On February 26, 2009 02:19:43 pm smitha daggubati wrote:
> Hello all,
> I am going through the FIPS userguide and security policy documents and
> have a few questions.
> We have a proprietary kernel where we already have ported the openssl code.
> Our proprietary kernel is a monolithic kernel and to port the openssl
> library we had to modify the openssl code. A simple example of the
> modifications we had to do was to replace "include stdio.h" with our
> specific files. There were other modifications as well but all were
> tailored with getting the openssl sources to compile as part of our kernel
> and not any with the general ssl code as such.
>
> Now we have plans to make our openssl FIPS Capable.  Going through the
> Userguide and security doc looks like there are specific steps that need to
> be followed
> for
>  a) compiling
>  b) linking
>
> I can think of getting the fipscanister.o by following the exact
> compilation steps mentioned in the userguide and then point my modified ssl
> sources to use the above fipscanister.o. (I am not even sure that this is
> possible without modifications but let's assume it is for now)
>
That sounds like it may be OK.

>  I am not sure of the linking step though because as I said earlier we have
> a monolithic kernel that means I cannot use the fipsld utility. Also it
> being a monolithic kernel there is no separation between the application
> and the fipscanister library.
> Is there any way I can make my implementation of openssl FIPS capable and
> FIPS compliant ?
>
Ok - given this, then my guess is that the only way that you would end up with 
a "FIPS Validated" result is if you submitted your product to NIST yourself, 
and had it validated as a product, with its own validation certificate 
(and/or paid someone like the great Steve Marquess to help you through the 
process :)

Are you REALLY sure that you need to have FIPS? As has been mentioned before, 
unless you REALLY need it (i.e.: your US Government client won't buy your 
product unless it is FIPS certified), it's not worth the trouble just to have 
an additional rating.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
