Re: Building/Running fips enabled Openssl application

["Salz, Rich via openssl-users" <openssl-users@xxxxxxxxxxx>]

The current FIPS only supports dynamic libraries.

 

You should try to get the email disclaimer removed when you post to a public email list.

 

 

From: Emre BAYRAM <emreba@xxxxxxxxxxxx>
Reply-To: openssl-users <openssl-users@xxxxxxxxxxx>
Date: Thursday, January 25, 2018 at 1:30 AM
To: openssl-users <openssl-users@xxxxxxxxxxx>
Subject: [openssl-users] Building/Running fips enabled Openssl application

 

Hi there,

 

To add our application openssl fips capabilities we did the followings .

We have openssl-1.0.2n version and openssl-fips.2.0.16 version

Firtsly :

When we are compiling openssl and fips we run this commands :

./config –shared --with-fipsdir=/root/openssl_files/ssl/fips2.0 -D_GNU_SOURCE

Make

Make install

 

./config fips --openssldir=/root/openssl_files/ssl --with-fipsdir=/root/openssl_files/ssl/fips2.0 -D_GNU_SOURCE

Make

Make install

Secondly (openssl Test) :

After that we test it with:

                OPENSSL_FIPS=1 ./openssl md5 <file>

                                It didn’t work as we expected

                ./openssl md5 <file>

                                It worked as we expected

Thirdly (combine with our app):

                As you see above we install the opensl at this specific path “/root/openssl_files/ssl” then we copy all files to application’s resource folder then we

compile our application with openssl static libraries (*.a).

                Compile command :

                LIBS = -lpthread ./lib/libssl.a ./lib/libcrypto.a -ldl ./lib/libsrtp.a ./ice/libre.a

INCLUDES =  -I./$(OPENSSL_SRC_DIR_NAME)/include \

            -I./$(OPENSSL_SRC_DIR_NAME)/crypto \

            -I./$(OPENSSL_SRC_DIR_NAME)/crypto/include \

                …

CFLAGS = -g -Wall

gcc $(INCLUDES) $(CFLAGS) -o <myApp.c>

 

Our app uses openssl as static library ( ! ) . We call this function “FIPS_mode_set(1)” in our source code to enable fips mode and then we run our app, we get the following error message “139847561533096:error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match nonpic relocated:fips.c:232:” .

Are we wrong about compiling the openssl ? or compiling our app ? and is there anyway to enable fips mode without adding code line ?

 

Bu e-posta mesajı ve ekleri gönderildiği kişi ya da kuruma özeldir ve gizlidir. Ayrıca hukuken de gizli olabilir. Hiçbir şekilde üçüncü kişilere açıklanamaz ve yayınlanamaz. Eğer mesajın gönderildiği alıcı değilseniz bu elektronik postanın içeriğini açıklamanız, kopyalamanız, yönlendirmeniz ve kullanmanız kesinlikle yasaktır ve bu elektronik postayı ve eklerini derhal silmeniz gerekmektedir. NETAŞ TELEKOMÜNİKASYON A.Ş. bu mesajın içerdiği bilgilerin doğruluğu veya eksiksiz olduğu konusunda herhangi bir garanti vermemektedir. Bu nedenle bu bilgilerin ne şekilde olursa olsun içeriğinden, iletilmesinden, alınmasından, saklanmasından ve kullanılmasından sorumlu değildir. Bu mesajdaki görüşler gönderen kişiye ait olup, NETAŞ TELEKOMÜNİKASYON A.Ş.’nin görüşlerini yansıtmayabilir.
-------------------------------------------------------
This e-mail and its attachments are private and confidential and intended for the exclusive use of the individual or entity to whom it is addressed. It may also be legally confidential. Any disclosure, distribution or other dissemination of this message to any third party is strictly prohibited. If you are not the intended recipient you are hereby notified that any dissemination, forwarding, copying or use of any of the information is strictly prohibited, and the e-mail should immediately be deleted. NETAŞ TELEKOMÜNİKASYON A.Ş. makes no warranty as to the accuracy or completeness of any information contained in this message and hereby excludes any liability of any kind for the information contained therein or for the transmission, reception, storage or use of such information in any way whatsoever. The opinions expressed in this message are those of the sender and may not necessarily reflect the opinions of NETAŞ TELEKOMÜNİKASYON A.Ş.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users