Re: fips 140-2 module conditions and compilation target app

I think you've got the gist of the restriction.  You cannot make any changes to the source code, build files or the commands you use to build the FOM.  None are acceptable if you want a FIPS validated outcome.  I.e. you will lose the FIPS 140-2 validation state if you change anything.


Pauli


On 5/10/21 5:42 am, Artem Goussev wrote:
Hi,
I develop my application and I need to use OpenSSL 1.0.2 with the OpenSSL FIPS Object Module 2.0. I know that OpenSSL 3.0 was released, but unfortunately I must use OpenSSL 1.0.2.

I have read the OpenSSL FIPS Object Module 2.0 documentation and I have one misunderstanding.

"note that as a condition of the FIPS 140-2 validation no other user specified configuration options may be specified."

Does it mean that I can't make any changes in the build configuration files? For example, can I change some compilation flags (CFLAGS) or change the list of linked libraries in the makefile or others? If I do it, will I lose some FIPS 140-2 validation, or as a result will I get an incorrect FIPS 140-2 library, or will I lose some FIPS 140-2 compliance? Can you explain it to me please?

I already know that I can't change any configuration settings in the makefiles.

It means that the command
      ms\do_fips
builds the FIPS module with CFLAG /MD


and I can't change it, correct? I can't build a FIPS module with option /MT, correct?


So it means I can use OpenSSL only in /MD mode, correct? So my target Windows console app\dll can be only in /MD mode, correct?

Can you help me to understand, please?

thanks.

