On Thu, 2007-05-31 at 22:09 -0700, Carlo Milono wrote: > On a Linux AS4 machine, I was able to successfully build both 0.9.8.e and > FIPS 1.1.1 and have both pass all tests :-) > > The VERSION in the FIPS Makefile is different than the version of the base > OpenSSL, and the only way to change the output of "openssl version" is to > change the header file. I've done that to reflect the base (23 Feb 2007) so > that now when I execute "openssl version" it reflects both the base and the > fact that it is linked with the FIPS module.
If you modified the header in the FIPS tree then you are not FIPS compliant. The security policy in section 4 requires that "The source code that is compiled into the FIPS Object Module is bitwise identical to the source code used for the validation testing, and is compiled in the same way." > I've been told that I need to use the same version of OpenSSL that is > reflected in the base - i.e., I cannot use 0.9.8e. I don't think this is > correct as the FIPS 1.1.1 has been quite stable from what I can see, and that > the FIPS certificate is for the FIPS module independent of the base. Is this > a correct interpretation? According to the OpenSSL FIPS User Guide, the 1.1.1 FIPS module is only designed to work with the 0.9.7 series of OpenSSL. > Next, due to export regulations, we don't want any ciphers in this build that > weren't in the previous builds, so I executed a "./config no-idea > no-EXP1024..." and several others that were "top level". I don't want to muck > around in the build/release area to copy any configuration files at this time > (don't ask why) - I'm trying to build a compliant FIPS-based OpenSSL on my > own. It didn't seem to work for "no-idea" and some of the others. I'm > curious how I can validate the "./config" without having to completely read > through the config ->CONFIGURATION -> Makefile chain. When configuring the FIPS OpenSSL you may only specify the fips option to the config command. Anything else is a violation of the security policy and renders the result to be non-FIPS compliant. Section C.1 of the security policy states: "Build the OpenSSL FIPS Object Module from source after unpacking the source distribution opensslfips1.1.1.tar.gz. The FIPS specific code is incorporated into the generated FIPS Object Module file when the fips configuration option is specified as: $ ./config fips Note that no other configuration options may be specified by the user." Disclaimer: I am not an expert in OpenSSL or FIPS... just involved in a project that is using it. Troy ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
