On Fri, Jan 23, 2009, rajan chittil wrote:

> Hi,
>
> I have gone through security policy (
> http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and user guide (
> http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).
>
> I have changed the configuration option to
>
> 1. opensslfips1.2
> ./config fipscanisterbuild
> make
>
> 2. openssl 9.8j
> ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
> --with-fipslibdir=/home/rajan/openssl/opensslfips1.2/fips64/openssl-fips-1.2/fips
> fips no-idea no-rc5 no-ec no-symlinks shared threads aix64-xlc_r
> make
> make test
>
> But still I am getting the same error
>
> test SSL protocol
> test ssl3 is forbidden in FIPS mode
> 508008:error:2D06906E:FIPS
> routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
> match:fips.c:238:
> test ssl2 is forbidden in FIPS mode
> 508010:error:2D06906E:FIPS
> routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
> match:fips.c:238:
> test tls1
> 508012:error:2D06906E:FIPS
> routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
> match:fips.c:238:
> make: The error code from the last command is 1.
>
>
> Stop.
> make: The error code from the last command is 2.
>
>
> Stop.
>
> But I have tested ./fips_test_suite and it works fine
>
> $ ./fips_test_suite
> FIPS-mode test application
>
> 1. Non-Approved cryptographic operation test...
> a. Included algorithm (D-H)...successful
> 2. Automatic power-up self test...successful
> 3. AES encryption/decryption...successful
> 4. RSA key generation and encryption/decryption...successful
> 5. DES-ECB encryption/decryption...successful
> 6. DSA key generation and signature validation...successful
> 7a. SHA-1 hash...successful
> 7b. SHA-256 hash...successful
> 7c. SHA-512 hash...successful
> 7d. HMAC-SHA-1 hash...successful
> 7e. HMAC-SHA-224 hash...successful
> 7f. HMAC-SHA-256 hash...successful
> 7g. HMAC-SHA-384 hash...successful
> 7h. HMAC-SHA-512 hash...successful
> 8. Non-Approved cryptographic operation test...
> a. Included algorithm (D-H)...successful as expected
> 9. Zero-ization...
> Generated 128 byte RSA private key
> BN key before overwriting:
> 77eed34099e0d0dc56d316727fd2217c3bc0f6409bc1cd12ffdb427101218787e5bcc0013f58d1633b3f8934c1cf65a05744701fefc80dd92ac7ac4e88ff91ae18c5dda39e77257e3be162cda8f252dfca19dc3998af38b6de90c766295dfd74db93ea66333f3c91c35d8958292f205a6d89d4332f913f21fb6756179008ef29
> BN key after overwriting:
> 5171b0a563d968222705431c1abf13bef9780e38a28817d7a36c953d18179e2330ee87d363b8154e2d268eb5aed447bd6419da455d390ce70891bf0512360721e0be0e44c32489e1c975436fa752460397a8e921a0ad64eee7200abe57c2807925edc105a5233da59dd7b4a26a675a2683d5cbee2d87f02fefbfaab5c355e264
> char buffer key before overwriting:
> 4850f0a33aedd3af6e477f8302b10968
> char buffer key after overwriting:
> 96a916306b46b3d4189fa6d1b04a4ed9
> successful as expected
>
> All tests completed with 0 errors
>
> $ ./fips_test_suite aes
> FIPS-mode test application
>
> AES encryption/decryption with corrupted KAT...
> ERROR:2d06e065:lib=45,func=110,reason=101:file=fips_aes_selftest.c:line=98:
> Power-up self test failed
> $ ./fips_test_suite sha1
> FIPS-mode test application
>
> SHA-1 hash with corrupted KAT...
> ERROR:2d073065:lib=45,func=115,reason=101:file=fips_sha1_selftest.c:line=90:
> Power-up self test failed
>
> These things work fine.
>
> Can you please tell me where I am going wrong?
>

Try building without the "shared" option and see if that works.

Also make sure the system type is consistent between the two builds... in the
FIPS directory do:

./config -t

and ensure you use that type for the 0.9.8j build.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
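
The consistency check suggested in the reply above, as an added example that is not part of the original thread or of OpenSSL. It assumes `./config -t` prints a `Configuring for <target>` line; the sample output and the function names `config_target` and `check_configure_args` are constructed for illustration.

```shell
#!/bin/sh
# Compare the target chosen for the FIPS module build with the arguments
# given to ./Configure for the 0.9.8j build, and flag the "shared" option.

# Read "./config -t" output on stdin and print the selected target.
# Assumption: the output contains a line "Configuring for <target>".
config_target() {
    sed -n 's/^Configuring for \([^ ]*\).*$/\1/p' | head -n 1
}

# Usage: check_configure_args FIPS_TARGET CONFIGURE_ARG...
# Returns 0 if consistent, 1 if the FIPS target is not among the arguments,
# 2 if the target matches but "shared" is present.
check_configure_args() {
    want=$1; shift
    found=no; shared=no
    for arg in "$@"; do
        case $arg in
            "$want") found=yes ;;
            shared)  shared=yes ;;
        esac
    done
    [ "$found" = yes ] || { echo "target mismatch: FIPS build used '$want'"; return 1; }
    [ "$shared" = no ] || { echo "'shared' is set: retry the build without it"; return 2; }
    echo "targets consistent"
}

# Constructed sample of "./config -t" output (not taken from the thread).
# On a real system: fips_target=$(cd openssl-fips-1.2 && ./config -t | config_target)
SAMPLE_CONFIG_T='Configuring for aix64-cc
/usr/bin/perl ./Configure aix64-cc'

fips_target=$(printf '%s\n' "$SAMPLE_CONFIG_T" | config_target)

# Arguments from the Configure line quoted in the thread (paths omitted).
check_configure_args "$fips_target" \
    fips no-idea no-rc5 no-ec no-symlinks shared threads aix64-xlc_r || :
```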