Re: FIPS Open SSL Build using VC++ on Windows
On Tue, Oct 12, 2010 at 6:26 PM, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Oct 12, 2010, Vivek Madani wrote: Are you using fipslink.pl to statically link FIPS module to your application/dll? If not, I believe you need to use it to comply to OpenSSL FIPS security policy. You don't need to use fipslink.pl or fipsld but if you don't you have to provide equivalent functionality in your own linker script. Right. Wondering if anyone has tried this with VS 2008. Is this documented anywhere else except for UserGuide? I have an application working fine with dynamically linked libeay32.dll and might want to try out static linking. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Openssl certificate date issue
Hi all, I am trying to generate certificate which is valid for 20years. As the 20years crosses unix end time(January 19, 2038 03:14:07 GMT) from the current date, openssl certificate generated will have wrong dates(Not before and not after times) in certificate as follows: *Validity Not Before: Oct 13 06:43:05 2010 GMT Not After : Jan 23 00:14:49 1902 GMT* Is there any way to generate certificate which is valid for 20yrs from current date so that it will have correct validity times even if 20years crosses unix end time? Please guide me. Regards, Vinay
Re: FIPS Open SSL Build using VC++ on Windows
Thanks Steve Thanks everyone for reply Thanks for the reply and information. Now i have build FIPS 1.2 module, trying to build static build on version OpenSSL - 0.9.8o While building using *nmake -f ms\nt.mak* i see an link error - interestingly i didnt see this error with FIPS Module (1.2) Build .\crypto\comp\c_zlib.c(25) : fatal error C1083: Cannot open include file: 'zlib. h': No such file or directory NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 8\VC\BIN\c l.EXE' : return code '0x2' Stop. can you please let me know what i am missing here ... Thanks, Rajesh. - On Tue, Oct 12, 2010 at 6:21 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Oct 12, 2010, rajesh kumar wrote: Hi All, i am very new to OpenSSL build ... I have build the static build of FIPS Capable OpenSSL as mentioned in user guide 1.2. I have used following commands on VS2005 Command Prompt... *Build FIPS Module : ms\do_fips no-asm* * * *Set Confiugration : perl Configure VC-WIN32 --with-fipslibdir=..\openssl-0.9.8l\out32dll* * That looks like you aren't linking to the validated module: you *must* use the 1.2 sources to build the module and link against that or the result is not FIPS 140-2 compliant. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS Open SSL Build using VC++ on Windows
Steve, I have made changes in nt.mak file to not pass -DZLIB option in cFlags and now i am able to compile and build static build of OpenSSL. Now i face the same issue as mentioned earlier -- error LNK2019: unresolved external symbol _FIPS_mode_set referenced in function In detail this is what i have done... - I have following Folder structure; Source is downloaded from OpenSSL.org OpenSSL Version 0.9.8.o - C:\OPENSSL_BUILD\openssl-0.9.8o FIPS Module Version 1.2 - C:\OPENSSL_BUILD\openssl-fips-1.2 - I have done following steps to build OpenSSL as mentioned in User Guide From VS 2005 Command Window - cd C:\OPENSSL_BUILD\openssl-fips-1.2 - ms\do_fips no-asm - this is to build FIPS Module - cd C:\OPENSSL_BUILD\openssl-0.9.8o - perl Configure VC-WIN32 --with-fipslibdir=C:\OPENSSL_BUILD\openssl-fips-1.2\out32dll - nmake -f ms\nt.mak - to build static OpenSSL can some one please let me know if i am missing anything.. Thanks in Advance - Rajesh -- On Wed, Oct 13, 2010 at 12:28 PM, rajesh kumar rajeshdavul...@gmail.comwrote: Thanks Steve Thanks everyone for reply Thanks for the reply and information. Now i have build FIPS 1.2 module, trying to build static build on version OpenSSL - 0.9.8o While building using *nmake -f ms\nt.mak* i see an link error - interestingly i didnt see this error with FIPS Module (1.2) Build .\crypto\comp\c_zlib.c(25) : fatal error C1083: Cannot open include file: 'zlib. h': No such file or directory NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 8\VC\BIN\c l.EXE' : return code '0x2' Stop. can you please let me know what i am missing here ... Thanks, Rajesh. - On Tue, Oct 12, 2010 at 6:21 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Oct 12, 2010, rajesh kumar wrote: Hi All, i am very new to OpenSSL build ... I have build the static build of FIPS Capable OpenSSL as mentioned in user guide 1.2. I have used following commands on VS2005 Command Prompt... *Build FIPS Module : ms\do_fips no-asm* * * *Set Confiugration : perl Configure VC-WIN32 --with-fipslibdir=..\openssl-0.9.8l\out32dll* * That looks like you aren't linking to the validated module: you *must* use the 1.2 sources to build the module and link against that or the result is not FIPS 140-2 compliant. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Tue October 12 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a shared
library that links with the static version of the FIPS-capable
OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable that has been compiled with the static version of the FIPS
capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
So it looks like this problem is specific to Ubuntu Linux.
Do a file path_to/gcc see if it is a compiled program or a script.
Depending on the update age of your Ubuntu distribution, you may find
that it is a script now.
That might make a difference if it is.
Mike
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ cat foo.cpp
#include stdio.h
#include foo.h
#include openssl/err.h
#include openssl/evp.h
int
fips_check(void)
{
unsigned long fipscode;
unsigned long code;
if(1 == (fipscode = FIPS_mode_set(1))) {
printf(FIPS_mode_set(1) succeeded\n);
} else {
char err_msg[256+1];
int flags, line; char *report_data, *file;
code = ERR_get_error_line_data(
(const char**)file,
line,
(const char**)report_data,
flags);
ERR_error_string_n(code, err_msg, 256);
printf(SSL: %lu:%lu:%s:%d:%d:%s\n,
fipscode, code, file, line, flags, err_msg);
printf(FIPS_mode_set(1) failed\n);
}
return 0;
}
$ cat cmd.cpp
#include stdio.h
#include openssl/evp.h
int
main()
{
if (FIPS_mode_set(1) == 0) {
printf(Failed to enable FIPS mode\n);
} else {
printf(FIPS mode is enabled.\n);
}
}
$ cat foo.h
#ifdef __cplusplus
extern C {
#endif
int fips_check(void);
#ifdef __cplusplus
}
#endif
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)
all: foobar cmd
foobar: $(LIB) foobar2.cpp
$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
$(LIB): $(OBJ)
rm -f libfoo.so
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS)
-o $(LIB) $(OBJ) \
$(LIBCRYPTO) -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
$(CMD): cmd.cpp
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \
$(INCLUDES) $(LIBCRYPTO) -lstdc++
$(OBJ): foo.cpp
$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
clean:
rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
$ uname -a
Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
UTC 2010 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
$ gcc --version
gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There
is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote:
On Tue, Oct 12, 2010, Bill wrote:
Hello,
I have followed the FIPS UserGuide 1.2 to build a FIPS object
module and a
FIPS capable OpenSSL.
