Mark Phalan wrote:
I've been working on getting a FIPS Capable OpenSSL into OpenSolaris.
Excellent, we designed the OpenSSL FIPS Object Module and the "FIPS capable" OpenSSL to enable just this sort of support in vendor O/S distros. One set of "FIPS capable" OpenSSL libraries shipped to all customers, with FIPS mode for the entire system enabled or not at runtime. Note the global configuration file and OPENSSL_config() call can be used for this purpose (see section 5.2 of http://openssl.org/docs/fips/UserGuide-1.2.pdf).
Due to the way the FIPS Capable OpenSSL is built it ends up with older implementations of ciphers (all the ones that fipscanister.o implements). These cipher implementations are used regardless of being in FIPS mode or not.
Ummm, not so. Use the OpenSSL FIPS Object Module v1.2 (the fipscanister.o part *only*, throw the rest away!) along with a current version of OpenSSL 0.9.8 for everything else. That way the old but validated crypto implementations in fipscanister.o are used in FIPS mode, the standard unvalidated (and current) ones in 0.9.8k+ are used when not in FIPS mode.
The FIPS capable build process is discussed in the User Guide document noted above.
... I'm new to the list so if these things have been discussed before feel free to send me to an archive of that previous discussion.
Yes, but this is tricky stuff, complex crypto compounded with unintuitive policy requirements, so please feel free to ask.
-Steve M. -- Steve Marquess The OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 marqu...@opensslfoundation.com ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
