On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole <rahulmg1...@gmail.com> wrote:
>
> 1)  I am trying to build OpenSSL for FIPS. When I link to the below
> functions from an external program linking to libcrypto.a, I get a linking
> error for them. When I grepped for the below functions in libcrypto.a and
> aes_core.o (aes_core.c is where they are defined), I got no results. I
> have built the whole thing with symbols. It looks like these functions are
> not being compiled with fips on. I need them to be compiled
>
> AES_set_encrypt_key()
> AES_encrypt()
> AES_set_decrypt_key()
> AES_decrypt()

When I link against the archive (most often), I specify the full path
(no -l or -L flags): /usr/local/ssl/iphoneos/lib/libcrypto.a.

The dynamic library requires some extra steps (re: fipsld), but I
don't need it. I don't believe you need it either since you are
linking against the archive.

> 2) libssl.a/libssl.so and libcrypto.so are not being built in the OpenSSL
> fips build. I need it to be built.

I don't believe this is correct. Below is from my FIPS capable iOS gear:

$ nm /usr/local/ssl/iphoneos/lib/libcrypto.a 2>/dev/null | egrep -i "(AES_set|AES_encrypt|AES_decrypt)"
000251a4 T _fips_aes_decrypt
00024cdc T _fips_aes_encrypt
00024ae0 T _fips_aes_set_decrypt_key
00024700 T _fips_aes_set_encrypt_key
0000000c T _AES_set_decrypt_key
00000044 T _AES_set_encrypt_key
         U _private_AES_set_decrypt_key
         U _private_AES_set_encrypt_key
         ...
00000aa4 T _AES_decrypt
000005dc T _AES_encrypt
000003e0 T _private_AES_set_decrypt_key
00000000 T _private_AES_set_encrypt_key
         U _AES_decrypt
         U _AES_encrypt
         ...

When you build the FIPS Capable, it simply uses the FIPS Object Module
(which provides the validated cryptography). FIPS is transparent to
the user (me and you) after you build the FIPS Object Module.

Confirm you:

  $ rm  -rf  openssl-1.0.1c/
  $ tar  xzf  openssl-1.0.1c.tar.gz
  $ cd   openssl-1.0.1c/
  $ ./config fips <config options>
  $ make  <make options>
  $ sudo make install

The config options I use are: --openssldir, -no-sslv2, -no-sslv3,
-no-comp, -no-shared, -no-dso, -no-hw, -no-engines. I don't use make
options at the moment (or only as workarounds for a broken MAKEDEPEND).

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
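
Added example (not part of the original message, and not OpenSSL project code): a shell check that parses nm output like the listing in the reply and reports which of the four AES symbols from the question have no defined (T) entry, stripping the Mach-O leading underscore. The function names and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# defined_symbols: read `nm` output on stdin and print every symbol that has a
# definition in the text section (type T), without the Mach-O leading "_".
# Undefined references ("   U _name") have only two fields and are skipped,
# as are the "member.o:" header lines nm prints for archives.
defined_symbols() {
    awk 'NF == 3 && $2 == "T" { sub(/^_/, "", $3); print $3 }' | sort -u
}

# missing_symbols NM_OUTPUT SYMBOL...: print each required symbol that the
# listing never defines. Whole-line matching keeps fips_aes_encrypt from
# satisfying AES_encrypt.
missing_symbols() {
    nm_out=$1; shift
    defs=$(printf '%s\n' "$nm_out" | defined_symbols)
    for sym in "$@"; do
        printf '%s\n' "$defs" | grep -qxF "$sym" || printf '%s\n' "$sym"
    done
}

# The four functions named in the question.
REQUIRED="AES_set_encrypt_key AES_encrypt AES_set_decrypt_key AES_decrypt"

# Constructed sample: an archive that defines the public AES entry points.
SAMPLE_GOOD='00000044 T _AES_set_encrypt_key
0000000c T _AES_set_decrypt_key
         U _private_AES_set_encrypt_key
00000aa4 T _AES_decrypt
000005dc T _AES_encrypt'

# Constructed sample: only a FIPS-prefixed definition plus unresolved references.
SAMPLE_BAD='00024cdc T _fips_aes_encrypt
         U _AES_encrypt
         U _AES_decrypt'

# Against a real archive (the path is the reader's own):
#   missing_symbols "$(nm /path/to/libcrypto.a 2>/dev/null)" $REQUIRED
echo "good sample, missing: $(missing_symbols "$SAMPLE_GOOD" $REQUIRED | tr '\n' ' ')"
echo "bad sample, missing:  $(missing_symbols "$SAMPLE_BAD" $REQUIRED | tr '\n' ' ')"
```

An empty result means every required symbol is defined in the archive, so a link error then points at the link line rather than at the build.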