On 03/26/2014 12:30 PM, Mark Hatle wrote:
> Looking at the fips_canister.c I see that ia32 (32-bit and 64-bit)
> systems are not enabled with the cross compiling when using 'Linux'.
> But ia32 (32-bit) is enabled on Android systems.
>
> This is preventing me from cross compiling and using the fipsld with the
> incore script to link my applications.
>
> I modified fips_canister.c as shown in the attached patch. So far in my
> testing (building various applications and running them on the target
> system), the incore script is working correctly.
>
> Would it be possible to add this change to the fips_canister in a future
> version, or would this require a full re-validation of the openssl-fips?

A "change letter" update would suffice. That's still a non-trivial expense, in both time and money, but not nearly as expensive as a full validation.

> Until then, my only other option is to use something like qemu to run
> the linked application to get the necessary checksum, in order to
> recompile/relink the final binary. Is modifying the fipsld script in
> such a way acceptable for FIPS compliance?

You can't modify the fipsld present within the openssl-fips-2.0.N.tar.gz source distribution (*no* such modifications are allowed), but you can use *another* external modified fipsld script that respects the requirements of the Security Policy (i.e., verify the *.sha1 digests as you go).

That point is a little confusing. When the FIPS module was first validated only native compilation was supported. Later we worked out how to support cross-compilation, and the precedent of using an external fipsld (and/or incore) utility for building the FIPS module has since been well established.

Fipsld and incore (and some other files) are really part of the build environment, like the compiler and linker, and don't need to be in the source distribution tarball proper. If/when we ever do another open source based validation we'll probably leave those build utilities out of the FIPS module tarball entirely. Until then any change to the tarball contents means (at best) a "change letter" update, even something as trivial as a change to a comment.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[email protected]
[email protected]
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
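
The "verify the *.sha1 digests as you go" requirement mentioned in the reply, sketched as an added example (not part of the original thread and not the OpenSSL project's fipsld): a fail-closed digest check that an external link wrapper could run before invoking the linker. Assumptions: the helper names `verify_digest` and `link_verified` are hypothetical, the detached `<file>.sha1` is assumed to carry the hex digest as its last field, and `sha1sum` is only a stand-in for whatever fingerprint command the Security Policy prescribes.

```shell
#!/bin/sh
# Added example: refuse to link unless every input matches its detached
# "<file>.sha1" digest. Not the project's fipsld.
# Assumptions (not from the thread): the sidecar's last whitespace-separated
# field is the hex digest, and FINGERPRINT_CMD prints the digest as its first
# field. sha1sum is a stand-in for the fingerprint tool the Security Policy
# actually requires.
FINGERPRINT_CMD="${FINGERPRINT_CMD:-sha1sum}"

# verify_digest FILE
# Returns 0 if FILE matches FILE.sha1, 1 on mismatch, 2 if either is missing.
verify_digest() {
    file=$1
    sidecar="$file.sha1"
    [ -f "$file" ] && [ -f "$sidecar" ] || {
        echo "missing $file or $sidecar" >&2
        return 2
    }
    # Last field of the last non-empty sidecar line, lower-cased.
    expected=$(awk 'NF { d = $NF } END { print tolower(d) }' "$sidecar")
    actual=$($FINGERPRINT_CMD "$file" | awk '{ print tolower($1); exit }')
    # An empty digest on either side must never count as a match.
    [ -n "$expected" ] && [ "$expected" = "$actual" ] || {
        echo "$file: fingerprint mismatch" >&2
        return 1
    }
}

# link_verified LINK_CMD FILE...
# Verifies every FILE first; LINK_CMD runs only if all digests match.
link_verified() {
    link_cmd=$1
    shift
    for f in "$@"; do
        verify_digest "$f" || return 1
    done
    $link_cmd "$@"
}
```

A wrapper built this way stops at the first mismatching or missing digest, so the link step never sees an unverified object.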
