Peter Beal wrote:
> Hi All,
> I need to create a FIPS validated version based on 0.9.8r. This
> library also needs to utilize the Intel AES instructions. My current
> plan is to patch in the AESNI engine and then move pertinent logic
> over into the FIPS Canister. Is this a reasonable approach to achieve
> this? Or, is there some issue that I'm not aware of, such as built-in
> engines and FIPS being mutually exclusive?

Since you're obtaining a validation of your own, that is really a
question for your CMVP accredited test lab. The answer will depend on
their interpretation of "hybrid" in the FIPS 140-2 context (I have a
definite opinion but that is irrelevant if your test lab feels differently).
You can't of course make changes to the validated code -- any changes at
all -- and still call it validated.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
[email protected]