Hello,

I've been trying to upgrade our FIPS-compliant software to use the 1.2 release. I have to do this for both Windows and Unix. To date I've been working on the Unix side but have had a number of problems.

1) Our original version used fipsld to build our executables. However, I've been unable to get the current fipsld to work without some major changes to it. My problem comes when I try to validate the fingerprints within the fipsld procedure: they don't match, due to the fact that the sha1 files were created by computing them in the directories, while the validation with fipsld uses a relative path. So at the very least we have a build result of "HMAC-SHA1(fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5" and a fipsld result of "HMAC-SHA1(<pathtofipsld>/../lib/fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5". When I asked on the list about this, it was suggested that I use the static libraries instead of the fipsld procedure. That brings us to:

2) Where do you get openssl-0.9.8j, as suggested in the FIPS 140-2 User Guide? According to the User Guide, the version in openssl-fips-1.2 is not a good version of openssl. I've downloaded openssl-0.9.8i and openssl-0.9.8-stable-SNAP-20081217 (which turns out to be another i version).

I tried to build the 0.9.8i version with the fips stuff, but the config files for 0.9.8i don't recognize the fips parameter. I get "target already defined - solaris-sparcv9-cc (offending arg: fips)" when I try to configure for fips, regardless of whether I'm using the --with-fipslibdir parameter or not.

I tried overlaying the openssl-0.9.8i and openssl-fips-1.2 packages into a common directory, reserving the fips subdirectory set and the root files from the fips package and using the various subdirectories from the 0.9.8i set, but then got a missing include file.

When I tried the openssl-0.9.8-stable-SNAP-20081217 set, the ./config fips works, but if I try it with the --with-fipslibdir parameter pointing to the built fips lib I get the following, which tells me it doesn't recognize the --with-fipslibdir parameter.

    Configuring for solaris-sparcv9-cc
    Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
           [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads]
           [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso]
           [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]]
           [--test-sanity] os/compiler[:flags]

So enough of that. My problems are twofold: getting the right openssl-0.9.8 and integrating it with the openssl-fips-1.2 that I've managed to build on our system.

Any suggestions or answers will be greatly appreciated.

Thanks,
Jerry Collins
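A diagnostic for the fingerprint mismatch described in item 1, as an added example that is not part of the original post and is not fipsld's own code: it splits each "HMAC-SHA1(<label>)= <hex>" line into label and digest and reports whether two lines differ only in the path label or in the digest itself. The function names are hypothetical; the first two sample lines are the ones quoted in the post, and the third is constructed.

```shell
#!/bin/sh
# Added example: classify how two "HMAC-SHA1(<label>)= <hex>" lines differ.

# Print the hex digest (text after the last ")= "), lower-cased.
hmac_digest() {
    printf '%s\n' "$1" | sed 's/^.*)= *//' | tr 'A-F' 'a-f'
}

# Print the label: the file name or path between "(" and ")= ".
hmac_label() {
    printf '%s\n' "$1" | sed 's/^[^(]*(\(.*\))= .*$/\1/'
}

# Print "match", "label-only" or "digest-differs" for two fingerprint lines.
classify_fingerprints() {
    if [ "$1" = "$2" ]; then
        echo match
    elif [ "$(hmac_digest "$1")" = "$(hmac_digest "$2")" ]; then
        echo label-only      # same bytes hashed, only the printed path differs
    else
        echo digest-differs  # the object file or the key really is different
    fi
}

# The two lines quoted in the post.
build_line='HMAC-SHA1(fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5'
link_line='HMAC-SHA1(<pathtofipsld>/../lib/fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5'
# Constructed line with a different digest, for contrast.
other_line='HMAC-SHA1(fipscanister.o)= 0000000000000000000000000000000000000000'

printf '%s vs %s: %s\n' "$(hmac_label "$build_line")" "$(hmac_label "$link_line")" \
    "$(classify_fingerprints "$build_line" "$link_line")"
printf 'constructed contrast: %s\n' "$(classify_fingerprints "$build_line" "$other_line")"
```

A "label-only" result means the stored and recomputed digests agree and only a whole-line string comparison would report a mismatch.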