RE: FIPS compliant shared object - Openssl
-
RE: FIPS compliant shared object
> Can some one point me to instructions on how to create a shared object
> that contains the fipscanister.o and passes the FIPS_mode_set() test
> I can create executables using the ldfips script that pass the test but
> when I attempt to create a fips compliant shared library (the FIPS User
> Guide states this is possible) I get the following errors when calling
> FIPS_mode_set()
> 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match:fips.c:212:
Can you clarify what it is you are doing? Are you using "ldfips" to link the
shared library? Are you using "ldfips" to link the executable? What platform
is this? (And, if applicable, 32-bit or 64-bit?)
DS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
-
Re: FIPS compliant shared object
On Apr 3, 4:21 am, dav...@webmaster.com ("David Schwartz") wrote:
> Can you clarify what it is you are doing? Are you using "ldfips" to link the
> shared library? Are you using "ldfips" to link the executable? What platform
> is this? (And, if applicable, 32-bit or 64-bit?)
>
> DS
>
I'm trying to create a fips compliant library that applications can
link against. I know the FIPS Security Policy doesn't allow for the
use of the "./config fips shared" option but was hoping that I could
create my own shared library that statically links against
fipscanister.o and libcrypto.a. I have been using the
"fipsld" (earlier typo) script to create fips compliant executables
that pass the FIPS_mode_set() test but haven't been successful using
it to create my own shared library. The library does get created but
fails with the above error when FIPS_mode_set() is called. I'm
running Linux - 32 bit.
-
Re: FIPS compliant shared object
On Apr 4, 1:52 am, "kinate...@gmail.com" wrote:
> I'm trying to create a fips compliant library that applications can
> link against. I know the FIPS Security Policy doesn't allow for the
> use of the "./config fips shared" option but was hoping that I could
> create my own shared library that statically links against
> fipscanister.o and libcrypto.a. I have been using the
> "fipsld" (earlier typo) script to create fips compliant executables
> that pass the FIPS_mode_set() test but haven't been successful using
> it to create my own shared library. The library does get created but
> fails with the above error when FIPS_mode_set() is called. I'm
> running Linux - 32 bit.
Did you modify the fipsld script for shared lib creation? Because I am
not able to create a shared lib using fipsld; it hangs at the link step.
Can you provide me some help?
Thanks
Satyadev
-
Re: FIPS compliant shared object
On Apr 14, 1:38 am, satyade...@gmail.com wrote:
> Did you modify the fipsld script for shared lib creation? Because I am
> not able to create a shared lib using fipsld; it hangs at the link step.
> Can you provide me some help?
>
> Thanks
> Satyadev
To use fipsld unmodified you must do the following steps:
1. Ensure that your target name starts with libcrypto... i.e.
libcryptothingy.so
2. Execute the fipsld within the source code of the openssl fips.
3. Reference the libcrypto.a within the source code of the openssl
fips.
4. Add the following arguments to the linking command
"-Wl,-Bsymbolic -Wl,--no-whole-archive".
5. Make

My linking command line looks something like this:

FIPSLD_CC=gcc /source/openssl-fips-1.1.2//fips-1.0/fipsld -shared -o libcryptothingy.so \
    -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
    /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
    -lz -lstdc++

Where the actual link command looks like this:

gcc /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fipscanister.o \
    -DHMAC_SHA1_SIG="f3583ba794c8132c4a20f63e906d23da2a0004d6" \
    /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fips_premain.c \
    -shared -o libcryptothingy.so -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
    /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
    -lz -lstdc++

I hope that this helps
grant
-
Re: FIPS compliant shared object
On Apr 30, 12:22 am, grant.fo...@gmail.com wrote:
> To use fipsld unmodified you must do the following steps:
> 1. Ensure that your target name starts with libcrypto... i.e.
> libcryptothingy.so
> 2. Execute the fipsld within the source code of the openssl fips.
> 3. Reference the libcrypto.a within the source code of the openssl
> fips.
> 4. Add the following arguments to the linking command
> "-Wl,-Bsymbolic -Wl,--no-whole-archive".
> 5. Make
>
> My linking command line looks something like this:
>
> FIPSLD_CC=gcc /source/openssl-fips-1.1.2//fips-1.0/fipsld -shared -o libcryptothingy.so \
>     -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
>     /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
>     -lz -lstdc++
>
> Where the actual link command looks like this:
>
> gcc /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fipscanister.o \
>     -DHMAC_SHA1_SIG="f3583ba794c8132c4a20f63e906d23da2a0004d6" \
>     /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fips_premain.c \
>     -shared -o libcryptothingy.so -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
>     /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
>     -lz -lstdc++
>
> I hope that this helps
>
> grant
Hi Grant,
Thanks for your response. I am trying to build it on the Solaris platform,
and when I provide these options to the linker, it does get executed
(not hanging now) but is not able to create the shared library. So I
doubt we are going to create a FIPS compliant shared lib. The linking step
throws the error below:
15895:error:2507006C:DSO support routines:DSO_load:functionality not supported:dso_lib.c:239:
unable to collect signature
Let me know if you faced the same issue.
Thanks
Satyadev
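
The two error lines quoted in this thread come from different places: the first from the FIPS fingerprint check when FIPS_mode_set() is called, the second from the DSO loader during the fipsld link step. The script below is an added triage example, not code from any poster or from the OpenSSL project; it splits such a line into its fields and unpacks the numeric code. The function name decode_openssl_err is hypothetical, and the bit layout assumed is the pre-3.0 ERR_PACK scheme (8-bit library, 12-bit function, 12-bit reason).

```shell
#!/bin/sh
# Added example: decode an OpenSSL error-queue line as printed by
# ERR_print_errors(). Assumes the pre-3.0 ERR_PACK layout:
#   bits 31..24 library, bits 23..12 function, bits 11..0 reason.

decode_openssl_err() {
    # Line layout: pid:error:CODE:library:function:reason:file:line:[data]
    IFS=: read -r pid tag code libname funcname why file lineno rest <<EOF
$1
EOF
    # A line cut short (for example by forum formatting) lacks file and line.
    if [ "$tag" != "error" ] || [ -z "$file" ] || [ -z "$lineno" ]; then
        echo "not a complete OpenSSL error-queue line: $1" >&2
        return 1
    fi
    # The code is printed as exactly eight hex digits.
    case $code in
        *[!0-9A-Fa-f]*) echo "bad error code: $code" >&2; return 1 ;;
    esac
    if [ "${#code}" -ne 8 ]; then
        echo "bad error code length: $code" >&2
        return 1
    fi
    lib=$(( (0x$code >> 24) & 0xff ))
    func=$(( (0x$code >> 12) & 0xfff ))
    reason=$(( 0x$code & 0xfff ))
    printf 'code=%s lib=%d func=%d reason=%d at=%s:%s text=%s/%s/%s\n' \
        "$code" "$lib" "$func" "$reason" "$file" "$lineno" \
        "$libname" "$funcname" "$why"
}

# The two error lines quoted in the thread, each on a single line.
for sample in \
    "21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match:fips.c:212:" \
    "15895:error:2507006C:DSO support routines:DSO_load:functionality not supported:dso_lib.c:239:"
do
    decode_openssl_err "$sample"
done
```

The library byte differs between the two lines (0x2A versus 0x25), so the fingerprint mismatch and the DSO load failure are separate failures and need to be chased separately.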