I have downloaded the OpenSSL 1.0.1 and FIPS object module v1.2. Both will build a libcrypto.a library. I have some questions and hope someone can clarify them for me. This FIPS thing is totally new, so please forgive me if the questions are off target.
1. Is the crypto code in FIPS a subset of the OpenSSL source? Does it include only FIPS approved cryptographic algorithms?

2. I assume libssl depends on libcrypto, so if I need to use libcrypto in addition to SSL, should I build OpenSSL to get both libssl and libcrypto and replace libcrypto with the one built from FIPS?

3. Is the 'FIPS_mode_set' API defined only in libcrypto built from the FIPS object module source?

4. The 'fips' configuration is accepted in Configure, but not documented in the script. What is the use of the 'fips' configuration setting when building OpenSSL? When I run

    ./config threads shared fips no-hw zlib-dynamic no-idea no-rc2 no-rc4 no-rc5 no-camellia no-bf
    make depend
    make
    make test

I get the following errors during the 'make test' phase:

    Doing certs testing...
    cc -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o bntest.o bntest.c
    (cd ..; make DIRS=crypto all)
    making all in crypto...
    cc -I. -I.. -I../include -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o o_fips.o o_fips.c
    o_fips.c:60:26: error: openssl/fips.h: No such file or directory
    o_fips.c:61:31: error: openssl/fips_rand.h: No such file or directory
    o_fips.c: In function ‘FIPS_mode_set’:
    o_fips.c:84: warning: passing argument 1 of ‘RAND_set_rand_method’ makes pointer from integer without a cast
    make[3]: *** [o_fips.o] Error 1
    make[2]: *** [build_crypto] Error 1
    make[1]: *** [../libcrypto.a] Error 2
    make: *** [tests] Error 2

5. What is the incore script for? If I run it without any parameters under MacOS 10.7, I get an error instead of usage:

    $ ./incore
    Modification of non-creatable array value attempted, subscript -1 at ./incore line 366.

Alex
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org