That's how FIPS 140 certification works. If *any* change is made to the thing that was certified, then it must reviewed and re-certified. If the change is small, then the review process can be short. The certifying lab hasto ensure that the change didn't intentionally or unintentionally compromise the security of the rest of the module. My take on it is that the lab cannot trust the vendor (the OpenSSL community in this case) not to be trying to compromise the module.

Paul
___________________________________
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office: 949.856.7748 | paul.suhler@quantum.com
___________________________________
Disregard the Quantum Corporation confidentiality notice below. The information contained in this transmission is not confidential. Permission is hereby explicitly granted to disclose, copy, and further distribute to any individuals or organizations, without restriction.

-----Original Message-----
From: owner-openssl-users@openssl.org [mailtowner-openssl-users@openssl.org] On Behalf Of Roger No-Spam
Sent: Tuesday, November 04, 2008 8:34 AM
To: openssl-users@openssl.org
Subject: FIPS and new releases of openssl


Hello,

In appendix B of the openssl FIPS security policy it is stated that the module must be built with a particular tar file (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar file is specified. Furthermore it is statedthat there shall be no additions, deletions, or alterations of the set of files in the tar file as used during module build.

The way I read this is that if you modify for instance the ASN.1 or SSL code (in order to fix a bug), then the FIPS validation is canceled. This does not make sense to me. Why can't higher level code be bug fixed without FIPSvalidation being canceled?

/Roger
__________________________________________________ _______________
Var sommaren för kort? Här hittar du solen!
http://resor.se.msn.com/____________...______________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

-----------------------------------------------------------
The information contained in this transmission may be
confidential. Any disclosure, copying, or further
distribution of confidential information is not permitted
unless such privilege is explicitly granted in writing by
Quantum Corporation. Furthermore, Quantum Corporation is not
responsible for the proper and complete transmission of the
substance of this communication or for any delay in its
receipt.
------------------------------------------------------------
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org