I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build
these.
On Ubuntu, when I try to build a shared library that links with the
FIPS-capable OpenSSL static library, I get the following link error:
$ make
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
-W1,-soname,libfoo.so.1 \
-o libfoo.so.1 foo.o ./openssl-0.9.8o-fips/lib/libcrypto.a
cc1: error: unrecognized command line option -W1,-soname,libfoo.so.
1
make: *** [libfoo.so.1] Error 1
That should be -Wl (letter l) and not -W1 (figure 1) shouldn't it?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
消luisneves
how are you ? Just received my iphone 3gs 32gb from this website www.hgbet.com . much cheaper than others and genuine . if you would like to get one,you can check it out, all the best for 2010 Regards, E-mail: hgbet...@188.com MSN : hg...@hotmail.com ¿cómo estás? Acabo de recibir mi iphone 3g 32gb de este www.hgbet.com sitio web. mucho más barato que otros y genuino. si desea obtener una, usted puede comprobar hacia fuera, todo lo mejor para 2010 Un cordial saludo, E-mail: hgbet...@188.com MSN: hg...@hotmail.com
RE: FIPS mode - fails to read the RSA key
Again thank you Steve, Invoking OpenSSL_add_all_algorithms() made the certificate processing without any trouble. Thanks John Paul -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Friday, October 08, 2010 4:09 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote: Thank you Steve, I had problem in creating certificate and key in FIPS mode. With your suggestion now I am able to create FIPS supported certificate When I create it with a passphrase the key looks as below -BEGIN ENCRYPTED PRIVATE KEY- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA ..snip toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE -END ENCRYPTED PRIVATE KEY- Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that passphase returned by the cb is as same as the one that I used to create the certificate. Any hint if I miss something in the key generation The command I used to create this key is ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem If I create the key with out passphrase then the code hits this snippet of the code (PEM_read_bio_PrivateKey) and works fine .. .. p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); .. .. Have you included OpenSSL_add_all_algorithms() in your code? If so then see the FAQ for details of how to print out error messages. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl certificate date issue
On Wed, Oct 13, 2010, Vinay Kumar L wrote: Hi all, I am trying to generate certificate which is valid for 20years. As the 20years crosses unix end time(January 19, 2038 03:14:07 GMT) from the current date, openssl certificate generated will have wrong dates(Not before and not after times) in certificate as follows: *Validity Not Before: Oct 13 06:43:05 2010 GMT Not After : Jan 23 00:14:49 1902 GMT* Is there any way to generate certificate which is valid for 20yrs from current date so that it will have correct validity times even if 20years crosses unix end time? Please guide me. OpenSSL 0.9.8 and earlier relies on the OS supplied date routines. OpenSSL 1.0.0 and later uses its own routines: I'd suggest you try that. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Incore.gz different signature from target machine
I got the FIPS openssl integrated with my application. Unfortunately I had to stick to build environment which is on sun solaris and my target machine is a powerpc embedded system. Until now I had to create the application in solaris machine execute in the target, after getting the hmac signature recompiled the fips_premain.c with that signature. After checking Dr.Steve's post I tried using incore.gz on my application. Somehow the signatures are different I noticed that the 'file format' of the object I have is elf32-big which is not handled in the script. I assume the INCORE_ADJUST should be -8 for that type of format too. I added that code but still it returns a different signature that does not match with the generated signature from the target. Any values I should check between the script's result on the host machine vs code loaded in the target to make it match ? Thanks John Paul Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
Re: Incore.gz different signature from target machine
On Wed, Oct 13, 2010, john.mattapi...@wipro.com wrote: I got the FIPS openssl integrated with my application. Unfortunately I had to stick to build environment which is on sun solaris and my target machine is a powerpc embedded system. Until now I had to create the application in solaris machine execute in the target, after getting the hmac signature recompiled the fips_premain.c with that signature. After checking Dr.Steve's post I tried using incore.gz on my application. Somehow the signatures are different I noticed that the 'file format' of the object I have is elf32-big which is not handled in the script. I assume the INCORE_ADJUST should be -8 for that type of format too. I added that code but still it returns a different signature that does not match with the generated signature from the target. Any values I should check between the script's result on the host machine vs code loaded in the target to make it match ? There are several ways to do this. One is to not embed a signature and call the executable on the target: it should then output the expected signature. You can then tweak the offset so the two match. Alternatively check out the code in FIPS_incore_fingerprint(). You can write a simple program to dump the data that OpenSSL fingerprints, then modify the script to dump the same data for its external fingerprint. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS Open SSL Build using VC++ on Windows
