I'm not convinced this is a problem with making a normal FIPS build, though. A while back, I compiled openssl-fips-1.2 following the security policy, then compiled openssl-0.9.8j to make use of the fips canister built from openssl-fips-1.2 (again, following the security policy). This was all on Solaris 10 for x86 (along with a bunch of other systems). The following is the code I just tested that build with on Solaris 10 for x86:
--- Begin testfips.c ---
#include <stdio.h>
#include <openssl/fips.h>

int main(int argc, char **argv)
{
    /* Enter FIPS mode; a nonzero return means success */
    if (FIPS_mode_set(1)) {
        /* Run the RNG self-test explicitly and report a pass */
        if (FIPS_selftest_rng())
            printf("FIPS_selftest_rng() OK\n");
    }
    return 0;
}
--- End testfips.c ---

I compiled it using the following command:

FIPSLD_CC=gcc fipsld -o testfips testfips.c -lcrypto -lnsl -lsocket

When I run the program, the output is:

FIPS_selftest_rng() OK

I have not tried to compile the fips canister using openssl-0.9.8j, so I don't know if some change introduced between openssl-fips-1.2 and openssl-0.9.8j might have introduced this error, but I can verify that if one does follow the security policy, one gets a working version of OpenSSL that can be successfully placed into FIPS mode, and all tests will pass.

I should note that "make test" in the openssl-fips-1.2 tree will FAIL on Solaris x86 (as it will on nearly every system I've checked), but that's because the test programs don't compile.

Also, I suspect you're not checking the return value of FIPS_mode_set(), as that will invoke FIPS_selftest_rng(), as I recall.

I'm using gcc 4.1.1 on that system both for compiling OpenSSL and compiling my test program. I'm also doing 32-bit compiles, which is the default for the gcc I have installed -- maybe that's a difference?

The fastest way to get something that works for "FIPS" is to just follow the instructions in the user's guide (which is based on the security policy). Those instructions have worked for me every time on several different UNIX platforms.

> -----Original Message-----
> From: owner-openssl-...@openssl.org
> [mailto:owner-openssl-...@openssl.org] On Behalf Of RussMitch
> Sent: Thursday, February 12, 2009 1:25 PM
> To: openssl-dev@openssl.org
> Subject: FIPS_selftest_rng fails on Solaris10 x86
>
>
> Hello,
>
> I've built openssl-0.9.8j on Solaris10 Update 5 as follows:
>
> ./config fipscanisterbuild
> make clean
> make
>
> Next, I've created a simple program that calls
> FIPS_mode_set(1) and links to the libraries in
> /usr/local/ssl/fips/lib.
>
> The first two tests, FIPS_signature_witness() and
> FIPS_check_incore_fingerprint() PASS.
>
> The third test, FIPS_selftest_rng FAILS.
>
> I've also tried the exact same procedure on a Fedora Core5
> linux based machine, and all of the tests PASS.
>
> Anyone have an idea of what may be wrong?
>
> /Russ
> --
> View this message in context:
> http://www.nabble.com/FIPS_selftest_rng-fails-on-Solaris10-x86
> -tp21980325p21980325.html
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org