On 07/10/2013 03:46 PM, Graeme Perrow via RT wrote:
> I am trying to build the FIPS Object Module for Windows on an AMD64
> machine. I started with the instructions in section 4.3 of the User Guide
> 2.0, and was able to build the FIPS module itself, but the instructions for
> building a FIPS-capable OpenSSL are specific to 32-bit Windows. I adjusted
> the build procedure as follows:
> ...
> Also (and more importantly), if I have to modify the build procedure for
> the FIPS-capable OpenSSL but not for the FIPS Object Module itself, does
> that mean my Module is not FIPS 140-2 validated?

I think this is more of a user list question.

OpenSSL proper (as opposed to the OpenSSL FIPS Object Module) is out of
scope of the FIPS 140-2 validation procedure, so you can hack it to your
heart's content. You need to embed the HMAC-SHA1 integrity check
("incore") digest in the FIPS module embedded in the shared library
executable file, but you aren't constrained to a specific command or
process.

Also note that you must verify the SHA1 digest of the FIPS module files
(as is done automatically in the "fipsld" script). Sort of moot if you
just generated those files, but a technical requirement nonetheless.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]