As long as fipscanister.o is compiled through the means specified in
the security policy (basically, "./config fips"), the resulting
canister is considered validated for FIPS purposes.

I'll read through IG G.5 and summarize it when I get the chance,
probably later tonight -- but I would presume it includes at a minimum:

1) Generates binaries compliant with the ABI for the architecture;
2) Generates binaries that only use the ABI and APIs provided with
   the architecture;
3) Uses header files that accurately describe the architecture;
4) Generates accurate binaries for the code presented, with no
   additions or subtractions.

I must stress that at this time this is my own personal belief that
is not backed up by having read the long complex document that
specifies the precise requirements.

Cheers,
-Kyle H

On Feb 21, 2007, at 2:53 PM, Christopher Marshall wrote:

--- Christopher Marshall <[EMAIL PROTECTED]> wrote:

I have a question about the FIPS 140-2 status of the openssl command
line tool.

If I successfully compile openssl-fips-1.1.1 to obtain an openssl
command line tool linked against it (fipscanister.o), and I use that
openssl commandline tool to encrypt a file with a FIPS approved cipher
(for example, AES), would that use be considered FIPS 140-2 compliant?

Chris Marshall

I have another question. Sorry about not thinking of it before hitting
send.

In the OpenSSL FIPS 140-2 Security Policy pdf, section 2.6, it is noted
that two test environments were used for obtaining FIPS 140-2
certification (HP-UX 11i + gcc 3.4.2 and IBM NetVista, Suse Linux 9.0 +
gcc 3.3.1). It then ominously states that the result of compiling the
FIPS source on other OS+compiler versions will be FIPS 140-2 compliant
as long as the conditions described in IG G.5 are met. I downloaded the
referenced "IG G.5" and it seems to be a long, complex document
describing the FIPS 140-2 testing process.

What I want to do is compile openSSL-fips-1.1.1 on HP-UX 11.11 with a
recent gcc version and have the result be FIPS 140-2 compliant. Do I
need to upgrade my OS to HP-UX 11i and only use gcc 3.4.2 or can I use
HP-UX 11.11 with any recent gcc version?

Chris Marshall
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]