According to the FIPS 140-2 User Guide Version 1.2
<snip>
4.2.2 Installing and Protecting the FIPS Object Module

The system administrator should install the generated fipscanister.o,
fipscanister.o.sha1, and fips_premain.c files in a location protected by the
host operating system security features. These protections should allow write
access only to authorized system administrators (FIPS 140-2 Crypto Officers)
and read access only to authorized users.
<end snip>

There is no required destination directory.  It gives /usr/local/lib/ as an
example.

Thanks,
Jerry




-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Kyle Hamilton
Sent: Friday, December 19, 2008 5:22 PM
To: openssl-users@openssl.org
Subject: Re: FIPS 1.2 and Openssl.

openssl-0.9.8-stable-SNAP-20081219.tar.gz recognizes the 'fips'
configuration parameter.

The distribution will ALWAYS look for the FIPS files in
/usr/local/ssl/fips-1.0/lib/, since that is where they are put when
you follow the commands given in the Security Policy precisely (as you
must, if you want the validation to 'stick').

-Kyle H

On Fri, Dec 19, 2008 at 2:43 PM, Collins, Jerry <j.coll...@tricorind.com> wrote:
> Hello,
>  I've been trying to upgrade our FIPS-compliant software to use the 1.2
> release.  I have to do this for both Windows and Unix.  To date I've
> been working on the Unix side but have had a number of problems.
>
>  1) Our original version used fipsld to build our executables.  However,
> I've been unable to get the current fipsld to work without some major
> changes to it.  My problem comes from when I try to validate the
> fingerprints within the fipsld procedure they don't match due to the
> fact that the sha1 files were created by computing them in the
> directories, while the validation with fipsld uses a relative path.  So
> at the very least we have a build result of "HMAC-SHA1(fipscanister.o)=
> 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5" and fipsld result of
> "HMAC-SHA1(<pathtofipsld>/../lib/fipscanister.o)=
> 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5".   When I asked on the list
> about this it was suggested that I use the static libraries instead of
> the fipsld procedure.
>
>  That brings us to:
>   2) Where do you get openssl-0.9.8j as suggested in the FIPS 140-2
> User Guide?  According to the User Guide, the version in
> openssl-fips-1.2 is not a good version of openssl.  I've downloaded
> openssl-0.9.8i and openssl-0.9.8-stable-SNAP-20081217 (which turns out
> to be another i version).
>
>  I tried to build the 0.9.8i version with the fips stuff, but the
> config files for 0.9.8i don't recognize the fips parameter.  I get
> "target already defined - solaris-sparcv9-cc (offending arg: fips)" when
> I try to configure for fips, regardless of whether I'm using the
> --with-fipslibdir parameter or not.  I tried overlaying the
> openssl-0.9.8i and openssl-fips-1.2 packages into a common directory,
> reserving the fips subdirectory set and the root files from the fips
> package and using the various subdirectories from the 0.9.8i set but
> then got a missing include file.
>
>  When I tried the openssl-0.9.8-stable-SNAP-20081217 set the ./config
> fips works, but if I try it with the --with-fipslibdir parameter
> pointing to the built fips lib I get the following, which tells me it
> doesn't recognize the --with-fipslibdir parameter.
>
> Configuring for solaris-sparcv9-cc
> Usage: Configure [no-<cipher> ...] [enable-<cipher> ...]
> [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx]
> [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic]
> [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR]
> [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity]
> os/compiler[:flags]
>
> So enough of that.  My problems are twofold: getting the right
> openssl-0.9.8 and integrating it with the openssl-fips-1.2 that I've
> managed to build on our system.  Any suggestions or answers will be
> greatly appreciated.
>
> Thanks,
> Jerry Collins
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
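The fingerprint mismatch described in point 1 above is a label mismatch, not a digest mismatch: both lines end in the same HMAC-SHA1 hex value and differ only in the path inside the parentheses. The POSIX shell snippet below is an added example (it is not from this thread and not OpenSSL's own fipsld) showing a comparison that isolates the hex digest field and ignores the path label; the two sample lines are constructed to match the shapes quoted in the message, and the long path is a made-up stand-in for "<pathtofipsld>/../lib".

```shell
#!/bin/sh
# Added example: compare "HMAC-SHA1(<path>)= <hex>" fingerprint lines by
# their digest field only. Not OpenSSL's fipsld; the sample lines are
# constructed for illustration.

# Print the hex digest from a "HMAC-SHA1(anything)= hex" line.
# The greedy ".*" skips everything up to the last ")= ", so any path
# (relative, absolute, containing "..") inside the parentheses is dropped.
digest_of() {
    printf '%s\n' "$1" | sed 's/^.*)= *//'
}

# Succeed (exit 0) only if both lines carry the same, well-formed digest.
# A naive whole-line comparison of these two inputs would fail, because
# the path labels differ even though the HMAC-SHA1 values are identical.
same_digest() {
    a=$(digest_of "$1")
    b=$(digest_of "$2")
    # Refuse anything that is not a 40-hex-digit SHA-1-sized digest.
    case "$a" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Constructed sample lines: the build-time fingerprint and the one fipsld
# prints when it reaches the object through a relative "../lib" path.
BUILD_LINE='HMAC-SHA1(fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5'
FIPSLD_LINE='HMAC-SHA1(/opt/fips/bin/../lib/fipscanister.o)= 895a2bbe267f7cee3aa74186a62b1be82ec6b2c5'

if same_digest "$BUILD_LINE" "$FIPSLD_LINE"; then
    echo "digests match (path label ignored)"
else
    echo "digests differ"
fi
```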