Hi Steve, Thanks for the reply - I appreciate it. Please see my comments below.
> > Sorry if the answer to this posting seems obvious, but I'm not very > knowledgeable when it comes to build processes. I'm trying to build a > version of Net-SNMP that only uses FIPS recognised algorithms for > SNMPv3 user authentication and encryption (i.e. SHA-1 and AES-128). I > have already compiled out usage of all other non-FIPS algorithms when > building the Net-SNMP daemon, which currently links in the standard > OpenSSL libcrypto library. > > > > I am now trying to link it against the FIPS Object Module, which I > have successfully built using a slightly modified version of the > instructions in the User Guide, due to the build process and > requirements for my target platform: > > > > export CROSS_COMPILE=ppc_8xx-; \ > > ./Configure linux-generic32 fipscanisterbuild no-asm no-hw > > export CROSS_COMPILE= ppc_8xx-; \ > > export HOSTCC=/usr/bin/gcc; \ > > export FIPS_SIG=openssl-fips/incore; \ > > $(MAKE) -C openssl-fips > > > > I realise that these build changes make the result not FIPS > certified, but my goal is to produce a version of Net-SNMP that is > based on unmodified encryption algorithm implementations provided by a > FIPS certified SSL library. The above build process seems to create a > shared crypto library (libcrypto.so.0.9.8), even though I haven't built > the standard OpenSSL distribution (i.e. it is not a FIPS Capable > OpenSSL build). I have found that Net-SNMP happily uses this library > for its encryption support and works with no problems. > > > > So assuming that I want to produce a solution which I could get > certified by FIPS if I chose to, my questions are: > > > > > > 1. Can I use this shared crypto library as-is, and not worry > about creating a FIPS Capable OpenSSL build? > > > > 2. Is it still a good idea to perform the hashing verification > steps in the User Guide and call FIPS_mode_set()? > > > > 3. Where does fipscanister fit into all this? > > > > I'd be very grateful for any assistance you could provide with this. > > Building the FIPS module (fipscanister.o) and the usual shared > libraries > out of the same source distribution is unwise. For the older v1.2.3 > module, the shared libraries generated as a byproduct of the FIPS > module > build are unsupported, buggy, and obsolete. For the upcoming v2.0 > module, currently only in HEAD, the shared libraries are not "FIPS > capable". > > Please, please always keep in mind that the OpenSSL FIPS Object Module > and the OpenSSL library are separate and distinct software components. > They should be built separately, with the "FIPS capable" OpenSSL > libraries incorporating the independently generated FIPS module. > > For the v1.2.3 module use > http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz for the FIPS > module and the latest 0.9.8 distribution (currently 0.9.8r) for the > FIPS > capable libraries. > I have those two components already, but from my reading the User Guide doesn't seem to say that the two MUST be linked together, and since the crypto library produced by the FIPS Object Module seemed to provide all the SHA-1 and AES-128 functionality I needed for Net-SNMP, I was hoping I could get away without using base OpenSSL at all (in order to reduce complexity and the library size). I have now changed my build process to statically link the crypto library with Net-SNMP, and hence I'm not using the shared library any longer. But remember that due to the build changes required by my application for cross compilation on my platform, the result will not be FIPS certified anyway. What I'm trying to produce is a solution using unmodified algorithms implemented by a FIPS certified encryption module, so that I can easily obtain certification myself if desired. > Building the FIPS module and the FIPS capable libraries merely gives > you > the means to reference the *potentially* validated FIPS module from an > application. For that application to claim use of FIPS validated > cryptography you need to do several other things besides building the > FIPS module in accordance with the Security Policy, such as making sure > the FIPS capable libraries are used for *all* cryptographic operations, > and enabling the FIPS mode with FIPS_mode_set(). > It was my hope that in exclusively using the FIPS Object Module crypto library, there would be no need to worry about enabling FIPS mode, as I assumed that the FIPS Object Module would not implement anything that was outside of the FIPS mandate. As I noted above, I can't follow the Security Policy guidelines exactly anyway, due to my build changes. > An attempt was made to document the various aspects of this process in > the User Guide, http://www.openssl.org/docs/fips/UserGuide.pdf. > Yes, I've read this document from cover to cover but it doesn't really cover cross-compilation at all, apart from a single mention that it can be done. It doesn't specify if the setting of environment variables such as CROSS_COMPILE prior to performing the build invalidates the FIPS certification, or explain exactly how the cross compilation should be performed. Regards, Harvey ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
