I'm not convinced this is a problem with making a normal FIPS build,
though.  A while back, I compiled openssl-fips-1.2 following the
security policy, then compiled openssl-0.9.8j to make use of the fips
canister built from openssl-fips-1.2 (again, following the security
policy).  This was all on Solaris 10 for x86 (along with a bunch of
other systems).  The following is the code I just tested that build with
on Solaris 10 for x86:

--- Begin testfips.c ---
#include <stdio.h>
#include <openssl/fips.h>

int main(int argc, char **argv)
{
   if (FIPS_mode_set(1))
   {
      if (FIPS_selftest_rng())
         printf("FIPS_selftest_rng() OK\n");
   }
   return 0;
}
--- End testfips.c ---

I compiled it using the following command:

FIPSLD_CC=gcc fipsld -o testfips testfips.c -lcrypto -lnsl -lsocket

When I run the program, the output is:

FIPS_selftest_rng() OK

I have not tried to compile the fips canister using openssl-0.9.8j, so I
don't know if some change introduced between openssl-fips-1.2 and
openssl-0.9.8j might have introduced this error, but I can verify that
if one does follow the security policy, one gets a working version of
OpenSSL that can be successfully placed into FIPS mode, and all tests
will pass.  I should note that "make test" in the openssl-fips-1.2 tree
will FAIL on Solaris x86 (as it will on nearly every system I've
checked), but that's because the test programs don't compile.  Also, I
suspect you're not checking the return value of FIPS_mode_set(), as that
will invoke FIPS_selftest_rng(), as I recall.

I'm using gcc 4.1.1 on that system both for compiling OpenSSL and
compiling my test program.  I'm also doing 32-bit compiles, which is the
default for the gcc I have installed -- maybe that's a difference?

The fastest way to get something that works for "FIPS" is to just follow
the instructions in the user's guide (which is based on the security
policy).  Those instructions have worked for me every time on several
different UNIX platforms.

> -----Original Message-----
> From: owner-openssl-...@openssl.org 
> [mailto:owner-openssl-...@openssl.org] On Behalf Of RussMitch
> Sent: Thursday, February 12, 2009 1:25 PM
> To: openssl-dev@openssl.org
> Subject: FIPS_selftest_rng fails on Solaris10 x86
> 
> 
> Hello,
> 
> I've built openssl-0.9.8j on Solaris10 Update 5 as follows:
> 
> ./config fipscanisterbuild
> make clean
> make
> 
> Next, I've created a simple program that calls 
> FIPS_mode_set(1) and links to the libraries in 
> /usr/local/ssl/fips/lib.
> 
> The first two tests, FIPS_signature_witness() and
> FIPS_check_incore_fingerprint() PASS.
> 
> The third test, FIPS_selftest_rng FAILS.
> 
> I've also tried the exact same procedure on a Fedora Core5 
> linux based machine, and all of the tests PASS.
> 
> Anyone have an idea of what may be wrong?
> 
> /Russ
> --
> View this message in context: 
> http://www.nabble.com/FIPS_selftest_rng-fails-on-Solaris10-x86-tp21980325p21980325.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
