On 03/06/2012 06:47 PM, William A. Rowe Jr. wrote: > On 3/6/2012 8:43 AM, Steve Marquess wrote: >> On 03/06/2012 08:49 AM, Vanden, Michelle CTR USAF AFMC AAC/EBYC wrote: >>> Hello Steve, >>> >>> Will the new certificate support that is has been tested in a Windows 7 >> >> That validation will include the following MS Windows platforms: >> >> Windows 7 32bit on x86, SSE2 optimization >> Windows 7 64bit on x86, SSE2 optimization >> >> AES-NI optimization is not covered, so for instance the module cannot be >> used with Windows on many Intel Core i5 processors. > > The real question is what does it take to cripple AES-NI optimization by > OpenSSL? If it's not validated, and fips mode is set on, that optimization > should simply be crippled. Is this possible? > > I trust there is no AES-NI code in the validated fipscanister? So therefore > any workaround would be possible within the openssl 1.0.1 non-validated code?
There is AES-NI code in the validated module (for x86). Remember that "validated" is a bureaucratic designation, not a technical condition. The exact same code can be validated in one context and not in another, and in general the code itself can't tell which is which. For instance, if you built the module with the command "./config no-idea" then it would by definition not be validated (Security Policy violation), even though the resulting object code would be completely indistinguishable from that of a valid module. In the specific case of AES-NI the runtime capability check can be overridden (and the AES-NI code path disabled) by setting the environment variable OPENSSL_ia32cap=~0x200000200000000, so if you were careful to do that for a AES-NI capable processor then arguably that would be a legitimate use (all other validation criteria having been met). -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct [email protected] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