On Wed, Oct 13, 2010, rajesh kumar wrote: Steve, I have made changes in nt.mak file to not pass -DZLIB option in cFlags and now i am able to compile and build static build of OpenSSL. Now i face the same issue as mentioned earlier -- error LNK2019: unresolved external symbol _FIPS_mode_set referenced in function In detail this is what i have done... - I have following Folder structure; Source is downloaded from OpenSSL.org OpenSSL Version 0.9.8.o - C:\OPENSSL_BUILD\openssl-0.9.8o FIPS Module Version 1.2 - C:\OPENSSL_BUILD\openssl-fips-1.2 - I have done following steps to build OpenSSL as mentioned in User Guide From VS 2005 Command Window - cd C:\OPENSSL_BUILD\openssl-fips-1.2 - ms\do_fips no-asm - this is to build FIPS Module - cd C:\OPENSSL_BUILD\openssl-0.9.8o - perl Configure VC-WIN32 --with-fipslibdir=C:\OPENSSL_BUILD\openssl-fips-1.2\out32dll - nmake -f ms\nt.mak - to build static OpenSSL can some one please let me know if i am missing anything.. The user guide says you should do: perl Configure VC-WIN32 fips --with-fipslibdir=c:\fips\path Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Tue, Oct 12, 2010, Bill wrote: Hello Steve, Good eye! That got rid of the compilation error. However, FIPS_mode_set(1) fails when it gets called from a shared library that links with the static version of the FIPS-capable OpenSSL library. Calling FIPS_mode_set(1) works fine when called directly from an executable that has been compiled with the static version of the FIPS capable OpenSSL library. The same scenario works fine on Mac OS X (Leopard and Snow Leopard). So it looks like this problem is specific to Ubuntu Linux. Is there a trick to make this work? Here are the details: $ make gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. rm -f libfoo.so FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o \ ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++ Instead of an explicit path to libcrypto.a try -L/path -lcrypto If that doesn't help uncomment out the set -x a the top of fipsld and post the debug output. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Suspicious Cert - Nokia cell phone refuses to accept the Cert
Dear Openssl-Users, i recently came across a problem with the offered ssl-cert on www.mastersnet.de It's a self signed cert and all of the nokia cell phones, i get my hands on refuse to accept this cert when trying to import it manually in the cert store. It is working without problems for example with a signed cert from cacert (where the root-CA-cert is also not in the default cert store) I'm asking for your help hereby, if some of you could please have a look at this cert and tell me, if there is something suspicous, leading to the reported problem. It might be a bug in the nokia cell phones. It's working with iPhone or windows mobile devices. Thanks in advance Stefan -- Stefan Bauer - PGP: 36D1 1570 DCAD B767 EABE F60D 6BCA 7AD4 79EB C4EC plzk.de - Linux - because it works -- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
Hello Mike,
It is not a script:
=== Ubuntu 8.04
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=Ubuntu 8.04.4 LTS
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.2'
$ cd /usr/bin
$ file gcc-4.2
gcc-4.2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
=== Ubuntu 10.04
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.4'
$ cd /usr/bin
$ file gcc-4.4
gcc-4.4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
Any ideas about how to make it work?
Thanks,
Bill
On Oct 13, 2010, at 6:01 AM, Michael S. Zick wrote:
On Tue October 12 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a shared
library that links with the static version of the FIPS-capable
OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable that has been compiled with the static version of the FIPS
capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
So it looks like this problem is specific to Ubuntu Linux.
Do a file path_to/gcc see if it is a compiled program or a script.
Depending on the update age of your Ubuntu distribution, you may find
that it is a script now.
That might make a difference if it is.
Mike
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ cat foo.cpp
#include stdio.h
#include foo.h
#include openssl/err.h
#include openssl/evp.h
int
fips_check(void)
{
unsigned long fipscode;
unsigned long code;
if(1 == (fipscode = FIPS_mode_set(1))) {
printf(FIPS_mode_set(1) succeeded\n);
} else {
char err_msg[256+1];
int flags, line; char *report_data, *file;
code = ERR_get_error_line_data(
(const char**)file,
line,
(const char**)report_data,
flags);
ERR_error_string_n(code, err_msg, 256);
printf(SSL: %lu:%lu:%s:%d:%d:%s\n,
fipscode, code, file, line, flags, err_msg);
printf(FIPS_mode_set(1) failed\n);
}
return 0;
}
$ cat cmd.cpp
#include stdio.h
#include openssl/evp.h
int
main()
{
if (FIPS_mode_set(1) == 0) {
printf(Failed to enable FIPS mode\n);
} else {
printf(FIPS mode is enabled.\n);
}
}
$ cat foo.h
#ifdef __cplusplus
extern C {
#endif
int fips_check(void);
#ifdef __cplusplus
}
#endif
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)
all: foobar cmd
foobar: $(LIB) foobar2.cpp
$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
$(LIB): $(OBJ)
rm -f libfoo.so
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $
(OPTS)
-o $(LIB) $(OBJ) \
$(LIBCRYPTO) -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
$(CMD): cmd.cpp
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -
Wall \
$(INCLUDES) $(LIBCRYPTO) -lstdc++
$(OBJ): foo.cpp
$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
clean:
rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
$ uname -a
Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
UTC 2010 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
$ gcc --version
gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There
is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
On Oct 12, 2010, at 2:36 PM, Dr. Stephen Henson wrote:
On Tue, Oct 12, 2010, Bill wrote:
Hello,
I have followed the FIPS UserGuide 1.2 to build a FIPS object
module and a
FIPS capable OpenSSL.
I used openssl-fips-1.2.tar.gz and openssl-0.9.8o.tar.gz to build
these.
On Ubuntu, when I try to
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Oct 13, 2010, at 9:47 AM, Dr. Stephen Henson wrote:
On Tue, Oct 12, 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a shared
library
that links with the static version of the FIPS-capable OpenSSL
library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable
that has been compiled with the static version of the FIPS capable
OpenSSL
library.
The same scenario works fine on Mac OS X (Leopard and Snow
Leopard). So it
looks like this problem is specific to Ubuntu Linux.
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared
-Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
Instead of an explicit path to libcrypto.a try -L/path -lcrypto
If that doesn't help uncomment out the set -x a the top of fipsld
and post the
debug output.
