[openssl-users] openssl-1.0.1r fips anomaly

Heberlein, Kurt William kurt.w.heberlein at hpe.com
Wed Apr 13 21:54:35 UTC 2016


Hi,
  I'm trying to dig through a problem where building the FIPS capable version of OpenSSL-1.0.1r is not generating the correct code.

I have done the following:
Created the fips canister according to the instructions in the User Guide, and installed it.
Then in the openssl source, I use ./config fips no-ec2m shared --with-fipsdir=/usr/local/ssl/fips-2.0 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
I always get a libcrypto.a that fails FIPS_mode_set as not supported.
If I leave the shared parameter off, I get the desired FIPS support, but in non-PIC code. Since my need is to produce a .so of my own with the libcrypto.a statically linked into it, that doesn't work.

Digging into this a little, I see the FIPS_mode_set() definition in crypto/o_fips.c is gated by finding a definition of OPENSSL_FIPS. I do see that in the generated opensslconf.h.
I can't quite see why the shared versus non-shared would create a problem. I didn't have this trouble with the earlier version 1.0.1j of openssl, or at least I didn't see it. Was PIC code still generated at that release for non-shared?

As an aside, I did notice an anomaly in crypto/cryptlib.h near line 72:
#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/opensslconf.h>

However, in crypto.h decisions are made based on the definition of OPENSSL_FIPS, which is not defined until opensslconf.h is read at line 76, so the behavior of crypto.h seems to be not as intended.
Thoughts, flames?
Thanks, -Kurt



Kurt Heberlein
Master Technologist
3PAR R&D
HPE Storage
www.hpe.com/storage

+1 512 319 4462 (office)
+1 510 685 1141 (mobile)

kurt dot w dot heberlein at-sign hpe dot com

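As an added diagnostic (not part of Kurt's post and not OpenSSL's own tooling), the following POSIX shell script checks the things his message turns on for a 1.0.1 FIPS-capable build tree: that the generated opensslconf.h defines OPENSSL_FIPS, that a given header includes opensslconf.h before crypto.h, that libcrypto.a references the canister entry point FIPS_module_mode_set (the call made by FIPS_mode_set only when compiled under OPENSSL_FIPS), and, as an x86_64 heuristic, whether the archive's objects were built PIC. The file paths, the symbol name FIPS_module_mode_set and the relocation heuristic are assumptions; nm and readelf are the binutils tools.

```shell
#!/bin/sh
# Added example: diagnostics for a FIPS-capable OpenSSL 1.0.1 build.
# Not from the original post; paths and symbol names are assumptions.

# 0 if the header defines OPENSSL_FIPS, the macro that gates the real
# FIPS_mode_set() body in crypto/o_fips.c.
has_fips_define() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$1"
}

# 0 if opensslconf.h is included before crypto.h in the header (or crypto.h
# is not included at all); 1 if crypto.h comes first, the ordering the post
# describes for crypto/cryptlib.h.
include_order_ok() {
    conf_line=$(grep -n 'include[[:space:]]*<openssl/opensslconf.h>' "$1" | head -n1 | cut -d: -f1)
    crypto_line=$(grep -n 'include[[:space:]]*<openssl/crypto.h>' "$1" | head -n1 | cut -d: -f1)
    [ -z "$crypto_line" ] && return 0
    [ -n "$conf_line" ] && [ "$conf_line" -lt "$crypto_line" ]
}

# 0 if libcrypto.a carries an undefined reference to FIPS_module_mode_set.
# A non-FIPS build's FIPS_mode_set() never calls into the canister, so the
# reference is absent and the function can only report "not supported".
# Assumption: the canister is linked in later by fipsld, so the symbol is 'U'.
archive_references_canister() {
    nm "$1" 2>/dev/null | grep -q ' U FIPS_module_mode_set$'
}

# Heuristic PIC check for x86_64 objects or archives: absolute 32-bit
# relocations (R_X86_64_32, R_X86_64_32S) are what a non-PIC build emits and
# cannot be linked into a .so without text relocations. 0 if none are found.
looks_pic() {
    ! readelf -r "$1" 2>/dev/null | grep -Eq 'R_X86_64_32S?([[:space:]]|$)'
}

# Usage: sh fips_build_check.sh <openssl-src-dir> [libcrypto.a]
if [ "$#" -ge 1 ]; then
    src=$1
    lib=${2:-$src/libcrypto.a}
    for check in \
        "has_fips_define $src/include/openssl/opensslconf.h" \
        "include_order_ok $src/crypto/cryptlib.h" \
        "archive_references_canister $lib" \
        "looks_pic $lib"; do
        if $check; then echo "ok   $check"; else echo "FAIL $check"; fi
    done
fi
```

Run it from the top of a configured source tree after `make`; a FAIL on `has_fips_define` means the config step never enabled FIPS, a FAIL on `archive_references_canister` with the define present means o_fips.c was compiled without it, and a FAIL on `looks_pic` explains why the archive cannot go into a shared object of your own.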

