I have downloaded the OpenSSL 1.0.1 and FIPS object module v1.2.  Both will 
build a libcrypto.a library.  I have some questions and hope someone can 
clarify them for me.
This FIPS thing is totally new so please forgive me if the questions are off 
the target.

1. Is the crypto code in FIPS a subset of the OpenSSL source?  Does it include 
only FIPS approved cryptographic algorithms?

2. I assume libssl depends on libcrypto so if I need to use libcrypto in 
addition to SSL, should I build OpenSSL to get both libssl and libcrypto and 
replace libcrypto with the one built from FIPS?

3.  Is the 'FIPS_mode_set' API defined only in libcrypto built from the FIPS 
object module source?

4. The 'fips' configuration is accepted in Configure, but not documented in the 
script.  What is the use of 'fips' configuration setting when building OpenSSL?
     When I run 
     ./config threads shared fips no-hw zlib-dynamic no-idea no-rc2 no-rc4 no-rc5 no-camellia no-bf
     make depend
     make
     make test

     I get the following errors during 'make test' phase

Doing certs
testing...
cc -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 
-fomit-frame-pointer -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
-DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o bntest.o bntest.c
(cd ..; make DIRS=crypto all)
making all in crypto...
cc -I. -I.. -I../include  -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB 
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 
-fomit-frame-pointer -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include 
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
-DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o o_fips.o o_fips.c
o_fips.c:60:26: error: openssl/fips.h: No such file or directory
o_fips.c:61:31: error: openssl/fips_rand.h: No such file or directory
o_fips.c: In function ‘FIPS_mode_set’:
o_fips.c:84: warning: passing argument 1 of ‘RAND_set_rand_method’ makes 
pointer from integer without a cast
make[3]: *** [o_fips.o] Error 1
make[2]: *** [build_crypto] Error 1
make[1]: *** [../libcrypto.a] Error 2
make: *** [tests] Error 2


5. What is the incore script for?  If I run it without any parameters under 
MacOS 10.7, I get an error instead of usage

        $ ./incore
        Modification of non-creatable array value attempted, subscript -1 at ./incore line 366.


Alex


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org