David Schwartz wrote:

> Build the FIPS module, then fix the higher-level code, then build the rest
> of OpenSSL. So long as don't modify the source before building the FIPS
> module, you are fine. You can fix the code that doesn't go in the FIPS
> canister without violating FIPS, then link your fixed code with the
> canister.

Correct -- just don't modify *any* code in the special
openssl-fips-1.1.2.tar.gz tarball, whether that code has any effect on
the resulting fipscanister.o object module or not. You can't even
modify the README file. Once fipscanister.o (and handful of ancillary
files) are generated you should throw away everything else from that
build. The fipscanister.o can subsequently be used with a FIPS
compatible (i.e., recent) OpenSSL built the usual way from one of the
usual tarballs. You do not want to use any of the other object code
from the special FIPS tarball.

-Steve M.

Steve Marquess
Open Source Software Institute

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org