Hi Steve, Could you please elaborate in detail? Many Thanks, Sahil On Mon, Jun 27, 2016 at 12:49 PM, Sahil Gandhi <sahilgandhi87 at gmail.com> wrote: > Hi Jakob, > > Thanks a lot for your time and detailed explanation. > > Regards, > Sahil > > On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <jb-openssl at wisemo.com> wrote: > >> On 24/06/2016 15:24, Sahil Gandhi wrote: >> >>> Hi Steve, >>> >>> Could you please help me out? >>> I tried to re-read that part of user-guide but no success. >>> I know how to generate fingerprint but once i create new static library >>> out of libcrypto.a and libssl.a. >>> And I do generate the finger print of that new library but don't know >>> how to proceed further with that. >>> >>> because if i use that new library(to create executable) as it is, it >>> throws fingerprint mismatch error. >>> My sample source file has FIPS_mode_set(1) call only. >>> >>> Because fipscannister.o is not compiled as 100% position independent >> code (and cannot legally be done so due to the bureaucratic rules of >> the FIPS validation), every new program linked to the FIPS enabled >> libcrypto.a will end up with a different fingerprint for the >> fipscannister. >> >> And if load address randomization is enabled in the operating system, >> each new run of the program will end up with a different fingerprint >> and thus not work. >> >> The situation is slightly better for the libcrypto.so DLL, because >> if load address randomization is turned off and it is ensured that >> libcrypto.so will load at a particular address every time, there >> will only be one fingerprint for each compiled libcrypto.so DLL. >> >> On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <marquess at openssl.com >>> <mailto:marquess at openssl.com>> wrote: >>> >>> On 06/24/2016 03:10 AM, Sahil Gandhi wrote: >>> > Hi Jakob, >>> > >>> > Could you please elaborate it? I am not getting it. >>> > I might missing something but I did not get it. >>> > >>> > Many Thanks Jakob for replying. >>> > >>> > -Sahil >>> > >>> > On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm >>> <jb-openssl at wisemo.com <mailto:jb-openssl at wisemo.com> >>> > <mailto:jb-openssl at wisemo.com <mailto:jb-openssl at wisemo.com>>> >>> wrote: >>> > >>> > On 24/06/2016 07:59, Sahil Gandhi wrote: >>> > >>> > Hi All, >>> > >>> > I have built Openssl-fips-2.0.10.tar on* RHEL Linux* >>> (/_*Same >>> > happens with Solaris 10*_/). Then I built Openssl-1.0.1p >>> using >>> > respective fips object module (i.e. >>> Openssl-fips-2.0.10.tar). >>> > >>> > Once I have built Openssl-1.0.1p, libcrypto.a and >>> libssl.a has >>> > been created. >>> > I need to join these 2 libraries and make it one. >>> > >>> > I am doing it using "ar" command as follows: >>> > >>> > ar -x libssl.a >>> > ar -x libcrypto.a >>> > >>> > Then combine all .o files to make third library: >>> > ar -r libnew.a *.o >>> > >>> > But when i use this libnew.a in my sample(contain >>> > FIPS_mode_set(1)), it compiles successfully but when >>> execute the >>> > executable it throws error* finger print does not >>> match:fips.c:232* >>> > >>> > Plz help. >>> > I need to combine both libaries and make it one. >>> > >>> > Any help/suggestion? >>> > >>> > >>> > You forgot the special link step for FIPS enabled applications, >>> > perhaps also some of the other required steps from the FIPS >>> > module users guide. >>> > >>> >>> See https://openssl.org/docs/fips/UserGuide-2.0.pdf. >>> >>> The FIPS module requires special build-time voodoo to satisfy the >>> peculiar requirements of the FIPS 140-2 validation. >>> >>> >> Enjoy >> >> Jakob >> -- >> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com >> Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 >> This public discussion message is non-binding and may contain errors. >> WiseMo - Remote Service Management for PCs, Phones and Embedded >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > > > > -- > Sahil > > -- Sahil Gandhi Project Engineer R&D CDAC, Pune -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160627/662dcdc3/attachment-0001.html>
