On 09/28/2015 09:13 AM, John Foley wrote: > On 09/23/2015 08:16 AM, Steve Marquess wrote: >> John, let me elaborate on my comment above by noting that the Cisco >> contribution includes a bunch of FIPS specific code for which there is >> no counterpart on the master branch (i.e. no place to put it). A >> version which worked on master with all the FIPS stuff stripped out >> and with tests via evp_test would be a lot more interesting. -Steve M. > Hi Steve, > > We can certainly submit a pull request on the master branch. It'll take > a little time to prepare that. IMHO, there is value in accepting this > pull request on the FIPS branch as well. There are OpenSSL users doing > private label FIPS validations that would benefit. Sure, value for the very small number of vendors with pockets deep enough to pursue their own proprietary validations that will benefit no one else. We're an open source organization with limited resources. We want to apply those resources effectively to benefit the greater community. Even though FIPS 140-2 is of significant interest to only part of the U.S. market, and of minimal interest to the rest of the world, the open source based validations see enough use[*] to justify the significant effort those consume. We can't justify that impact for a handful of U.S. vendors. Then there is the issue of code "ownership". We have dropped code for platforms we can't access and test ourselves. The real "test" for FIPS related code is whether the validation bureaucracy will approve it, and we know from long experience that we can't assume said approval; the "interop" test is a validation certificate. If we accept outside contributions of FIPS related code we'll have no way of knowing if that code will actually satisfy any particular attempt at validation. Your response to that will be that you'll only give us code that *you* have successfully validated, in a module that only you can use, but again we know from long experience that the exact same module can be submitted multiple times with very different results. Your successful private closed source validation is of minimal use to anyone else. An open source based validation, that everyone can use either directly or as the basis for copycat "private label" validations, is the correct answer. I see no benefit to us or the vast majority of our user base in committing speculative code that we can't verify and that most of our users can't use. > Pull request 368 > contains the FIPS vector processing utility for KDF. None of the FIPS > vector processing utilities reside in master. The pull request we > prepare for master isn't going to include the KDF vector processing utility. > > Please let me know whether we should proceed with preparing a pull > request on master. If it doesn't have any FIPS dependencies and is useful for the overall OpenSSL community outside of any FIPS context, sure. Thanks, -Steve M. [*] Many hundreds of vendors, most but not all small companies you never heard of. Those are the ones who use the #1747 validation directly, still more do copycat validations. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
