Thanks. I was using an older User Guide. The newest one does indeed state that the FIPS module is no longer a subset, but that validation was considered only on a completed distribution. Alas, now I have some real problems if I am limited to 0.9.7.
> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:owner-openssl- > [EMAIL PROTECTED] On Behalf Of Troy Monaghen > Sent: Friday, June 01, 2007 7:20 AM > To: openssl-users@openssl.org > Subject: Re: Q's on making 0.9.8e with FIPS 1.1.1 andno-cipher/enable- > cipher > > > On Thu, 2007-05-31 at 22:09 -0700, Carlo Milono wrote: > > On a Linux AS4 machine, I was able to successfully build both 0.9.8.e > and FIPS 1.1.1 and have both pass all tests :-) > > > > The VERSION in the FIPS Makefile is different than the version of the > base OpenSSL, and the only way to change the output of "openssl version" > is to change the header file. I've done that to reflect the base (23 Feb > 2007) so that now when I execute "openssl version" it reflects both the > base and the fact that it is linked with the FIPS module. > > If you modified the header in the FIPS tree then you are not FIPS > compliant. The security policy in section 4 requires that "The source > code that is compiled into the FIPS Object Module is bitwise identical > to the source code used for the validation testing, and is compiled in > the same way." > > > I've been told that I need to use the same version of OpenSSL that is > reflected in the base - i.e., I cannot use 0.9.8e. I don't think this is > correct as the FIPS 1.1.1 has been quite stable from what I can see, and > that the FIPS certificate is for the FIPS module independent of the base. > Is this a correct interpretation? > > According to the OpenSSL FIPS User Guide, the 1.1.1 FIPS module is only > designed to work with the 0.9.7 series of OpenSSL. > > > Next, due to export regulations, we don't want any ciphers in this build > that weren't in the previous builds, so I executed a "./config no-idea no- > EXP1024..." and several others that were "top level". I don't want to muck > around in the build/release area to copy any configuration files at this > time (don't ask why) - I'm trying to build a compliant FIPS-based OpenSSL > on my own. It didn't seem to work for "no-idea" and some of the others. > I'm curious how I can validate the "./config" without having to completely > read through the config ->CONFIGURATION -> Makefile chain. > > When configuring the FIPS OpenSSL you may only specify the fips option > to the config command. Anything else is a violation of the security > policy and renders the result to be non-FIPS compliant. Section C.1 of > the security policy states: > > "Build the OpenSSL FIPS Object Module from source after unpacking the > source distribution opensslfips1.1.1.tar.gz. The FIPS specific code is > incorporated into the generated FIPS Object Module file when the fips > configuration option is specified as: > $ ./config fips > Note that no other configuration options may be specified by the user." > > > Disclaimer: I am not an expert in OpenSSL or FIPS... just involved in a > project that is using it. > > > Troy > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
