On Sat, Sep 20, 2008 at 01:47:55PM -0700, Kyle Hamilton wrote:
> Fips folk: Should the 'fipsdso' target complain if it gets any other
> command line arguments in ./Configure? Since specifying it means that
> you're trying to build the shared object...
>
> -Kyle H
>
> On Sat, Sep 20, 2008 at 8:56 AM, The Doctor <[EMAIL PROTECTED]> wrote:
> > Need to split the FIPS and non-FIPS compliant technologies:
> >
> > When I do a fips compile namely
> > ./Configure threads shared no-sse2 fipsdso enable-capieng enable-montasm
> > enable-cms enable-seed enable-tlsext enable-camellia enable-rfc3779
> > enable-gmp enable-mdc2 enable-rc5 zlib-dynamic --prefix="/usr/contrib"
> > --openssldir="/usr/contrib"
> > debug-bsdi-x86-elf "-g -O3 -Wall -mcpu=pentium3
> >
> > with debug-bsdi-x86-elf
> >
> > "debug-bsdi-x86-elf", "gcc:-DPERL5 -DL_ENDIAN -DTERMIOS
> > -fomit-frame-pointer -O9 -march=pentium3 -Wall -g::${BSDthreads}::-ldl -lm
> > -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ${x86_gcc_des}
> > ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
> >
> > I get:
> >
> > Testing cipher SEED-ECB(encrypt)
> > Key
> > 0000 28 db c3 bc 49 ff d8 7d cf a5 09 b1 1d 42 2b e7
> > Plaintext
> > 0000 b4 1e 6b e2 eb a8 4a 14 8e 2e ed 84 59 3c 5e c7
> > Ciphertext
> > 0000 9b 9b 7b fc d1 81 3c b9 5d 0b 36 18 f4 0f 51 22
> >
> > test SSL protocol
> > test ssl3 is forbidden in FIPS mode
> > *** IN FIPS MODE ***
> > Available compression methods:
> > 1: zlib compression
> > 8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> > mode:ssl_lib.c:1402:
> > 8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> > mode:ssl_lib.c:1402:
> > test ssl2 is forbidden in FIPS mode
> > *** IN FIPS MODE ***
> > Available compression methods:
> > 1: zlib compression
> > 8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> > mode:ssl_lib.c:1402:
> > 8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> > mode:ssl_lib.c:1402:
> > test tls1
> > *** IN FIPS MODE ***
> > Available compression methods:
> > 1: zlib compression
> > 8956:error:0406A08D:rsa routines:RSA_new_method:non fips
> > method:rsa_eng.c:183:
> > 8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux
> > error:tasn_new.c:221:
> > 8956:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> > error:tasn_dec.c:402:Type=RSA
> > 8956:error:0D09B00D:asn1 encoding routines:d2i_PublicKey:ASN1
> > lib:d2i_pu.c:99:
> > 8956:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1
> > lib:x_pubkey.c:366:
> > 8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
> > ERROR in SERVER
> > 8956:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > cipher:s3_srvr.c:1037:
> > TLSv1, cipher (NONE) (NONE)
> > 1 handshakes of 256 bytes done
> > *** Error code 1 (continuing)
> > Test IGE mode
> > ../util/shlib_wrap.sh ./igetest
> > `tests' not remade because of errors.
> > util/opensslwrap.sh version -a
> > OpenSSL 0.9.8j-fips-dev xx XXX xxxx
> > built on: Sat Sep 20 08:02:29 MDT 2008
> > platform: debug-bsdi-x86-elf
> > options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int)
> > blowfish(idx)
> > compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS
> > -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O3
> > -Wall -mcpu=pentium3 -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O9
> > -march=pentium3 -Wall -g -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT
> > -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> > OPENSSLDIR: "/usr/contrib"
> > `test' is up to date.
> >
> > using make -k test .
> >
> > Please fix.
> >
>
From the Configure file:

    elsif (/^fips$/)
        {
        $fips=1;
        }
    elsif (/^rsaref$/)
        {
        # No RSAref support any more since it's not needed.
        # The check for the option is there so scripts aren't
        # broken
        }
    elsif (/^nofipscanistercheck$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        }
    elsif (/^fipscanisterbuild$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        $fipslibdir="";
        $fipscanisterinternal="y";
        }
    elsif (/^fipsdso$/)
        {
        $fips = 1;
        $nofipscanistercheck = 1;
        $fipslibdir="";
        $fipscanisterinternal="y";
        $fipsdso = 1;
        }

--
Member - Liberal International
This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED]
God, Queen and country! Beware Anti-Christ rising!
Canada vote anything but Conservative on 14 Oct 2008, join us at http://www.harpocrit.ca .

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
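
Added example, not part of the original thread and not OpenSSL code: a small Python triage of the `make -k test` output quoted above. It splits each error line into its fields, unpacks the 8-digit hex code using the library/function/reason layout of OpenSSL's ERR_PACK macro, and reports the first error printed under each test. Treating a test whose name says "forbidden in FIPS mode" as an expected rejection is an assumption drawn from the test names in the log; the function names are this example's own.

```python
import re

# Lines copied from the quoted "make -k test" output (mail-wrapped lines rejoined).
SAMPLE_LOG = """\
test ssl3 is forbidden in FIPS mode
8918:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
test ssl2 is forbidden in FIPS mode
8932:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1402:
test tls1
8956:error:0406A08D:rsa routines:RSA_new_method:non fips method:rsa_eng.c:183:
8956:error:0D079064:asn1 encoding routines:ASN1_ITEM_EX_COMBINE_NEW:aux error:tasn_new.c:221:
8956:error:140BF10C:SSL routines:SSL_SET_CERT:x509 lib:ssl_rsa.c:402:
"""

# pid:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

def parse_error(line):
    """Split one error line into fields and unpack the numeric code."""
    m = ERR_RE.match(line.strip())
    if m is None:
        return None
    pid, code, lib, func, reason, src, lineno = m.groups()
    packed = int(code, 16)
    return {"pid": int(pid), "lib": lib, "func": func, "reason": reason,
            "where": "%s:%s" % (src, lineno),
            "lib_no": (packed >> 24) & 0xFF,      # ERR_GET_LIB
            "func_no": (packed >> 12) & 0xFFF,    # ERR_GET_FUNC
            "reason_no": packed & 0xFFF}          # ERR_GET_REASON

def triage(log):
    """Map each test name to its first error and whether failure was expected."""
    report, current = {}, None
    for line in log.splitlines():
        if line.startswith("test "):
            current = line[5:].strip()
            continue
        err = parse_error(line)
        if err is None or current is None or current in report:
            continue  # keep only the first (oldest) error per test
        # Assumption: a test named "... is forbidden in FIPS mode" is meant to fail.
        report[current] = {"expected": "forbidden in FIPS mode" in current,
                           "first": err}
    return report

if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        tag = "expected" if info["expected"] else "INVESTIGATE"
        e = info["first"]
        print("%-32s %-11s %s/%s: %s (%s)" % (
            name, tag, e["lib"], e["func"], e["reason"], e["where"]))
```

On the sample, only `tls1` is flagged for investigation, and its first error is the RSA "non fips method" line rather than the later ASN.1 and SSL errors printed after it.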