RE: FIPS compliant shared object - Openssl


  1. RE: FIPS compliant shared object


    > Can some one point me to instructions on how to create a shared object
    > that contains the fipscanister.o and passes the FIPS_mode_set() test
    > I can create executables using the ldfips script that pass the test but
    > when I attempt to create a fips compliant shared library (the FIPS User
    > Guide states this is possible) I get the following errors when calling
    > FIPS_mode_set()


    > 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
    > match:fips.c:212:


    Can you clarify what it is you are doing? Are you using "ldfips" to link the
    shared library? Are you using "ldfips" to link the executable? What platform
    is this? (And, if applicable, 32-bit or 64-bit?)

    DS


    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org

  2. Re: FIPS compliant shared object

    On Apr 3, 4:21 am, dav...@webmaster.com ("David Schwartz") wrote:
    > > Can some one point me to instructions on how to create a shared object
    > > that contains the fipscanister.o and passes the FIPS_mode_set() test
    > > I can create executables using the ldfips script that pass the test but
    > > when I attempt to create a fips compliant shared library (the FIPS User
    > > Guide states this is possible) I get the following errors when calling
    > > FIPS_mode_set()
    > > 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
    > > match:fips.c:212:

    >
    > Can you clarify what it is you are doing? Are you using "ldfips" to link the
    > shared library? Are you using "ldfips" to link the executable? What platform
    > is this? (And, if applicable, 32-bit or 64-bit?)
    >
    > DS
    >


    I'm trying to create a fips compliant library that applications can
    link against. I know the FIPS Security Policy doesn't allow for the
    use of the "./config fips shared" option but was hoping that I could
    create my own shared library that statically links against
    fipscanister.o and libcrypto.a I have been using the
    "fipsld" (earlier typo) script to create fips compliant executables
    that pass the FIPS_mode_set() test but haven't been successful using
    it to create my own shared library. The library does get created but
    fails with the above error when FIPS_mode_set() is called. I'm
    running Linux - 32 bit.

  3. Re: FIPS compliant shared object

    On Apr 4, 1:52 am, "kinate...@gmail.com" wrote:
    > On Apr 3, 4:21 am, dav...@webmaster.com ("David Schwartz") wrote:
    >
    > > > Can some one point me to instructions on how to create a shared object
    > > > that contains the fipscanister.o and passes the FIPS_mode_set() test
    > > > I can create executables using the ldfips script that pass the test but
    > > > when I attempt to create a fips compliant shared library (the FIPS User
    > > > Guide states this is possible) I get the following errors when calling
    > > > FIPS_mode_set()
    > > > 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
    > > > match:fips.c:212:
    >
    > > Can you clarify what it is you are doing? Are you using "ldfips" to link the
    > > shared library? Are you using "ldfips" to link the executable? What platform
    > > is this? (And, if applicable, 32-bit or 64-bit?)
    >
    > > DS
    >
    > I'm trying to create a fips compliant library that applications can
    > link against. I know the FIPS Security Policy doesn't allow for the
    > use of the "./config fips shared" option but was hoping that I could
    > create my own shared library that statically links against
    > fipscanister.o and libcrypto.a I have been using the
    > "fipsld" (earlier typo) script to create fips compliant executables
    > that pass the FIPS_mode_set() test but haven't been successful using
    > it to create my own shared library. The library does get created but
    > fails with the above error when FIPS_mode_set() is called. I'm
    > running Linux - 32 bit.



    Did you modify the fipsld script for shared lib creation? Because I am
    not able to create a shared lib using fipsld; it hangs at the link step.
    Can you provide me some help?

    Thanks
    Satyadev

  4. Re: FIPS compliant shared object

    On Apr 14, 1:38 am, satyade...@gmail.com wrote:
    > On Apr 4, 1:52 am, "kinate...@gmail.com" wrote:
    >
    > > On Apr 3, 4:21 am, dav...@webmaster.com ("David Schwartz") wrote:
    >
    > > > > Can some one point me to instructions on how to create a shared object
    > > > > that contains the fipscanister.o and passes the FIPS_mode_set() test
    > > > > I can create executables using the ldfips script that pass the test but
    > > > > when I attempt to create a fips compliant shared library (the FIPS User
    > > > > Guide states this is possible) I get the following errors when calling
    > > > > FIPS_mode_set()
    > > > > 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
    > > > > match:fips.c:212:
    >
    > > > Can you clarify what it is you are doing? Are you using "ldfips" to link the
    > > > shared library? Are you using "ldfips" to link the executable? What platform
    > > > is this? (And, if applicable, 32-bit or 64-bit?)
    >
    > > > DS
    >
    > > I'm trying to create a fips compliant library that applications can
    > > link against. I know the FIPS Security Policy doesn't allow for the
    > > use of the "./config fips shared" option but was hoping that I could
    > > create my own shared library that statically links against
    > > fipscanister.o and libcrypto.a I have been using the
    > > "fipsld" (earlier typo) script to create fips compliant executables
    > > that pass the FIPS_mode_set() test but haven't been successful using
    > > it to create my own shared library. The library does get created but
    > > fails with the above error when FIPS_mode_set() is called. I'm
    > > running Linux - 32 bit.
    >
    > Did you modify the fipsld script for shared lib creation? because i am
    > not able create shared lib using fipsld, it hangs at the link step.
    > Can you provide me some help?
    >
    > Thanks
    > Satyadev


    To use fipsld unmodified you must do the following steps:
    1. Ensure that your target name starts with libcrypto... i.e.
    libcryptothingy.so
    2. Execute the fipsld within the source code of the openssl fips.
    3. Reference the libcrypto.a within the source code of the openssl
    fips.
    4. Add the following arguments to the linking command
    "-Wl,-Bsymbolic -Wl,--no-whole-archive".
    5. Make

    My linking command line looks something like this:
    FIPSLD_CC=gcc /source/openssl-fips-1.1.2//fips-1.0/fipsld -shared -o libcryptothingy.so \
        -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
        /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
        -lz -lstdc++

    Where the actual link command looks like this:
    gcc /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fipscanister.o \
        -DHMAC_SHA1_SIG="f3583ba794c8132c4a20f63e906d23da2a0004d6" \
        /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fips_premain.c \
        -shared -o libcryptothingy.so -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
        /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
        -lz -lstdc++

    I hope that this helps

    grant

  5. Re: FIPS compliant shared object

    On Apr 30, 12:22 am, grant.fo...@gmail.com wrote:
    > On Apr 14, 1:38 am, satyade...@gmail.com wrote:
    >
    > > On Apr 4, 1:52 am, "kinate...@gmail.com" wrote:
    >
    > > > On Apr 3, 4:21 am, dav...@webmaster.com ("David Schwartz") wrote:
    >
    > > > > > Can some one point me to instructions on how to create a shared object
    > > > > > that contains the fipscanister.o and passes the FIPS_mode_set() test
    > > > > > I can create executables using the ldfips script that pass the test but
    > > > > > when I attempt to create a fips compliant shared library (the FIPS User
    > > > > > Guide states this is possible) I get the following errors when calling
    > > > > > FIPS_mode_set()
    > > > > > 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
    > > > > > match:fips.c:212:
    >
    > > > > Can you clarify what it is you are doing? Are you using "ldfips" to link the
    > > > > shared library? Are you using "ldfips" to link the executable? What platform
    > > > > is this? (And, if applicable, 32-bit or 64-bit?)
    >
    > > > > DS
    >
    > > > I'm trying to create a fips compliant library that applications can
    > > > link against. I know the FIPS Security Policy doesn't allow for the
    > > > use of the "./config fips shared" option but was hoping that I could
    > > > create my own shared library that statically links against
    > > > fipscanister.o and libcrypto.a I have been using the
    > > > "fipsld" (earlier typo) script to create fips compliant executables
    > > > that pass the FIPS_mode_set() test but haven't been successful using
    > > > it to create my own shared library. The library does get created but
    > > > fails with the above error when FIPS_mode_set() is called. I'm
    > > > running Linux - 32 bit.
    >
    > > Did you modify the fipsld script for shared lib creation? because i am
    > > not able create shared lib using fipsld, it hangs at the link step.
    > > Can you provide me some help?
    >
    > > Thanks
    > > Satyadev
    >
    > To use fipsld unmodified you must do the follow steps:
    > 1. Ensure that your target name starts with libcrypto... i.e.
    > libcryptothingy.so
    > 2. Execute the fipsld within the source code of the openssl fips.
    > 3. Reference the libcrypto.a within the source code of the openssl
    > fips.
    > 4. Add the following arguments to the linking command
    > "-Wl,-Bsymbolic -Wl,--no-whole-archive".
    > 5. Make
    >
    > my linking command line looks something like this:
    > FIPSLD_CC=gcc /source/openssl-fips-1.1.2//fips-1.0/fipsld -shared -o libcryptothingy.so \
    >     -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
    >     /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
    >     -lz -lstdc++
    >
    > Where the actual link command looks like this:
    > gcc /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fipscanister.o \
    >     -DHMAC_SHA1_SIG="f3583ba794c8132c4a20f63e906d23da2a0004d6" \
    >     /source/openssl-fips-1.1.2//fips-1.0/../fips-1.0/fips_premain.c \
    >     -shared -o libcryptothingy.so -Wl,-Bsymbolic -Wl,--no-whole-archive foobar.o \
    >     /source/openssl-fips-1.1.2//libssl.a /source/openssl-fips-1.1.2//libcrypto.a \
    >     -lz -lstdc++
    >
    > I hope that this helps
    >
    > grant



    Hi Grant,

    Thanks for your response. I am trying to build it on the Solaris platform,
    and when I provide these options to the linker, though it gets
    executed (not hanging now), it is not able to create the shared library. So I
    doubt we are going to create a fips compliant shared lib. The linking step
    throws the error mentioned below:

    15895:error:2507006C:DSO support routines:DSO_load:functionality not
    supported:dso_lib.c:239:
    unable to collect signature

    Let me know if you faced the same issue.

    Thanks
    Satyadev
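
The two error strings quoted in this thread follow OpenSSL's error-queue line layout, so they can be triaged mechanically. The script below is an added example, not code from any poster or from the OpenSSL project: it unpacks the hex code and tags each line with the stage at which the thread reports it. It assumes the pre-3.0 packing of the error code (8-bit library, 12-bit function, 12-bit reason); the function names `phase_of`, `decode_err_line`, `triage` and `sample_log` are hypothetical, and the sample log is constructed from the thread's two errors.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes OpenSSL error-queue lines:
#   pid:error:HEXCODE:library:function:reason:file:line:
# Assumption: pre-3.0 ERR_PACK layout, HEXCODE = lib(8 bits)|func(12)|reason(12).

# Map the failing function to the stage at which the thread reports it.
phase_of() {
    case $1 in
        FIPS_check_dso) echo "runtime FIPS_mode_set() self-check" ;;
        DSO_load)       echo "link-time signature collection" ;;
        *)              echo "unclassified" ;;
    esac
}

# decode_err_line LINE: print the unpacked code and text fields; exit status 1
# when LINE is not an error-queue line. The body is a subshell, so the IFS and
# globbing changes used for field splitting do not leak into the caller.
decode_err_line() (
    set -f; IFS=:
    set -- $1
    [ "$#" -ge 8 ] && [ "$2" = "error" ] || exit 1
    # Reject empty, non-hex, or longer-than-32-bit codes.
    case $3 in ''|*[!0-9A-Fa-f]*|?????????*) exit 1 ;; esac
    code=$((0x$3))
    printf 'lib=%d func=%d reason=%d | %s | %s | %s:%s | %s\n' \
        "$(( (code >> 24) & 0xff ))" "$(( (code >> 12) & 0xfff ))" \
        "$(( code & 0xfff ))" "$5" "$6" "$7" "$8" "$(phase_of "$5")"
)

# triage: read a build or application log on stdin, decode each error-queue
# line and silently skip everything else.
triage() {
    while IFS= read -r l; do
        decode_err_line "$l" || true
    done
}

# Constructed sample: the thread's two errors, unwrapped onto single lines.
sample_log() {
    cat <<'EOF'
21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match:fips.c:212:
15895:error:2507006C:DSO support routines:DSO_load:functionality not supported:dso_lib.c:239:
unable to collect signature
EOF
}

sample_log | triage
```

The decoded library numbers differ (42 and 37), which shows the two failures come from different OpenSSL subsystems even though both surface while producing the same shared object.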

