This guide explains how to compile OpenSSL with FIPS 140-3 support.
FIPS 140-3 (Federal Information Processing Standard) is a US standard for cryptographic modules. It defines:
Who needs FIPS?
| Industry | FIPS required? |
| --- | --- |
| US government agencies | Yes |
| EU government agencies | Often (BSI recommends it) |
| Banks | Usually yes |
| Healthcare | Often yes |
| Internal applications | Rarely |
call "%ProgramFiles%\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
set PATH=%STRAWBERRY_PERL%\bin;%LOCALAPPDATA%\bin\NASM;%PATH%
cd /d %OPENSSL_SRC%
perl Configure VC-WIN64A enable-fips --prefix=D:\Projects\openssl-3.6.0\bin --openssldir=D:\Projects\openssl-3.6.0\bin\ssl
Important: The enable-fips parameter enables the FIPS provider.
nmake
nmake install_sw install_fips
install_fips installs the FIPS provider and generates the module configuration!
In addition to the standard files:
bin\
├── bin\
│   ├── openssl.exe
│   ├── libcrypto-3-x64.dll
│   └── libssl-3-x64.dll
├── lib\
│   └── ossl-modules\
│       ├── fips.dll          # FIPS provider module
│       └── legacy.dll
└── ssl\
    ├── openssl.cnf
    └── fipsmodule.cnf        # FIPS module configuration
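Open D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf and add:
# At the top of the file
openssl_conf = openssl_init

# Load the [fips_sect] parameters (including the module MAC) that install_fips
# wrote to fipsmodule.cnf. Forward slashes are used because a backslash is an
# escape character in this file.
.include D:/Projects/openssl-3.6.0/bin/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[fips_sect]
activate = 1

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes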
set OPENSSL_CONF=D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf
rem List the providers
openssl list -providers
Expected output:
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active
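The provider list only shows what loaded, so it helps to check the configuration wiring itself. The following is an added example, not part of the original guide or of OpenSSL: it parses the subset of openssl.cnf syntax used above and reports missing pieces. The function names, the sample configurations and the module-mac placeholder value are constructed for illustration.

```python
import re

def parse_cnf(text, files):
    """Parse the openssl.cnf subset used here; `files` maps .include paths to text."""
    sections, current, pending = {"default": {}}, "default", text.splitlines()
    while pending:
        line = pending.pop(0).split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif line.startswith(".include"):
            path = line[len(".include"):].lstrip(" =").strip()
            pending[:0] = files.get(path, "").splitlines()  # splice the file in place
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit(text, files=None):
    """Return findings about the FIPS wiring; an empty list means it is consistent."""
    s = parse_cnf(text, files or {})
    init = s.get(s["default"].get("openssl_conf", ""), {})
    provs = s.get(init.get("providers", ""), {})
    findings = []
    for name in ("fips", "base"):  # base supplies encoders/decoders for key files
        active = s.get(provs.get(name, ""), {}).get("activate", "").lower()
        if active not in ("1", "yes", "true", "on"):
            findings.append(f"{name} provider is not activated")
    if "module-mac" not in s.get(provs.get("fips", ""), {}):
        findings.append("fips section has no module-mac (fipsmodule.cnf not included)")
    props = s.get(init.get("alg_section", ""), {}).get("default_properties", "")
    if "fips=yes" not in props.replace(" ", ""):
        findings.append("default_properties does not require fips=yes")
    return findings

# Constructed sample input; the module-mac value is a placeholder, not a real MAC.
INC = "D:/Projects/openssl-3.6.0/bin/ssl/fipsmodule.cnf"
FILES = {INC: "[fips_sect]\nactivate = 1\nmodule-mac = 00:11:22\n"}
GOOD = (f"openssl_conf = openssl_init\n.include {INC}\n"
        "[openssl_init]\nproviders = provider_sect\nalg_section = algorithm_sect\n"
        "[provider_sect]\nfips = fips_sect\nbase = base_sect\n"
        "[base_sect]\nactivate = 1\n[algorithm_sect]\ndefault_properties = fips=yes\n")
# Broken variant: the include is replaced by a bare section and base is dropped.
BAD = GOOD.replace(f".include {INC}\n", "[fips_sect]\nactivate = 1\n").replace("base = base_sect\n", "")

if __name__ == "__main__":
    print(audit(GOOD, FILES), audit(BAD), sep="\n")
```

To run it against a real installation, pass the text of openssl.cnf and a mapping from the .include path to the contents of fipsmodule.cnf.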
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional