Christopher Marshall wrote:
I have another question.  Sorry about not thinking of it before hitting send.

In the OpenSSL FIPS 140-2 Security Policy pdf, section 2.6, it is noted that two test environments were used for obtaining FIPS 140-2 certification (HP-UX 11i + gcc 3.4.2 and IBM NetVista, Suse Linux 9.0 + gcc 3.3.1).  It then ominously states that the result of compiling the FIPS source on other OS+compiler versions will be FIPS 140-2 compliant as long as the conditions described in IG G.5 are met.  I downloaded the referenced "IG G.5" and it seems to be a long, complex document describing the FIPS 140-2 testing process.

What I want to do is compile openSSL-fips-1.1.1 on HP-UX 11.11 with a recent gcc version and have the result be FIPS 140-2 compliant.  Do I need to upgrade my OS to HP-UX 11i and only use gcc 3.4.2, or can I use HP-UX 11.11 with any recent gcc version?

Refer to the last three paragraphs in section 4 of the Security Policy. You can generate a valid fipscanister on a different flavor of HP-UX and a different version of gcc, *if* and only if all of the conditions of the Security Policy are met. The source has to be compiled with no modifications whatsoever and no build-time options to ./config are allowed other than "fips", and so forth.

Stated another way, the CMVP only validates binary modules with respect to specific platforms, but the source code used to generate those tested modules can, if "merely" recompiled on another general purpose computer, also be used to generate binary modules for another platform that maintains the validation status. Here platform refers to the hardware, operating system, and build environment (compiler, linker, ...), and "merely" means you can't tweak the source code or config options even a tiny bit.

-Steve M.

--
Steve Marquess
[EMAIL PROTECTED]
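The two conditions the reply insists on (an unmodified source distribution, and ./config given nothing but "fips") are easy to violate by habit, so here is a build wrapper that enforces them before it builds. This is an added example written for this page; it is not code from the thread or from the OpenSSL project. It assumes the tarball name openssl-fips-1.1.1.tar.gz, that the tarball's integrity digest is an HMAC-SHA-1 under the key "etaonrishdlcupfm" (the key the FIPS module uses for its own integrity checks), and that you take the expected digest from the Security Policy for the exact distribution you downloaded; the digest value in the script is a placeholder, not the real one. The function and variable names are the wrapper's own.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project: a wrapper that
# only builds the FIPS module from a distribution whose digest matches the
# Security Policy and that passes nothing but "fips" to ./config.
set -eu

# Assumed: HMAC-SHA-1 under this key is the distribution integrity check.
FIPS_HMAC_KEY="etaonrishdlcupfm"
# PLACEHOLDER: replace with the digest printed in the Security Policy for
# the exact tarball you downloaded.
EXPECTED_TARBALL_HMAC="0000000000000000000000000000000000000000"

# Print the HMAC-SHA-1 of a file as 40 hex characters.
tarball_hmac() {
    openssl dgst -sha1 -hmac "$FIPS_HMAC_KEY" "$1" | awk '{print $NF}'
}

# Return 0 if the file's digest equals the expected value, 1 otherwise.
tarball_is_pristine() {
    [ "$(tarball_hmac "$1")" = "$2" ]
}

# Return 0 only when the ./config argument list is exactly "fips".
# No options at all, or any extra option, means the build is not the
# one the validation covers.
config_args_allowed() {
    [ $# -eq 1 ] && [ "$1" = "fips" ]
}

# Unpack a verified tarball into a scratch directory and build it with
# the permitted command sequence (./config fips; make; make install).
# usage: build_fips_module openssl-fips-1.1.1.tar.gz fips
build_fips_module() {
    tarball="$1"; shift
    config_args_allowed "$@" || {
        echo "refusing: ./config may only be given 'fips'" >&2; return 1; }
    tarball_is_pristine "$tarball" "$EXPECTED_TARBALL_HMAC" || {
        echo "refusing: $tarball does not match the expected digest" >&2; return 1; }
    workdir=$(mktemp -d)
    tar -xzf "$tarball" -C "$workdir"
    ( cd "$workdir/openssl-fips-1.1.1" && ./config "$@" && make && make install )
}
```

The wrapper does not edit anything under the unpacked tree and does not export CFLAGS or other build variables; if your HP-UX 11.11 toolchain needs any of that to get through make, the resulting module is outside the conditions the reply describes, which is exactly the signal you want before shipping it as validated.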

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]