Reputation: 135
What does fipscanisterbuild do?
I am trying to compile openssl-fips on a Solaris 10x86 machine. However the command to compile the openssl-fips thinks that it is building fips for a x86_64 machine. The command I am running is
./config fipscanisterbuild
I have tried replacing it with
./Configure solaris-x86-gcc
I was wondering what the difference between these two commands are. Does the ./Configure solaris-x86-gccsimply force the openssl-fips to be compiled for a specific architecture? Or is it missing something that the ./config fipscanisterbuild does? Does the fipscanisterbuild flag trigger something that I need for openssl-fips? If so, what command should I use to compile openssl-fips but force it to use a solaris-x86-gcc architecture?
Upvotes: 1
Views: 315
Answers (1)
Reputation: 102205
Some background: there's two type of cryptography: cryptography that's FIPS 140-2 validated; and all the rest of the cryptography. You can think of validated cryptography like a tangible commodity.
In OpenSSL, the validated cryptography is housed in the FIPS Object Module. The FIPS Object Module uses the same source files as the regular library. The FIPS Object Module is part of libcrypto because that's where the cryptography is implemented. That's where the non-validated cryptography is, too.
If you download the regular OpenSSL library and configure with config fips, then you will build a FIPS Capable library. Its only FIPS capable because the validated cryptography is in the FIPS Object Module. If you don't have the FIPS Object Module, then you will use the non-validated cryptography. In both cases, the FIPS Capable library will use cryptography from libcrypto. Think of it like a pluggable architecture.
Previously, building of the FIPS Object Module was controlled with fipscanisterbuild. However, its no longer needed. I think its no longer needed because the FIPS Object Module's source files are provided in its own tarball.
Looking at the latest OpenSSL FIPS 140-2 Security Policy, its not specified in the command set so its a policy violation to provide fipscanisterbuild. If you specify fipscanisterbuild, then your process will not result in FIPS validated cryptography.
Some more background: config invokes Configure with a triplet. You can see it at line 962 in config:
$PERL ./Configure $OUT $options
So to answer your question: there's no effective difference in the compiled code. Both the FIPS Object Module and the FIPS Capable Library produce the same code.
./config fipscanisterbuild
If you are building the FIPS Object Module, then this is a policy violation because it does not adhere to the Security Policy. But it results in the same object code for the cryptography.
./Configure solaris-x86-gcc
If you are building the FIPS Object Module, then this is a policy violation because it does not adhere to the Security Policy. But it results in the same object code for the cryptography.
Upvotes: 3
Related Questions
- RHEL8: FIPS Object Module (fipscanister) existing?
- FIPS_mode_set() code not found in openssl package
- Building OpenSSL with FIPS on Mac OSX 10.11
- FIPS Capable OpenSSL and `make depend`
- Compiling openssl-fips on Solaris10 x86
- OpenSSL 1.0.1e failed in FIPS mode
- No fips and --with-fipsdir arguments in OpenSSL 1.0.0l configure script
- use of make depend while compiling fips enabled openssl
- Building FIPS module on sparc 64bit solaris 9
- What does "__fips_constseg" means in openssl