First, you need to follow the Security Policy exactly. While you can end up with a module that reports itself as being FIPS validated without following the policy, you cannot claim that it is the FIPS validated module if you don't follow the security policy. The fipscanisterbuild needs to be done using the openssl-fips-1.2 distribution, not openssl-0.9.8. After you build the fips canister, you then build the openssl-0.9.8 of your choice (it has to be 0.9.8j or later, and I highly recommend "later" if you're planning to use ssl, and not just crypto routines). Finally, you need to use a specialized process to link your application; I recommend using the fipsld script, or a modification of it (if, for example, your application is C++ instead of C, the original fipsld script probably won't work). Just be sure your modifications to the script still follow all the rules in the security policy (changing fipsld to invoke a C++ compiler for the link is trivial to do while still following the policy). The OpenSSL FIPS User Guide is very helpful; you can find a copy of it here: http://www.openssl.org/docs/fips/UserGuide-1.2.pdf.
> -----Original Message-----
> From: [email protected] [mailto:owner-openssl-[email protected]] On Behalf Of kevin747
> Sent: Wednesday, August 18, 2010 9:46 PM
> To: [email protected]
> Subject: openssl FIPS on linux
>
> Hi all,
>
> I want to use FIPS mode under linux. With openssl-0.9.8o, I typed "./config fipscanisterbuild" and then typed "make". The compile was successful.
> Then I did a test about fips, below is my test code (main.cpp):
>
> #include <iostream>
> #include <openssl/ssl.h>
> #include <openssl/fips.h>
>
> int main(int argc, char *argv[])
> {
>     OpenSSL_add_all_algorithms();
> #ifdef OPENSSL_FIPS
>     std::cout << "OPENSSL_FIPS be defined" << std::endl;
>     bool bRet = FIPS_mode();
>     if(bRet)
>         std::cout << "Already in fips mode" << std::endl;
>     else
>     {
>         bRet = FIPS_mode_set(1);
>         if(bRet)
>             std::cout << "FIPS mode set ok" << std::endl;
>         else
>             std::cout << "FIPS mode set failed" << std::endl;
>     }
> #else
>     std::cout << "OPENSSL_FIPS not be defined" << std::endl;
> #endif
>     return 0;
> }
>
> And my Makefile is like:
>
> XX = g++
> CFLAGS = -DOPENSSL_FIPS -I/usr/local/openssl-0.9.8o/include
> LDFLAGS = --enable-auto-import -L/usr/local/openssl-0.9.8o/lib -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl
>
> TARGET = ./test
> %.o : %.c
> 	$(CC) $(CFLAGS) -c $< -o $@ -g
> %.o : %.cpp
> 	$(XX) $(CFLAGS) -c $< -o $@ -g
>
> SOURCES = $(wildcard *.c *.cpp)
> OBJS = $(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES)))
>
> $(TARGET) : $(OBJS)
> 	$(XX) $(OBJS) -o $(TARGET) $(LDFLAGS)
> 	chmod a+x $(TARGET)
>
> clean:
> 	rm $(OBJS)
>
> And the output is:
>
> x...@xxx-desktop:~/test$ ./test
> OPENSSL_FIPS be defined
> FIPS mode set failed
>
> Can anyone see where I have made mistakes? Any suggestion would be much appreciated.
>
> Best Regards,
> rentt
> --
> View this message in context: http://old.nabble.com/openssl-FIPS-on-linux-tp29477756p29477756.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
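The three-step sequence in the reply (canister from openssl-fips-1.2 via fipscanisterbuild, then a 0.9.8j-or-later OpenSSL built with the fips option, then a link through fipsld) as an added build driver. This is example code, not code from the thread or from the OpenSSL project. The source directory names, the install prefix, the location of the fipsld script and its FIPSLD_CC variable are assumptions about a hypothetical layout; the link step covers the C case only, since the reply notes that C++ needs a modified fipsld. Check each assumption against your own copy of the Security Policy and User Guide before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSSL project: a build
# driver that follows the three steps the reply lists. Directory names,
# PREFIX, FIPSLD and the FIPSLD_CC variable are assumptions about the layout.
set -e

FIPS_SRC=${FIPS_SRC:-$PWD/openssl-fips-1.2}   # assumed: unpacked openssl-fips-1.2 source tree
OSSL_SRC=${OSSL_SRC:-$PWD/openssl-0.9.8o}     # assumed: unpacked openssl-0.9.8o source tree
PREFIX=${PREFIX:-/usr/local/ssl}              # assumed install prefix for the 0.9.8 build
FIPSLD=${FIPSLD:-$PREFIX/bin/fipsld}          # assumed location of the fipsld script

# Pull the 0.9.8x version out of a source directory name such as
# "/path/openssl-0.9.8o"; prints nothing for any other name.
version_from_dir() {
    basename "$1" | sed -n 's/^openssl-\(0\.9\.8[a-z]*\)$/\1/p'
}

# Succeeds only for 0.9.8j or later: the reply states j is the minimum that
# pairs with the canister, so 0.9.8e, 0.9.8i or 1.0.0 are rejected.
openssl_098_ok() {
    case "$1" in
        0.9.8[j-z]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Step 1: the canister must be built from the openssl-fips-1.2 distribution
# with "./config fipscanisterbuild". Running that inside openssl-0.9.8, as the
# original post did, is refused here.
build_canister() {
    case "$(basename "$FIPS_SRC")" in
        openssl-fips-1.2*) ;;
        *) echo "refusing: canister source is $(basename "$FIPS_SRC"), not openssl-fips-1.2" >&2
           return 1 ;;
    esac
    (cd "$FIPS_SRC" && ./config fipscanisterbuild && make && make install)
}

# Step 2: build a 0.9.8j-or-later OpenSSL against the installed canister.
# "./config fips" is the 0.9.8 option that makes libcrypto use the canister.
build_openssl() {
    v=$(version_from_dir "$OSSL_SRC")
    if ! openssl_098_ok "$v"; then
        echo "refusing: need openssl-0.9.8j or later, got '$v'" >&2
        return 1
    fi
    (cd "$OSSL_SRC" && ./config fips --prefix="$PREFIX" && make && make install)
}

# Step 3: link through fipsld rather than plain cc, so the in-core fingerprint
# is embedded and FIPS_mode_set(1) can pass its integrity check. C only; the
# reply notes that a C++ application needs a modified fipsld.
link_app() {
    out=$1; shift
    FIPSLD_CC=${CC:-gcc} "$FIPSLD" -o "$out" "$@" -L"$PREFIX/lib" -lssl -lcrypto -ldl
}

# Usage: sh fips-build.sh build            (steps 1 and 2)
#        sh fips-build.sh link app app.o   (step 3)
case "${1:-}" in
    build) build_canister && build_openssl ;;
    link)  shift; link_app "$@" ;;
esac
```

The two guard functions are what make this worth having: the original post's failure came from building the canister out of openssl-0.9.8o instead of openssl-fips-1.2 and from linking with a plain g++ line, and both guards refuse before any compile starts. The version pattern accepts the double-letter 0.9.8 releases (0.9.8za and later) as well as the single-letter ones.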