Error in building openssl-1.0.0-beta4 in AIX

2009-11-13 Thread joshi chandra

Hi all,

I tried to build the openssl-1.0.0-beta4 version of OpenSSL for AIX. I am
getting an error while building.

I have followed the following steps.

1. ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
no-idea no-rc5 no-ec no-symlinks shared threads aix-cc
Configuring for aix-cc
   no-ec   [option]   OPENSSL_NO_EC (skip dir)
   no-ecdh [forced]   OPENSSL_NO_ECDH (skip dir)
   no-ecdsa[forced]   OPENSSL_NO_ECDSA (skip dir)
   no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
   no-gost [forced]   OPENSSL_NO_GOST (skip dir)
   no-idea [option]   OPENSSL_NO_IDEA (skip dir)
   no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir)
   no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
   no-md2  [default]  OPENSSL_NO_MD2 (skip dir)
   no-rc5  [option]   OPENSSL_NO_RC5 (skip dir)
   no-rfc3779  [default]  OPENSSL_NO_RFC3779 (skip dir)
   no-store[experimental] OPENSSL_NO_STORE (skip dir)
   no-symlinks [option]
   no-zlib [default]
   no-zlib-dynamic [default]
IsMK1MF=0
CC=cc
CFLAG =-DOPENSSL_THREADS -qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H
-DSSL_ALLOW_ADH -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst
-DSHA1_ASM -DSHA256_ASM -DAES_ASM
EX_LIBS   =
CPUID_OBJ =ppccpuid.o
BN_ASM=bn-ppc.o
DES_ENC   =des_enc.o fcrypt_b.o
AES_ENC   =aes_core.o aes_cbc.o aes-ppc.o
BF_ENC=bf_enc.o
CAST_ENC  =c_enc.o
RC4_ENC   =rc4_enc.o rc4_skey.o
RC5_ENC   =rc5_enc.o
MD5_OBJ_ASM   =
SHA1_OBJ_ASM  =sha1-ppc.o sha256-ppc.o
RMD160_OBJ_ASM=
CMLL_ENC= =camellia.o cmll_misc.o cmll_cbc.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
ARFLAGS   =-X 32
PERL  =/usr/bin/perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4 uses uchar
RC4_CHUNK is undefined

Since you've disabled or enabled at least one algorithm, you need to do
the following before building:

   make depend

Configured for aix-cc.
2. make depend 
making depend in crypto...
making depend in crypto/objects...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_GMP -DOPENSSL_NO_GOST
-DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  o_names.c obj_dat.c
obj_lib.c obj_err.c obj_xref.c
making depend in crypto/md4...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_GMP -DOPENSSL_NO_GOST
-DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  md4_dgst.c md4_one.c
making depend in crypto/md5...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_GMP -DOPENSSL_NO_GOST
-DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  md5_dgst.c md5_one.c
making depend in crypto/sha...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_GMP -DOPENSSL_NO_GOST
-DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  sha_dgst.c sha1dgst.c
sha_one.c sha1_one.c sha256.c sha512.c
making depend in crypto/mdc2...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. -I../.. -I../asn1 -I../evp -I../../include
-DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH
-DOPENSSL_NO_ECDSA -DOPENSSL_NO_GMP -DOPENSSL_NO_GOST
-DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5
-DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE --  mdc2dgst.c mdc2_one.c
making depend in crypto/hmac...
   ${TOP}/util/domd ${TOP} -MD makedepend -- -DOPENSSL_THREADS
-qthreaded -DDSO_DLFCN -DHAVE_DLFCN_H -DSSL_ALLOW_ADH -q32 -O
-DB_ENDIAN -qmaxmem=16384 -qro -qroconst -DSHA1_ASM -DSHA256_ASM
-DAES_ASM -I.. 

Fips Capable Openssl 9.8 J fails for xlc_r compiler

2009-01-27 Thread joshi chandra

Hi All,

  I am facing a problem when I am trying to build the shared library of fips
capable openssl 9.8J. I am using aix-xlc_r to build openssl 9.8j and
whenever I try to run and aix-cc compiler for opensslfips 1.2 (I was able to
build the static library with the no-shared option)

sh testfipsssl 

test SSL protocol
 test ssl3 is forbidden in FIPS mode
 508008:error:2D06906E:FIPS
 routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
match:fips.c:238:
 test ssl2 is forbidden in FIPS mode
 508010:error:2D06906E:FIPS
 routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
match:fips.c:238:
 test tls1
 508012:error:2D06906E:FIPS
 routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not
match:fips.c:238:
 make: The error code from the last command is 1.

But when I was creating the static library it was working successfully.

I have applied the following patches for creating the shared library with
respect to the xlc_r compiler:

--- Makefile.shared.aix 2006-05-20 08:51:09.0 +
+++ Makefile.shared 2007-03-15 20:51:06.0 +
@@ -67,8 +67,8 @@

#--
 # The rest is private to this makefile.
 
-SET_X=:
-#SET_X=set -x
+#SET_X=:
+SET_X=set -x
 
 top:
echo Trying to use this makefile interactively?  Don't.
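Review bot: the SET_X change at the top of this hunk turns shell tracing on permanently (`SET_X=set -x` uncommented, `SET_X=:` commented out), which looks like a debugging aid rather than part of the xlc_r fix. Drop it from the patch and pass SET_X='set -x' on the make command line when a trace is needed, so the patched Makefile.shared keeps its quiet link steps.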
@@ -101,7 +101,7 @@
 LIBDEPS=$${LIBDEPS:-$(LIBDEPS)}; \
 SHAREDCMD=$${SHAREDCMD:-$(CC)}; \
 SHAREDFLAGS=$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}; \
-nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' 
lib$(LIBNAME).exp; \
+/usr/bin/nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' 
lib$(LIBNAME).exp; \
 LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L'  /dev/null
21; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
 LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
 LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
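Review bot: the added `/usr/bin/nm -Pg $$SHOBJECTS` line hard-codes the tool path, and a later hunk does the same with `/usr/bin/ar x`. If the aim is to avoid picking up a different nm or ar earlier in PATH, introduce overridable make variables for the two tools and say so in the patch description, rather than writing the absolute paths into the link recipes.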
@@ -109,7 +109,7 @@
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
   )  $(SYMLINK_SO); \
-  ( $(SET_X); rm -f lib$(LIBNAME).exp )
+  ( $(SET_X) )
 
 SYMLINK_SO=\
if [ -n $$INHIBIT_SYMLINKS ]; then :; else \
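Review bot: replacing `( $(SET_X); rm -f lib$(LIBNAME).exp )` with `( $(SET_X) )` leaves an empty subshell and stops this step from deleting the generated export list. If the file only needs to survive until the `rm -rf lib$(LIBNAME).exp` that the aix target runs after `$(LINK_SO_O)`, delete the line outright and note that; otherwise keep the cleanup so a stale .exp file cannot feed a later link.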
@@ -139,7 +139,7 @@
 
 LINK_SO_A_UNPACKED=\
   UNPACKDIR=link_tmp.; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
-  (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a)  \
+  (cd $$UNPACKDIR; /usr/bin/ar x ../lib$(LIBNAME).a)  \
   ([ -z $(LIBEXTRAS) ] || cp $(LIBEXTRAS) $$UNPACKDIR)  \
   SHOBJECTS=$$UNPACKDIR/*.o; \
   $(LINK_SO)  rm -rf $$UNPACKDIR
@@ -489,9 +489,10 @@
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
-   ALLSYMSFLAGS='-bnogc'; \
+   ALLSYMSFLAGS=; \
NOALLSYMSFLAGS=''; \
-   SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp
-bM:SRE'; \
+   SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -qmkshrobj 
-bE:lib$(LIBNAME).exp
-blibpath:$(LIBRPATH):/usr/lib:/lib'; \
+   LIBDEPS='$(LIBDEPS) -lm -lc'; \
$(LINK_SO_O); rm -rf lib$(LIBNAME).exp
 link_a.aix:
@ $(CALC_VERSIONS); \
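Review bot: in this hunk ALLSYMSFLAGS goes from `'-bnogc'` to empty and `-G ... -bM:SRE` is replaced by `-qmkshrobj` plus a fixed `-blibpath`, with nothing explaining which failure each change addresses. Without `-bnogc` the linker is free to discard code that nothing references, so the library's contents depend entirely on lib$(LIBNAME).exp being complete; please justify each flag change separately or keep `-bnogc`.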
@@ -499,12 +500,14 @@
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
-   ALLSYMSFLAGS='-bnogc'; \
+   ALLSYMSFLAGS=; \
NOALLSYMSFLAGS=''; \
-   SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp
-bM:SRE'; \
-   $(LINK_SO_A_VIA_O)
+   SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -qmkshrobj 
-bE:lib$(LIBNAME).exp
-blibpath:$(LIBRPATH):/usr/lib:/lib'; \
+   LIBDEPS='$(LIBDEPS) -lm -lc'; \
+   $(LINK_SO_A_UNPACKED)
 link_app.aix:
-   LDFLAGS=$(CFLAGS) -blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}; \
+   LDFLAGS=$(CFLAGS) -blibpath:$(LIBRPATH):/usr/lib:/lib; \
+   LIBDEPS='$(LIBDEPS) -lm -lc'; \
$(LINK_APP)
 
 link_o.reliantunix:
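Review bot: in link_app.aix the new LDFLAGS line replaces `$${LIBPATH:-/usr/lib:/lib}` with a literal `/usr/lib:/lib`, so a LIBPATH set in the build environment no longer reaches `-blibpath`. Keeping build-environment directories out of the embedded library search path is the safer default, but it is a behaviour change for anyone relying on the override and should be stated in the description; the same hunk also switches link_a.aix from `$(LINK_SO_A_VIA_O)` to `$(LINK_SO_A_UNPACKED)` without comment.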

Are there any extra patches to be applied to make it workable with the
aix-xlc_r compiler?

Please Help

Thanks
Joshi

  
-- 
View this message in context: 
http://www.nabble.com/Fips-Capable-Openssl-9.8-J-fails-for-xlc_r-compiler-tp21700703p21700703.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Make test fails for openssl fips 1.2 for 64 bit

2009-01-20 Thread joshi chandra

Hi All,

I have come across an error when I build openssl fips 1.2 for 64 bit.

./Configure fipscanisterbuild aix64-cc 

make was successful 

make test results in the following error

$ sh testss

make a certificate request using 'req'
rsa
Generating a 1024 bit RSA private key
..++
++
writing new private key to 'keyCA.ss'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:AU
Organization Name (eg, company) []:Dodgy Brothers
Common Name (eg, YOUR name) []:Dodgy CA

convert the certificate request into a self signed certificate using 'x509'
Signature ok
subject=/C=AU/O=Dodgy Brothers/CN=Dodgy CA
Getting Private key

convert a certificate into a certificate request using 'x509'
Getting request Private Key
Generating certificate request
testss[58]: 1110178 Memory fault(coredump)
error using 'x509' convert a certificate to a certificate request


Thanks in Advance 

Thanks
Joshi
-- 
View this message in context: 
http://www.nabble.com/Make-test-fails-for-openssl-fips-1.2-for-64-bit-tp21562002p21562002.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



validating certificate chain

2009-01-16 Thread joshi chandra

Hi All,

I have a chain of certificates in a single file (a bundle of certificates in a
single file). How can I verify the validity of the certificate chain?

Is there any openssl utility (openssl -verify) which I can use to validate
it, or is there any other way to do the same thing?

Thanks In Advance

Joshi 
-- 
View this message in context: 
http://www.nabble.com/validating-certificate-chain-tp21500131p21500131.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



How to use ssl V3 version for openssl 9.8h

2008-12-14 Thread joshi chandra

Hi All,

I have a requirement to use only the SSL v3 version of openssl 9.8h. I
believe both ssl V2 and ssl V3 are used now. So what changes do I have to
make to implement this requirement? I believe I only have to change some
configuration file.

Please Help.

Thanks in Advance

Joshi Chandran
-- 
View this message in context: 
http://www.nabble.com/How-to-use-ssl-V3-version-for-openssl-9.8h-tp21009292p21009292.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



What would cause a seg fault?

2008-10-22 Thread joshi chandra

Hi All,

I have recompiled the shared object file SSLeay.so to link to the version of
libssl.a provided by openssl.base. Previously, this shared object linked to
the libssl.a (openssl 9.8h) provided by the RPM on the Linux Toolbox for AIX.
Now that the shared object is linked against the newer library, it seg faults
in a call to the function SSL_CTX_ctrl().


Code Dump 

Segmentation fault in SSL_CTX_ctrl at 0xd1f6bb80 ($t1)
0xd1f6bb80 (SSL_CTX_ctrl+0xfc) 900300a4 stw   r0,0xa4(r3)
(dbx) where
SSL_CTX_ctrl() at 0xd1f6bb80
XS_Crypt__SSLeay__CTX_new() at 0xd1f64318
Perl_pp_entersub() at 0xd31100d8
Perl_runops_standard() at 0xd3163ad4
S_call_body() at 0xd3075950
Perl_call_sv() at 0xd3079dac
S_call_list_body() at 0xd30758bc
Perl_call_list() at 0xd307c4f0
Perl_newATTRSUB() at 0xd30d3318
Perl_utilize() at 0xd30d3af8
Perl_yyparse() at 0xd310a494
S_parse_body() at 0xd30765e0
perl_parse() at 0xd307ccc0
main() at 0x1460

Here is the full ld command, 
ld  -bhalt:4 -bM:SRE
-bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp
-bnoentry -lpthreads -lc_r SSLeay.o  -o
blib/arch/auto/Crypt/SSLeay/SSLeay.so   -L/usr/lib -lssl -lcrypto

Also, here is the output of 'dump -Tv SSLeay.so' for the symbol in the stack
trace:
***Loader Symbol Table Information***
[Index]  Value  Scn IMEX Sclass   Type   IMPid Name
[71]0xundef  IMP DS EXTref libssl.a(libssl.so.0.9.8)
SSL_CTX_ctrl

Is this because I have to specify the header file also when I am doing the
linking?

Can you please help me?

Thanks

Joshi Chandran


-- 
View this message in context: 
http://www.nabble.com/What-would-cause-a-seg-fault--tp20108404p20108404.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



OpenSSL 'zlib' Compression Memory Leak Remote Denial of Service Vulnerability in openssl 0.9.8h

2008-10-14 Thread joshi chandra

Hi All,

I am using openssl 9.8h and I have found the Compression Memory Leak Remote
Denial of Service Vulnerability in it. The vulnerability info can be found
at the following link: http://www.securityfocus.com/bid/31692/info.

Are there any patches I can apply to openssl 0.9.8h?

Please help.

Thanks
Joshi



-- 
View this message in context: 
http://www.nabble.com/OpenSSL-%27zlib%27-Compression-Memory-Leak-Remote-Denial-of-Service-Vulnerability-in-openssl-0.9.8h-tp19967839p19967839.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Openssl Fips Shared Library

2008-09-18 Thread joshi chandra

Hi 

I was trying to build the shared library of fips and I am facing some problems
with that. These are the steps I have done:

1. I have created the fips object module (used openssl fips 1.1.2)

2. Used openssl 0.9.7m to create the fips capable module, and when I use the
shared option in ./configure, all the fips related functions failed (like
fips_test_suite failed); if I am not using the shared option, it succeeded.

This is the error which I am getting when using the shared option in
./Configure in openssl 0.9.7m
./fips_test_suite
FIPS-mode test application

1. Non-Approved cryptographic operation test...
a. Included algorithm (D-H)...successful
1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
2. Automatic power-up self test...FAILED!

But it works fine when shared is not used.

This means the shared library is not supported by this version.

Can you please help with what is wrong here?

Thanks in advance 

Joshi Chandran
-- 
View this message in context: 
http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19552549.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Re: Openssl Fips Shared Library

2008-09-18 Thread joshi chandra

I have followed the steps mentioned in the OpenSSL FIPS Security Policy for
openssl fips 1.1.2 and that all works fine.
But when I started working on fips capable openssl using openssl 0.9.7m and
used the shared option in ./Configure, it gives the error,
but works fine when not using the shared option.

The steps to generate the fips module (using openssl fips 1.1.2):
1. ./Configure fips aix-cc
2. make

The steps used to generate fips capable openssl:

./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl
--with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared
threads aix${1}-xlc_r 
  make depend
  make

  # Relink the 'openssl' program with correct libpath.
  cd apps
  rm openssl
  make CC='xlc_r -bnolibpath'
  cd ../..
 
  This shared option is causing the fips related functions to fail.
This is the error message:
./fips_test_suite
 FIPS-mode test application

 1. Non-Approved cryptographic operation test...
 a. Included algorithm (D-H)...successful
 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
 2. Automatic power-up self test...FAILED!

But it is okay when I omit the shared option.

Does it mean it does not support the shared library?

I have got a link which is also stating the same:
http://www.mail-archive.com/openssl-users@openssl.org/msg53664.html

I am attaching the build script I am using:
http://www.nabble.com/file/p19555718/fipsbuild.txt fipsbuild.txt 
Please help me to resolve this problem.


Thanks in Advance 
Joshi Chandran


Patrick Patterson-3 wrote:
> 
> Hi Joshi:
> 
> On September 18, 2008 11:01:28 am joshi chandra wrote:
>> Hi
>>
>> I was trying to build the shared library of fips and I am facing some
>> problems with that. These are the steps I have done:
>>
>> 1. I have created the fips object module (used openssl fips 1.1.2)
>>
>> 2. Used openssl 0.9.7m to create the fips capable module, and when I use
>> the shared option in ./configure, all the fips related functions failed
>> (like fips_test_suite failed); if I am not using the shared option, it
>> succeeded.
>>
>> This is the error which I am getting when using the shared option in
>> ./Configure in openssl 0.9.7m
>> ./fips_test_suite
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> a. Included algorithm (D-H)...successful
>> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
>> 2. Automatic power-up self test...FAILED!
>>
>> But it works fine when shared is not used.
>>
>> This means the shared library is not supported by this version.
>>
>> Can you please help with what is wrong here?
> 
> From my understanding, to get a FIPS validated module, you must follow the
> OpenSSL FIPS Security Policy letter for letter. That means that if you
> change a single option on the ./configure line, it is no longer the FIPS
> validated version that you are building. Consequently, I suggest you read
> the security policy, and see if what you are trying to do is a validated
> configuration.
> 
> Have fun.
> 
> -- 
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
 
 

-- 
View this message in context: 
http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19555718.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.



Re: Openssl Fips Shared Library

2008-09-18 Thread joshi chandra

When I used the shared option in ./Configure, I was able to compile
openssl 0.9.7m successfully,
but when I tested the fips functions in the test folder, it was
producing the error message, and when I replaced the shared option with the
no-shared option in the ./Configure command in openssl 0.9.7m,
all the fips functions in the test folder executed successfully. Is this
because of a linking problem?

The error message was:

./fips_test_suite 
 FIPS-mode test application 
 
 1. Non-Approved cryptographic operation test... 
 a. Included algorithm (D-H)...successful 
 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212: 
 2. Automatic power-up self test...FAILED! 

Can you please tell me whether the shared library is possible for openssl
0.9.7m which is using the openssl fips 1.1.2 module?

Can you please explain this statement: 'If it does consist of position
independent 
code then you can incorporate it into a shared library just like any 
other object module, subject of course to the fipsld linking to set 
the in-core hash.'

How to link fipsld to the in-core hash?

Thanks in Advance
Joshi Chandran

 

Steve Marquess wrote:
> 
> Carlo Milono wrote:
>> How curious that this topic would come up today as I had a discussion on
>> it just two days earlier.
>> The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
>>
>> The FIPS Object Module is not a static library. It may be incorporated
>> into shared library files or runtime executable application files, but
>> in any event can only be incorporated intact and in its entirety.
>>
>> This was leading me to believe that we could use this in a shared
>> library mode; perhaps we need to understand the boundaries of what may
>> be included in a shared library?
>>
>> How can we interpret the above quote?
> 
> The FIPS Object Module is just that, an object module (fipscanister.o).
> For v1.1.x it may or may not consist of position independent code,
> depending on the platform.  If it does consist of position independent
> code then you can incorporate it into a shared library just like any
> other object module, subject of course to the fipsld linking to set
> the in-core hash.
> 
> If it isn't position independent, then you're out of luck as the
> Security Policy rules don't allow you to modify the build-time parameters.
> 
> For v1.2 the FIPS Object Module is always generated as position
> independent code.  The corresponding FIPS capable OpenSSL
> distributions (fips option) will automatically include it in the
> libcrypto shared library.
> 
> -Steve M.
> 
> -- 
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
 
 

-- 
View this message in context: 
http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19558250.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
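
Added example (not part of the original thread and not OpenSSL code): a simplified Python model of the in-core hash check discussed in the reply quoted above, showing why position-independent text produces the same fingerprint at any load address while non-PIC text patched by the loader does not. The key, byte patterns, addresses and function names are constructed for illustration; the real check runs inside the FIPS module itself.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the fixed key compiled into the module.
HMAC_KEY = b"example-incore-key"

# Constructed "machine code": opcode bytes around one 4-byte address operand.
PROLOGUE = b"\x90\x03\x00\xa4" * 4
EPILOGUE = b"\x4e\x80\x00\x20" * 4
LINK_BASE = 0x10000000   # address the object was linked for (assumed)
DATA_OFFSET = 0x2000     # offset of the variable the code refers to (assumed)


def build_text(pic: bool) -> bytes:
    """Return the module's text section as it exists at build time."""
    # PIC stores a base-relative offset; non-PIC stores an absolute address.
    operand = DATA_OFFSET if pic else LINK_BASE + DATA_OFFSET
    return PROLOGUE + struct.pack(">I", operand) + EPILOGUE


def load(text: bytes, pic: bool, load_base: int) -> bytes:
    """Return the bytes that sit in memory once the loader has mapped them."""
    if pic:
        return text  # nothing inside the text section needs patching
    # Non-PIC: the loader rewrites the absolute address for the new base.
    off = len(PROLOGUE)
    (addr,) = struct.unpack_from(">I", text, off)
    fixed = (addr - LINK_BASE + load_base) & 0xFFFFFFFF
    return text[:off] + struct.pack(">I", fixed) + text[off + 4:]


def fingerprint(image: bytes) -> bytes:
    """HMAC-SHA1 over the module image, the shape of an in-core hash."""
    return hmac.new(HMAC_KEY, image, hashlib.sha1).digest()


def self_test(pic: bool, load_base: int) -> bool:
    """Embed the fingerprint at link time, then compare it at start-up."""
    text = build_text(pic)
    embedded = fingerprint(text)                        # stored by the link step
    in_core = fingerprint(load(text, pic, load_base))   # recomputed at run time
    return hmac.compare_digest(embedded, in_core)


if __name__ == "__main__":
    for pic in (True, False):
        for base in (LINK_BASE, 0xD1F60000):
            verdict = "match" if self_test(pic, base) else "fingerprint does not match"
            print(f"pic={pic!s:5} load_base={base:#010x}: {verdict}")
```
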
