[openssl-users] Static FIPS Library with Address Randomization

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Mar 21 13:02:22 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of William A Rowe Jr
> Sent: Monday, March 20, 2017 20:59
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Static FIPS Library with Address Randomization
> Note you may not modify the openssl-FIPS build files or process.
> However, building the openssl host container of the FIPS library build,
> you may pin the DLL file with link flags and dodge this relocation.

Yes. That's what /BASE:x /FIXED does, which causes the problem (address not available at runtime) which the OP was trying to work around. We're just back where we started.

The simple fact of the matter is that the FIPS requirements do not play well with the PE DLL design. Arguably the PE DLL design itself is at fault (PE relocations also inhibit sharing text pages among processes, for example), but it is what it is. In 32-bit, address space is a scarce resource, and OSes make various compromises in managing it. The real problem is that FIPS 140-2 was written primarily for hardware and doesn't accommodate software well. And, many have argued, doesn't really do anything useful anyway - which is no help whatsoever if your customer is required to have it, or insists on it anyway.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list