OpenSSL and FIPS 140-2 Validation Status

The most recent open source based validation of a cryptographic module (Module) compatible with the OpenSSL libraries is v1.2, FIPS 140-2 certificate #1051. This Module is documented in the User Guide.

Important Note: Due to upcoming changes in the FIPS 140-2 validation requirements the current v1.2 Module will no longer be a suitable model for private label validations in its current form past the year 2010. See the NIST Notices, discussion paper and Draft 800-131.

New Validation in Progress

As of January 4, 2011 we have sponsorship for a new open source FIPS 140-2 Level 1 validation. This validation will cover most of the objectives we have been wanting to achieve in a new validation, including:

Satisfying the new CMVP testing guidelines.
One or more new PRNG implementations.
Algorithm test programs for the AESGCM and ECDSA algorithms.
RSA encryption.
Upgrade DSA2 for key sizes greater then 1024.
Any mandatory additional tests or algorithm modifications for the testing guidelines.
An extensive re-design of the FIPS Module to eliminate OpenSSL revision dependencies. The new module will live in a completely separate purpose-built source distribution. In contrast to the current module, this new module will at least in principle be useful in some stand-alone contexts requiring only low level cryptographic primitives.

In addition this validation will also include:

Suite B cryptography, and a "Suite B" mode of operation enforcement similar to that provided by the current "FIPS capable" OpenSSL.

What this validation currently does not include is many common test platforms present in earlier validations. It will be possible for new co-sponsors to include additional test platforms for only the incremental costs, provided that such arrangements are made prior to the point where the timeline for the ongoing validation effort is adversely impacted. The window of opportunity for the addition of new platforms (or other non-disruptive enhancements) is anticipated to extend only through the first quarter of this year. Since our initial sponsors have time-sensitive schedule requirements we cannot and will not jeopardize the overall schedule for other objectives not included in those original agreements.

Current Status

As of mid-September 2011 coding is complete for both the new FIPS module and the accompanying "FIPS capable" support in OpenSSL. The FIPS module code is available in separate snapshot distributions (openssl-fips-2.0-test-2011MMDD.tar.gz) and the "FIPS capable" support is in the 1.0.1-stable branch (openssl-1.0.1-stable-SNAP-2011MMDD.tar.gz).

On October 26 2011 a source code distribution was delivered to the testing lab. Note we anticipate some additional non-cryptographic code changes to accommodate specific test lab requests to modify and enhance the supporting test suite software.

On December 23 2011 the formal validation submission was sent to the CMVP.

For the duration of the validation process changes to the FIPS module source code will be difficult at best, but we are still interested in reports of problems. The original Call for Testing instructions are still valid.

As of mid-May we are still waiting on action by the CMVP.

Sponsors

The OpenSSL Software Foundation receives support from multiple sources for each validation effort; however only those sponsors who have elected to be recognised for their contribution to OpenSSL are listed below.

Original sponsors: overall validation effort with one platform (Android on ARMv7)
Intersoft International, Inc., platform sponsor (VC++ Win32/x86 asm optimisation)
Opengear, Inc., platform sponsor (uCLinux ARMv4 asm optimisation)
QuintessenceLabs Pty Ltd, platform sponsor (Fedora 14 x86-64 asm optimisation)
PKWARE, Inc., platform sponsor (HPUX 11i on Itanium 32, 64 bit with asm optimisation)
platform sponsor (Ubuntu Linux 32bit x86 with asm optimisation)
Cerberus, LLC, general sponsor
DHS Science and Technology Directorate-sponsored Homeland Open Security Technology (HOST) program, algorithm sponsor (CMAC, AES-CCM)
Innominate Security Technologies AG, platform sponsor (Linux on Freescale MPC8313)
PSW Group, general sponsor

If you have an interest in sponsoring any changes or additions to this validation please contact the OSF.

Some commercial software vendors ask us "what do we gain from sponsoring a validation that our competition can also use?". Our answer is "nothing, if you think in terms of obstructing your competition". If, on the other hand, you compete primarily on the merits of you products what others may do with the validation is less of a threat as they derive no more advantage from it than you do. Your advantage is that your sponsorship will probably cost less that the commercial software license you would otherwise have to buy, and you will retain backwards compatibility with the regular OpenSSL API while avoiding vendor lock-in.