On 07/05/2012 12:43 PM, Alex Chen wrote:
> Thanks for the information, Steve. I do have some questions about the FIPS
> module.
>
> 1. What does 'support' mean? Does it involve source code change or is it
> simple changes in the configure script to make the code compile correctly
> in a specific OS and generate the proper library?

In this context it means we expect to be adding iOS to the OpenSSL FIPS
Object Module 2.0 (#1747) validation as a formally tested platform
("Operational Environment"), which will mean that module can be used on
iOS where FIPS 140-2 validation is required.

> 2. Since the FIPS module 2.0 has already been certified will it require a
> new certification if iOS support is added? Or is it going to fall into the
> 'Change Letter' modification category?

Yes, iOS will be added to the existing #1747 validation via a "change
letter" process.

> 3. From what is currently available, if a user wants to use OpenSSL FIPS
> module for MacOS, the only option seems to be FIPS module 1.2.4 (and
> implicitly OpenSSL 0.9.8)?

Correct.

> 4. It seems there is a sponsor for FIPS module 1.2.4 for MacOS but not in
> FIPS module 2.0. What is involved in a 'sponsorship'?

Money (always!) and sometimes the provision of suitable platforms to test
on. In the case of Mac OS X we will need access to appropriate hardware
for the duration of the testing process (several weeks).

> 5. If we take the source code and create an Xcode project to build the
> library instead of using the configure script but use the same flags and
> defines specified in the Makefile, will the resulting library still be
> considered valid, assuming it passes all the tests that come with the source
> code?

Only the FIPS module itself (the fipscanister object file) is validated.
That must be generated *exactly* as documented in the Security Policy,
and the documented process does not use Xcode for OS X. Once that is done
there are essentially no restrictions on how you subsequently link it
with your application code.

So, you're stuck with the config/Configure scripts for the module build;
no room for creativity there. We used Xcode to build the test programs
used for the OS X and iOS validation testing.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com