[openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi sahilgandhi87 at gmail.com
Wed Jun 29 11:09:38 UTC 2016


Hi Ken,

Sorry for the late reply. I really appreciate your suggestion, but I somehow
need to have a static library, not the dynamic one.

Thanks & Regards,
-Sahil

On Mon, Jun 27, 2016 at 2:43 PM, Ken Chow <kenchow.cn at gmail.com> wrote:

> I think you should refer to the way of building Android applications:
> https://wiki.openssl.org/index.php/Android .
>
> Try wrapping libcrypto.so into your dynamic library with the specified FIPS
> compiler; once you have successfully generated your dynamic library, there is no
> need to specify the FIPS compiler for compiling your executable program any more,
> and it worked for me, whether under Linux (gcc) or Android (NDK).
>
>
> Ken Chow
> about.me/kenchowcn
>
> 2016-06-27 16:37 GMT+08:00 Sahil Gandhi <sahilgandhi87 at gmail.com>:
>
>> Hi Steve,
>>
>> Could you please elaborate in detail?
>>
>> Many Thanks,
>> Sahil
>>
>> On Mon, Jun 27, 2016 at 12:49 PM, Sahil Gandhi <sahilgandhi87 at gmail.com>
>> wrote:
>>
>>> Hi Jakob,
>>>
>>> Thanks a lot for your time and detailed explanation.
>>>
>>> Regards,
>>> Sahil
>>>
>>> On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <jb-openssl at wisemo.com>
>>> wrote:
>>>
>>>> On 24/06/2016 15:24, Sahil Gandhi wrote:
>>>>
>>>>> Hi Steve,
>>>>>
>>>>> Could you please help me out?
>>>>> I tried to re-read that part of the user guide, but with no success.
>>>>> I know how to generate the fingerprint, but once I create a new static
>>>>> library out of libcrypto.a and libssl.a,
>>>>> I do generate the fingerprint of that new library, but I don't know
>>>>> how to proceed further with that.
>>>>>
>>>>> Because if I use that new library (to create an executable) as it is, it
>>>>> throws a fingerprint mismatch error.
>>>>> My sample source file has a FIPS_mode_set(1) call only.
>>>>>
>>>> Because fipscanister.o is not compiled as 100% position independent
>>>> code (and cannot legally be done so due to the bureaucratic rules of
>>>> the FIPS validation), every new program linked to the FIPS enabled
>>>> libcrypto.a will end up with a different fingerprint for the
>>>> fipscanister.
>>>>
>>>> And if load address randomization is enabled in the operating system,
>>>> each new run of the program will end up with a different fingerprint
>>>> and thus not work.
>>>>
>>>> The situation is slightly better for the libcrypto.so DLL, because
>>>> if load address randomization is turned off and it is ensured that
>>>> libcrypto.so will load at a particular address every time, there
>>>> will only be one fingerprint for each compiled libcrypto.so DLL.
>>>>
>>>>> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <marquess at openssl.com> wrote:
>>>>>
>>>>>     On 06/24/2016 03:10 AM, Sahil Gandhi wrote:
>>>>>     > Hi Jakob,
>>>>>     >
>>>>>     > Could you please elaborate it? I am not getting it.
>>>>>     > I might be missing something, but I did not get it.
>>>>>     >
>>>>>     > Many Thanks Jakob for replying.
>>>>>     >
>>>>>     > -Sahil
>>>>>     >
>>>>>     > On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>>>>     >
>>>>>     >     On 24/06/2016 07:59, Sahil Gandhi wrote:
>>>>>     >
>>>>>     >         Hi All,
>>>>>     >
>>>>>     >         I have built Openssl-fips-2.0.10.tar on RHEL Linux (the same
>>>>>     >         happens with Solaris 10). Then I built Openssl-1.0.1p using the
>>>>>     >         respective FIPS object module (i.e. Openssl-fips-2.0.10.tar).
>>>>>     >
>>>>>     >         Once I had built Openssl-1.0.1p, libcrypto.a and libssl.a had
>>>>>     >         been created.
>>>>>     >         I need to join these 2 libraries and make them one.
>>>>>     >
>>>>>     >         I am doing it using the "ar" command as follows:
>>>>>     >
>>>>>     >         ar -x libssl.a
>>>>>     >         ar -x libcrypto.a
>>>>>     >
>>>>>     >         Then combine all .o files to make a third library:
>>>>>     >         ar -r libnew.a *.o
>>>>>     >
>>>>>     >         But when I use this libnew.a in my sample (which contains
>>>>>     >         FIPS_mode_set(1)), it compiles successfully, but when I execute the
>>>>>     >         executable it throws error: finger print does not match:fips.c:232
>>>>>     >
>>>>>     >         Please help.
>>>>>     >         I need to combine both libraries and make them one.
>>>>>     >
>>>>>     >         Any help/suggestion?
>>>>>     >
>>>>>     >
>>>>>     >     You forgot the special link step for FIPS enabled applications,
>>>>>     >     perhaps also some of the other required steps from the FIPS
>>>>>     >     module users guide.
>>>>>     >
>>>>>
>>>>>     See https://openssl.org/docs/fips/UserGuide-2.0.pdf.
>>>>>
>>>>>     The FIPS module requires special build-time voodoo to satisfy the
>>>>>     peculiar requirements of the FIPS 140-2 validation.
>>>>>
>>>>>
>>>> Enjoy
>>>>
>>>> Jakob
>>>> --
>>>> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
>>>> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
>>>> This public discussion message is non-binding and may contain errors.
>>>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>>>
>>>> --
>>>> openssl-users mailing list
>>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>>>
>>>
>>>
>>>
>>> --
>>> Sahil
>>>
>>>
>>
>>
>> --
>> Sahil Gandhi
>> Project Engineer
>> R&D CDAC, Pune
>>
>>
>>
>
>
>


-- 
Sahil Gandhi