On Mon, Jan 14, 2013 at 5:52 AM, Rahul Godbole <rahulmg1...@gmail.com> wrote:
>
> 1) I am trying to build OpenSSL for FIPS. When I link to the below
> functions from an external program linking to libcrypto.a, I get a linking
> error for them. When I grepped for the below functions in libcrypto.a and
> aes_core.o ( aes_core.c is where they are defined ), I got no results. I
> have built the whole thing with symbols. It looks like these functions are
> not being compiled with fips on. I need them to be compiled
>
> AES_set_encrypt_key()
> AES_encrypt()
> AES_set_decrypt_key()
> AES_decrypt()

When I link against the archive (most often), I specify the full path
(no -l or -L flags): /usr/local/ssl/iphoneos/lib/libcrypto.a.
The dynamic library requires some extra steps (re: fipsld), but I don't need
it. I don't believe you need it either since you are linking against the
archive.

> 2) libssl.a/libssl.so and libcrypto.so are not being built in the OpenSSL
> fips build. I need it to be built.

I don't believe this is correct. Below is from my FIPS capable iOS gear:

$ nm /usr/local/ssl/iphoneos/lib/libcrypto.a 2>/dev/null | egrep -i "(AES_set|AES_encrypt|AES_decrypt)"
000251a4 T _fips_aes_decrypt
00024cdc T _fips_aes_encrypt
00024ae0 T _fips_aes_set_decrypt_key
00024700 T _fips_aes_set_encrypt_key
0000000c T _AES_set_decrypt_key
00000044 T _AES_set_encrypt_key
         U _private_AES_set_decrypt_key
         U _private_AES_set_encrypt_key
...
00000aa4 T _AES_decrypt
000005dc T _AES_encrypt
000003e0 T _private_AES_set_decrypt_key
00000000 T _private_AES_set_encrypt_key
         U _AES_decrypt
         U _AES_encrypt
...

When you build the FIPS Capable, it simply uses the FIPS Object Module
(which provides the validated cryptography). FIPS is transparent to the
user (me and you) after you build the FIPS Object Module.

Confirm you:

$ rm -rf openssl-1.0.1c/
$ tar xzf openssl-1.0.1c.tar.gz
$ cd openssl-1.0.1c/
$ ./config fips <config options>
$ make <make options>
$ sudo make install

The config options I use are: --openssldir, -no-sslv2, -no-sslv3, -no-comp,
-no-shared, -no-dso, -no-hw, -no-engines. I don't use make options at the
moment (or only as workarounds for a broken MAKEDEPEND).

Jeff
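
Added example, not part of the original message and not OpenSSL project code: a shell function that turns the nm check from the reply into a pass/fail test, separating AES entry points that some archive member actually defines (type T) from ones that are only referenced (type U). The function name and both sample listings are constructed for illustration; the first is modelled on the Mach-O output quoted above.

```shell
#!/bin/sh
# Usage on a real build: nm /path/to/libcrypto.a 2>/dev/null | aes_symbol_report
# Prints one line per AES entry point: defined (some member exports it, type T),
# undefined (only referenced, type U) or absent. Returns 1 unless all are defined.
aes_symbol_report() {
    awk '
    BEGIN { n = split("AES_set_encrypt_key AES_encrypt AES_set_decrypt_key AES_decrypt", want, " ") }
    NF < 2 { next }                  # skip blank lines and "member.o:" headers
    {
        kind = $(NF - 1); name = $NF # "ADDR T NAME", or "U NAME" when undefined
        sub(/^_/, "", name)          # Mach-O prefixes C symbols with an underscore
        if (kind == "T") defined[name] = 1
        else if (kind == "U") referenced[name] = 1
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            s = want[i]
            if (s in defined) state = "defined"
            else if (s in referenced) { state = "undefined"; bad = 1 }
            else { state = "absent"; bad = 1 }
            print s, state
        }
        exit bad
    }'
}

# Constructed sample: a healthy archive, shaped like the listing quoted above.
GOOD_NM='000251a4 T _fips_aes_decrypt
0000000c T _AES_set_decrypt_key
00000044 T _AES_set_encrypt_key
         U _private_AES_set_encrypt_key
00000aa4 T _AES_decrypt
000005dc T _AES_encrypt
         U _AES_encrypt'

# Constructed sample: ELF-style output where two entry points are only referenced.
BAD_NM='libcrypto.a(evp_enc.o):
         U AES_encrypt
         U AES_set_encrypt_key
00000010 T AES_set_decrypt_key'

printf '%s\n' "$GOOD_NM" | aes_symbol_report
printf '%s\n' "$BAD_NM" | aes_symbol_report || echo "some AES symbols are not defined"
```

Local text symbols (lowercase t) are deliberately not counted as defined, since they cannot satisfy a reference from an external program.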