Hi Steve,
Thank you for the suggestion but It did not help:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 \
-o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto
-lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -ldl -lstdc++
gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \
-I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/
libcrypto.a -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./foobar2
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ ls ./openssl-0.9.8o-fips/lib
engines fips_premain.c libcrypto.solibssl.so
fipscanister.o fips_premain.c.sha1 libcrypto.so.0.9.8
libssl.so.0.9.8
fipscanister.o.sha1 libcrypto.a libssl.apkgconfig
$ cat foobar.cpp
#include stdio.h
#include dlfcn.h
typedef int (*func_t)(void);
int
main()
{
void *handle = NULL;
func_t func = NULL;
handle = dlopen(./libfoo.so.1, RTLD_LAZY);
if (handle == NULL) {
printf(dlopen: %s\n, dlerror());
return -1;
}
func = (func_t)dlsym(handle, fips_check);
if (func == NULL) {
printf(dlsym: %s\n, dlerror());
return -1;
}
(*(func))();
dlclose(handle);
}
$ cat foobar2.cpp
#include stdio.h
#include foo.h
int
main()
{
fips_check();
}
$ cat cmd.cpp
#include stdio.h
#include openssl/evp.h
int
main()
{
if (FIPS_mode_set(1) == 0) {
printf(Failed to enable FIPS mode\n);
} else {
printf(FIPS mode is enabled.\n);
}
}
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)
all: foobar foobar2 cmd
foobar: $(LIB) foobar.cpp
$(CC) -o $@ $...@.cpp -Wall -ldl -lstdc++
foobar2: $(LIB) foobar2.cpp
$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
$(LIB): $(OBJ)
rm -f libfoo.so
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $(OPTS) \
-o $(LIB) $(OBJ) -L$(OPENSSLDIR)/lib -lcrypto -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
$(CMD): cmd.cpp
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \
$(INCLUDES) $(LIBCRYPTO) -lstdc++
$(OBJ): foo.cpp
$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
clean:
rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar foobar2
=== Here is the debug output of fipsld:
$ make clean
rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 \
-o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto
-lstdc++
+ CC=gcc
+ [ -n gcc ]
+ [ x-shared != x -a x-shared != x-c -a x-shared != x-E ]
+ shift
+ [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-c -
a x-Wl,-soname,libfoo.so.1 != x-E ]
+ shift
+ [ x-o != x -a x-o != x-c -a x-o != x-E ]
+ shift
+ [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-c -a xlibfoo.so.1 != x-E ]
+ shift
+ [ xfoo.o != x -a xfoo.o != x-c -a xfoo.o != x-E ]
+ shift
+ [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib !
= x-c -a x-L./openssl-0.9.8o-fips/lib != x-E ]
+ shift
+ [ x-lcrypto != x -a x-lcrypto != x-c -a x-lcrypto != x-E
Re: Openssl certificate date issue
On 12 Oct 2010, at 11:48 PM, Vinay Kumar L wrote: I am trying to generate certificate which is valid for 20years. As the 20years crosses unix end time(January 19, 2038 03:14:07 GMT) from the current date, openssl certificate generated will have wrong dates My understanding is that this is fixed in openssl 1.0.0, but not in 0.9.x. I couldn't find a pr for it, although it has come up on this mailing list a few times. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Wed, Oct 13, 2010, Bill wrote: Hi Steve, Thank you for the suggestion but It did not help: $ make gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. rm -f libfoo.so FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-soname,libfoo.so.1 \ -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so gcc -o foobar foobar.cpp -Wall -ldl -lstdc++ gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++ FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \ -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++ Install the validated module somewhere and set the environment variable FIPSLIBDIR to that directory before calling fipsld. Then use the -L option to the 0.9.8o fips capable OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Wed October 13 2010, Bill wrote:
Hello Mike,
It is not a script:
=== Ubuntu 8.04
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=Ubuntu 8.04.4 LTS
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.2'
$ cd /usr/bin
$ file gcc-4.2
gcc-4.2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
=== Ubuntu 10.04
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.4'
$ cd /usr/bin
$ file gcc-4.4
gcc-4.4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
Any ideas about how to make it work?
Not a clue.
Just that I follow other projects where the Ubuntu change did cause
problems. I don't have any links handy about what they needed to do.
Mike
Thanks,
Bill
On Oct 13, 2010, at 6:01 AM, Michael S. Zick wrote:
On Tue October 12 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a shared
library that links with the static version of the FIPS-capable
OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable that has been compiled with the static version of the FIPS
capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow Leopard).
So it looks like this problem is specific to Ubuntu Linux.
Do a file path_to/gcc see if it is a compiled program or a script.
Depending on the update age of your Ubuntu distribution, you may find
that it is a script now.
That might make a difference if it is.
Mike
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ cat foo.cpp
#include stdio.h
#include foo.h
#include openssl/err.h
#include openssl/evp.h
int
fips_check(void)
{
unsigned long fipscode;
unsigned long code;
if(1 == (fipscode = FIPS_mode_set(1))) {
printf(FIPS_mode_set(1) succeeded\n);
} else {
char err_msg[256+1];
int flags, line; char *report_data, *file;
code = ERR_get_error_line_data(
(const char**)file,
line,
(const char**)report_data,
flags);
ERR_error_string_n(code, err_msg, 256);
printf(SSL: %lu:%lu:%s:%d:%d:%s\n,
fipscode, code, file, line, flags, err_msg);
printf(FIPS_mode_set(1) failed\n);
}
return 0;
}
$ cat cmd.cpp
#include stdio.h
#include openssl/evp.h
int
main()
{
if (FIPS_mode_set(1) == 0) {
printf(Failed to enable FIPS mode\n);
} else {
printf(FIPS mode is enabled.\n);
}
}
$ cat foo.h
#ifdef __cplusplus
extern C {
#endif
int fips_check(void);
#ifdef __cplusplus
