Krzysztof Koston wrote:
> Thank you for the quick answer. We are actually planning to submit our final product for validation so my understanding is that it needs to be validated again with all the modifications we have made. Am I correct?
Correct. The existing v1.2 and earlier validations don't cover any cross compilation platforms, so you'll need to obtain your own "rubber stamp" validation of binaries built from that same source but for your specific platform(s). But, that validation can leverage the documentation from the prior validation for some cost savings.
> ... If yes then I am wondering if this is even technically achievable to get it to build in FIPS mode for our platform. Maybe it would be easier if we downgraded to the earlier version? Does any process/procedure exist for cross compiling any of the older versions?
Yes, you should be able to build the OpenSSL FIPS Object Module by breaking the current single "fipsld" invocation into several discrete steps. The particulars may vary slightly with the build and target platforms, but in general the steps are:
1) Compile and link the initial fipscanister.o and fips_premain.o object modules to create the intermediate executable.
2) Execute that intermediate executable on the target platform, capturing the displayed SHA-1 HMAC hash.
3) Relink on the build platform with the known hash value to obtain the final fipscanister.o.
From a technical perspective you can do this with the original openssl-fips-1.2.tar.gz tarball or 0.9.8k+, but because the procedural requirements of the #1051 validation aren't met you can't call the result validated. You need a new validation even though the source code may be identical. That source code has been validated *many* times -- your tax dollars at work :-)
On Jul 20, 2009, at 4:08 PM, Dr. Stephen Henson wrote:
> On Mon, Jul 20, 2009, Chris Koston wrote:
>
>> Hi,
>>
>> I am trying to compile OpenSSL 0.9.8k with FIPS for ARM machine
>> (versatile). I am cross compiling using toolchain for my
>> platform. Unfortunately during generation of the fips canister
>> the process requires some "host native" executables to generate
>> what I believe is some checksums. I am not very familiar with
>> this process. It is really difficult to find any information
>> about FIPS and cross compiling. Does anyone have experience doing
>> this? I am not sure what I need to do at this point. I don't know
>> which components must be compiled for the host machine and I am
>> also not sure if I'm allowed/able to modify the make files in
>> order to use the right compiler where necessary. Is what I'm
>> talking about really doable?
>>
>
> Cross compiling isn't supported at all for the 1.2 validation. You
> need to compile OpenSSL natively with unmodified sources following
> the instructions to the letter or it isn't validated.
>
> Steve.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
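The three-step procedure in the reply above, as a simplified Python model of a two-pass build with an embedded HMAC-SHA1 fingerprint. This is an added example, not part of the original thread and not the OpenSSL build scripts. The key, image layout and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed values for this model; not the FIPS module's real key or layout.
HMAC_KEY = b"example-integrity-key"
SIG_LEN = hashlib.sha1().digest_size  # SHA-1 HMAC is 20 bytes
PLACEHOLDER = b"\x00" * SIG_LEN


def link(code: bytes, signature: bytes = PLACEHOLDER) -> bytes:
    """Model of a link step: covered code region followed by a signature slot."""
    if len(signature) != SIG_LEN:
        raise ValueError("signature must be a 20-byte SHA-1 HMAC")
    return code + signature


def fingerprint(image: bytes) -> bytes:
    """HMAC-SHA1 over the covered region only; the signature slot is excluded,
    so embedding the hash later does not change the value being checked."""
    return hmac.new(HMAC_KEY, image[:-SIG_LEN], hashlib.sha1).digest()


def run_on_target(image: bytes) -> str:
    """Step 2: the intermediate executable displays its own hash as hex."""
    return fingerprint(image).hex()


def power_on_self_test(image: bytes) -> bool:
    """Load-time check in the final module: recompute and compare."""
    return hmac.compare_digest(fingerprint(image), image[-SIG_LEN:])


def cross_build(code: bytes) -> bytes:
    intermediate = link(code)                   # step 1: on the build platform
    captured = run_on_target(intermediate)      # step 2: on the target platform
    return link(code, bytes.fromhex(captured))  # step 3: relink with known hash


if __name__ == "__main__":
    code = b"constructed stand-in for the compiled module"
    final = cross_build(code)
    print("intermediate passes self-test:", power_on_self_test(link(code)))
    print("final passes self-test:       ", power_on_self_test(final))
```

The intermediate image fails its own check because its slot still holds the placeholder, which is why the relink in step 3 is required before the module is usable.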