As long as fipscanister.o is compiled through the means specified in the security policy (basically, "./config fips"), the resulting canister is considered validated for FIPS purposes.

I'll read through IG G.5 and summarize it when I get the chance, probably later tonight -- but I would presume it includes at a minimum:

1) Generates binaries compliant with the ABI for the architecture;
2) Generates binaries that only use the ABI and APIs provided with the architecture;
3) Uses header files that accurately describe the architecture;
4) Generates accurate binaries for the code presented, with no additions or subtractions.

I must stress that at this time this is my own personal belief that is not backed up by having read the long complex document that specifies the precise requirements.

Cheers,

-Kyle H

On Feb 21, 2007, at 2:53 PM, Christopher Marshall wrote:


--- Christopher Marshall <[EMAIL PROTECTED]> wrote:

I have a question about the FIPS 140-2 status of the openssl command line tool.

If I successfully compile openssl-fips-1.1.1 to obtain an openssl command line tool linked against it (fipscanister.o), and I use that openssl command line tool to encrypt a file with a FIPS approved cipher (for example, AES), would that use be considered FIPS 140-2 compliant?

Chris Marshall



I have another question. Sorry about not thinking of it before hitting send.

In the OpenSSL FIPS 140-2 Security Policy pdf, section 2.6, it is noted that two test environments were used for obtaining FIPS 140-2 certification (HP-UX 11i + gcc 3.4.2 and IBM NetVista, Suse Linux 9.0 + gcc 3.3.1). It then ominously states that the result of compiling the FIPS source on other OS+compiler versions will be FIPS 140-2 compliant as long as the conditions described in IG G.5 are met. I downloaded the referenced "IG G.5" and it seems to be a long, complex document describing the FIPS 140-2 testing process.

What I want to do is compile openSSL-fips-1.1.1 on HP-UX 11.11 with a recent gcc version and have the result be FIPS 140-2 compliant. Do I need to upgrade my OS to HP-UX 11i and only use gcc 3.4.2 or can I use HP-UX 11.11 with any recent gcc version?

Chris Marshall

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
