On February 26, 2009 02:19:43 pm smitha daggubati wrote:
> Hello all,
> I am going through the FIPS userguide and security policy documents and
> have a few questions.
> We have a proprietary kernel where we already have ported the openssl code.
> Our proprietary kernel is a monolithic kernel and to port the openssl
> library we had to modify the openssl code. A simple example of the
> modifications we had to do was to replace "include stdio.h" with our
> specific files. There were other modifications as well but all were
> tailored with getting the openssl sources to compile as part of our kernel
> and not any with the general ssl code as such.
>
> Now we have plans to make our openssl FIPS Capable. Going through the
> Userguide and security doc looks like there are specific steps that need to
> be followed
> for
> a) compiling
> b) linking
>
> I can think of getting the fipscanister.o by following the exact
> compilation steps mentioned in the userguide and then point my modified ssl
> sources to use the above fipscanister.o. (I am not even sure that this is
> possible without modifications but let's assume it is for now)
>

That sounds like it may be OK.

> I am not sure of the linking step though because as I said earlier we have
> a monolithic kernel that means I cannot use the fipsld utility. Also it
> being a monolithic kernel there is no separation between the application
> and the fipscanister library.
> Is there any way I can make my implementation of openssl FIPS capable and
> FIPS compliant?
>

Ok - given this, then my guess is that the only way that you would end up with a "FIPS Validated" result is if you submitted your product to NIST yourself, and had it validated as a product, with its own validation certificate (and/or paid someone like the great Steve Marquess to help you through the process :)

Are you REALLY sure that you need to have FIPS? As has been mentioned before, unless you REALLY need it (i.e.: your US Government client won't buy your product unless it is FIPS certified), it's not worth the trouble just to have an additional rating.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca