On Fri, Mar 16, 2012, Alex Chen wrote:

> I have downloaded the OpenSSL 1.0.1 and FIPS object module v1.2. Both will
> build a libcrypto.a library. I have some questions and hope someone can
> clarify them for me. This FIPS thing is totally new so please forgive me
> if the questions are off the target.
>
> 1. Is the crypto code in FIPS a subset of the OpenSSL source? Does it
> include only FIPS approved cryptographic algorithms?
>

Well it is a subset of the OpenSSL source but it effectively behaves like a
stand alone module which the FIPS capable OpenSSL.

> 2. I assume libssl depends on libcrypto so if I need to use libcrypto in
> addition to SSL, should I build OpenSSL to get both libssl and libcrypto and
> replace libcrypto with the one built from FIPS?
>

No, you use the libcrypto in the FIPS capable OpenSSL. When you build with the
appropriate configuration the FIPS module is linked in.

> 3. Is the 'FIPS_mode_set' API defined only in libcrypto built from the FIPS
> object module source?
>

Yes.

> 4. The 'fips' configuration is accepted in Configure, but not documented in
> the script. What is the use of 'fips' configuration setting when building
> OpenSSL? When I run
>
> ./config threads shared fips no-hw zlib-dynamic no-idea no-rc2 no-rc4 no-rc5 no-camellia no-bf
> make depend
> make
> make test
>
> I get the following errors during 'make test' phase
>
> Doing certs testing...
> cc -I.. -I../include -fPIC -fno-common
> -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM
> -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM
> -DWHIRLPOOL_ASM -DGHASH_ASM -c -o bntest.o bntest.c
> (cd ..; make DIRS=crypto all)
> making all in crypto...
> cc -I. -I.. -I../include -fPIC
> -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -fomit-frame-pointer
> -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -c -o o_fips.o o_fips.c
> o_fips.c:60:26: error: openssl/fips.h: No such file or directory
> o_fips.c:61:31: error: openssl/fips_rand.h: No such file or directory
> o_fips.c: In function ‘FIPS_mode_set’:
> o_fips.c:84: warning: passing argument 1 of ‘RAND_set_rand_method’ makes
> pointer from integer without a cast
> make[3]: *** [o_fips.o] Error 1
> make[2]: *** [build_crypto] Error 1
> make[1]: *** [../libcrypto.a] Error 2
> make: *** [tests] Error 2
>

You need to compile up and install the FIPS 2.0 test module and use the
--with-fipsdir=<dir> option to the FIPS capable OpenSSL to indicate where it
was installed if it isn't the default location.

I'll add some sanity checks to the Configure script so it catches this sooner
with a more meaningful error message.

>
> 5. What is the incore script for? If I run it without any parameters under
> MacOS 10.7, I get the error instead of usage
>
> $ ./incore
> Modification of non-creatable array value attempted, subscript -1 at
> ./incore line 366.
>

It is used for cross compilation. If you're doing a native build you can
ignore it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
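
A pre-flight check in the spirit of the sanity checks mentioned in the answer to question 4, written as an added example; it is not part of the original message and not the OpenSSL Configure script. The function names are hypothetical, and the lib/ file names are an assumption about the layout of an installed FIPS 2.0 module; the default prefix is the one visible in the -I flag of the build log.

```shell
#!/bin/sh
# Added example: pre-flight check of a FIPS module install directory.
# Default prefix, as seen in the -I flag of the build log in the message.
DEFAULT_FIPSDIR=/usr/local/ssl/fips-2.0

# The two headers o_fips.c failed to find, plus the module object and its
# digest (assumed layout of an installed FIPS 2.0 module).
FIPS_REQUIRED="include/openssl/fips.h
include/openssl/fips_rand.h
lib/fipscanister.o
lib/fipscanister.o.sha1"

# missing_fips_files DIR: print each required file absent (or empty) under DIR.
missing_fips_files() {
    dir=$1
    for rel in $FIPS_REQUIRED; do
        [ -s "$dir/$rel" ] || printf '%s\n' "$rel"
    done
}

# check_fipsdir [DIR]: return 0 if DIR looks like an installed FIPS module,
# 1 otherwise, with the reason on stderr.
check_fipsdir() {
    dir=${1:-$DEFAULT_FIPSDIR}
    if [ ! -d "$dir" ]; then
        echo "fipsdir '$dir' does not exist; install the FIPS module first" >&2
        return 1
    fi
    missing=$(missing_fips_files "$dir")
    if [ -n "$missing" ]; then
        echo "fipsdir '$dir' is incomplete, missing:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
}

# config_args [DIR]: print the Configure arguments, adding --with-fipsdir
# only when DIR is not the default location.
config_args() {
    dir=${1:-$DEFAULT_FIPSDIR}
    [ "$dir" = "$DEFAULT_FIPSDIR" ] && { echo "fips"; return; }
    echo "fips --with-fipsdir=$dir"
}

# Usage: sh check_fipsdir.sh /path/to/fips-2.0
if [ $# -gt 0 ]; then
    check_fipsdir "$1" && echo "./config $(config_args "$1")"
fi
```

Run before ./config, it reports a missing or incomplete module directory up front instead of leaving it to surface as the openssl/fips.h compile error during the build.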