}
#endif
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)
all: foobar cmd
foobar: $(LIB) foobar2.cpp
$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
$(LIB): $(OBJ)
rm -f libfoo.so
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $
(OPTS)
-o $(LIB) $(OBJ) \
$(LIBCRYPTO) -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
$(CMD): cmd.cpp
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -
Wall \
$(INCLUDES) $(LIBCRYPTO) -lstdc++
$(OBJ): foo.cpp
$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
clean:
rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
$ uname -a
Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
UTC 2010 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
$ gcc --version
gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There
is NO
warranty; not
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Oct 13, 2010, at 11:27 AM, Dr. Stephen Henson wrote: On Wed, Oct 13, 2010, Bill wrote: Hi Steve, Thank you for the suggestion but It did not help: $ make gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. rm -f libfoo.so FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-soname,libfoo.so.1 \ -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so gcc -o foobar foobar.cpp -Wall -ldl -lstdc++ gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++ FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \ -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/ libcrypto.a -lstdc++ Install the validated module somewhere and set the environment variable FIPSLIBDIR to that directory before calling fipsld. Then use the -L option to the 0.9.8o fips capable OpenSSL. Hello Steve, I have applied your suggestion with a fresh install of the FIPS capable OpenSSL but the problem persists: $ make clean rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2 $ make gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. rm -f libfoo.so FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=gcc ./openssl-0.9.8o-fips/ bin/fipsld -shared -Wl,-soname,libfoo.so.1 \ -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so gcc -o foobar foobar.cpp -Wall -ldl -lstdc++ gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++ FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \ -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/ libcrypto.a -lstdc++ $ ./foobar SSL: 0:755404910:fips.c:238:0:error: 2D06906E:lib(45):func(105):reason(110) FIPS_mode_set(1) failed $ ./foobar2 ./foobar2: error while loading shared libraries: libfoo.so.1: cannot open shared object file: No such file or directory $ ./cmd FIPS mode is enabled. $ cat makefile CC = gcc OPENSSLDIR = ./openssl-0.9.8o-fips LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a INCLUDES = -I$(OPENSSLDIR)/include OBJ = foo.o LIB = libfoo.so.1 CMD = cmd OPTS=-Wl,-soname,$(LIB) all: foobar foobar2 cmd foobar: $(LIB) foobar.cpp $(CC) -o $@ $...@.cpp -Wall -ldl -lstdc++ foobar2: $(LIB) foobar2.cpp $(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++ $(LIB): $(OBJ) rm -f libfoo.so FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/ fipsld -shared $(FIPS_OPTS) $(OPTS) \ -o $(LIB) $(OBJ) -L$(OPENSSLDIR)/lib -lcrypto -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so $(CMD): cmd.cpp FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -Wall \ $(INCLUDES) $(LIBCRYPTO) -lstdc++ $(OBJ): foo.cpp $(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I. clean: rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar foobar2 $ ll ./openssl-0.9.8o-fips/lib total 5024 drwxr-xr-x 2 bdurant bdurant4096 2010-10-13 12:59 engines -r--r--r-- 1 bdurant bdurant 305263 2010-10-13 12:59 fipscanister.o -r--r--r-- 1 bdurant bdurant 68 2010-10-13 12:59 fipscanister.o.sha1 -r--r--r-- 1 bdurant bdurant5396 2010-10-13 12:59 fips_premain.c -r--r--r-- 1 bdurant bdurant 68 2010-10-13 12:59 fips_premain.c.sha1 -rw-r--r-- 1 bdurant bdurant 2414458 2010-10-13 12:59 libcrypto.a lrwxrwxrwx 1 bdurant bdurant 18 2010-10-13 12:59 libcrypto.so - libcrypto.so.0.9.8 -r-xr-xr-x 1 bdurant bdurant 1603396 2010-10-13 12:59 libcrypto.so.0.9.8 -rw-r--r-- 1 bdurant bdurant 454006 2010-10-13 12:59 libssl.a lrwxrwxrwx 1 bdurant bdurant 15 2010-10-13 12:59 libssl.so - libssl.so.0.9.8 -r-xr-xr-x 1 bdurant bdurant 334014 2010-10-13 12:59 libssl.so.0.9.8 drwxr-xr-x 2 bdurant bdurant4096 2010-10-13 12:59 pkgconfig --- bdur...@ixoubuntu[ubuntu 10.04 LTS(lucid)]:/home/bdurant/crita --- $ openssl-0.9.8o-fips/bin/openssl version OpenSSL 0.9.8o-fips 01 Jun 2010 $ echo $FIPSLIBDIR openssl-0.9.8o-fips/lib What else could it be? Thanks, Bill Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
Here is the result with fipsld in debug mode: $ make clean rm -rf libfoo.so.1 foo.o cmd *.so foobar foobar2 $ make gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I. rm -f libfoo.so FIPSLIBDIR=openssl-0.9.8o-fips/lib FIPSLD_CC=gcc ./openssl-0.9.8o-fips/ bin/fipsld -shared -Wl,-soname,libfoo.so.1 \ -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ + CC=gcc + [ -n gcc ] + [ x-shared != x -a x-shared != x-c -a x-shared != x-E ] + shift + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-c - a x-Wl,-soname,libfoo.so.1 != x-E ] + shift + [ x-o != x -a x-o != x-c -a x-o != x-E ] + shift + [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-c -a xlibfoo.so.1 != x-E ] + shift + [ xfoo.o != x -a xfoo.o != x-c -a xfoo.o != x-E ] + shift + [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib ! = x-c -a x-L./openssl-0.9.8o-fips/lib != x-E ] + shift + [ x-lcrypto != x -a x-lcrypto != x-c -a x-lcrypto != x-E ] + shift + [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ] + shift + [ x != x -a x != x-c -a x != x-E ] + [ 0 -ge 1 ] + [ x-shared != x -a x-shared != x-o ] + shift + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x-o ] + shift + [ x-o != x -a x-o != x-o ] + echo libfoo.so.1 + TARGET=libfoo.so.1 + basename libfoo.so.1 + [ -n libfoo.so.1 ] + [ x-shared != x -a x-shared != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x-Wl,-soname,libfoo.so.1 != x -a x-Wl,-soname,libfoo.so.1 != x- DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x-o != x -a x-o != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ xlibfoo.so.1 != x -a xlibfoo.so.1 != