building 0.9.7j with fips parameter

building 0.9.7j with fips parameter

Tinnerello, Richard

Hello,
Has anyone been able to build 0.9.7j (OpenSSL-fips-1.0) with the 'fips' parameter?
We get a hash check error although we have modified nothing in the distribution:

make[3]: Leaving directory `/sci/users/OpenSSL/openssl-0.9.7j/fips-1.0/hmac'
/usr/local/bin/perl ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
Hash check failed for file Makefile
FATAL: hash mismatch on 1 files
*** Your source code does not match the FIPS validated source ***
make[2]: *** [check] Error 1

The 0.9.7i version builds fine with fips specified. Thanks,
Richard

Re: building 0.9.7j with fips parameter

Dr. Stephen Henson
On Thu, Mar 30, 2006, Tinnerello, Richard wrote:

> Hello,
> Has anyone been able to build 0.9.7j (OpenSSL-fips-1.0) with the 'fips' parameter?
> We get a hash check error although we have modified nothing in the distribution:
>
> make[3]: Leaving directory `/sci/users/OpenSSL/openssl-0.9.7j/fips-1.0/hmac'
> /usr/local/bin/perl ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
> Hash check failed for file Makefile
> FATAL: hash mismatch on 1 files
> *** Your source code does not match the FIPS validated source ***
> make[2]: *** [check] Error 1
>
> The 0.9.7i version builds fine with fips specified. Thanks,

This will be detailed in the user guide in due course.

Briefly... you first have to compile and install from the validated source
which is at:

http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz

You *have to* use the command sequence:

./config fips
make
make install

then you can download a recent OpenSSL 0.9.7 snapshot. You can pass additional
command line options this time and you have to include the "fips" switch to
config or Configure. It should then link in the validated FIPS modules you
built before.

The functionality to link a newer version of OpenSSL to the validated module
is a fairly recent change so it may need a bit of tweaking.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: building 0.9.7j with fips parameter

Jim Adams
In reply to this post by Tinnerello, Richard

I was recently able to build the 20060323 stable snapshot of 0.9.7j in fips
mode with the fips 1.0 canister built per the security policy. (Windows
build). Previously when I got the error that the source didn't match the
validated source, it was because I had unzipped with CR LF instead of just LF.

Jim

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Thursday, March 30, 2006 11:34 AM
To: [hidden email]
Subject: Re: building 0.9.7j with fips parameter

On Thu, Mar 30, 2006, Tinnerello, Richard wrote:

> Hello,
> Has anyone been able to build 0.9.7j (OpenSSL-fips-1.0) with the 'fips' parameter?
> We get a hash check error although we have modified nothing in the distribution:
>
> make[3]: Leaving directory `/sci/users/OpenSSL/openssl-0.9.7j/fips-1.0/hmac'
> /usr/local/bin/perl ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
> Hash check failed for file Makefile
> FATAL: hash mismatch on 1 files
> *** Your source code does not match the FIPS validated source ***
> make[2]: *** [check] Error 1
>
> The 0.9.7i version builds fine with fips specified. Thanks,

This will be detailed in the user guide in due course.

Briefly... you first have to compile and install from the validated source
which is at:

http://www.openssl.org/source/OpenSSL-fips-1.0.tar.gz

You *have to* use the command sequence:

./config fips
make
make install

then you can download a recent OpenSSL 0.9.7 snapshot. You can pass additional
command line options this time and you have to include the "fips" switch to
config or Configure. It should then link in the validated FIPS modules you
built before.

The functionality to link a newer version of OpenSSL to the validated module
is a fairly recent change so it may need a bit of tweaking.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
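
Added example (not part of the original thread or of the OpenSSL distribution): a pre-build check for the line-ending cause Jim describes. It lists files in an unpacked tree that contain CR bytes and shows that the same Makefile text yields a different digest with LF and with CRLF endings. The sample tree is constructed, and `digest` is a stand-in for the build's own hash check, whose algorithm the thread does not state.

```shell
#!/bin/sh
# Added example: line-ending check for an unpacked source tree.
# The sample tree is constructed; it is not the OpenSSL distribution.

CR=$(printf '\r')

# List regular files under $1 that contain at least one CR byte.
# Assumes a tree of text sources; binary files with 0x0D bytes also match.
crlf_files() {
    find "$1" -type f -exec grep -l "$CR" {} + 2>/dev/null || true
}

# Number of files under $1 that contain a CR byte.
crlf_count() {
    crlf_files "$1" | wc -l | tr -d ' '
}

# Digest of a file's exact bytes (stand-in for the build's hash check).
digest() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | cut -d' ' -f1
    else
        cksum < "$1" | cut -d' ' -f1
    fi
}

# Constructed sample: identical Makefile text, once with LF, once with CRLF.
make_sample() {
    dir=$(mktemp -d)
    mkdir "$dir/lf" "$dir/crlf"
    printf 'all:\n\techo built\n'     > "$dir/lf/Makefile"
    printf 'all:\r\n\techo built\r\n' > "$dir/crlf/Makefile"
    echo "$dir"
}

# Demo: report digest and CR-file count for each copy.
sample=$(make_sample)
for variant in lf crlf; do
    printf '%-5s digest=%s files-with-CR=%s\n' "$variant" \
        "$(digest "$sample/$variant/Makefile")" \
        "$(crlf_count "$sample/$variant")"
done
rm -rf "$sample"
```

Running `crlf_files` on the unpacked source directory before `./config fips` shows whether the extraction tool converted line endings; any file it lists will not match a hash recorded over the LF original.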