Hi,
  I'm trying to dig through a problem where building the FIPS capable version 
of OpenSSL-1.0.1r is not generating the correct code.

I have done the following:
Created the fips canister according to the instructions in the User Guide, and 
installed it.
Then in the openssl source, I use ./config fips no-ec2m shared 
--with-fipsdir=/usr/local/ssl/fips-2.0 
--with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
I always get a libcrypto.a that fails FIPS_mode_set as not supported.
If I leave the shared parameter off, I get the desired FIPS support, but in 
non-PIC code. Since my need is to produce a .so of my own with the libcrypto.a 
statically linked into it, that doesn't work.

Digging into this a little, I see the FIPS_mode_set() definition in 
crypto/o_fips.c is gated by finding a definition of OPENSSL_FIPS. I do see 
that in the generated opensslconf.h.
I can't quite see why the shared versus non-shared would create a problem.
I didn't have this trouble with the earlier version 1.0.1j of openssl, or at 
least I didn't see it. Was PIC code still generated at that release for 
non-shared?

As an aside, I did notice an anomaly in crypto/cryptlib.h near line 72:
#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/opensslconf.h>

However, in crypto.h decisions are made based on the definition of 
OPENSSL_FIPS, which is not defined until opensslconf.h is read at line 76, so 
the behavior of crypto.h seems to be not as intended.
Thoughts, flames?
Thanks, -Kurt



Kurt Heberlein
Master Technologist
3PAR R&D
HPE Storage
www.hpe.com/storage

   +1 512 319 4462 (office)
   +1 510 685 1141 (mobile)

    kurt dot w dot heberlein at-sign hpe dot com

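The two things the message above needs to establish about the built libcrypto.a (is it position-independent, and did the FIPS canister actually get archived into it) can be checked without linking anything. The script below is an added example, not part of the original post or of OpenSSL; it assumes an x86-64 build, GNU binutils (readelf, nm), and that FIPS_module_mode_set, which lives in fipscanister.o, is a reliable marker for the canister. The filters are separated from the tool invocations so they can be exercised on the constructed sample text at the bottom.

```sh
#!/bin/sh
# Diagnostics for a static libcrypto.a that is to be linked into a .so.

# Reads `readelf -r` output on stdin and prints the number of absolute
# relocations (R_X86_64_32 / R_X86_64_32S). Non-PIC code uses these for
# symbol addresses; PIC code uses PC-relative or GOT relocations, so any
# non-zero count means the archive cannot go into a shared object cleanly.
count_abs_relocs() {
    grep -Ec '[[:space:]]R_X86_64_32S?[[:space:]]' || true
}

# Reads `nm` output on stdin and prints "yes" if FIPS_module_mode_set (assumed
# marker for fipscanister.o) is a defined text symbol, else "no".
# FIPS_mode_set itself is defined in every build because o_fips.c carries a
# stub that reports "not supported", so it is not a useful indicator.
canister_linked() {
    if grep -Eq '[[:space:]]T[[:space:]]+FIPS_module_mode_set$'; then
        echo yes
    else
        echo no
    fi
}

# Runs both checks on a real archive; succeeds only if it is PIC and the
# canister is present. Usage: check_static_lib /path/to/libcrypto.a
check_static_lib() {
    lib=$1
    abs=$(readelf -r "$lib" | count_abs_relocs)
    fips=$(nm "$lib" | canister_linked)
    echo "$lib: absolute relocations=$abs, canister linked=$fips"
    [ "$abs" -eq 0 ] && [ "$fips" = yes ]
}

# Constructed sample text (not real tool output): one absolute relocation,
# canister present. Real runs use: readelf -r libcrypto.a and nm libcrypto.a
SAMPLE_RELOCS="Relocation section '.rela.text' at offset 0x1d8 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000004  000500000002 R_X86_64_PC32     0000000000000000 .data - 4
00000000000b  00060000000b R_X86_64_32S      0000000000000000 fips_table + 0"
SAMPLE_NM="fipscanister.o:
0000000000000000 T FIPS_module_mode_set
0000000000000120 T FIPS_selftest
o_fips.o:
0000000000000000 T FIPS_mode_set"

printf '%s\n' "$SAMPLE_RELOCS" | count_abs_relocs   # prints 1
printf '%s\n' "$SAMPLE_NM" | canister_linked        # prints yes
```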


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users