Anybody have any insight? Any information gratefully received!

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Harvey Shepherd
Sent: Wednesday, 17 August 2011 12:06 p.m.
To: openssl-users@openssl.org
Subject: Using the FIPS Object Module

Hi All,

Sorry if the answer to this posting seems obvious, but I'm not very 
knowledgeable when it comes to build processes. I'm trying to build a version 
of Net-SNMP that only uses FIPS recognised algorithms for SNMPv3 user 
authentication and encryption (i.e. SHA-1 and AES-128). I have already compiled 
out usage of all other non-FIPS algorithms when building the Net-SNMP daemon, 
which currently links in the standard OpenSSL libcrypto library.

I am now trying to link it against the FIPS Object Module, which I have 
successfully built using a slightly modified version of the instructions in the 
User Guide, due to the build process and requirements for my target platform:

        export CROSS_COMPILE=ppc_8xx-; \
        ./Configure linux-generic32 fipscanisterbuild no-asm no-hw
        export CROSS_COMPILE=ppc_8xx-; \
        export HOSTCC=/usr/bin/gcc; \
        export FIPS_SIG=openssl-fips/incore; \
        $(MAKE) -C openssl-fips

I realise that these build changes make the result not FIPS certified, but my 
goal is to produce a version of Net-SNMP that is based on unmodified encryption 
algorithm implementations provided by a FIPS certified SSL library. The above 
build process seems to create a shared crypto library (libcrypto.so.0.9.8), 
even though I haven't built the standard OpenSSL distribution (i.e. it is not a 
FIPS Capable OpenSSL build). I have found that Net-SNMP happily uses this 
library for its encryption support and works with no problems.

So assuming that I want to produce a solution which I could get certified by 
FIPS if I chose to, my questions are:


1. Can I use this shared crypto library as-is, and not worry about 
creating a FIPS Capable OpenSSL build?

2. Is it still a good idea to perform the hashing verification steps in 
the User Guide and call FIPS_mode_set()?

3. Where does fipscanister fit into all this?

I'd be very grateful for any assistance you could provide with this.


Regards,
Harvey Shepherd
