

    perl Configure VC-WIN32 fips --with-fipslibdir=c:\fips\path

where "c:\fips\path" is wherever the FIPS module from the first stage was installed. Static and shared library builds are supported. This command is followed by the usual ms\do_nasm and nmake -f ms\ntdll.mak to build the shared libraries only, or nmake -f ms\nt.mak to build the OpenSSL static libraries.

The standard OpenSSL build with the fips option will use a base address for libeay32.dll of 0xFB00000 by default. This value was chosen because it is unlikely to conflict with other dynamically loaded libraries. In the event of a clash with another dynamically loaded library which will trigger runtime relocation of libeay32.dll, the integrity check will fail with the error

    FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED

A base address conflict can be resolved by shuffling the other DLLs or re-compiling OpenSSL with an alternative base address specified with the --with-baseaddr= option. Note that the developer can identify which DLLs are relocated with the Process Explorer utility from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx.


The resulting FIPS capable OpenSSL can be used for shared or static linking. The shared library built (when ms\ntdll.mak is used as the Makefile) links fipscanister.lib into libeay32.dll using fipslink.pl in accordance with the requirements of the Security Policy.


5. Creating Applications Which Reference the FIPS Object Module


Only minor modifications are needed to adapt most applications that currently use OpenSSL for cryptography to use the FIPS capable OpenSSL with the FIPS Object Module. The checklist in Figure 4 summarizes the modifications which are covered in more detail in the following discussion:
☐ Use the FIPS Object Module for all cryptography
☐ Initialize FIPS mode with FIPS_mode_set()
☐ Generate application executable object with embedded FIPS Object Module digest
☐ Protect critical security parameters

Figure 4 - Application Checklist

Appendix C contains a simple but complete sample application utilizing the FIPS Object Module with OpenSSL as described in this section.

5.1 Exclusive Use of the FIPS Object Module for Cryptography

In order for the referencing application to claim FIPS 140-2 validation, all cryptographic functions utilized by the application must be provided exclusively by the FIPS Object Module. The OpenSSL API used in conjunction with the FIPS Object Module in FIPS mode is designed to automatically disable all non-FIPS cryptographic algorithms.

5.2 FIPS Mode Initialization

Somewhere very early in the execution of the application FIPS mode must be enabled. This should be done by invocation of the FIPS_mode_set() function call, either directly or indirectly as in the following examples. Note that it is permitted to not enable FIPS mode, in which case OpenSSL should function as it always has. The application will not, of course, be operating in validated mode.

The FIPS_mode_set() function call when invoked with any positive argument will enable the FIPS mode of operation. Depending on the argument it may also enable additional restrictions. For example, an argument of 1 will enable the basic FIPS mode where all FIPS approved algorithms are available. An argument of FIPS_SUITEB (2) will restrict the available algorithms to those allowed by the Suite B specification.

Option 1: Direct call to FIPS_mode_set()


    #ifdef OPENSSL_FIPS
    if(options.no_fips <= 0) {
        if(!FIPS_mode_set(1)) {
            ERR_load_crypto_strings();
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        else
            fprintf(stderr,"*** IN FIPS MODE ***\n");
    }
    #endif

Example 5.2a – Direct Invocation of FIPS_mode_set()

Option 2: Indirect call via OPENSSL_config()

The OPENSSL_config() call can be used to enable FIPS mode via the standard openssl.conf configuration file:
    OPENSSL_config("XXXX_conf");
    #ifdef OPENSSL_FIPS
    if (FIPS_mode()) {
        fprintf(stderr,"*** IN FIPS MODE ***\n");
    }
    #endif

Example 5.2b – Indirect Invocation of FIPS_mode_set()


    # Default section
    XXXX_conf = XXXX_options
    ...
    [ XXXX_options ]
    alg_section = algs
    ...
    [ algs ]
    fips_mode = yes
    ...

Example 5.2c – Sample openssl.conf File

The call to OPENSSL_config("XXXX_conf") will check the system default OpenSSL configuration file for a section XXXX_conf. If section XXXX_conf is not found then the section defaults to openssl_conf. The resulting section is checked for an alg_section specification naming a section that can contain an optional “fips_mode = yes” statement.

Note that OPENSSL_config() has no return code. If a configuration error occurs it will write to STDERR and forcibly exit the application. Applications that want finer control can call the underlying functions such as CONF_modules_load_file() directly.

5.3 Generate Application Executable Object

Note that applications interfacing with the FIPS Object Module are outside of the cryptographic boundary. When statically linking the application with the FIPS Object Module two steps are necessary:

1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated and verified against the installed digest to ensure the integrity of the FIPS Object Module.

2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must be generated and embedded in the application executable object for use by the FIPS_mode_set() function at runtime initialization.

Note the application that statically links the Module can be a shared library (DLL for Microsoft Windows). When the FIPS Object Module has been incorporated in a shared library then subsequent dynamic linking of an application to that shared library is done the usual way and these steps are irrelevant.


For static linking the embedding of the runtime digest can be accomplished in one of two ways:

1. Two Step Linking with Interim Runtime Executable

Earlier versions of the FIPS Object Module supported only this technique, where an initial link is performed to create an interim executable which is then executed in the target environment to calculate and display the digest value. A second link is performed to create the final executable with the embedded digest value. This two step process is typically performed by the fipslink.pl utility.

This two step technique works well enough for native builds, where the build system and runtime target system are the same, but is awkward at best for cross-compilation due to the need to move the interim executable to the target system, execute it, and retrieve the calculated digest. This technique does have the advantage of working (at least in principle) for all platforms.

2. In-place Editing of the Object Code

In order to ease the task of cross-compiling the FIPS Object Module, a new technique was developed. Instead of determining the runtime digest value by actual execution on the target system, a utility is used to analyze the compiled object code on the build system and calculate the digest. This utility is platform (or object code format) sensitive. For ELF binaries it is called incore, for Microsoft Windows msincore, for OS X and iOS incore_macho.

5.3.1 Linking under Unix/Linux


The OpenSSL distribution contains a utility, fipsld, which both performs the check of the FIPS Object Module and generates the new HMAC-SHA-1 digest for the application executable. The fipsld utility has been designed to act as a front end for the actual compilation and linking operations in order to ease the task of modifying an existing software project to incorporate the FIPS Object Module. It can be used to create either binary executables or shared libraries.

The fipsld command requires that the CC and/or FIPSLD_CC environment variables be set, with the latter taking precedence. These variables allow a typical Makefile to be used without modification by specifying a command of the form

    make CC=fipsld FIPSLD_CC=gcc

where fipsld is invoked by make in lieu of the original compiler and linker (gcc in this example), and in turn invokes that compiler where appropriate. Note that CC=fipsld can be passed to autoconf configure scripts as well.


This type of command line macro overloading will work for many smaller software projects. The makefile can also be modified to achieve the same macro substitutions. Depending on the form of the Makefile this substitution may be as simple as defining FIPSLD_CC to reference the actual C compiler and redefining the CC macro to reference fipsld:

    FIPSLD_CC := $(CC)    # := expands CC now, before it is redefined below
    CC = fipsld
    . . .
    <application>: $(OBJS)
            $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBCRYPTO) ...

Setting CC=fipsld is appropriate when the link rules rely on $(CC) instead of ld to produce the executable images, but in some cases it may be desirable or necessary to not redefine the $(CC) macro variable. A typical makefile rule referencing fipsld directly for the link step would look something like[44]:

    OPENSSLDIR = /usr/local/ssl/fips-2.0
    FIPSMODULE = $(OPENSSLDIR)/lib/fipscanister.o
    . . .
    <application>: $(OBJS) $(FIPSMODULE)
            env FIPSLD_CC=$(CC) fipsld $(CFLAGS) -o $@ $(OBJS) \
                    $(LIBS) $(LIBCRYPTO)

Even though the fipsld command name implies use as a replacement for the ld command, it also invokes the C compiler between the two link stages, hence fipsld can also replace $(CC) in rules producing .o object files, replacing both compilation and linking steps for the entire Makefile, i.e.:

    <application>.o: <application>.c
            $(CC) $(CFLAGS) -c <application>.c ...
    <application>: $(OBJS)
            ld -o $@ $(OBJS) $(LIBCRYPTO) ...

becomes
[44] The use of env is actually redundant in a Makefile context, but is specified here to give a command line also valid for non-Bourne shells.


    <application>: <application>.c
            env FIPSLD_CC=$(CC) fipsld $(CFLAGS) -o $@ $@.c \
                    $(LIBCRYPTO) ...

Larger software projects are likely to prefer to modify only the Makefile rule(s) linking the application itself, leaving other Makefile rules intact. For these more complicated Makefiles the individual rules can be modified to substitute fipsld for just the relevant compilation and linking steps.

The fipsld command is designed to locate fipscanister.o automatically. It will verify that the HMAC-SHA-1 digest in file fipscanister.o.sha1 matches the digest generated from fipscanister.o, and will then create the file <application> containing the object code from fipscanister.o, and embedded within that the digest calculated from the object code and data in fipscanister.o.

At runtime the FIPS_mode_set() function compares the embedded HMAC-SHA-1 digest with a digest generated from the text and data areas. This digest is the final link in the chain of validation from the original source to the application executable object file.

5.3.2 Linking under Windows


For a shared library application just linking with the DLL is sufficient. Linking an application with the static libraries involves a bit more work, and can be complicated by the fact that GUI based tools are often used for such linking. For the Windows® environment a perl script fipslink.pl is provided which performs a function similar to fipsld for Unix®/Linux®. Several environment variables need to be set:

    FIPS_LINK is the linker name, normally “link”
    FIPS_CC is the C compiler name, normally “cl”
    FIPS_CC_ARGS is a string of C compiler arguments for compiling fips_premain.c
    PREMAIN_DSO_EXE should be set to the path to fips_premain_dso.exe if a DLL is being linked (can be omitted otherwise)
    PREMAIN_SHA1_EXE is the full path to fips_standalone_sha1.exe
    FIPS_TARGET is the path of the target executable or DLL file
    FIPSLIB_D is the path to the directory containing the installed FIPS module


When these variables are specified fipslink.pl can be called in the same way as the standard linker. It will automatically check the hashes, link the target, generate the target in-core hash, and link a second time to embed the hash in the target file. The static library Makefile ms\nt.mak in the OpenSSL distribution gives an example of the usage of fipslink.pl.

5.4 Application Implementation Recommendations

This section describes additional steps not strictly required for FIPS 140-2 validation but recommended as good practice.

Provide an Indication of FIPS Mode

Security and risk assessment auditors will want to verify that an application utilizing cryptography is using FIPS 140-2 validated software in a FIPS compliant mode. Many such applications will superficially appear to function the same whether built with a non-FIPS OpenSSL, when built with the FIPS Object Module and running in non-FIPS mode, and when built with the FIPS Object Module and running in FIPS mode. As an aid to such reviews the application designer should provide a readily visible indication that the application has initialized the FIPS Object Module to FIPS mode, after a successful return from the FIPS_mode_set() API call. The indication can take the form of a tty or stdout message, a syslog entry, or an addition to a protocol greeting banner. For example a SSH server could print a protocol banner of the form:

    SSH-2.0-OpenSSH_3.7.1p2 FIPS

to provide an easily referenced indication that the server was properly initialized to FIPS mode.

Graceful Avoidance of Non-FIPS Algorithms

Many applications allow end user and/or system administrator configurable specification of cryptographic algorithms. The OpenSSL API used with the FIPS Object Module in FIPS mode is designed to return error conditions when an attempt is made to use a non-FIPS algorithm via the OpenSSL API. These errors may result in unexpected failure of the application, including fatal assert errors for algorithm function calls lacking a testable return code. However, there is no guarantee that the OpenSSL API will always return an error condition in every possible permutation or sequence of API calls that might invoke code relating to non-FIPS algorithms. In any case, it is the responsibility of the application programmer to avoid the use of non-FIPS algorithms.
Unexpected run-time errors can be avoided if the cipher suites or other algorithm selection options are defaulted to FIPS approved algorithms, and if warning or error messages are generated for any end user selection of non-FIPS algorithms.

5.5 Documentation and Record-keeping Recommendations

The supplier or developer of a product based on the FIPS Object Module cannot claim that the product itself is FIPS 140-2 validated under certificate #1747. Instead a statement similar to the following is recommended:

    Product XXXX uses an embedded FIPS 140-2-validated cryptographic module (Certificate #1747) running on a YYYY platform per FIPS 140-2 Implementation Guidance section G.5 guidelines.

where XXXX is the product name (“Cryptomagical Enfabulator v3.1”) and YYYY is the host operating system (“Solaris 10”). This statement asserts "user affirmation" of the validation per Section G.5 of the Implementation Guidance document.

While not strictly required by the Security Policy or FIPS 140-2, a written record documenting compliance with the Security Policy would be a prudent precaution for any party generating and using or distributing an application that will be subject to FIPS 140-2 compliance requirements. This record should document the following:

For the FIPS Object Module generation:

1. Where the openssl-fips-2.0.tar.gz distribution file was obtained from, and how the HMAC SHA-1 digest of that file was verified per Appendix B of the Security Policy.

2. The host platform on which the fipscanister.o, fipscanister.o.sha1, fips_premain.c, and fips_premain.c.sha1 files were generated. This platform identification at a minimum should note the processor architecture (“x86”, “PA-RISC”, ...), the operating system (“Solaris 10”, “Windows XP”, ...), and the compiler (“gcc 3.4.3”, ...).

3. An assertion that the fipscanister.o module was generated with the three commands

    ./config [no-asm]
    make
    make install

and specifically that no other build-time options were specified.

4. A record of the HMAC SHA-1 digest of the fipscanister.o (the contents of the fipscanister.o.sha1 file). That digest identifies this specific FIPS Object Module; if you immediately build another module it will have a different digest and is a different FIPS Object Module.

5. An assertion that the contents of the distribution file were not manually modified in any way at any time during the build process.

For the application in which the FIPS Object Module is embedded:

1. A record of the HMAC SHA-1 digest of the fipscanister.o that was embedded in the application.

2. An assertion that the application does not utilize any cryptographic implementations other than those provided by the FIPS Object Module or contained in the FIPS capable OpenSSL 1.0.1 libraries (where non-FIPS algorithms are disabled in FIPS mode).

3. A description of how the application clearly indicates when FIPS mode is enabled (assuming that FIPS mode is a runtime selectable option). Note that the application must call FIPS_mode_set(), whether that call is triggered by runtime options or not.
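A script that writes the module generation record listed above, as an added example that is not part of the User Guide; it assumes the tarball path, the FIPSDIR/lib directory, the compiler name and the optional no-asm flag are passed as arguments, and that the HMAC key used for the tarball is the fixed key from Appendix B of the Security Policy (not stated in this section).

```shell
#!/bin/sh
# Added example, not part of the OpenSSL FIPS User Guide: writes the build
# record recommended in section 5.5 for one FIPS Object Module generation.
# Assumptions: "etaonrishdlcupfm" is the fixed HMAC key from Appendix B of
# the Security Policy (not stated in this section); the record is emitted
# as "key: value" lines for the configuration control system.

# Prints the record to stdout.
#   $1: path of the openssl-fips-2.0.tar.gz file that was built
#   $2: directory where make install placed fipscanister.o (FIPSDIR/lib)
#   $3: compiler selected by ./config on this host (default gcc)
#   $4: "no-asm" if that option was required on this platform, else empty
# Returns 1 without writing a record if fipscanister.o.sha1 cannot be read,
# because a record lacking the module digest identifies no module at all.
fips_build_record() {
    tarball="$1"
    libdir="$2"
    cc="${3:-gcc}"
    noasm="$4"
    digest_file="$libdir/fipscanister.o.sha1"
    if [ ! -r "$digest_file" ]; then
        echo "fips_build_record: cannot read $digest_file" >&2
        return 1
    fi
    echo "record-date: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    # item 1: where the distribution came from and how its digest was checked
    echo "tarball: $tarball"
    if [ -r "$tarball" ] && command -v openssl >/dev/null 2>&1; then
        echo "tarball-hmac-sha1: $(openssl sha1 -hmac etaonrishdlcupfm < "$tarball")"
    else
        echo "tarball-hmac-sha1: not computed here; verify per Security Policy Appendix B"
    fi
    # item 2: host platform (processor architecture, operating system, compiler)
    echo "arch: $(uname -m)"
    echo "os: $(uname -sr)"
    ccver=$("$cc" --version 2>/dev/null | head -n 1)
    echo "compiler: ${ccver:-$cc (version not determined)}"
    # item 3: exactly the three permitted commands and no other options
    echo "build-commands: ./config${noasm:+ $noasm}; make; make install"
    echo "other-build-options: none"
    # item 4: the HMAC-SHA-1 digest that identifies this specific module
    echo "module-digest: $(cat "$digest_file")"
    # item 5: the distribution contents were never edited during the build
    echo "distribution-modified: no"
}

# Usage: sh this_script.sh openssl-fips-2.0.tar.gz /usr/local/ssl/fips-2.0/lib gcc
if [ $# -ge 2 ]; then
    fips_build_record "$1" "$2" "$3" "$4"
fi
```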

5.6 When is a Separate FIPS 140-2 Validation Required?

When a decision is made on whether a particular IT solution is FIPS 140-2 compliant, multiple factors need to be taken into account, including the FIPS Pub 140-2 standard, FIPS 140-2 Derived Test Requirements, CMVP FAQ and Implementation Guidance. The ultimate authority in this process belongs to the CMVP. The CMVP provides its current interpretations and guidelines as to the interpretation of the FIPS 140-2 standard and the conformance testing/validation process on its public web site http://csrc.nist.gov/cryptval/.

In particular, the only official document known to us which discusses use of embedded cryptographic modules is the CMVP FAQ available at http://csrc.nist.gov/cryptval/140-1/CMVPFAQ.pdf. This FAQ (Frequently Asked Questions document) discusses incorporation of another vendor's cryptographic modules in a subsection of Section 2.2.1 entitled “Can I incorporate another vendor's validated cryptographic module”. In particular, the following is specified:

    “Yes. A cryptographic module that has already been issued a FIPS 140-1 or FIPS 140-2 validation certificate may be incorporated or embedded into another product. The new product may reference the FIPS 140-1 or FIPS 140-2 validated cryptographic module so long as the new product does not alter the original validated cryptographic module. A product which uses an embedded validated cryptographic module cannot claim itself to be validated; only that it utilizes an embedded validated cryptographic module. There is no assurance that a product is correctly utilizing an embedded validated cryptographic module - this is outside the scope of the FIPS 140-1 or FIPS 140-2 validation.”


Note that the CMVP FAQ does specify that a FIPS 140-1/2 validated module may be incorporated into another product. It then specifies that making a decision on whether a product is correctly utilizing an embedded module is outside of the scope of the FIPS 140-1 or FIPS 140-2 validation.

A subsection of Section 2.1 of the CMVP FAQ entitled “A vendor is selling me a crypto solution what should I ask?” states:

    “Verify with the vendor that the application or product that is being offered is either a validated cryptographic module itself (e.g. VPN, SmartCard, etc) or the application or product uses an embedded validated cryptographic module (toolkit, etc). Ask the vendor to supply a signed letter stating their application, product or module is a validated module or incorporates a validated module, the module provides all the cryptographic services in the solution, and reference the modules validation certificate number.”

It is specified that the module provides "all the cryptographic services in the solution". It is not specified that the module provides "all the security-relevant services in the solution". A typical product may provide a variety of services, both cryptographic and non-cryptographic. A network protocol such as SSH or TLS provides both cryptographic services such as encryption and network services such as transmission of data packets, packet fragmentation, etc. The FIPS 140-2 standard is focused on the cryptography. There are many generic security relevant functionalities such as anti-virus protection, firewalling, IPS/IDS and others which are not currently covered by the FIPS 140-2 standard. An anti-virus solution which uses a cryptographic module for its operations can satisfy requirements of the FIPS 140-2 by delegating its cryptographic functions to an embedded FIPS 140-2 validated module.
Including the entire anti-virus solution in the FIPS 140-2 validation would hardly improve the overall security since FIPS 140-2 does not currently have requirements in the field of anti-virus protection. In a similar fashion, the FIPS 140-2 standard does not currently have requirements related to network vulnerabilities or denial of service attacks. Validated modules typically provide algorithm implementations only, no network functionality such as IPSec, SSH, TLS etc. This does not, for example, prevent Microsoft Windows from providing IPSec/IKE and TLS/SSL functionality. Therefore, for example, an OpenSSH based product properly using the OpenSSL FIPS Object Module would not differ from Microsoft using its Microsoft Kernel Mode Crypto Provider in the Microsoft IPSec/IKE client which is shipped with every copy of Windows. If an application product delegates all cryptographic services to a validated module the entire product will be FIPS compliant.

Since the CMVP does not have a formal program for validation of IT solutions with embedded FIPS 140-2 modules, the question is one of how the actual compliance/non-compliance is determined. In practice the compliance is determined by the federal agency/buyer selecting the solution. During the process the customer may contact the CMVP, testing labs or security experts for an opinion. In many cases, though, the buyers make such decisions independently. Here it should be noted that FIPS 140-2 is only a baseline and each federal agency may establish its own requirements exceeding the requirements of FIPS 140-2. In the particular example of network protocols federal agencies generally do accept networking products (IPSec/TLS/SSH etc.) with embedded FIPS 140-2 validated cryptographic software modules or hardware cards as FIPS 140-2 compliant.

For those vendors desiring a “sanity check” of the compliance status of their OpenSSL FIPS Object Module based product, the OpenSSL Software Foundation (OSF) can perform a review and provide an opinion letter stating whether, based on information provided by the vendor, that product appears to OSF to satisfy the requirements of the OpenSSL FIPS Object Module Security Policy. This opinion letter can include a review by one or more CMVP test labs and/or an OpenSSL team member as appropriate. This opinion letter clearly states that only the CMVP can provide an authoritative ruling on FIPS 140-2 compliance.

5.7 Common Issues and Misconceptions

In the years since the first versions of the OpenSSL FIPS Object Module were validated we've seen new users of the FIPS module struggle with some of the same issues over and over again. Here we attempt to offer some possibly useful advice:

5.7.1 Don't Fight It


Rightly or wrongly, the Security Policy very clearly mandates specific fixed build commands. Normal and natural practice in other contexts is to use build-time configuration options to control aspects of the build process, but that is not an option here. Instead think about the end result you want to accomplish and whether that can be done by any other means. For instance, the default install location can't be specified by the usual --prefix= build-time configuration option. But, once created via the canonical commands you can copy the fipscanister.o and associated files somewhere else. So, one option is to create a new build system, build the FIPS module with whatever permissions are necessary to write to the default --prefix location, copy from there to the desired destination, and then discard the build system. Yes, that's a silly waste of time from a technical software developer objective, but you wouldn't be using the FIPS module in the first place on purely technical considerations.

5.7.2 Don't Overthink It


We have seen quite a few software vendors make the mistake of trying to force the FIPS module build process into an in-house configuration management scheme. Our recommendation: don't do that. There is no point in trying to manage the individual source files of the FIPS module source tarball because the canonical build process mandates that you start with the original tarball, openssl-fips-2.0.tar.gz, which has a fixed digest and cannot be modified. Likewise there is no point in constantly rebuilding the FIPS module from source. While legal, as long as the Security Policy build process is followed, there is no benefit to be gained from the generation of multiple binary modules. The source code can never change (the usual reason for a structured build-from-source process), and per the recommendations in 5.5 each distinct binary FIPS module should be separately tracked.


In lieu of trying to jam the mandated FIPS module build process into an existing elaborate in-house configuration management process, we recommend that the binary FIPS module be generated by hand one time only (per distinct platform) in a solemn documented ceremony, and that the resulting binary files be managed through the formal source/version/configuration control process.

6. Technical Notes

This section has technical details of primary interest to the FIPS module developers and more advanced users. The typical application developer will not need to reference this material.

6.1 DRBGs

With very rare exceptions the internal functioning of the DRBGs is irrelevant to the end user and application software. In FIPS mode DRBGs are transparently used by the OpenSSL RAND API and applications will automatically use them.

Random numbers are critical for the proper operation of cryptographic software and hardware. The DRBG or Deterministic Random Bit Generator is intended as a higher quality replacement for the earlier PRNGs or Pseudo-Random Number Generators and is defined by SP 800-90A.

6.1.1 Overview
The way entropy is gathered and used for the DRBG is part of the FIPS capable OpenSSL so it can be modified outside the context of the FIPS 140-2 validation. The current version is in crypto/rand/rand_lib.c.

There is a "default DRBG" whose context is accessed using FIPS_get_default_drbg(). This default DRBG is mapped to the RAND_*() calls. By default, the FIPS Object Module will use the AES/CTR generator from SP800-90A, Section 10.2, DRBG Mechanisms Based on Block Ciphers. The default generator can be overridden by the calling application at runtime via the function RAND_set_fips_drbg_type(). The default is equivalent to CTR_DRBG using AES with a 256 bit key and a derivation function.

The actual default DRBG type can also be specified via a preprocessor macro when the "FIPS capable" OpenSSL is built:
    #ifndef OPENSSL_DRBG_DEFAULT_TYPE
    #define OPENSSL_DRBG_DEFAULT_TYPE NID_aes_256_ctr
    #endif
    #ifndef OPENSSL_DRBG_DEFAULT_FLAGS
    #define OPENSSL_DRBG_DEFAULT_FLAGS DRBG_FLAG_CTR_USE_DF
    #endif


This might be useful in environments where some DRBG type is mandated by local policy. For example, to use the HMAC DRBG with sha256 by default:
    ./config -DOPENSSL_DRBG_DEFAULT_TYPE=NID_hmacWithSHA256 \
        -DOPENSSL_DRBG_DEFAULT_FLAGS=0 <other options>

The RAND_add() function just seeds the OpenSSL non-standard PRNG and does not feed into the DRBG directly. However that function would be used if the DRBG was reseeded. The reason it does this is that the DRBG design does not permit the addition of "out of band" entropy; the addition of entropy needs to be combined with a generate operation (additional input) or a full reseed/reinstantiate (which would require the minimum entropy).

Environments with a better source of entropy (e.g. fast hardware RNG) could do far better. The entropy callbacks are completely under application control so the calling application can override the ones provided by default. They can be set by supplying a callback function to FIPS_drbg_set_callbacks() after calling OPENSSL_init(). This callback function is invoked whenever the DRBG requires additional entropy:

    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
                          int entropy, size_t min_len, size_t max_len)

A call to this function requests entropy bits of entropy in a buffer of between min_len and max_len size bytes inclusive. The values of these are mechanism specific and taken from SP800-90 tables. This callback should then return the amount of data in the buffer *pout and the length in the return value, or zero in case of being unable to retrieve sufficient entropy. Once this call completes successfully the DRBG is instantiated at the appropriate (maximum) security strength again taking values from SP800-90 and SP800-57.

We request random data from the caller of sufficient entropy for the security level of the DRBG. When asymmetric algorithms are used (key generation, parameter generation and indeed signing for DSA/ECDSA) we check that the RNG has sufficient security strength (as dictated by the relevant standards) to perform the operation. Insufficient security strength is an error and the operation cannot be performed.

There is a mechanism, "entropy draining", which causes the DRBG to automatically reseed after a certain number of uses.
See SP800-90 for details of how this operates. The function FIPS_drbg_set_reseed_interval() can be used to modify the number of calls before auto reseeding. The function FIPS_rand_strength() returns the security strength of the default RNG (the one used for key generation et al.).


Individual operations (for example key generation) then check the security strength of the RNG and return a fatal error if there is insufficient security strength to complete the operation. The values used are from SP800-57. This check is performed by the following functions:

fips_check_dsa_prng()
fips_check_rsa_prng()
fips_check_ec_prng()

Currently there is no equivalent for DH. One could be added if required but it isn't clear how the strengths should be compared when PKCS#3 DH is used. There is no version for ECDH either but the only operation performed by that code (shared secret computation) does not make use of the RNG. By default the health checks are automatically performed every 2^24 generate operations; this count can be modified (up or down) by the calling application via the FIPS_drbg_set_check_interval() function. If a DRBG health check fails then the DRBG is placed in an error state that can be cleared by uninstantiating and reinstantiating the DRBG. For the CTR DRBG a flag allows the optional use of a derivation function. Note the DRBG is always instantiated at maximum security.

6.1.2 The DRBG API


All DRBG operations are performed through an opaque DRBG_CTX structure which corresponds to an SP800-90 "instance". The function

DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);

allocates and initializes a new DRBG_CTX structure for a DRBG. The "type" and "flags" parameters determine the mechanism and primitives used and the security strength. Only the maximum security strength is supported for each type: i.e. it is not possible to instantiate the DRBG at lower than the maximum strength. In addition to type specific values the "flags" field can be set to DRBG_FLAG_TEST to enable "test mode". This mode disables periodic health checks and the continuous PRNG test. It is used for internal purposes and to support algorithm validation testing. This flag MUST NOT be set for a live instance.


Before a valid DRBG_CTX is returned to the application an extensive health check is performed on a DRBG using the same mechanism and primitives. If the check fails an error is returned. If the type parameter is set to 0 an uninitialized DRBG structure is returned. This structure may be initialized by calling FIPS_drbg_init(). This function returns a valid DRBG_CTX structure if it succeeds or NULL if it fails (for example an invalid type parameter).

DRBG Characteristics

All four DRBGs defined by SP800-90 are implemented. The mechanisms, parameters and strengths are summarized below:

Hash DRBG: The type parameters NID_sha1, NID_sha224, NID_sha256, NID_sha384 and NID_sha512 select the Hash DRBG and the corresponding hash primitive. The SHA1 Hash DRBG has a security strength of 128 bits, the SHA224 DRBG has a security strength of 192 bits and all others 256 bits.

HMAC DRBG: The type parameters NID_hmacWithSHA1, NID_hmacWithSHA224, NID_hmacWithSHA256, NID_hmacWithSHA384 and NID_hmacWithSHA512 select the HMAC DRBG mechanism and associated hash primitive. Security strengths are the same as for the Hash DRBG.

CTR DRBG: The type parameters NID_aes_128_ctr, NID_aes_192_ctr and NID_aes_256_ctr select the CTR DRBG type using AES and the appropriate key length. DES is not supported. The security strength matches the number of bits in the key. For this DRBG type the flag DRBG_FLAG_CTR_USE_DF is supported which enables the use of a derivation function. If this flag is not set a derivation function is not used.

Dual EC DRBG: The type parameter is of the form (curve << 16) | hash. The curve value NID_X9_62_prime256v1 corresponds to the curve P-256, NID_secp384r1 to P-384, and NID_secp521r1 to P-521. The hash value should be set to the same hash values as for the Hash DRBG. Thus (NID_secp384r1 << 16) | NID_sha224 corresponds to P-384 with hash SHA-224. As indicated in SP800-90 SHA1 can only be used with P-256 and SHA-224 cannot be used with P-521. P-256 has a security strength of 128 bits, P-384 192 bits and P-521 256 bits.


Note: Due to widely reported serious vulnerabilities Dual EC DRBG will be actively blocked by default in the "FIPS capable" OpenSSL. Since this DRBG is known to be compromised it should not be used for any non-experimental purpose.

General Functions

FIPS_drbg_init

The function

int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);

initializes a pre-existing DRBG_CTX. This is an efficiency measure to avoid the need to reallocate a new DRBG_CTX. This function returns 1 for success and zero or a negative value for failure. The return value -2 is used to indicate an invalid or unsupported type value. The type value cannot be 0. This function is otherwise identical to FIPS_drbg_new().

FIPS_drbg_free

The function

void FIPS_drbg_free(DRBG_CTX *dctx);

frees up a DRBG_CTX. After this call the DRBG_CTX pointer is no longer valid. The underlying DRBG is first uninstantiated.

FIPS_drbg_set_callbacks

The function

int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
    size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len),
    void (*cleanup_entropy)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
    size_t entropy_blocklen,
    size_t (*get_nonce)(DRBG_CTX *ctx, unsigned char **pout, int entropy, size_t min_len, size_t max_len),
    void (*cleanup_nonce)(DRBG_CTX *ctx, unsigned char *out, size_t olen));

sets entropy and nonce callbacks for a DRBG_CTX. The DRBG_CTX must be in an uninstantiated state to set the callbacks: i.e. the callbacks cannot be set on an instantiated DRBG. This function is typically called immediately following FIPS_drbg_new(). This function returns 1 for success and 0 if an error occurred: the only way an error can occur is if an attempt is made to set the callbacks of an instantiated DRBG. Whenever the DRBG requires entropy or a nonce the corresponding callbacks will be called. The callbacks get_entropy and get_nonce request "entropy" bits of entropy in a buffer of between min_len and max_len bytes. The function should set *pout to the buffer containing the entropy and return the length in bytes of the buffer. If the source of entropy or nonce is unable to satisfy the request it MUST return zero. This will place the DRBG in an error condition due to the source failure.

The callbacks cleanup_entropy and cleanup_nonce are called after the entropy or nonce buffers have been used and can be utilized to zeroize the buffers. The "out" and "olen" parameters contain the same values returned by the get function. The "entropy_blocklen" is used to specify the block length of the underlying entropy source. This is used for the continuous RNG test on the entropy source.

FIPS_drbg_instantiate

The function

int FIPS_drbg_instantiate(DRBG_CTX *dctx, const unsigned char *pers, size_t perslen);

instantiates a DRBG with the supplied personalization string pers. This function returns 1 for success and 0 for failure.

If the personalization string is of an invalid length for the DRBG mechanism a non-fatal error is returned. Internally this function instantiates the DRBG. This will request entropy and a nonce using the supplied get_entropy and get_nonce callbacks.

There are no security strength and prediction resistance arguments to this function. The DRBG is always instantiated at the maximum strength for its type and prediction resistance requests are always supported.


This function returns 1 for success and 0 for failure.

FIPS_drbg_reseed

The function

int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin, size_t adinlen);

reseeds the DRBG using optional additional input "adin" of length "adinlen". If the additional input is of an invalid length for the DRBG mechanism a non-fatal error is returned. The get_entropy callback of the DRBG is called internally to request entropy. An extensive health check is performed on a DRBG of the same type before reseeding the DRBG. If this fails the DRBG is placed in an error condition and the caller must un-instantiate and re-instantiate the DRBG before attempting further calls. This function returns 1 for success and 0 for failure.

FIPS_drbg_generate

The function

int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, int prediction_resistance, const unsigned char *adin, size_t adinlen);

attempts to generate "outlen" bytes of random data from the DRBG, using optional additional input "adin" of length "adinlen". If the "prediction_resistance" parameter is non-zero a prediction resistance request will be made and internal reseeding of the DRBG and requesting entropy as required by SP800-90 is performed. If an attempt is made to request too much data for a single request or to supply additional input of an invalid length a non-fatal error is returned. If an internal request for entropy fails a fatal error occurs and the DRBG is placed in an error state. The caller must un-instantiate and re-instantiate the DRBG before attempting further calls. This function returns 1 for success and 0 for failure.

FIPS_drbg_uninstantiate


The function

int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);

uninstantiates a DRBG. This zeroizes any CSPs and returns the DRBG to an uninitialized state.

FIPS_drbg_set_app_data, FIPS_drbg_get_app_data

The two functions

void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);

set and retrieve an application defined pointer value. The meaning of this pointer is application defined and might for example contain a pointer to a handle representing the entropy source; the get_entropy function could retrieve and make use of that pointer.

FIPS_drbg_get_blocklength

The function

size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);

returns the block length of the DRBG.

FIPS_drbg_get_strength

The function

int FIPS_drbg_get_strength(DRBG_CTX *dctx);

returns the security strength of the DRBG in bits.

FIPS_drbg_set_reseed_interval

The function

void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);


modifies the reseed interval value. The default is 2^24 blocks for the Dual EC DRBG and 2^24 generate operations for all other types. These values are lower than the maximums specified in SP800-90.

RAND interface

Cryptographic operations make use of the OpenSSL RAND PRNG API to request random data. A brief description of this is given below:

int RAND_bytes(unsigned char *buf, int num);

Generate num random bytes and write to buf.

int RAND_pseudo_bytes(unsigned char *buf, int num);

Generate num random bytes and write to buf. The random data does not have to be cryptographically strong.

void RAND_seed(const void *buf, int num);

This function is used at various points to add data which may be useful for adding entropy to the PRNG. The buffer buf contains num bytes which can be used.

void RAND_add(const void *buf, int num, double entropy);

This is similar to RAND_seed() except that the data supplied has entropy "entropy".

Default DRBG

A special DRBG instance called the "default DRBG" is used to map the DRBG to the RAND interface. The function

int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
    size_t (*get_adin)(DRBG_CTX *ctx, unsigned char **pout),
    void (*cleanup_adin)(DRBG_CTX *ctx, unsigned char *out, size_t olen),
    int (*rand_seed_cb)(DRBG_CTX *ctx, const void *buf, int num),
    int (*rand_add_cb)(DRBG_CTX *ctx, const void *buf, int num, double entropy));

defines various callbacks which control how RAND calls are mapped to DRBG calls. The get_adin callback is used to retrieve optional additional data used whenever a request for random data is made using RAND_bytes() or RAND_pseudo_bytes(). When this operation is complete cleanup_adin is called to release the buffer. Note that RAND_bytes() and RAND_pseudo_bytes() are equivalent operations for the RAND mapping to the DRBG; they both call FIPS_drbg_generate(). The FIPS_drbg_generate() function can be called multiple times to satisfy a single request if the num value exceeds the amount of data that can be handled in a single DRBG request. The callbacks rand_seed_cb and rand_add_cb are called directly whenever RAND_seed() or RAND_add() are called. These are entirely application defined and could be used for example to add seed information to the entropy source. The function

DRBG_CTX *FIPS_get_default_drbg(void);

retrieves the default DRBG context. This can then be manipulated using the standard DRBG functions such as FIPS_drbg_init(). The function

int FIPS_rand_strength(void);

returns the security strength in bits of the default PRNG.

DRBG Health Checks

The function

int FIPS_drbg_health_check(DRBG_CTX *dctx);

initiates a health check on the DRBG. In addition health checks are also performed when a DRBG is first initiated (using FIPS_drbg_new() or FIPS_drbg_set()), when a DRBG is reseeded explicitly using FIPS_drbg_reseed() and every health_check_interval calls to the generate function. This interval is by default 2^24 but can be modified by:

void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);


If any health check fails the DRBG is placed in an error state and no further operations can be performed on the DRBG instance until it has been reinitialized (uninstantiated and initialized).

Extended KAT of all DRBG Functions

The function fips_drbg_single_kat() performs an extended Known Answer Test (KAT) of all functions:

1. Instantiate DRBG with known data (entropy, nonce, personalization string).
2. Perform generate operation without prediction resistance and check output matches expected value.
3. Reseed with known data (entropy, additional input).
4. Perform second generate operation without prediction resistance and check output matches expected value.
5. Uninstantiate DRBG.
6. Instantiate DRBG in test mode with known data (entropy, nonce, personalization string).
7. Perform generate operation with prediction resistance and check output matches expected value; set known entropy and additional input during this step.
8. Perform second generate operation with prediction resistance and check output matches expected value.
9. Uninstantiate DRBG.

It is asserted that checking the output of the generate function in steps 2, 4, 7 and 8 ensures the previous operations completed successfully: i.e. set the DRBG internal state to the expected values.

Extended Error DRBG Checking

Extended error checking is performed by function fips_drbg_error_check(): invalid parameters are fed into all DRBG functions in sequence as follows. Note that some tests (e.g. entropy source failure) leave the test DRBG in an error state and it has to be uninstantiated and instantiated again to clear the error condition.

1. Instantiate with invalid personalization string length.
2. Instantiate DRBG with entropy source failure (returning zero entropy).
3. Attempt to generate DRBG output from the DRBG from step 2.
4. Instantiate DRBG with too short an entropy string.
5. Instantiate DRBG with too long an entropy string.
6. Instantiate DRBG with too small a nonce (if nonce used in mechanism).
7. Instantiate DRBG with too large a nonce (if nonce used in mechanism).
8. Instantiate DRBG with good data and generate output, check calls succeed.
9. Attempt to generate too much output for a single request.
10. Attempt to generate with too large additional input.


11. Attempt to generate with prediction resistance and entropy source failure.
12. Set reseed counter to reseed interval, generate output and check reseed has been performed.
13. Test explicit reseed operation with too large additional input.
14. Test explicit reseed with entropy failure.
15. Test explicit reseed with too large entropy string.
16. Test explicit reseed with too small entropy string.
17. Uninstantiate DRBG: check internal state is zeroed.

Health Checking Performance

The health checks are performed:

1. When a DRBG is first initialized (i.e. before instantiation) a health check is performed on a test instantiation using the same mechanism and parameters.
2. When a reseed operation is performed (other than for a prediction resistance request) a health check is performed on a test instantiation. This effectively performs a superset of the requirements for testing the reseed function, i.e. it tests all functions including the reseed function.
3. An internal counter determines the number of generate operations since the last health check. When this reaches a preset limit a health check is performed. This limit is set by default to 2^24 operations but it can be set to an alternative value by an application.
4. When an application explicitly requests a health check with the call FIPS_drbg_health_check().

Abbreviated POST

During a Power On Self Test (POST) an abbreviated KAT only is performed for one instance of each supported DRBG mechanism. This simply performs an instantiate and generate operation and checks that the output matches an expected value.
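The DRBG lifecycle of 6.1.1 and 6.1.2 (instantiate, generate, reseed, uninstantiate, the entropy callback, the reseed interval and the error state) as an added example in Python, not code from the OpenSSL FIPS Object Module: a compact SP800-90 HMAC_DRBG with SHA-256. The class and method names, and the deterministic CountingSource standing in for an application's get_entropy/get_nonce callbacks, are this example's own.

```python
"""Added example, not code from the OpenSSL FIPS Object Module: a compact SP800-90
HMAC_DRBG (SHA-256) mirroring the FIPS_drbg_* sequence of 6.1.1/6.1.2 (instantiate,
generate, reseed, uninstantiate), the application-supplied entropy callback, the
reseed interval and the error state entered when the entropy source fails."""
import hashlib
import hmac

MIN_ENTROPY_LEN = 32               # 256-bit strength needs at least 32 bytes of entropy
MAX_REQUEST = 1 << 16              # SP800-90 caps a generate request at 2^19 bits
DEFAULT_RESEED_INTERVAL = 1 << 24  # module default quoted in the guide


class DrbgError(Exception):
    """Non-fatal error: oversize personalization string, additional input or request."""


class HmacDrbg:
    def __init__(self, get_entropy, get_nonce, reseed_interval=DEFAULT_RESEED_INTERVAL):
        # the two callables play the role of get_entropy/get_nonce in FIPS_drbg_set_callbacks()
        self.get_entropy, self.get_nonce = get_entropy, get_nonce
        self.reseed_interval = reseed_interval
        self.uninstantiate()

    def uninstantiate(self):
        """Zeroize K and V and return to the uninstantiated, non-error state."""
        self.K = self.V = None
        self.reseed_counter, self.instantiated, self.error = 0, False, False

    def _mac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided):  # HMAC_DRBG_Update from SP800-90
        self.K = self._mac(self.K, self.V + b"\x00" + provided)
        self.V = self._mac(self.K, self.V)
        if provided:
            self.K = self._mac(self.K, self.V + b"\x01" + provided)
            self.V = self._mac(self.K, self.V)

    def _entropy(self):
        # a source that cannot satisfy the request returns zero bytes: DRBG enters error state
        ent = self.get_entropy(MIN_ENTROPY_LEN)
        if len(ent) < MIN_ENTROPY_LEN:
            self.error = True
            return None
        return ent

    def instantiate(self, pers=b""):
        """FIPS_drbg_instantiate(): 1 on success, 0 on failure."""
        if len(pers) > MAX_REQUEST:
            raise DrbgError("personalization string too long")
        ent = self._entropy()
        if ent is None:
            return 0
        self.K, self.V = b"\x00" * 32, b"\x01" * 32
        self._update(ent + self.get_nonce(MIN_ENTROPY_LEN // 2) + pers)
        self.reseed_counter, self.instantiated = 1, True
        return 1

    def reseed(self, adin=b""):
        """FIPS_drbg_reseed(): fresh entropy plus optional additional input."""
        if self.error or not self.instantiated:
            return 0
        if len(adin) > MAX_REQUEST:
            raise DrbgError("additional input too long")
        ent = self._entropy()
        if ent is None:
            return 0
        self._update(ent + adin)
        self.reseed_counter = 1
        return 1

    def generate(self, outlen, prediction_resistance=False, adin=b""):
        """FIPS_drbg_generate(): outlen bytes, or None on a fatal condition."""
        if self.error or not self.instantiated:
            return None
        if outlen > MAX_REQUEST or len(adin) > MAX_REQUEST:
            raise DrbgError("request or additional input too large")
        if prediction_resistance or self.reseed_counter > self.reseed_interval:
            if not self.reseed(adin):
                return None          # entropy failure during reseed is fatal
            adin = b""               # consumed by the reseed, per SP800-90
        if adin:
            self._update(adin)
        out = b""
        while len(out) < outlen:
            self.V = self._mac(self.K, self.V)
            out += self.V
        self._update(adin)
        self.reseed_counter += 1
        return out[:outlen]


class CountingSource:
    """Constructed deterministic entropy source; counts calls so reseeds are visible."""
    def __init__(self, seed, fail=False):
        self.seed, self.fail, self.calls = seed, fail, 0

    def __call__(self, n):
        self.calls += 1
        if self.fail:
            return b""   # simulate source failure
        return hashlib.sha256(self.seed + self.calls.to_bytes(4, "big")).digest()[:n]
```

With reseed_interval=2, the third generate call triggers an automatic reseed (one extra call into the source), and a source that returns zero bytes leaves generate() returning None until uninstantiate() clears the error.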

6.2 Role Based Module Authentication

Summary

A role based authentication mechanism is implemented for the purpose of satisfying a U.S. Army procurement policy. The implementation is transparent to end users if the relevant default build options are left undisturbed, as should generally be the case.

IMPORTANT NOTE: After the role based authentication mechanism described in this section was implemented, we learned that the original Army policy that motivated this implementation is no longer in effect, as confirmed in correspondence dated 2011-10-22 with CIO/G6 that yielded this statement:
As a result of the Army's transition to the DoD Unified Capabilities Approved Products List (UC APL), both the Army's IA Approved Products List process and the May 21, 2009 "Letter to Industry" were rescinded. (CIO/G-6 memorandum dated May 2011). The above referenced document in its entirety, including paragraph 5a, no longer applies. For more details please send inquiries to: ArmyIATools@conus.army.mil, 703-545-1677 or 703-545-1672.

Background

The FIPS module is a software library so the concept of authentication to the module doesn't make any sense. For a Level 1 validation the CMVP does not require any module authentication, and there is no circumstance that we can envision for which such authentication would have any practical value for vendors or users. A little thought shows that authentication of a general purpose cryptographic library itself must necessarily be a pointless nuisance; consider for instance the vendor of a Linux distribution (Ubuntu, Red Hat, etc.) that elected to utilize authentication with the OpenSSL libraries. Such an OS distribution will typically default to dozens of individual applications utilizing those libraries, with dozens to hundreds more available as optional packages. Each and every one of those applications would have to contain the correct authentication credentials at all times. Application vendors would either have to be informed of those credentials, widely and publicly, or would be forced to ship their product with unauthenticated OpenSSL libraries (or libraries authenticated with different known credentials) to avoid the failures that would be caused by mismatched credentials. The result would be a mess that would provide more opportunities than obstacles to Evil Hackers.

However, in 2009 the U.S. Army specified a set of acquisition requirements, in the form of a memo with a subject line of "Letter to Industry Concerning the Approval and Acquisition of Information Assurance (IA) Tools and Products in the United States Army" (see https://chess.army.mil/ascp/commerce/scp/downloads/standardspolicy_files/letter_to_industry.pdf). This mandate imposes additional requirements for FIPS 140-2 validated products, beyond those mandated by the CMVP. In particular, for Level 1 validations such as ours, it requires:

5. Federal Information Processing Standards (FIPS):
a. FIPS 140-2, Level 1: This applies to cryptographic modules that are software only solutions (the software cannot be bundled or sold as a hardware-software solution) that are unable to achieve FIPS 140-2 Security Level 2. Overall FIPS 140-2 Level 1 solutions must incorporate the following Cryptographic Modules Specifications to a higher security level: Roles, Services, and Authentication (Security Level 2) and Design Assurance (Security Level 3).


The OpenSSL FIPS Object Module 2.0 validation cannot be at overall Level 2 because such a validation would necessarily tie the module to specific hardware. This Army policy was evidently directed at turnkey appliances (firewalls, mobile devices, etc.) and failed to consider the case of general purpose cryptographic libraries. The earlier v1.2.3 FIPS module (certificate #1051) predated the release of the Letter to Industry, and since then we've heard from quite a few software vendors who have experienced difficulty in selling to the Army because the v1.2.3 module didn't meet the 5a requirement. It turns out that satisfying this requirement is easily handled at modest cost as a pure documentation effort in some contexts, such as when the test platforms have Common Criteria (CC) certified operating systems or the module itself actually implements authentication. However, the CMVP takes the not unreasonable position that validation at Roles, Services, and Authentication at Level 2 is not appropriate unless authentication actually takes place (note that in this context a non-CC certified operating system is considered to provide no authentication services). CC certified platforms are few and far between, and it makes no sense to implement authentication to a general purpose cryptographic library. So, that left us with a bit of a dilemma. The CMVP and Army policies are in direct conflict, and if we knew of any easy way to get two government bureaucracies to reconcile conflicting policies we'd tackle some easier challenges like brokering a permanent peace in the Middle East. After some deliberation and consultation with the test lab we concluded that the best resolution to this dilemma was to implement role-based authentication in a way that would satisfy both the CMVP and Army requirements without significantly impacting the end users.
This goal was accomplished by requiring role based authentication for use of the module in FIPS mode, and then automatically and transparently performing that authentication in the "FIPS capable" OpenSSL. The end result is that the FIPS module plus "FIPS capable" OpenSSL combination -- by far the most common use of the FIPS module -- will behave for the calling application as if the role based authentication were not required. Note we already have a well established precedent for publishing secret credentials in the context of an open source based validation. The integrity test mandated by FIPS 140-2, which is accorded great significance, requires an HMAC-SHA1 digest of the module contents (object code, roughly speaking). The HMAC digest is calculated from a secret HMAC key plus the data of interest, the purpose being to allow both authentication and confirmation of data integrity (only the entity knowing the secret key can generate the correct digest). For the very first validation we were faced with the challenge of where to store the secret HMAC key, as in open source code there is no suitable hiding place. After some deliberation the CMVP instructed us to just code the HMAC-SHA1 digest as mandated and leave the secret key exposed in the source code. That same "secret" key has been in every validation since and is published in the corresponding Security Policy documents (Appendix B; it is 65 74 61 6f 6e 72 69 73 68 64 6c 63 75 70 66 6d, equivalent to the ASCII string "etaonrishdlcupfm").


Implementation

The FIPS_mode_set() function familiar to users of past versions of the OpenSSL FIPS Object Module is now defined in the "FIPS capable" OpenSSL, i.e. externally to the FIPS module. The corresponding function in the FIPS module that enables the FIPS mode of operation requires role based authentication in the form of a password argument. Note that FIPS 140-2 requires at least two roles; we defined two roles but both perform identically in all respects.

The build process for the FIPS module references three environment variables, with defaults if not explicitly set:

FIPS_AUTH_KEY
FIPS_AUTH_CRYPTO_OFFICER
FIPS_AUTH_CRYPTO_USER

These environment variables define the HMAC key and the HMACs of the passwords respectively. These are utilized during the standard:

./config
make

The FIPS_AUTH_KEY defines the HMAC key which defaults to "etaonrishdlcupfm". The two passwords default to "Default FIPS Crypto Officer Password" and "Default FIPS Crypto User Password" respectively and appear in fips/fips_utl.h. There are several ways to get the right format for the password HMACs, such as:

echo -n <password> | openssl sha1 -hmac <hmac_key>

At runtime the calling application invokes FIPS_module_mode_set(1, password). Internally this function generates the digest HMAC(FIPS_AUTH_KEY, password) and checks to see if that value matches either of FIPS_AUTH_CRYPTO_OFFICER or FIPS_AUTH_CRYPTO_USER. If the password does not match the error is treated the same as a fatal POST error.

Validation Testing

For use by the test lab in testing the role based authentication the following command line options are defined for the fips_test_suite utility, to specify the password value to be passed to FIPS_module_mode_set():

none: Null password
bad: Invalid password of sufficient length
user: The FIPS_AUTH_CRYPTO_USER password
officer: The FIPS_AUTH_CRYPTO_OFFICER password

If none of those command line options are given the FIPS_AUTH_CRYPTO_USER password is used.

Support in the "FIPS capable" OpenSSL

A means is provided in the "FIPS capable" OpenSSL (which is just another application from the perspective of the FIPS module) to specify non-default passwords:
./config <...options...> -DFIPS_AUTH_USER_PASS="\"...password...\""

Please note this is not something likely to be of value in any real-world context, and a FIPS module built with non-default passwords is a likely source of problems.

6.3 Self Tests

As required by FIPS 140-2 the FIPS module implements numerous self tests. Typically at least one self test is required for each cryptographic algorithm. Each test as it is performed can be examined through an optional callback:

int (*fips_post_cb)(int op, int id, int subid, void *ex);

Unless otherwise stated below the callback should always return 1. The "op" parameter indicates the operation being performed and can be one of:

FIPS_POST_BEGIN: indicates that testing has begun but no tests have been performed yet.

FIPS_POST_END: indicates all tests have been completed. The "id" parameter indicates the overall status of tests. It is 1 if all tests completed successfully and 0 if at least one test failed. For the remaining "op" values the "id", "subid" and "exstr" parameters indicate details of the specific test being performed. See complete descriptions of each test type for the meaning of these parameters.

FIPS_POST_STARTED: indicates an individual test has started.

FIPS_POST_SUCCESS: individual self test was successful.

FIPS_POST_FAIL: individual self test failed.

FIPS_POST_CORRUPT: a query as to whether self test failure mode should be set.


If the callback returns 0 a failure is simulated for the referenced self test. The method used to simulate failure is documented against each test.
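The callback protocol just described, as an added Python example that is not the module's own code: a small POST driver reporting FIPS_POST_BEGIN/STARTED/CORRUPT/SUCCESS/FAIL/END through a fips_post_cb-style callback, with failure simulated by digesting an extra byte as the digest and HMAC tests under 6.3.1 do. The op and id constant values, the NID numbers and the known answer vectors (FIPS 180 SHA1("abc") and the common HMAC "quick brown fox" vectors) are this example's own.

```python
"""Added example, not the module's own code: a model of the fips_post_cb protocol
of 6.3 run over three constructed known answer tests. Constant values and the NID
numbers are placeholders chosen for this example."""
import hashlib
import hmac

FIPS_POST_BEGIN, FIPS_POST_END, FIPS_POST_STARTED = 1, 2, 3
FIPS_POST_SUCCESS, FIPS_POST_FAIL, FIPS_POST_CORRUPT = 4, 5, 6
FIPS_TEST_DIGEST, FIPS_TEST_HMAC = 1, 2
NID_SHA1, NID_SHA256 = 64, 672        # placeholders standing in for OpenSSL NID values

KAT_MSG = b"The quick brown fox jumps over the lazy dog"
KAT_KEY = b"key"

# (test id, subid, known input, function under test, expected hex output)
KATS = [
    (FIPS_TEST_DIGEST, NID_SHA1, b"abc",
     lambda m: hashlib.sha1(m).hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    (FIPS_TEST_HMAC, NID_SHA1, KAT_MSG,
     lambda m: hmac.new(KAT_KEY, m, hashlib.sha1).hexdigest(),
     "de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9"),
    (FIPS_TEST_HMAC, NID_SHA256, KAT_MSG,
     lambda m: hmac.new(KAT_KEY, m, hashlib.sha256).hexdigest(),
     "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"),
]


def run_post(cb):
    """Run every KAT, reporting through cb(op, id, subid, ex); returns 1 if all passed, else 0."""
    cb(FIPS_POST_BEGIN, 0, 0, None)
    all_ok = 1
    for test_id, subid, msg, fn, expected in KATS:
        cb(FIPS_POST_STARTED, test_id, subid, None)
        # A 0 reply to FIPS_POST_CORRUPT asks for a simulated failure: an extra byte
        # is digested/HMACed in addition to the known data, so the answer cannot match.
        if cb(FIPS_POST_CORRUPT, test_id, subid, None) == 0:
            msg = msg + b"\x00"
        ok = hmac.compare_digest(fn(msg), expected)
        cb(FIPS_POST_SUCCESS if ok else FIPS_POST_FAIL, test_id, subid, None)
        all_ok &= int(ok)
    cb(FIPS_POST_END, all_ok, 0, None)   # id carries the overall status
    return all_ok


def make_callback(corrupt=()):
    """Recording callback; answers 0 to FIPS_POST_CORRUPT for the (id, subid) pairs in corrupt."""
    events = []

    def cb(op, test_id, subid, ex):
        events.append((op, test_id, subid))
        if op == FIPS_POST_CORRUPT and (test_id, subid) in corrupt:
            return 0
        return 1
    return cb, events
```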

6.3.1 POST Tests

The tests performed during POST are described below, along with the corresponding fips_test_suite option(s) to trigger the test (see Appendix B.5).

6.3.1.1 Integrity Test

The id field is set to FIPS_TEST_INTEGRITY. The remaining parameters are not used. This is indicated while incore integrity testing of the module itself is being performed. This operation performs an HMAC over sections of incore data and checks the value against an expected value set when the application is compiled [see 2.2 for a more comprehensive description of this operation]. If failure is being simulated an additional byte is HMACed in addition to the incore data to produce an HMAC value which will differ from the stored value. Triggered by the integrity option to fips_test_suite.

6.3.1.2 DRBG Self Test

The id field is set to FIPS_TEST_DRBG. The subid field is set to the NID of the DRBG being tested and the "exstr" field is of type (int *) which points to the DRBG flags being tested. An abbreviated KAT only test (not a full health check) is performed on each supported DRBG mechanism. Specifically, it is initialized in test mode, instantiated using known parameters, output is generated and the result compared with known good values. If failure is being simulated the "additional input" parameter to the generate operation is perturbed by setting it to a shorter length than the KAT value. This will result in data being generated which does not match the expected value. Currently the following DRBG mechanisms and primitives are tested as part of the POST:

a) CTR DRBG using 256 bit AES and a derivation function.
b) CTR DRBG using 256 bit AES without a derivation function.
c) Hash DRBG using SHA256.
d) HMAC DRBG using SHA256.
e) Dual EC DRBG using P-256 and SHA-256.

Triggered by the drbg option to fips_test_suite.


6.3.1.3 X9.31 PRNG Self Test

The id field is set to FIPS_TEST_X931. The subid field is set to the key length of the PRNG in bytes. For the test the PRNG is set up in test mode. A known key, V (seed) and DT (date time vector) is supplied and the generated output (R) compared to an expected value. If failure is being simulated the known V value is corrupted by incrementing the first byte. This will result in generated data which does not match the expected value. Currently the POST tests the X9.31 PRNG using 128, 192 and 256 bit key lengths. Triggered by the rng option to fips_test_suite.

6.3.1.4 Digest Test

The id field is set to FIPS_TEST_DIGEST. The subid field is set to the digest NID being tested. The "ex" argument is not used. Currently only SHA1 is tested in this way. Known data is digested and the resulting hash compared to a known good value. If failure is being simulated an extra byte is digested in addition to the known data which will result in a digest which does not match the expected value. Triggered by the sha1 option to fips_test_suite.

6.3.1.5 HMAC Test

The id field is set to FIPS_TEST_HMAC. The subid field is set to the associated digest NID being tested. The "ex" argument is not used. Known data is HMACed and the resulting hash compared to a known good value. If failure is being simulated an extra byte is HMACed in addition to the known data which will result in an HMAC which does not match the expected value. The digests SHA1, SHA224, SHA256, SHA384 and SHA512 are tested in this way. Triggered by the hmac option to fips_test_suite.

6.3.1.6 CMAC Test


The id field is set to FIPS_TEST_CMAC. The subid field is set to the associated cipher NID being tested. The "ex" argument is not used. Known data is CMACed and the resulting CMAC compared to a known good value. If failure is being simulated an extra byte is CMACed in addition to the known data which will result in a CMAC which does not match the expected value. The triple DES cipher and AES using 128, 192 and 256 bit keys are tested for CMAC. Triggered by the cmac option to fips_test_suite.

6.3.1.7 Cipher Self Tests

The id field is set to FIPS_TEST_CIPHER. The subid field is set to the NID of the cipher being tested; "ex" is not used.

A known key, IV and plaintext is encrypted and the output ciphertext compared to a known good value. The ciphertext is then decrypted using the same key and IV and the result compared to the original plaintext. If a failure is being simulated the ciphertext is corrupted (first byte XORed with 0x1) before the decryption test. AES in ECB mode with a 128 bit key and triple DES in ECB mode are tested. Triggered by the aes and des options to fips_test_suite.

6.3.1.8 GCM Self Test

The id field is set to FIPS_TEST_GCM. The subid field is set to the NID of the cipher being tested; "ex" is not used.

A known key, IV, AAD and plaintext is encrypted and the output ciphertext and tag compared to known good values. The ciphertext and tag are then decrypted using the same key, IV, AAD and expected tag and the result compared to the original plaintext. If a failure is being simulated the tag is corrupted (first byte XORed with 0x1) before the decryption test.

AES in GCM mode with a 256 bit key is tested. Triggered by the aes-gcm option to fips_test_suite.

6.3.1.9 CCM Self Test

The id field is set to FIPS_TEST_CCM. The subid field is set to the NID of the cipher being tested; "ex" is not used. The test is otherwise identical to the GCM test. AES in CCM mode with a 192 bit key is tested. Triggered by the aes-ccm option to fips_test_suite.

6.3.1.10 XTS Self Test

The id field is set to FIPS_TEST_XTS. The test is otherwise identical to the cipher tests.

AES in XTS mode with a 128 and a 256 bit key is tested. Triggered by the aes-xts option to fips_test_suite.

6.3.1.11 Signature Algorithm Tests

The id field is set to FIPS_TEST_SIGNATURE. The subid field is set to the NID of the associated digest. The "ex" field is set to the EVP_PKEY structure of the key being used in the KAT. By examining exstr the type of key being tested can be determined. A signature is calculated using a known private key and data to be signed. For deterministic signature algorithms (i.e. RSA in some padding modes) the signature is compared to a known good value. The signature is then verified using the same data used to create the signature. If failure is being simulated an extra byte is digested in addition to the known data for signature creation only. This will result in a signature which does not match the expected value (if this test is being performed) or the verification will fail. The following algorithms are tested:

a) RSA using PSS padding and SHA256 with a 2048 bit key.
b) ECDSA using P-224 and SHA512.

c) ECDSA using K-233 and SHA512 if binary fields are supported.
d) DSA using SHA384 and a 2048 bit key.

Triggered by the dsa, ecdsa and rsa options to fips_test_suite.

6.3.1.12 ECDH Self Tests

The id field is set to FIPS_TEST_ECDH. The subid field is set to the NID of the curve used. The "ex" field is not used.

Known private and public ECDH keys are used to compute a shared secret (Z) value. This is compared to a known good value. If failure is being simulated the computed shared secret is corrupted after generation. This will result in a mismatch with the expected value. Triggered by the ecdh option to fips_test_suite.
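The digest KAT (6.3.1.4) and HMAC KAT (6.3.1.5) above, together with the (op, id, subid, ex) callback sequence, modelled as an added Python example. This is not code from the OpenSSL FIPS Object Module: the POST_* and TEST_* names echo the module's FIPS_POST_* and FIPS_TEST_* identifiers, but their numeric values and every helper function here are this example's own. The known-answer vectors are published ones (SHA-1 of "abc"; RFC 2202 and RFC 4231 test case 1), and the failure simulation follows the rule the text gives: one extra byte is fed to the primitive in addition to the known data.

```python
"""Model of the digest and HMAC KATs with the (op, id, subid, ex) callback.
Added example: not code from the OpenSSL FIPS Object Module. POST_* and
TEST_* names echo the module's FIPS_POST_* / FIPS_TEST_* identifiers, but
their values and every helper here are this example's own.
"""
import hashlib
import hmac

# Operation codes reported to the callback (values are this example's own).
POST_BEGIN, POST_CORRUPT, POST_SUCCESS, POST_FAIL = 1, 2, 3, 4
# Test identifiers (the 'id' argument).
TEST_DIGEST, TEST_HMAC = 10, 11

# Known-answer vectors: SHA-1("abc") from FIPS 180; HMAC vectors are
# test case 1 of RFC 2202 (SHA-1) and RFC 4231 (SHA-256): key = 0x0b * 20,
# data = "Hi There".
DIGEST_DATA = b"abc"
DIGEST_KAT = bytes.fromhex("a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_KEY = b"\x0b" * 20
HMAC_DATA = b"Hi There"
HMAC_KATS = {
    "sha1": "b617318655057264e28bc0b6fb378c8ef146be00",
    "sha256": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
}


def run_digest_kat(cb, corrupt=False):
    """TEST_DIGEST: subid names the digest; failure is simulated by digesting
    one extra byte, exactly as the text describes for the module."""
    cb(POST_BEGIN, TEST_DIGEST, "sha1", None)
    data = DIGEST_DATA
    if corrupt:
        cb(POST_CORRUPT, TEST_DIGEST, "sha1", None)
        data += b"\x00"
    ok = hashlib.sha1(data).digest() == DIGEST_KAT
    cb(POST_SUCCESS if ok else POST_FAIL, TEST_DIGEST, "sha1", None)
    return ok


def run_hmac_kat(cb, digest, corrupt=False):
    """TEST_HMAC: subid names the associated digest."""
    cb(POST_BEGIN, TEST_HMAC, digest, None)
    data = HMAC_DATA
    if corrupt:
        cb(POST_CORRUPT, TEST_HMAC, digest, None)
        data += b"\x00"
    mac = hmac.new(HMAC_KEY, data, digest).digest()
    ok = hmac.compare_digest(mac, bytes.fromhex(HMAC_KATS[digest]))
    cb(POST_SUCCESS if ok else POST_FAIL, TEST_HMAC, digest, None)
    return ok


def run_post(corrupt=False):
    """Run every KAT once; returns (all_passed, list of (op, id, subid))."""
    log = []

    def cb(op, tid, subid, ex):
        log.append((op, tid, subid))   # a real callback would log or abort here

    results = [run_digest_kat(cb, corrupt)]
    results += [run_hmac_kat(cb, d, corrupt) for d in HMAC_KATS]
    return all(results), log


if __name__ == "__main__":
    for induce in (False, True):
        passed, events = run_post(corrupt=induce)
        print("induced failure" if induce else "normal", "->",
              "passed" if passed else "FAILED", events)
```

The value of the induced-failure path is the same as in the module's test suite: it proves the comparison is live. A KAT that cannot be made to fail (for instance because the expected value was copied from the implementation's own output) gives no assurance at all.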

6.3.2 Conditional Self Tests


6.3.2.1 Pairwise Consistency Test

When an asymmetric signature key is generated a signature test identical to the POST signature tests is performed on the generated key. The only difference is that the id field is set to FIPS_TEST_PAIRWISE. In the case of RSA keys a consistency test is also performed using an RSA PKCS#1 padding encryption and decryption operation; this operation is not registered with the callback. Specifically: known data is encrypted, the ciphertext is checked to confirm it does not match the plaintext, and it is then decrypted. The decrypted value is checked against the original plaintext. For RSA keys the SHA256 digest is used and three tests are performed, with PKCS#1, X9.31 and PSS padding. For DSA and ECDSA keys one test using SHA256 is performed. Triggered by the dsakeygen and rsakeygen options to fips_test_suite.

6.3.2.2 Continuous PRNG Test

When not in test mode (i.e. an operational "live" PRNG) the output of the PRNG is put through the continuous PRNG test for FIPS 140-2.

The callback is not used for this operation. If the function FIPS_x931_stick() is called then the X9.31 PRNG output is copied to the stored last block to ensure the test will fail on the next generate operation. If the function FIPS_drbg_stick() is called then the DRBG output is copied to the stored last block to ensure the test will fail on the next generate operation. The continuous PRNG test for the PRNG itself is triggered by the drbgstick and rngstick options to fips_test_suite. The continuous PRNG test for the entropy source is triggered by the drbgentstick option to fips_test_suite.
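The continuous test and the "stick" mechanism described above, as an added Python model; this is not the module's code. ContinuousTestedRng wraps any block generator (so it models both the PRNG test and the entropy-source test), keeps the previous output block, and rejects a block that repeats it; stick() plays the role the text gives FIPS_x931_stick() and FIPS_drbg_stick(): the next output block is copied into the stored last block first, so the following comparison must fail. HashCounterSource and ConstantSource are stand-in generators that exist only so the example runs offline; neither is an approved DRBG.

```python
"""Continuous RNG test of FIPS 140-2 section 4.9.2, added example (not the
module's code). The wrapper keeps the previous output block and fails when a
block repeats it; stick() forces that failure on the next generate() call.
"""
import hashlib


class ContinuousTestError(Exception):
    """Raised when two consecutive output blocks are identical."""


class HashCounterSource:
    """Stand-in for a live generator (SHA-256 over seed || counter). It exists
    only so the example runs offline; it is not a FIPS approved DRBG."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def block(self) -> bytes:
        self.counter += 1
        return hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()[:16]


class ConstantSource:
    """A broken generator that always returns the same block."""

    def block(self) -> bytes:
        return b"\x00" * 16


class ContinuousTestedRng:
    BLOCK = 16  # comparison unit: 128-bit blocks for an AES based X9.31 PRNG

    def __init__(self, source):
        self.source = source
        self.last = None          # first block only primes the test (4.9.2)
        self.stick_pending = False
        self.in_error = False     # a module stays unusable once the test fails

    def stick(self):
        """Force the next generate() to fail the continuous test."""
        self.stick_pending = True

    def generate(self, n: int) -> bytes:
        if self.in_error:
            raise ContinuousTestError("generator is in the error state")
        out = b""
        while len(out) < n:
            blk = self.source.block()
            if self.stick_pending:
                self.last = blk       # modelled 'stick': pre-store the new block
                self.stick_pending = False
            elif self.last is None:
                self.last = blk       # discard the first block, keep it to compare
                continue
            if blk == self.last:
                self.in_error = True
                raise ContinuousTestError("continuous RNG test failed")
            self.last = blk
            out += blk
        return out[:n]


if __name__ == "__main__":
    rng = ContinuousTestedRng(HashCounterSource(b"example seed"))
    print(rng.generate(32).hex())
    rng.stick()
    try:
        rng.generate(16)
    except ContinuousTestError as e:
        print("after stick():", e)
```

Note the two properties the model preserves: the very first block after instantiation is never returned to the caller, and a single failure latches the generator into an error state rather than silently continuing.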

6.4 ECDH

The CAVP defines a test for ECDH in the form of "ECC CDH Primitive" tests: http://csrc.nist.gov/groups/STM/cavp/#09. When this ECDH testing was introduced for FIPS 140-2 we initially assumed that with the growing use of ECDH in TLS the intent was to ensure that usage was covered by an approved algorithm. That turns out not to be the case. The algorithm now available for testing is "cofactor ECDH" (formally known as ECC CDH) which is NOT the same as regular ECDH (formally known as the ECKAS-DH1 scheme) used with TLS -- it is a variant of ECDH that is not the same as that commonly used in actual applications. The differences between the two algorithms are small but enough to make the two incompatible in subtle ways.

For regular ECDH the shared secret Z is the x component of the value dQ where d is one side's private key (an integer) and Q the other side's public key (an elliptic curve point). For cofactor ECDH the shared secret Z is the x component of the value hdQ where the new value h is something called the cofactor (another integer) which is a property of the curve. For most prime curves[45] h = 1 whereas for many binary curves h ≠ 1. So for many prime curves (but not all) the two algorithms yield the same result. For binary curves they do not.

Note that the addition of a few lines to the ECDH algorithm implementation changes it to cofactor ECDH, at which point it passes the CAVP ECC CDH Primitive test. However, if we change our ECDH implementation to unconditionally use cofactor ECDH then it will not be interoperable with TLS using binary curves. Even though the use of cofactor ECDH is rare at present, there could conceivably be a need at some point. In order to accommodate that possibility while preserving compatibility with existing applications we added a flag to the EC_KEY structure to enable cofactor ECDH for use with the FIPS 140-2 algorithm tests. This flag is set with the EC_KEY_set_flags() function:

    EC_KEY_set_flags(key, EC_FLAG_COFACTOR_ECDH);

If this flag is not explicitly set then the ECKAS-DH1 (TLS compatible) scheme is used.

[45] The standard tested prime curves all use h = 1 excepting one non-standard prime curve with h ≠ 1; that is a 128 bit curve and so forbidden in approved mode. Effectively this means that for an implementation only checking prime curves (as many do) the discrepancy would never be apparent. FIPS 140-2 does allow non-standard curves, so two "tested" algorithms could yield different results.
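The difference between the two schemes worked through in code, as an added Python example that is not OpenSSL code: a toy prime curve with cofactor h = 4 is chosen precisely so that ECKAS-DH1 (Z = x(dQ)) and ECC CDH (Z = x(hdQ)) disagree. The curve y^2 = x^3 + x + 1 over F_23 (group order 28 = 4 * 7), the private keys dA = 3 and dB = 5, and all helper names are this example's own assumptions; no real curve parameters are used, and affine arithmetic with Python integers is far too slow for real key sizes.

```python
"""Plain ECDH (ECKAS-DH1, Z = x(dQ)) versus cofactor ECDH (ECC CDH,
Z = x(h*d*Q)) on a toy curve with cofactor h = 4. Added example; not OpenSSL
code. Curve, keys and helper names are this example's own assumptions.
"""
P, A, B = 23, 1, 1          # y^2 = x^3 + A*x + B over F_P; 28 points incl. infinity
INF = None                  # point at infinity


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition / doubling (textbook formulas, not constant time)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # P + (-P), covers y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def all_points():
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]


def group_order():
    return len(all_points()) + 1                     # + point at infinity


def largest_prime_factor(n):
    f, p = None, 2
    while p * p <= n:
        while n % p == 0:
            f, n = p, n // p
        p += 1
    return n if n > 1 else f


N = group_order()                       # 28 for this curve
Q_ORDER = largest_prime_factor(N)       # 7: order of the subgroup ECDH uses
H = N // Q_ORDER                        # cofactor 4


def generator():
    """First point whose cofactor multiple is non-trivial: it lies in the
    order-q subgroup, which is where real curve generators live."""
    for pt in all_points():
        g = mul(H, pt)
        if g is not INF:
            return g
    raise RuntimeError("no point of prime order found")


G = generator()


def ecdh_plain(d, q_pub):
    """ECKAS-DH1 as used by TLS: Z = x(d * Q)."""
    return mul(d, q_pub)[0]


def ecdh_cofactor(d, q_pub):
    """ECC CDH primitive: Z = x(h * d * Q)."""
    return mul(H * d, q_pub)[0]


def demo(dA=3, dB=5):
    """Both parties compute Z under each scheme; returns the two pairs."""
    qA, qB = mul(dA, G), mul(dB, G)
    return {
        "plain": (ecdh_plain(dA, qB), ecdh_plain(dB, qA)),
        "cofactor": (ecdh_cofactor(dA, qB), ecdh_cofactor(dB, qA)),
    }


if __name__ == "__main__":
    print("order", N, "q", Q_ORDER, "h", H, "G", G)
    print(demo())
```

Within each scheme the two parties agree, but the plain and cofactor results differ because 4 is not 1 modulo 7. On a curve with h = 1 the multiplication by H is the identity and both functions return the same Z, which is the situation the text describes for the standard tested prime curves. An implementation that passes the ECC CDH Primitive test by always multiplying by h would therefore break interoperability exactly on the curves where h ≠ 1.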

6.5 ECC and the NSA Sublicense

Why are there two versions of the OpenSSL FIPS Object Module 2.0?

At least some implementations of Elliptic Curve Cryptography (ECC) are perceived to be encumbered in the United States by a complex set of patents. Concern about the possible risks of patent infringement has been a significant disincentive to more widespread use of ECC. In order to counter such concerns for the ECC necessary to implement the Suite B algorithms, the NSA established a process for sub-licensing the patents for that subset of ECC (see http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml). The OSF has obtained such a sublicense (http://opensslfoundation.com/testing/docs/NSA-PLA.pdf). However, that sublicense only covers the specific patents presumed relevant to the prime curve ECC used for Suite B. It does not cover other possible types of ECC such as binary curves which are implemented in OpenSSL.

Judging the risks of a patent infringement lawsuit is difficult, and not only because the patents themselves are usually incomprehensible to the software developer. The mere threat of a patent lawsuit can be crippling to even a medium sized enterprise, regardless of the legitimacy of the accusation of infringement. It is the considered opinion of the OpenSSL team that the implementation of ECC in OpenSSL, both prime and binary curve, does not infringe any patents[46]. However, some potential users are still concerned about the risk of patent litigation, understandably so given the extent to which such litigation has been used as an offensive commercial tactic in recent years. For the OpenSSL software such users can use build-time options to omit specific algorithms of concern from the resulting binary code.

[46] Also note that the bulk of the binary curve ECC implementation in the OpenSSL project was contributed by a corporation, the former Sun Microsystems, with the legal resources to analyze such risks.

However, the restrictions of FIPS 140-2 prevent the use of such build-time options or modification of the source code. One of the validation sponsors was concerned about patent risks and so a separate "patent troll" source distribution of the OpenSSL FIPS Object Module 2.0 was created which entirely omits the binary curve ECC. That distribution, openssl-fips-ecp-2.0.tar.gz, is functionally identical to the full distribution except for the omission of those algorithms, and all discussion of the full distribution elsewhere in this document applies. Note that when using the "ecp" distributions the corresponding "FIPS capable" OpenSSL must be built with the no-ec2m option.

6.6 The "Secure Installation" Issue

This latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 validations saw the introduction of a new requirement by the CMVP:

    The distribution tar file, shall be verified using an independently acquired FIPS 140-2 validated cryptographic module...

We're told that this distribution tar file verification requirement comes directly from the assertions AS10.03 and AS14.02 of the Derived Test Requirements document:

    AS10.03: (Levels 1, 2, 3, and 4) Documentation shall specify the procedures for secure installation, initialization, and startup of the cryptographic module.

    AS14.02: (Levels 1, 2, 3, and 4) The cryptographic module security policy shall consist of: a specification of the security rules, under which the cryptographic module shall operate, including the security rules derived from the requirements of the standard and the additional security rules imposed by the vendor.

Subsequent discussions mediated by the test lab elaborated this "secure installation" requirement to mean that one of the following conditions must be true:

1) The distribution file is obtained via a "trusted path", which is one of:

   a) Transfer via physical media (e.g. CD-ROM disk) sent by postal or delivery service (USPS, UPS, FedEx);

   b) Electronic transfer using cryptography (e.g. SSH, HTTPS, IPsec) implemented by FIPS 140-2 validated products. That requirement was further elaborated to state that those products must themselves be a result of "secure installation".

2) The distribution file is verified (HMAC-SHA-1 digest checked) using a pre-existing FIPS 140-2 validated product that is itself the result of a "secure installation".

Note the recursive nature of the "secure installation" requirement represents a non-trivial challenge; in order to transfer or verify a new validated product an existing securely installed validated product must already be present. We're still struggling to understand the scope and implications of this requirement. The FIPS 140-2 scripture (the FIPS 140-2 standard [Reference 1], the DTR [Reference 4], and the IG [Reference 3] documents) doesn't shed a lot of light -- the term "trusted path" for instance is only referenced in the context of Level 3 validations. Note those "secure installation" and "trusted path" requirements as explained to us say that validated software cannot be distributed by traditional methods, which leads to some interesting questions about the use of other validated modules (puzzlement over why all other modules aren't similarly impacted is a large part of our confusion).

Those questions aside, prospective users of this FIPS module need to determine at least one known valid way to satisfy the requirement for this specific validation -- a way not at risk of being ruled invalid by the CMVP after software has been shipped or deployed. So far the CMVP has declined to answer specific questions about options for satisfying this requirement; they quote the formal documentation (as noted above) and refer us to the test labs. We have actively discussed this issue with several accredited test labs and selected members of the FIPS validation community. Unfortunately the test labs are not in close agreement. So far we have collected a lot of opinions but not much certainty. If you have experience or insights directly relevant to this issue we'd love to hear from you[47].

Very Important Note: The conclusions presented here are still tentative as they have neither been confirmed nor refuted by the CMVP; they simply represent our best understanding of the situation at this point in time. These conclusions could change dramatically based on relevant feedback from the CMVP, or more slowly in response to an accumulated consensus of opinion from the test labs and FIPS 140-2 community of interest.

6.6.1 What Won't Work


This new requirement doesn't sound so bad until you try to pin down exactly what steps need to be taken to satisfy it. We're still working on figuring this out, but we can eliminate some options that have been considered but which apparently are not allowed:

- No delegation: one entity (OSF for instance) can't perform the verification of the source tarball and then post that verified tarball on a website for download by everyone else unless the download qualifies as a "trusted path", which in practice will mean the user performing the download will need to obtain and install FIPS 140-2 validated client software (also through a trusted path ... which is a circular problem for many users).

- The new module itself (what is built from the source distribution) cannot be used to perform the verification of the source distribution it was built from.

- Earlier FIPS modules (such as the 1.2.3 FIPS module, validation certificate number #1051) apparently cannot be used to perform the verification. Apparently the new tarball verification requirement will be retroactively applied to the older OpenSSL FIPS Object Module validations. We do not know if that will mean that all deployed instances of these older modules will be declared invalid (that would have a huge impact), but the consensus of our discussions is that the older modules can't be leveraged to verify the new module.

[47] http://opensslfoundation.com/contact.html

- Use of an earlier binary module validation (certificate #1111) was suggested by the CMVP. There are two problems with that suggestion: first, that particular validation took so long (with a 13 month wait for CMVP action) that it had no economic value by the time it was finally completed, and as a result it was abandoned and we no longer have the corresponding binary module; and second, per our understanding that binary module would need to be executed on some very obsolete platforms (OpenSuSE 10.2, no longer downloadable from the maintainer, or Microsoft Windows XP SP2, no longer sold by the vendor). Also in many environments (such as DoD) use of such unsupported operating systems is forbidden by security policy.

- One of our first thoughts was to create (by some means) an executable binary utility program to perform the verification, that could be run on one or more common platforms (e.g. Linux, Windows), and that we could provide publicly for everyone. However, it seems we can't just post that utility for download on a typical web site as the downloaded file would not have been obtained through a "trusted path". Our understanding is that a trusted path over a network would require formally FIPS 140-2 validated software at both the client and server, which fails to address the issue of how to get validated cryptography in the first place.

- Another clever idea that was suggested was for us to provide a utility based on a known common commercial validated cryptographic implementation, such as CryptoAPI in Microsoft Windows. The utility could be freely downloaded because it would not contain the actual cryptography. However, many prospective users will have obtained that validated cryptography (the Microsoft Windows OS itself) by non-trusted means (the MSDN download of ISO images does not use FIPS validated cryptography, nor does the usual Internet based update process). Likewise an NSS based utility for Red Hat Enterprise Linux would have the same problem (non-trusted installation and update). Even if the initial OS installation was done with a trusted path, the subsequent routine updates are not[48]; so one would have to install the OS using a vendor supplied CD/DVD and then not subsequently update it over the Internet. Note this last point is downright mind-boggling: it amounts to an assertion that essentially all installations of validated software modules are illegitimate.

Many other options have been considered as well, without a clear consensus from those in the test labs and the community of interest whom we have consulted.

6.6.2 What Might Work


The options that we are fairly confident will satisfy the new requirement are:

- Use of a commercial proprietary product using FIPS 140-2 validated cryptography, obtained via a trusted path (e.g. snail-mailed CD or DVD), to display the HMAC-SHA-1 digest of the source tarball. That product should be capable of performing the equivalent of:

      openssl sha1 -hmac etaonrishdlcupfm openssl-fips-2.0.tar.gz

  As noted above, for reasons we don't understand the earlier OpenSSL FIPS Object Module validations (e.g. #1051) are apparently not eligible for this role. At this point we are not aware of any specific commercial products that perform this operation on a file, nor how much they cost or how to purchase them. However, such products must exist. If you know of or find a suitable product please let us know the details[49].

[48] We were able to connect to both Microsoft and Red Hat distribution servers with non-allowed cryptographic algorithms (e.g. RC4); hence we can deduce that those servers are not utilizing FIPS 140-2 validated cryptography.

- Use of a source code distribution that can be obtained from OSF on physical media (a CD-ROM disk) via snail-mail (USPS). Note this option is specifically documented[50] as acceptable in the Security Policy itself -- a huge comfort factor for those concerned about the lack of clear guidance in this area. Also note that some experienced and respected commentators in the FIPS 140-2 community of interest that we consulted felt strongly that physical media should not constitute a trusted path. However, a direct statement as placed in the Security Policy and approved by the CMVP trumps any such concerns. Until and if the postage costs get out of hand we will send those CDs on request at no cost. Please send your request including a full postal address to verifycd@opensslfoundation.com. Note that the files you will receive on these CDs will be identical in every respect (except for FIPS 140-2 compliance) with the files you can download from the openssl.org web site, so we ask that you only request this CD if you plan to use it for generation of FIPS 140-2 validated cryptography in a context that requires such compliance. The downloaded files are bit-for-bit identical and for any other purposes will generate exactly the same results.

6.6.3 Still Confused?


Welcome to the club. As we learn more about specific options that will and won't satisfy the requirement we will post that information on the OSF web site and in updates to this document. In the meantime the only definitive answers will have to come from the CMVP itself, either directly or indirectly. The best point of contact is the Director of NIST CMVP[51]. If you choose to contact the CMVP then please:

- Keep all inquiries polite and respectful. Remember that the CMVP have a very different perspective on computers and software than the average information technology practitioner. They do not have a software development background.

[49] http://opensslfoundation.com/contact.html

[50] The discussions leading to this statement in the Security Policy were responsible for several weeks of delay in obtaining the validation. We felt the issue of having one specific affirmatively approved process for satisfying this new requirement was so critical as to warrant any necessary delay; placement of that statement in the Security Policy itself was essentially our only opportunity to obtain a definitive response on the topic from the CMVP.

[51] http://csrc.nist.gov/groups/STM/cmvp/contacts.html

- Note that they are not the enemy; if it was their intent to consciously block or sabotage the OpenSSL FIPS Object Module validations they could have done so easily long ago using a wide range of bureaucratic tactics.

- Note that if you disagree with what you are told by the Director of NIST CMVP you have no recourse to appeal to any higher authority; his word is definitive and final (technically the CMVP is a joint U.S.-Canadian program with the CSE[52] as the Canadian equivalent of NIST, but for U.S. users at least the NIST CMVP opinion is what matters. Canadian users may want to consult the CSE).

- If you learn anything of interest please share it with us[53] and/or one of the OpenSSL mailing lists[54].

6.7 GMAC

The FIPS module was originally tested with, and awarded an algorithm validation for, AES GCM including GMAC. The CAVP subsequently revised the algorithm test and retroactively designated a number of validations, including ours, as "GMAC not supported".

6.7.1 CAVP Action


We first heard of this in an E-mail forwarded by our test lab, at which time the CAVP and CMVP web site listings had already been updated to show "GMAC not supported" for multiple validations. The CAVP noted that our GCM implementation gave an incorrect answer when a zero length plaintext is given with an AAD input length that is not a multiple of 128 bits. The original GMAC test only checked input lengths that were a multiple of 128 bits. Note this preemptive action appears to be a little unusual; typically the CAVP/CMVP will contact a vendor to discuss problems before taking unilateral action.

6.7.2 Options for Addressing

The fix is a trivial one line code change, http://cvs.openssl.org/chngview?cn=22745, which has been applied to the regular OpenSSL releases. However, changes to FIPS 140-2 validated software, no matter how trivial, are not easily effected. In this case the CAVP insisted on retesting of all of the 50 some previously tested platforms. Retesting was not economically feasible due to multiple factors:

[52] http://www.cse-cst.gc.ca/index-eng.html

[53] http://opensslfoundation.com/contact.html

[54] http://openssl.org/support/community.html

- Many test devices had already been returned to the platform sponsors. Some of those were one-off prototype or evaluation units and arranging with the sponsors to re-ship that equipment to the OSF test lab would have taken a substantial amount of time and effort. Even shipping costs themselves were non-trivial, as OSF pays return shipping for customer supplied equipment. Those costs alone were several thousand dollars for the initial 2.0 FIPS module testing.

- Many man-weeks of effort would have been required to repeat the process of installing and configuring each test device and then running the software build and execution process.

- We would have to pay the test lab for the testing, a very substantial cost. Even with negotiations to take into account the fact that the testing process was already fully documented and tested for each device, that cost would probably have been at least US$50,000.

All told we estimated the cost of retesting every platform would exceed US$70,000 even with OSF personnel working for minimum wage. Fortunately the practical impact of removing GMAC from the 2.0 module validation appears to be minimal, as discussed in the following section. This incident does illustrate the risk of unpredictable and unilateral CAVP/CMVP action. Passing all the formal testing and receiving a validation award is no guarantee that the validation will not disappear overnight[55]. That perceived risk is a large part of the appeal of the "private label" validations for risk-averse clients.

6.7.3 Practical Impact


The AES-GCM algorithm is an authenticated encryption algorithm. It is in some ways equivalent to the separate HMAC and encryption algorithms used in some ciphersuites. It is an attractive choice because it does everything all in one go and thus is considerably faster than the separate encryption+MAC operation. The first widespread use of GCM is in TLS 1.2 in new ciphersuites. AES-GCM as its input can take (among other things) some additional authenticated data (AAD) and plaintext (in encrypt mode). Its output is ciphertext and a MAC. The AAD is some additional data thrown into the MAC calculation, but it does not appear in the output. The ciphertext is the encrypted plaintext. If there is any plaintext/ciphertext at all then the operation is called GCM, with or without AAD.

[55] That has happened before, for instance the earlier OpenSSL FIPS Object Module validation #733 which was effectively revoked by the CMVP. See http://veridicalsystems.com/blog/index.html?p=55.html for a discussion of that incident.

If there is no ciphertext/plaintext and only AAD then the operation is called GMAC. So GMAC is a special case of GCM. The bug in the FIPS module GCM implementation is triggered when GMAC is used, i.e. there is no ciphertext/plaintext and only AAD. Also the bug is not manifested unless the AAD is not a multiple of 16 bytes. So if the AAD is a multiple of 16 bytes and/or there is any ciphertext/plaintext then the FIPS module implementation works just fine. During normal operation of the TLS protocol GMAC is not used because there is always some data to encrypt or decrypt. The degenerate case of a zero length fragment we think could trigger this (the AAD of a TLS 1.2 AES-GCM record, per RFC 5288, is the 13 byte sequence number plus record header, so an empty record would be exactly the GMAC-with-unaligned-AAD case), but OpenSSL never produces such a thing and there is no reason for a non-OpenSSL TLS stack to do so either. Further review may be needed to determine if a TLS 1.2 zero length fragment case is even theoretically possible. So to summarize: under any normal use cases the OpenSSL TLS implementation works in FIPS mode just fine without GMAC.
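The input shape the CAVP test exposed, worked through in GHASH (the universal hash inside GCM) as an added Python example; this is not the FIPS module's code and says nothing about what its one-line fix changed. AES itself is left out: H = E_K(0^128) and E_K(J0) are taken from the published GCM test case 2 (AES-128, K = 0^128, IV = 0^96), so the result can be checked offline against the published GHASH value and tag. The point to watch is the final partial AAD block: with no ciphertext following it, the block must still be zero-padded and absorbed before the length block is processed, and the length block must carry the unpadded AAD bit length. The 13 byte AAD in the usage is the size of a TLS 1.2 record's additional data (RFC 5288), chosen here as a realistic unaligned length.

```python
"""GHASH in pure Python, added example (not the FIPS module's code). AES is
left out; H and E_K(J0) come from the published GCM test case 2 so the
values below can be checked offline.
"""
R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected layout


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements as GCM defines it (leftmost bit = x^0)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A || 0^v || C || 0^u || len64(A) || len64(C)), lengths in bits."""
    hk = int.from_bytes(h, "big")
    y = 0

    def absorb(data: bytes):
        nonlocal y
        # The final partial block is zero-padded and absorbed even when no
        # ciphertext follows: the GMAC-with-unaligned-AAD case.
        for i in range(0, len(data), 16):
            blk = data[i:i + 16].ljust(16, b"\x00")
            y = gf128_mul(y ^ int.from_bytes(blk, "big"), hk)

    absorb(aad)
    absorb(ct)
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    y = gf128_mul(y ^ int.from_bytes(lengths, "big"), hk)
    return y.to_bytes(16, "big")


def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes) -> bytes:
    """Tag = GHASH xor E_K(J0). With an empty ct this is GMAC."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), ek_j0))


# Published GCM test case 2 (AES-128, K = 0^128, IV = 0^96, P = 0^128).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")     # E_K(0^128)
EKJ0_TC2 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0)
CT_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


if __name__ == "__main__":
    print("GHASH tc2:", ghash(H_TC2, b"", CT_TC2).hex())
    print("tag   tc2:", gcm_tag(H_TC2, EKJ0_TC2, b"", CT_TC2).hex())
    # GMAC over a 13 byte AAD (TLS 1.2 record additional data size), no ciphertext
    print("GMAC 13B :", gcm_tag(H_TC2, EKJ0_TC2, bytes(13), b"").hex())
```

Note that a 13 byte and a 16 byte all-zero AAD absorb the same padded block, so the only thing that distinguishes their tags is the length block; an implementation that derived the AAD length from the padded buffer, or skipped the flush of a partial AAD block when no ciphertext arrives, would collapse exactly these cases.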

6.8 DH

The version of DH used by TLS is a variant on PKCS#3 and not the X9.42 specification, and hence is not compliant with SP800-56A. For example, the requirement:

    Each private key shall be unpredictable and shall be generated in the range [1, q-1] using an Approved random bit generator.

For TLS clients that requirement cannot be satisfied as stated because the parameter "q" is not sent from server to client, only the parameter "p". Clients generate a private key in the range [1, p-1] instead.

6.9 DSA

The DSA private key value is calculated as follows: The function fips_check_dsa_prng() checks parameters and that the PRNG strength is consistent with them when a private key is generated. The function fips_ffc_strength(), which takes the values directly from SP800-131A, is used as well.

REFERENCES

1. OpenSSL FIPS 140-2 Security Policy, Version 2.0, Open Source Software Institute. This document is available at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140spNNNN.pdf and http://www.openssl.org/docs/fips/.

2. FIPS PUB 140-2, Security Requirements for Cryptographic Modules, May 2001, National Institute of Standards and Technology, available at http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

3. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, January 26, 2007, National Institute of Standards and Technology, available at http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf.

4. Derived Test Requirements [DTR] for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 4, 2011, National Institute of Standards and Technology, available at http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402DTR.pdf.

5. Network Security with OpenSSL, John Viega et al., 15 June 2002, O'Reilly & Associates.

6. NSA Suite B Cryptography, http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

7. The Transitioning of Cryptographic Algorithms and Key Sizes, http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf

8. DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, http://csrc.nist.gov/publications/drafts/800-131/draft-sp800-131_spd-june2010.pdf

9. FIPS 186-3, Digital Signature Standard (DSS), http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf

10. SP 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators (Revised), http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf

11. SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

12. Suite B Implementer's Guide to NIST SP 800-56A, http://www.nsa.gov/ia/_files/SuiteB_Implementer_G-113808.pdf

13. SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, http://csrc.nist.gov/publications/nistpubs/800-56B/sp800-56B.pdf

14. SP 800-108, Recommendation for Key Derivation Using Pseudorandom Functions, http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

15. AES Key Wrap Specification, http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf

16. Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program, May 21, 2009, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

17. Army "Letter to Industry", https://chess.army.mil/ascp/commerce/scp/downloads/standardspolicy_files/letter_to_industry.pdf

18. OpenSSL FIPS Object Module User's Guide, http://openssl.org/docs/fips/UserGuide.pdf

19. The OpenSSL license, http://openssl.org/source/license.html

Appendix A

OpenSSL Distribution Signing Keys

In order to be considered FIPS 140-2 validated the FIPS Object Module must be derived from an OpenSSL distribution signed by one of these authorized keys, as shown by the value in the Fingerprint row. The procedure for verifying that a source distribution was signed by one of these keys is described in detail in §4.1.2. Note the fingerprint formats are slightly different for the two different types of keys (RSA and DSA).

OpenSSL Core Team PGP Keys

Key Id     Team member
49A563D9   Mark Cox <mark@awe.com>
           Fingerprint: 7B 79 19 FA 71 6B 87 25 0E 77 21 E5 52 D9 83 BF
26BB437D   Ralf S. Engelschall <rse@engelschall.com>
           Fingerprint: 00 C9 21 8E D1 AB 70 37 DD 67 A2 3A 0A 6F 8D A5
F295C759   Dr Stephen Henson <shenson@drh-consultancy.co.uk>
           Fingerprint: D0 5D 8C 61 6E 27 E6 60 41 EC B1 B8 D5 7E E5 97
9C58A66D   Lutz Jänicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
           Fingerprint: 13 D0 B8 9D 37 30 C3 ED AC 96 24 7D 45 8C 17 67
2118CF83   Ben Laurie <ben@cryptix.org>
           Fingerprint: 7656 55DE 62E3 96FF 2587 EB6C 4F6D E156 2118 CF83
E06D2CB1   Richard Levitte <levitte@lp.se>
           Fingerprint: 35 3E 6C 9E 85 24 BD 9F D1 9E 8F 75 23 6B (last two bytes not legible in this copy)
5A6A9B85   Bodo Moeller <2004@bmoeller.de>
           Fingerprint: C7 AC 7E AD 56 6A 65 EC F6 16 66 83 7E 86 68 28

Appendix B

CMVP Test Procedure

Instructions for building OpenSSL and performing the FIPS 140-2 and related algorithm tests on Linux®/Unix® and Microsoft Windows® based platforms are given here. These instructions are primarily of interest to the CMVP testing laboratory performing the validation testing, or anyone wishing to verify that the executable library generates the same output for the algorithm tests performed by the testing laboratory. Note there is no requirement for end users or application developers to run these tests; this discussion is included for reference purposes to illustrate the algorithm testing performed by the CMVP test lab.

Note this step requires a large directory tree of input test data files produced by the testing lab using a NIST provided tool (CAVS); several sets of input and response values can be found at http://opensslfoundation.com/testing/validation-2.0/testvectors/. The file http://opensslfoundation.com/testing/validation-2.0/testvectors/tv.tar.gz contains a complete set of 259 test vector files with correct responses that can be used for a single comprehensive test.

B.1 Building the Software - Linux/Unix

1. Copy the OpenSSL distribution (openssl-fips-2.0.tar.gz) to a directory on the test system. Approximately 80Mb free space is needed for this file and the resulting work area.

2. Perform the standard build. Use of a script file or comparable means of capturing the output is highly recommended.

    gunzip -c openssl-fips-2.0.tar.gz | tar xf -
    cd openssl
    ./config [no-asm]
    make

...where the no-asm option may or may not be present depending on the platform.

3. Run make build_tests to generate the standalone additional programs to support the testing process. To generate a single program that contains the functionality of fips_test_suite and the individual standalone algorithm test programs, run

    make build_algvs

to build the fips_algvs program. This program is necessary for some platforms that do not provide a suitable command shell and for which the execution of many separate programs is awkward or difficult, and may be convenient in other circumstances. The fips_algvs program can be used to execute specific tests, for instance

    fips_algvs fips_test_suite post
    fips_algvs fips_dssvs pqg "tv/req/PQGGen.req" "tv/resp/PQGGen.rsp"

or if given no command line options it will process the subcommands in a minimal shell script as generated by

    perl fipsalgtest.pl --dir=<testvectors> --minimal-script --generate-script=fipstests.sh --tprefix=

which will produce a file fipstests.sh with the subcommands corresponding to each request file, e.g.:

    fips_dssvs pqg "tv/req/PQGGen.req" "tv/resp/PQGGen.rsp"

The fips_algvs program supports the following command line options:

    -quiet              suppress any progress output.
    -verbose            echo full command lines of executed commands (default is to omit filenames)
    -script <filename>  script to use, default is fipstests.sh

In the absence of any options it assumes a script file fipstests.sh should be read from the current directory. If the first argument doesn't begin with a '-' it is taken as the name of a sub program to run:

    fips_aesavs
    fips_algvs
    fips_cmactest
    fips_desmovs
    fips_dhvs
    fips_drbgvs
    fips_dsatest
    fips_dssvs
    fips_ecdhvs
    fips_ecdsavs
    fips_gcmtest
    fips_hmactest
    fips_randtest
    fips_rngvs
    fips_rsagtest
    fips_rsastest
    fips_rsavtest
    fips_shatest
    fips_test_suite

Note that for future validations the fips_algvs program will probably entirely replace the separate fips_test_suite and algorithm test driver programs.

B.2 Algorithm Tests - Linux/Unix

4. Add the subtree of test data to the distribution work area:

    cd fips
    unzip <zipfile of test vectors>.zip -d testvectors

5. Run the FIPS 140-2 algorithm tests:

    perl fipsalgtest.pl --dir=testvectors

This step runs the algorithm tests specific to the FIPS mode. Again a large amount of output will be generated. If an error occurs processing will be aborted. The output from the cryptographic tests will be compared against the response files already present in the test data and not permanently stored. This comparison automatically suppresses the whitespace and comment line differences and ignores the seven test vector files that are always different[56].

6. To generate and preserve new response files use the --generate option:

    perl fipsalgtest.pl --dir=testvectors --generate

Many (approximately 259) generated *.rsp files will be found in the ./testvectors/ directory tree under ./fips/:

    find testvectors/ -name '*.rsp'

7. The tree of *.rsp files can also be extracted for comparison with another tree:

    find testvectors -name '*.rsp' | cpio -oc > rsp1.cpio
    . . .
    cd /tmp
    mkdir rsp1 rsp2
    cd rsp1; cpio -ic < rsp1.cpio
    cd ../rsp2; cpio -ic < rsp2.cpio
    diff -r . ../rsp1

If the only other differences are the commented date-time labels then the trees match:

    diff -r ./testvectors/aes/resp/CBCGFSbox128.rsp \
        ../rsp1/testvectors/aes/resp/CBCGFSbox128.rsp
    6c6
    < # Thu Mar 4 11:05:36 2004
    ---
    > # Fri Feb 20 12:21:24 2004
    diff -r ./testvectors/aes/resp/CBCGFSbox192.rsp \
        ../rsp1/testvectors/aes/resp/CBCGFSbox192.rsp
    6c6
    < # Thu Mar 4 11:05:36 2004
    ---
    > # Fri Feb 20 12:21:24 2004

[56] Due to the nature of the cryptographic operations involved the following response files will always be different:

    KeyPair.rsp    DSA
    PQGGen.rsp     DSA
    SigGen.rsp     DSA
    SigGen15.rsp   RSA
    SigGenPSS.rsp  RSA
    SigGenRSA.rsp  RSA
    SigGenPSS.rsp  RSA

These files are listed in the file ./fips/fips-nodiff.txt that is referenced by the fips_test_diff makefile target.
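The comparison that step 5 describes, ignoring comment and whitespace differences and skipping the files listed in fips-nodiff.txt, as an added Python example that is not part of the fipsalgtest.pl utility; the response files it compares are constructed, and the NODIFF set is assumed from the footnote above.

```python
"""Compare two trees of CAVS *.rsp files the way the fipsalgtest.pl check does.

Added example, not the project's code: comment lines (those starting with '#',
which is where the date-time label lives) and whitespace differences are
ignored, and the response files named in ./fips/fips-nodiff.txt are skipped
because their contents are never reproducible. The NODIFF set and the sample
response files below are constructed from the footnote above.
"""
import os
import tempfile

# File names assumed from the fips-nodiff.txt list quoted in the footnote.
NODIFF = {"KeyPair.rsp", "PQGGen.rsp", "SigGen.rsp",
          "SigGen15.rsp", "SigGenPSS.rsp", "SigGenRSA.rsp"}


def normalize_rsp(text):
    """Return the comparable content: comment/blank lines dropped, spacing collapsed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lines.append(" ".join(line.split()))
    return lines


def rsp_equal(expected_text, generated_text):
    return normalize_rsp(expected_text) == normalize_rsp(generated_text)


def compare_rsp_trees(ref_root, gen_root):
    """Walk ref_root and compare each *.rsp with the same relative path in gen_root.

    Returns a dict of sorted relative paths: 'mismatch' (real differences),
    'missing' (present in the reference tree only) and 'skipped' (NODIFF).
    Empty 'mismatch' and 'missing' lists mean the trees match in the sense
    used by the text above.
    """
    result = {"mismatch": [], "missing": [], "skipped": []}
    for dirpath, _dirs, files in os.walk(ref_root):
        for name in files:
            if not name.endswith(".rsp"):
                continue
            ref_path = os.path.join(dirpath, name)
            rel = os.path.relpath(ref_path, ref_root)
            if name in NODIFF:
                result["skipped"].append(rel)
                continue
            gen_path = os.path.join(gen_root, rel)
            if not os.path.isfile(gen_path):
                result["missing"].append(rel)
                continue
            with open(ref_path) as f_ref, open(gen_path) as f_gen:
                if not rsp_equal(f_ref.read(), f_gen.read()):
                    result["mismatch"].append(rel)
    for key in result:
        result[key].sort()
    return result


# Constructed sample response file (not real CAVS output).
AES_REF = """# CAVS 11.1
# Thu Mar  4 11:05:36 2004

[ENCRYPT]

COUNT = 0
KEY = 00000000000000000000000000000000
PLAINTEXT = f34481ec3cc627bacd5dc3fb08f273e6
CIPHERTEXT = 0336763e966d92595a567cc9ce537f5e
"""
# Same vectors, different timestamp comment and different spacing: must compare equal.
AES_GEN = (AES_REF.replace("Thu Mar  4 11:05:36 2004", "Fri Feb 20 12:21:24 2004")
                  .replace("KEY = ", "KEY =  "))
# A real discrepancy: the last ciphertext byte differs.
AES_BAD = AES_REF.replace("537f5e", "537f5f")


def build_sample_trees():
    """Create a reference and a generated tree under a temp dir; return both roots."""
    root = tempfile.mkdtemp(prefix="rsp-compare-")
    ref, gen = os.path.join(root, "ref"), os.path.join(root, "gen")
    layout = {
        ref: {"aes/resp/CBCGFSbox128.rsp": AES_REF,
              "aes/resp/ECBGFSbox128.rsp": AES_REF,
              "aes/resp/CBCGFSbox192.rsp": AES_REF,
              "dsa/resp/SigGen.rsp": "Y = 01\nR = 02\n"},
        gen: {"aes/resp/CBCGFSbox128.rsp": AES_GEN,       # comment/space only: match
              "aes/resp/ECBGFSbox128.rsp": AES_BAD,       # real mismatch
              "dsa/resp/SigGen.rsp": "Y = 01\nR = ff\n"},  # always differs: skipped
    }                                                     # CBCGFSbox192.rsp is missing
    for base, files in layout.items():
        for rel, text in files.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
    return ref, gen


if __name__ == "__main__":
    print(compare_rsp_trees(*build_sample_trees()))
```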

B.3 Building the Software - Windows

1. Copy the OpenSSL distribution (openssl-fips-2.0.tar.gz) to a directory on the test system. Approximately 80Mb free space is needed.

2. Perform the standard build.

    cd openssl
    ms\do_fips [no-asm]
    out32dll\fips_test_suite

...where the no-asm option may or may not be present depending on the platform.

B.4 Algorithm Tests - Windows

3. This procedure is similar to that for Linux/Unix:

    cd fips
    unzip <zipfile of test vectors>.zip -d testvectors
    perl fipsalgtest.pl --win32 --dir=testvectors
    .\fipstests.bat

There is no bundled zip/unzip command for most versions of Microsoft Windows, but many third party implementations are available, such as http://gnuwin32.sourceforge.net/packages/unzip.htm.

B.5 FIPS 140-2 Test - All Platforms

A test driver program has been provided to demonstrate both successful and failed power-up self-tests and the invocation of some basic cryptographic operations. This program was developed during the course of the FIPS 140-2 validation as an aid to the test lab evaluators. This test program, fips_test_suite, can be found in the ./test/ subdirectory. This program behaves the same for Linux/Unix and Windows; for Windows invoke it as .\fips_test_suite instead of ./fips_test_suite as shown in this example.

1. When executed with no arguments the full suite of tests is performed, producing output similar to the following:
    $ ./fips_test_suite
    FIPS-mode test application
    FIPS 2.0-dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    1. Non-Approved cryptographic operation test...
        a. Included algorithm (D-H)......successful
    POST started
    Integrity test started
    Integrity test OK
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC-SHA256 test started
    DRBG HMAC-SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Success
    2. Automatic power-up self test...successful
    3a. AES encryption/decryption...successful
    3b. AES-GCM encryption/decryption...successful
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    4. RSA key generation and encryption/decryption...successful
    5. DES-ECB encryption/decryption...successful
    Pairwise Consistency DSA test started
    Pairwise Consistency DSA test OK
    6. DSA key generation and signature validation...successful
    7a. SHA-1 hash...successful
    7b. SHA-256 hash...successful
    7c. SHA-512 hash...successful
    7d. HMAC-SHA-1 hash...successful
    7e. HMAC-SHA-224 hash...successful
    7f. HMAC-SHA-256 hash...successful
    7g. HMAC-SHA-384 hash...successful
    7h. HMAC-SHA-512 hash...successful
    8a. CMAC-AES-128 hash...successful
    8b. CMAC-AES-192 hash...successful
    8c. CMAC-AES-256 hash...successful
    8e. CMAC-TDEA-3 hash...successful
    9. Non-Approved cryptographic operation test...
        a. Included algorithm (D-H)...successful as expected
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Pairwise Consistency RSA test started
    Pairwise Consistency RSA test OK
    Generated 128 byte RSA private key
    BN key before overwriting:
    400e460169e1e37d8f415fe50c40fab493185c17e99b76e123bc0f3d7d0c8b1f42881ff7396b3e
    e388c3b973cece2d7d231109a7202016daf1e26caca9e704b9bffd9bd6151d61ab3050a82e7851
    0abf2e450a6c57e9fb7db8a837f81fc93db0c6c95d090ac6752b8ac4ee51623ffcbd270b0ed28
    1ebbe2e6a3a9d0a4012a991
    BN key after overwriting:
    668d6314da4f25ca496a6f98e2f6986437be60f2d34880e8d08060263dd10a3bde7345ef99ed0
    0e2edeedf43a1bda7053c58b6474051bbaf9c9e5bf70a488a7b94d88c67fc9e16fc9e4bb23188
    36dc47282c8e41d3c35bc400949cd2d2b5e0ee0bd84ce8dffdb02dfc6c9528d0be43b0d95fce6
    e979c561070e6da5a05b9e53e
    char buffer key before overwriting:
    4850f0a33aedd3af6e477f8302b10968
    char buffer key after overwriting:
    788fadb58c8163405e883a63550fd732
    10. Zero-ization... successful as expected
    11. Complete DRBG health check...
    DRBG AES-128-CTR DF test started
    DRBG AES-128-CTR DF test OK
    DRBG AES-192-CTR DF test started
    DRBG AES-192-CTR DF test OK
    . . . (very long list of DRBG tests) . . .
    DRBG P-521 SHA384 test started
    DRBG P-521 SHA384 test OK
    DRBG P-521 SHA512 test started
    DRBG P-521 SHA512 test OK
    successful as expected
    12. DRBG generation check...
    DRBG SHA1 test started
    DRBG SHA1 test OK
    DRBG SHA1 test started
    DRBG SHA1 test OK
    . . . (very long list of DRBG tests) . . .
    DRBG P-521 SHA512 test OK
    DRBG P-521 SHA512 test started
    DRBG P-521 SHA512 test OK
    successful as expected
    All tests completed with 0 errors

The nodh option skips the glacial and largely pointless DH test. The nodrbg option skips the slow full DRBG test. The fullpost option gives a complete POST listing instead of induced failure and unexpected errors; the output is then much more verbose as it contains every successful test too. The fullerr option is useful for code tracing: normally during the induced failure test library errors are not printed out, but with this option the error codes corresponding to each operation are displayed, showing the exact line and error code output.

2. When executed with the post command line option only module initialization will be performed:

    $ test/fips_test_suite post
    FIPS-mode test application
    FIPS 2.0-dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    POST started
    Integrity test started
    Integrity test OK
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC-SHA256 test started
    DRBG HMAC-SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Success
    Power-up self test successful
    $

Gote t!i" invocation i" u"eful for a Buic, e"ti#ation of t!e perfor#ance i#pact of #odule initialiCation. 3. o de#on"trate t!e correct functioning of t!e integrit* and K% te"t failure" a "et of corruption te"t" are run auto#aticall* w!en t!e unBualified fips_test_suite option i" "pecified. -n t!e i#ple#entation of t!e fips_algvs utilit* t!e"e te"t" are "pecified in t!e fail_list_flist "tructure and a "erie" of in8line te"t" w!ic! are traver"ed &* t!e "tatic function do_fail_all() at t!e point w!ere t!e line 13. Induced test failure check... i" printed. <ac! "pecific te"t i" preceded &* one of t!e line" Testing induced failure of XXXX Testing operation failure with XXXX and t!e conclu"ion of all t!e corruption te"t" "!ould end wit! t!e line" Induced failure test completed with 0 errors

.age 100 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

successful as expected Gote t!e u"e of t!ree "tatic varia&le" &* t!e function do_fail_all() to "pecif* t!e "pecific corruption te"t" to &e perfor#ed. !e individual te"t" in t!e order perfor#ed are( Integrity AES DES3 AES-GCM AES-CCM AES-XTS Digest HMAC CMAC DRBG X9.31 PRNG RSA DSA ECDSA ECDH RSA keygen DSA keygen ECDSA keygen DRBG CPRNG DRBG entropy CPRNG X9.31 CPRNG DRBG entropy failure !i" full "et of corruption te"t" "!ould appear a" follow"( 13. Induced test failure check... Testing induced failure of Integrity test POST started Integrity test failure induced Integrity test failed as expected POST Failed Testing induced failure of AES test POST started Cipher AES-128-ECB test failure induced Cipher AES-128-ECB test failed as expected POST Failed Testing induced failure of DES3 test

    POST started
    Cipher DES-EDE3-ECB test failure induced
    Cipher DES-EDE3-ECB test failed as expected
    POST Failed
    Testing induced failure of AES-GCM test
    POST started
    GCM test failure induced
    GCM test failed as expected
    POST Failed
    Testing induced failure of AES-CCM test
    POST started
    CCM test failure induced
    CCM test failed as expected
    POST Failed
    Testing induced failure of AES-XTS test
    POST started
    XTS AES-128-XTS test failure induced
    XTS AES-128-XTS test failed as expected
    XTS AES-256-XTS test failure induced
    XTS AES-256-XTS test failed as expected
    POST Failed
    Testing induced failure of Digest test
    POST started
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    Digest SHA1 test failure induced
    Digest SHA1 test failed as expected
    POST Failed
    Testing induced failure of HMAC test
    POST started
    HMAC SHA1 test failure induced
    HMAC SHA1 test failed as expected
    HMAC SHA224 test failure induced
    HMAC SHA224 test failed as expected
    HMAC SHA256 test failure induced
    HMAC SHA256 test failed as expected
    HMAC SHA384 test failure induced
    HMAC SHA384 test failed as expected
    HMAC SHA512 test failure induced
    HMAC SHA512 test failed as expected
    POST Failed
    Testing induced failure of CMAC test
    POST started
    CMAC AES-128-CBC test failure induced
    CMAC AES-128-CBC test failed as expected
    CMAC AES-192-CBC test failure induced
    CMAC AES-192-CBC test failed as expected
    CMAC AES-256-CBC test failure induced
    CMAC AES-256-CBC test failed as expected
    CMAC DES-EDE3-CBC test failure induced
    CMAC DES-EDE3-CBC test failed as expected
    POST Failed
    Testing induced failure of DRBG test
    POST started
    DRBG AES-256-CTR test failure induced
    DRBG AES-256-CTR DF test failed as expected
    DRBG AES-256-CTR test failure induced
    DRBG AES-256-CTR test failed as expected
    DRBG SHA256 test failure induced
    DRBG SHA256 test failed as expected
    DRBG HMAC-SHA256 test failure induced
    DRBG HMAC-SHA256 test failed as expected
    DRBG P-256 SHA256 test failure induced
    DRBG P-256 SHA256 test failed as expected
    POST Failed
    Testing induced failure of X9.31 PRNG test
    POST started
    X9.31 PRNG keylen=16 test failure induced
    X9.31 PRNG keylen=16 test failed as expected
    X9.31 PRNG keylen=24 test failure induced
    X9.31 PRNG keylen=24 test failed as expected
    X9.31 PRNG keylen=32 test failure induced
    X9.31 PRNG keylen=32 test failed as expected
    POST Failed
    Testing induced failure of RSA test
    POST started
    Signature RSA test failure induced
    Signature RSA test failed as expected
    POST Failed
    Testing induced failure of DSA test
    POST started
    Signature DSA test failure induced
    Signature DSA test failed as expected
    POST Failed
    Testing induced failure of ECDSA test
    POST started
    Signature ECDSA P-224 test failure induced
    Signature ECDSA P-224 test failed as expected
    POST Failed
    Testing induced failure of ECDH test
    POST started
    ECDH P-224 test failure induced
    ECDH P-224 test failed as expected
    POST Failed
    Testing induced failure of RSA keygen test
    POST started
    POST Success
    Pairwise Consistency RSA test failure induced
    Pairwise Consistency RSA test failed as expected
    RSA key generation failed as expected.
    Testing induced failure of DSA keygen test
    POST started
    POST Success
    Pairwise Consistency DSA test failure induced
    Pairwise Consistency DSA test failed as expected
    DSA key generation failed as expected.
    POST started
    POST Success
    Testing induced failure of ECDSA keygen test
    Pairwise Consistency ECDSA test failure induced
    Pairwise Consistency ECDSA test failed as expected
    ECDSA key generation failed as expected.
    POST started
    POST Success
    Testing induced failure of DRBG CPRNG test
    DRBG continuous PRNG failed as expected
    POST started
    POST Success
    Testing induced failure of DRBG entropy CPRNG test
    DRBG continuous PRNG entropy failed as expected
    POST started
    POST Success
    POST started
    POST Success
    Testing induced failure of X9.31 CPRNG test
    X9.31 continuous PRNG failed as expected
    POST started
    POST Success
    Testing operation failure with DRBG entropy failure
    DSA key generated OK as expected.

    DRBG entropy fail failed as expected
    DSA signing failed as expected
    ECDSA key generation failed as expected.
    Induced failure test completed with 0 errors
    successful as expected

So, the presence of the line

    Induced failure test completed with 0 errors

for the block of tests beginning with the line

    13. Induced test failure check...

is a readily observed indication that all corruption tests performed as expected.

4. To demonstrate the module authentication one of four command line options may be given to specify the password value to be passed to FIPS_module_mode_set():

    nopass     Null password
    badpass    Invalid password of sufficient length
    user       The FIPS_AUTH_CRYPTO_USER password
    officer    The FIPS_AUTH_CRYPTO_OFFICER password

If none of those command line options are given the FIPS_AUTH_CRYPTO_USER password is used. Invocation with nopass or badpass will fail:

    $ test/fips_test_suite badpass
    FIPS-mode test application
    FIPS 2.0-dev unvalidated test module xx XXX xxxx
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    ERROR:2D078097:lib=45,func=120,reason=151:file=fips.c:line=300
    Power-up self test failed
    $

and invocation with user or officer will successfully perform the POST test.
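An added Python example, not the project's code, that applies the checks just described to a captured fips_test_suite log: it confirms POST Success, that each induced-failure block reported its failure as expected, and that both zero-error summary lines are present. The log it reads is assembled from the excerpts above, and the default output format (without the fullpost option) is assumed.

```python
"""Check a captured fips_test_suite log for the outcomes the text above describes.

Added example, not the project's code. It verifies that the power-up self
test passed, that every induced-failure block under
"13. Induced test failure check..." actually reported a failure as expected,
that the block closed with "Induced failure test completed with 0 errors",
and that the run ended with "All tests completed with 0 errors". The sample
log is constructed from the excerpts above, not captured from a real run,
and the default (non-fullpost) output layout is assumed.
"""
import re

_INDUCED_HEADER = "13. Induced test failure check..."
_BLOCK_START = re.compile(r"^Testing (?:induced failure of|operation failure with) (.+)$")
_INDUCED_DONE = "Induced failure test completed with 0 errors"
_ALL_DONE = "All tests completed with 0 errors"


def check_fips_test_suite_log(text):
    """Return a summary dict; 'ok' is True only if every check passed.

    'problems' lists the reasons for a failed check, e.g. an induced-failure
    block that never printed a "failed as expected" line, which would mean
    the corruption was not detected by the module.
    """
    lines = [l.strip() for l in text.splitlines()]
    summary = {"post_success": "POST Success" in lines,
               "induced_blocks": [], "problems": [], "ok": False}

    if _INDUCED_HEADER not in lines:
        summary["problems"].append("no induced failure section")
    else:
        start = lines.index(_INDUCED_HEADER) + 1
        blocks, current, terminated = [], None, False
        # Group the lines between consecutive "Testing ..." lines into blocks.
        for line in lines[start:]:
            if line.startswith("Induced failure test completed"):
                terminated = True
                break
            m = _BLOCK_START.match(line)
            if m:
                current = (m.group(1), [])
                blocks.append(current)
            elif current is not None:
                current[1].append(line)
        if not terminated:
            summary["problems"].append("induced failure section not terminated")
        for name, body in blocks:
            summary["induced_blocks"].append(name)
            if not any(l.rstrip(".").endswith("failed as expected") for l in body):
                summary["problems"].append("no failure reported for: " + name)
            # With the default output a corrupted KAT must never report "test OK".
            if any(l.endswith(" test OK") for l in body):
                summary["problems"].append("a test passed inside induced block: " + name)

    if _INDUCED_DONE not in lines:
        summary["problems"].append("induced failure count is not 0")
    if _ALL_DONE not in lines:
        summary["problems"].append("final error count is not 0")
    if not summary["post_success"]:
        summary["problems"].append("POST did not succeed")
    summary["ok"] = not summary["problems"]
    return summary


# Constructed log excerpt assembled from the output listings above.
SAMPLE_LOG = """\
FIPS-mode test application
FIPS 2.0-dev unvalidated test module xx XXX xxxx
POST started
Integrity test started
Integrity test OK
POST Success
2. Automatic power-up self test...successful
13. Induced test failure check...
Testing induced failure of Integrity test
POST started
Integrity test failure induced
Integrity test failed as expected
POST Failed
Testing induced failure of RSA keygen test
POST started
POST Success
Pairwise Consistency RSA test failure induced
Pairwise Consistency RSA test failed as expected
RSA key generation failed as expected.
Testing operation failure with DRBG entropy failure
DSA key generated OK as expected.
DRBG entropy fail failed as expected
DSA signing failed as expected
Induced failure test completed with 0 errors
successful as expected
All tests completed with 0 errors
"""

# The same log with the Integrity corruption going undetected.
TAMPERED_LOG = SAMPLE_LOG.replace("Integrity test failed as expected\nPOST Failed",
                                  "Integrity test OK\nPOST Success")

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("tampered", TAMPERED_LOG)):
        print(name, check_fips_test_suite_log(log))
```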

B.6 Testvector Data Files and the fipsalgtest.pl Utility

The FIPS 140-2 test labs use CAVP provided Windows based software known as the "CAVS tool" to generate the test vector data files used for the algorithm tests. The algorithms desired are typically specified using forms proprietary to the specific test lab performing the testing. Non-proprietary facsimiles of those forms specifying the algorithm tests for the 2.0 module validation can be found at http://opensslfoundation.com/testing/validation-2.0/forms/.

The test lab uses the CAVS tools to generate a set of "request" files for which corresponding "response" files must be generated by the module (the IUT or Implementation Under Test). The set of request files is typically delivered in a single zip or tar file containing a directory tree with arbitrary pathnames. The only constant is the names of the actual *.rsp response files of input data. Since matching filenames up by hand quickly becomes tedious we have developed a utility, fipsalgtest.pl, that will search through a directory hierarchy and identify the relevant test vector files. For the initial validation there were 257 unique file names with 2 duplicate names, for a total of 259 files:

    Algorithm   Number of *.req files
    AES         100
    AES_GCM       6
    CCM          15
    CMAC          8
    DES           8
    DRBG          4
    DSA           5
    DSA2          5
    ECDSA         4
    ECDSA2        4
    HMAC          1
    KAS           1
    RNG           6
    RSA           9
    SHA          15
    TDES         66
    XTS           2
    Total       259

In order to facilitate the processing of test vector data a series of utilities were developed, culminating in the fipsalgtest.pl program. This program searches a target directory for the known *.rsp files and generates a script referencing the actual pathnames for those files. That script can then be executed to perform the algorithm tests that generate the *.rsp result files. The fipsalgtest.pl program reports unrecognized duplicate *.rsp files and any files that were expected but not found. Testvector data sets are generally received as *.zip files, more rarely as *.tgz. A typical pathname structure (for this validation) is as follows:
    ./OSF_2464_Template
    ./OSF_2464_Template/AES
    ./OSF_2464_Template/AES/resp
    ./OSF_2464_Template/AES/req
    ./OSF_2464_Template/AES/req/CBCGFSbox128.req
    ./OSF_2464_Template/AES/req/CFB128MMT192.req
    ./OSF_2464_Template/AES/req/CBCVarKey192.req
    ./OSF_2464_Template/AES/req/CFB1VarTxt256.req
    ./OSF_2464_Template/AES/req/CBCMMT128.req
    ./OSF_2464_Template/AES/req/CBCKeySbox256.req
    ./OSF_2464_Template/AES/req/ECBVarTxt192.req
    ./OSF_2464_Template/AES/req/CFB128VarKey256.req
    ./OSF_2464_Template/AES/req/OFBVarTxt128.req
    ./OSF_2464_Template/AES/req/CFB1MCT192.req
    ./OSF_2464_Template/AES/req/CBCVarKey128.req
    ./OSF_2464_Template/AES/req/CFB8VarTxt128.req
    ./OSF_2464_Template/AES/req/ECBMMT128.req
    ./OSF_2464_Template/AES/req/CBCGFSbox192.req
    ./OSF_2464_Template/AES/req/CFB128MCT192.req
    ./OSF_2464_Template/AES/req/OFBMCT128.req
    ./OSF_2464_Template/AES/req/CFB1GFSbox256.req
    . . .

Note directory names may contain embedded spaces. The data files will generally (though not necessarily) be carriage return-line feed delimited.

If multiple platforms are involved in a validation the test vector files for several platforms may be interspersed in the same directory tree. We have also received test vector files for a single platform in multiple different *.zip files, so the fipsalgtest.pl program must be able to filter the relevant *.rsp files out of multiple subdirectories. The following fipsalgtest.pl options can be used to accommodate various representations of test vector files:
    fipsalgtest.pl: generate run CAVP algorithm tests
    --debug                      Enable debug output
    --dir=<dirname>              Optional root for *.req file search
    --filter=<regexp>            Regex for input files of interest
    --onedir <dirname>           Assume all components in current directory
    --rspdir=<dirname>           Name of subdirectories containing *.rsp files, default "resp"
    --tprefix=<prefix>           Pathname prefix for directory containing test programs
    --ignore-bogus               Ignore duplicate or bogus files
    --ignore-missing             Ignore missing test files
    --quiet                      Shhh....
    --quiet-bogus                Skip unrecognized file warnings
    --quiet-missing              Skip missing request file warnings
    --generate                   Generate algorithm test output
    --generate-script=<filename> Generate script to call algorithm programs
    --minimal-script             Simplest possible output for --generate-script
    --win32                      Win32 environment
    --compare-all                Verify unconditionally for all tests
    --list-tests                 Show individual tests
    --mkdir=<cmd>                Specify "mkdir" command
    --notest                     Exit before running tests
    --rm=<cmd>                   Specify "rm" command
    --script-tprefix             Pathname prefix for --generate-script output
    --enable-<alg>               Enable algorithm set <alg>.
    --disable-<alg>              Disable algorithm set <alg>.
    Where <alg> can be one of:
        aes-ccm     (disabled by default)
        rand-aes    (enabled by default)
        ecdsa       (disabled by default)
        hmac        (enabled by default)
        dh          (disabled by default)
        aes-cfb1    (disabled by default)
        ecdh        (disabled by default)
        des3-cfb1   (disabled by default)
        drbg        (disabled by default)
        des3        (enabled by default)
        dsa         (enabled by default)
        dsa-pqgver  (disabled by default)
        rsa-pss0    (disabled by default)
        sha         (enabled by default)
        aes         (enabled by default)
        dsa2        (disabled by default)
        aes-gcm     (disabled by default)
        rsa-pss62   (enabled by default)
        cmac        (disabled by default)
        aes-xts     (disabled by default)
        rsa         (enabled by default)
        v2          (enabled by default)
        rand-des2   (disabled by default)

Simply run

    perl fipsalgtest.pl --dir=testvectors --generate

to generate the *.rsp files for submission to the test lab. Subsequently running fipsalgtest.pl without the --generate option will compare the generated output with the previously existing *.rsp files, and thus provides a comprehensive (though unofficial) check of the algorithm tests.

Individual algorithm tests can be selectively specified with options of the form --enable-xxx or --disable-xxx where xxx is one of the <alg> algorithm specifications. The --ignore-bogus and --ignore-missing options suppress the error exit if the target test vector directory contains more or fewer *.rsp files than expected (a not uncommon occurrence in validation testing).

For target platforms that do not support a perl interpreter, but which do provide a basic command line shell, a simple shell script can be generated, for instance:

    perl ./fips/fipsalgtest.pl --generate-script=fipstest.sh --tprefix=./test/

will create a script file fipstest.sh that successively invokes each of the algorithm test driver programs with the appropriate input and output file names:
    #!/bin/sh
    # Test vector run script
    # Auto generated by fipsalgtest.pl script
    # Do not edit
    echo Running Algorithm Tests
    RM="rm -rf";
    MKDIR="mkdir";
    TPREFIX=./test/
    echo "Running DSA tests"
    $RM "./testvectors/tv/OSF_2464_Template/DSA/resp"
    $MKDIR "./testvectors/tv/OSF_2464_Template/DSA/resp"
    echo "    running PQGGen test"
    ${TPREFIX}fips_dssvs pqg "./testvectors/tv/OSF_2464_Template/DSA/req/PQGGen.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/PQGGen.rsp"
    echo "    running KeyPair test"
    ${TPREFIX}fips_dssvs keypair "./testvectors/tv/OSF_2464_Template/DSA/req/KeyPair.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/KeyPair.rsp"
    echo "    running SigGen test"
    ${TPREFIX}fips_dssvs siggen "./testvectors/tv/OSF_2464_Template/DSA/req/SigGen.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/SigGen.rsp"
    echo "    running SigVer test"
    ${TPREFIX}fips_dssvs sigver "./testvectors/tv/OSF_2464_Template/DSA/req/SigVer.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/SigVer.rsp"
    echo "    running PQGVer test"
    ${TPREFIX}fips_dssvs pqgver "./testvectors/tv/OSF_2464_Template/DSA/req/PQGVer.req" "./testvectors/tv/OSF_2464_Template/DSA/resp/PQGVer.rsp"
    . . .

For very simple shells the --minimal-script option will omit use of the rm and mkdir commands to manage the output directories, in which case the empty req subdirectories will need to be created beforehand. To process only a subset of the test vector files, use the --filter=XXX option to recognize only certain pathnames and the --disable-all --enable-xxx options to enable processing of only the algorithm(s) in that selected set of files. For instance:

    perl ./fips/fipsalgtest.pl --generate-script=fipstestsha.sh --tprefix=./test/ --disable-all --enable-sha --dir=testvectors --filter=SHA
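What fipsalgtest.pl does for one algorithm family, reimplemented as an added Python example (not the fipsalgtest.pl code): it finds the known DSA *.req files anywhere under a root directory, reports duplicate and missing names, and writes script lines in the form shown above, deriving each *.rsp path from the req directory. The request file names and subcommands are those from the generated script above; the sample tree is constructed.

```python
"""Locate CAVS request files in an arbitrary tree and emit a fipstests.sh-style script.

Added example, not the fipsalgtest.pl code itself. It walks a directory tree
whose layout is arbitrary (directory names may contain spaces), picks out the
known *.req file names, reports duplicates and missing files, and writes the
${TPREFIX}program subcommand lines in the form shown above, with each *.rsp
path derived from the *.req path by replacing the "req" directory with
"resp". The DSA table is taken from the generated script above; the sample
tree built at the bottom is constructed.
"""
import os
import tempfile

# request file name -> (driver program, subcommand), as in the script above.
DSA_TESTS = {
    "PQGGen.req": ("fips_dssvs", "pqg"),
    "KeyPair.req": ("fips_dssvs", "keypair"),
    "SigGen.req": ("fips_dssvs", "siggen"),
    "SigVer.req": ("fips_dssvs", "sigver"),
    "PQGVer.req": ("fips_dssvs", "pqgver"),
}


def find_request_files(root, known=DSA_TESTS):
    """Return (found, duplicates, missing).

    found maps a known file name to its single path; a name seen more than
    once goes to duplicates (with all its paths) and is left out of found;
    names never seen are listed in missing.
    """
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in known:
                seen.setdefault(name, []).append(os.path.join(dirpath, name))
    found = {n: p[0] for n, p in seen.items() if len(p) == 1}
    duplicates = {n: sorted(p) for n, p in seen.items() if len(p) > 1}
    missing = sorted(n for n in known if n not in seen)
    return found, duplicates, missing


def response_path(req_path, rspdir="resp"):
    """Map .../DSA/req/PQGGen.req to .../DSA/resp/PQGGen.rsp (the --rspdir default)."""
    parent, name = os.path.split(req_path)
    grandparent, reqdir = os.path.split(parent)
    if reqdir != "req":
        raise ValueError("request file not under a 'req' directory: " + req_path)
    return os.path.join(grandparent, rspdir, name[:-4] + ".rsp")


def generate_script(found, tprefix="./test/", known=DSA_TESTS, minimal=False):
    """Build the shell script text; minimal=True drops the rm/mkdir lines."""
    lines = ["#!/bin/sh", "# Test vector run script", "TPREFIX=" + tprefix]
    if not minimal:
        lines += ['RM="rm -rf";', 'MKDIR="mkdir";']
    done_dirs = set()
    for name in known:                      # keep the table's order
        if name not in found:
            continue
        prog, sub = known[name]
        rsp = response_path(found[name])
        rspdir = os.path.dirname(rsp)
        if not minimal and rspdir not in done_dirs:
            lines += ['$RM "%s"' % rspdir, '$MKDIR "%s"' % rspdir]
            done_dirs.add(rspdir)
        lines.append('echo "    running %s test"' % name[:-4])
        lines.append('${TPREFIX}%s %s "%s" "%s"' % (prog, sub, found[name], rsp))
    return "\n".join(lines) + "\n"


def build_sample_tree():
    """Constructed tree: a directory name with spaces, one duplicate, one missing file."""
    root = tempfile.mkdtemp(prefix="tv-")
    paths = ["OSF 2464 Template/DSA/req/PQGGen.req",
             "OSF 2464 Template/DSA/req/KeyPair.req",
             "OSF 2464 Template/DSA/req/SigGen.req",
             "OSF 2464 Template/DSA/req/SigVer.req",
             "platform2/DSA/req/KeyPair.req"]       # duplicate; PQGVer.req is absent
    for rel in paths:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    found, dups, missing = find_request_files(build_sample_tree())
    print("duplicates:", dups, "missing:", missing)
    print(generate_script(found))
```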

1.# 0o+umentation
!i" "ection di"cu""ed t!e #a2or co#ponent" of t!e docu#entation "et for a F-.S 14082 validation. Finite State Aodel F-.S 14082 validation reBuire" a Finite State Aodule (FSA), "o#et!ing t!at doe"nOt #a,e #uc! "en"e for a general purpo"e cr*ptograp!ic li&rar*. !i" co"#etic reBuire#ent i" "ati"fied &* an ar&itrar* generic diagra# and po""i&l* an a""ociated li"ting or "pread"!eet of t!e "tate" and tran"ition". <ac! te"t la& will t*picall* !ave a generic te#plate or "a#ple t!at can &e u"ed. !e FSA u"ed for t!i" validation can &e found in t!e two file"( !ttp())open""lfoundation.co#)te"ting)validation82.0)doc")FSA.pdf !ttp())open""lfoundation.co#)te"ting)validation82.0)doc")FSA?#ain.pdf !e FSA doe" not contain an* infor#ation of actual tec!nical value. 3endor <vidence ;ocu#ent !e te"t la& #u"t an"wer t!e a""ertion" in t!e ;erived e"t 4eBuire#ent" (; 4) docu#ent (4eference 4). So#e la&" c!o"e to do "o &* directl* li"ting all of t!e a""ertion" wit! corre"ponding re"pon"e" in t!e order t!o"e a""ertion" appear in t!e ; 4. Ot!er" re"pond to t!e a""ertion" in anal*"i" docu#ent "tructured along #ore functional line" wit! #an* of t!e redundant an overlapping a""ertion" grouped toget!er wit! a con"olidated re"pon"e. %" wit! t!e for#al te"t report ("ee following "ection) t!e te"t la& will t*picall* want to clai# t!i" docu#ent a" proprietar*. !e relevant content of t!e anal*"i" docu#ent for t!i" validation !a" &een e9tracted a" %ppendi9 <.


Formal Test Report

The test lab submits a formal test report document to the CMVP. Test labs are uniformly adverse to releasing this document but can usually be persuaded to do so under a non-disclosure agreement (such release should be negotiated prior to executing a contract). OSF has seen some test reports but cannot publish them due to the non-disclosure restrictions. Note that those test reports would be of limited value as different test labs can take significantly different approaches to presenting the same module to the CMVP. FIPS 140-2 validation is a highly subjective process and each test lab, and even different reviewers at the CMVP, have distinctive styles. Mixing components from multiple submissions, even of exactly the same software, would result in significant discrepancies and conflicts.


Appendix C

Example OpenSSL Based Application

This example shows a simple application using OpenSSL cryptography which will qualify as FIPS 140-2 validated when built and installed in accordance with the procedures in §5. In this application all cryptography is provided through the FIPS Object Module and the FIPS mode initialization is performed via the FIPS_mode_set() call. The command generates a HMAC-SHA-1 digest of an input stream or a file, using the same arbitrary key as the OpenSSL FIPS Module file integrity check:
$ ./fips_hmac -v fips_hmac.c
FIPS mode enabled
8f2c8e4f60607613471c11287423f8429b068eb2
$
$ ./hmac < hmac.c
8f2c8e4f60607613471c11287423f8429b068eb2
$

Note this sample command is functionally equivalent to:

env OPENSSL_FIPS=1 openssl dgst -hmac etaonrishdlcupfm hmac.c

or

openssl dgst -fips-fingerprint filename.tar.gz

for an openssl command built from a FIPS capable OpenSSL distribution. The OPENSSL_FIPS=1 environment variable enables FIPS mode for an openssl command generated from a FIPS capable OpenSSL distribution.

C.1 Native Compilation of Statically Linked Program


Makefile

CC = gcc
OPENSSLDIR = /usr/local/ssl
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
CMD = fips_hmac
OBJS = $(CMD).o

$(CMD): $(OBJS)
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(OBJS) \
		$(LIBCRYPTO)

$(OBJS): $(CMD).c
	$(CC) -c $(CMD).c $(INCLUDES)

clean:
	rm $(OBJS)

Note the line

$(OPENSSLDIR)/fips/fipsld -o $(CMD) $(OBJS) ...

uses the fipsld command from the distribution source tree to perform the function of verifying the fipscanister.o digest and generating the new embedded digest in the application executable object.

Source File
/* Sample application using FIPS mode OpenSSL.

   This application will qualify as FIPS 140-2 validated when built,
   installed, and utilized as described in the "OpenSSL FIPS 140-2
   Security Policy" manual.

   This command calculates a HMAC-SHA-1 digest of a file or input data
   stream using the same arbitrary hard-coded key as the FIPS 140-2
   source file build-time integrity checks and runtime executable file
   integrity check.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>

static char label[] = "@(#)FIPS approved SHA1 HMAC";

static void dofile(FILE *fp)
{
    HMAC_CTX ctx;
    unsigned char hmac_value[EVP_MAX_MD_SIZE];
    unsigned int hmac_len, i;      /* HMAC_Final() takes an unsigned int */
    char key[] = "etaonrishdlcupfm";
    char buf[256];

    /* Initialise context */
    HMAC_CTX_init(&ctx);
    /* Set digest type and key in context */
    HMAC_Init_ex(&ctx, key, strlen(key), EVP_sha1(), NULL);

    /* Process input stream */
    while ((i = fread(buf, sizeof(char), sizeof(buf), fp)) > 0) {
        if (!HMAC_Update(&ctx, (unsigned char *)buf, i))
            exit(3);
    }
    /* Generate digest */
    if (!HMAC_Final(&ctx, hmac_value, &hmac_len))
        exit(4);
    HMAC_CTX_cleanup(&ctx);

    /* Display digest in hex */
    for (i = 0; i < hmac_len; i++)
        printf("%02x", hmac_value[i]);
    printf("\n");
    return;
}

int main(int argc, char *argv[])
{
    char *opt = NULL;
    int verbose = 0;
    int fipsmode = 1;
    FILE *fp = stdin;
    int i;

    /* Process command line arguments */
    i = 0;
    while (++i < argc) {
        opt = argv[i];
        if (!strcmp(opt, "-v"))
            verbose = 1;
        else if (!strcmp(opt, "-c"))
            fipsmode = 0;
        else if ('-' == opt[0]) {
            printf("Usage: %s <filename>\n", argv[0]);
            puts("Options:");
            puts("\t-c\tUse non-FIPS mode");
            puts("\t-v\tVerbose output");
            exit(1);
        } else
            break;
    }

    /* Enter FIPS mode by default */
    if (fipsmode) {
        if (FIPS_mode_set(1)) {
            verbose && fputs("FIPS mode enabled\n", stderr);
        } else {
            ERR_load_crypto_strings();
            ERR_print_errors_fp(stderr);
            exit(1);
        }
    }

    if (i >= argc) {
        dofile(fp);
    } else {
        while (i < argc) {
            opt = argv[i];
            if ((fp = fopen(opt, "rb")) == NULL) {
                fprintf(stderr, "Unable to open file \"%s\"\n", opt);
                exit(1);
            }
            dofile(fp);
            fclose(fp);
            i++;
        }
    }
    return 0;
}
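What fips_hmac computes can be reproduced without OpenSSL, which is useful when checking a digest printed by the sample program against an independent implementation. The following C program is an added example (it is not part of this guide, of OpenSSL, or of the validated module): a self-contained HMAC-SHA-1 per FIPS 198 / RFC 2104 with a from-scratch SHA-1, run over a constructed input with the same fixed key "etaonrishdlcupfm" used by the integrity check. The RFC 2202 test vectors verify the construction.

```c
/* Stand-alone HMAC-SHA-1 (FIPS 198 / RFC 2104) for cross-checking fips_hmac output.
 * Added example; not OpenSSL code and not part of the validated module. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t h[5];          /* chaining state */
    uint64_t total;         /* bytes absorbed so far */
    unsigned char buf[64];  /* pending partial block */
    size_t buflen;
} sha1_ctx;

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Compress one 64-byte block (FIPS 180-4, section 6.1.2) */
static void sha1_block(uint32_t h[5], const unsigned char *p)
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)p[4 * i] << 24) | ((uint32_t)p[4 * i + 1] << 16) |
               ((uint32_t)p[4 * i + 2] << 8) | p[4 * i + 3];
    for (i = 16; i < 80; i++)
        w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (i = 0; i < 80; i++) {
        uint32_t f, k, t;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

static void sha1_init(sha1_ctx *c)
{
    static const uint32_t iv[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    memcpy(c->h, iv, sizeof iv);
    c->total = 0;
    c->buflen = 0;
}

static void sha1_update(sha1_ctx *c, const void *data, size_t n)
{
    const unsigned char *p = data;
    c->total += n;
    while (n > 0) {
        size_t take = 64 - c->buflen;
        if (take > n) take = n;
        memcpy(c->buf + c->buflen, p, take);
        c->buflen += take; p += take; n -= take;
        if (c->buflen == 64) { sha1_block(c->h, c->buf); c->buflen = 0; }
    }
}

static void sha1_final(sha1_ctx *c, unsigned char out[20])
{
    uint64_t bits = c->total * 8;
    unsigned char pad[72] = { 0x80 };   /* 0x80, zeros, then 64-bit big-endian bit length */
    size_t padlen = (c->buflen < 56) ? 56 - c->buflen : 120 - c->buflen;
    int i;
    for (i = 0; i < 8; i++) pad[padlen + i] = (unsigned char)(bits >> (56 - 8 * i));
    sha1_update(c, pad, padlen + 8);
    for (i = 0; i < 5; i++) {
        out[4 * i]     = (unsigned char)(c->h[i] >> 24);
        out[4 * i + 1] = (unsigned char)(c->h[i] >> 16);
        out[4 * i + 2] = (unsigned char)(c->h[i] >> 8);
        out[4 * i + 3] = (unsigned char)c->h[i];
    }
}

/* HMAC-SHA-1: H((K ^ opad) || H((K ^ ipad) || msg)); K is zero-padded (or hashed) to 64 bytes */
void hmac_sha1(const unsigned char *key, size_t klen, const void *msg, size_t mlen, unsigned char out[20])
{
    unsigned char k[64] = { 0 }, ipad[64], opad[64], inner[20];
    sha1_ctx c;
    int i;
    if (klen > 64) { sha1_init(&c); sha1_update(&c, key, klen); sha1_final(&c, k); }
    else memcpy(k, key, klen);
    for (i = 0; i < 64; i++) { ipad[i] = k[i] ^ 0x36; opad[i] = k[i] ^ 0x5c; }
    sha1_init(&c); sha1_update(&c, ipad, 64); sha1_update(&c, msg, mlen); sha1_final(&c, inner);
    sha1_init(&c); sha1_update(&c, opad, 64); sha1_update(&c, inner, 20); sha1_final(&c, out);
}

/* Lowercase hex form, as fips_hmac prints it; hex must have room for 41 bytes */
void hmac_sha1_hex(const char *key, const void *msg, size_t mlen, char hex[41])
{
    unsigned char mac[20];
    int i;
    hmac_sha1((const unsigned char *)key, strlen(key), msg, mlen, mac);
    for (i = 0; i < 20; i++) sprintf(hex + 2 * i, "%02x", mac[i]);
}

int main(void)
{
    /* constructed input; fips_hmac prints the same value for a file with exactly this content */
    const char *text = "constructed sample input for the integrity-check HMAC\n";
    char hex[41];
    hmac_sha1_hex("etaonrishdlcupfm", text, strlen(text), hex);
    printf("%s\n", hex);
    return 0;
}
```

Feed the same bytes to fips_hmac (for example from a file) and the two hex strings must agree; a mismatch points at either the input bytes (line endings, trailing newline) or at the build of the library being checked.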

C.2 Cross-compilation of "FIPS capable" Shared OpenSSL Libraries

Here is an example of building and executing the same example program on an Android 4.0 device using a shared libcrypto library. The NDK and SDK are from the files
android-sdk_r18-linux.tgz
android-ndk-r7c-linux-x86.zip

downloaded from http://developer.android.com/sdk/index.html.


# Establish the cross-compilation environment
export ANDROID_NDK=$PWD/android-ndk-r7c
export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin:$PATH
export PATH
export MACHINE=armv7l
export RELEASE=2.6.39
export SYSTEM=android
export ARCH=arm
export CROSS_COMPILE="arm-linux-androideabi-"
export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
export HOSTCC=gcc

# Build the FIPS module
gunzip -c openssl-fips-2.0.tar.gz | tar xf -
cd openssl-fips-2.0/
./config
make
make install INSTALLTOP=$PWD/../fips
cd ..

# Build the "FIPS capable" OpenSSL
gunzip -c openssl-1.0.1c.tar.gz | tar xf -
cd openssl-1.0.1c/
./config fips shared --with-fipsdir=$PWD/../fips
make depend
make
cd ..    # back to the directory holding openssl-1.0.1c/ and android-ndk-r7c/

# Build the example program
arm-linux-androideabi-gcc -o fips_hmac fips_hmac.c \
    -Iopenssl-1.0.1c/include/ -Lopenssl-1.0.1c/ -lcrypto -Iopenssl-1.0.1c \
    -Iandroid-ndk-r7c/platforms/android-14/arch-arm/usr/include \
    -Bandroid-ndk-r7c/platforms/android-14/arch-arm/usr/lib

# Copy the program and shared library to the Android device
./android-sdk-linux/platform-tools/adb push fips_hmac /data/local/tmp/
./android-sdk-linux/platform-tools/adb push openssl-1.0.1c/libcrypto.so.1.0.0 /data/local/tmp/

# Execute the program on the Android device
./android-sdk-linux/platform-tools/adb shell
cd /data/local/tmp
LD_LIBRARY_PATH=. ./fips_hmac -v fips_hmac.c    # libcrypto.so.1.0.0 was pushed to this directory


Appendix D

FIPS API Documentation

D.1 FIPS Mode


NAME
       FIPS - NIST FIPS 140-2 Approved mode of operation

DESCRIPTION
       When built with the fips config option in accordance with some
       additional procedural requirements the OpenSSL FIPS Object Module
       can be used to satisfy requirements for FIPS 140-2 validated
       cryptography.

OVERVIEW
       The OpenSSL FIPS Object Module must be built with the fips config
       option. The application must call FIPS_mode_set() to enable FIPS
       mode.

       When in FIPS mode only the FIPS approved encryption algorithms are
       usable:
          -RSA
          -DSA
          -3DES in CBC, (CFB1), CFB8, CFB64, ECB, OFB modes
          -DH
          -AES in CBC, (CFB1), CFB8, CFB128, ECB, OFB modes with
           128/192/256 bit keys
          -SHA-1, SHA-2
          -HMAC

       Other non-FIPS approved algorithms such as Blowfish, MD5, IDEA, RC4,
       etc. are disabled in FIPS mode.

       To determine the mode of operation in a running program, an
       application can call FIPS_mode(3). A non-zero return indicates FIPS
       mode; a 0 indicates non-FIPS mode.

       If the FIPS power-up self-test fails subsequent cryptographic
       operations are disabled and the application will have to exit.

       To be considered FIPS 140-2 validated the OpenSSL FIPS Object Module
       must use the validated version of the FIPS specific OpenSSL source
       code.

       While most platforms and applications can use the OpenSSL FIPS
       Object Module to satisfy NIST requirements for FIPS 140-2 validated
       cryptography there are additional requirements beyond the call to
       FIPS_mode_set(). A more complete discussion of the OpenSSL FIPS mode
       can be found in the OpenSSL FIPS 140-2 Security Policy which can be
       found at http://csrc.nist.gov/cryptval/140-1/140sp/140sp1051.pdf.
       Information about FIPS 140 can be found at
       http://csrc.nist.gov/cryptval/.

NOTES
       3DES is also known as TDEA, or Triple Data Encryption Algorithm.

       The power-up self-test can take a significant amount of time on
       slower systems.

HISTORY
       FIPS mode support was introduced in version 0.9 of OpenSSL.

SEE ALSO
       FIPS_mode_set(3), FIPS_mode(3)

D.2 FIPS_mode_set(), FIPS_selftest()


NAME
       FIPS_mode_set, FIPS_selftest - perform FIPS power-up self-test

SYNOPSIS
       #include <openssl/crypto.h>

       int FIPS_mode_set(int ONOFF)
       int FIPS_selftest(void)

DESCRIPTION
       FIPS_mode_set() enables the FIPS mode of operation for applications
       that have complied with all the provisions of the OpenSSL FIPS 140-2
       Security Policy. Successful execution of this function call with
       non-zero ONOFF is the only way to enable FIPS mode.

       After verifying the integrity of the executable object code using
       the stored digest FIPS_mode_set() performs the power-up self-test.

       When invoked with ONOFF of zero FIPS_mode_set() exits FIPS mode.

       To determine the mode of operation in a running program, an
       application can call FIPS_mode(3). A non-zero return indicates FIPS
       mode; a 0 indicates non-FIPS mode.

       FIPS_selftest() can be called at any time to perform the FIPS
       power-up self-test.

       If the power-up self-test fails subsequent cryptographic operations
       are disabled. The only possible recovery is a successful
       re-invocation of FIPS_mode_set() which is unlikely to work unless
       the original path was incorrect.

RETURN VALUES
       A return value of 1 indicates success, 0 failure.

SEE ALSO
       FIPS_mode(3), ERR_get_error(3)

NOTES
       FIPS_mode_set() and FIPS_selftest() were formerly included with
       <openssl/fips/fips.h>.

HISTORY
       FIPS support was introduced in version 0.9 of OpenSSL.


D.3 FIPS_mode()

NAME
       FIPS_mode - returns the current FIPS mode of operation

SYNOPSIS
       #include <openssl/crypto.h>

       int FIPS_mode()

DESCRIPTION
       FIPS_mode() is used to determine the FIPS mode of operation of the
       running program.

       FIPS_mode() currently returns 1 to indicate FIPS mode. Future return
       values might include 2 to indicate exclusive use of the NSA's Suite B
       algorithms.

RETURN VALUES
       A return code of non-zero indicates FIPS mode, 0 indicates non-FIPS
       mode.

SEE ALSO
       FIPS_mode_set(3)

NOTES
       FIPS_mode() was formerly included with <openssl/fips/fips.h>.

HISTORY
       FIPS support was introduced in version 0.9 of OpenSSL.

D.4 Error Codes


In order to minimize the size of the FIPS module only numeric error codes are returned. When used in conjunction with a FIPS capable OpenSSL distribution these numeric codes will automatically be converted to the usual text format for display, but the FIPS specific standalone utilities print out numerical error codes. These can be interpreted with the openssl errstr command or by checking the source file at the referenced location:
$ ../util/shlib_wrap.sh ./fips_shatest
ERROR:2d06c071:lib=45,func=108,reason=113:file=fips.c:line=274:1,129d0
$
$ openssl errstr 2d06c071
error:2D06C071:FIPS routines:FIPS_mode_set:unsupported platform
$

These error codes are defined in the include file fips_err.h. The FIPS_mode_set() call or other function calls in FIPS mode can return any of the following errors:


Return Code: CRYPTO_R_FIPS_MODE_NOT_SUPPORTED
Meaning and Comment: "fips mode not supported". You likely linked against a non-FIPS Capable library. Ensure `config fips [options]` was executed when configuring.

Return Code: FIPS_R_CANNOT_READ_EXE
Meaning and Comment: "cannot read exe"

Return Code: FIPS_R_CANNOT_READ_EXE_DIGEST
Meaning and Comment: "cannot read exe digest"

Return Code: FIPS_R_CONTRADICTING_EVIDENCE
Meaning and Comment: "contradicting evidence"

Return Code: FIPS_R_EXE_DIGEST_DOES_NOT_MATCH
Meaning and Comment: "exe digest does not match"

Return Code: FIPS_R_FINGERPRINT_DOES_NOT_MATCH
Meaning and Comment: "fingerprint does not match". The integrity test has failed.

Return Code: FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED
Meaning and Comment: "fingerprint does not match nonpic relocated". This Microsoft Windows specific error indicates that there might be a DLL address conflict which needs to be addressed by re-basing the offending DLL.

Return Code: FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING
Meaning and Comment: "fingerprint does not match segment aliasing". This error is returned when a defective compiler has merged .rodata (read-only) and .data (writable) segments. This situation effectively degrades the read-only status of constant tables and leaves them without hardware protection, thus jeopardizing the FIPS mode of operation.

Return Code: FIPS_R_FIPS_MODE_ALREADY_SET
Meaning and Comment: "fips mode already set"

Return Code: FIPS_R_INVALID_KEY_LENGTH
Meaning and Comment: "invalid key length"

Return Code: FIPS_R_KEY_TOO_SHORT
Meaning and Comment: "key too short"

Return Code: FIPS_R_NON_FIPS_METHOD
Meaning and Comment: "non fips method". Attempted non FIPS-compliant DSA usage.

Return Code: FIPS_R_PAIRWISE_TEST_FAILED
Meaning and Comment: "pairwise test failed". One or more of the algorithm pairwise consistency tests has failed.

Return Code: FIPS_R_RSA_DECRYPT_ERROR
Meaning and Comment: "rsa decrypt error"

Return Code: FIPS_R_RSA_ENCRYPT_ERROR
Meaning and Comment: "rsa encrypt error"

Return Code: FIPS_R_SELFTEST_FAILED
Meaning and Comment: "selftest failed". One or more of the algorithm known answer tests has failed.

Return Code: FIPS_R_TEST_FAILURE
Meaning and Comment: "test failure"

Return Code: FIPS_R_UNSUPPORTED_PLATFORM
Meaning and Comment: "unsupported platform". Indicates the validity of the digest test is unknown for the current platform.
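The code printed by the standalone utilities above (ERROR:2d06c071:lib=45,func=108,reason=113) is one packed 32-bit value. The following C program is an added example, not from the guide or from OpenSSL: it unpacks such a code without linking libcrypto, so it can be applied to a bare number copied from a log. The field layout (8-bit library number, 12-bit function number, 12-bit reason number) is assumed to match what the ERR_GET_LIB(), ERR_GET_FUNC() and ERR_GET_REASON() macros in <openssl/err.h> of OpenSSL 1.0.x compute; the library number 45 and reason 113 are taken from the utility output on this page, and the names given to them here are the ones the errstr output above associates with that code.

```c
/* Unpack an OpenSSL 1.0.x packed error code (added example, not OpenSSL code).
 * Assumed layout, matching ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON in <openssl/err.h>:
 * bits 31..24 library, bits 23..12 function, bits 11..0 reason. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIPS_ERR_LIB_ID          45   /* lib=45 in the fips_shatest output above (FIPS routines) */
#define FIPS_UNSUPPORTED_PLATFORM 113 /* reason=113 in the same output (unsupported platform) */

struct err_parts { unsigned lib, func, reason; };

struct err_parts err_unpack(unsigned long code)
{
    struct err_parts p;
    p.lib    = (unsigned)((code >> 24) & 0xffUL);
    p.func   = (unsigned)((code >> 12) & 0xfffUL);
    p.reason = (unsigned)(code & 0xfffUL);
    return p;
}

/* Render the fields the way the standalone utilities do: "lib=45,func=108,reason=113" */
int err_format(unsigned long code, char *out, size_t outlen)
{
    struct err_parts p = err_unpack(code);
    return snprintf(out, outlen, "lib=%u,func=%u,reason=%u", p.lib, p.func, p.reason);
}

/* Pull the hex code out of an "ERROR:2d06c071:..." line; returns 1 on success, 0 otherwise */
int err_parse_line(const char *line, unsigned long *code)
{
    const char *p = strstr(line, "ERROR:");
    char *end;
    if (p == NULL)
        return 0;
    p += 6;
    *code = strtoul(p, &end, 16);
    return end != p && *end == ':';
}

/* True when the code is the FIPS library's "unsupported platform" error seen above */
int err_is_fips_unsupported_platform(unsigned long code)
{
    struct err_parts p = err_unpack(code);
    return p.lib == FIPS_ERR_LIB_ID && p.reason == FIPS_UNSUPPORTED_PLATFORM;
}

int main(void)
{
    /* constructed sample: the line shown earlier in this section */
    const char *line = "ERROR:2d06c071:lib=45,func=108,reason=113:file=fips.c:line=274:1,129d0";
    unsigned long code;
    char buf[64];

    if (err_parse_line(line, &code)) {
        err_format(code, buf, sizeof buf);
        printf("%08lx -> %s (%s)\n", code, buf,
               err_is_fips_unsupported_platform(code) ? "FIPS unsupported platform" : "other");
    }
    return 0;
}
```

The same arithmetic applies to the codes that FIPS_mode_set() leaves on the error queue; when only the packed number survives in a log, unpacking it gives the reason number to look up in fips_err.h.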


Appendix E

Platform Specific Notes

Note: the material present in this appendix for earlier versions of this document has been removed and relocated to http://www.openssl.com/fips/tech/.

E.1 Apple OS X Support

<TBD>


E.2 Apple iOS Support

OpenSSL fully supports building the FIPS Object Module and FIPS Capable library for iOS devices. There are five logical steps to build the OpenSSL FIPS Object Module and FIPS Capable Library for use in an Xcode/iOS project. The steps are outlined below:

1. Acquire the required files
2. Build the Incore utility
3. Build the FIPS Object Module
4. Build the FIPS Capable Library
5. Create an Xcode Project

The procedures for each logical step are detailed below. The sample Xcode project is offered at the end of the chapter.

Acquire Required Files


First, obtain the base files from http://www.openssl.org/source/:

Illustration 1: OpenSSL FIPS Sample Program

openssl-1.0.1c.tar.gz
openssl-fips-2.0.1.tar.gz

Next, acquire the auxiliary files, which can be obtained from http://openssl.com/fips/2.0/platforms/ios/:

setenv-reset.sh
setenv-darwin-i386.sh
setenv-ios-11.sh
ios-incore-2.0.1.tar.gz

In addition to the required core files listed above, http://openssl.com/fips/2.0/platforms/ios/ includes a sample program:

fips-pi.tar.gz

openssl-fips-2.0.1.tar.gz includes the FIPS Object Module.


openssl-1.0.1c.tar.gz has the FIPS Capable OpenSSL library. ios-incore-2.0.1.tar.gz contains the OS X and iOS specific Incore utility to determine the object code digest. setenv-darwin-i386.sh and setenv-ios-11.sh are used to set the proper environments for the task at hand, while setenv-reset.sh is used to reset the environment.

Note: as of this writing (January, 2013), the scripts have a PWD dependency and do not alert the user of failures such as missing or errant paths. I was not able to get hardened/updated scripts placed on web for download. Please accept my sincerest apologies (JW).

After collecting the required files, your working directory will look similar to below.

Illustration 2: Working Directory under Finder

After acquiring the files, perform the following in the working directory to remove the quarantine bit and ensure the execute bit is set:
$ xattr -r -d "com.apple.quarantine" *.tar.gz *.sh
$ chmod +x *.sh

Build the Incore Utility


The Incore utility is a native application used to embed the FIPS Object Module's fingerprint in the ARM library. Building Incore is a two step process: first, build a native version of libcrypto.a, and then build Incore using the previously built native libcrypto.a. To compile the incore_macho utility for the native platform, perform the following steps:
$ rm -rf openssl-fips-2.0.1/            (delete old artifacts)
$ tar xzf openssl-fips-2.0.1.tar.gz     (unpack fresh files)
$ tar xzf ios-incore-2.0.1.tar.gz
$ . ./setenv-reset.sh                   (note the leading dot ".")
$ . ./setenv-darwin-i386.sh             (note the leading dot ".")
$ cd openssl-fips-2.0.1/                (perform `cd` after setenv)
$ ./config                              (several screens of output)
$ make                                  (build libcrypto.a, lots of output)
$ cd iOS/                               (switch to incore's subdirectory)
$ make                                  (build incore_macho, lots of output)

Note: as of this writing (January, 2013), setenv-darwin-i386.sh could silently fail due to PWD dependencies. Please execute the `env` command and verify the paths placed in the environment by the script.

Confirm the utility works:
$ ./incore_macho
usage: ./incore_macho [--debug] [-exe|-dso] executable

If the utility does not work, delete the openssl-fips-2.0.1/ directory and start over. Once the utility has been verified on the native platform, install the incore_macho utility in a location on path, such as /usr/local/bin. The instructions below offer a second choice, and place incore_macho in your home directory.
$ mkdir "$HOME/bin"
$ cp incore_macho "$HOME/bin"
$ PATH="$HOME/bin":$PATH


Finally, delete the openssl-fips-2.0.1/ directory in preparation for the ARM build of the FIPS Capable library. This is done to keep cross contamination to a minimum since openssl-fips-2.0.1/ is essentially reused.
$ cd ..
$ rm -rf openssl-fips-2.0.1/

The instructions from this point assume the build environment has been prepared, including the creation of the incore_macho utility, as documented in the previous section, and that incore_macho is on path.

Build the FIPS Object Module


This section of the document will guide you through the creation of the FIPS Object Module. The Module is governed by the FIPS 140-2 program requirements and you cannot deviate from the Security Policy during any stage of handling, from acquisition, through building, to installation. In case of a discrepancy between this document and the Security Policy, the Security Policy will prevail.

While these commands look similar to those recently executed for the generation of the incore_macho utility, there are subtle differences. This time you are cross-compiling for an iOS device. While it is not readily apparent, the iOS tools used via the IOS_TOOLS environment variable are available from ios-incore-2.0.1.tar.gz, so you must unpack it again. The tools unpack into openssl-fips-2.0.1/.
$ rm -rf openssl-fips-2.0.1/            (delete old artifacts)
$ tar xzf openssl-fips-2.0.1.tar.gz     (unpack fresh files)
$ tar xzf ios-incore-2.0.1.tar.gz       (unpack fresh files)
$ cd openssl-fips-2.0.1/                (perform `cd` first)
$ . ../setenv-reset.sh                  (note the leading dot ".")
$ . ../setenv-ios-11.sh                 (note the leading dot ".")

$ llvm-gcc -v                           (verify expected compiler)
Using built-in specs.
Target: i686-apple-darwin10
Configured with: /private/var/tmp/llvmgcc42_Embedded/llvmgcc42_Embedded-2377~4/src/configure ...
gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2377.00)

Note: as of this writing (January, 2013), setenv-ios-11.sh could silently fail due to PWD dependencies. Please execute the `env` command and verify the paths placed in the environment by the script.

The output of interest from llvm-gcc -v is (1) llvm-gcc is on path; (2) gcc version 4.2.1; and (3) the compiler is for an embedded platform. At this point you are ready to commence the standard FIPS canister build for the target platform. Note that "fips canister" is implied, so there is no need for either ./config fipscanisterbuild or ./config fips (nor is it allowed by the Security Policy).
$ ./config                              (several screens of output)
$ make                                  (lots of output)

Confirm the binaries are for the iOS target device:


$ lipo -info ./fips/fipscanister.o
Non-fat file: ./fips/fipscanister.o is architecture: armv7

After confirming the target architecture, complete the installation procedure by performing an install:
$ sudo make install

The default installation directory is /usr/local/ssl/Release-iphoneos/. After installation, delete the openssl-fips-2.0.1/ directory since it is no longer needed:
$ rm -rf openssl-fips-2.0.1/

Recall from Section 2.4.2 Object Module (Link Time) Integrity that applications link against libcrypto.a, and not directly to fipscanister.o. You will build libcrypto.a and libssl.a next in Build the FIPS Capable Library [57].

Build the FIPS Capable Library


This section of the document will guide you through the creation of the FIPS Capable Library. The capable library is a standard OpenSSL distribution that is "FIPS Aware". The "aware" library handles all the details of operation while in FIPS mode after you successfully call FIPS_mode_set() (see D.2 FIPS_mode_set(), FIPS_selftest()). If you don't call FIPS_mode_set(), the library will still operate as expected; but it will not be using validated cryptography.

Recall the FIPS Object Module is governed by the FIPS 140-2 program requirements, and you could not deviate from the Security Policy. The FIPS Capable Library does not endure the same requirements, and you are free to modify the environment and sources within reason. To build the FIPS Capable library, you must issue ./config fips, but other options are up to you. Some suggested options for configure include:

[57] There is some hand waving here, but the details are not important at the moment for these procedures.
Option          Comment
--openssldir    Base of the OpenSSL installation. Default value is
                --openssldir=/usr/local/ssl/Release-iphoneos
--with-fipsdir  Location of fipscanister.o, if not located at
                /usr/local/ssl/Release-iphoneos/lib.
-no-sslv2       Disable SSLv2. SSLv2 is defective [58]
-no-sslv3       Disable SSLv3. SSLv3 is defective [59]
-no-comp        Disable compression independent of zlib. Compression is known to
                leak session information via CRIME attacks [60]
-no-shared      Disable shared library output. Apple only allows static linking, and
                dynamic linking is not supported on iOS.
-no-dso         Disable the OpenSSL DSO API (the library offers a shared object
                abstraction layer). iOS only uses static linking.
-no-hw          Disable hardware support.
-no-engines     Disable engine support.

To begin, clean old artifacts and set the environment for cross compilation.
$ rm -rf openssl-1.0.1c/                (delete old artifacts)
$ tar xzf openssl-1.0.1c.tar.gz         (unpack fresh files)
$ cd openssl-1.0.1c/                    (perform `cd` first)
$ . ../setenv-reset.sh                  (note the leading dot ".")
$ . ../setenv-ios-11.sh                 (note the leading dot ".")

[58] Bruce Schneier and David Wagner, Analysis of the SSL 3.0 Protocol, www.schneier.com/paper-ssl-revised.pdf
[59] Loren Weith, Differences Between SSLv2, SSLv3, and TLS, http://www.yaksman.org/~lweith/ssl.pdf
[60] Mozilla's NSS accidentally disabled compression long before CRIME attacks due to compile/link conflicts (https://bugzilla.mozilla.org/show_bug.cgi?id=500679). Mozilla's Firefox did not support compression on clients. Many other browsers, such as Android (com.android.browser), did not support compression.


Next, configure and make the FIPS Capable library, where you pick your favorite options. No options is also acceptable:
$ ./config fips <options>               (several screens of output)
$ make <options>                        (lots of output)

Confirm the binaries are for the iOS target device:


$ lipo -info ./libcrypto.a ./libssl.a
Non-fat file: ./libcrypto.a is architecture: armv7
Non-fat file: ./libssl.a is architecture: armv7

After confirming the target architecture, complete the installation procedure by performing an install:
$ sudo make install

The default installation directory is /usr/local/ssl/Release-iphoneos/. After installation, delete the openssl-1.0.1c/ directory since it is no longer needed:
$ rm -rf openssl-1.0.1c/

You might encounter issues due to the configuration options. The issues have been cleared in the version control system, but the tarballs may be dated. If so, the issues and the fixes are listed below. Recall you have latitude in changing source files because the OpenSSL FIPS Capable Library is outside the Cryptographic Module (CM) boundary.

Issue: Built-in tools not on path
Remedy: Open setenv-ios-11.sh, and change the CROSS_COMPILE variable to

CROSS_COMPILE="$CROSS_CHAIN"

Issue: No valid iOS SDK
Remedy: Open the setenv-ios-11.sh, and change the for loop to include 6.2, 6.1, and 6.0

Issue:
makedepend: warning: "armv7" cannot open
makedepend: error: ...
Remedy: Open the Makefile, and change MAKEDEPPROG=makedepend to

MAKEDEPPROG=$(CC) -M

Issue:
Undefined symbols for architecture armv7: "_ERR_load_COMP_strings"
Remedy: Open err_all.c, and delete all declarations of ERR_load_COMP_strings()


OpenSSL Xcode Application


OpenSSL offers a sample Xcode project to test your installation. The minimal project demonstrates linking against the FIPS Capable Library, enabling FIPS Mode, disabling FIPS mode, displaying the embedded and calculated fingerprint, and displaying critical values from fips_premain.c. A screen capture from the device is shown in Illustration 1: OpenSSL FIPS Sample Program.

The essence of the sample code is shown in the listing below. The code toggles FIPS mode by way of FIPS_mode() and FIPS_mode_set(); and retrieves error information via ERR_get_error(). The functions are available from <openssl/crypto.h> and <openssl/err.h> respectively. In the case of an error, error values were discussed in Appendix D FIPS API Documentation.
int mode = FIPS_mode(), ret = 0;
unsigned long err = 0;

if (mode == 0)
{
    ret = FIPS_mode_set(1 /*on*/);
    err = ERR_get_error();
}
else
{
    ret = FIPS_mode_set(0 /*off*/);
    err = ERR_get_error();
}

if (1 != ret)
    DisplayError("FIPS_mode_set failed", err);
...

After creating an Xcode project, you must add fips_premain.c to the project. Copy fips_premain.c from its location at /usr/local/ssl/Release-iphoneos/lib/ into your project's working directory. Since the file is outside the Cryptographic Module (CM) boundary, you can check it in to revision control and even modify it if desired (within reason).


Illustration 3: fips_premain.c

The Xcode Build Settings to compile an OpenSSL dependent program are discussed below. The Build Settings should be set on the Project, and not the Target (all targets inherit from the project). The sample project has screen captures of the relevant changes under Xcode in the top level settings/ directory.

Build Setting                                          Value
Architectures (ARCHS)                                  armv7 (remove armv6 and/or armv7s, unless you built for the architecture).
Valid Architectures (VALID_ARCHS)                      armv7 (remove armv6 and/or armv7s, unless you built for the architecture).
Always Search User Paths (ALWAYS_SEARCH_USER_PATHS)    Yes (due to #include <openssl/crypto.h> in non-standard location)
User Header Search Paths (USER_HEADER_SEARCH_PATHS)    /usr/local/ssl/Release-iphoneos/include/
Other Linker Flags (OTHER_LDFLAGS)                     /usr/local/ssl/Release-iphoneos/libcrypto.a (use the fully specified pathname, without -l or -L)


The final modification is a Build Phase Script on the Target (not the Project) to embed the Module's expected signature using incore_macho. The full command to embed the signature is /usr/local/bin/incore_macho -exe "$CONFIGURATION_BUILD_DIR/$EXECUTABLE_PATH".

Illustration 4: Xcode Build Phase and Incore

E.3 Windows CE Support


NOTE: This section is incomplete.

The Microsoft Windows mobile operating systems are among the most challenging platforms for the FIPS Object Module, due to the wide variation among individual system configurations.

Representative Build

These instructions are necessarily only representative of one specific configuration and may require substantial modification for specific Windows CE or EC platforms. Typically a version of Visual Studio will be used. In this representative example the following environment variables are defined in a .BAT file, setenv-wince6.bat:

@rem
@rem setenv_wince.cmd
@rem
@rem Paths for Visual Studio 2008 on command line (on 64-bit host)
@call "c:\Program Files\Microsoft Visual Studio 9.0\VC\"vcvarsall.bat
@set OSVERSION=WCE600
@set PLATFORM=MACKEREL
@set TARGETCPU=ARMV4I
@set WCECOMPAT=C:\wcecompat
@SET MACKERELSDK=C:\Program Files\Windows CE Tools\wce600\Mackerel SDK
@set PATH=%VSINSTALLDIR%\Common7\IDE;%VCINSTALLDIR%\ce\bin\x86_arm;%VCINSTALLDIR%\bin;%NASMINSTALLDIR%;%PATH%
@set INCLUDE=%MACKERELSDK%\Include\Armv4i;%VCINSTALLDIR%\ce\include;%INCLUDE%
@set LIB=%MACKERELSDK%\Lib\ARMV4I;%VCINSTALLDIR%\ce\lib\armv4i;%LIB%
@set LIBPATH=%MACKERELSDK%\Lib\ARMV4I;%VCINSTALLDIR%\ce\lib\armv4i;%LIBPATH%
@set FIPS_SHA1_PATH=perl /openssl-fips-2.0/util/fips_standalone_sha1
@set FIPS_SIG=perl /openssl-fips-2.0/util/msincore

On the Windows build system, invoke a DOS Command Prompt and in that shell enter the following:

X:\>setenv-wince6
X:\>cl
Microsoft (R) C/C++ Optimizing Compiler Version 15.00.20720 for ARM
Copyright (C) Microsoft Corporation.  All rights reserved.

usage: cl [ option... ] filename... [ /link linkoption... ]

X:\>
X:\>cd openssl-fips-2.0
X:\openssl-fips-2.0>ms\do_fips
X:\openssl-fips-2.0>nmake -f ms\cedll.mak

In either case a "Press any key to continue . . ." prompt will be seen. At this point the FIPS Object Module and fips_algvs utility program have been created.

build_algvs


General Considerations

DLLs present on CE versions prior to 6.0 take away a portion of the precious 32MB address space from all processes [61]. This means that unlike "normal" Windows, where DLL load address availability is a per-process attribute, it's a per-system attribute for CE pre-6.0. In more practical terms the determination of the load address can be dependent on the order in which processes are started. In general the static link method is preferred on CE, unless the DLL is ROM-based, and use of ce{dll}.mak instead of nt{dll}.mak. Note that the two-step link is not necessary for Windows, as use of the msincore utility after a conventional link is sufficient.

For the runtime integrity test (fingerprint verification) to succeed a binary module, either .exe or .dll, must be loaded at a predefined address or not contain any relocations. As there is virtually no control over the load address for CE, fingerprint verification in a DLL will fail. The only solution is to statically link the FIPS Object Module into an .exe executable and not as a DLL.

The build for the formally tested Win CE 5 platform used a ROM-based DLL and some flags set in Platform Builder. A normal DLL would not work as it ignored the load address and setting /FIXED stopped it loading altogether. Note the fipslink.pl utility can handle even statically linked applications.

Note that Windows and Linux cannot be compared in this context, because Linux can generate position-independent code which means we avoid any difficulties with base addresses, relocations, etc. For Windows a consistent load address is needed for the DLL. If that DLL isn't ROM-based then things like the load order can result in different addresses which will result in an invalid signature. So one (messy) solution is to set up Platform Builder to get that consistent load address: as long as it doesn't change it doesn't matter what it is. The process viewer tool can be used to check the load address. Then once a fixed address has been established it can be used to build the FIPS capable OpenSSL to embed the signature; this is the --with-baseaddr=<address> option to Configure.

$< ;LL" "teal #e#or* fro# all proce""e", "o if onl* one application need" to operate in validated #ode t!en a "taticall* lin,ed #odule i" prefera&le.
:1


Appendix F

Restrictions on the Export of Cryptography

Government restrictions and regulations on the use, acquisition, and distribution of cryptographic products are a matter of concern for some potential users.

F.1 Open Source Software

In the United States the current export regulations appear to more or less leave open source software in source code format alone, except for a reporting requirement to the Bureau of Industry and Security (BIS) of the U.S. Department of Commerce; see http://bxa.doc.gov/Encryption/pubavailencsourcecodenofify.html. When in doubt consultation with legal experts would be appropriate. An example of an E-mail message sent to comply with this reporting requirement is:
To: crypt@bis.doc.gov, enc@nsa.gov, web_site@bis.doc.gov
Subject: TSU NOTIFICATION

SUBMISSION TYPE: TSU
SUBMITTED BY: Steve Marquess
SUBMITTED FOR: OpenSSL Software Foundation, Inc.
POINT OF CONTACT: Steve Marquess
PHONE and/or FAX: 877-673-6775
MANUFACTURER: N/A
PRODUCT NAME/MODEL #: OpenSSL
ECCN: 5D002
NOTIFICATION: http://cvs.openssl.org/dir

Employee(s), subcontractor(s), and/or agent(s) of the OpenSSL Software Foundation, Inc. (OSF) are participating in the development of the freely available open source OpenSSL product by providing feedback on new releases, by requesting new features, by correspondence either to the developer and user mailing lists or directly with the product developers, and by subcontracting software development services to one or more of the OpenSSL developers. This correspondence may include suggested source code fragments or patches. All versions of any such contributions incorporated, or software implemented, in any of the OpenSSL software will be publicly accessible at http://cvs.openssl.org/dir.

-Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877-673-6775
marquess@opensslfoundation.com

Go re"pon"e wa" received (or e9pected). Ot!er lin," of intere"t( !ttp())&9a.doc.gov)<ncr*ption)$!ec,li"t-n"tr.!t#

F.2

E84port Fo)sC @ot CryptoG

For "oftware e9ported in &inar* for# t!e "ituation i" far le"" certain. %" incredi&le and un&elieva&l* oppo"ed to co##on "en"e a" it "ee#", current '.S. e9port control" appear to re"trict t!e e9port fro# t!e '.S. of "oftware product" t!at u"e t!e OpenSSL product, even if Open"SSL i" u"ed e9clu"ivel* for all cr*ptograp!ic functionalit*. Fro# w!at !a" &een rela*ed fro# "everal vendor" affected &* t!e"e e9port re"triction", e9port approval for "oftware utiliCing OpenSSL i" contingent on a nu#&er of factor" including t!e t*pe of lin,ing ("tatic &uild8ti#e lin,ing or d*na#ic run8ti#e lin,ing). Static lin,ing i" #ore de"ira&le, apparentl* "o#et!ing to do wit! t!e concept of an Fopen cr*ptograp!ic interfaceH. <videntl* a product w!ere t!e end u"er can ea"il* "u&"titute a new cr*ptograp!ic li&rar* (a newer ver"ion of OpenSSL, "a*) i" not per#i""i&le. Geedle"" to "a* t!e written regulation" and e9pert co##entar* are varied, "o advice of legal coun"el i" reco##ended. !e onl* ot!er "afe cour"e of action would &e to pa* non8'.S. citiCen" to develop t!e cr*ptograp!ic "oftware over"ea" and import it into t!e '.S., a" i#port" are not re"tricted. Foreigner" w!o &enefit financiall* fro# t!i" "ituation refer to t!e '.S. Fe9port 2o&", not cr*ptoH polic*. Lin," of intere"t( !ttp())www.a9"#it!.co#)<ncr*ption?Law.!t# !ttp())li&rar*.findlaw.co#)2000)Jan)1)120443.!t#l !ttp())cr*pto#e.org)&9a8&ern"tein.!t#


Appendix G

Security Policy Errata

The formal Security Policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf) is a controlled document and so, as with the validated software proper, cannot readily be changed. This section lists known errors in that document.

Table 2: The operating system for platform 9 is listed as "Android 2.2". That device was the Motorola Xoom running Android 3.0, the earliest version of Android that device shipped with. During the period the validation was in process that version of Android on that device was superseded by Android 4.0, which was tested as platform 39, so platform 9 is of academic interest only (note that platform 9 essentially duplicates platform 2). The error was reported to the test lab even prior to the formal validation award, but since correction of errors in completed validations is difficult we elected not to press the issue.


Appendix H

DTR Analysis

[TBD]


Appendix I

API Entry Points by Source File

The API entry points in the Module are listed here, organized by source file. FIPS 140-2 requires that logical interfaces be identified as one of "data input", "data output", "control input", or "status output". Functions with multiple arguments and the C language argument passing mechanism do not naturally match these categories, especially where pointers to structures are used. This table designates each function as primarily serving one of the four purposes, with the individual arguments also designated as input, output, or both.

The function names are in bold. Input arguments are highlighted in grey and listed with a right pointing arrow (->). Output arguments are listed with a left pointing arrow (<-). Pointer arguments referencing structures containing both input and output data elements are listed with a double arrow (<->). The function return value is denoted in the list of arguments as "Return".

Note that many of these Module API function calls are rarely if ever referenced directly by applications; instead they are referenced from the separate OpenSSL product by a non-cryptographic abstraction layer such as the EVP interface (see Reference 11). Some external symbols defined in the Module but not intended for reference by calling applications are omitted. Also note that the API as documented below may vary slightly by platform due to the use of assembly language optimizations.

Some general notes:

The POST code is contained in the ./fips/ subdirectory, beginning with the FIPS_module_mode_set() function in ./fips/fips.c and leading directly to functions defined in ./fips/fips_post.c.

The best way to trace each of the algorithm implementations is from the respective algorithm test drivers, as they start with the CAVS test vector request file data and make the appropriate API calls to perform the algorithm processing. Those are found in the ./fips/???/ directories, for "???" the algorithm, and are also symlinked from the ./test/ subdirectory:

test/fips_aesavs.c -> ../fips/aes/fips_aesavs.c
test/fips_cmactest.c -> ../fips/cmac/fips_cmactest.c
test/fips_desmovs.c -> ../fips/des/fips_desmovs.c
test/fips_dhvs.c -> ../fips/dh/fips_dhvs.c
test/fips_drbgvs.c -> ../fips/rand/fips_drbgvs.c
test/fips_dsatest.c -> ../fips/dsa/fips_dsatest.c
test/fips_dssvs.c -> ../fips/dsa/fips_dssvs.c
test/fips_ecdhvs.c -> ../fips/ecdh/fips_ecdhvs.c
test/fips_ecdsavs.c -> ../fips/ecdsa/fips_ecdsavs.c


test/fips_gcmtest.c -> ../fips/aes/fips_gcmtest.c
test/fips_hmactest.c -> ../fips/hmac/fips_hmactest.c
test/fips_randtest.c -> ../fips/rand/fips_randtest.c
test/fips_rngvs.c -> ../fips/rand/fips_rngvs.c
test/fips_rsagtest.c -> ../fips/rsa/fips_rsagtest.c
test/fips_rsastest.c -> ../fips/rsa/fips_rsastest.c
test/fips_rsavtest.c -> ../fips/rsa/fips_rsavtest.c
test/fips_shatest.c -> ../fips/sha/fips_shatest.c

Note the algorithm test drivers themselves are not part of the FIPS module.

Symbol renaming: Some symbol names as defined in the source code are dynamically redefined at build time. This API documentation shows both the original (source code) and build time (object code) symbol names, for instance:

FIPS_bn_bn2bin (renames BN_bn2bin) in file ./crypto/bn/bn_lib.[o|c]

which indicates that the FIPS_bn_bn2bin() function as seen in the compiled code (./crypto/bn/bn_lib.o) is found in the source code as function BN_bn2bin() in source file ./crypto/bn/bn_lib.c. Some functions are not renamed, for instance:

FIPS_module_mode_set in file ./fips/fips.[o|c]

indicates that FIPS_module_mode_set() is defined in ./fips/fips.c and ./fips/fips.o with the same symbol name. Likewise,

FIPS_add_lock (reimplements CRYPTO_add_lock) in file ./fips/utl/fips_lck.[o|c]

indicates that FIPS_add_lock() is defined by that name in both ./fips/utl/fips_lck.o and ./fips/utl/fips_lck.c; the "reimplements" notation refers to the redefinition of this FIPS module specific function to replace a similar known function from the original OpenSSL distribution from which the FIPS module was derived.

This list was produced by the api_list.pl tool in the ./fips/tools/ subdirectory of the source code distribution, using supporting files also in that directory:

api_fns.pm        a perl module for api_list.pl
declarations.dat  a file of information about public fips symbols


!i" utilit* atte#pt" to 1direction of u"e1 for eac! function para#eter, i.e. w!et!er t!at para#eter i" referenced a" input, a" output, or &ot!. !at deter#ination i" far fro# clear in "o#e ca"e", a" for "o#e t*pe" of para#eter" t!ere i" no clear an"wer 88 con"ider for in"tance a pointer to a "tructure containing a call&ac, to a function t!at i" onl* called a" an e9ception. -n an* event t!at infor#ation i" "tored in t!e file declarations.dat and can &e #anuall* corrected &* replacing t!e value for t!e ,e* OdirectionO w!ere t!e value contain" a Bue"tion #ar,. !o"e value" can &e c!anged a" appropriate, to one of( <-> <-> output input both

and t!e #anuall* c!anged value" will &e pre"erved in t!e declarations.dat file. !e api_list.pl utilit* !a" no co##and line option" and i" invo,ed fro# t!e root of t!e "ource code wor, area( perl fips/tools/api_list.pl > <outfile> !e 5 AL for#atted content" of t!e output file can &e lig!tl* edited for inclu"ion in docu#ent" "uc! a" t!i" one. !i" following li"t "!ow" t!e function" in alp!a&etical order &* t!e runti#e "*#&ol na#e.
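The entry layout used in the list that follows (a header line, a prototype, and one arrow per argument) can be checked mechanically before hand-corrected directions are trusted. The parser and consistency checker below is an added example, not part of the OpenSSL distribution or of the api_list.pl tool; the embedded sample text is constructed from entries on this page plus one hypothetical entry, FIPS_hypothetical_bad, written with deliberate inconsistencies so that the checks have something to report.

```python
"""Parse API listing entries laid out as in this appendix and check each entry's
direction annotations against its C prototype.  Added example; SAMPLE copies
entries from this page except FIPS_hypothetical_bad, which is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(?P<runtime>\w+)"
    r"(?: \((?P<relation>renames|reimplements) (?P<source>\w+)\))?"
    r" in file (?P<file>\S+)$")
# __owur is OpenSSL's warn-unused-result attribute, not part of the return type.
# Ordinary prototypes only: functions that return a function pointer are not handled.
PROTO_RE = re.compile(r"^(?:__owur\s+)?(?P<ret>.+?)\s*(?P<name>FIPS_\w+)\((?P<params>.*)\)$")
DIR_RE = re.compile(r"(<->|<-|->)\s+([^\s,]+)")

SAMPLE = """\
FIPS_bn_bin2bn (renames BN_bin2bn) in file ./crypto/bn/bn_lib.[o|c]
  BIGNUM *FIPS_bn_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
    -> s, -> len, <-> ret, <- Return
FIPS_add_lock (reimplements CRYPTO_add_lock) in file ./fips/utl/fips_lck.[o|c]
  int FIPS_add_lock(int *pointer, int amount, int type, const char *file, int line)
    <- pointer, -> amount, -> type, -> file, -> line, <- Return
FIPS_crypto_set_id_callback (renames CRYPTO_set_id_callback) in file ./crypto/thr_id.[o|c]
  void FIPS_crypto_set_id_callback(unsigned long (*func)(void))
    <-> func
FIPS_hypothetical_bad in file ./fips/hypothetical.[o|c]
  int FIPS_hypothetical_bad(const BIGNUM *a, int n, BN_CTX *ctx)
    <- a, -> n
"""

@dataclass
class Entry:
    runtime: str                 # symbol name in the object code
    relation: Optional[str]      # "renames", "reimplements" or None
    source: Optional[str]        # original OpenSSL symbol, if any
    file: str
    ret_type: str = ""
    params: List[Tuple[str, str]] = field(default_factory=list)  # (type, name)
    directions: Dict[str, str] = field(default_factory=dict)      # name -> arrow

def split_top_level(s: str) -> List[str]:
    """Split on commas outside parentheses so function-pointer parameters stay whole."""
    parts, depth, cur = [], 0, ""
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts, cur = parts + [cur.strip()], ""
        else:
            cur += ch
    return parts + [cur.strip()] if cur.strip() else parts

def parse_param(p: str) -> Tuple[str, str]:
    if p == "...":
        return ("", "...")
    fp = re.search(r"\(\s*\*+\s*(\w+)\s*\)", p)   # e.g. size_t (*get_entropy)(...)
    if fp:
        return (p, fp.group(1))
    m = re.match(r"^(?P<type>.*?[\s*])(?P<name>\w+)$", p)
    if not m:
        raise ValueError("unparsable parameter: " + p)
    return (m["type"].strip(), m["name"])

def parse_listing(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        h = HEADER_RE.match(line)
        if h:
            entries.append(Entry(h["runtime"], h["relation"], h["source"], h["file"]))
            continue
        cur = entries[-1]          # IndexError if text precedes the first header
        pr = PROTO_RE.match(line)
        if pr and pr["name"] == cur.runtime:
            cur.ret_type = pr["ret"].strip()
            cur.params = [parse_param(p) for p in split_top_level(pr["params"])]
        else:
            for arrow, name in DIR_RE.findall(line):
                cur.directions[name] = arrow
    return entries

def check_entry(e: Entry) -> List[str]:
    """Checks a reviewer of declarations.dat would want before trusting an entry."""
    names = [n for _, n in e.params]
    issues = [f"{e.runtime}: parameter {n} has no direction annotation"
              for n in names if n not in e.directions]
    issues += [f"{e.runtime}: annotation for unknown parameter {n}"
               for n in e.directions if n != "Return" and n not in names]
    if (e.ret_type == "void") == ("Return" in e.directions):
        issues.append(f"{e.runtime}: Return annotation does not match return type {e.ret_type!r}")
    for t, n in e.params:
        if e.directions.get(n) in ("<-", "<->"):   # an output must be writable memory
            if re.match(r"const\b", t):
                issues.append(f"{e.runtime}: const parameter {n} annotated as output")
            if "*" not in t:
                issues.append(f"{e.runtime}: non-pointer parameter {n} cannot be an output")
    return issues

def source_names(entries: List[Entry]) -> Dict[str, str]:
    """Runtime symbol -> symbol to look for in the source tree."""
    return {e.runtime: e.source if e.relation == "renames" else e.runtime for e in entries}
```

Running `check_entry` over every entry of a full listing gives a review queue for the question-marked directions in declarations.dat; `source_names` gives the symbol to grep for in the source tree for each renamed entry.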

FIPS_add_error_data (reimplements ERR_add_error_data) in file ./fips/utl/fips_err.[o|c]
  void FIPS_add_error_data(int num, ...)
    -> num, -> ...

FIPS_add_lock (reimplements CRYPTO_add_lock) in file ./fips/utl/fips_lck.[o|c]
  int FIPS_add_lock(int *pointer, int amount, int type, const char *file, int line)
    <- pointer, -> amount, -> type, -> file, -> line, <- Return


FIPS_bn_bin2bn (renames BN_bin2bn) in file ./crypto/bn/bn_lib.[o|c]
  BIGNUM *FIPS_bn_bin2bn(const unsigned char *s, int len, BIGNUM *ret)
    -> s, -> len, <-> ret, <- Return

FIPS_bn_bn2bin (renames BN_bn2bin) in file ./crypto/bn/bn_lib.[o|c]
  int FIPS_bn_bn2bin(const BIGNUM *a, unsigned char *to)
    -> a, <- to, <- Return

FIPS_bn_clear (renames BN_clear) in file ./crypto/bn/bn_lib.[o|c]
  void FIPS_bn_clear(BIGNUM *a)
    <-> a

FIPS_bn_clear_free (renames BN_clear_free) in file ./crypto/bn/bn_lib.[o|c]
  void FIPS_bn_clear_free(BIGNUM *a)
    <-> a

FIPS_bn_free (renames BN_free) in file ./crypto/bn/bn_lib.[o|c]
  void FIPS_bn_free(BIGNUM *a)
    <-> a

FIPS_bn_generate_prime_ex (renames BN_generate_prime_ex) in file ./crypto/bn/bn_prime.[o|c]
  int FIPS_bn_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb)
    <-> ret, -> bits, -> safe, -> add, -> rem, <-> cb, <- Return

FIPS_bn_get_word (renames BN_get_word) in file ./crypto/bn/bn_lib.[o|c]
  BN_ULONG FIPS_bn_get_word(const BIGNUM *a)
    -> a, <- Return

FIPS_bn_is_bit_set (renames BN_is_bit_set) in file ./crypto/bn/bn_lib.[o|c]
  int FIPS_bn_is_bit_set(const BIGNUM *a, int n)
    -> a, -> n, <- Return

FIPS_bn_is_prime_ex (renames BN_is_prime_ex) in file ./crypto/bn/bn_prime.[o|c]
  int FIPS_bn_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb)
    -> p, -> nchecks, <- ctx, <-> cb, <- Return

FIPS_bn_is_prime_fasttest_ex (renames BN_is_prime_fasttest_ex) in file ./crypto/bn/bn_prime.[o|c]
  int FIPS_bn_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb)
    -> p, -> nchecks, <- ctx, -> do_trial_division, <-> cb, <- Return


FIPS_bn_new (renames BN_new) in file ./crypto/bn/bn_lib.[o|c]
  BIGNUM *FIPS_bn_new()
    <- Return

FIPS_bn_num_bits (renames BN_num_bits) in file ./crypto/bn/bn_lib.[o|c]
  int FIPS_bn_num_bits(const BIGNUM *a)
    -> a, <- Return

FIPS_bn_num_bits_word (renames BN_num_bits_word) in file ./crypto/bn/bn_lib.[o|c]
  int FIPS_bn_num_bits_word(BN_ULONG l)
    -> l, <- Return

FIPS_bn_pseudo_rand (renames BN_pseudo_rand) in file ./crypto/bn/bn_rand.[o|c]
  int FIPS_bn_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom)
    <-> rnd, -> bits, -> top, -> bottom, <- Return

FIPS_bn_pseudo_rand_range (renames BN_pseudo_rand_range) in file ./crypto/bn/bn_rand.[o|c]
  int FIPS_bn_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range)
    <-> rnd, -> range, <- Return

FIPS_bn_rand (renames BN_rand) in file ./crypto/bn/bn_rand.[o|c]
  int FIPS_bn_rand(BIGNUM *rnd, int bits, int top, int bottom)
    <-> rnd, -> bits, -> top, -> bottom, <- Return

FIPS_bn_rand_range (renames BN_rand_range) in file ./crypto/bn/bn_rand.[o|c]
  int FIPS_bn_rand_range(BIGNUM *rnd, const BIGNUM *range)
    <-> rnd, -> range, <- Return

FIPS_bn_set_bit (renames BN_set_bit) in file ./crypto/bn/bn_lib.[o|c]
  int FIPS_bn_set_bit(BIGNUM *a, int n)
    <-> a, -> n, <- Return

FIPS_bn_x931_derive_prime_ex (renames BN_X931_derive_prime_ex) in file ./crypto/bn/bn_x931p.[o|c]
  int FIPS_bn_x931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb)
    <-> p, <-> p1, <-> p2, -> Xp, -> Xp1, -> Xp2, -> e, <- ctx, <-> cb, <- Return

FIPS_bn_x931_generate_prime_ex (renames BN_X931_generate_prime_ex) in file ./crypto/bn/bn_x931p.[o|c]
  int FIPS_bn_x931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1, BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb)
    <-> p, <-> p1, <-> p2, <-> Xp1, <-> Xp2, -> Xp, -> e, <- ctx, <-> cb, <- Return

FIPS_bn_x931_generate_xpq (renames BN_X931_generate_Xpq) in file ./crypto/bn/bn_x931p.[o|c]
  int FIPS_bn_x931_generate_xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
    <-> Xp, <-> Xq, -> nbits, <- ctx, <- Return

FIPS_check_incore_fingerprint in file ./fips/fips.[o|c]
  int FIPS_check_incore_fingerprint()
    <- Return

FIPS_cipher (reimplements EVP_Cipher) in file ./fips/utl/fips_enc.[o|c]
  __owur int FIPS_cipher(EVP_CIPHER_CTX *c, unsigned char *out, const unsigned char *in, unsigned int inl)
    <- c, <- out, -> in, -> inl, <- Return


FIPS_cipher_ctx_cleanup (reimplements EVP_CIPHER_CTX_cleanup) in file ./fips/utl/fips_enc.[o|c]
  int FIPS_cipher_ctx_cleanup(EVP_CIPHER_CTX *a)
    <- a, <- Return

FIPS_cipher_ctx_copy (reimplements EVP_CIPHER_CTX_copy) in file ./fips/utl/fips_enc.[o|c]
  int FIPS_cipher_ctx_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in)
    <- out, -> in, <- Return

FIPS_cipher_ctx_ctrl (reimplements EVP_CIPHER_CTX_ctrl) in file ./fips/utl/fips_enc.[o|c]
  int FIPS_cipher_ctx_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
    <- ctx, -> type, -> arg, <-> ptr, <- Return

FIPS_cipher_ctx_free (reimplements EVP_CIPHER_CTX_free) in file ./fips/utl/fips_enc.[o|c]
  void FIPS_cipher_ctx_free(EVP_CIPHER_CTX *a)
    <- a

FIPS_cipher_ctx_init (reimplements EVP_CIPHER_CTX_init) in file ./fips/utl/fips_enc.[o|c]
  void FIPS_cipher_ctx_init(EVP_CIPHER_CTX *a)
    <- a

FIPS_cipher_ctx_new (reimplements EVP_CIPHER_CTX_new) in file ./fips/utl/fips_enc.[o|c]
  EVP_CIPHER_CTX *FIPS_cipher_ctx_new()
    <- Return


F-.S?cip!er?ct9?"et?,e*?lengt! (rei#ple#ent" <3.?$-.5<4?$ L?"et?,e*?lengt!) in file .)fip")utl)fip"?enc.Yo`cZ int FIPSDcipherDctEDsetD*e&Dlen'th(<3.?$-.5<4?$ L a9, int ,e*len) ]8 9 8^ ,e*len ]8 4eturn F-.S?cip!erinit (rei#ple#ent" <3.?$ip!er-nit) in file .)fip")utl)fip"?enc.Yo`cZ ??owur int FIPSDcipherinit(<3.?$-.5<4?$ L act9, con"t <3.?$-.5<4 acip!er, con"t un"igned c!ar a,e*, con"t un"igned c!ar aiv, int enc) ]8 ct9 8^ cip!er 8^ ,e* 8^ iv 8^ enc ]8 4eturn F-.S?c#ac?ct9?cleanup (rena#e" $A%$?$ L?cleanup) in file .)cr*pto)c#ac)c#ac.Yo`cZ void FIPSDcm(cDctEDcle(nup($A%$?$ L act9) ]8 ct9 F-.S?c#ac?ct9?cop* (rena#e" $A%$?$ L?cop*) in file .)cr*pto)c#ac)c#ac.Yo`cZ int FIPSDcm(cDctEDcop&($A%$?$ L aout, con"t $A%$?$ L ain) ]8 out 8^ in ]8 4eturn F-.S?c#ac?ct9?free (rena#e" $A%$?$ L?free) in file .)cr*pto)c#ac)c#ac.Yo`cZ void FIPSDcm(cDctEDfree($A%$?$ L act9) ]8 ct9 F-.S?c#ac?ct9?get0?cip!er?ct9 (rena#e" $A%$?$ L?get0?cip!er?ct9) in file .)cr*pto)c#ac)c#ac.Yo`cZ

.age 14@ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

<3.?$-.5<4?$ L aFIPSDcm(cDctED'et0DcipherDctE($A%$?$ L act9) ]8 ct9 ]8 4eturn F-.S?c#ac?ct9?new (rena#e" $A%$?$ L?new) in file .)cr*pto)c#ac)c#ac.Yo`cZ $A%$?$ L aFIPSDcm(cDctEDne0() ]8 4eturn F-.S?c#ac?final (rena#e" $A%$?Final) in file .)cr*pto)c#ac)c#ac.Yo`cZ int FIPSDcm(cDfin(l($A%$?$ L act9, un"igned c!ar aout, "iCe?t apoutlen) ]8 ct9 ]8 out ]8 poutlen ]8 4eturn F-.S?c#ac?init (rena#e" $A%$?-nit) in file .)cr*pto)c#ac)c#ac.Yo`cZ int FIPSDcm(cDinit($A%$?$ L act9, con"t void a,e*, "iCe?t ,e*len, con"t <3.?$-.5<4 acip!er, <G>-G< ai#pl) ]8 ct9 8^ ,e* 8^ ,e*len 8^ cip!er ]8^ i#pl ]8 4eturn F-.S?c#ac?re"u#e (rena#e" $A%$?re"u#e) in file .)cr*pto)c#ac)c#ac.Yo`cZ int FIPSDcm(cDresume($A%$?$ L act9) ]8 ct9 ]8 4eturn F-.S?c#ac?update (rena#e" $A%$?'pdate) in file .)cr*pto)c#ac)c#ac.Yo`cZ int FIPSDcm(cDupd(te($A%$?$ L act9, con"t void adata, "iCe?t dlen)

.age 140 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

]8 8^ 8^ ]8

ct9 data dlen 4eturn

FIPS_crypto_get_id_callback (renames CRYPTO_get_id_callback) in file ./crypto/thr_id.[o|c]
  unsigned long (*FIPS_crypto_get_id_callback())(void)
    <- Return

FIPS_crypto_set_id_callback (renames CRYPTO_set_id_callback) in file ./cryp to/thr_id.[o|c]
  void FIPS_crypto_set_id_callback(unsigned long (*func)(void))
    <-> func

FIPS_crypto_thread_id (renames CRYPTO_thread_id) in file ./crypto/thr_id.[o|c]
  unsigned long FIPS_crypto_thread_id()
    <- Return

FIPS_crypto_threadid_get_callback (renames CRYPTO_THREADID_get_callback) in file ./crypto/thr_id.[o|c]
  void (*FIPS_crypto_threadid_get_callback())(CRYPTO_THREADID *)
    <- Return

FIPS_crypto_threadid_hash (renames CRYPTO_THREADID_hash) in file ./crypto/thr_id.[o|c]
  unsigned long FIPS_crypto_threadid_hash(const CRYPTO_THREADID *id)
    -> id, <- Return

FIPS_crypto_threadid_set_callback (renames CRYPTO_THREADID_set_callback) in file ./crypto/thr_id.[o|c]
  int FIPS_crypto_threadid_set_callback(void (*threadid_func)(CRYPTO_THREADID *))
    <-> threadid_func, <- Return

F-.S?cr*pto?t!readid?"et?nu#eric (rena#e" $4I. O? 54<%;-;?"et?nu#eric) in file .)cr*pto)t!r?id.Yo`cZ void FIPSDcr&ptoDthre(didDsetDnumeric($4I. O? 54<%;-; aid, un"igned long val) ]8^ id 8^ val F-.S?cr*pto?t!readid?"et?pointer (rena#e" $4I. O? 54<%;-;?"et?pointer) in file .)cr*pto)t!r?id.Yo`cZ void FIPSDcr&ptoDthre(didDsetDpointer($4I. O? 54<%;-; aid, void aptr) ]8^ id ]8^ ptr F-.S?de"?c!ec,?,e*?parit* (rena#e" ;<S?c!ec,?,e*?parit*) in file .)cr*pto)de")"et?,e*.Yo`cZ int FIPSDdesDchec*D*e&Dp(rit&(con"t?;<S?c&loc, a,e*) 8^ ,e* ]8 4eturn F-.S?d!?c!ec, (rena#e" ;5?c!ec,) in file .)cr*pto)d!)d!?c!ec,.Yo`cZ int FIPSDdhDchec*(con"t ;5 ad!, int acode") 8^ d! ]8 code" ]8 4eturn F-.S?d!?c!ec,?pu&?,e* (rena#e" ;5?c!ec,?pu&?,e*) in file .)cr*pto)d!)d!?c!ec,.Yo`cZ int FIPSDdhDchec*DpubD*e&(con"t ;5 ad!, con"t =->G'A apu&?,e*, int acode") 8^ d! 8^ pu&?,e* ]8 code" ]8 4eturn


FIPS_dh_compute_key (renames DH_compute_key) in file ./crypto/dh/dh_key.[o|c]
  int FIPS_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
    <- key, -> pub_key, <-> dh, <- Return

FIPS_dh_compute_key_padded (renames DH_compute_key_padded) in file ./crypto/dh/dh_key.[o|c]
  int FIPS_dh_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
    <- key, -> pub_key, <-> dh, <- Return

FIPS_dh_free in file ./fips/dh/fips_dh_lib.[o|c]
  void FIPS_dh_free(DH *dh)
    <-> dh

FIPS_dh_generate_key (renames DH_generate_key) in file ./crypto/dh/dh_key.[o|c]
  int FIPS_dh_generate_key(DH *dh)
    <-> dh, <- Return

FIPS_dh_generate_parameters_ex (renames DH_generate_parameters_ex) in file ./crypto/dh/dh_gen.[o|c]
  int FIPS_dh_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb)
    <-> dh, -> prime_len, -> generator, <-> cb, <- Return


FIPS_dh_new in file ./fips/dh/fips_dh_lib.[o|c]
  DH *FIPS_dh_new()
    <- Return

FIPS_dh_openssl (renames DH_OpenSSL) in file ./crypto/dh/dh_key.[o|c]
  const DH_METHOD *FIPS_dh_openssl()
    <- Return

FIPS_digest (reimplements EVP_Digest) in file ./fips/utl/fips_md.[o|c]
  __owur int FIPS_digest(const void *data, size_t count, unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl)
    -> data, -> count, <- md, <- size, -> type, <-> impl, <- Return

FIPS_digestfinal (reimplements EVP_DigestFinal_ex) in file ./fips/utl/fips_md.[o|c]
  __owur int FIPS_digestfinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
    <- ctx, <- md, <- s, <- Return

FIPS_digestinit (reimplements EVP_DigestInit) in file ./fips/utl/fips_md.[o|c]
  __owur int FIPS_digestinit(EVP_MD_CTX *ctx, const EVP_MD *type)
    <- ctx, -> type, <- Return


F-.S?dige"tupdate (rei#ple#ent" <3.?;ige"t'pdate) in file .)fip")utl)fip"?#d.Yo`cZ ??owur int FIPSDdi'estupd(te(<3.?A;?$ L act9, con"t void ad, "iCe?t cnt) ]8 ct9 8^ d 8^ cnt ]8 4eturn F-.S?dr&g?free in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void FIPSDdrb'Dfree(;4=>?$ L adct9) ]8 dct9 F-.S?dr&g?generate in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'D'ener(te(;4=>?$ L adct9, un"igned c!ar aout, "iCe?t outlen, int prediction?re"i"tance, con"t un"igned c!ar aadin, "iCe?t adinlen) ]8 dct9 ]8 out 8^ outlen 8^ prediction?re"i"tance 8^ adin 8^ adinlen ]8 4eturn F-.S?dr&g?get?app?data in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void aFIPSDdrb'D'etD(ppDd(t((;4=>?$ L act9) ]8 ct9 ]8 4eturn F-.S?dr&g?get?&loc,lengt! in file .)fip")rand)fip"?dr&g?li&.Yo`cZ "iCe?t FIPSDdrb'D'etDbloc*len'th(;4=>?$ L adct9) ]8 dct9 ]8 4eturn


F-.S?dr&g?get?"trengt! in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'D'etDstren'th(;4=>?$ L adct9) ]8 dct9 ]8 4eturn F-.S?dr&g?!ealt!?c!ec, in file .)fip")rand)fip"?dr&g?"elfte"t.Yo`cZ int FIPSDdrb'Dhe(lthDchec*(;4=>?$ L adct9) ]8 dct9 ]8 4eturn F-.S?dr&g?init in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'Dinit(;4=>?$ L adct9, int t*pe, un"igned int flag") ]8 dct9 8^ t*pe 8^ flag" ]8 4eturn F-.S?dr&g?in"tantiate in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'Dinst(nti(te(;4=>?$ L adct9, con"t un"igned c!ar aper", "iCe?t per"len) ]8 dct9 8^ per" 8^ per"len ]8 4eturn F-.S?dr&g?#et!od in file .)fip")rand)fip"?dr&g?rand.Yo`cZ con"t 4%G;?A< 5O; aFIPSDdrb'Dmethod() ]8 4eturn F-.S?dr&g?new in file .)fip")rand)fip"?dr&g?li&.Yo`cZ ;4=>?$ L aFIPSDdrb'Dne0(int t*pe, un"igned int flag") 8^ t*pe

.age 154 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

flag" 4eturn

F-.S?dr&g?re"eed in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'Dreseed(;4=>?$ L adct9, con"t un"igned c!ar aadin, "iCe?t adinlen) ]8 dct9 8^ adin 8^ adinlen ]8 4eturn F-.S?dr&g?"et?app?data in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void FIPSDdrb'DsetD(ppDd(t((;4=>?$ L act9, void aapp?data) ]8 ct9 ]8^ app?data F-.S?dr&g?"et?call&ac," in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'DsetDc(llb(c*s(;4=>?$ L adct9, "iCe?t (aget?entrop*)(;4=>?$ L act9, un"igned c!ar aapout, int entrop*, "iCe?t #in?len, "iCe?t #a9?len), void (acleanup?entrop*) (;4=>?$ L act9, un"igned c!ar aout, "iCe?t olen), "iCe?t entrop*?&loc,len, "iCe?t (aget?nonce) (;4=>?$ L act9, un"igned c!ar aapout, int entrop*, "iCe?t #in?len, "iCe?t #a9?len), void (acleanup?nonce)(;4=>?$ L act9, un"igned c!ar aout, "iCe?t olen)) ]8 dct9 ]8 get?entrop* ]8 cleanup?entrop* 8^ entrop*?&loc,len ]8 get?nonce ]8 cleanup?nonce ]8 4eturn F-.S?dr&g?"et?c!ec,?interval in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void FIPSDdrb'DsetDchec*Dinterv(l(;4=>?$ L adct9, int interval) ]8 dct9 8^ interval


F-.S?dr&g?"et?rand?call&ac," in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'DsetDr(ndDc(llb(c*s(;4=>?$ L adct9, "iCe?t (aget?adin)(;4=>?$ L act9, un"igned c!ar aapout), void (acleanup?adin)(;4=>?$ L act9, un"igned c!ar aout, "iCe?t olen), int (arand?"eed?c&)(;4=>?$ L act9, con"t void a&uf, int nu#), int (arand?add?c&)(;4=>?$ L act9, con"t void a&uf, int nu#, dou&le entrop*)) ]8 dct9 ]8 get?adin ]8 cleanup?adin 8^ rand?"eed?c& 8^ rand?add?c& ]8 4eturn F-.S?dr&g?"et?re"eed?interval in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void FIPSDdrb'DsetDreseedDinterv(l(;4=>?$ L adct9, int interval) ]8 dct9 8^ interval F-.S?dr&g?"tic, in file .)fip")rand)fip"?dr&g?li&.Yo`cZ void FIPSDdrb'Dstic*(int onoff) 8^ onoff F-.S?dr&g?unin"tantiate in file .)fip")rand)fip"?dr&g?li&.Yo`cZ int FIPSDdrb'Duninst(nti(te(;4=>?$ L adct9) ]8 dct9 ]8 4eturn F-.S?d"a?free in file .)fip")d"a)fip"?d"a?li&.Yo`cZ void FIPSDds(Dfree(;S% ar) ]8^ r F-.S?d"a?generate?,e* (rena#e" ;S%?generate?,e*) in file .)cr*pto)d"a)d"a?,e*.Yo`cZ int FIPSDds(D'ener(teD*e&(;S% aa)

.age 15: of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

]8^ ]8

a 4eturn

F-.S?d"a?generate?para#eter"?e9 (rena#e" ;S%?generate?para#eter"?e9) in file .)cr*pto)d"a)d"a?gen.Yo`cZ int FIPSDds(D'ener(teDp(r(metersDeE(;S% ad"a, int &it", con"t un"igned c!ar a"eed, int "eed?len, int acounter?ret, un"igned long a!?ret, =G?><G$= ac&) ]8^ d"a 8^ &it" 8^ "eed 8^ "eed?len ]8 counter?ret ]8^ !?ret ]8^ c& ]8 4eturn F-.S?d"a?new in file .)fip")d"a)fip"?d"a?li&.Yo`cZ ;S% a FIPSDds(Dne0() ]8 4eturn F-.S?d"a?open""l (rena#e" ;S%?OpenSSL) in file .)cr*pto)d"a)d"a?o""l.Yo`cZ con"t ;S%?A< 5O; aFIPSDds(Dopenssl() ]8 4eturn F-.S?d"a?"ig?free (rei#ple#ent" ;S%?S->?free) in file .)fip")d"a)fip"?d"a?li&.Yo`cZ void FIPSDds(Dsi'Dfree(;S%?S-> aa) ]8^ a F-.S?d"a?"ig?new (rei#ple#ent" ;S%?S->?new) in file .)fip")d"a)fip"?d"a?li&.Yo`cZ ;S%?S-> a FIPSDds(Dsi'Dne0() ]8 4eturn


F-.S?d"a?"ign in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ ;S%?S-> a FIPSDds(Dsi'n(;S% ad"a, con"t un"igned c!ar a#"g, "iCe?t #"glen, con"t <3.?A; a#!a"!) ]8^ d"a 8^ #"g 8^ #"glen 8^ #!a"! ]8 4eturn F-.S?d"a?"ign?ct9 in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ ;S%?S-> a FIPSDds(Dsi'nDctE(;S% ad"a, <3.?A;?$ L act9) ]8^ d"a ]8 ct9 ]8 4eturn F-.S?d"a?"ign?dige"t in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ ;S%?S-> a FIPSDds(Dsi'nDdi'est(;S% ad"a, con"t un"igned c!ar adig, int dlen) ]8^ d"a 8^ dig 8^ dlen ]8 4eturn F-.S?d"a?verif* in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ int FIPSDds(Dverif&(;S% ad"a, con"t un"igned c!ar a#"g, "iCe?t #"glen, con"t <3.?A; a#!a"!, ;S%?S-> a") ]8^ d"a 8^ #"g 8^ #"glen 8^ #!a"! ]8^ " ]8 4eturn F-.S?d"a?verif*?ct9 in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ int FIPSDds(Dverif&DctE(;S% ad"a, <3.?A;?$ L act9, ;S%?S-> a")

.age 150 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

]8^ ]8 ]8^ ]8

d"a ct9 " 4eturn

F-.S?d"a?verif*?dige"t in file .)fip")d"a)fip"?d"a?"ign.Yo`cZ int FIPSDds(Dverif&Ddi'est(;S% ad"a, con"t un"igned c!ar adig, int dlen, ;S%?S-> a") ]8^ d"a 8^ dig 8^ dlen ]8^ " ]8 4eturn F-.S?ec?get?&uiltin?curve" (rena#e" <$?get?&uiltin?curve") in file .)cr*pto)ec)ec?curve.Yo`cZ "iCe?t FIPSDecD'etDbuiltinDcurves(<$?&uiltin?curve ar, "iCe?t nite#") ]8^ r 8^ nite#" ]8 4eturn F-.S?ec?group?clear?free (rena#e" <$?>4O'.?clear?free) in file .)cr*pto)ec)ec?li&.Yo`cZ void FIPSDecD'roupDcle(rDfree(<$?>4O'. agroup) ]8^ group F-.S?ec?group?get0?generator (rena#e" <$?>4O'.?get0?generator) in file .)cr*pto)ec)ec?li&.Yo` cZ con"t <$?.O-G aFIPSDecD'roupD'et0D'ener(tor(con"t <$?>4O'. agroup) 8^ group ]8 4eturn F-.S?ec?group?get0?"eed (rena#e" <$?>4O'.?get0?"eed) in file .)cr*pto)ec)ec?li&.Yo`cZ un"igned c!ar aFIPSDecD'roupD'et0Dseed(con"t <$?>4O'. a9) 8^ 9 ]8 4eturn


F-.S?ec?group?get?a"n1?flag (rena#e" <$?>4O'.?get?a"n1?flag) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecD'roupD'etD(sn"Dfl('(con"t <$?>4O'. agroup) 8^ group ]8 4eturn F-.S?ec?group?get?cofactor (rena#e" <$?>4O'.?get?cofactor) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecD'roupD'etDcof(ctor(con"t <$?>4O'. agroup, =->G'A acofactor, =G?$ L act9) 8^ group ]8^ cofactor ]8 ct9 ]8 4eturn F-.S?ec?group?get?curve?gf2# (rena#e" <$?>4O'.?get?curve?>F2#) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecD'roupD'etDcurveD'f2m(con"t <$?>4O'. agroup, =->G'A ap, =->G'A aa, =->G'A a&, =G?$ L act9) 8^ group ]8^ p ]8^ a ]8^ & ]8 ct9 ]8 4eturn F-.S?ec?group?get?curve?gfp (rena#e" <$?>4O'.?get?curve?>Fp) in file .)cr*pto)ec)ec?li&.Yo` cZ int FIPSDecD'roupD'etDcurveD'fp(con"t <$?>4O'. agroup, =->G'A ap, =->G'A aa, =->G'A a&, =G?$ L act9) 8^ group ]8^ p ]8^ a ]8^ & ]8 ct9 ]8 4eturn


FIPS_ec_group_get_curve_name (renames EC_GROUP_get_curve_name) in file ./crypto/ec/ec_lib.[o|c]
  int FIPS_ec_group_get_curve_name(const EC_GROUP *group)
    -> group, <- Return

FIPS_ec_group_get_degree (renames EC_GROUP_get_degree) in file ./crypto/ec/ec_lib.[o|c]
  int FIPS_ec_group_get_degree(const EC_GROUP *group)
    -> group, <- Return

FIPS_ec_group_get_order (renames EC_GROUP_get_order) in file ./crypto/ec/ec_lib.[o|c]
  int FIPS_ec_group_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx)
    -> group, <-> order, <- ctx, <- Return

FIPS_ec_group_method_of (renames EC_GROUP_method_of) in file ./crypto/ec/ec_lib.[o|c]
  const EC_METHOD *FIPS_ec_group_method_of(const EC_GROUP *group)
    -> group, <- Return

FIPS_ec_group_new (renames EC_GROUP_new) in file ./crypto/ec/ec_lib.[o|c]
  EC_GROUP *FIPS_ec_group_new(const EC_METHOD *meth)
    -> meth, <- Return

FIPS_ec_group_new_by_curve_name (renames EC_GROUP_new_by_curve_name) in file ./crypto/ec/ec_curve.[o|c]
  EC_GROUP *FIPS_ec_group_new_by_curve_name(int nid)
    -> nid, <- Return

FIPS_ec_group_new_curve_gf2m (renames EC_GROUP_new_curve_GF2m) in file ./crypto/ec/ec_cvt.[o|c]
  EC_GROUP *FIPS_ec_group_new_curve_gf2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
    -> p, -> a, -> b, <- ctx, <- Return

FIPS_ec_group_new_curve_gfp (renames EC_GROUP_new_curve_GFp) in file ./crypto/ec/ec_cvt.[o|c]
  EC_GROUP *FIPS_ec_group_new_curve_gfp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
    -> p, -> a, -> b, <- ctx, <- Return

FIPS_ec_group_precompute_mult (renames EC_GROUP_precompute_mult) in file ./crypto/ec/ec_lib.[o|c]
  int FIPS_ec_group_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
    <-> group, <- ctx, <- Return

FIPS_ec_group_set_asn1_flag (renames EC_GROUP_set_asn1_flag) in file ./crypto/ec/ec_lib.[o|c]
  void FIPS_ec_group_set_asn1_flag(EC_GROUP *group, int flag)
    <-> group, -> flag


F-.S?ec?group?"et?curve?gf2# (rena#e" <$?>4O'.?"et?curve?>F2#) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecD'roupDsetDcurveD'f2m(<$?>4O'. agroup, con"t =->G'A ap, con"t =->G'A aa, con"t =->G'A a&, =G?$ L act9) ]8^ group 8^ p 8^ a 8^ & ]8 ct9 ]8 4eturn F-.S?ec?group?"et?curve?gfp (rena#e" <$?>4O'.?"et?curve?>Fp) in file .)cr*pto)ec)ec?li&.Yo` cZ int FIPSDecD'roupDsetDcurveD'fp(<$?>4O'. agroup, con"t =->G'A ap, con"t =->G'A aa, con"t =->G'A a&, =G?$ L act9) ]8^ group 8^ p 8^ a 8^ & ]8 ct9 ]8 4eturn F-.S?ec?group?"et?curve?na#e (rena#e" <$?>4O'.?"et?curve?na#e) in file .)cr*pto)ec)ec?li&. Yo`cZ void FIPSDecD'roupDsetDcurveDn(me(<$?>4O'. agroup, int nid) ]8^ group 8^ nid F-.S?ec?group?"et?generator (rena#e" <$?>4O'.?"et?generator) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecD'roupDsetD'ener(tor(<$?>4O'. agroup, con"t <$?.O-G agenerator, con"t =->G'A aorder, con"t =->G'A acofactor) ]8^ group 8^ generator 8^ order 8^ cofactor ]8 4eturn

.age 1:3 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ec?group?"et?point?conver"ion?for# (rena#e" <$?>4O'.?"et?point?conver"ion?for#) in file .)cr*pto)ec)ec?li&.Yo`cZ void FIPSDecD'roupDsetDpointDconversionDform(<$?>4O'. agroup, point?conver"ion?for#?t for#) ]8^ group 8^ for# F-.S?ec?,e*?c!ec,?,e* (rena#e" <$?K<I?c!ec,?,e*) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&Dchec*D*e&(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?clear?flag" (rena#e" <$?K<I?clear?flag") in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&Dcle(rDfl('s(<$?K<I a,e*, int flag") ]8^ ,e* 8^ flag" F-.S?ec?,e*?cop* (rena#e" <$?K<I?cop*) in file .)cr*pto)ec)ec?,e*.Yo`cZ <$?K<I aFIPSDecD*e&Dcop&(<$?K<I ad"t, con"t <$?K<I a"rc) ]8^ d"t 8^ "rc ]8 4eturn F-.S?ec?,e*?dup (rena#e" <$?K<I?dup) in file .)cr*pto)ec)ec?,e*.Yo`cZ <$?K<I aFIPSDecD*e&Ddup(con"t <$?K<I a"rc) 8^ "rc ]8 4eturn F-.S?ec?,e*?free (rena#e" <$?K<I?free) in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&Dfree(<$?K<I a,e*) ]8^ ,e*

.age 1:4 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ec?,e*?generate?,e* (rena#e" <$?K<I?generate?,e*) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&D'ener(teD*e&(<$?K<I a,e*) ]8^ ,e* ]8 4eturn F-.S?ec?,e*?get0?group (rena#e" <$?K<I?get0?group) in file .)cr*pto)ec)ec?,e*.Yo`cZ con"t <$?>4O'. aFIPSDecD*e&D'et0D'roup(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?get0?private?,e* (rena#e" <$?K<I?get0?private?,e*) in file .)cr*pto)ec)ec?,e*.Yo` cZ con"t =->G'A aFIPSDecD*e&D'et0Dpriv(teD*e&(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?get0?pu&lic?,e* (rena#e" <$?K<I?get0?pu&lic?,e*) in file .)cr*pto)ec)ec?,e*.Yo` cZ con"t <$?.O-G aFIPSDecD*e&D'et0DpublicD*e&(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?get?conv?for# (rena#e" <$?K<I?get?conv?for#) in file .)cr*pto)ec)ec?,e*.Yo`cZ point?conver"ion?for#?t FIPSDecD*e&D'etDconvDform(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?get?enc?flag" (rena#e" <$?K<I?get?enc?flag") in file .)cr*pto)ec)ec?,e*.Yo`cZ un"igned FIPSDecD*e&D'etDencDfl('s(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn

.age 1:5 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ec?,e*?get?flag" (rena#e" <$?K<I?get?flag") in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&D'etDfl('s(con"t <$?K<I a,e*) 8^ ,e* ]8 4eturn F-.S?ec?,e*?get?,e*?#et!od?data (rena#e" <$?K<I?get?,e*?#et!od?data) in file .)cr*pto)ec)ec?,e*.Yo`cZ void aFIPSDecD*e&D'etD*e&DmethodDd(t((<$?K<I a,e*, void a(adup?func)(void a), void (afree?func)(void a), void (aclear?free?func)(void a)) ]8^ ,e* ]8^ dup?func ]8^ free?func ]8^ clear?free?func ]8 4eturn F-.S?ec?,e*?in"ert?,e*?#et!od?data (rena#e" <$?K<I?in"ert?,e*?#et!od?data) in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&DinsertD*e&DmethodDd(t((<$?K<I a,e*, void adata, void a(adup?func)(void a), void (afree?func)(void a), void (aclear?free?func)(void a)) ]8^ ,e* ]8^ data ]8^ dup?func ]8^ free?func ]8^ clear?free?func F-.S?ec?,e*?new (rena#e" <$?K<I?new) in file .)cr*pto)ec)ec?,e*.Yo`cZ <$?K<I aFIPSDecD*e&Dne0() ]8 4eturn F-.S?ec?,e*?new?&*?curve?na#e (rena#e" <$?K<I?new?&*?curve?na#e) in file .)cr*pto)ec)ec?,e*.Yo`cZ <$?K<I aFIPSDecD*e&Dne0Db&DcurveDn(me(int nid) 8^ nid ]8 4eturn

.age 1:: of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ec?,e*?preco#pute?#ult (rena#e" <$?K<I?preco#pute?#ult) in file .)cr*pto)ec)ec?,e*. Yo`cZ int FIPSDecD*e&DprecomputeDmult(<$?K<I a,e*, =G?$ L act9) ]8^ ,e* ]8 ct9 ]8 4eturn F-.S?ec?,e*?"et?a"n1?flag (rena#e" <$?K<I?"et?a"n1?flag) in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&DsetD(sn"Dfl('(<$?K<I aec,e*, int a"n1?flag) ]8^ ec,e* 8^ a"n1?flag F-.S?ec?,e*?"et?conv?for# (rena#e" <$?K<I?"et?conv?for#) in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&DsetDconvDform(<$?K<I aec,e*, point?conver"ion?for#?t cfor#) ]8^ ec,e* 8^ cfor# F-.S?ec?,e*?"et?enc?flag" (rena#e" <$?K<I?"et?enc?flag") in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&DsetDencDfl('s(<$?K<I aec,e*, un"igned int flag") ]8^ ec,e* 8^ flag" F-.S?ec?,e*?"et?flag" (rena#e" <$?K<I?"et?flag") in file .)cr*pto)ec)ec?,e*.Yo`cZ void FIPSDecD*e&DsetDfl('s(<$?K<I a,e*, int flag") ]8^ ,e* 8^ flag" F-.S?ec?,e*?"et?group (rena#e" <$?K<I?"et?group) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&DsetD'roup(<$?K<I a,e*, con"t <$?>4O'. agroup) ]8^ ,e*

.age 1:@ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

group 4eturn

F-.S?ec?,e*?"et?private?,e* (rena#e" <$?K<I?"et?private?,e*) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&DsetDpriv(teD*e&(<$?K<I a,e*, con"t =->G'A aprv) ]8^ ,e* 8^ prv ]8 4eturn F-.S?ec?,e*?"et?pu&lic?,e* (rena#e" <$?K<I?"et?pu&lic?,e*) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&DsetDpublicD*e&(<$?K<I a,e*, con"t <$?.O-G apu&) ]8^ ,e* 8^ pu& ]8 4eturn F-.S?ec?,e*?"et?pu&lic?,e*?affine?coordinate" (rena#e" <$?K<I?"et?pu&lic?,e*?affine?coordinate") in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&DsetDpublicD*e&D(ffineDcoordin(tes(<$?K<I a,e*, =->G'A a9, =->G'A a*) ]8^ ,e* ]8^ 9 ]8^ * ]8 4eturn F-.S?ec?,e*?up?ref (rena#e" <$?K<I?up?ref) in file .)cr*pto)ec)ec?,e*.Yo`cZ int FIPSDecD*e&DupDref(<$?K<I a,e*) ]8^ ,e* ]8 4eturn F-.S?ec?#et!od?get?field?t*pe (rena#e" <$?A< 5O;?get?field?t*pe) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDmethodD'etDfieldDt&pe(con"t <$?A< 5O; a#et!)

.age 1:0 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

#et! 4eturn

F-.S?ec?point?clear?free (rena#e" <$?.O-G ?clear?free) in file .)cr*pto)ec)ec?li&.Yo`cZ void FIPSDecDpointDcle(rDfree(<$?.O-G apoint) ]8^ point F-.S?ec?point?free (rena#e" <$?.O-G ?free) in file .)cr*pto)ec)ec?li&.Yo`cZ void FIPSDecDpointDfree(<$?.O-G apoint) ]8^ point F-.S?ec?point?get?affine?coordinate"?gf2# (rena#e" <$?.O-G ?get?affine?coordinate"?>F2#) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointD'etD(ffineDcoordin(tesD'f2m(con"t <$?>4O'. agroup, con"t <$?.O-G ap, =->G'A a9, =->G'A a*, =G?$ L act9) 8^ group 8^ p ]8^ 9 ]8^ * ]8 ct9 ]8 4eturn F-.S?ec?point?get?affine?coordinate"?gfp (rena#e" <$?.O-G ?get?affine?coordinate"?>Fp) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointD'etD(ffineDcoordin(tesD'fp(con"t <$?>4O'. agroup, con"t <$?.O-G ap, =->G'A a9, =->G'A a*, =G?$ L act9) 8^ group 8^ p ]8^ 9 ]8^ * ]8 ct9 ]8 4eturn

.age 1:/ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ec?point?get?2pro2ective?coordinate"?gfp (rena#e" <$?.O-G ?get?Jpro2ective?coordinate"?>Fp) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointD'etDjprojectiveDcoordin(tesD'fp(con"t <$?>4O'. agroup, con"t <$?.O-G ap, =->G'A a9, =->G'A a*, =->G'A aC, =G?$ L act9) 8^ group 8^ p ]8^ 9 ]8^ * ]8^ C ]8 ct9 ]8 4eturn F-.S?ec?point?i"?at?infinit* (rena#e" <$?.O-G ?i"?at?infinit*) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointDisD(tDinfinit&(con"t <$?>4O'. agroup, con"t <$?.O-G ap) 8^ group 8^ p ]8 4eturn F-.S?ec?point?i"?on?curve (rena#e" <$?.O-G ?i"?on?curve) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointDisDonDcurve(con"t <$?>4O'. agroup, con"t <$?.O-G apoint, =G?$ L act9) 8^ group 8^ point ]8 ct9 ]8 4eturn F-.S?ec?point?#a,e?affine (rena#e" <$?.O-G ?#a,e?affine) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointDm(*eD(ffine(con"t <$?>4O'. agroup, <$?.O-G apoint, =G?$ L act9) 8^ group ]8^ point ]8 ct9 ]8 4eturn F-.S?ec?point?#et!od?of (rena#e" <$?.O-G ?#et!od?of) in file .)cr*pto)ec)ec?li&.Yo`cZ

.age 1@0 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <$?A< 5O; aFIPSDecDpointDmethodDof(con"t <$?.O-G apoint) 8^ point ]8 4eturn F-.S?ec?point?#ul (rena#e" <$?.O-G ?#ul) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointDmul(con"t <$?>4O'. agroup, <$?.O-G ar, con"t =->G'A an, con"t <$?.O-G aB, con"t =->G'A a#, =G?$ L act9) 8^ group ]8^ r 8^ n 8^ B 8^ # ]8 ct9 ]8 4eturn F-.S?ec?point?new (rena#e" <$?.O-G ?new) in file .)cr*pto)ec)ec?li&.Yo`cZ <$?.O-G aFIPSDecDpointDne0(con"t <$?>4O'. agroup) 8^ group ]8 4eturn F-.S?ec?point?"et?to?infinit* (rena#e" <$?.O-G ?"et?to?infinit*) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointDsetDtoDinfinit&(con"t <$?>4O'. agroup, <$?.O-G apoint) 8^ group ]8^ point ]8 4eturn F-.S?ec?point"?#a,e?affine (rena#e" <$?.O-G "?#a,e?affine) in file .)cr*pto)ec)ec?li&.Yo`cZ int FIPSDecDpointsDm(*eD(ffine(con"t <$?>4O'. agroup, "iCe?t nu#, <$?.O-G apoint", =G?$ L act9) 8^ group 8^ nu# ]8^ point" ]8 ct9 ]8 4eturn

.age 1@1 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ecd!?co#pute?,e* (rena#e" <$;5?co#pute?,e*) in file .)cr*pto)ecd!)ec!?,e*.Yo`cZ int FIPSDecdhDcomputeD*e&(void aout, "iCe?t outlen, con"t <$?.O-G apu&?,e*, <$?K<I aecd!, void a(aK;F)(con"t void ain, "iCe?t inlen, void aout, "iCe?t aoutlen)) ]8^ out 8^ outlen 8^ pu&?,e* ]8^ ecd! 8^ K;F ]8 4eturn F-.S?ecd!?open""l (rena#e" <$;5?OpenSSL) in file .)cr*pto)ecd!)ec!?o""l.Yo`cZ con"t <$;5?A< 5O; aFIPSDecdhDopenssl() ]8 4eturn F-.S?ecd"a?open""l (rena#e" <$;S%?OpenSSL) in file .)cr*pto)ecd"a)ec"?o""l.Yo`cZ con"t <$;S%?A< 5O; aFIPSDecds(Dopenssl() ]8 4eturn F-.S?ecd"a?"ig?free (rei#ple#ent" <$;S%?S->?free) in file .)fip")ecd"a)fip"?ecd"a?li&.Yo`cZ void FIPSDecds(Dsi'Dfree(<$;S%?S-> a"ig) ]8^ "ig F-.S?ecd"a?"ig?new (rei#ple#ent" <$;S%?S->?new) in file .)fip")ecd"a)fip"?ecd"a?li&.Yo`cZ <$;S%?S-> aFIPSDecds(Dsi'Dne0() ]8 4eturn F-.S?ecd"a?"ign in file .)fip")ecd"a)fip"?ecd"a?"ign.Yo`cZ <$;S%?S-> a FIPSDecds(Dsi'n(<$?K<I a,e*, con"t un"igned c!ar a#"g, "iCe?t #"glen, con"t <3.?A; a#!a"!) ]8^ ,e* 8^ #"g 8^ #"glen

.age 1@2 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

#!a"! 4eturn

F-.S?ecd"a?"ign?ct9 in file .)fip")ecd"a)fip"?ecd"a?"ign.Yo`cZ <$;S%?S-> a FIPSDecds(Dsi'nDctE(<$?K<I a,e*, <3.?A;?$ L act9) ]8^ ,e* ]8 ct9 ]8 4eturn F-.S?ecd"a?"ign?dige"t in file .)cr*pto)ecd"a)ec"?o""l.Yo`cZ <$;S%?S-> a FIPSDecds(Dsi'nDdi'est(<$?K<I a,e*, con"t un"igned c!ar adig, int dlen) ]8^ ,e* 8^ dig 8^ dlen ]8 4eturn F-.S?ecd"a?verif* in file .)fip")ecd"a)fip"?ecd"a?"ign.Yo`cZ int FIPSDecds(Dverif&(<$?K<I a,e*, con"t un"igned c!ar a#"g, "iCe?t #"glen, con"t <3.?A; a#!a"!, <$;S%?S-> a") ]8^ ,e* 8^ #"g 8^ #"glen 8^ #!a"! ]8^ " ]8 4eturn F-.S?ecd"a?verif*?ct9 in file .)fip")ecd"a)fip"?ecd"a?"ign.Yo`cZ int FIPSDecds(Dverif&DctE(<$?K<I a,e*, <3.?A;?$ L act9, <$;S%?S-> a") ]8^ ,e* ]8 ct9 ]8^ " ]8 4eturn

.age 1@3 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?ecd"a?verif*?dige"t in file .)cr*pto)ecd"a)ec"?o""l.Yo`cZ int FIPSDecds(Dverif&Ddi'est(<$?K<I a,e*, con"t un"igned c!ar adig, int dlen, <$;S%?S-> a") ]8^ ,e* 8^ dig 8^ dlen ]8^ " ]8 4eturn F-.S?evp?ae"?120?c&c (rena#e" <3.?ae"?120?c&c) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dcbc() ]8 4eturn F-.S?evp?ae"?120?cc# (rena#e" <3.?ae"?120?cc#) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dccm() ]8 4eturn F-.S?evp?ae"?120?cf&1 (rena#e" <3.?ae"?120?cf&1) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dcfb"() ]8 4eturn F-.S?evp?ae"?120?cf&120 (rena#e" <3.?ae"?120?cf&120) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dcfb"22() ]8 4eturn F-.S?evp?ae"?120?cf&0 (rena#e" <3.?ae"?120?cf&0) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dcfb2() ]8 4eturn F-.S?evp?ae"?120?ctr (rena#e" <3.?ae"?120?ctr) in file .)cr*pto)evp)e?ae".Yo`cZ

.age 1@4 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dctr() ]8 4eturn F-.S?evp?ae"?120?ec& (rena#e" <3.?ae"?120?ec&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Decb() ]8 4eturn F-.S?evp?ae"?120?gc# (rena#e" <3.?ae"?120?gc#) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22D'cm() ]8 4eturn F-.S?evp?ae"?120?of& (rena#e" <3.?ae"?120?of&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22Dofb() ]8 4eturn F-.S?evp?ae"?120?9t" (rena#e" <3.?ae"?120?9t") in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD"22DEts() ]8 4eturn F-.S?evp?ae"?1/2?c&c (rena#e" <3.?ae"?1/2?c&c) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dcbc() ]8 4eturn F-.S?evp?ae"?1/2?cc# (rena#e" <3.?ae"?1/2?cc#) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dccm() ]8 4eturn F-.S?evp?ae"?1/2?cf&1 (rena#e" <3.?ae"?1/2?cf&1) in file .)cr*pto)evp)e?ae".Yo`cZ

.age 1@5 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dcfb"() ]8 4eturn F-.S?evp?ae"?1/2?cf&120 (rena#e" <3.?ae"?1/2?cf&120) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dcfb"22() ]8 4eturn F-.S?evp?ae"?1/2?cf&0 (rena#e" <3.?ae"?1/2?cf&0) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dcfb2() ]8 4eturn F-.S?evp?ae"?1/2?ctr (rena#e" <3.?ae"?1/2?ctr) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dctr() ]8 4eturn F-.S?evp?ae"?1/2?ec& (rena#e" <3.?ae"?1/2?ec&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Decb() ]8 4eturn F-.S?evp?ae"?1/2?gc# (rena#e" <3.?ae"?1/2?gc#) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2D'cm() ]8 4eturn F-.S?evp?ae"?1/2?of& (rena#e" <3.?ae"?1/2?of&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD" 2Dofb() ]8 4eturn F-.S?evp?ae"?25:?c&c (rena#e" <3.?ae"?25:?c&c) in file .)cr*pto)evp)e?ae".Yo`cZ

.age 1@: of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dcbc() ]8 4eturn F-.S?evp?ae"?25:?cc# (rena#e" <3.?ae"?25:?cc#) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dccm() ]8 4eturn F-.S?evp?ae"?25:?cf&1 (rena#e" <3.?ae"?25:?cf&1) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dcfb"() ]8 4eturn F-.S?evp?ae"?25:?cf&120 (rena#e" <3.?ae"?25:?cf&120) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dcfb"22() ]8 4eturn F-.S?evp?ae"?25:?cf&0 (rena#e" <3.?ae"?25:?cf&0) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dcfb2() ]8 4eturn F-.S?evp?ae"?25:?ctr (rena#e" <3.?ae"?25:?ctr) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dctr() ]8 4eturn F-.S?evp?ae"?25:?ec& (rena#e" <3.?ae"?25:?ec&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Decb() ]8 4eturn F-.S?evp?ae"?25:?gc# (rena#e" <3.?ae"?25:?gc#) in file .)cr*pto)evp)e?ae".Yo`cZ

.age 1@@ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpD(esD29;D'cm() ]8 4eturn F-.S?evp?ae"?25:?of& (rena#e" <3.?ae"?25:?of&) in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;Dofb() ]8 4eturn F-.S?evp?ae"?25:?9t" (rena#e" <3.?ae"?25:?9t") in file .)cr*pto)evp)e?ae".Yo`cZ con"t <3.?$-.5<4 aFIPSDevpD(esD29;DEts() ]8 4eturn F-.S?evp?de"?ede (rena#e" <3.?de"?ede) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede() ]8 4eturn F-.S?evp?de"?ede3 (rena#e" <3.?de"?ede3) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#() ]8 4eturn F-.S?evp?de"?ede3?c&c (rena#e" <3.?de"?ede3?c&c) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#Dcbc() ]8 4eturn F-.S?evp?de"?ede3?cf&1 (rena#e" <3.?de"?ede3?cf&1) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#Dcfb"() ]8 4eturn F-.S?evp?de"?ede3?cf&:4 (rena#e" <3.?de"?ede3?cf&:4) in file .)cr*pto)evp)e?de"3.Yo`cZ

.age 1@0 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpDdesDede#Dcfb;6() ]8 4eturn F-.S?evp?de"?ede3?cf&0 (rena#e" <3.?de"?ede3?cf&0) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#Dcfb2() ]8 4eturn F-.S?evp?de"?ede3?ec& (rena#e" <3.?de"?ede3?ec&) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#Decb() ]8 4eturn F-.S?evp?de"?ede3?of& (rena#e" <3.?de"?ede3?of&) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDede#Dofb() ]8 4eturn F-.S?evp?de"?ede?c&c (rena#e" <3.?de"?ede?c&c) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDedeDcbc() ]8 4eturn F-.S?evp?de"?ede?cf&:4 (rena#e" <3.?de"?ede?cf&:4) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDedeDcfb;6() ]8 4eturn F-.S?evp?de"?ede?ec& (rena#e" <3.?de"?ede?ec&) in file .)cr*pto)evp)e?de"3.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDdesDedeDecb() ]8 4eturn F-.S?evp?de"?ede?of& (rena#e" <3.?de"?ede?of&) in file .)cr*pto)evp)e?de"3.Yo`cZ

.age 1@/ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?$-.5<4 aFIPSDevpDdesDedeDofb() ]8 4eturn F-.S?evp?d"" (rena#e" <3.?d"") in file .)cr*pto)evp)#?d"".Yo`cZ con"t <3.?A; aFIPSDevpDdss() ]8 4eturn F-.S?evp?d""1 (rena#e" <3.?d""1) in file .)cr*pto)evp)#?d""1.Yo`cZ con"t <3.?A; aFIPSDevpDdss"() ]8 4eturn F-.S?evp?ecd"a (rena#e" <3.?ecd"a) in file .)cr*pto)evp)#?ecd"a.Yo`cZ con"t <3.?A; aFIPSDevpDecds(() ]8 4eturn F-.S?evp?enc?null (rena#e" <3.?enc?null) in file .)cr*pto)evp)e?null.Yo`cZ con"t <3.?$-.5<4 aFIPSDevpDencDnull() ]8 4eturn F-.S?evp?"!a1 (rena#e" <3.?"!a1) in file .)cr*pto)evp)#?"!a1.Yo`cZ con"t <3.?A; aFIPSDevpDsh("() ]8 4eturn F-.S?evp?"!a224 (rena#e" <3.?"!a224) in file .)cr*pto)evp)#?"!a1.Yo`cZ con"t <3.?A; aFIPSDevpDsh(226() ]8 4eturn F-.S?evp?"!a25: (rena#e" <3.?"!a25:) in file .)cr*pto)evp)#?"!a1.Yo`cZ

.age 100 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

con"t <3.?A; aFIPSDevpDsh(29;() ]8 4eturn F-.S?evp?"!a304 (rena#e" <3.?"!a304) in file .)cr*pto)evp)#?"!a1.Yo`cZ con"t <3.?A; aFIPSDevpDsh(#26() ]8 4eturn F-.S?evp?"!a512 (rena#e" <3.?"!a512) in file .)cr*pto)evp)#?"!a1.Yo`cZ con"t <3.?A; aFIPSDevpDsh(9"2() ]8 4eturn F-.S?free (rei#ple#ent" $4I. O?free) in file .)fip")utl)fip"?#e#.Yo`cZ void FIPSDfree(void aptr) ]8^ ptr F-.S?get?cip!er&*nid in file .)fip")utl)fip"?enc.Yo`cZ con"t "truct evp?cip!er?"t aFIPSD'etDcipherb&nid(int nid) 8^ nid ]8 4eturn F-.S?get?default?dr&g in file .)fip")rand)fip"?dr&g?rand.Yo`cZ ;4=>?$ L aFIPSD'etDdef(ultDdrb'() ]8 4eturn F-.S?get?dige"t&*nid in file .)fip")utl)fip"?#d.Yo`cZ con"t "truct env?#d?"t aFIPSD'etDdi'estb&nid(int nid) 8^ nid ]8 4eturn

.age 101 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?get?ti#evec in file .)fip")rand)fip"?rand.Yo`cZ void FIPSD'etDtimevec(un"igned c!ar a&uf, un"igned long apctr) ]8 &uf ]8^ pctr F-.S?!#ac (rena#e" 5A%$) in file .)cr*pto)!#ac)!#ac.Yo`cZ un"igned c!ar aFIPSDhm(c(con"t <3.?A; aevp?#d, con"t void a,e*, int ,e*?len, con"t un"igned c!ar ad, "iCe?t n, un"igned c!ar a#d, un"igned int a#d?len) 8^ evp?#d 8^ ,e* 8^ ,e*?len 8^ d 8^ n ]8 #d ]8 #d?len ]8 4eturn F-.S?!#ac?ct9?cleanup (rena#e" 5A%$?$ L?cleanup) in file .)cr*pto)!#ac)!#ac.Yo`cZ void FIPSDhm(cDctEDcle(nup(5A%$?$ L act9) ]8 ct9 F-.S?!#ac?ct9?cop* (rena#e" 5A%$?$ L?cop*) in file .)cr*pto)!#ac)!#ac.Yo`cZ ??owur int FIPSDhm(cDctEDcop&(5A%$?$ L adct9, 5A%$?$ L a"ct9) ]8 dct9 ]8 "ct9 ]8 4eturn F-.S?!#ac?ct9?init (rena#e" 5A%$?$ L?init) in file .)cr*pto)!#ac)!#ac.Yo`cZ void FIPSDhm(cDctEDinit(5A%$?$ L act9) ]8 ct9 F-.S?!#ac?ct9?"et?flag" (rena#e" 5A%$?$ L?"et?flag") in file .)cr*pto)!#ac)!#ac.Yo`cZ

.age 102 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

void FIPSDhm(cDctEDsetDfl('s(5A%$?$ L act9, un"igned long flag") ]8 ct9 8^ flag" F-.S?!#ac?final (rena#e" 5A%$?Final) in file .)cr*pto)!#ac)!#ac.Yo`cZ ??owur int FIPSDhm(cDfin(l(5A%$?$ L act9, un"igned c!ar a#d, un"igned int alen) ]8 ct9 ]8 #d ]8 len ]8 4eturn F-.S?!#ac?init (rena#e" 5A%$?-nit) in file .)cr*pto)!#ac)!#ac.Yo`cZ ??owur int FIPSDhm(cDinit(5A%$?$ L act9, con"t void a,e*, int len, con"t <3.?A; a#d) ]8 ct9 8^ ,e* 8^ len 8^ #d ]8 4eturn F-.S?!#ac?init?e9 (rena#e" 5A%$?-nit?e9) in file .)cr*pto)!#ac)!#ac.Yo`cZ ??owur int FIPSDhm(cDinitDeE(5A%$?$ L act9, con"t void a,e*, int len, con"t <3.?A; a#d, <G>-G< ai#pl) ]8 ct9 8^ ,e* 8^ len 8^ #d ]8^ i#pl ]8 4eturn F-.S?!#ac?update (rena#e" 5A%$?'pdate) in file .)cr*pto)!#ac)!#ac.Yo`cZ ??owur int FIPSDhm(cDupd(te(5A%$?$ L act9, con"t un"igned c!ar adata, "iCe?t len) ]8 ct9 8^ data 8^ len ]8 4eturn

.age 103 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?incore?fingerprint in file .)fip")fip".Yo`cZ un"igned int FIPSDincoreDfin'erprint(un"igned c!ar a"ig, un"igned int len) ]8 "ig 8^ len ]8 4eturn F-.S?loc, (rei#ple#ent" $4I. O?loc,) in file .)fip")utl)fip"?lc,.Yo`cZ void FIPSDloc*(int #ode, int t*pe, con"t c!ar afile, int line) 8^ #ode 8^ t*pe 8^ file 8^ line F-.S?#alloc (rei#ple#ent" $4I. O?#alloc) in file .)fip")utl)fip"?#e#.Yo`cZ void aFIPSDm(lloc(int nu#, con"t c!ar afile, int line) 8^ nu# 8^ file 8^ line ]8 4eturn F-.S?#d?ct9?cleanup (rei#ple#ent" <3.?A;?$ L?cleanup) in file .)fip")utl)fip"?#d.Yo`cZ int FIPSDmdDctEDcle(nup(<3.?A;?$ L act9) ]8 ct9 ]8 4eturn F-.S?#d?ct9?cop* (rei#ple#ent" <3.?A;?$ L?cop*?e9) in file .)fip")utl)fip"?#d.Yo`cZ ??owur int FIPSDmdDctEDcop&(<3.?A;?$ L aout, con"t <3.?A;?$ L ain) ]8 out 8^ in ]8 4eturn

.age 104 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?#d?ct9?create (rei#ple#ent" <3.?A;?$ L?create) in file .)fip")utl)fip"?#d.Yo`cZ <3.?A;?$ L aFIPSDmdDctEDcre(te() ]8 4eturn F-.S?#d?ct9?de"tro* (rei#ple#ent" <3.?A;?$ L?de"tro*) in file .)fip")utl)fip"?#d.Yo`cZ void FIPSDmdDctEDdestro&(<3.?A;?$ L act9) ]8 ct9 F-.S?#d?ct9?init (rei#ple#ent" <3.?A;?$ L?init) in file .)fip")utl)fip"?#d.Yo`cZ void FIPSDmdDctEDinit(<3.?A;?$ L act9) ]8 ct9 F-.S?#odule?#ode in file .)fip")fip".Yo`cZ int FIPSDmoduleDmode() ]8 4eturn F-.S?#odule?#ode?"et in file .)fip")fip".Yo`cZ int FIPSDmoduleDmodeDset(int onoff, con"t c!ar aaut!) 8^ onoff 8^ aut! ]8 4eturn F-.S?#odule?ver"ion in file .)fip")fip".Yo`cZ un"igned long FIPSDmoduleDversion() ]8 4eturn F-.S?#odule?ver"ion?te9t in file .)fip")fip".Yo`cZ con"t c!ar aFIPSDmoduleDversionDteEt() ]8 4eturn

.age 105 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?open""l?clean"e (rena#e" O.<GSSL?clean"e) in file .)cr*pto)90:cpuid.Yo`cZ void FIPSDopensslDcle(nse(void aptr, "iCe?t len) ]8^ ptr 8^ len F-.S?open""l?"!owfatal (rena#e" O.<GSSL?"!owfatal) in file .)cr*pto)cr*ptli&.Yo`cZ void FIPSDopensslDsho0f(t(l(con"t c!ar af#ta, ...) 8^ f#ta 8^ ... F-.S?open""ldie (rena#e" OpenSSL;ie) in file .)cr*pto)cr*ptli&.Yo`cZ void FIPSDopenssldie(con"t c!ar afile, int line, con"t c!ar aa""ertion) 8^ file 8^ line 8^ a""ertion F-.S?po"t?"et?call&ac, in file .)fip")fip"?po"t.Yo`cZ void FIPSDpostDsetDc(llb(c*(int (apo"t?c&)(int op, int id, int "u&id, void ae9)) ]8 po"t?c& F-.S?put?error (rei#ple#ent" <44?put?error) in file .)fip")utl)fip"?err.Yo`cZ void FIPSDputDerror(int li&, int func, int rea"on, con"t c!ar afile, int line) 8^ li& 8^ func 8^ rea"on 8^ file 8^ line F-.S?rand?add (rei#ple#ent" 4%G;?add) in file .)fip")rand)fip"?rand?li&.Yo`cZ void FIPSDr(ndD(dd(con"t void a&uf, int nu#, dou&le entrop*) 8^ &uf

.age 10: of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ 8^

nu# entrop*

F-.S?rand?&*te" (rei#ple#ent" 4%G;?&*te") in file .)fip")rand)fip"?rand?li&.Yo`cZ int FIPSDr(ndDb&tes(un"igned c!ar a&uf, int nu#) ]8 &uf 8^ nu# ]8 4eturn F-.S?rand?get?#et!od in file .)fip")rand)fip"?rand?li&.Yo`cZ con"t 4%G;?A< 5O; aFIPSDr(ndD'etDmethod() ]8 4eturn F-.S?rand?p"eudo?&*te" (rei#ple#ent" 4%G;?p"eudo?&*te") in file .)fip")rand)fip"?rand?li&.Yo` cZ int FIPSDr(ndDpseudoDb&tes(un"igned c!ar a&uf, int nu#) ]8 &uf 8^ nu# ]8 4eturn F-.S?rand?"eed (rei#ple#ent" 4%G;?"eed) in file .)fip")rand)fip"?rand?li&.Yo`cZ void FIPSDr(ndDseed(con"t void a&uf, int nu#) 8^ &uf 8^ nu# F-.S?rand?"et?&it" in file .)fip")rand)fip"?rand?li&.Yo`cZ void FIPSDr(ndDsetDbits(int n&it") 8^ n&it" F-.S?rand?"et?#et!od in file .)fip")rand)fip"?rand?li&.Yo`cZ int FIPSDr(ndDsetDmethod(con"t 4%G;?A< 5O; a#et!)

.age 10@ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

#et! 4eturn

F-.S?rand?"tatu" (rei#ple#ent" 4%G;?"tatu") in file .)fip")rand)fip"?rand?li&.Yo`cZ int FIPSDr(ndDst(tus() ]8 4eturn F-.S?rand?"trengt! in file .)fip")rand)fip"?rand?li&.Yo`cZ int FIPSDr(ndDstren'th() ]8 4eturn F-.S?r"a?&linding?off (rena#e" 4S%?&linding?off) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ void FIPSDrs(Dblindin'Doff(4S% ar"a) ]8^ r"a F-.S?r"a?&linding?on (rena#e" 4S%?&linding?on) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(Dblindin'Don(4S% ar"a, =G?$ L act9) ]8^ r"a ]8 ct9 ]8 4eturn F-.S?r"a?flag" (rena#e" 4S%?flag") in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(Dfl('s(con"t 4S% ar) 8^ r ]8 4eturn F-.S?r"a?free in file .)fip")r"a)fip"?r"a?li&.Yo`cZ void FIPSDrs(Dfree("truct r"a?"t ar) ]8^ r

.age 100 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?r"a?generate?,e*?e9 (rena#e" 4S%?generate?,e*?e9) in file .)cr*pto)r"a)r"a?gen.Yo`cZ int FIPSDrs(D'ener(teD*e&DeE(4S% ar"a, int &it", =->G'A ae, =G?><G$= ac&) ]8^ r"a 8^ &it" ]8^ e ]8^ c& ]8 4eturn F-.S?r"a?new in file .)fip")r"a)fip"?r"a?li&.Yo`cZ "truct r"a?"t aFIPSDrs(Dne0() ]8 4eturn F-.S?r"a?p,c"1?""lea* (rena#e" 4S%?.K$S1?SSLea*) in file .)cr*pto)r"a)r"a?ea*.Yo`cZ con"t 4S%?A< 5O; aFIPSDrs(Dp*cs"Dssle(&() ]8 4eturn F-.S?r"a?private?decr*pt (rena#e" 4S%?private?decr*pt) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(Dpriv(teDdecr&pt(int flen, con"t un"igned c!ar afro#, un"igned c!ar ato, 4S% ar"a, int padding) 8^ flen 8^ fro# ]8 to ]8^ r"a 8^ padding ]8 4eturn F-.S?r"a?private?encr*pt (rena#e" 4S%?private?encr*pt) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(Dpriv(teDencr&pt(int flen, con"t un"igned c!ar afro#, un"igned c!ar ato, 4S% ar"a, int padding) 8^ flen 8^ fro# ]8 to ]8^ r"a

.age 10/ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

padding 4eturn

F-.S?r"a?pu&lic?decr*pt (rena#e" 4S%?pu&lic?decr*pt) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(DpublicDdecr&pt(int flen, con"t un"igned c!ar afro#, un"igned c!ar ato, 4S% ar"a, int padding) 8^ flen 8^ fro# ]8 to ]8^ r"a 8^ padding ]8 4eturn F-.S?r"a?pu&lic?encr*pt (rena#e" 4S%?pu&lic?encr*pt) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(DpublicDencr&pt(int flen, con"t un"igned c!ar afro#, un"igned c!ar ato, 4S% ar"a, int padding) 8^ flen 8^ fro# ]8 to ]8^ r"a 8^ padding ]8 4eturn F-.S?r"a?"ign in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dsi'n("truct r"a?"t ar"a, con"t un"igned c!ar a#"g, int #"glen, con"t "truct env?#d?"t a#!a"!, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, un"igned c!ar a"igret, un"igned int a"iglen) ]8^ r"a 8^ #"g 8^ #"glen 8^ #!a"! 8^ r"a?pad?#ode 8^ "altlen 8^ #gf15a"! ]8 "igret ]8 "iglen ]8 4eturn

.age 1/0 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?r"a?"ign?ct9 in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dsi'nDctE("truct r"a?"t ar"a, "truct env?#d?ct9?"t act9, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, un"igned c!ar a"igret, un"igned int a"iglen) ]8^ r"a ]8 ct9 8^ r"a?pad?#ode 8^ "altlen 8^ #gf15a"! ]8 "igret ]8 "iglen ]8 4eturn F-.S?r"a?"ign?dige"t in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dsi'nDdi'est("truct r"a?"t ar"a, con"t un"igned c!ar a#d, int #d?len, con"t "truct env?#d?"t a#!a"!, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, un"igned c!ar a"igret, un"igned int a"iglen) ]8^ r"a 8^ #d 8^ #d?len 8^ #!a"! 8^ r"a?pad?#ode 8^ "altlen 8^ #gf15a"! ]8 "igret ]8 "iglen ]8 4eturn F-.S?r"a?"iCe (rena#e" 4S%?"iCe) in file .)cr*pto)r"a)r"a?crpt.Yo`cZ int FIPSDrs(Dsi?e(con"t 4S% ar"a) 8^ r"a ]8 4eturn F-.S?r"a?verif* in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dverif&("truct r"a?"t ar"a, con"t un"igned c!ar a#"g, int #"glen, con"t "truct env?#d?"t a#!a"!, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, con"t un"igned c!ar a"ig&uf, un"igned int "iglen) ]8^ r"a

.age 1/1 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ 8^ 8^ 8^ 8^ 8^ 8^ 8^ ]8

#"g #"glen #!a"! r"a?pad?#ode "altlen #gf15a"! "ig&uf "iglen 4eturn

F-.S?r"a?verif*?ct9 in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dverif&DctE("truct r"a?"t ar"a, "truct env?#d?ct9?"t act9, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, con"t un"igned c!ar a"ig&uf, un"igned int "iglen) ]8^ r"a ]8 ct9 8^ r"a?pad?#ode 8^ "altlen 8^ #gf15a"! 8^ "ig&uf 8^ "iglen ]8 4eturn F-.S?r"a?verif*?dige"t in file .)fip")r"a)fip"?r"a?"ign.Yo`cZ int FIPSDrs(Dverif&Ddi'est("truct r"a?"t ar"a, con"t un"igned c!ar adig, int diglen, con"t "truct env?#d?"t a#!a"!, int r"a?pad?#ode, int "altlen, con"t "truct env?#d?"t a#gf15a"!, con"t un"igned c!ar a"ig&uf, un"igned int "iglen) ]8^ r"a 8^ dig 8^ diglen 8^ #!a"! 8^ r"a?pad?#ode 8^ "altlen 8^ #gf15a"! 8^ "ig&uf 8^ "iglen ]8 4eturn F-.S?r"a?9/31?derive?e9 (rena#e" 4S%?L/31?derive?e9) in file .)cr*pto)r"a)r"a?9/31g.Yo`cZ

.age 1/2 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

int FIPSDrs(DE #"DderiveDeE(4S% ar"a, =->G'A ap1, =->G'A ap2, =->G'A aB1, =->G'A aB2, con"t =->G'A aLp1, con"t =->G'A aLp2, con"t =->G'A aLp, con"t =->G'A aLB1, con"t =->G'A aLB2, con"t =->G'A aLB, con"t =->G'A ae, =G?><G$= ac&) ]8^ r"a ]8^ p1 ]8^ p2 ]8^ B1 ]8^ B2 8^ Lp1 8^ Lp2 8^ Lp 8^ LB1 8^ LB2 8^ LB 8^ e ]8^ c& ]8 4eturn F-.S?r"a?9/31?generate?,e*?e9 (rena#e" 4S%?L/31?generate?,e*?e9) in file .)cr*pto)r"a)r"a?9/31g.Yo`cZ int FIPSDrs(DE #"D'ener(teD*e&DeE(4S% ar"a, int &it", con"t =->G'A ae, =G?><G$= ac&) ]8^ r"a 8^ &it" 8^ e ]8^ c& ]8 4eturn F-.S?"elfte"t in file .)fip")fip"?po"t.Yo`cZ int FIPSDselftest() ]8 4eturn F-.S?"elfte"t?ae" in file .)fip")ae")fip"?ae"?"elfte"t.Yo`cZ int FIPSDselftestD(es() ]8 4eturn

.age 1/3 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

F-.S?"elfte"t?ae"?cc# in file .)fip")ae")fip"?ae"?"elfte"t.Yo`cZ int FIPSDselftestD(esDccm() ]8 4eturn F-.S?"elfte"t?ae"?gc# in file .)fip")ae")fip"?ae"?"elfte"t.Yo`cZ int FIPSDselftestD(esD'cm() ]8 4eturn F-.S?"elfte"t?ae"?9t" in file .)fip")ae")fip"?ae"?"elfte"t.Yo`cZ int FIPSDselftestD(esDEts() ]8 4eturn F-.S?"elfte"t?c!ec, in file .)fip")fip".Yo`cZ void FIPSDselftestDchec*() F-.S?"elfte"t?c#ac in file .)fip")c#ac)fip"?c#ac?"elfte"t.Yo`cZ int FIPSDselftestDcm(c() ]8 4eturn F-.S?"elfte"t?de" in file .)fip")de")fip"?de"?"elfte"t.Yo`cZ int FIPSDselftestDdes() ]8 4eturn F-.S?"elfte"t?dr&g in file .)fip")rand)fip"?dr&g?"elfte"t.Yo`cZ int FIPSDselftestDdrb'() ]8 4eturn F-.S?"elfte"t?dr&g?all in file .)fip")rand)fip"?dr&g?"elfte"t.Yo`cZ

.age 1/4 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

int FIPSDselftestDdrb'D(ll() ]8 4eturn F-.S?"elfte"t?d"a in file .)fip")d"a)fip"?d"a?"elfte"t.Yo`cZ int FIPSDselftestDds(() ]8 4eturn F-.S?"elfte"t?ecd! in file .)fip")ecd!)fip"?ecd!?"elfte"t.Yo`cZ int FIPSDselftestDecdh() ]8 4eturn F-.S?"elfte"t?ecd"a in file .)fip")ecd"a)fip"?ecd"a?"elfte"t.Yo`cZ int FIPSDselftestDecds(() ]8 4eturn F-.S?"elfte"t?failed in file .)fip")fip".Yo`cZ int FIPSDselftestDf(iled() ]8 4eturn F-.S?"elfte"t?!#ac in file .)fip")!#ac)fip"?!#ac?"elfte"t.Yo`cZ int FIPSDselftestDhm(c() ]8 4eturn F-.S?"elfte"t?r"a in file .)fip")r"a)fip"?r"a?"elfte"t.Yo`cZ int FIPSDselftestDrs(() ]8 4eturn F-.S?"elfte"t?"!a1 in file .)fip")"!a)fip"?"!a1?"elfte"t.Yo`cZ

.age 1/5 of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

int FIPSDselftestDsh("() ]8 4eturn F-.S?"elfte"t?9/31 in file .)fip")rand)fip"?rand?"elfte"t.Yo`cZ int FIPSDselftestDE #"() ]8 4eturn F-.S?"et?error?call&ac," in file .)fip")utl)fip"?err.Yo`cZ void FIPSDsetDerrorDc(llb(c*s(void (aput?c&)(int li&, int func,int rea"on,con"t c!ar afile,int line), void (aadd?c&)(int nu#, va?li"t arg")) 8^ put?c& ]8 add?c& F-.S?"et?loc,ing?call&ac," in file .)fip")utl)fip"?lc,.Yo`cZ void FIPSDsetDloc*in'Dc(llb(c*s(void (afunc)(int #ode, int t*pe, con"t c!ar afile,int line), int (aadd?c&)(int apointer, int a#ount, int t*pe, con"t c!ar afile, int line)) 8^ func 8^ add?c& F-.S?"et?#alloc?call&ac," in file .)fip")utl)fip"?#e#.Yo`cZ void FIPSDsetDm(llocDc(llb(c*s(void a(a#alloc?c&)(int nu#, con"t c!ar afile, int line), void (afree?c&)(void a)) 8^ #alloc?c& ]8^ free?c& F-.S?te9t?end in file .)fip")fip"?end.Yo`cZ void aFIPSDteEtDend() ]8 4eturn F-.S?te9t?"tart in file .)fip")fip"?"tart.Yo`cZ

.age 1/: of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

void aFIPSDteEtDst(rt() ]8 4eturn F-.S?9/31?&*te" in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"Db&tes(un"igned c!ar aout, int outlen) ]8 out 8^ outlen ]8 4eturn F-.S?9/31?#et!od in file .)fip")rand)fip"?rand.Yo`cZ con"t 4%G;?A< 5O; aFIPSDE #"Dmethod() ]8 4eturn F-.S?9/31?re"et in file .)fip")rand)fip"?rand.Yo`cZ void FIPSDE #"Dreset() F-.S?9/31?"eed in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"Dseed(con"t void a&uf, int nu#) 8^ &uf 8^ nu# ]8 4eturn F-.S?9/31?"et?dt in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"DsetDdt(un"igned c!ar adt) ]8 dt ]8 4eturn F-.S?9/31?"et?,e* in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"DsetD*e&(con"t un"igned c!ar a,e*, int ,e*len) 8^ ,e*

.age 1/@ of 1/0

User Guide $ OpenSSL FIPS Object Module v2.0

8^ ]8

,e*len 4eturn

F-.S?9/31?"tatu" in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"Dst(tus() ]8 4eturn F-.S?9/31?"tic, in file .)fip")rand)fip"?rand.Yo`cZ void FIPSDE #"Dstic*(int onoff) 8^ onoff F-.S?9/31?te"t?#ode in file .)fip")rand)fip"?rand.Yo`cZ int FIPSDE #"DtestDmode() ]8 4eturn

.age 1/0 of 1/0

Вам также может понравиться