On Thu, Oct 25, 2012, Mendonca, Joseph wrote:

> Steve,
>
> I resolved the remaining problem and now have FIPS working. For
> OpenSSL, I had previously found a compiler problem introduced during
> optimization and had disabled optimization to avoid the problem. I had
> to disable optimization during the FIPS module build to resolve this
> remaining problem.
> Changed:
> $opt_cflags=' /MC /O1i'; # optimize for space, but with intrinsics...
> To:
> $opt_cflags=' /MC /Od'; # optimize for space, but with intrinsics...
> In util\pl\VC-32.pl (for FIPS module)
>

Unfortunately making changes like that violates the security policy and the
result is no longer validated.

The original CE5 validation also suffered from a compiler bug which was
worked around by disabling optimisation for the affected code; see
crypto/bn/bn_nist.c in the 2.0.1 sources.

What version of C compiler are you using?

> However, having to continuously update "--with-baseaddr=0xnnnnnnn" is
> going to be a pain. So we need to explore the static linking option. It
> is not obvious to me the changes needed to generate the static LIB(s)
> instead of the DLL. Could you provide me with the proper settings to
> generate LIBs instead of the (libeay32.)DLL?
>

Well, a fixed base address can work provided you make appropriate changes to
platform builder and include the DLL in the nk.bin file.

A static build of the FIPS capable OpenSSL is untested but should follow the
rules of a static Win32 build (call the static Makefile instead). You'd then
need to modify the link procedure of your application to call fipslink.pl or
an equivalent (e.g. making use of msincore).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
