[openssl-users] Static FIPS Library with Address Randomization

Neptune pdrotter at us.ibm.com
Fri Mar 17 15:25:36 UTC 2017

Platform: Win32
FIPS Object Module: 2.0.13
OpenSSL: 1.0.2j

We've been using FIPS-capable OpenSSL for over a year now. Some of our
components are .dlls that statically link the libraries. Using the BASE:xxxx
linker flag (but not /FIXED) has worked well with only very occasional
address clashes.
The new year has brought a new requirement: NIAP. One of the NIAP
requirements is ASLR - address space layout randomization. Since turning on
these linker flags, the FIPS POST has been failing due to the dll address being
randomized and no longer respecting the requested address in the BASE:xxxxx
linker flag. In order to get around this, I've had to add the /FIXED flag.
The address is no longer being randomized and the POST succeeds if the dll
loads...but therein lies the problem. When linking with the /FIXED flag, if
the BASE:xxxx address is not available, the dll will not load, which is an
unacceptable problem and it is happening far too frequently.
It seems as though the requirements of FIPS-capable OpenSSL and NIAP address
randomization are at odds. Is there any way to satisfy both of these
requirements on Win32 and guarantee that the dll loads?

Thanks - any ideas are greatly appreciated. Even if this is mission
impossible, at least I'll have something to report. If we need to apply for
an exception to one or more NIAP requirements so be it, but I want to
exhaust all possibilities.
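
An added example, not part of the original post: a build-time check that reads the PE header of a linked DLL and reports which of the three load-address configurations described in the message it is in (base address preferred, randomized by ASLR, or fixed). The function names, the sample base address and the header bytes are constructed for this example; the flag bits are the standard PE header fields set by the linker's /FIXED and /DYNAMICBASE options.

```python
import struct

RELOCS_STRIPPED = 0x0001   # IMAGE_FILE_RELOCS_STRIPPED (COFF Characteristics), set by /FIXED
DYNAMIC_BASE = 0x0040      # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by /DYNAMICBASE

def read_pe_fields(data):
    """Return (image_base, file_characteristics, dll_characteristics) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_chars = struct.unpack_from("<H", data, pe + 22)[0]
    opt = pe + 24                                          # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32 (Win32)
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return image_base, file_chars, dll_chars

def load_address_policy(data):
    """Classify how the loader may place this image."""
    _, file_chars, dll_chars = read_pe_fields(data)
    if file_chars & RELOCS_STRIPPED:
        return "fixed"        # loads only at ImageBase; load fails if it is taken
    if dll_chars & DYNAMIC_BASE:
        return "randomized"   # ASLR: loader picks the base, ImageBase is not honoured
    return "preferred"        # ImageBase used when free, relocated on a clash

def make_pe32_header(image_base, file_chars, dll_chars):
    """Constructed minimal PE32 DLL header, for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2000 | file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    BASE = 0x63000000  # constructed sample base address
    for name, fc, dc in [("/BASE only", 0, 0), ("/BASE + ASLR", 0, DYNAMIC_BASE),
                         ("/BASE + /FIXED", RELOCS_STRIPPED, 0)]:
        print(name, "->", load_address_policy(make_pe32_header(BASE, fc, dc)))
```

To check a real build output, pass the file's bytes, for example `load_address_policy(open(path, "rb").read())`.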

