On 09/13/2012 06:08 PM, TJ wrote:
> On 7 September 2012 23:54, Steve Marquess
> <marqu...@opensslfoundation.com> wrote:
>> On 09/07/2012 12:24 AM, TJ wrote:
>>> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
>>>
>>> ./Configure no-asm no-hw linux-generic32
>>> make -j1 -C openssl-fips
>>
>> Might as well stop right there as the resulting FIPS module isn't FIPS
>> 140-2 validated. There is no point in using the FIPS module if you can't
>> claim, and don't require, validation; it has no inherent performance or
>> security advantages over regular OpenSSL (in fact it is technically
>> *inferior* in both respects).
>>
>
> Actually, we do require validation, which is why I was trying to use
> the FIPS module, but there are other components we need to operate
> inside the logical cryptographic boundary so a separate validation
> will be required anyway. This obviously means it doesn’t really matter
> if I build the FIPS module in a non-compliant way.

So you're modifying the FIPS module. If you're not then there is no reason to redefine the crypto module boundary, and not use the already validated FIPS module. Additional cryptographic components can be separately validated.

> I removed it anyway and got OpenSSL v1.0.1c to build and run, but now
> the self tests (which are required for validation) don't run. Are
> these self tests available as a function call in base OpenSSL without
> the FIPS component? If so, how? If not, what should I do now?; reload
> the FIPS module and try to get it to build for my platform, or what?

What do you mean by "self tests"? The KATs that are done automatically when FIPS mode is enabled (FIPS_mode_set())? If those fail then FIPS mode can't be enabled and the FIPS module doesn't work at all, nothing to do with obtaining a validation.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org