Even if I want to run in FIPS mode the RAND_status() should remain
as-was and not remapped?

That asked, I rebuilt per suggestion and RAND_status() succeeds, but
FIPS_rand_status() still fails as does FIPS_selftest() and
FIPS_rand_bytes().

~/ # ./fips_can_test64
RAND_status (pre FIPS mode) succeeded
FIPS_mode_set succeeded
FIPS_mode succeeded
FIPS_selftest_drbg_all successful
FIPS_rand_status failed, strength: 256
RAND_status succeeded
Got 0 random bytes
FIPS_selftest_rsa failed
FIPS_selftest_ecdsa failed
FIPS_selftest_dsa failed
NotOK: selftest


Thanks,

Woody


Dr. Stephen Henson wrote on 02/27/2012 03:04 PM:
>
> On Mon, Feb 27, 2012, gatewood_gr...@mcafee.com wrote:
>
> > Even without linking the canister (not using fipsld), if I use the FIPS
> > includes, RAND_status() fails.  According to nm, the RAND_status is
> > still redirected to FIPS_rand_status.
> >
> >
>
> Ah you're including the FIPS module header files if that happens. The
> function RAND_status() should stay as RAND_status() when building against
> the FIPS capable OpenSSL.
>
> Try specifying the path to the FIPS capable OpenSSL header install location
> first so they are used in preference to the module header files. In fact
> you can delete everything apart from fips.h and fips_rand.h from the module
> install of header files.
>
> Also use the FIPSDIR environment variable instead of specifying any options
> to ./config for the module, you can also use that instead of the
> --with-fips* options when you build the FIPS capable OpenSSL.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


-- 

Gatewood Green
Principal Software Engineer
NitroSecurity, now part of McAfee
o: 2085528269
c: 2082067455
e: gatewood_gr...@mcafee.com
w: http://www.nitrosecurity.com/


Imagine, if you will, a world in which there are no hypothetical situations...
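
An added diagnostic for the header-order advice in the quoted reply (example code, not from the thread or the OpenSSL project): given include directories in the order they would be passed as -I options, it reports which one supplies openssl/rand.h and whether that tree remaps RAND_status. The function names, the constructed sample trees, and the assumption that the remap appears as a `#define` in the module headers are all illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread.

# first_header_dir HEADER DIR... : print the first DIR that contains HEADER,
# mirroring how the compiler resolves -I directories left to right.
first_header_dir() {
    hdr=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$hdr" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# remaps_rand_status DIR : succeed if a header under DIR/openssl defines
# RAND_status as FIPS_rand_status (assumed form of the remap).
remaps_rand_status() {
    grep -Eqs \
      '^[[:space:]]*#[[:space:]]*define[[:space:]]+RAND_status[[:space:]]+FIPS_rand_status' \
      "$1"/openssl/*.h
}

# check_include_order DIR... : print "ok DIR", "remapped DIR" or "missing".
check_include_order() {
    winner=$(first_header_dir openssl/rand.h "$@") || { echo "missing"; return 2; }
    if remaps_rand_status "$winner"; then
        echo "remapped $winner"
        return 1
    fi
    echo "ok $winner"
}

# make_sample_trees : build two constructed header trees for a dry run and
# print their parent directory. "module" stands in for the FIPS module
# headers, "capable" for the FIPS capable OpenSSL headers.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/module/openssl" "$root/capable/openssl"
    echo 'int RAND_status(void);' > "$root/module/openssl/rand.h"
    echo '#define RAND_status FIPS_rand_status' > "$root/module/openssl/remap_sample.h"
    echo 'int RAND_status(void);' > "$root/capable/openssl/rand.h"
    printf '%s\n' "$root"
}
```

Call `check_include_order` with the real include directories in the same order as the build's -I flags; running `nm` on the resulting object, as done earlier in the thread, confirms the result at the symbol level.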

