Hi All,
Sorry if the answer to this posting seems obvious, but I'm not very
knowledgeable when it comes to build processes. I'm trying to build a version
of Net-SNMP that only uses FIPS recognised algorithms for SNMPv3 user
authentication and encryption (i.e. SHA-1 and AES-128). I have already compiled
out usage of all other non-FIPS algorithms when building the Net-SNMP daemon,
which currently links in the standard OpenSSL libcrypto library.
I am now trying to link it against the FIPS Object Module, which I have
successfully built using a slightly modified version of the instructions in the
User Guide, due to the build process and requirements for my target platform:
    # Configure the FIPS Object Module source for a cross-compiled, no-assembler build
    export CROSS_COMPILE=ppc_8xx-; \
    ./Configure linux-generic32 fipscanisterbuild no-asm no-hw
    # Build it with the host compiler and the incore tool used to embed the fingerprint
    export CROSS_COMPILE=ppc_8xx-; \
    export HOSTCC=/usr/bin/gcc; \
    export FIPS_SIG=openssl-fips/incore; \
    $(MAKE) -C openssl-fips
I realise that these build changes make the result not FIPS certified, but my
goal is to produce a version of Net-SNMP that is based on unmodified encryption
algorithm implementations provided by a FIPS certified SSL library. The above
build process seems to create a shared crypto library (libcrypto.so.0.9.8),
even though I haven't built the standard OpenSSL distribution (i.e. it is not a
FIPS Capable OpenSSL build). I have found that Net-SNMP happily uses this
library for its encryption support and works with no problems.
So assuming that I want to produce a solution which I could get certified by
FIPS if I chose to, my questions are:
1. Can I use this shared crypto library as-is, and not worry about
creating a FIPS Capable OpenSSL build?
2. Is it still a good idea to perform the hashing verification steps in
the User Guide and call FIPS_mode_set()?
3. Where does fipscanister fit into all this?
I'd be very grateful for any assistance you could provide with this.
Regards,
Harvey Shepherd
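The build sequence described in the message, as an added example written here in shell (it is not code from the original post, nor from the OpenSSL or Net-SNMP projects): the same Configure and make steps, wrapped in functions that check the cross toolchain, host compiler, source directory and incore tool before anything is run. A stray space after `CROSS_COMPILE=` exports an empty prefix and then tries to run a command named after the prefix, which is exactly the kind of mistake the toolchain check catches. The function names, the parameter layout and the usage paths at the bottom are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the cross-compile sequence from
# the message wrapped in functions that validate their inputs first. Function
# names and the layout used in the usage comment are assumptions.

# check_cross_toolchain PREFIX
# Succeeds only if PREFIX is non-empty and "${PREFIX}gcc" is on PATH.
# An empty prefix is rejected: with CROSS_COMPILE unset or empty, Configure
# and make silently fall back to the host compiler.
check_cross_toolchain() {
    prefix=$1
    [ -n "$prefix" ] || return 1
    command -v "${prefix}gcc" >/dev/null 2>&1
}

# fips_build_env SRCDIR PREFIX HOSTCC INCORE
# Prints the environment the FIPS module build needs, one VAR=value per line,
# after checking every input. Returns 1 and prints nothing on any failure.
# (Paths are assumed not to contain whitespace.)
fips_build_env() {
    srcdir=$1 prefix=$2 hostcc=$3 incore=$4
    check_cross_toolchain "$prefix" || { echo "no cross compiler ${prefix}gcc on PATH" >&2; return 1; }
    [ -d "$srcdir" ] || { echo "source dir $srcdir not found" >&2; return 1; }
    [ -x "$hostcc" ] || { echo "host compiler $hostcc not executable" >&2; return 1; }
    [ -x "$incore" ] || { echo "incore tool $incore not executable" >&2; return 1; }
    printf 'CROSS_COMPILE=%s\nHOSTCC=%s\nFIPS_SIG=%s\n' "$prefix" "$hostcc" "$incore"
}

# build_fips_canister SRCDIR PREFIX HOSTCC INCORE
# Runs the Configure and make steps from the message inside a subshell so the
# exported variables do not leak into the caller's environment.
build_fips_canister() {
    env_out=$(fips_build_env "$1" "$2" "$3" "$4") || return 1
    (
        cd "$1" || exit 1
        for kv in $env_out; do export "$kv"; done
        ./Configure linux-generic32 fipscanisterbuild no-asm no-hw || exit 1
        make
    )
}

# Usage (assumed layout): PATH contains ppc_8xx-gcc, the FIPS source is in
# ./openssl-fips and the incore tool has already been built there.
#   build_fips_canister ./openssl-fips ppc_8xx- /usr/bin/gcc ./openssl-fips/incore
```

Running the environment checks as a separate function means a typo in the toolchain prefix or the incore path is reported before Configure has touched the source tree, rather than surfacing as a host-compiled object or a missing fingerprint at the end of the build.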