[openssl-dev] [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object Module

Stephen Henson via RT rt at openssl.org
Fri Aug 14 13:52:39 UTC 2015


On Tue Aug 04 03:24:21 2015, ashwini.vpatil at siemens.com wrote:
> Hello All,
>
> Following steps are done to check the FIPS feasibility.
>
> To check ASLR dependency the following link was referred.
> http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-Studio-2010-fails-self-tests-td36372.html
>
> Linker properties were changed in visual studio 2008 for the test
> application executable file.
> The following flag was disabled ( which was enabled by default in
> 2008VS)
> Linker> Advanced Properties>Disable the "Randomized Base Address property"
>
> I have followed the below steps: Integration of FIPS Compliant compiled
> OPENSSL Library with Visual Studio 2008
> ====================================================================
>
> 1. Open Visual Studio 2008
>
> 2. File => New => Project => Visual C++ => Win 32 => Win32 Console
> Application=> Next => Empty Project => Finish
>
> 3. Right Click on source file => Add => Existing Items =>
> C:\openssl-fips-2.0\fips\hmac\fips_hmactest.c
>
> 4. Right Click on Resources File => Add => Existing Items =>
> libeayfips32.lib, ssleay32.lib & libeaycompat32.lib (from
> C:\openssl-1.0.1e-fips-compliant\out32) and
> C:\openssl-1.0.1e-simple\out32\libeay32.lib (OpenSSL simple Version)
>
> 5. Right Click on fips_hmactest.c=> Properties => C++ => General =>
> Additional Include Directories : C:\usr\local\ssl\include => Finish
>
> 6. Compile the Project => Works Fine
>
> We get the below error when we run the exe:
> ERROR:2D06B06F:LIB-45,FUNC=107,REASON=111:FILE=fips.c line=232
>
> FIPSerr(FIPS_F_FIPS_CHECK_INCORE_FINGERPRINT,FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
>

Your problem is that your link procedure doesn't embed the incore fingerprint
in the target binary.

You have two options.

The easiest is to link against the FIPS capable OpenSSL shared library instead
of the static one: the signature is already in the DLL so it should just work.

The second and much harder option is to follow the appropriate link procedure
to embed a signature in the target binary. There is a perl script called
fipslink.pl in the FIPS module which does this and examples in the static
makefile ms\nt.mak. You would have to customise the VC build procedure to do
something similar and/or link using a script instead.

Closing this as it isn't a bug report, please address and follow up to
openssl-users.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
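
A simplified model of the incore fingerprint check discussed in the reply above, as an added example that is not code from the OpenSSL FIPS module or from this thread. The key, the image layout and the function names are constructed for illustration, and HMAC-SHA1 is assumed as the keyed digest; it shows why a plain link fails the startup check while a link that embeds the digest passes.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed values for this model; not the FIPS module's real key or layout.
DEMO_KEY = b"constructed-demo-key"
SIG_LEN = hashlib.sha1().digest_size  # 20-byte slot reserved for the fingerprint


@dataclass
class Image:
    """A linked binary: measured module bytes, a signature slot, app code."""
    module: bytes
    sig_slot: bytes
    app: bytes


def measure(image: Image) -> bytes:
    """Keyed digest over the module bytes as they sit in the final image."""
    return hmac.new(DEMO_KEY, image.module, hashlib.sha1).digest()


def plain_link(module: bytes, app: bytes) -> Image:
    """Ordinary link step: nothing ever fills the signature slot."""
    return Image(module, b"\x00" * SIG_LEN, app)


def fingerprint_link(module: bytes, app: bytes) -> Image:
    """Two-pass link: link once, measure the result, embed the digest."""
    image = plain_link(module, app)
    image.sig_slot = measure(image)
    return image


def startup_check(image: Image) -> bool:
    """Startup self-check: recompute the digest and compare with the slot."""
    return hmac.compare_digest(measure(image), image.sig_slot)


def demo() -> dict:
    module, app = b"\x55\x8b\xec module code", b"fips_hmactest main()"
    good = fingerprint_link(module, app)
    # Same slot contents, but module bytes altered after the digest was embedded.
    altered = Image(module.replace(b"\x8b", b"\x8c"), good.sig_slot, app)
    return {
        "plain_link": startup_check(plain_link(module, app)),
        "fingerprint_link": startup_check(good),
        "altered_after_link": startup_check(altered),
    }
```

In this model the digest depends only on the module bytes, so an image that already carries a filled slot passes regardless of how the application around it was linked.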


