[email protected] writes: > On Mon, Dec 27, 2010 at 6:47 AM, Henrik Grindal Bakken <[email protected]> > wrote: >>> 3) obtaining your own from-scratch validation starting with the >>> 1.0.0 baseline. Good luck with that, you have a long row to hoe. >> >> We're going for 3), but as I said, our crypto module is not OpenSSL, >> it's the entire product, so the OpenSSL FIPS Object Module isn't >> interesting for me. What is interesting, however, are the self-tests. >> >>> Incidentally, unless you're seeking a Level 2 validation for a >>> non-CC certified environment you'll regret defining the crypto >>> module boundary to include your entire application. >> >> I am seeking a level 2 validation. It's not really an application, >> it's a hardware device. > > Because the 1.0.x releases don't have any support for FIPS, they > don't implement the FIPS-mandated tests. OpenSSL can't help with > prevalidation now, since its FIPS-validated mode fails new > validation standards compliance in some manner. > > You're probably already dealing with having to fork the code (to > prevent any use of non-FIPS-approved algorithms when your hardware > is operating in FIPS-validated mode). This suggests that your best > option might be to import the self-tests from fips-1.2.2 into your > own fork.
It's not really a fork; we do it mostly with a) configuration, and b) limiting algorithms in our own code. We do have some patches, though, and I suppose the best way forward is to pull in the tests from the latest OpenSSL FIPS module and try to fit them into 1.0.0 code. Thanks for your advice. -- Henrik Grindal Bakken <[email protected]> PGP ID: 8D436E52 Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52 ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
