Thanks. I usually just use the published binaries.
Is it possible to make reproducible builds?
If anyone wants to join me in updating this code you can see my latest version here: https://github.com/A9G-Data-Droid/OpenSSLUI
Rony, you don't have to go through any certification process. You only need to provide a "FIPS Mode" where the software can only use FIPS validated encryption libraries. The library goes through the certification process. In the case of OpenSSL they have done the validation for you. Here is their cert: https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2473 You can see it very clearly in the OpenSSL UserGuide: Exclusive Use of the FIPS Object Module for Cryptography...
It allows government workers, contractors and subcontractors to use PasswordSafe at work. As it stands I have to remove PasswordSafe and ban it from my organization until it has a compliant FIPS mode. That is the purpose of me making this thread. There are thousands of contractors and subcontractors in America each with thousands of users. I don't assume to know anything about the userbase of this software but there are a very large number of users who can't use it. This thread is also valuable to...
MrMe, Twofish is not a FIPS approved algorithm so it couldn't be used at all for this purpose. That's why I've been calling it "FIPS Mode". Any pre-existing password database would need to be converted to a FIPS compliant password database that was encrypted using approved methods. FIPS mode should be chosen at install time so users can't accidentally become non-compliant by clicking some settings. Either that, or the whole app could default to using FIPS approved algorithms. That's up to Rony.
Your software doesn't need a certificate if you are using a FIPS certified encryption library to perform encryption operations in "FIPS mode". This wiki shows some examples of libraries which are FIPS validated: https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries Looks like using a special version of OpenSSL called "OpenSSL FIPS Object Module" might be your best bet for something you can freely drop into your program to create a "FIPS mode": https://www.openssl.org/docs/fips.html
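The two posts above describe the shape of a "FIPS mode": an install-time setting, a single place where the application chooses algorithms, and a refusal to open a legacy (Twofish) database until it has been converted. The sketch below is an added example written for this thread; it is not PasswordSafe code, it does not reproduce the real PasswordSafe file format, and the config-file syntax, the header fields and the approved-algorithm lists are assumptions. It implements only the policy choke point and the approved key-derivation and integrity steps available in the Python standard library; in a real product the cipher calls behind `check_cipher` would be routed to a validated module running in its own FIPS mode.

```python
"""Illustrative 'FIPS mode' policy choke point for a password-manager style app.

Added example for the forum discussion above. Not PasswordSafe code and not its
real database format. Hypothetical assumptions: an install-time config file with
a `fips_mode = true|false` line, and a database header dict naming its cipher.
"""
import hashlib
import hmac

# Subset of primitives an application would be allowed to route through a
# validated module in FIPS mode. The authoritative list is NIST's; this subset
# is an assumption made for the example.
FIPS_APPROVED_CIPHERS = {"AES-256-CBC", "AES-256-GCM"}
FIPS_APPROVED_HASHES = {"sha256", "sha384", "sha512"}


class FipsPolicyError(Exception):
    """Raised when a non-approved primitive is requested while in FIPS mode."""


def read_fips_mode(config_text: str) -> bool:
    """Parse the install-time setting once at startup.

    The value is deliberately not exposed in the preferences UI, so a user
    cannot drift out of compliance by clicking a setting (the point raised above).
    """
    for line in config_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "fips_mode":
            return value.strip().lower() == "true"
    return False  # absent key: default to the non-FIPS build behaviour


class CryptoPolicy:
    """Every algorithm choice in the app goes through this one object."""

    def __init__(self, fips_mode: bool):
        self.fips_mode = fips_mode

    def check_cipher(self, name: str) -> str:
        # Fail closed: in FIPS mode anything outside the allow-list is an error,
        # never a silent fallback.
        if self.fips_mode and name not in FIPS_APPROVED_CIPHERS:
            raise FipsPolicyError(f"cipher {name} is not FIPS approved")
        return name

    def check_hash(self, name: str) -> str:
        if self.fips_mode and name not in FIPS_APPROVED_HASHES:
            raise FipsPolicyError(f"hash {name} is not FIPS approved")
        return name

    def derive_key(self, password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
        """PBKDF2-HMAC-SHA256 (an approved password-based KDF) -> 32-byte key."""
        digest = self.check_hash("sha256")
        return hashlib.pbkdf2_hmac(digest, password, salt, iterations, dklen=32)

    def integrity_tag(self, key: bytes, data: bytes) -> bytes:
        """HMAC-SHA256 over the stored record, used to detect tampering."""
        digest = self.check_hash("sha256")
        return hmac.new(key, data, digest).digest()

    def open_database(self, header: dict) -> str:
        """Refuse a database whose cipher is not approved instead of quietly
        decrypting a legacy Twofish file while claiming to be in FIPS mode.
        Conversion to an approved cipher must happen in a separate step."""
        return self.check_cipher(header["cipher"])


# Constructed sample inputs (not real PasswordSafe headers or config files).
SAMPLE_CONFIG = "theme = dark\nfips_mode = true\n"
LEGACY_HEADER = {"version": 3, "cipher": "Twofish-256-CBC"}
CONVERTED_HEADER = {"version": 3, "cipher": "AES-256-CBC"}


def demo() -> dict:
    """Exercise the policy in both modes and report what each one allowed."""
    fips = CryptoPolicy(read_fips_mode(SAMPLE_CONFIG))
    legacy = CryptoPolicy(fips_mode=False)
    result = {
        "fips_opens_legacy": True,
        "fips_opens_converted": fips.open_database(CONVERTED_HEADER) == "AES-256-CBC",
        "legacy_opens_twofish": legacy.open_database(LEGACY_HEADER) == "Twofish-256-CBC",
    }
    try:
        fips.open_database(LEGACY_HEADER)
    except FipsPolicyError:
        result["fips_opens_legacy"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that `CryptoPolicy` is the only place algorithm names are resolved, so a single audit of that class answers "what can this build use in FIPS mode", and that the legacy-database case fails with an explicit error rather than a quiet downgrade.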
Thanks for confirming! Without a FIPS mode this software can't be used by federal entities, including government contractors. Good to know.