Hi Steve,

Thanks for the fast reply. So it sounds like I should discuss this with the test lab with which we're working to see what they say.

My time working in OpenSSL can still be counted in weeks, so I'd be very interested in your opinion on this. Either way, it'll help me in proceeding with this technically, help me in discussing this with the test lab, or both. A few weeks ago, when I first joined this team, I sat in on a gap analysis meeting with the test lab and I do recall something about a hybrid solution being discussed. I'm going to read 140-2 again now, specifically looking for discussion of hybrid solutions.

From a technical perspective, is moving the cipher logic of the AESNI engine over into fipscanister.o even feasible? I'm still a bit confused on the difference between dynamic engines, static engines, and builtin engines and have not yet come across documentation explaining this.

Thanks again,
Pete

On 3/31/11 2:08 PM, Steve Marquess wrote:
> Peter Beal wrote:
>> Hi All,
>>
>> I need to create a FIPS validated version based on 0.9.8r. This
>> library also needs to utilize the Intel AES instructions. My current
>> plan is to patch in the AESNI engine and then move pertinent logic
>> over into the FIPS Canister. Is this a reasonable approach to achieve
>> this? Or, is there some issue that I'm not aware of, such as built in
>> engines and FIPS being mutually exclusive?
>
> Since you're obtaining a validation of your own that is really a
> question for your CMVP accredited test lab. The answer will depend on
> their interpretation of "hybrid" in the FIPS 140-2 context (I have a
> definite opinion but that is irrelevant if your test lab feels
> differently).
>
> You can't of course make changes to the validated code -- any changes at
> all -- and still call it validated.
>
> -Steve M.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
