Yeah, I don't know if that would be technically valid
for FIPS either, I wouldn't be surprised if the certification
required pretty much a non-modified system. I really couldn't
tell you though. On AIX there was also another issue (in relation
to GCC), but if you're using AIX's xlc, it wouldn't have been
hit...
I think the real solution is to get the fixes piggy-backed on
a follow-up cert.
-Brad
Troy Monaghen wrote:
> In an earlier thread, Brad House spoke of the problem I am having:
>
> 1) dladdr() does not exist in AIX4 or AIX5.1, but the
> DSO_pathbyaddr() function from crypto/dso/dso_dlfcn.c
> is not called from anywhere so it's dead code...
> Just #if'd it out.
>
> This is also true for AIX 5.2, and since touching any of the code in the
> FIPS tarball violates the security policy I don't think #if'ing it out is
> an option.
>
> I have come up with the following workaround that does not touch any of
> the files in the FIPS tarball... but does involve touching an AIX header
> file. I don't like touching system header files, but I don't see any
> other way. I'd appreciate any comments on whether or not this might
> affect the validation status of the module. I am using the IBM compiler
> and not gcc.
>
> Note that a grep of the source indicates that the function that is
> failing compilation (DSO_pathbyaddr()) is not actually called by
> anything in the FIPS OpenSSL nor in 0.9.7j.
>
> The two problems in the function are:
> - The Dl_info structure used in the function is not declared
> - The dladdr() function is not defined
>
> My workaround involves modifying an AIX include file
> (/usr/include/dlfcn.h) to include a minimal declaration of the structure
> and a #define of the function that replaces it with the constant value
> zero (which is the return code of the function indicating an error).
> This is placed within an OPENSSL_FIPS #ifdef so that this code is only
> included when building FIPS OpenSSL.
>
> Here is what I added to the end of /usr/include/dlfcn.h (just before the
> #endif /* _H_DLFCN */):
>
>
> /* Allow OpenSSL FIPS to compile without modifying its source code */
> #ifdef OPENSSL_FIPS
>
> typedef struct {
>     char *dli_fname;
> } Dl_info;
>
> #define dladdr(x,y) (0)
>
> #endif
>
>
> ---
>
> Thanks
> Troy
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]
>
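The header shim described in the quoted message, shown as an added example that is not part of the original thread and is not OpenSSL source: it compiles a caller that uses `Dl_info` and `dladdr()` and shows what the shim does at run time. `path_by_addr`, `traced` and `evals` are hypothetical names, and the shim is inlined rather than appended to /usr/include/dlfcn.h so the file builds on any system.

```c
/* Added example; not OpenSSL source. The shim is inlined here instead of
 * being appended to /usr/include/dlfcn.h, so <dlfcn.h> is not included. */
#include <stdio.h>
#include <string.h>

#define OPENSSL_FIPS 1          /* assumption: defined by the FIPS build */

#ifdef OPENSSL_FIPS
typedef struct {
    char *dli_fname;
} Dl_info;
#define dladdr(x,y) (0)         /* arguments are discarded, never evaluated */
#endif

int evals = 0;                  /* counts evaluations of dladdr's first argument */
void *traced(void *p) { evals++; return p; }

/* Hypothetical caller shaped like the function described in the thread:
 * resolve the file that contains addr and copy its name into path. */
int path_by_addr(void *addr, char *path, int sz)
{
    Dl_info dli = { 0 };
    int len;

    if (addr == NULL || path == NULL || sz <= 0)
        return -1;
    if (dladdr(traced(addr), &dli)) {   /* expands to if ((0)) */
        len = (int)strlen(dli.dli_fname);
        if (len >= sz)
            len = sz - 1;
        memcpy(path, dli.dli_fname, (size_t)len);
        path[len] = '\0';
        return len;
    }
    return -1;                          /* the only reachable result with the shim */
}

int main(void)
{
    char buf[32] = "unchanged";
    int rc = path_by_addr((void *)buf, buf, (int)sizeof buf);

    printf("rc=%d buf=%s evals=%d\n", rc, buf, evals);
    return 0;
}
```

With the shim in place every lookup fails and the argument expressions are never evaluated, which is harmless here only because, per the message, nothing calls the function.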