author | Richard Levitte <levitte@openssl.org> | 2022-08-25 14:11:08 +0300 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2022-08-25 14:11:08 +0300 |
commit | a28a49557c2d57ddbff6246d4b00e2042b148843 (patch) | |
tree | 01590a52cdd7deba3734ea6d7052cd741e47dad3 | |
parent | d0dcba4a496362b61c19a491c7d8098eaf970de5 (diff) |
Following an OMC decision, remove all FOM v2 information
The old FOM v2 has stopped being relevant for quite a while, and now
that the new FIPS module has got a certificate, it's time to finally
drop all documentation of the old one.
^PET-237 Closed
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/web/pull/358)
46 files changed, 7 insertions, 378 deletions
@@ -106,7 +106,7 @@ SIMPLE = $(H_TOP) \ SRCLISTS = $(foreach S,$(FUTURESERIES) $(SERIES) $(OLDSERIES2) fips,source/old/$(S)/index.inc source/old/$(S)/index.html) SIMPLEDOCS = $(H_DOCS) \ - docs/faq.inc docs/fips.inc \ + docs/faq.inc \ docs/OpenSSLStrategicArchitecture.html \ docs/OpenSSL300Design.html \ docs/manpages.html @@ -307,14 +307,6 @@ docs/faq.inc: $(wildcard docs/faq-[0-9]-*.txt) Makefile bin/mk-faq @rm -f $@ ./bin/mk-faq docs/faq-[0-9]-*txt >$@ -# We don't want to include our web source files in the list of FIPS files -# to be downloaded, so we filter them out. ./bin/mk-filelist can handle -# multiple file arguments. Trust git ls-files over $(wildcard ...) -FIPS_FILES = $(filter-out %.yaml %.md %.tt,$(shell git ls-files -- docs/fips)) -docs/fips.inc: $(FIPS_FILES) Makefile bin/mk-filelist - @rm -f $@ - ./bin/mk-filelist docs/fips fips/ $(notdir $(FIPS_FILES)) >$@ - ###################################################################### ## ## Policy page building section diff --git a/docs/fips.md b/docs/fips.md index 9315ec6..8e5a6bf 100644 --- a/docs/fips.md +++ b/docs/fips.md 
@@ -3,58 +3,11 @@ breadcrumb: FIPS-140 --- # FIPS-140 -Note that this page contains historic information about our legacy -OpenSSL FIPS Object Module (FOM) 2.0. For information about the -OpenSSL FOM 3.0 refer to -[the FIPS module manual page](https://www.openssl.org/docs/man3.0/man7/fips_module.html) +OpenSSL version 3 contains a FIPS module, see [the FIPS module manual +page] for more information. -The most recent validation of a cryptographic module (Module) compatible -with OpenSSL 1.0.2 is v2.0.16, FIPS 140-2 certificate -[\#1747](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/1747). -This Module is documented in the [2.0 User Guide](fips/UserGuide-2.0.pdf); -the [source code](/source/openssl-fips-2.0.16.tar.gz), and -[Security Policy](fips/SecurityPolicy-2.0.16.pdf) are also available. +This FIPS module is validated, and has the certificate number [\#4282]. +The certificate page includes a link to the Security Policy. -For various bureaucratic reasons, the same module is also available as -validation -[\#2398](https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2398) -(revision 2.0.16). - -Neither validation will work with any release other than 1.0.2. The -OpenSSL project is no longer maintaining either the 1747 or the 2398 -module. This includes adding platforms to those validations. The OpenSSL -project is no longer involved in private label validations nor adding -platforms to the existing certificates. - -Here is the complete set of files. Note that if you are interested in -the "1747" validation, you only need the three files mentioned above. - -<p> -<table> - <tr> - <td>KBytes </td> - <td>Date </td> - <td>File </td> - </tr> - <!--#include virtual="fips.inc" --> -</table> -</p> - -## Background - -Please please read the [User Guide](fips/UserGuide.pdf). - -- OpenSSL itself is not validated. 
Instead a special carefully defined - software component called the OpenSSL FIPS Object Module has been - created. This Module was designed for compatibility with OpenSSL so - that products using the OpenSSL API can be converted to use - validated cryptography with minimal effort. -- The OpenSSL FIPS Object Module 2.0 validation is "delivered" in - source code form, meaning that if you can use it exactly as is and - can build it (according to the very specific documented - instructions) for your platform, then you can use it as validated - cryptography on a "vendor affirmed" basis. -- If even a single line of the source code or build process has to be - changed for your intended application, you cannot use the open - source based validated module directly. You must obtain your own - validation. +[the FIPS module manual page]: https://www.openssl.org/docs/man3.0/man7/fips_module.html +[\#4282]: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282 diff --git a/docs/fips/SecurityPolicy-1.1.1.pdf b/docs/fips/SecurityPolicy-1.1.1.pdf Binary files differdeleted file mode 100644 index e79ba44..0000000 --- a/docs/fips/SecurityPolicy-1.1.1.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-1.1.2.pdf b/docs/fips/SecurityPolicy-1.1.2.pdf Binary files differdeleted file mode 100644 index 4cab221..0000000 --- a/docs/fips/SecurityPolicy-1.1.2.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-1.2.2.pdf b/docs/fips/SecurityPolicy-1.2.2.pdf Binary files differdeleted file mode 100644 index 0cf6e9e..0000000 --- a/docs/fips/SecurityPolicy-1.2.2.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-1.2.3.pdf b/docs/fips/SecurityPolicy-1.2.3.pdf Binary files differdeleted file mode 100644 index b4e8c71..0000000 --- a/docs/fips/SecurityPolicy-1.2.3.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-1.2.4.pdf b/docs/fips/SecurityPolicy-1.2.4.pdf Binary files differdeleted file mode 100644 index 2bb1ace..0000000 
--- a/docs/fips/SecurityPolicy-1.2.4.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-1.2.pdf b/docs/fips/SecurityPolicy-1.2.pdf Binary files differdeleted file mode 100644 index 9ac0515..0000000 --- a/docs/fips/SecurityPolicy-1.2.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.1.pdf b/docs/fips/SecurityPolicy-2.0.1.pdf Binary files differdeleted file mode 100644 index e93e0e1..0000000 --- a/docs/fips/SecurityPolicy-2.0.1.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.10.odt b/docs/fips/SecurityPolicy-2.0.10.odt Binary files differdeleted file mode 100644 index 12ce77e..0000000 --- a/docs/fips/SecurityPolicy-2.0.10.odt +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.10.pdf b/docs/fips/SecurityPolicy-2.0.10.pdf Binary files differdeleted file mode 100644 index 83cb360..0000000 --- a/docs/fips/SecurityPolicy-2.0.10.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.11.pdf b/docs/fips/SecurityPolicy-2.0.11.pdf Binary files differdeleted file mode 100644 index e4354dd..0000000 --- a/docs/fips/SecurityPolicy-2.0.11.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.12.pdf b/docs/fips/SecurityPolicy-2.0.12.pdf Binary files differdeleted file mode 100644 index 131ec5e..0000000 --- a/docs/fips/SecurityPolicy-2.0.12.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.13.pdf b/docs/fips/SecurityPolicy-2.0.13.pdf Binary files differdeleted file mode 100644 index e4ea6c6..0000000 --- a/docs/fips/SecurityPolicy-2.0.13.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.14.pdf b/docs/fips/SecurityPolicy-2.0.14.pdf Binary files differdeleted file mode 100644 index 6d4d6c6..0000000 --- a/docs/fips/SecurityPolicy-2.0.14.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.15.pdf b/docs/fips/SecurityPolicy-2.0.15.pdf Binary files differdeleted file mode 100644 index b2b5a11..0000000 --- a/docs/fips/SecurityPolicy-2.0.15.pdf +++ /dev/null 
diff --git a/docs/fips/SecurityPolicy-2.0.16.pdf b/docs/fips/SecurityPolicy-2.0.16.pdf Binary files differdeleted file mode 100644 index 93ebcee..0000000 --- a/docs/fips/SecurityPolicy-2.0.16.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.2.pdf b/docs/fips/SecurityPolicy-2.0.2.pdf Binary files differdeleted file mode 100644 index 088b749..0000000 --- a/docs/fips/SecurityPolicy-2.0.2.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.3.pdf b/docs/fips/SecurityPolicy-2.0.3.pdf Binary files differdeleted file mode 100644 index 5e5fccc..0000000 --- a/docs/fips/SecurityPolicy-2.0.3.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.4.pdf b/docs/fips/SecurityPolicy-2.0.4.pdf Binary files differdeleted file mode 100644 index 1cca3ac..0000000 --- a/docs/fips/SecurityPolicy-2.0.4.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.5.pdf b/docs/fips/SecurityPolicy-2.0.5.pdf Binary files differdeleted file mode 100644 index 5b54047..0000000 --- a/docs/fips/SecurityPolicy-2.0.5.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.6.pdf b/docs/fips/SecurityPolicy-2.0.6.pdf Binary files differdeleted file mode 100644 index 78a5945..0000000 --- a/docs/fips/SecurityPolicy-2.0.6.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.7.pdf b/docs/fips/SecurityPolicy-2.0.7.pdf Binary files differdeleted file mode 100644 index 0f1a607..0000000 --- a/docs/fips/SecurityPolicy-2.0.7.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.8.pdf b/docs/fips/SecurityPolicy-2.0.8.pdf Binary files differdeleted file mode 100644 index 95da962..0000000 --- a/docs/fips/SecurityPolicy-2.0.8.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.9.odt b/docs/fips/SecurityPolicy-2.0.9.odt Binary files differdeleted file mode 100644 index 8c285b0..0000000 --- a/docs/fips/SecurityPolicy-2.0.9.odt +++ /dev/null 
diff --git a/docs/fips/SecurityPolicy-2.0.9.pdf b/docs/fips/SecurityPolicy-2.0.9.pdf Binary files differdeleted file mode 100644 index b4ff166..0000000 --- a/docs/fips/SecurityPolicy-2.0.9.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-2.0.pdf b/docs/fips/SecurityPolicy-2.0.pdf Binary files differdeleted file mode 100644 index f96809d..0000000 --- a/docs/fips/SecurityPolicy-2.0.pdf +++ /dev/null diff --git a/docs/fips/SecurityPolicy-RE-2.0.10.pdf b/docs/fips/SecurityPolicy-RE-2.0.10.pdf Binary files differdeleted file mode 100644 index db0ef99..0000000 --- a/docs/fips/SecurityPolicy-RE-2.0.10.pdf +++ /dev/null diff --git a/docs/fips/UserGuide-1.1.1.pdf b/docs/fips/UserGuide-1.1.1.pdf Binary files differdeleted file mode 100644 index edb94fa..0000000 --- a/docs/fips/UserGuide-1.1.1.pdf +++ /dev/null diff --git a/docs/fips/UserGuide-1.2.pdf b/docs/fips/UserGuide-1.2.pdf Binary files differdeleted file mode 100644 index a0d0155..0000000 --- a/docs/fips/UserGuide-1.2.pdf +++ /dev/null diff --git a/docs/fips/UserGuide-2.0.pdf b/docs/fips/UserGuide-2.0.pdf Binary files differdeleted file mode 100644 index 4b5677b..0000000 --- a/docs/fips/UserGuide-2.0.pdf +++ /dev/null diff --git a/docs/fips/UserGuide.pdf b/docs/fips/UserGuide.pdf Binary files differdeleted file mode 100644 index 126ef28..0000000 --- a/docs/fips/UserGuide.pdf +++ /dev/null diff --git a/docs/fips/dirdata.yaml b/docs/fips/dirdata.yaml deleted file mode 100644 index 9cc266d..0000000 --- a/docs/fips/dirdata.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -breadcrumbs: - - | - [Home](/) : [Docs](../) : [FIPS](../fips.html) ---- diff --git a/docs/fips/fips-2.0-tv.tar.gz b/docs/fips/fips-2.0-tv.tar.gz Binary files differdeleted file mode 100644 index 0c9a275..0000000 --- a/docs/fips/fips-2.0-tv.tar.gz +++ /dev/null diff --git a/docs/fips/incore.gz b/docs/fips/incore.gz Binary files differdeleted file mode 100644 index c6171f0..0000000 --- a/docs/fips/incore.gz +++ /dev/null 
diff --git a/docs/fips/incore2 b/docs/fips/incore2 deleted file mode 100644 index cf90e6e..0000000 --- a/docs/fips/incore2 +++ /dev/null 
@@ -1,248 +0,0 @@ -#!/bin/sh -# -# calculate in-core fingerprint via looking at the object file rather than -# running a program on the target -# - -DEBUG= - -OBJCOPY=${CROSS_COMPILE}objcopy -OBJDUMP=${CROSS_COMPILE}objdump - -#OBJCOPY=objcopy -#OBJDUMP=objdump - -HMAC_KEY="etaonrishdlcupfm" -FINGERTYPE="openssl sha1 -hmac ${HMAC_KEY}" - -# FINGERTYPE can be made via openssl or fips_standalone_sha1 (output word 2) - -# allow for a simple -d option -if [ "$1" = "-d" ]; then - DEBUG=1 - shift -fi - -if [ "$1" != "-exe" -a "$1" != "-dso" ]; then - echo "usage: incore [-exe|-dso] executable" >&2 - exit 1 -fi - -APP="$2" - -if [ -z "$APP" ]; then - echo "usage: incore [-exe|-dso] executable" >&2 - exit 1 -fi - -if [ ! -f "$APP" ]; then - echo "incore: $APP not found" >&2 - exit 1 -fi - -#TARGET=elf64-x86-64 -TARGET=`$OBJDUMP -f $APP | grep 'file format' | awk '{print $4}'` - -if [ ! -z "$DEBUG" ]; then - echo "TARGET: $TARGET" >&2 -fi - -# INCORE_ADJUST is the fixup allowance for FIPS_ref_point() handling in -# fips/fips_canister.c which is used rather than the actual -# function address - -if [ -z "$INCORE_ADJUST" ]; then - - INCORE_ADJUST=4 - case $TARGET in - elf64-x86-64) INCORE_ADJUST=4;; - #elf32-littlearm|elf32-little|elf32-bigarm) INCORE_ADJUST="-36";; - elf32-littlearm|elf32-little|elf32-bigarm) INCORE_ADJUST="0";; - esac - -fi - -#$OBJCOPY -j .rodata -v -O binary $APP $APP-rodata | grep -v '^copy from' -#$OBJCOPY -j .text -v -O binary $APP $APP-text | grep -v '^copy from' -#$OBJCOPY -j .rodata -v -F $TARGET $APP $APP-rodata | grep -v '^copy from' -#$OBJCOPY -j .text -v -F $TARGET $APP $APP-text | grep -v '^copy from' - -# -# locate all the required symbols -# -eval `$OBJDUMP -t $APP | egrep 'FIPS_text_start|FIPS_text_end|FIPS_rodata_end|FIPS_rodata_start|FIPS_signature|FINGERPRINT_ascii_value' | awk '{printf("%s=%s\n",$6,toupper($1))}' | sed -e 's/\./_/g'` - -# -# locate the offsets and length of the interesting sections -# -eval `$OBJDUMP -h $APP | egrep 
'.text|.rodata|.bss' | awk '{printf("%s=%s\n%s_OFF=%s\n",$2,toupper($4),$2,toupper($6))}' | sed -e 's/^\./DOT/' -e 's/\./_/g'` - -# -# should now have the following variables set which can be used to -# extract the right parts from the -rodata and -text files -# -# e.g. -# FIPS_rodata_end=0000000000436160 -# FIPS_rodata_start=0000000000430B00 -# FIPS_signature=000000000063EBE0 -# FIPS_text_end=00000000004304E0 -# FIPS_text_start=0000000000401780 -# DOTrodata=0000000000430AE0 -# DOTrodata_OFF=00030AE0 -# DOTtext=0000000000401690 -# DOTtext_OFF=00001690 - -# -# show the values - debug -# -if [ ! -z "$DEBUG" ]; then - ( - echo "FIPS_rodata_end=$FIPS_rodata_end" - echo "FIPS_rodata_start=$FIPS_rodata_start" - echo "FIPS_signature=$FIPS_signature" - echo "FIPS_text_end=$FIPS_text_end" - echo "FIPS_text_start=$FIPS_text_start" - echo "FINGERPRINT_ascii_value=$FINGERPRINT_ascii_value" - echo "DOTrodata=$DOTrodata" - echo "DOTrodata_OFF=$DOTrodata_OFF" - echo "DOTtext=$DOTtext" - echo "DOTtext_OFF=$DOTtext_OFF" - ) >&2 -fi - -if [ -z "$FIPS_rodata_start" ]; then - echo "$APP: Not a FIPS executable" >&2 - exit 1 -fi -if [ -z "$FIPS_rodata_end" ]; then - echo "$APP: Not a FIPS executable" >&2 - exit 1 -fi -if [ -z "$FIPS_text_start" ]; then - echo "$APP: Not a FIPS executable" >&2 - exit 1 -fi -if [ -z "$FIPS_text_end" ]; then - echo "$APP: Not a FIPS executable" >&2 - exit 1 -fi - -# -# use 'bc' to calculate offsets and lengths for RODATA -# -RSTART=`cat <<EOF | bc -obase=10 -ibase=16 -$FIPS_rodata_start-$DOTrodata -EOF` -RLEN=`cat <<EOF | bc -obase=10 -ibase=16 -$FIPS_rodata_end-$FIPS_rodata_start -EOF` -ROFF=`cat <<EOF | bc -obase=10 -ibase=16 -$DOTrodata_OFF -EOF` -ROFF=`expr $ROFF + $RSTART` - -# -# use 'bc' to calculate offsets and lengths for TEXT -# -TSTART=`cat <<EOF | bc -obase=10 -ibase=16 -$FIPS_text_start-$DOTtext -EOF` -TLEN=`cat <<EOF | bc -obase=10 -ibase=16 -$FIPS_text_end-$FIPS_text_start -EOF` -TOFF=`cat <<EOF | bc -obase=10 -ibase=16 -$DOTtext_OFF -EOF` 
-TOFF=`expr $TOFF + $TSTART + $INCORE_ADJUST` - -# -# use 'bc' to calculate where to locate FINGERPRINT_ascii_value -# -FSTART=`cat <<EOF | bc -obase=10 -ibase=16 -$FINGERPRINT_ascii_value-$DOTrodata -EOF` -# 20 bytes as ASCII HEX -FLEN=40 -FOFF=`cat <<EOF | bc -obase=10 -ibase=16 -$DOTrodata_OFF -EOF` -FOFF=`expr $FOFF + $FSTART` - -# -# NOTE: this code does not check for FIPS_signature being inside the -# rodata segment and exclude it from the calculation which is what -# the actual runtime code does as we do not update it; the -# FIPS_signature should be in BSS - but in either case our calculation -# is correct as the signature comes from FINGERPRINT_ascii_value -# when FIPS_signature is actually blank (zero) -# - -# -# dump useful values -# -if [ ! -z "$DEBUG" ]; then - ( - echo "TSTART $TSTART" - echo "TLEN $TLEN" - echo "TOFF $TOFF" - echo "INCORE_ADJUST $INCORE_ADJUST" - - echo "RSTART $RSTART" - echo "RLEN $RLEN" - echo "ROFF $ROFF" - - echo "FSTART $FSTART" - echo "FLEN $FLEN" - echo "FOFF $FOFF" - ) >&2 -fi - -# some debug code when looking at the values -if [ ! -z "$INCORE_DEBUG" ]; then - dd if=$APP of=mac1 bs=1 skip=$TOFF count=$TLEN - dd if=$APP of=mac2 bs=1 skip=$ROFF count=$RLEN - cat mac1 mac2 > mac - $FINGERTYPE mac -fi - -# -# show the actual value of FINGERPRINT_ascii_value as placed in -# the program by fipsld -# -if [ ! -z "$DEBUG" ]; then - ( - echo "embedded: " - dd if=$APP bs=1 skip=$FOFF count=$FLEN 2>/dev/null - echo - ) >&2 -fi - -# -# now calculate what that value should be from the appropriate sections -# of the object file -# -if [ ! -z "$DEBUG" ]; then - echo "calculated: " >&2 -fi -( dd if=$APP bs=1 skip=$TOFF count=$TLEN && \ - dd if=$APP bs=1 skip=$ROFF count=$RLEN ) 2>/dev/null | $FINGERTYPE - -exit $? - - diff --git a/docs/fips/privatelabel.md b/docs/fips/privatelabel.md deleted file mode 100644 index 49b940f..0000000 --- a/docs/fips/privatelabel.md +++ /dev/null 
@@ -1,15 +0,0 @@ -# OpenSSL FIPS 140-2 Private Label Validations - -If you haven't already, please read our -[FIPS 140-2 Notes](/docs/fipsnotes.html) page. - -**IMPORTANT NOTE:** The addition of multiple new formal requirements -since the #1747 validation was first approved in 2012, and recent -unfavorable experiences with increasingly unpredictable outcomes from -the validation process, have increased to the point where private label -validations are no longer economically feasible for a small organization -of limited means; the risk doesn't justify the substantial investment -of time and money required to pursue new validations. As of 2015 we are -no longer performing any private label validations. - -We will be starting work on a new FIPS validation soon. diff --git a/docs/fips/rsp.HP-UX.2005-07-01.tar.gz b/docs/fips/rsp.HP-UX.2005-07-01.tar.gz Binary files differdeleted file mode 100644 index 8313592..0000000 --- a/docs/fips/rsp.HP-UX.2005-07-01.tar.gz +++ /dev/null diff --git a/docs/fips/rsp.SuSE.2005-06-30.tar.gz b/docs/fips/rsp.SuSE.2005-06-30.tar.gz Binary files differdeleted file mode 100644 index f978047..0000000 --- a/docs/fips/rsp.SuSE.2005-06-30.tar.gz +++ /dev/null diff --git a/docs/fips/rsp.SuSE.2005-07-01.tar.gz b/docs/fips/rsp.SuSE.2005-07-01.tar.gz Binary files differdeleted file mode 100644 index c5c1ba6..0000000 --- a/docs/fips/rsp.SuSE.2005-07-01.tar.gz +++ /dev/null diff --git a/docs/fips/testvectors-XP-2007-10-09.zip b/docs/fips/testvectors-XP-2007-10-09.zip Binary files differdeleted file mode 100644 index e87a4f9..0000000 --- a/docs/fips/testvectors-XP-2007-10-09.zip +++ /dev/null diff --git a/docs/fips/testvectors-linux-2007-10-10.tar.gz b/docs/fips/testvectors-linux-2007-10-10.tar.gz Binary files differdeleted file mode 100644 index e70c1c1..0000000 --- a/docs/fips/testvectors-linux-2007-10-10.tar.gz +++ /dev/null 
diff --git a/docs/fips/testvectors.HP-UX.tar.gz b/docs/fips/testvectors.HP-UX.tar.gz Binary files differdeleted file mode 100644 index 5b23df6..0000000 --- a/docs/fips/testvectors.HP-UX.tar.gz +++ /dev/null diff --git a/docs/fips/testvectors.SuSE.tar.gz b/docs/fips/testvectors.SuSE.tar.gz Binary files differdeleted file mode 100644 index fe27023..0000000 --- a/docs/fips/testvectors.SuSE.tar.gz +++ /dev/null diff --git a/docs/fips/verifycd.jpg b/docs/fips/verifycd.jpg Binary files differdeleted file mode 100644 index 1037cb4..0000000 --- a/docs/fips/verifycd.jpg +++ /dev/null diff --git a/docs/fips/verifycd.md b/docs/fips/verifycd.md deleted file mode 100644 index ae96a2d..0000000 --- a/docs/fips/verifycd.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -breadcrumb: FIPS 140-2 Verify CD ---- -# FIPS 140-2 verification of the OpenSSL FIPS Object Module source distribution file - -![image of CD label](./verifycd.jpg){width="200" height="200"} The -latest of the OpenSSL FIPS Object Module ("FIPS module") FIPS 140-2 -validations saw the introduction of a new requirement by the CMVP: - -> *The distribution tar file, shall be verified using an independently -> acquired FIPS 140-2 validated cryptographic module\...* - -Some prospective users of the OpenSSL FIPS Object Module 2.0 already -have ready access to an existing securely-installed software product -using FIPS 140-2 validated cryptography that is capable of calculating -the HMAC-SHA-1 digest of a file on disk, in which case satisfying this -requirement is easy (simply calculate the HMAC-SHA-1 digest of the -source distribution file using the key `"etaonrishdlcupfm"` and confirm -it is that same as documented in the [Security -Policy](http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm) -document (e.g., `"2cdd29913c6523df8ad38da11c342b80ed3f1dae"` for -*openssl-fips-2.0.tar.gz*). - -For most prospective users the identification, acquisition, -installation, and configuration of a suitable product may be a -challenge. (See Section 6.6 of our FIPS [User -Guide](/docs/fips/UserGuide-2.0.pdf)) The requirement for this -verification with an independently acquired FIPS 140-2 validated -cryptographic module does not apply when the distribution file is -distributed using a "secure" means. Distribution on physical media is -considered secure in this context so you can verify by obtaining a copy -of the distribution files on CD-ROM disks via postal mail. - -OpenSSL are not providing disks directly at this time. However we have -an arrangement with KeyPair Consulting who will [send a disk to you at -no charge](https://keypair.us/2018/05/cd/). 
- -> Important Disclaimer: The listing of these third party products does -> not imply any endorsement by the OpenSSL project, and these -> organizations are not affiliated in any way with OpenSSL other than by -> the reference to their independent web sites here. - -Note that the files you will receive on these CDs will be *identical* in -every respect (except for formal FIPS 140-2 compliance) with the files -you can download from [https://www.openssl.org/source/](/source/) Once -the distribution files have been received on this CD they can be -redistributed internally within an organizational entity (corporation, -institution, or agency) by normal means. |
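Review bot: In the Makefile hunk at line 106, the unchanged SRCLISTS context line still lists `fips` in its foreach, so source/old/fips/index.inc and source/old/fips/index.html keep being generated after docs/fips.inc and the FIPS_FILES rule are gone. The commit message speaks of removing all FOM v2 information; either state there that the old FIPS source listing is kept on purpose, or drop `fips` from that list in the same change.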
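Review bot: In docs/fips.md, the new sentence "This FIPS module is validated, and has the certificate number [\#4282]" does not say which OpenSSL 3 release the certificate covers, while the sentence before it speaks of "OpenSSL version 3" in general and links to the man3.0 manual page. Name the validated version next to the certificate number, or say that only the version listed on the certificate page is validated, so readers do not assume every 3.x build is covered. The removed Background list also carried the caveat that OpenSSL itself is not validated, and the new text has no equivalent.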
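Review bot: The deleted docs/fips/privatelabel.md links to /docs/fipsnotes.html ("FIPS 140-2 Notes"), and no file of that name is among the 46 files this commit changes. If that page still exists, check it for FOM v2 content and for links into the now-deleted docs/fips/ directory, and remove or update it as part of this change.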