I have followed the steps mentioned in the OpenSSL FIPS Security Policy for
openssl fips 1.1.2 and that all works fine.
But when I started working on FIPS-capable openssl using openssl 0.9.7m and
used the shared option in ./Configure, it gives the error below,
but it works fine when not using the shared option.

The steps to generate the FIPS module (using openssl fips 1.1.2):
1. ./Configure fips aix-cc
2. make

The steps used to generate the FIPS-capable openssl:

  ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl \
    --with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared \
    threads aix${1}-xlc_r
  make depend
  make

  # Relink the 'openssl' program with correct libpath.
  cd apps
  rm openssl
  make CC='xlc_r -bnolibpath'
  cd ../..

This shared option is causing the FIPS-related functions to fail.
This is the error message:
./fips_test_suite
>>         FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>>         a. Included algorithm (D-H)...successful
>> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
>> 2. Automatic power-up self test...FAILED!

But it is okay when I omit the shared option.

Does it mean it does not support shared libraries?

I have found a link which also states the same:
http://www.mail-archive.com/openssl-users@openssl.org/msg53664.html

I am attaching the build script I am using:
http://www.nabble.com/file/p19555718/fipsbuild.txt fipsbuild.txt
Please help me to resolve this problem.


Thanks in advance
Joshi Chandran


Patrick Patterson-3 wrote:
> 
> Hi Joshi:
> 
> On September 18, 2008 11:01:28 am joshi chandra wrote:
>> Hi
>>
>> I was trying to build a shared library of fips and I am facing some problem
>> with that. These are the steps I have done:
>>
>> 1. I have created the fips object module (used openssl fips 1.1.2)
>>
>> 2. Used openssl 0.9.7m to create the fips capable module, and when I use the
>> shared option in ./configure, all the fips related functions failed (like
>> fips_test_suite failed); if I am not using the shared option, it
>> succeeded.
>>
>> This is the error which i am getting when using shared option in
>> ./Configure in openssl 0.9.7m
>> ./fips_test_suite
>>         FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>>         a. Included algorithm (D-H)...successful
>> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
>> 2. Automatic power-up self test...FAILED!
>>
>> but it works fine when shared is not used
>>
>>     This means the shared library is not supported by this version.
>>
>> Can you please help with what is wrong here?
>>
> From my understanding, to get a FIPS validated module, you must follow the
> OpenSSL FIPS Security Policy letter for letter. That means that if you change
> a single option on the ./configure line, it is no longer the "FIPS validated"
> version that you are building. Consequently, I suggest you read the security
> policy, and see if what you are trying to do is a validated configuration.
> 
> Have fun.
> 
> -- 
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19555718.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
