I'm pleased to be able to announce progress on our latest FIPS 140 validation of the Cryptographic Framework in Oracle Solaris. The version of the Cryptographic Framework in Oracle Solaris 11.4 is now listed as an Implementation Under Test for FIPS 140-2. Previous releases of Oracle Solaris 11 have been validated to FIPS 140-2 on SPARC and x86 hardware.
For Oracle Solaris 11.4 the implementation of the Cryptographic Framework in userspace, underwent a fairly significant re-architecture and re-implementation at its lower levels. One of the main motivations for this work was to assist with FIPS 140 validations by keeping the "FIPS 140 module boundary" as small as possible but also to provide an API with lower overhead and that was easier to use. This helps to address the issues I raised in a previous blog post about the impact a FIPS 140-2 validation can have on a cryptographic library.
In previous releases of Oracle Solaris 11 the "FIPS 140 module boundary" in userspace was at the PKCS #11 library layer, the target of validation of Oracle Solaris 11.4 is the libucrypto library which is a lightweight cryptographic API that the PKCS #11 layer is built on top of. The API for libucrypto is essentially the same as that used in the kernel cryptographic framework in all version of Oracle Solaris. As in previous validations the use of hardware acceleration capabilities in the processor is included in the validated configuration.
Further updates will be posted when the CAVP (Cryptographic Algorithm Validation Program) certificates for each of the ciphers are available and when the final CMVP certificate is issued. Timing of those is dependent on many parties; including Oracle, the validation lab and NIST.