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ xfoo.o != x -a xfoo.o != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x-L./openssl-0.9.8o-fips/lib != x -a x-L./openssl-0.9.8o-fips/lib ! = x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x-lcrypto != x -a x-lcrypto != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x-lstdc++ != x -a x-lstdc++ != x-DDEBUG_FINGERPRINT_PREMAIN ] + shift + [ x != x -a x != x-DDEBUG_FINGERPRINT_PREMAIN ] + [ 0 -ge 1 ] + sed -e s|[^/]*$|| + echo ./openssl-0.9.8o-fips/bin/fipsld + THERE=./openssl-0.9.8o-fips/bin/.. + [ x-shared != x ] + shift + [ x-Wl,-soname,libfoo.so.1 != x ] + shift + [ x-o != x ] + shift + [ xlibfoo.so.1 != x ] + shift + [ xfoo.o != x ] + shift + [ x-L./openssl-0.9.8o-fips/lib != x ] + shift + [ x-lcrypto != x ] + shift + [ x-lstdc++ != x ] + shift + [ x != x ] + CANISTER_O= + [ -z ] + [ -n openssl-0.9.8o-fips/lib ] + CANISTER_O=openssl-0.9.8o-fips/lib/fipscanister.o + CANISTER_O_CMD=openssl-0.9.8o-fips/lib/fipscanister.o + [ -f openssl-0.9.8o-fips/lib/fipscanister.o ] + dirname openssl-0.9.8o-fips/lib/fipscanister.o + PREMAIN_C=openssl-0.9.8o-fips/lib/fips_premain.c + HMAC_KEY=etaonrishdlcupfm + TARGET=./libfoo.so.1 + basename ./libfoo.so.1 + FINGERTYPE=./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 + diff -w openssl-0.9.8o-fips/lib/fips_premain.c.sha1 - + sed s/(.*\//(/ + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 openssl-0.9.8o-fips/lib/fips_premain.c + diff -w openssl-0.9.8o-fips/lib/fipscanister.o.sha1 - + sed s/(.*\//(/ + ./openssl-0.9.8o-fips/bin/../fips/fips_standalone_sha1 openssl-0.9.8o-fips/lib/fipscanister.o + [ -f ./openssl-0.9.8o-fips/bin/../libcrypto.a ] + /bin/rm -f ./libfoo.so.1 + gcc openssl-0.9.8o-fips/lib/fipscanister.o openssl-0.9.8o-fips/lib/ fips_premain.c -shared -Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o - L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ + [ -z ] + ./openssl-0.9.8o-fips/bin/../fips/fips_premain_dso ./libfoo.so.1 + SIG=f2a427ac9a1d602b725e1d9ba0302b85979220d8 + /bin/rm -f ./libfoo.so.1 + [ -z f2a427ac9a1d602b725e1d9ba0302b85979220d8 ] + gcc openssl-0.9.8o-fips/lib/fipscanister.o - DHMAC_SHA1_SIG=f2a427ac9a1d602b725e1d9ba0302b85979220d8 openssl-0.9.8o-fips/lib/fips_premain.c -shared -Wl,-soname,libfoo.so.1 -o libfoo.so.1 foo.o -L./openssl-0.9.8o-fips/lib -lcrypto -lstdc++ ln -s ./libfoo.so.1 ./libfoo.so gcc -o foobar foobar.cpp -Wall -ldl -lstdc++ gcc -o foobar2 foobar2.cpp -Wall -I. -L. -lfoo -lstdc++ FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -o cmd cmd.cpp -Wall \ -I./openssl-0.9.8o-fips/include ./openssl-0.9.8o-fips/lib/ libcrypto.a -lstdc++ + CC=gcc + [ -n gcc ] + [ x-o != x -a x-o != x-c -a x-o != x-E ] + shift + [ xcmd != x -a xcmd != x-c -a xcmd != x-E ] + shift + [ xcmd.cpp != x -a xcmd.cpp != x-c -a xcmd.cpp != x-E ] + shift + [ x-Wall != x -a x-Wall != x-c -a x-Wall != x-E ] + shift + [ x-I./openssl-0.9.8o-fips/include != x -a x-I./openssl-0.9.8o-fips/ include != x-c -a x-I./openssl-0.9.8o-fips/include != x-E ] + shift + [ x./openssl-0.9.8o-fips/lib/libcrypto.a != x -a x./openssl-0.9.8o- fips/lib/libcrypto.a != x-c -a x./openssl-0.9.8o-fips/lib/libcrypto.a ! = x-E ] + shift + [ x-lstdc++ != x -a x-lstdc++ != x-c -a x-lstdc++ != x-E ] + shift + [ x != x -a x != x-c -a x != x-E ] + [ 0 -ge 1 ] + [ x-o != x -a x-o != x-o ] + echo cmd + TARGET=cmd + basename cmd + [ -n cmd ] + [
Building FIPS-capable OpenSSL as a universal binary on Mac OS X
Hello, Is it possible to build the latest FIPS-capable OpenSSL as a universal binary on Mac OS X similar to the following? $ sw_vers ProductName:Mac OS X ProductVersion: 10.5.8 BuildVersion: 9L30 $ file /usr/lib/libcrypto.dylib /usr/lib/libcrypto.dylib: Mach-O universal binary with 4 architectures /usr/lib/libcrypto.dylib (for architecture ppc7400): Mach-O dynamically linked shared library ppc /usr/lib/libcrypto.dylib (for architecture ppc64): Mach-O 64-bit dynamically linked shared library ppc64 /usr/lib/libcrypto.dylib (for architecture i386): Mach-O dynamically linked shared library i386 /usr/lib/libcrypto.dylib (for architecture x86_64): Mach-O 64-bit dynamically linked shared library x86_64 $ file /usr/lib/libwrap.a /usr/lib/libwrap.a: Mach-O universal binary with 4 architectures /usr/lib/libwrap.a (for architecture ppc): current ar archive random library /usr/lib/libwrap.a (for architecture ppc64): current ar archive random library /usr/lib/libwrap.a (for architecture i386): current ar archive random library /usr/lib/libwrap.a (for architecture x86_64): current ar archive random library I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. I would appreciate any clues on how to accomplish this (if it is possible). Thank you, Bill __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL Negotiation Command Failed when sending mail via TLS
I am using the OpenSSL dlls libeay32 and ssleay32 to send SMTP email using TLS. My code works fine on most machines, but on one particular computer, it fails with the error: Start SSL negotiation command failed Whenever I try to connect to the mail server. All the machines are connecting to the same mail server (Gmail) so its not a problem on the server end. The problem machine is a Windows 7 32 bit install. Can anyone shed some light on what might cause this, or how I can best debug the problem? Thanks,
Re: Cannot build shared library on Linux with FIPS capable OpenSSL
On Oct 13, 2010, at 11:30 AM, Michael S. Zick wrote:
On Wed October 13 2010, Bill wrote:
Hello Mike,
It is not a script:
=== Ubuntu 8.04
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION=Ubuntu 8.04.4 LTS
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.2'
$ cd /usr/bin
$ file gcc-4.2
gcc-4.2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
for
GNU/Linux 2.6.8, dynamically linked (uses shared libs), stripped
=== Ubuntu 10.04
$ which gcc
/usr/bin/gcc
$ file /usr/bin/gcc
/usr/bin/gcc: symbolic link to `gcc-4.4'
$ cd /usr/bin
$ file gcc-4.4
gcc-4.4: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),
dynamically linked (uses shared libs), for GNU/Linux 2.6.15, stripped
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
Any ideas about how to make it work?
