Reposting as my original message doesn't seem to have been added to the mailing list.
> From: Steve Marquess [mailto:marqu...@opensslfoundation.com]
> Sent: Tuesday, 23 August 2011 10:34 a.m.
> To: Harvey Shepherd
> Cc: openssl-users@openssl.org
> Subject: Re: Using the FIPS Object Module
>
> ...
>
>> Please, please always keep in mind that the OpenSSL FIPS Object
>> Module and the OpenSSL library are separate and distinct software
>> components. They should be built separately, with the "FIPS
>> capable" OpenSSL libraries incorporating the independently generated FIPS module.
>>
>> For the v1.2.3 module use
>> http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz for the
>> FIPS module and the latest 0.9.8 distribution (currently 0.9.8r)
>> for the FIPS capable libraries.

Okay, so I've now built a FIPS capable OpenSSL library (using OpenSSL FIPS v1.2.3 and OpenSSL v0.9.8r) as follows (for my platform):

FOR OPENSSL-FIPS
================
export CROSS_COMPILE=ppc_8xx-
export HOSTCC=/usr/bin/gcc
export FIPS_SIG=<snipped path>/openssl-fips/incore
./Configure linux-generic32 fipscanisterbuild no-asm no-hw
make

FOR OPENSSL
===========
./Configure fips no-asm no-hw no-shared --with-fipslibdir=<snippedpath>/openssl-fips/fips ppc_8xx-gcc
make LDFLAGS="-static"

This all builds successfully, and I then build my application (Net-SNMP) and link in the .../openssl/libcrypto.a library. It builds successfully, but when I try to run the application and enable FIPS mode, it aborts with the error:

340:error:2D069070:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match segment aliasing:fips.c:230:

Now I see in the User Guide that it specifies that if the runtime application interfaces with the OpenSSL FIPS Object Module, then it must be linked using the fipsld script.
Perhaps I'm misunderstanding something here, but in my case is it not base OpenSSL which is interfacing with the Object Module (when those two are linked together, the fipsld script is used and the fingerprint checks all pass), and therefore would it not be unnecessary to link Net-SNMP using this script? I have actually tried linking Net-SNMP using the script, which isn't straightforward as it also uses its own script to link, rather than the makefile. When I did manage to get it to try, it failed with:

diff: .sha1: No such file or directory
No such file or directory
fingerprint mismatch

It looks like a pathname is missing. Please can anyone let me know what I'm doing wrong?

Thanks,
Harvey Shepherd

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
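The failing check above is the module's in-core integrity test: the fipsld second link computes an HMAC-SHA1 over the final text and rodata segments and stores it in a reserved slot, and enabling FIPS mode recomputes it over the loaded image and compares. The following is an added, simplified model of that scheme (not OpenSSL's or the FIPS module's own code); the key, slot marker and segment layout are assumptions chosen for illustration, and it shows why an image whose fingerprint was never filled in, or whose segments were changed by a later link step, fails the check.

```python
import hmac
import hashlib

# Simplified model of the in-core integrity check behind the error
# "FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match". The key,
# slot marker and segment layout are assumptions for illustration only.
HMAC_KEY = b"illustrative-key-not-the-module-key"
SLOT_MARKER = b"<<FIPS_SIGNATURE>>"   # precedes the 20-byte fingerprint slot
SIG_LEN = hashlib.sha1().digest_size  # HMAC-SHA1 output, 20 bytes

def split_rodata(rodata: bytes):
    """Return (hashed part, stored fingerprint). The slot is excluded from
    the HMAC, otherwise writing the value would change what it covers."""
    pos = rodata.index(SLOT_MARKER)
    start = pos + len(SLOT_MARKER)
    return rodata[:pos], rodata[start:start + SIG_LEN]

def fingerprint(text: bytes, rodata_hashed: bytes) -> bytes:
    """HMAC-SHA1 over the text segment followed by the hashed rodata."""
    mac = hmac.new(HMAC_KEY, digestmod=hashlib.sha1)
    mac.update(text)
    mac.update(rodata_hashed)
    return mac.digest()

def embed_fingerprint(text: bytes, rodata: bytes) -> bytes:
    """What the fipsld second link does: fingerprint the final, laid-out
    segments and store the value in the slot."""
    hashed, _ = split_rodata(rodata)
    pos = rodata.index(SLOT_MARKER) + len(SLOT_MARKER)
    return rodata[:pos] + fingerprint(text, hashed) + rodata[pos + SIG_LEN:]

def check_incore(text: bytes, rodata: bytes) -> bool:
    """Runtime self-test: recompute the HMAC and compare in constant time."""
    hashed, stored = split_rodata(rodata)
    return hmac.compare_digest(fingerprint(text, hashed), stored)

# Constructed sample image: a text segment and a rodata segment whose slot
# is still zero, as it is before fipsld has filled it in.
TEXT = b"\x7fELF-text-segment-placeholder" * 4
RODATA = b"rodata-before-slot" + SLOT_MARKER + b"\x00" * SIG_LEN + b"tail"

def demo() -> dict:
    signed = embed_fingerprint(TEXT, RODATA)
    relinked = TEXT[:8] + b"\x90" + TEXT[9:]  # a byte changed by a later link
    return {
        "unsigned": check_incore(TEXT, RODATA),
        "signed": check_incore(TEXT, signed),
        "relinked_after_signing": check_incore(relinked, signed),
    }
```

Only the image that was fingerprinted after its final link passes; a relink that moves or rewrites any covered byte invalidates the stored value, which is why the last link step of the application, not only the library build, has to go through fipsld.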