[openssl-users] Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)
Sahil Gandhi
sahilgandhi87 at gmail.com
Mon Jun 27 08:37:27 UTC 2016
Hi Steve,
Could you please elaborate in detail?
Many Thanks,
Sahil
On Mon, Jun 27, 2016 at 12:49 PM, Sahil Gandhi <sahilgandhi87 at gmail.com>
wrote:
> Hi Jakob,
>
> Thanks a lot for your time and detailed explanation.
>
> Regards,
> Sahil
>
> On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>
>> On 24/06/2016 15:24, Sahil Gandhi wrote:
>>
>>> Hi Steve,
>>>
>>> Could you please help me out?
>>> I tried to re-read that part of user-guide but no success.
>>> I know how to generate fingerprint but once I create new static library
>>> out of libcrypto.a and libssl.a.
>>> And I do generate the fingerprint of that new library but don't know
>>> how to proceed further with that.
>>>
>>> Because if I use that new library (to create executable) as it is, it
>>> throws fingerprint mismatch error.
>>> My sample source file has FIPS_mode_set(1) call only.
>>>
>> Because fipscanister.o is not compiled as 100% position independent
>> code (and cannot legally be done so due to the bureaucratic rules of
>> the FIPS validation), every new program linked to the FIPS enabled
>> libcrypto.a will end up with a different fingerprint for the
>> fipscanister.
>>
>> And if load address randomization is enabled in the operating system,
>> each new run of the program will end up with a different fingerprint
>> and thus not work.
>>
>> The situation is slightly better for the libcrypto.so DLL, because
>> if load address randomization is turned off and it is ensured that
>> libcrypto.so will load at a particular address every time, there
>> will only be one fingerprint for each compiled libcrypto.so DLL.
>>
>>> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <marquess at openssl.com> wrote:
>>>
>>> On 06/24/2016 03:10 AM, Sahil Gandhi wrote:
>>> > Hi Jakob,
>>> >
>>> > Could you please elaborate it? I am not getting it.
>>> > I might be missing something but I did not get it.
>>> >
>>> > Many Thanks Jakob for replying.
>>> >
>>> > -Sahil
>>> >
>>> > On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>> >
>>> > On 24/06/2016 07:59, Sahil Gandhi wrote:
>>> >
>>> > Hi All,
>>> >
>>> > I have built Openssl-fips-2.0.10.tar on RHEL Linux (Same happens
>>> > with Solaris 10). Then I built Openssl-1.0.1p using
>>> > respective fips object module (i.e. Openssl-fips-2.0.10.tar).
>>> >
>>> > Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have
>>> > been created.
>>> > I need to join these 2 libraries and make it one.
>>> >
>>> > I am doing it using "ar" command as follows:
>>> >
>>> > ar -x libssl.a
>>> > ar -x libcrypto.a
>>> >
>>> > Then combine all .o files to make third library:
>>> > ar -r libnew.a *.o
>>> >
>>> > But when I use this libnew.a in my sample (contains
>>> > FIPS_mode_set(1)), it compiles successfully but when I execute the
>>> > executable it throws error finger print does not match:fips.c:232
>>> >
>>> > Please help.
>>> > I need to combine both libraries and make it one.
>>> >
>>> > Any help/suggestion?
>>> >
>>> >
>>> > You forgot the special link step for FIPS enabled applications,
>>> > perhaps also some of the other required steps from the FIPS
>>> > module users guide.
>>> >
>>>
>>> See https://openssl.org/docs/fips/UserGuide-2.0.pdf.
>>>
>>> The FIPS module requires special build-time voodoo to satisfy the
>>> peculiar requirements of the FIPS 140-2 validation.
>>>
>>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
>
> --
> Sahil
>
>
--
Sahil Gandhi
Project Engineer
R&D CDAC, Pune
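
The point Jakob makes in the quoted reply (a fingerprint taken over code that is not fully position independent only matches in the layout it was computed for) can be seen in a simplified model. This is an added example, not part of the thread and not OpenSSL code; the key, code bytes, relocation records and addresses are all constructed, and HMAC-SHA1 is used here only as the keyed digest for the model.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; not the module's real key

# Constructed "object file": code bytes plus relocation records.
# Each record is (offset, symbol_offset): when the code is placed, the 4-byte
# slot at `offset` is overwritten with base_address + symbol_offset.
CODE = bytes(range(64))
ABS_RELOCS = [(8, 0x10), (24, 0x30), (40, 0x20)]   # non-PIC: absolute addresses
PIC_RELOCS = []                                     # fully PIC: nothing to patch


def place(code, relocs, base):
    """Return the bytes as they appear in memory once placed at `base`."""
    image = bytearray(code)
    for offset, sym in relocs:
        struct.pack_into("<I", image, offset, (base + sym) & 0xFFFFFFFF)
    return bytes(image)


def fingerprint(image):
    """Keyed digest over the placed bytes."""
    return hmac.new(KEY, image, hashlib.sha1).hexdigest()


def self_test(code, relocs, embedded, runtime_base):
    """Model of the start-up check: digest the in-memory bytes and compare."""
    actual = fingerprint(place(code, relocs, runtime_base))
    return hmac.compare_digest(actual, embedded)


def demo():
    link_base = 0x08048000                      # constructed addresses
    embedded = fingerprint(place(CODE, ABS_RELOCS, link_base))
    pic_embedded = fingerprint(place(CODE, PIC_RELOCS, link_base))
    return {
        "same_layout": self_test(CODE, ABS_RELOCS, embedded, link_base),
        "other_program": self_test(CODE, ABS_RELOCS, embedded, 0x08052000),
        "randomized_load": self_test(CODE, ABS_RELOCS, embedded, 0x7F3A1000),
        "pic_any_base": self_test(CODE, PIC_RELOCS, pic_embedded, 0x7F3A1000),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} {'match' if ok else 'fingerprint mismatch'}")
```

In the model, a fingerprint generated for one archive or one program does not carry over to another link, which is why the fingerprint has to be produced for the final executable during the special link step from the User Guide.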