[EMAIL PROTECTED] wrote:
A second option would be to create a wrapper gcc executable that
adds '-DOPENSSL_SYSNAME_WIN32' to the command line before passing it
on to the real gcc. While this seems not to violate the letter of
the Security Policy, it certainly seems shady.

Anyone got a better idea?


Use the Microsoft compiler?

If you really want to be FIPS compliant why are you using mingw?
Some auditor might ask the same question.

In which way is using a closed source compiler where nobody knows
which backdoors it might add to the validated code better than
to use a wrapper executable for gcc?

I must have been under the wrong impression that it was certified for
Windows. Not wanting to address the above comment, but looking at the
FIPS documents:
http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf

It looks like Windows was not one of the test platforms, only HP and SUSE,
(both with gcc) and nothing about Windows.  Appendix C says you can only:
./config fips
make
make install


http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf
Says in G5 1.a.1:
"For Level 1 Operational Environment, a software cryptographic module will
 remain compliant with the FIPS 140-2 validation when operating on any
 general purpose computer (GPC) provided that the GPC uses the specified
 single user operating system/mode specified on the validation certificate,
 or another compatible single user operating system, and"

The certificate is here:
http://csrc.nist.gov/cryptval/140-1/140crt/140crt642.pdf
But does not list any operating systems.

AFAIK it's the source code
and the build procedure, that has been certified, not the resulting
binary, or am I wrong here?

No, but it appears Windows has fallen through the cracks, and there
is nothing about what compiler is to be used. If it is to be certified
again, can Windows (with your choice of compilers) be one of the test platforms?



          Regards,
                  Stefan


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]



--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444