On Thu, Jan 08, 2009, PGNet wrote:

> 
> > This is an unfortunate side effect of gcc being stricter about function
> > pointers
> ...
> > The actual errors you see are not part of the validated module but part of
> > the rest of OpenSSL. If you complete the make process once (despite the
> > crashes) and can do "make install" it will install a validated module.
> ...
> 
> Per advice, ignoring the crashes (18 of them; somewhat disconcerting) @
> 
>  ...
>  Doing certs
>  aol1.pem => .0
>  WARNING: Skipping duplicate certificate aol2.pem
>  ...
>  making all in test...
>  ...
> 
> 'make', indeed, completes.
> 
>  ...
>  making all in tools...
>  make[1]: Nothing to be done for `all'.
> 
> subsequent,
> 
>  make DESTDIR=/usr/local/ssl-fips install
> 
> does, apparently, install, but ignores the DESTDIR spec, installing instead 
> in,
> 
> ls -al /usr/local/ssl/fips-1.0/lib/
>  drwxr-xr-x 11 root wheel     374 2009-01-08 07:18 engines/
>  -r--r--r--  1 root wheel    5396 2007-08-15 06:35 fips_premain.c
>  -r--r--r--  1 root wheel      68 2007-08-15 06:35 fips_premain.c.sha1
>  -r--r--r--  1 root wheel  314008 2009-01-08 06:58 fipscanister.o
>  -r--r--r--  1 root wheel      68 2009-01-08 06:58 fipscanister.o.sha1
>  -r-xr-xr-x  1 root wheel 1412828 2009-01-08 07:18 libcrypto.0.9.8.dylib
>  -rw-r--r--  1 root wheel 2094752 2009-01-08 07:18 libcrypto.a
>  lrwxr-xr-x  1 root wheel      21 2009-01-08 07:18 libcrypto.dylib -> libcrypto.0.9.8.dylib
>  -r-xr-xr-x  1 root wheel  310516 2009-01-08 07:18 libssl.0.9.8.dylib
>  -rw-r--r--  1 root wheel  380616 2009-01-08 07:18 libssl.a
>  lrwxr-xr-x  1 root wheel      18 2009-01-08 07:18 libssl.dylib -> libssl.0.9.8.dylib
>  drwxr-xr-x  5 root wheel     170 2009-01-08 07:18 pkgconfig/
> 
> How do I get FIPS installed in a location I specify?
> 
> I'd specify the install prefix on the config/Configure line, but
> 
>  http://openssl.org/docs/fips/UserGuide-1.2.pdf
> 
> states,
> 
>  "Per the conditions of the FIPS 140-2 validation only one
> configuration command may be used:
> 
>   ./config fipscanisterbuild
> 
>  The specification of any other options on the command line, such as
> 
>   ./config fipscanisterbuild shared
> 
>  is specifically not permitted."
> 
> 
> Just want to be clear that everything's working as (mostly) expected ...
> 

If you want to move the validated module elsewhere afterwards you can do
provided you keep to the permission requirements of the security policy.

Once you've installed the validated module you can then use OpenSSL 0.9.8j to
build a usable version of OpenSSL which links against the validated module.

For that you *can* specify whatever arguments you wish to the build process
because the validated module is already installed. Of course you have to
include the "fips" argument so it uses the validated module.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
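
The two-stage build described in the reply above, as an added example that is not part of the original thread or of the OpenSSL project's own tooling: stage 1 refuses any option beyond `fipscanisterbuild`, stage 2 accepts any options as long as `fips` is among them. The function names, the `DRY_RUN` variable, the source directory names and the use of `/usr/local/ssl-fips` as the stage 2 prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Directory names are hypothetical.
# DRY_RUN=1 (the default) prints each command instead of running it.

run_in() {
    dir="$1"; shift
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '[%s] %s\n' "$dir" "$*"
    else
        ( cd "$dir" && "$@" )
    fi
}

# Stage 1: the validated module. The User Guide text quoted in the thread
# permits only "./config fipscanisterbuild", so extra options are refused.
build_validated_module() {
    [ "$#" -ge 1 ] || { echo "usage: build_validated_module SRCDIR" >&2; return 2; }
    src="$1"; shift
    if [ "$#" -ne 0 ]; then
        echo "refusing stage 1 options: $*" >&2
        return 1
    fi
    run_in "$src" ./config fipscanisterbuild &&
    run_in "$src" make &&
    run_in "$src" make install
}

# Stage 2: OpenSSL 0.9.8j linked against the installed module. Any options
# are allowed here, but "fips" must be one of them.
build_fips_capable_openssl() {
    [ "$#" -ge 1 ] || { echo "usage: build_fips_capable_openssl SRCDIR OPTIONS..." >&2; return 2; }
    src="$1"; shift
    case " $* " in
        *" fips "*) ;;
        *) echo "refusing stage 2 without the fips option" >&2; return 1 ;;
    esac
    run_in "$src" ./config "$@" &&
    run_in "$src" make &&
    run_in "$src" make install
}

# Dry-run walk-through with hypothetical source directories.
build_validated_module ./fips-module-src
build_fips_capable_openssl ./openssl-0.9.8j fips shared --prefix=/usr/local/ssl-fips
```

Set `DRY_RUN=0` to execute the commands in the given source directories instead of printing them.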
