David Schwartz wrote:
...

Build the FIPS module, then fix the higher-level code, then build the rest
of OpenSSL. So long as you don't modify the source before building the FIPS
module, you are fine. You can fix the code that doesn't go in the FIPS
canister without violating FIPS, then link your fixed code with the
canister.

Correct -- just don't modify *any* code in the special openssl-fips-1.1.2.tar.gz tarball, whether that code has any effect on the resulting fipscanister.o object module or not. You can't even modify the README file. Once fipscanister.o (and a handful of ancillary files) are generated you should throw away everything else from that build. The fipscanister.o can subsequently be used with a FIPS compatible (i.e., recent) OpenSSL built the usual way from one of the usual tarballs. You do not want to use any of the other object code from the special FIPS tarball.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
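
One way to check the "don't modify anything, not even the README" rule before starting the canister build, as an added example that is not part of the original thread or of the OpenSSL project's tooling: compare the extracted source tree byte-for-byte against the tarball it came from. The function name `compare_tree_to_tarball` is hypothetical, and the check assumes it is run on a freshly extracted tree before any build output exists.

```python
import hashlib
import os
import tarfile


def _sha256(stream):
    """Hash a binary stream in chunks so large source files are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def compare_tree_to_tarball(tarball_path, tree_root):
    """Return (modified, missing, extra) lists of relative file paths.

    tree_root is the directory the tarball was extracted into, i.e. the
    parent of the archive's top-level directory.
    """
    # Digest every regular file as it is stored inside the archive.
    expected = {}
    with tarfile.open(tarball_path, "r:*") as tar:
        for member in tar:
            if member.isfile():
                name = os.path.normpath(member.name)
                expected[name] = _sha256(tar.extractfile(member))

    # Any file that differs or is absent means the tree is no longer pristine.
    modified, missing = [], []
    for name, digest in expected.items():
        path = os.path.join(tree_root, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        with open(path, "rb") as fh:
            if _sha256(fh) != digest:
                modified.append(name)

    # Files the archive never contained (patches, editor backups, stale
    # objects) are reported too, since they also change the source tree.
    extra = []
    for top in {n.split(os.sep)[0] for n in expected}:
        for dirpath, _dirs, files in os.walk(os.path.join(tree_root, top)):
            for f in files:
                rel = os.path.relpath(os.path.join(dirpath, f), tree_root)
                if rel not in expected:
                    extra.append(rel)
    return sorted(modified), sorted(missing), sorted(extra)
```

All three lists must be empty before the build begins; a changed README shows up in `modified` exactly like a changed C file.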