Not a clue.
Just that I follow other projects where the Ubuntu change did cause
problems. I don't have any links handy about what they needed to do.
Ok. thanks for the suggestions. Let me know if you come across a
solution.
Thanks,
Bill
Mike
Thanks,
Bill
On Oct 13, 2010, at 6:01 AM, Michael S. Zick wrote:
On Tue October 12 2010, Bill wrote:
Hello Steve,
Good eye! That got rid of the compilation error.
However, FIPS_mode_set(1) fails when it gets called from a shared
library that links with the static version of the FIPS-capable
OpenSSL library.
Calling FIPS_mode_set(1) works fine when called directly from an
executable that has been compiled with the static version of the
FIPS
capable OpenSSL library.
The same scenario works fine on Mac OS X (Leopard and Snow
Leopard).
So it looks like this problem is specific to Ubuntu Linux.
Do a file path_to/gcc see if it is a compiled program or a script.
Depending on the update age of your Ubuntu distribution, you may
find
that it is a script now.
That might make a difference if it is.
Mike
Is there a trick to make this work?
Here are the details:
$ make
gcc -c foo.cpp -fPIC -Wall -I./openssl-0.9.8o-fips/include -I.
rm -f libfoo.so
FIPSLD_CC=gcc ./openssl-0.9.8o-fips/bin/fipsld -shared -Wl,-
soname,libfoo.so.1 -o libfoo.so.1 foo.o \
./openssl-0.9.8o-fips/lib/libcrypto.a -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
gcc -o foobar foobar.cpp -Wall -I. -L. -lfoo -lstdc++
$ ./foobar
SSL: 0:755404910:fips.c:238:0:error:
2D06906E:lib(45):func(105):reason(110)
FIPS_mode_set(1) failed
$ ./cmd
FIPS mode is enabled.
$ cat foo.cpp
#include stdio.h
#include foo.h
#include openssl/err.h
#include openssl/evp.h
int
fips_check(void)
{
unsigned long fipscode;
unsigned long code;
if(1 == (fipscode = FIPS_mode_set(1))) {
printf(FIPS_mode_set(1) succeeded\n);
} else {
char err_msg[256+1];
int flags, line; char *report_data, *file;
code = ERR_get_error_line_data(
(const char**)file,
line,
(const char**)report_data,
flags);
ERR_error_string_n(code, err_msg, 256);
printf(SSL: %lu:%lu:%s:%d:%d:%s\n,
fipscode, code, file, line, flags, err_msg);
printf(FIPS_mode_set(1) failed\n);
}
return 0;
}
$ cat cmd.cpp
#include stdio.h
#include openssl/evp.h
int
main()
{
if (FIPS_mode_set(1) == 0) {
printf(Failed to enable FIPS mode\n);
} else {
printf(FIPS mode is enabled.\n);
}
}
$ cat foo.h
#ifdef __cplusplus
extern C {
#endif
int fips_check(void);
#ifdef __cplusplus
}
#endif
$ cat makefile
CC = gcc
OPENSSLDIR = ./openssl-0.9.8o-fips
LIBCRYPTO = $(OPENSSLDIR)/lib/libcrypto.a
INCLUDES = -I$(OPENSSLDIR)/include
OBJ = foo.o
LIB = libfoo.so.1
CMD = cmd
OPTS=-Wl,-soname,$(LIB)
all: foobar cmd
foobar: $(LIB) foobar2.cpp
$(CC) -o $@ $...@.cpp -Wall -I. -L. -lfoo -lstdc++
$(LIB): $(OBJ)
rm -f libfoo.so
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -shared $(FIPS_OPTS) $
(OPTS)
-o $(LIB) $(OBJ) \
$(LIBCRYPTO) -lstdc++
ln -s ./libfoo.so.1 ./libfoo.so
$(CMD): cmd.cpp
FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(CMD).cpp -
Wall \
$(INCLUDES) $(LIBCRYPTO) -lstdc++
$(OBJ): foo.cpp
$(CC) -c foo.cpp -fPIC -Wall $(INCLUDES) -I.
clean:
rm -rf $(LIB) $(OBJ) $(CMD) *.so foobar
$ uname -a
Linux ixoubuntu 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19
UTC 2010 i686 GNU/Linux
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION=Ubuntu 10.04 LTS
$ gcc --version
gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There
is NO
Re: SSL Negotiation Command Failed when sending mail via TLS
Hi, The error string you are giving is not part of the OpenSSL code, so we can't help you much. You have to give us the error code returned by what ever OpenSSL function you are using. A stripped down version of your code would also help better understand your approach. Under Windows, some problems can arise because conflicting versions of the OpenSSL dlls exist on different directories belonging to the PATH. try checking if the machine where the problem exists has only the version of dlls you are targeting. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 10/13/2010 11:23 PM, Roger Eckhard wrote: I am using the OpenSSL dlls libeay32 and ssleay32 to send SMTP email using TLS. My code works fine on most machines, but on one particular computer, it fails with the error: Start SSL negotiation command failed Whenever I try to connect to the mail server. All the machines are connecting to the same mail server (Gmail) so its not a problem on the server end. The problem machine is a Windows 7 32 bit install. Can anyone shed some light on what might cause this, or how I can best debug the problem? Thanks, __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FW: TLS 1.1 / 1.0 Interoperation
I'm forwarding this to the users list so that others won't be confused
by the documentation as I was.
Paul
-Original Message-
From: owner-openssl-...@openssl.org
[mailto:owner-openssl-...@openssl.org] On Behalf Of Paul Suhler
Sent: Wednesday, October 13, 2010 11:10 AM
To: openssl-...@openssl.org
Subject: RE: TLS 1.1 / 1.0 Interoperation
Hi, Mounir.
Thanks for your help; we can now negotiate between 1.0 and 1.1. My only
comment is that -- based on our testing -- only SSLv23_{server,
client}_method allows negotiation. TLSv1_*_method will *not* accept TLS
1.1 connections. And SSL3_*_method will not accept TLS connections.
