On 2/9/2016 12:29 PM, Steve Marquess wrote:
> On 02/09/2016 03:19 PM, cloud force wrote:
>> Hello everyone,
>>
>> Is the FIPS Object Module v2.0 supposed to only work with the vanilla
>> openssl library? If I apply the security patches to the openssl library,
>> should the FIPS Object Module v2.0 still work without problems?
>
> You should patch OpenSSL whether you use it with the FIPS module or not.
>
> From the perspective of the FIPS 140-2 validation, stock OpenSSL is just
> application code and is out of scope. So you can patch/hack OpenSSL
> proper as much as you want; as long as the intact FIPS module is built
> per the mandated process, its FIPS-ness is unaffected by OpenSSL.
>
> -Steve M.

...with the caveat that you cannot patch the stock OpenSSL in such a way that any crypto operations are done by anything other than the FIPS module, if you want to maintain the FIPS-ness of the systems you build using it.

Formatting and processing of (including memory management for) data that is encrypted or decrypted by the FIPS module is fair game, which includes pretty much all of the security holes that have happened to date in the OpenSSL library.

-Kyle H