> Anybody have any insight? Any information gratefully received!
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Harvey Shepherd
> Sent: Wednesday, 17 August 2011 12:06 p.m.
> To: openssl-users@openssl.org
> Subject: Using the FIPS Object Module
>
> Hi All,
>
> Sorry if the answer to this posting seems obvious, but I'm not very knowledgeable when it comes to build processes. I'm trying to build a version of Net-SNMP that only uses FIPS recognised algorithms for SNMPv3 user authentication and encryption (i.e. SHA-1 and AES-128). I have already compiled out usage of all other non-FIPS algorithms when building the Net-SNMP daemon, which currently links in the standard OpenSSL libcrypto library.
>
> I am now trying to link it against the FIPS Object Module, which I have successfully built using a slightly modified version of the instructions in the User Guide, due to the build process and requirements for my target platform:
>
> export CROSS_COMPILE=ppc_8xx-; \
> ./Configure linux-generic32 fipscanisterbuild no-asm no-hw
> export CROSS_COMPILE=ppc_8xx-; \
> export HOSTCC=/usr/bin/gcc; \
> export FIPS_SIG=openssl-fips/incore; \
> $(MAKE) -C openssl-fips
>
> I realise that these build changes make the result not FIPS certified, but my goal is to produce a version of Net-SNMP that is based on unmodified encryption algorithm implementations provided by a FIPS certified SSL library. The above build process seems to create a shared crypto library (libcrypto.so.0.9.8), even though I haven't built the standard OpenSSL distribution (i.e. it is not a FIPS Capable OpenSSL build). I have found that Net-SNMP happily uses this library for its encryption support and works with no problems.
>
> So assuming that I want to produce a solution which I could get certified by FIPS if I chose to, my questions are:
>
> 1. Can I use this shared crypto library as-is, and not worry about creating a FIPS Capable OpenSSL build?
>
> 2. Is it still a good idea to perform the hashing verification steps in the User Guide and call FIPS_mode_set()?
>
> 3. Where does fipscanister fit into all this?
>
> I'd be very grateful for any assistance you could provide with this.
Building the FIPS module (fipscanister.o) and the usual shared libraries out of the same source distribution is unwise. For the older v1.2.3 module, the shared libraries generated as a byproduct of the FIPS module build are unsupported, buggy, and obsolete. For the upcoming v2.0 module, currently only in HEAD, the shared libraries are not "FIPS capable".

Please, please always keep in mind that the OpenSSL FIPS Object Module and the OpenSSL library are separate and distinct software components. They should be built separately, with the "FIPS capable" OpenSSL libraries incorporating the independently generated FIPS module.

For the v1.2.3 module use http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz for the FIPS module and the latest 0.9.8 distribution (currently 0.9.8r) for the FIPS capable libraries.

For the v2.0 module (still in development and unreleased but functional), use the latest ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-2011MMDD.tar.gz snapshot to build the FIPS module, and the latest 1.0.1 stable snapshot for the FIPS capable libraries.

Building the FIPS module and the FIPS capable libraries merely gives you the means to reference the *potentially* validated FIPS module from an application. For that application to claim use of FIPS validated cryptography you need to do several other things besides building the FIPS module in accordance with the Security Policy, such as making sure the FIPS capable libraries are used for *all* cryptographic operations, and enabling the FIPS mode with FIPS_mode_set(). An attempt was made to document the various aspects of this process in the User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
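The two separate builds Steve describes, scripted as an added example (this is not code from the thread, from OpenSSL or from the User Guide). It assumes the openssl-fips-1.2.3 and openssl-0.9.8r source trees are already unpacked in the current directory and uses the User Guide's default install prefix for the 1.2.x module, /usr/local/ssl/fips-1.0; the stage 1 byproduct libraries the original poster picked up are never touched.

```shell
#!/bin/sh
# Added example: build the FIPS Object Module and the FIPS capable OpenSSL as
# two independent steps. Assumes openssl-fips-1.2.3/ and openssl-0.9.8r/ are
# unpacked here and that the module installs to the User Guide default prefix.
set -eu

FIPSDIR="${FIPSDIR:-/usr/local/ssl/fips-1.0}"

# Stage 1: build and install the FIPS Object Module on its own. Its
# 'make install' places fipscanister.o and its .sha1 digest under $FIPSDIR/lib.
# Nothing else produced in this tree (such as a stray libcrypto.so) is used.
build_fips_module() {
    ( cd openssl-fips-1.2.3 && ./config && make && make install )
}

# Stage 2: build the FIPS capable OpenSSL from the separate 0.9.8 distribution,
# pointing it at the installed module. The 'fips' config keyword is what makes
# the resulting libcrypto incorporate fipscanister.o.
build_fips_capable_openssl() {
    ( cd openssl-0.9.8r && ./config fips --with-fipsdir="$FIPSDIR" && make && make install )
}

# Gate between the stages: stage 2 must run against an installed module,
# never against object files left behind in the stage 1 build tree.
fips_module_installed() {
    [ -f "$FIPSDIR/lib/fipscanister.o" ] && [ -f "$FIPSDIR/lib/fipscanister.o.sha1" ]
}

case "${1:-}" in
    build)
        build_fips_module
        fips_module_installed || { echo "FIPS module not installed in $FIPSDIR" >&2; exit 1; }
        build_fips_capable_openssl
        ;;
esac
```

Run with the `build` argument to perform both stages; the application linked against the result must still call FIPS_mode_set() and check its return value, which no build script can do for it.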