On Fri, Dec 19, 2008, Collins, Jerry wrote:

> Hello,
> I've been trying to upgrade our FIPS compliant software to use the 1.2
> release. I have to do this for both Windows and Unix. To date I've
> been working on the Unix side but have had a number of problems.
>
> 1) Our original version used fipsld to build our executables. However
> I've been unable to get the current fipsld to work without some major
> changes to it. My problem comes from when I try to validate the
> fingerprints within the fipsld procedure they don't match due to the
> fact that the sha1 files were created by computing them in the
> directories, while the validation with fipsld uses a relative path. So
> at the very least we have a build result of "HMAC-SHA1(fipscanister.o)=
> 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5" and fipsld result of
> "HMAC-SHA1(<pathtofipsld>/../lib/fipscanister.o)=
> 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5". When I asked on the list
> about this it was suggested that I use the static libraries instead of
> the fipsld procedure.
>

Well I suggested using shared libraries instead. Then you can avoid the
fipsld procedure entirely.

Please state the command you are passing to fipsld to get those paths in
the file. Note you should set the FIPSLIBDIR environment variable if the
validated module is in an alternative location.

> That brings us to:
> 2) Where do you get openssl-0.9.8j as suggested in the FIPS 140-2
> User Guide. According to the User Guide, the version in
> openssl-fips-1.2 is not a good version of openssl. I've downloaded
> openssl-0.9.8i and openssl-0.9.8-stable-SNAP-20081217 (which turns out
> to be another i version).
>

The 0.9.8j release has unfortunately been delayed. The 0.9.8i release has
no fips functionality so that won't work. A recent 0.9.8-stable snapshot
should work.

>
> When I tried the openssl-0.9.8-stable-SNAP-20081217 set the ./config
> fips works, but if I try it with the --with-fipslibdir parameter
> pointing to the built fips lib I get the following, which tells me it
> doesn't recognize the --with-fipslibdir parameter.
>
> Configuring for solaris-sparcv9-cc
> Usage: Configure [no-<cipher> ...] [enable-<cipher> ...]
> [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx]
> [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic]
> [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR]
> [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity]
> os/compiler[:flags]
>

The format of that option is --with-fipslibdir=/path/to/validated/module

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
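The mismatch Jerry describes is in the path label printed inside the parentheses, not in the digest itself, so an integrity check should compare only the 40-hex-digit HMAC-SHA1 value. The following is an added example, not code from the thread or from OpenSSL's own fipsld; the module bytes and the path in FIPSLD_LINE are constructed, and FIPS_HMAC_KEY is the fixed key fipsld/fips_premain use to fingerprint fipscanister.o.

```python
import hashlib
import hmac
import re

# Fixed key used by OpenSSL's fipsld/fips_premain to HMAC-SHA1 the
# FIPS module object (fipscanister.o).
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Matches an "openssl sha1 -hmac" style line such as
#   HMAC-SHA1(../lib/fipscanister.o)= 895a2bbe...
# capturing only the hex digest; the path label is deliberately ignored.
FINGERPRINT_RE = re.compile(
    r"^HMAC-SHA1\((?P<path>.*)\)=\s*(?P<digest>[0-9a-fA-F]{40})\s*$"
)


def parse_fingerprint_line(line: str) -> str:
    """Return the lowercase hex digest from a fingerprint line, else raise ValueError."""
    m = FINGERPRINT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an HMAC-SHA1 fingerprint line: {line!r}")
    return m.group("digest").lower()


def module_fingerprint(module_bytes: bytes) -> str:
    """HMAC-SHA1 of the module bytes under the fixed fipsld key."""
    return hmac.new(FIPS_HMAC_KEY, module_bytes, hashlib.sha1).hexdigest()


def fingerprint_matches(module_bytes: bytes, sha1_file_line: str) -> bool:
    """True when the recomputed digest equals the recorded one, whatever path
    label either side printed; constant-time compare to avoid timing leaks."""
    expected = parse_fingerprint_line(sha1_file_line)
    return hmac.compare_digest(module_fingerprint(module_bytes), expected)


# Constructed stand-in for fipscanister.o; a real check reads the object file.
SAMPLE_MODULE = b"\x7fELF constructed stand-in for fipscanister.o\n"

# The build step recorded the digest with a bare filename ...
BUILD_LINE = f"HMAC-SHA1(fipscanister.o)= {module_fingerprint(SAMPLE_MODULE)}"
# ... while fipsld labels the same digest with a relative path (constructed).
FIPSLD_LINE = (
    f"HMAC-SHA1(/opt/ssl/bin/../lib/fipscanister.o)= {module_fingerprint(SAMPLE_MODULE)}"
)

if __name__ == "__main__":
    print("build line matches:", fingerprint_matches(SAMPLE_MODULE, BUILD_LINE))
    print("fipsld line matches:", fingerprint_matches(SAMPLE_MODULE, FIPSLD_LINE))
    print("tampered module matches:", fingerprint_matches(SAMPLE_MODULE + b"x", FIPSLD_LINE))
```

Both labelled lines verify against the same module bytes, while any change to the module bytes fails the check.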