Kyle Hamilton wrote:
The Security Policy is absolutely clear on this point.  (If you
haven't read it yet, you MUST, if you want to claim FIPS validation
for whatever you're putting it into.)  You can copy it from /usr/local
to wherever you need it, but in that case you also have to edit the
Makefile for OpenSSL to look for fipsld, fips_premain.c, and the
associated files.

For what it's worth, there are only two ways you can build the
FIPS-validated library on any UNIX-based system, each comprising three
steps.

Option 1:
./config fips
make
make install

Option 2:
./config fips no-asm
make
make install

-Kyle H

On Fri, Dec 19, 2008 at 9:13 PM, Victor Duchovni
<victor.ducho...@morganstanley.com> wrote:
On Fri, Dec 19, 2008 at 03:22:17PM -0800, Kyle Hamilton wrote:

The distribution will ALWAYS look for the FIPS files in
/usr/local/ssl/fips-1.0/lib/, since that is where they are put when
you follow the commands given in the Security Policy precisely (as you
must, if you want the validation to 'stick').

Can you elaborate on this point? We use AFS, software is never installed
in /usr/local. Rather there is a structured namespace for versioned
releases of software for a variety of system architectures. OpenSSL
libraries live in paths along the lines of:

   /afs/rdonly/sec/PROJ/openssl/0.9.8i/.exec/x86_64.linux.2.6.glibc.2.3/lib

and multiple versions of OpenSSL are installed at the same time, each in
their own release tree. Is it really not possible to build the fips code
to reside in non-default locations?

Note that the Security Policy is very inflexible regarding the *buildtime* process to create the FIPS Object Module (fipscanister.o et al.), but that *runtime* usage is not so heavily constrained. Specifically, once you create fipscanister.o per the Security Policy you can subsequently copy it to other locations such as your /afs/rdonly/... path.

-Steve M.

--
Steve Marquess
Open Source Software institute
marqu...@oss-institute.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
