> Hello,
>
> In appendix B of the openssl FIPS security policy it is stated
> that the module must be built with a particular tar file
> (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar
> file is specified. Furthermore it is stated that there shall be
> no additions, deletions, or alterations of the set of files in
> the tar file as used during module build.

Correct.

> The way I read this is that if you modify for instance the ASN.1
> or SSL code (in order to fix a bug), then the FIPS validation is
> canceled. This does not make sense to me. Why can't higher level
> code be bug fixed without FIPS validation being canceled?

Build the FIPS module, then fix the higher-level code, then build the rest of OpenSSL. So long as you don't modify the source before building the FIPS module, you are fine.

You can fix the code that doesn't go in the FIPS canister without violating FIPS, then link your fixed code with the canister.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org