On 04/08/2013 10:12 PM, Raghav Varadan wrote:
> Hi,
> 
> I'm trying to build fips capable openssl for Mac OS X 64 bit platform. The
> config script ./config automatically builds the libraries for 32 bit OS X
> and it displays the warning asking for manual configuration.
> 
> openssl-fips-2.0.3 Raghav$ ./config no-asm
> Operating system: i686-apple-darwinDarwin Kernel Version 12.3.0: Sun Jan 6
> 22:37:10 PST 2013; root:xnu-2050.22.13~1/RELEASE_X86_64
> WARNING! If you wish to build 64-bit library, then you have to
>          invoke './Configure darwin64-x86_64-cc' *manually*.
>          You have about 5 seconds to press Ctrl-C to abort.
> 
> 
> So my question is if I manually configure, i.e. ./Configure darwin-x86_64-cc
> instead of executing the config script, does it affect the fips
> certification?

First, it's "FIPS 140-2 validation", not "certification". There is no
such thing as "fips validation".

Second, the Security Policy and User Guide documents are quite clear on
the requirement to use the command "./config" and not "Configure",
"config <options>", or anything but "./config".

Third, 64-bit OS X isn't among the formally tested platforms for
validation #1747 so that validation does not directly apply (the CMVP
considers 32-bit and 64-bit to be separate code paths).

We have tested 64-bit OS X in other contexts (private label validations
that are of no value to the general public), and in those cases we use a
"setenv-*.sh" dot-sourced script to set appropriate environment
variables, e.g.:

  $ cat setenv-darwin-x86_64.sh
  #!/bin/bash
  SYSTEM="Darwin"
  MACHINE="x86_64"
  KERNEL_BITS=64

  export MACHINE
  export SYSTEM
  export KERNEL_BITS
  $

At some point we'll have a platform sponsor for 64-bit OS X and you'll
then be able to use the FIPS module for that platform. In the meantime
you can't use the #1747 validation to create a FIPS 140-2 validated
module for 64-bit OS X, regardless of how you build it.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
