[openssl-dev] [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd

Rath, Santosh via RT rt at openssl.org
Fri Mar 13 20:00:30 UTC 2015 

Thank you Stephen, 

Since the product is already build on openssl.0.9.8.r, and if we upgrade it to openssl0.1.1l  then there  could be lot of change in terms of API what our product use.
And one more pain point is the product is using .so  of  libcrypto and libssl. 

But when I   build the openssl with shared mode, then it is failing and reporting below errors.

gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfips_premain.c: No such file or directory
gcc: /home/ratsa02/openssl/openssl-fips-2.0.2/fips_binary/fipsfipscanister.o: No such file or directory
make[2]: *** [fips_premain_dso] Error 1

 
Pleas shed some  advice here, because I struggling to figureout how to build those libraries.
Since my release is due in 4 dyas, I have to submit this in 4 days.

Thanks
Santosh
-----Original Message-----
From: Stephen Henson via RT [mailto:rt at openssl.org] 
Sent: Friday, March 13, 2015 3:34 AM
To: Rath, Santosh
Cc: openssl-dev at openssl.org
Subject: [openssl.org #3745] OpenSSl Bug, affected release 0.9.8zd 

On Thu Mar 12 22:16:37 2015, Santosh.Rath at ca.com wrote:
> Hi
>
> I have downloaded the openssl 0.9.8zd source.
> And I tried below steps to get it install.
>
> 1. ./config fipscanisterbuild
>
> I did not get any configuration error.
>
> 2. make
>
> I got the below linker error.
>
>
>
> make[2]: Entering directory `/home/ratsa02/openssl-0.9.8zd/test'
>
> ../fips/fipscanister.o: In function `RSA_padding_check_PKCS1_OAEP':
>
> (.text+0x140ab): undefined reference to `CRYPTO_memcmp'
>
> collect2: ld returned 1 exit status
>
> make[2]: *** [link_app.gnu] Error 1
>
> make[2]: Leaving directory `/home/ratsa02/openssl-0.9.8zd/test'
>
> make[1]: *** [fips_shatest] Error 2
>
> make[1]: Leaving directory `/home/ratsa02/openssl-0.9.8zd/test'
>
> make: *** [build_tests] Error 1
>
>
>
> Note: ( if I ran only configure without fipscanisterbuild option in 
> config, the I don't have any issues.'make' is working fine.
>
> But I need the libraries should fips compliance).
>

You don't use that build procedure if you want OpenSSL to be FIPS compliant.
You need to build the FIPS module from source first (obeying the security
policy) and link the FIPS capable OpenSSL to that. See the user guide for more details.

Note that OpenSSL 0.9.8 uses the much older 1.2 module. You should be using the
2.0 module instead and OpenSSL 1.0.1 or later.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-dev mailing list