[openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)
Sahil Gandhi
sahilgandhi87 at gmail.com
Mon Jun 27 07:19:21 UTC 2016
Hi Jakob,
Thanks a lot for your time and detailed explanation.
Regards,
Sahil
On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> On 24/06/2016 15:24, Sahil Gandhi wrote:
>
>> Hi Steve,
>>
>> Could you please help me out?
>> I tried to re-read that part of the user guide but with no success.
>> I know how to generate the fingerprint, but once I create a new static library
>> out of libcrypto.a and libssl.a,
>> and I do generate the fingerprint of that new library, I don't know how
>> to proceed further with that.
>>
>> Because if I use that new library (to create an executable) as it is, it
>> throws a fingerprint mismatch error.
>> My sample source file has a FIPS_mode_set(1) call only.
>>
> Because fipscanister.o is not compiled as 100% position independent
> code (and cannot legally be done so due to the bureaucratic rules of
> the FIPS validation), every new program linked to the FIPS enabled
> libcrypto.a will end up with a different fingerprint for the
> fipscanister.
>
> And if load address randomization is enabled in the operating system,
> each new run of the program will end up with a different fingerprint
> and thus not work.
>
> The situation is slightly better for the libcrypto.so DLL, because
> if load address randomization is turned off and it is ensured that
> libcrypto.so will load at a particular address every time, there
> will only be one fingerprint for each compiled libcrypto.so DLL.
>
>> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <marquess at openssl.com> wrote:
>>
>> On 06/24/2016 03:10 AM, Sahil Gandhi wrote:
>> > Hi Jakob,
>> >
>> > Could you please elaborate it? I am not getting it.
>> > I might be missing something but I did not get it.
>> >
>> > Many Thanks Jakob for replying.
>> >
>> > -Sahil
>> >
>> > On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> >
>> > On 24/06/2016 07:59, Sahil Gandhi wrote:
>> >
>> > Hi All,
>> >
>> > I have built Openssl-fips-2.0.10.tar on RHEL Linux (same
>> > happens with Solaris 10). Then I built Openssl-1.0.1p using the
>> > respective fips object module (i.e. Openssl-fips-2.0.10.tar).
>> >
>> > Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have
>> > been created.
>> > I need to join these 2 libraries and make it one.
>> >
>> > I am doing it using "ar" command as follows:
>> >
>> > ar -x libssl.a
>> > ar -x libcrypto.a
>> >
>> > Then combine all .o files to make third library:
>> > ar -r libnew.a *.o
>> >
>> > But when I use this libnew.a in my sample (contains
>> > FIPS_mode_set(1)), it compiles successfully, but when I execute the
>> > executable it throws the error: finger print does not match:fips.c:232
>> >
>> > Please help.
>> > I need to combine both libraries and make it one.
>> >
>> > Any help/suggestion?
>> >
>> >
>> > You forgot the special link step for FIPS enabled applications,
>> > perhaps also some of the other required steps from the FIPS
>> > module users guide.
>> >
>>
>> See https://openssl.org/docs/fips/UserGuide-2.0.pdf.
>>
>> The FIPS module requires special build-time voodoo to satisfy the
>> peculiar requirements of the FIPS 140-2 validation.
>>
>>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
--
Sahil
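
A simplified model of the explanation quoted above, added here as an example and not part of the original thread or of OpenSSL: code that embeds absolute addresses yields a different keyed digest at every link or load address, while position-independent code does not. The key, byte layout, slot offsets and load addresses are constructed, and HMAC-SHA1 stands in for the module's integrity check.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins: neither the key nor the byte layout is the FIPS module's.
KEY = b"constructed-demo-key"
CODE = bytes(range(64))  # 64 bytes of pretend machine code
# (offset of an address slot in CODE, offset of the symbol it refers to)
ABS_SLOTS = [(8, 0x40), (24, 0x100), (40, 0x1F0)]


def link_non_pic(base):
    """Patch each slot with an absolute 64-bit address: base + symbol offset."""
    image = bytearray(CODE)
    for off, target in ABS_SLOTS:
        image[off:off + 8] = struct.pack("<Q", base + target)
    return bytes(image)


def link_pic(base):
    """Patch each slot with a displacement relative to the slot (base unused)."""
    image = bytearray(CODE)
    for off, target in ABS_SLOTS:
        image[off:off + 8] = struct.pack("<q", target - off)
    return bytes(image)


def fingerprint(image):
    """Keyed digest over the in-memory bytes, as an integrity self-test takes it."""
    return hmac.new(KEY, image, hashlib.sha1).hexdigest()


def self_test(image, embedded):
    """Compare the digest of the running image with the one stored at link time."""
    return hmac.compare_digest(fingerprint(image), embedded)


def demo():
    addr_a, addr_b = 0x400000, 0x7F3A1C000000  # two constructed addresses
    embedded = fingerprint(link_non_pic(addr_a))  # value stored at link time
    return {
        "same_address": self_test(link_non_pic(addr_a), embedded),
        "moved_non_pic": self_test(link_non_pic(addr_b), embedded),
        "moved_pic": fingerprint(link_pic(addr_a)) == fingerprint(link_pic(addr_b)),
    }


if __name__ == "__main__":
    print(demo())
```
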