Hi,

I have gone through the security policy (http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and the user guide (http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).

I have changed the configuration option to:

1. opensslfips1.2

./config fipscanisterbuild
make

2. openssl 9.8j

./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl --with-fipslibdir=/home/rajan/openssl/opensslfips1.2/fips64/openssl-fips-1.2/fips fips no-idea no-rc5 no-ec no-symlinks shared threads aix64-xlc_r
make
make test

But still I am getting the same error:

test SSL protocol
test ssl3 is forbidden in FIPS mode
508008:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
test ssl2 is forbidden in FIPS mode
508010:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
test tls1
508012:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
make: The error code from the last command is 1.
Stop.
make: The error code from the last command is 2.
Stop.

But I have tested ./fips_test_suite and it works fine:

$ ./fips_test_suite
FIPS-mode test application

1. Non-Approved cryptographic operation test...
    a. Included algorithm (D-H)...successful
2. Automatic power-up self test...successful
3. AES encryption/decryption...successful
4. RSA key generation and encryption/decryption...successful
5. DES-ECB encryption/decryption...successful
6. DSA key generation and signature validation...successful
7a. SHA-1 hash...successful
7b. SHA-256 hash...successful
7c. SHA-512 hash...successful
7d. HMAC-SHA-1 hash...successful
7e. HMAC-SHA-224 hash...successful
7f. HMAC-SHA-256 hash...successful
7g. HMAC-SHA-384 hash...successful
7h. HMAC-SHA-512 hash...successful
8. Non-Approved cryptographic operation test...
    a. Included algorithm (D-H)...successful as expected
9. Zero-ization...
    Generated 128 byte RSA private key
    BN key before overwriting:
77eed34099e0d0dc56d316727fd2217c3bc0f6409bc1cd12ffdb427101218787e5bcc0013f58d1633b3f8934c1cf65a05744701fefc80dd92ac7ac4e88ff91ae18c5dda39e77257e3be162cda8f252dfca19dc3998af38b6de90c766295dfd74db93ea66333f3c91c35d8958292f205a6d89d4332f913f21fb6756179008ef29
    BN key after overwriting:
5171b0a563d968222705431c1abf13bef9780e38a28817d7a36c953d18179e2330ee87d363b8154e2d268eb5aed447bd6419da455d390ce70891bf0512360721e0be0e44c32489e1c975436fa752460397a8e921a0ad64eee7200abe57c2807925edc105a5233da59dd7b4a26a675a2683d5cbee2d87f02fefbfaab5c355e264
    char buffer key before overwriting:
4850f0a33aedd3af6e477f8302b10968
    char buffer key after overwriting:
96a916306b46b3d4189fa6d1b04a4ed9
    successful as expected

All tests completed with 0 errors

$ ./fips_test_suite aes
FIPS-mode test application

AES encryption/decryption with corrupted KAT...
ERROR:2d06e065:lib=45,func=110,reason=101:file=fips_aes_selftest.c:line=98:
Power-up self test failed

$ ./fips_test_suite sha1
FIPS-mode test application

SHA-1 hash with corrupted KAT...
ERROR:2d073065:lib=45,func=115,reason=101:file=fips_sha1_selftest.c:line=90:
Power-up self test failed

These things work fine.

Can you please tell me where I am going wrong?

Thanks
Rajan

On Thu, Jan 22, 2009 at 4:56 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> Yeah. You're violating the Security Policy of the FIPS-validated
> module, and thus you will NEVER get a validated build. READ THE
> SECURITY POLICY.
>
> You need to use './config fipscanisterbuild' or './config
> fipscanisterbuild no-asm'. If you don't use one of these configs,
> you're not going to get a validated build out of it.
>
> Further, you don't use '--with-fipslibdir=$fipslibdir' -- if you used
> 'make install' from the FIPS validated build, 0.9.8j will
> automatically use the standard FIPS module installation path. (You're
> essentially passing '--with-fipslibdir=', which screws up where it
> looks for the module for the build.)
>
> Read the security policy, and read the user guide. If you don't, and
> you continue asking questions that show that you haven't, you're
> unlikely to get any more or more useful answers.
>
> -Kyle H
>
> On Thu, Jan 22, 2009 at 3:02 AM, rajan chittil <rajanchit...@gmail.com>
> wrote:
> >
> > Hi All,
> >
> > Can anyone tell me please where I am going wrong?
> >
> > Thanks
> >
> > Rajan
> > On Wed, Jan 21, 2009 at 11:52 PM, joshi chandran
> > <joshichandran...@gmail.com> wrote:
> >>
> >> I have used the same security policy step.
> >>
> >> openssl fips 1.2
> >> 1. ./Configure fipscansiterbuild aix-cc
> >> 2. make
> >> 3. make install
> >>
> >> openssl 9.8j
> >> 1. ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
> >> --with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared
> >> threads aix-xlc_r
> >> 2. make
> >> 3. make test
> >>
> >> Can you please tell me where I have gone wrong
> >>
> >> Thanks
> >>
> >> Rajan
> >> On Wed, Jan 21, 2009 at 10:50 PM, Dr. Stephen Henson <st...@openssl.org>
> >> wrote:
> >>>
> >>> On Wed, Jan 21, 2009, rajanchittil wrote:
> >>>
> >>> >
> >>> > Hi All,
> >>> >
> >>> > I am new to openssl and I am first time building openssl source code.
> >>> >
> >>> > I have built openssl fips 1.2
> >>> >
> >>> > ./Configure fipscansiterbuild aix-cc
> >>> > make
> >>> >
> >>> > It generated the fips module
> >>> >
> >>>
> >>> That build procedure violates the security policy so the result is not
> >>> validated.
> >>>
> >>> Steve.
> >>> --
> >>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> >>> OpenSSL project core developer and freelance consultant.
> >>> Homepage: http://www.drh-consultancy.demon.co.uk
> >>> ______________________________________________________________________
> >>> OpenSSL Project http://www.openssl.org
> >>> User Support Mailing List openssl-users@openssl.org
> >>> Automated List Manager majord...@openssl.org
> >>
> >> --
> >> Regards
> >> Joshi Chandran