This is the build script i have used to build the openssl fips 1.2 and
openssl 9.8j . try this and let me know if this help you.
#!/bin/ksh
SOURCEDIR=$(pwd)
SOURCE0=$SOURCEDIR/openssl-fips-1.2.tar.gz
SOURCE1=$SOURCEDIR/openssl-0.9.8j.tar.gz
function openssl_fips_workaround_object_mode
{
#
# config uses /usr/bin/getconf to determine object mode. We will set
$PATH
# to find our own getconf first. This getconf just returns $OBJECT_MODE.
#
cat >getconf <<\EOF
#!/bin/ksh
if [[ $1 = "KERNEL_BITMODE" ]]; then
echo ${OBJECT_MODE:-32};
exit 0;
else
exec /usr/bin/getconf $*
fi
EOF
chmod +x getconf
}
function extract_patch_build
{
set -x
#
# First we build openssl-fips.
#
rm -rf openssl-fips-1.2
gunzip -c $SOURCE0 | tar -xf -
cd openssl-fips-1.2
openssl_fips_workaround_object_mode
export OLDPATH=$PATH PATH=$(pwd):$PATH
./config fipscanisterbuild no-asm
make
export PATH=$OLDPATH
fipslibdir=$(pwd)/fips
cd ..
#
# Second, we build FIPS compatible openssl.
#
rm -rf openssl-0.9.8j
gunzip -c $SOURCE1 | tar -xf -
cd openssl-0.9.8j
./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
--with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared
threads aix${1}-xlc_r
make depend
make
touch libcrypto.a
make
cd ..
}
#
# main
#
set -x
extract_patch_build
#
# build 64-bit in subdir "64"
#
mkdir 64
cd 64
OBJECT_MODE=64 extract_patch_build 64
cd ..
#
# Add the 64-bit shared objects to the archives.
# Also add the fipscanisters.
#
cd openssl-0.9.8j
cp ../64/openssl-0.9.8j/libssl.so.0.9.8 libssl64.so.0.9.8
cp ../64/openssl-0.9.8j/libcrypto.so.0.9.8 libcrypto64.so.0.9.8
cp ../openssl-fips-1.2/fips/fipscanister.o .
cp ../openssl-fips-1.2/fips/fipscanister.o.sha1 .
rm -f libssl.so libcrypto.so libssl*.a libcrypto*.a
export OBJECT_MODE=32_64
/usr/bin/ar -qv libssl.a libssl.so.0.9.8 libssl64.so.0.9.8
/usr/bin/ar -qv libcrypto.a libcrypto.so.0.9.8 libcrypto64.so.0.9.8
fipscanister.o ../64/openssl-fips-1.2/fips/fipscanister.o
Try this build script .I will generate both 32 bit as well as 64 bit fips
object module with out changing any make file
On Thu, Mar 12, 2009 at 2:31 AM, Steve Marquess <
marqu...@veridicalsystems.com> wrote:
> Jeremy Regan wrote:
>
>> Hello,
>>
>> I was able to build the FIPS 1.2 software successfully using
>>
>> ./config --prefix=/apps/fips_build/fips-1.2-install fipscanisterbuild
>> no-asm
>> make
>> make install
>>
>>
>>
> Standard nag: you built it successfully in the sense that it compiled and
> linked without error, but you can't represent the result as FIPS 140-2
> validated. The Security Policy is very specific about the fact that only two
> options to ./config are allowed, "no-asm" and "fipscanisterbuild".
>
> What you can do is build it as mandated and then copy the resulting module
> where you want it to go. I know the difference seems silly, but the CMVP was
> very adamant on that point when we were working the first validation.
>
> -Steve M.
>
> --
> Steve Marquess
> Veridical Systems, Inc.
> marqu...@veridicalsystems.com
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
