Hi Bill,
    Try the following recipe:

1) Clean your system. By default, openssl installs to /usr/local/ssl, and
your existing Ubuntu install will be in /usr, so you are safe to rm -rf
/usr/local/ssl

2) get http://www.openssl.org/source/openssl-1.0.1c.tar.gz

3) get ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-"date". Get
the latest; it changes nightly.

4) extract them.

5) Get into openssl-fips-2.0-test-XXX and run

#./config     <- no other flags allowed for a fips build, except no-asm (to
turn off speedups)
#make
#make install

There's a test make target too; go looking in the makefile.

The make install will have put some headers, libraries, and support files
in /usr/local/ssl/fips-2.0.
If you look under lib in there, you will see some checksum files, an object
file, and a pre_main stub .c file. This is the code that allows a binary to
get its own checksum.

6) Now build openssl-1.0.1c against the fips headers and objects that have
just been installed in /usr/local/ssl/fips-2.0:

cd openssl-1.0.1c

#./config fips shared
#make
#make install

Again, there's a make test target; look in the makefile for it.

That will give you libssl.a, libcrypto.a, the .so's and headers in
/usr/local/ssl.
Test the openssl in /usr/local/ssl/bin by setting your LD_PRELOAD and
running:

#cd /usr/local/ssl/bin

#./openssl version   <- you should see fips in the output.

#echo "Some stupid test text" > foo.txt
#./openssl bf -salt -in foo.txt
(supply a password x2)

It should echo out the crypted text.

Repeat the test, but export OPENSSL_FIPS=1 first.

Openssl should barf, claiming that it's not allowed to use that algorithm.
This means fips mode is working correctly.



This is an easy process on x86; it's a different story if you're
cross-compiling, which you're not.

Good luck.
Simon
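The verification at the end of the recipe, written up as a script you can keep next to the build. This is an added example, not part of Simon's mail or of the OpenSSL project. It assumes the binary is /usr/local/ssl/bin/openssl and its shared libraries are in /usr/local/ssl/lib (override with OPENSSL_BIN / OPENSSL_LIBDIR; the mail only says "/usr/local/ssl"), feeds the passphrase with -pass pass:x instead of the interactive prompt, and adds one control the mail does not run: an approved cipher (aes-128-cbc) must still work with OPENSSL_FIPS=1, so a broken install is not mistaken for FIPS enforcement.

```shell
#!/bin/sh
# Added verification script for the FIPS-capable build described above; it is
# not part of the original mail. Assumptions: the tested binary is
# /usr/local/ssl/bin/openssl and its shared libraries are in /usr/local/ssl/lib
# (override with OPENSSL_BIN / OPENSSL_LIBDIR); the passphrase is passed with
# -pass pass:x so no interactive prompt is needed.
OPENSSL_BIN="${OPENSSL_BIN:-/usr/local/ssl/bin/openssl}"
OPENSSL_LIBDIR="${OPENSSL_LIBDIR:-/usr/local/ssl/lib}"

# Run the freshly built openssl with its own shared libraries first on the
# loader path, so the distro's libcrypto in /usr is not picked up by mistake.
ssl() {
    LD_LIBRARY_PATH="$OPENSSL_LIBDIR${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" \
        "$OPENSSL_BIN" "$@"
}

# Step 1 of the mail's test: "openssl version" must mention fips, otherwise the
# binary was not built with "./config fips" and the remaining checks are moot.
version_is_fips() {
    ssl version 2>/dev/null | grep -qi fips
}

# Encrypt a constructed plaintext with the given cipher command (bf, aes-128-cbc, ...)
# and return openssl's exit status. $1 is the value for OPENSSL_FIPS, or "" to
# run with the variable unset; output is discarded, only success/failure matters.
run_cipher() {
    _fips="$1"; _cipher="$2"
    _tmp=$(mktemp) || return 2
    printf 'Some stupid test text\n' > "$_tmp"
    (
        unset OPENSSL_FIPS
        if [ -n "$_fips" ]; then export OPENSSL_FIPS="$_fips"; fi
        ssl "$_cipher" -salt -pass pass:x -in "$_tmp" >/dev/null 2>&1
    )
    _rc=$?
    rm -f "$_tmp"
    return "$_rc"
}

# The check itself, mirroring the two runs in the mail plus one control:
#   OPENSSL_FIPS unset -> bf (Blowfish, not FIPS approved) must succeed
#   OPENSSL_FIPS=1     -> bf must be refused
#   OPENSSL_FIPS=1     -> aes-128-cbc (approved) must still succeed, so a broken
#                         install is not mistaken for FIPS enforcement
fips_mode_works() {
    version_is_fips || { echo "FAIL: 'openssl version' does not report fips" >&2; return 1; }
    run_cipher "" bf || { echo "FAIL: bf refused even with OPENSSL_FIPS unset" >&2; return 1; }
    if run_cipher 1 bf; then
        echo "FAIL: bf accepted with OPENSSL_FIPS=1; FIPS mode is not being enforced" >&2
        return 1
    fi
    run_cipher 1 aes-128-cbc || { echo "FAIL: aes-128-cbc refused with OPENSSL_FIPS=1" >&2; return 1; }
    echo "OK: $OPENSSL_BIN reports fips and refuses non-approved algorithms in FIPS mode"
}

# Run the check when the binary is present; sourcing this file elsewhere still
# gives you the functions.
if [ -x "$OPENSSL_BIN" ]; then
    fips_mode_works
else
    echo "note: $OPENSSL_BIN not found; point OPENSSL_BIN at your FIPS-capable openssl" >&2
fi
```

The script's exit status is the result of fips_mode_works, so it can sit at the end of the build as a gate; the aes-128-cbc control matters because a binary that fails every cipher under OPENSSL_FIPS=1 (for example one that cannot load the fips module) would otherwise pass the "bf is refused" test.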
