Is it necessary to use the same compiler to build opensslfips 1.2 and openssl 9.8J? If I am using a different compiler, does it create a problem? Please reply, as this issue has become a problem for me in generating the shared library of FIPS-capable openssl 9.8j.

Opensslfips 1.2
# ./config -t
Operating system: 00C3E1AD4C00-ibm-aix
Configuring for aix-gcc
/usr/bin/perl ./Configure aix-gcc

Openssl 9.8j
# ./config -t
Operating system: 00C3E1AD4C00-ibm-aix
WARNING! If you wish to build 64-bit kit, then you have to
         invoke './Configure aix64-cc' *manually*.
Configuring for aix-cc
/usr/bin/perl ./Configure aix-cc

Will this be a problem? Please reply.

Thanks
Joshi

On Sat, Jan 24, 2009 at 12:53 PM, rajan chittil <rajanchit...@gmail.com> wrote:

> I have used aix64-cc compiler to build openssl fips 1.2. But since we have
> GPFS problem, we have to use xlc_r compiler to build openssl 9.8J. Since
> I am using xlc_r compiler it has not created a validated module. Can you please
> tell me what all changes I need to do to build the openssl 9.8J by using
> xlc_r compiler. I have seen some are using some patch on Makefile.shared
> file etc. Can you please guide me.
>
> Thanks
>
> Rajan
>
>
> On Sat, Jan 24, 2009 at 3:47 AM, <mail1...@tds.net> wrote:
>
>>
>> ---- "Dr. Stephen Henson" <st...@openssl.org> wrote:
>> > On Fri, Jan 23, 2009, rajan chittil wrote:
>> >
>> > > Hi,
>> > >
>> > > I have gone through security policy (
>> > > http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf) and user guide (
>> > > http://www.openssl.org/docs/fips/UserGuide-1.2.pdf).
>> > >
>> > > I have changed the configuration option to
>> > >
>> > > 1. opensslfips1.2
>> > > ./config fipscanisterbuild
>> > > make
>> > >
>> > > 2. openssl 9.8j
>> > > ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
>> > > --with-fipslibdir=/home/rajan/openssl/opensslfips1.2/fips64/openssl-fips-1.2/fips
>> > > fips no-idea no-rc5 no-ec no-symlinks shared threads aix64-xlc_r
>> > > make
>> > > make test
>> > >
>> > > But still I am getting the same error
>> > >
>> > > test SSL protocol
>> > > test ssl3 is forbidden in FIPS mode
>> > > 508008:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
>> > > test ssl2 is forbidden in FIPS mode
>> > > 508010:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
>> > > test tls1
>> > > 508012:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238:
>> > > make: The error code from the last command is 1.
>> > >
>> > >
>> > > Stop.
>> > > make: The error code from the last command is 2.
>> > >
>> > >
>> > > Stop.
>> > >
>> > > But I have tested ./fips_test_suite and it works fine
>> > >
>> > > $ ./fips_test_suite
>> > >         FIPS-mode test application
>> > >
>> > > 1. Non-Approved cryptographic operation test...
>> > >         a. Included algorithm (D-H)...successful
>> > > 2. Automatic power-up self test...successful
>> > > 3. AES encryption/decryption...successful
>> > > 4. RSA key generation and encryption/decryption...successful
>> > > 5. DES-ECB encryption/decryption...successful
>> > > 6. DSA key generation and signature validation...successful
>> > > 7a. SHA-1 hash...successful
>> > > 7b. SHA-256 hash...successful
>> > > 7c. SHA-512 hash...successful
>> > > 7d. HMAC-SHA-1 hash...successful
>> > > 7e. HMAC-SHA-224 hash...successful
>> > > 7f. HMAC-SHA-256 hash...successful
>> > > 7g. HMAC-SHA-384 hash...successful
>> > > 7h. HMAC-SHA-512 hash...successful
>> > > 8. Non-Approved cryptographic operation test...
>> > >         a. Included algorithm (D-H)...successful as expected
>> > > 9. Zero-ization...
>> > >         Generated 128 byte RSA private key
>> > >         BN key before overwriting:
>> > > 77eed34099e0d0dc56d316727fd2217c3bc0f6409bc1cd12ffdb427101218787e5bcc0013f58d1633b3f8934c1cf65a05744701fefc80dd92ac7ac4e88ff91ae18c5dda39e77257e3be162cda8f252dfca19dc3998af38b6de90c766295dfd74db93ea66333f3c91c35d8958292f205a6d89d4332f913f21fb6756179008ef29
>> > >         BN key after overwriting:
>> > > 5171b0a563d968222705431c1abf13bef9780e38a28817d7a36c953d18179e2330ee87d363b8154e2d268eb5aed447bd6419da455d390ce70891bf0512360721e0be0e44c32489e1c975436fa752460397a8e921a0ad64eee7200abe57c2807925edc105a5233da59dd7b4a26a675a2683d5cbee2d87f02fefbfaab5c355e264
>> > >         char buffer key before overwriting:
>> > >                 4850f0a33aedd3af6e477f8302b10968
>> > >         char buffer key after overwriting:
>> > >                 96a916306b46b3d4189fa6d1b04a4ed9
>> > >         successful as expected
>> > >
>> > > All tests completed with 0 errors
>> > >
>> > > $ ./fips_test_suite aes
>> > >         FIPS-mode test application
>> > >
>> > > AES encryption/decryption with corrupted KAT...
>> > > ERROR:2d06e065:lib=45,func=110,reason=101:file=fips_aes_selftest.c:line=98:
>> > > Power-up self test failed
>> > > $ ./fips_test_suite sha1
>> > >         FIPS-mode test application
>> > >
>> > > SHA-1 hash with corrupted KAT...
>> > > ERROR:2d073065:lib=45,func=115,reason=101:file=fips_sha1_selftest.c:line=90:
>> > > Power-up self test failed
>> > >
>> > > These things work fine.
>> > >
>> > > Can you please tell me where I am going wrong.
>> > >
>> >
>> > Try building without the "shared" option and see if that works. Also make sure
>> > the system type is consistent between the two builds... in the FIPS directory
>> > do:
>> >
>> > ./config -t
>> >
>> > and ensure you use that type for the 0.9.8j build.
>> >
>> > Steve.
>> > --
>> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> > OpenSSL project core developer and freelance consultant.
>> > Homepage: http://www.drh-consultancy.demon.co.uk
>> > ______________________________________________________________________
>> > OpenSSL Project                                 http://www.openssl.org
>> > User Support Mailing List                    openssl-users@openssl.org
>> > Automated List Manager                           majord...@openssl.org
>>
>> HOWDY COWBOYS & COWGIRLS
>>
>> i get all your e-mail all the time every day, i develo web ages, excuse my
>> daughters com uter it doesnt have the letter thats missing, anyway
>>
>> i must get at least 12 mails a day about your develo ing secure info and
>> netsca e develo ment. sssi etc. dont send them
>>
>> anymore, i know you use lists, take my adress off. thanx from bob in the
>> usa! and GOD bless all!
>>
>
>

--
Regards
Joshi Chandran
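
The consistency check Steve describes (run `./config -t` in the FIPS directory and use that type for the 0.9.8j build), applied to the two `./config -t` outputs in Joshi's message. This is an added example, not code from the thread or from the OpenSSL project; the function names `config_target` and `compare_targets` are hypothetical, and the sample input is copied from the outputs quoted above.

```sh
#!/bin/sh
# Added example: compare the build target that `./config -t` selects in the
# FIPS module tree and in the OpenSSL tree before building either one.

# Print the target named on the "Configuring for <target>" line of
# `./config -t` output read from stdin (empty if no such line exists).
config_target() {
    sed -n 's/^Configuring for \([^ ]*\).*$/\1/p' | head -n 1
}

# Compare two captured `./config -t` outputs.
# Returns 0 on match, 1 on mismatch, 2 if a target could not be parsed.
compare_targets() {
    fips_target=$(printf '%s\n' "$1" | config_target)
    ossl_target=$(printf '%s\n' "$2" | config_target)
    if [ -z "$fips_target" ] || [ -z "$ossl_target" ]; then
        echo "could not find a 'Configuring for' line" >&2
        return 2
    fi
    if [ "$fips_target" != "$ossl_target" ]; then
        echo "MISMATCH: FIPS module=$fips_target OpenSSL=$ossl_target" >&2
        return 1
    fi
    echo "OK: both trees configure for $fips_target"
}

# Sample input: the two outputs quoted in the message above.
FIPS_OUT="Operating system: 00C3E1AD4C00-ibm-aix
Configuring for aix-gcc
/usr/bin/perl ./Configure aix-gcc"

OSSL_OUT="Operating system: 00C3E1AD4C00-ibm-aix
WARNING! If you wish to build 64-bit kit, then you have to
         invoke './Configure aix64-cc' *manually*.
Configuring for aix-cc
/usr/bin/perl ./Configure aix-cc"

# Reports the aix-gcc / aix-cc mismatch and a non-zero status.
compare_targets "$FIPS_OUT" "$OSSL_OUT" || echo "exit status $?"
```

In a real build the two arguments would be `"$(cd <fips-tree> && ./config -t)"` and `"$(cd <openssl-tree> && ./config -t)"`, with the tree paths supplied by the builder.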