OpenSSL-fips-1.0 portability question

OpenSSL-fips-1.0 portability question

joez-2
Hi,

Just a quick question with regard to the OpenSSL-fips-1.0 version:

I know in order to use fips validated module, an application has to
link with fipscanister.o. But looking at fips_canister.c, I saw a
bunch of assembly codes, my question is how portable is this code?
If I'm using a non-mainstream processor (e.g. a proprietary embedded
system), how hard/easy would it be to port fips_canister.c?

Thanks,
Joe G.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: OpenSSL-fips-1.0 portability question

Dr. Stephen Henson
On Wed, May 10, 2006, Joe wrote:

> Hi,
>
> Just a quick question with regard to the OpenSSL-fips-1.0 version:
>
> I know in order to use fips validated module, an application has to
> link with fipscanister.o. But looking at fips_canister.c, I saw a
> bunch of assembly codes, my question is how portable is this code?
> If I'm using a non-mainstream processor (e.g. a proprietary embedded
> system), how hard/easy would it be to port fips_canister.c?
>

The security policy document and the user guide will contain some info about
how this works.

However note that to be covered by this validation you cannot change anything
in the OpenSSL-fips-1.0 version in any way nor can the build process be changed
at all. The file fips_canister.c has a hash published in the security policy
so you can't change that either.

That effectively means that compilation has to be done natively and cross
compilation isn't covered.

If you are interested in a specific embedded system being covered in a follow
up certification then you should contact OSSI.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk