>> However, I
>> am honestly annoyed that there have been two validation cycles past
>> without (still!) a working FIPS-validated module for the Intel Mac.
> 
> What is this statement based on? Intel Mac support was added and tested
> prior to second submission. Though it's limited to 32 bits... Because
> 64-bit capable hardware was not available at that point... A.

I know where he's coming from on that one; I couldn't get fips-1.1.1
to work on Intel Mac...  I think the first issue was that it was setting
-DB_ENDIAN in the cflags when you run ./config fips:
$ ./config fips
Operating system: i386-apple-darwinDarwin Kernel Version 9.1.0: Wed Oct
31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386
Configuring for darwin-i386-cc
Configuring for darwin-i386-cc
IsWindows=0
CC            =cc
CFLAG         =-DOPENSSL_SYSNAME_MACOSX -DOPENSSL_THREADS -D_REENTRANT
-DOPENSSL_NO_KRB5 -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN

That's obviously not right for i386 and _does_ cause tests to fail.

Then, when you "illegally" fix that in Configure, the make install
fails (at least on Leopard with Xcode 3) starting with:
make[3]: Nothing to be done for `all'.
exdel=""; \
        for i in ../crypto/aes/aes_cbc.o ../crypto/aes/aes_cfb.o
../crypto/aes/aes_ecb.o ../crypto/aes/aes_ofb.o
../crypto/asn1/a_bitstr.o ../crypto/asn1/a_bytes.o
../crypto/asn1/a_dup.o ../crypto/asn1/a_int.o ../crypto/asn1/a_object.o
../crypto/asn1/asn1_err.o ../crypto/asn1/asn1_lib.o
../crypto/asn1/a_type.o ../crypto/asn1/evp_asn1.o
../crypto/asn1/tasn_dec.o ../crypto/asn1/tasn_enc.o
../crypto/asn1/tasn_fre.o ../crypto/asn1/tasn_new.o
../crypto/asn1/tasn_typ.o ../crypto/asn1/tasn_utl.o
../crypto/asn1/t_pkey.o ../crypto/asn1/x_algor.o
../crypto/asn1/x_bignum.o ../crypto/asn1/x_long.o ../crypto/asn1/x_sig.o
../crypto/bio/bio_err.o ../crypto/bio/bio_lib.o ../crypto/bio/b_print.o
../crypto/bio/bss_file.o ../crypto/bn/bn_add.o ../crypto/bn/bn_blind.o
../crypto/bn/bn_ctx.o ../crypto/bn/bn_div.o ../crypto/bn/bn_err.o
../crypto/bn/bn_exp2.o ../crypto/bn/bn_exp.o ../crypto/bn/bn_gcd.o
../crypto/bn/bn_lib.o ../crypto/bn/bn_mod.o ../crypto/bn/bn_mont.o
../crypto/bn/bn_mul.o ../crypto/bn/bn_prime.o ../crypto/bn/bn_print.o
../crypto/bn/bn_rand.o ../crypto/bn/bn_recp.o ../crypto/bn/bn_shift.o
../crypto/bn/bn_sqr.o ../crypto/bn/bn_word.o ../crypto/bn/bn_x931p.o
../crypto/buffer/buf_err.o ../crypto/buffer/buffer.o
../crypto/conf/conf_err.o ../crypto/cpt_err.o ../crypto/cryptlib.o
../crypto/des/cfb64ede.o ../crypto/des/cfb64enc.o
../crypto/des/cfb_enc.o ../crypto/des/des_enc.o ../crypto/des/ecb3_enc.o
../crypto/des/ecb_enc.o ../crypto/des/ofb64ede.o
../crypto/des/ofb64enc.o ../crypto/dh/dh_err.o ../crypto/dh/dh_lib.o
../crypto/dsa/dsa_asn1.o ../crypto/dsa/dsa_err.o ../crypto/dsa/dsa_lib.o
../crypto/dsa/dsa_sign.o ../crypto/dsa/dsa_vrf.o ../crypto/dso/dso_err.o
../crypto/ec/ec_err.o ../crypto/engine/eng_err.o
../crypto/engine/eng_init.o ../crypto/engine/eng_lib.o
../crypto/engine/eng_list.o ../crypto/engine/eng_table.o
../crypto/engine/tb_cipher.o ../crypto/engine/tb_dh.o
../crypto/engine/tb_digest.o ../crypto/engine/tb_dsa.o
../crypto/engine/tb_rand.o ../crypto/engine/tb_rsa.o
../crypto/err/err_all.o ../crypto/err/err.o ../crypto/err/err_prn.o
../crypto/evp/digest.o ../crypto/evp/e_aes.o ../crypto/evp/e_des3.o
../crypto/evp/e_des.o ../crypto/evp/evp_enc.o ../crypto/evp/evp_err.o
../crypto/evp/evp_lib.o ../crypto/evp/m_sha1.o ../crypto/evp/p_lib.o
../crypto/evp/p_sign.o ../crypto/evp/p_verify.o ../crypto/ex_data.o
../crypto/lhash/lhash.o ../crypto/mem_clr.o ../crypto/mem_dbg.o
../crypto/mem.o ../crypto/objects/obj_dat.o ../crypto/objects/obj_err.o
../crypto/objects/obj_lib.o ../crypto/ocsp/ocsp_err.o
../crypto/pem/pem_err.o ../crypto/pkcs12/pk12err.o
../crypto/pkcs7/pkcs7err.o ../crypto/rand/md_rand.o
../crypto/rand/rand_egd.o ../crypto/rand/rand_err.o
../crypto/rand/randfile.o ../crypto/rand/rand_lib.o
../crypto/rand/rand_os2.o ../crypto/rand/rand_unix.o
../crypto/rand/rand_win.o ../crypto/rsa/rsa_err.o
../crypto/rsa/rsa_lib.o ../crypto/rsa/rsa_none.o
../crypto/rsa/rsa_oaep.o ../crypto/rsa/rsa_pk1.o ../crypto/rsa/rsa_pss.o
../crypto/rsa/rsa_sign.o ../crypto/rsa/rsa_ssl.o
../crypto/rsa/rsa_x931.o ../crypto/stack/stack.o ../crypto/uid.o
../crypto/ui/ui_err.o ../crypto/x509v3/v3err.o ../crypto/x509v3/v3_hex.o
../crypto/x509/x509_err.o  bn_asm.o;\
        do \
        exdel="$exdel "`basename $i`""; \
        done ; \
        ar d ../libcrypto.a $exdel
ar: aes_cbc.o: not found in archive
...<snip>...
ar: x509_err.o: not found in archive
ar: bn_asm.o: not found in archive
make[2]: *** [delexobj] Error 1
make[1]: *** [all] Error 2
make: *** [sub_all] Error 1

I hadn't tried to manually copy the libs and includes over; we
just don't support fips on mac-intel since the Configure change
isn't legal to make without invalidating the module anyhow.

-Brad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
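
Why a byte-order define that disagrees with the hardware makes known-answer tests fail, as an added illustration that is not part of the original post and is not OpenSSL code. The `claim_big_endian` parameter is a hypothetical stand-in for a `-DB_ENDIAN`-style build macro, and the 8-byte sample input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Runtime probe: returns 1 on a little-endian host (e.g. i386), 0 otherwise. */
static int host_is_little_endian(void)
{
    const uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

static uint32_t bswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) |
           ((v << 8) & 0x00ff0000u) | (v << 24);
}

/*
 * Load a big-endian 32-bit word the way endian-optimized code does:
 * trust the build-time claim instead of assembling bytes portably.
 * claim_big_endian is a hypothetical runtime stand-in for the macro,
 * so both settings can be exercised in one binary.
 */
static uint32_t load_be32(const unsigned char *p, int claim_big_endian)
{
    uint32_t w;
    memcpy(&w, p, sizeof w);                 /* native-order load */
    return claim_big_endian ? w : bswap32(w);
}

/* Known-answer check over a constructed 8-byte sample input. */
static int kat_passes(int claim_big_endian)
{
    static const unsigned char sample[8] = {
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
    };
    return load_be32(sample, claim_big_endian) == 0x01234567u &&
           load_be32(sample + 4, claim_big_endian) == 0x89abcdefu;
}

int main(void)
{
    int le = host_is_little_endian();
    printf("host: %s-endian\n", le ? "little" : "big");
    printf("correct claim: KAT %s\n", kat_passes(!le) ? "ok" : "FAILED");
    printf("wrong claim:   KAT %s\n", kat_passes(le) ? "ok" : "FAILED");
    return kat_passes(!le) ? 0 : 1;
}
```

A build-time guard that compares such a runtime probe against the configured macro catches the mismatch before any cryptographic self-test runs.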
