On Fri, Sep 14, 2012, TJ wrote:

> On 7 September 2012 23:54, Steve Marquess
> <marqu...@opensslfoundation.com> wrote:
> > On 09/07/2012 12:24 AM, TJ wrote:
> >> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
> >>
> >> ./Configure no-asm no-hw linux-generic32
> >> make -j1 -C openssl-fips
> >
> > Might as well stop right there as the resulting FIPS module isn't FIPS
> > 140-2 validated. There is no point in using the FIPS module if you can't
> > claim, and don't require, validation; it has no inherent performance or
> > security advantages over regular OpenSSL (in fact it is technically
> > *inferior* in both respects).
> >
> 
> Actually, we do require validation, which is why I was trying to use
> the FIPS module, but there are other components we need to operate
> inside the logical cryptographic boundary so a separate validation
> will be required anyway. This obviously means it doesn't really matter
> if I build the FIPS module in a non-compliant way.
> I removed it anyway and got OpenSSL v1.0.1c to build and run, but now
> the self tests (which are required for validation) don't run. Are
> these self tests available as a function call in base OpenSSL without
> the FIPS component? If so, how? If not, what should I do now: reload
> the FIPS module and try to get it to build for my platform, or what?

The self tests are only part of the FIPS module.

A native build needs to execute some of the targets on the host system to
embed signatures. If you can't do that, then you need to set the FIPS_SIG
environment variable to point to an appropriate script which will perform the
signature calculation. The "incore" script under the util directory is
normally used for that purpose, so try setting FIPS_SIG to point to it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
