On Fri, Feb 10, 2006, Kyle Hamilton wrote:

> (the 'non-security-policy-compliant' part comes from the extra
> parameter to ./config -- I can't touch the OpenSSL build that's
> already in the system directories, and the security policy states that
> no other parameters can be passed to ./config. [if that's true, it
> should test for it.])

The "no extra parameters" rule only applies to the building of the FIPS
module itself.

The compiled module could be used by another build of OpenSSL which does
include parameters.

This functionality is not yet integrated completely into the build system,
though this can be done for the Windows VC++ build.

> The security policy makes no mention of the requirement to use the
> 'fipsld' command. In fact, the security policy's 'testing' code is
> incorrect (as far as it goes) -- it should, in my view, result in a
> compilable program that can be used to verify that the library will go
> into FIPS mode. (The SP also fails to mention that you can't use the
> library in non-FIPS mode without the use of the fipsld command.)

The user guide will be updated to reflect the changes to the fingerprinting
system in due course. It will also contain some guidelines about the steps an
application needs to take to be compliant.

The version of OpenSSL submitted for testing some months ago used this
technique; the changes have, however, only recently been applied to CVS.

Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org