<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">The current FIPS only supports dynamic libraries.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">You should try to get the email disclaimer removed when you post to a public email list.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Emre BAYRAM <emreba@NETAS.com.tr><br>
<b>Reply-To: </b>openssl-users <openssl-users@openssl.org><br>
<b>Date: </b>Thursday, January 25, 2018 at 1:30 AM<br>
<b>To: </b>openssl-users <openssl-users@openssl.org><br>
<b>Subject: </b>[openssl-users] Building/Running fips enabled Openssl application<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Hi there,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">To add our application openssl fips capabilities we did the followings .
<o:p></o:p></p>
<p class="MsoNormal">We have openssl-1.0.2n version and openssl-fips.2.0.16 version
<o:p></o:p></p>
<p class="MsoNormal">Firtsly :<o:p></o:p></p>
<p class="MsoNormal">When we are compiling openssl and fips we run this commands :
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">./config –shared --with-fipsdir=/root/openssl_files/ssl/fips2.0 -D_GNU_SOURCE
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Make <o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Make install<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">./config fips --openssldir=/root/openssl_files/ssl --with-fipsdir=/root/openssl_files/ssl/fips2.0 -D_GNU_SOURCE<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Make <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Make install<o:p></o:p></p>
<p class="MsoNormal">Secondly (openssl Test) :<o:p></o:p></p>
<p class="MsoNormal">After that we test it with:<o:p></o:p></p>
<p class="MsoNormal"> OPENSSL_FIPS=1 ./openssl md5 <file> <o:p></o:p></p>
<p class="MsoNormal"> It didn’t work as we expected<o:p></o:p></p>
<p class="MsoNormal"> ./openssl md5 <file><o:p></o:p></p>
<p class="MsoNormal"> It worked as we expected<o:p></o:p></p>
<p class="MsoNormal">Thirdly (combine with our app):<o:p></o:p></p>
<p class="MsoNormal"> As you see above we install the opensl at this specific path “/root/openssl_files/ssl” then we copy all files to application’s resource folder then we
<o:p></o:p></p>
<p class="MsoNormal">compile our application with openssl static libraries (*.a).
<o:p></o:p></p>
<p class="MsoNormal"> Compile command :<o:p></o:p></p>
<p class="MsoNormal"> LIBS = -lpthread ./lib/libssl.a ./lib/libcrypto.a -ldl ./lib/libsrtp.a ./ice/libre.a<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">INCLUDES = -I./$(OPENSSL_SRC_DIR_NAME)/include \<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> -I./$(OPENSSL_SRC_DIR_NAME)/crypto \<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> -I./$(OPENSSL_SRC_DIR_NAME)/crypto/include \<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"> …<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">CFLAGS = -g -Wall<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">gcc $(INCLUDES) $(CFLAGS) -o <myApp.c><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Our app uses openssl as static library ( ! ) . We call this function “FIPS_mode_set(1)” in our source code to enable fips mode and then we run our app, we get the following error message “139847561533096:error:2D06B06F:FIPS
routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match nonpic relocated:fips.c:232:” .
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:.5in">Are we wrong about compiling the openssl ? or compiling our app ? and is there anyway to enable fips mode without adding code line ?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;color:silver">Bu e-posta mesajı ve ekleri gönderildiği kişi ya da kuruma özeldir ve gizlidir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. Eğer mesajın gönderildiği
alıcı değilseniz bu elektronik postanın içeriğini açıklamanız, kopyalamanız, yönlendirmeniz ve kullanmanız kesinlikle yasaktır ve bu elektronik postayı ve eklerini derhal silmeniz gerekmektedir. NETAŞ TELEKOMÜNİKASYON A.Ş. bu mesajın içerdiği bilgilerin doğruluğu
veya eksiksiz olduğu konusunda herhangi bir garanti vermemektedir. Bu nedenle bu bilgilerin ne şekilde olursa olsun içeriğinden, iletilmesinden, alınmasından, saklanmasından ve kullanılmasından sorumlu değildir. Bu mesajdaki görüşler gönderen kişiye ait olup,
NETAŞ TELEKOMÜNİKASYON A.Ş.’nin görüşlerini yansıtmayabilir. <br>
------------------------------------------------------- <br>
This e-mail and its attachments are private and confidential and intended for the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to
any third party is strictly prohibited. If you are not the intended recipient you are hereby notified that any dissemination, forwarding, copying or use of any of the information is strictly prohibited, and the e-mail should immediately be deleted. NETAŞ TELEKOMÜNİKASYON
A.Ş. makes no warranty as to the accuracy or completeness of any information contained in this message and hereby excludes any liability of any kind for the information contained therein or for the transmission, reception, storage or use of such information
in any way whatsoever. The opinions expressed in this message are those of the sender and may not necessarily reflect the opinions of NETAŞ TELEKOMÜNİKASYON A.Ş.
<o:p></o:p></span></p>
</div>
</div>
</body>
</html>