Hi Jakob,

Thanks a lot for your time and detailed explanation.

Regards,
Sahil

On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote:

> On 24/06/2016 15:24, Sahil Gandhi wrote:
>
>> Hi Steve,
>>
>> Could you please help me out?
>> I tried to re-read that part of user-guide but no success.
>> I know how to generate fingerprint but once I create new static library
>> out of libcrypto.a and libssl.a.
>> And I do generate the fingerprint of that new library but don't know how
>> to proceed further with that.
>>
>> because if I use that new library (to create executable) as it is, it
>> throws fingerprint mismatch error.
>> My sample source file has FIPS_mode_set(1) call only.
>>
> Because fipscanister.o is not compiled as 100% position independent
> code (and cannot legally be done so due to the bureaucratic rules of
> the FIPS validation), every new program linked to the FIPS enabled
> libcrypto.a will end up with a different fingerprint for the
> fipscanister.
>
> And if load address randomization is enabled in the operating system,
> each new run of the program will end up with a different fingerprint
> and thus not work.
>
> The situation is slightly better for the libcrypto.so DLL, because
> if load address randomization is turned off and it is ensured that
> libcrypto.so will load at a particular address every time, there
> will only be one fingerprint for each compiled libcrypto.so DLL.
>
>> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <marquess at openssl.com> wrote:
>>
>> On 06/24/2016 03:10 AM, Sahil Gandhi wrote:
>> > Hi Jakob,
>> >
>> > Could you please elaborate it? I am not getting it.
>> > I might be missing something but I did not get it.
>> >
>> > Many Thanks Jakob for replying.
>> >
>> > -Sahil
>> >
>> > On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> >
>> > On 24/06/2016 07:59, Sahil Gandhi wrote:
>> >
>> > Hi All,
>> >
>> > I have built Openssl-fips-2.0.10.tar on *RHEL Linux* (*Same
>> > happens with Solaris 10*). Then I built Openssl-1.0.1p using
>> > respective fips object module (i.e. Openssl-fips-2.0.10.tar).
>> >
>> > Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a has
>> > been created.
>> > I need to join these 2 libraries and make it one.
>> >
>> > I am doing it using "ar" command as follows:
>> >
>> > ar -x libssl.a
>> > ar -x libcrypto.a
>> >
>> > Then combine all .o files to make third library:
>> > ar -r libnew.a *.o
>> >
>> > But when I use this libnew.a in my sample (contain
>> > FIPS_mode_set(1)), it compiles successfully but when execute the
>> > executable it throws error *finger print does not match:fips.c:232*
>> >
>> > Plz help.
>> > I need to combine both libraries and make it one.
>> >
>> > Any help/suggestion?
>> >
>> >
>> > You forgot the special link step for FIPS enabled applications,
>> > perhaps also some of the other required steps from the FIPS
>> > module users guide.
>> >
>>
>> See https://openssl.org/docs/fips/UserGuide-2.0.pdf.
>>
>> The FIPS module requires special build-time voodoo to satisfy the
>> peculiar requirements of the FIPS 140-2 validation.
>>
>>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

--
Sahil