Take everything I say here with a grain of salt: I'm not a FIPS expert, and it's entirely possible that I am misinterpreting something that I read. If Steve M wants to weigh in and verify or debunk my interpretation, I would not object! :)
The answer to your question is: there might be, but this is FAR beyond the level where anyone other than a specialist will be able to help you.

This can be done if (and only if) ALL of the following are true:

1) you can cobble up an environment where you create the fipscanister using only unmodified sources into a binary that will load and run in your monolithic environment, only using one of the four command lines allowed by the Security Policy;
2) you can link the fipscanister.o file into your proprietary kernel, including all its validation mechanisms (fips_premain.c);
3) you can port the OpenSSL code, 0.9.8j or later, into your proprietary kernel;
4) you can perform any steps necessary to configure 0.9.8j to realize that the FIPS canister is there.

The security policy states only that the fipscanister.o must be created in the manner detailed in the security policy, and fips_premain.c must be compiled and linked in. Once it's created, you can copy it anywhere, you can do anything with it, as long as you don't violate the process of creation. (The process of creation includes the embedding of the keyed MAC into the fipscanister.o library.) You also cannot edit fips_premain.c, and your build environment must include the fipscanister.o.sha1 and fips_premain.c.sha1 files.

More notably, the security policy does NOT state that you must use the provided fipsld script to link. As long as all the steps performed by the fipsld script are performed, then you will be able to use FIPS_mode_set() from within your monolithic kernel.

At least it sounds like you're not using shared libraries. This makes things MUCH less difficult for you.

However, it is important to recognize that fipsld does everything it can to set fips_premain.c to run before the main() entry point. Your environment cannot allow for that -- but you still must set it up so that FINGERPRINT_premain() runs before the first invocation to FIPS_mode_set(). This should be done as early in your startup process as possible, but if you want to make it possible to figure out what it might complain about you MUST do it *AFTER* you initialize stdio (it prints diagnostics to stderr).

Also, once your application is in FIPS mode, absolutely no other source of cryptographic provision (no sources of random number generation, no sources of hash algorithms, no sources of symmetric cryptography, no sources of asymmetric cryptography) may be used*. Once FIPS_mode_set() is called, OpenSSL will enforce this as relates to calls into the library itself. However, it's your responsibility to make sure that no other crypto implementations exist in your code.

Good luck!

-Kyle H

*: You actually can use other FIPS-validated modules to provide cryptographic services to your application, but if you want to move key data from one module to another you must first export it, with encryption, from the one module that has it -- and then import it into the other module and only then decrypt it. With OpenSSL, no key-storage facilities are present, so you don't have much to worry about on this score -- just remember that FIPS mandates that any key-storage facilities only release their private and symmetric keys once they've been encrypted.

2009/2/26 smitha daggubati <smithad...@gmail.com>:
> Hello all,
> I am going through the FIPS userguide and security policy documents and have
> a few questions.
> We have a proprietary kernel where we already have ported the openssl code.
> Our proprietary kernel is a monolithic kernel and to port the openssl library
> we had to modify the openssl code. A simple example of the modifications we
> had to do was to replace "include stdio.h" with our specific files. There
> were other modifications as well but all were tailored with getting the
> openssl sources to compile as part of our kernel and not any with the general
> ssl code as such.
>
> Now we have plans to make our openssl FIPS Capable. Going through the
> Userguide and security doc looks like there are specific steps that need to
> be followed for
> a) compiling
> b) linking
>
> I can think of getting the fipscanister.o by following the exact compilation
> steps mentioned in the userguide and then point my modified ssl sources to
> use the above fipscanister.o. (I am not even sure that this is possible
> without modifications but let's assume it is for now)
>
> I am not sure of the linking step though because as I said earlier we have a
> monolithic kernel that means I cannot use the fipsld utility. Also it being a
> monolithic kernel there is no separation between the application and the
> fipscanister library.
> Is there any way I can make my implementation of openssl FIPS capable and FIPS
> compliant?
>
> thanks for your time
>
> smitha

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
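
Added example, not part of the original thread and not OpenSSL project code: a pre-link gate that a custom link step replacing fipsld could run, refusing to proceed unless fipscanister.o and fips_premain.c both match their companion .sha1 files. It assumes each .sha1 file holds one line of the form `HMAC-SHA1(<name>)= <hex>` and that the MAC key is supplied by the caller; the function names, the key and the sample files are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumed digest-file format (not stated in the post): "HMAC-SHA1(<name>)= <hex>"
DIGEST_LINE = re.compile(r"^HMAC-SHA1\(([^)]+)\)=\s*([0-9a-fA-F]{40})$")

def keyed_mac(path, key):
    """HMAC-SHA1 of a file, streamed in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def check_artifact(path, key):
    """Return "ok", or the reason the artifact fails against '<path>.sha1'."""
    for p in (path, path + ".sha1"):
        if not os.path.isfile(p):
            return "missing: " + os.path.basename(p)
    with open(path + ".sha1", encoding="ascii", errors="replace") as fh:
        m = DIGEST_LINE.match(fh.read().strip())
    if m is None:
        return "digest file malformed"
    if not hmac.compare_digest(m.group(2).lower(), keyed_mac(path, key)):
        return "MAC mismatch"
    return "ok"

def link_gate(build_dir, key, names=("fipscanister.o", "fips_premain.c")):
    """Map each failing artifact to its reason; an empty dict means proceed."""
    results = {n: check_artifact(os.path.join(build_dir, n), key) for n in names}
    return {n: r for n, r in results.items() if r != "ok"}

def demo():
    """Constructed artifacts and key: verify, then edit fips_premain.c."""
    key = b"constructed-demo-key"  # placeholder, not the real tooling's key
    files = {"fipscanister.o": b"\x7fELF demo", "fips_premain.c": b"/* demo */"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(body)
            with open(path + ".sha1", "w") as fh:
                fh.write("HMAC-SHA1(%s)= %s\n" % (name, keyed_mac(path, key)))
        clean = link_gate(d, key)
        with open(os.path.join(d, "fips_premain.c"), "ab") as fh:
            fh.write(b"/* edited */")
        return clean, link_gate(d, key)
```

Calling `demo()` returns the gate's result before and after the constructed fips_premain.c is edited, so the second result names the file that no longer matches its digest.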