This is actually documented in
http://www.openssl.org/docs/ssl/SSL_CTX_new.html, although it doesn't
(yet) mention TLS 1.1. For the benefit of whoever works on that
documentation I'd recommend that it be changed to specify 1.0:
TLSv1_method(void), TLSv1_server_method(void), TLSv1_client_method(void)
A TLS/SSL connection established with these methods will only understand
the TLSv1.0 protocol. A client will send out TLSv1.0 client hello
messages and will indicate that it only understands TLSv1.0. A server
will only understand TLSv1.0 client hello messages. This especially
means, that it will not understand SSLv2 client hello messages which are
widely used for compatibility reasons, see SSLv23_*_method(). It will
also not understand SSLv3 client hello messages.
And if you really want consistency, change TLSv1_method to
TLSv1_0_method, etc.
Unless the intention is really that TLSv1_method will accept 1.1, but
that's a lot more work.
Cheers,
Paul
_
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office:
949.856.7748 | paul.suh...@quantum.com Preserving the World's Most
Important Data. Yours.(tm)
-Original Message-
From: owner-openssl-...@openssl.org
[mailto:owner-openssl-...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: Sunday, October 10, 2010 3:58 PM
To: openssl-...@openssl.org
Subject: Re: TLS 1.1 / 1.0 Interoperation
Hi Paul,
The use of an XXX_server_method function in a server defines the minimal
client version it supports.
SSLv23_server_method = SSLv2
SSLv3_server_method = SSLv3
TLSv1_server_method = TLS 1.0
TLSv1_1_server_method = TLS 1.1.
Thus, the error you are getting is normal: you told OpenSSL to support
only TLS 1.1 and that's why TLS 1.0 clients are rejected.
Use TLSv1_server_method if you want to support both TLS 1.0 and TLS 1.1
clients.
By the way, setting SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 is useless since
the server only supports TLS 1.0/1.1.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 10/10/2010 6:28 AM, Paul Suhler wrote:
Hi, Mounir.
In the server, I use TLSv1_1_server_method, resulting in s-version ==
0x0302 (TLS 1.1). In the client, I use TLSv1_client_method to get TLS
1.0. When the server sees s-client_version == 0x0301, shouldn't it
change s-version to 0x0301 and operate thereafter in 1.0 mode?
Thanks for the warning about the double free.
Cheers,
Paul
__
__
_
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office:
949.856.7748 | paul.suh...@quantum.com Preserving the World's Most
Important Data. Yours.(tm)
-Original Message-
From: owner-openssl-...@openssl.org
[mailto:owner-openssl-...@openssl.org] On Behalf Of Mounir IDRASSI
Sent: Saturday, October 09, 2010 6:37 PM
To: openssl-...@openssl.org
Subject: Re: TLS 1.1 / 1.0 Interoperation
Hi Paul,
I was not able to reproduce your problem using that snapshot. I set up
an SSL server using SSLv23_server_method and set the options
SSL_OP_ALL
| SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 as you did : I always have
s-version equal to 0x0301 as expected and the test you mentioned is
s-OK
since s-client_version is also equal to 0x0301.
Same test can be done using the command line :
openssl s_server -accept 443 -key server.pem -cert server.pem -no_ssl2
-no_ssl3 -bugs
Can you post a sample code that exposes the problem?
By the way, I detected a double free in the implementation of
ssl3_send_server_key_exchange in this snapshot. I'll see if it has
been already corrected, otherwise I'll send a patch for it.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 08/10/2010 18:55, Paul Suhler wrote:
Hi, everyone.
[I'm re-sending this to the developers list.]
I've found that when a server built with
openssl-1.0.1-stable-SNAP-20101004 receives a Client Hello from a
client specifying TLS 1.0 (version = 0x0301), the connection is
rejected for a bad version. This appears to be implemented in
ssl3_get_client_hello()
by:
if ((s-version == DTLS1_VERSION s-client_version
s-version) ||
(s-version != DTLS1_VERSION s-client_version
s-version))
Re: Suspicious Cert - Nokia cell phone refuses to accept the Cert
Hi Stefan, The value of the Basic Constraint extension of this website self-signed certificate is End Entity and, more importantly, it is set to Critical. So, technically speaking, this certificate can not be a CA and it can't certify itself. The Nokia implementation seems to be strict compared with others but it can't be blamed for checking the correctness of a certificate. The administrators of this website can solve this issue by creating a new certificate without the Basic Constraint extension. A more clean solution would be to a have the server's certificate issued by a root CA of their own, like in any normal PKI architecture. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 10/13/2010 7:11 PM, Stefan Bauer wrote: Dear Openssl-Users, i recently came across a problem with the offered ssl-cert on www.mastersnet.de It's a self signed cert and all of the nokia cell phones, i get my hands on refuse to accept this cert when trying to import it manually in the cert store. It is working without problems for example with a signed cert from cacert (where the root-CA-cert is also not in the default cert store) I'm asking for your help hereby, if some of you could please have a look at this cert and tell me, if there is something suspicous, leading to the reported problem. It might be a bug in the nokia cell phones. It's working with iPhone or windows mobile devices. Thanks in advance Stefan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X
On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote: On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these three components into any OpenSSL you would like to invent. Thanks. That is exactly the approach that I am currently taking (will use lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see if that works)... Bill __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X
On Oct 13, 2010, at 5:27 PM, William A. Rowe Jr. wrote: On 10/13/2010 7:22 PM, Bill Durant wrote: On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote: On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS- capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these three components into any OpenSSL you would like to invent. Thanks. That is exactly the approach that I am currently taking (will use lipo(1) to aggregate the FIPS-capable OpenSSL static libs to see if that works)... That may not be sufficient, can ldfips be modified(?), it's certainly needed to link static to the fips canister. I'd put your energies into building a dylib which would give you a smidge more flexibility. I don't know what ldfips will do. I will have to try it to see. I think creating universal binaries with dylib will be more straight forward but I would prefer static libs instead in order to guarantee that my app will use the correct libcrypto lib (I am trying not to rely on the dynamic loader to determine which to use -- my lib or the system's lib). Thanks, Bill __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
