[openssl-users] Generating FIPS Compliant libcrypto.so

Mark mseaborn62 at hotmail.com
Thu Jun 25 14:17:02 UTC 2015 

Ok, I searched and there are a lot of topics around building the fip
compliant version of openssl. My problem is with the generation of the
libcrypto.so.

Environment
Debian 8
openssl fips 2.0.9
openssl 1.0.1o

I follow the security guide and build a valid fipscanister.o file. I test it
and it works fine.

Then in section 3.3 of the users guide it states.
"The FIPS Object Module is not directly usable as a shared library, but it
can be linked into an
application that is a shared library. A “FIPS compatible” OpenSSL
distribution will automatically
incorporate an available FIPS Object Module into the libcrypto shared
library when built using
the fips option (see §4.2.3)."

Then in section 4.2.3 of the users guide it states.
"Once the validated FIPS Object Module has been generated it is usually
combined with an
OpenSSL distribution in order to provide the standard OpenSSL API. Any 1.0.1
release can be
used for this purpose. The commands

      ./config fips <...other options...>
      make <...options...>
      make install

will build and install the new OpenSSL without overwriting the validated
FIPS Object Module
files."

This produces a version of libcrypto.a that can be statically linked to an
application and SET_FIPS_MODE(1); Returns 1. However, this does process does
not create the libcrypto.so file during the build process. 

So my next logical step was to configure openssl-1.0.1o for shared
libraries. 

   ./config fips shared
    make depend
    make
    su root
    make install

This creates libcrypto.so just fine. However here is the rub, i get the
following issue trying to link the functions into a file.
140261525202608:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips
mode not supported:o_fips.c:92:


I am also having an issue where openssl 1.0.1o creates PEM version of the
public/private keys = 
-----BEGIN RSA PUBLIC KEY-----
MAA=
-----END RSA PUBLIC KEY-----
-----BEGIN PRIVATE KEY-----
MBkCAQAwDQYJKoZIhvcNAQEBBQAEBTADAgEA
-----END PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----

no matter what size key i ask it to create 1024, 2048, or 4096 on the
statically liked version of the software.

What is the right way to get openssl to generate the libcrypto.so in a
"compliant" manner?



--
View this message in context: http://openssl.6102.n7.nabble.com/Generating-FIPS-Compliant-libcrypto-so-tp58890.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

More information about the openssl-users mailing list