Sean Coleman wrote:
Hello,
I found the following thread concerning x86_64 bit compilations and
issues a user experienced when compiling a fips compliant openssl:
http://marc.info/?l=openssl-dev&m=121451375530617&w=2
In one of the threads, it was asked whether it was possible to build a
64 bit version of the fips compliant openssl package. The reply stated
that it was not possible to build a win64 version. ...<snip>...
Please keep in mind that the question "is it possible to build the
validated product X so that..." is moot. The only reason, presumably,
why you would want to build the FIPS Object Module in the first place is
to satisfy a policy requirement for FIPS validated cryptography. But,
*any* modification of the original as-validated source code or
documented build procedure renders the result non-compliant and hence
useless for that intended purpose. If you don't have a strong business,
political, administrative, or regulatory requirement to use FIPS
validated software then don't. It has no technical advantages with
respect to the standard unvalidated OpenSSL -- it isn't more secure,
higher performing, or more robust. In fact from a purely technical
perspective there are a number of distinct disadvantages.
For the original 1.x FIPS object module (currently the only available
validated version) we originally planned to include both static and
shared (i.e. -fPIC) cases in the testing. That validation turned out to
consume more time and money than we had budgeted, so we were reluctantly
forced to drop the -fPIC case, unfortunately at a point where we could
not make -fPIC the default for the surviving non-shared case. For the
v1.1.2 FIPS object module you're just plain out of luck on any platform
which does not generate position independent code by default, such as
Linux. Ditto for 64 bit code, we didn't include any 64 bit platforms at
all.
For the next validation, the 0.9.8 based v1.2, we did make -fPIC the
default for all object code generation. 64 bit x86 is also covered,
along with x86 assembly optimizations. That validation could be
available in as little as a few weeks, so I encourage you to concentrate
your efforts on that release. As discussed in previous threads an
evaluation source release is at
ftp://ftp.openssl.org/snapshot/openssl-fips-test-1.2.0.tar.gz.
Any problems reported for v1.2 can't be fixed for the forthcoming
validation, but we can fix them for any future validations. At this
point v1.1.2 is sufficiently dated, and diverges enough from v1.2, that
bug fixes are less likely to be relevant to the current development
baseline that we can change.
-Steve M.
--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]