openssl-0.9.8-stable-SNAP-20081219.tar.gz recognizes the 'fips' configuration parameter.
The distribution will ALWAYS look for the FIPS files in /usr/local/ssl/fips-1.0/lib/, since that is where they are put when you follow the commands given in the Security Policy precisely (as you must, if you want the validation to 'stick').

-Kyle H

On Fri, Dec 19, 2008 at 2:43 PM, Collins, Jerry <j.coll...@tricorind.com> wrote:
> Hello,
> I've been trying to upgrade our FIPS-compliant software to use the 1.2
> release. I have to do this for both Windows and Unix. To date I've
> been working on the Unix side but have had a number of problems.
>
> 1) Our original version used fipsld to build our executables. However
> I've been unable to get the current fipsld to work without some major
> changes to it. My problem comes from when I try to validate the
> fingerprints within the fipsld procedure: they don't match due to the
> fact that the sha1 files were created by computing them in the
> directories, while the validation with fipsld uses a relative path. So
> at the very least we have a build result of
> "HMAC-SHA1(fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5"
> and a fipsld result of
> "HMAC-SHA1(<pathtofipsld>/../lib/fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5".
> When I asked on the list about this it was suggested that I use the
> static libraries instead of the fipsld procedure.
>
> That brings us to:
> 2) Where do you get openssl-0.9.8j as suggested in the FIPS 140-2
> User Guide? According to the User Guide, the version in
> openssl-fips-1.2 is not a good version of openssl. I've downloaded
> openssl-0.9.8i and openssl-0.9.8-stable-SNAP-20081217 (which turns out
> to be another i version).
>
> I tried to build the 0.9.8i version with the fips stuff, but the
> config files for 0.9.8i don't recognize the fips parameter. I get
> "target already defined - solaris-sparcv9-cc (offending arg: fips)" when
> I try to configure for fips, regardless of whether I'm using the
> --with-fipslibdir parameter or not.
>
> I tried overlaying the openssl-0.9.8i and openssl-fips-1.2 packages
> into a common directory, reserving the fips subdirectory set and the
> root files from the fips package and using the various subdirectories
> from the 0.9.8i set, but then got a missing include file.
>
> When I tried the openssl-0.9.8-stable-SNAP-20081217 set, the ./config
> fips works, but if I try it with the --with-fipslibdir parameter
> pointing to the built fips lib I get the following, which tells me it
> doesn't recognize the --with-fipslibdir parameter.
>
> Configuring for solaris-sparcv9-cc
> Usage: Configure [no-<cipher> ...] [enable-<cipher> ...]
> [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx]
> [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic]
> [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR]
> [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity]
> os/compiler[:flags]
>
> So enough of that. My problems are twofold: getting the right
> openssl-0.9.8 and integrating it with the openssl-fips-1.2 that I've
> managed to build on our system. Any suggestions or answers will be
> greatly appreciated.
>
> Thanks,
> Jerry Collins
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> ______________________________________________________________________
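The mismatch described in point 1 of the quoted message is worth looking at closely: the two lines carry the same 40-hex-digit digest and differ only in the path inside the parentheses, so a check that compares whole lines fails while the object itself is intact. The following is an added example, not code from this thread or from OpenSSL, showing how to parse the `HMAC-SHA1(path)= digest` line format, recompute the fingerprint over the object bytes, and compare digests rather than labels. It assumes the HMAC key `etaonrishdlcupfm` used by the FIPS module's `fips_standalone_sha1` utility (confirm this against your own copy of the module source) and uses a constructed byte string in place of a real `fipscanister.o`.

```python
import hashlib
import hmac
import re

# Key used by fips_standalone_sha1 when fingerprinting the FIPS canister
# (assumption: taken from the OpenSSL FIPS module sources; verify locally).
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Matches the "HMAC-SHA1(<label>)= <40 hex chars>" line that openssl dgst
# and fipsld emit. The label is whatever path was passed on the command line,
# which is exactly why build-time and link-time lines can differ.
FINGERPRINT_RE = re.compile(
    r"^HMAC-SHA1\((?P<path>.*)\)=\s*(?P<digest>[0-9a-fA-F]{40})\s*$"
)


def fingerprint(data: bytes) -> str:
    """HMAC-SHA1 of the object bytes under the fixed FIPS key, as lowercase hex."""
    return hmac.new(FIPS_HMAC_KEY, data, hashlib.sha1).hexdigest()


def format_line(label: str, data: bytes) -> str:
    """Produce a fingerprint line in the same shape as the .sha1 files."""
    return f"HMAC-SHA1({label})= {fingerprint(data)}"


def parse_line(line: str):
    """Split a fingerprint line into (label, digest); reject anything else."""
    match = FINGERPRINT_RE.match(line.strip())
    if match is None:
        raise ValueError(f"not an HMAC-SHA1 fingerprint line: {line!r}")
    return match.group("path"), match.group("digest").lower()


def lines_match_naively(a: str, b: str) -> bool:
    """The comparison that fails in the thread: whole-line string equality."""
    return a.strip() == b.strip()


def digests_match(a: str, b: str) -> bool:
    """Compare only the digest field, ignoring the path label."""
    _, da = parse_line(a)
    _, db = parse_line(b)
    return hmac.compare_digest(da, db)


def verify_object(data: bytes, recorded_line: str) -> bool:
    """Recompute the fingerprint over the bytes and compare to the recorded digest."""
    _, recorded = parse_line(recorded_line)
    return hmac.compare_digest(fingerprint(data), recorded)


# Constructed stand-in for the canister object; a real check reads the file.
CANISTER = b"constructed stand-in for fipscanister.o\n"

# Line written at build time, from inside the lib directory.
BUILD_LINE = format_line("fipscanister.o", CANISTER)
# Line produced later by a fipsld-style check that used a relative path.
FIPSLD_LINE = format_line("/opt/fipsld/../lib/fipscanister.o", CANISTER)

if __name__ == "__main__":
    print(BUILD_LINE)
    print(FIPSLD_LINE)
    print("whole-line match:", lines_match_naively(BUILD_LINE, FIPSLD_LINE))
    print("digest match:    ", digests_match(BUILD_LINE, FIPSLD_LINE))
    print("object verifies: ", verify_object(CANISTER, BUILD_LINE))
    print("tampered verifies:", verify_object(CANISTER + b"x", BUILD_LINE))
```

Run as a script it prints both lines and shows that the whole-line comparison fails while the digest comparison and the recomputed fingerprint both succeed; appending a single byte to the object makes `verify_object` return false. The label is informational only and should not take part in the integrity decision.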