Wei:

Here's what I think I've learned about this question.

I think if you compiled openssl-fips-1.1.1 with "config fips; make; make
install" the result would be an openssl library that was fips certified.

Getting libcurl to make proper use of it would then be a question of whether
libcurl makes the call to FIPS_mode_set() or not.  If it doesn't, then you
aren't getting anything by linking libcurl against openssl-fips.  If it does,
and libcurl doesn't try to use non-FIPS algorithms (like blowfish, for
example), then you could claim libcurl's use of openssl-fips was fips
certified.

If you were to patch the source code to libcurl by inserting a call to
FIPS_mode_set() and compile and link it, I am guessing libcurl would not
always work properly because it would try to use non-FIPS algorithms and
those operations would fail once FIPS_mode_set() had been called in your
patch.

One other variation on the above would be if libcurl needs a version of
openssl-0.9.7 more recent than the one openssl-fips-1.1.1 is based on.  In
that case, you would need to compile openssl twice: once to generate
fips_canister.o, and once to generate the more recent version of the library
that links against fips_canister.o.  At that point, the above analysis
applies.

Chris Marshall

--- Wei Weng <[EMAIL PROTECTED]> wrote:

> Chris: Thanks for the reply.
> 
> Here is the thing I want: I need to build an openssl library that is fips 
> capable so that I can link libcurl against the library, since libcurl 
> uses openssl library to do the decode/encode stuff.
> 
> I am guessing that I will need to build my own openssl library that 
> linked against FIPS module.
> 
> Is that right?
> 
> 
> Thanks
> 
> Wei
> 
> 
> Christopher Marshall wrote:
> > Wei:
> >
> > My current guess is that if all you are trying to do is get an openssl 
> > utility that is FIPS
> > certified, then doing 
> >    ./config fips
> >    make 
> >    make install
> > from inside the top level directory of openssl-fips-1.1.1 is all that is 
> > required.
> >
> > If you want an openssl utility of a more recent 0.9.7 version than the one 
> > fips-1.1.1 is based on, then you would have to do a two pass build as you 
> > outlined using one of the 0.9.7 snapshots.
> >
> > Is that correct everyone?
> >
> > Chris Marshall
> >
> >
> > --- Wei Weng <[EMAIL PROTECTED]> wrote:
> >
> >   
> >> Hi. Sorry I can not answer your question, but it seems that you are the 
> >> only one that is working on getting openssl-fips-1.1.1 to work these 
> >> days, so I had to bug you for some trivial questions. :)
> >>
> >> Do you think the process I had gone into making openssl-fips-1.1.1 work 
> >> is correct? (I do realize we are working on different platforms, but I 
> >> think the general procedures should be similar)
> >>
> >> Thanks!  The following is from an email I sent the list earlier.
> >>
> >> Hi all.
> >>
> >> I want to know whether this is correct in building FIPS-capable 
> >> openSSL binaries.
> >> download openssl-fips-1.1.1.tar.gz and openssl-0.9.7l.tar.gz, unzip them 
> >> into their own directories.
> >> cd openssl-fips-1.1.1, do
> >> ./config fips --prefix=/opt/fips
> >> and make; make install is going to install fips_canister.o inside 
> >> /opt/fips/lib directory.
> >> cd openssl-0.9.7l, do
> >> ./config shared --with-fipslibdir=/opt/fips/lib/ 
> >> --openssldir=/opt/openssl-0.9.7l/
> >> and make; make install is going to put FIPS capable openssl binaries 
> >> into /opt/openssl-0.9.7l/
> >>
> >> Is this correct? Thanks in advance.
> >>
> >>
> >> Wei
> >>
> >> ______________________________________________________________________
> >> OpenSSL Project                                 http://www.openssl.org
> >> User Support Mailing List                    openssl-users@openssl.org
> >> Automated List Manager                           [EMAIL PROTECTED]
> >
> 

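As an added example that is not part of the thread and is not OpenSSL project code: the two-pass build Wei outlines, wrapped in shell functions, with the check a practitioner would want between the passes (pass 2 refuses to start until pass 1 has installed the module) and a check for Chris's condition that the consumer must actually reference FIPS_mode_set() before linking against the FIPS-capable library buys anything. The install prefixes, the fips_canister.o file name (taken from the thread), the assumption that both tarballs are already unpacked, and the use of nm(1) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Wei's two-pass build as shell functions,
# plus the checks that belong between and after the passes.
# Assumptions (not stated on the list): the two source trees are already
# unpacked into the directories passed as arguments, the module installed by
# pass 1 is named fips_canister.o as in the thread, and nm(1) is available.

FIPS_PREFIX="${FIPS_PREFIX:-/opt/fips}"
OSSL_PREFIX="${OSSL_PREFIX:-/opt/openssl-0.9.7l}"

# Pass 1: build openssl-fips-1.1.1 and install the FIPS object module.
build_fips_module() {
    ( cd "$1" && ./config fips --prefix="$FIPS_PREFIX" && make && make install )
}

# Returns 0 when the module produced by pass 1 is present in the given lib dir.
fips_module_present() {
    [ -f "$1/fips_canister.o" ]
}

# Pass 2: build the newer 0.9.7 tree as a FIPS-capable shared library that
# links against the module. Refuses to start until pass 1 has produced it.
build_fips_capable_openssl() {
    if ! fips_module_present "$FIPS_PREFIX/lib"; then
        echo "fips_canister.o not found in $FIPS_PREFIX/lib; run pass 1 first" >&2
        return 1
    fi
    ( cd "$1" && ./config shared --with-fipslibdir="$FIPS_PREFIX/lib/" \
          --openssldir="$OSSL_PREFIX/" && make && make install )
}

# Chris's point: linking libcurl against the FIPS-capable library changes
# nothing unless libcurl itself calls FIPS_mode_set(). This checks whether a
# built shared object or executable references that symbol at all.
# Returns 0 if it does, 1 otherwise.
references_fips_mode_set() {
    nm -D "$1" 2>/dev/null | grep -q ' U FIPS_mode_set'
}

# Typical use (paths are placeholders):
#   build_fips_module /path/to/openssl-fips-1.1.1 \
#     && build_fips_capable_openssl /path/to/openssl-0.9.7l \
#     && references_fips_mode_set /path/to/libcurl.so
```

The build functions need the unpacked sources and a toolchain, so only the two check functions are exercised offline. Note what `references_fips_mode_set` does and does not establish: a `U FIPS_mode_set` entry shows the consumer references the call, but not that it is invoked with a non-zero argument before any crypto is used, nor that the consumer avoids the non-FIPS algorithms Chris mentions; both still have to be confirmed by reading the consumer's source or testing it in FIPS mode.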