Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)


Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi All,

I have built Openssl-fips-2.0.10.tar on RHEL Linux (Same happens with Solaris 10). Then I built Openssl-1.0.1p using respective fips object module (i.e. Openssl-fips-2.0.10.tar).

Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have been created.
I need to join these 2 libraries and make it one.

I am doing it using "ar" command as follows:

ar -x libssl.a
ar -x libcrypto.a

Then combine all .o files to make third library:
ar -r libnew.a *.o

But when I use this libnew.a in my sample (which contains FIPS_mode_set(1)), it compiles successfully, but when I execute the executable it throws the error: finger print does not match:fips.c:232

Please help.
I need to combine both libraries and make it one.

Any help/suggestion?

--
Sahil Gandhi


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Jakob Bohm-7
On 24/06/2016 07:59, Sahil Gandhi wrote:

> Hi All,
>
> I have built Openssl-fips-2.0.10.tar on RHEL Linux (Same happens
> with Solaris 10). Then I built Openssl-1.0.1p using respective fips
> object module (i.e. Openssl-fips-2.0.10.tar).
>
> Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have been
> created.
> I need to join these 2 libraries and make it one.
>
> I am doing it using "ar" command as follows:
>
> ar -x libssl.a
> ar -x libcrypto.a
>
> Then combine all .o files to make third library:
> ar -r libnew.a *.o
>
> But when I use this libnew.a in my sample (which contains FIPS_mode_set(1)),
> it compiles successfully, but when I execute the executable it throws
> the error: finger print does not match:fips.c:232
>
> Please help.
> I need to combine both libraries and make it one.
>
> Any help/suggestion?
>

You forgot the special link step for FIPS enabled applications,
perhaps also some of the other required steps from the FIPS
module users guide.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Jakob,

Could you please elaborate it? I am not getting it.
I might be missing something but I did not get it.

Many Thanks Jakob for replying.

-Sahil

On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <[hidden email]> wrote:
You forgot the special link step for FIPS enabled applications,
perhaps also some of the other required steps from the FIPS
module users guide.




Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Steve Marquess-4
On 06/24/2016 03:10 AM, Sahil Gandhi wrote:

> Hi Jakob,
>
> Could you please elaborate it? I am not getting it.
> I might be missing something but I did not get it.
>
> Many Thanks Jakob for replying.
>
> -Sahil
>
> On Fri, Jun 24, 2016 at 11:57 AM, Jakob Bohm <[hidden email]> wrote:
>
>     On 24/06/2016 07:59, Sahil Gandhi wrote:
>
>         Hi All,
>
>         I have built Openssl-fips-2.0.10.tar on RHEL Linux (Same
>         happens with Solaris 10). Then I built Openssl-1.0.1p using
>         respective fips object module (i.e. Openssl-fips-2.0.10.tar).
>
>         Once I have built Openssl-1.0.1p, libcrypto.a and libssl.a have
>         been created.
>         I need to join these 2 libraries and make it one.
>
>         I am doing it using "ar" command as follows:
>
>         ar -x libssl.a
>         ar -x libcrypto.a
>
>         Then combine all .o files to make third library:
>         ar -r libnew.a *.o
>
>         But when I use this libnew.a in my sample (which contains
>         FIPS_mode_set(1)), it compiles successfully, but when I execute the
>         executable it throws the error: finger print does not match:fips.c:232
>
>         Please help.
>         I need to combine both libraries and make it one.
>
>         Any help/suggestion?
>
>
>     You forgot the special link step for FIPS enabled applications,
>     perhaps also some of the other required steps from the FIPS
>     module users guide.
>

See https://openssl.org/docs/fips/UserGuide-2.0.pdf.

The FIPS module requires special build-time voodoo to satisfy the
peculiar requirements of the FIPS 140-2 validation.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Steve,

Could you please help me out?
I tried to re-read that part of user-guide but no success.
I know how to generate fingerprint but once I create new static library out of libcrypto.a and libssl.a.
And I do generate the fingerprint of that new library but don't know how to proceed further with that.

Because if I use that new library (to create executable) as it is, it throws fingerprint mismatch error.
My sample source file has FIPS_mode_set(1) call only.

Thanks
Sahil

On Fri, Jun 24, 2016 at 4:14 PM, Steve Marquess <[hidden email]> wrote:
See https://openssl.org/docs/fips/UserGuide-2.0.pdf.

The FIPS module requires special build-time voodoo to satisfy the
peculiar requirements of the FIPS 140-2 validation.

-Steve M.


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Jakob Bohm-7
On 24/06/2016 15:24, Sahil Gandhi wrote:

> Hi Steve,
>
> Could you please help me out?
> I tried to re-read that part of user-guide but no success.
> I know how to generate fingerprint but once I create new static
> library out of libcrypto.a and libssl.a.
> And I do generate the fingerprint of that new library but don't know
> how to proceed further with that.
>
> Because if I use that new library (to create executable) as it is, it
> throws fingerprint mismatch error.
> My sample source file has FIPS_mode_set(1) call only.
>
Because fipscanister.o is not compiled as 100% position independent
code (and cannot legally be done so due to the bureaucratic rules of
the FIPS validation), every new program linked to the FIPS enabled
libcrypto.a will end up with a different fingerprint for the
fipscanister.

And if load address randomization is enabled in the operating system,
each new run of the program will end up with a different fingerprint
and thus not work.

The situation is slightly better for the libcrypto.so DLL, because
if load address randomization is turned off and it is ensured that
libcrypto.so will load at a particular address every time, there
will only be one fingerprint for each compiled libcrypto.so DLL.

Enjoy

Jakob

Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Jakob,

Thanks a lot for your time and detailed explanation.

Regards,
Sahil

On Fri, Jun 24, 2016 at 7:13 PM, Jakob Bohm <[hidden email]> wrote:
Because fipscanister.o is not compiled as 100% position independent
code (and cannot legally be done so due to the bureaucratic rules of
the FIPS validation), every new program linked to the FIPS enabled
libcrypto.a will end up with a different fingerprint for the
fipscanister.

And if load address randomization is enabled in the operating system,
each new run of the program will end up with a different fingerprint
and thus not work.

The situation is slightly better for the libcrypto.so DLL, because
if load address randomization is turned off and it is ensured that
libcrypto.so will load at a particular address every time, there
will only be one fingerprint for each compiled libcrypto.so DLL.


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Steve,

Could you please elaborate in detail?

Many Thanks,
Sahil

On Mon, Jun 27, 2016 at 12:49 PM, Sahil Gandhi <[hidden email]> wrote:
Hi Jakob,

Thanks a lot for your time and detailed explanation.

Regards,
Sahil

--
Sahil Gandhi
Project Engineer
R&D CDAC, Pune


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Ken Chow
I think you should refer to the way of building an Android application: https://wiki.openssl.org/index.php/Android .

Try to wrap libcrypto.so into your dynamic library using the specified FIPS compiler; once you have successfully generated your dynamic library, there is no need to specify the FIPS compiler for compiling your executable program any more. It worked for me, whether under Linux (gcc) or Android (NDK).



2016-06-27 16:37 GMT+08:00 Sahil Gandhi <[hidden email]>:
Hi Steve,

Could you please elaborate in detail?

Many Thanks,
Sahil


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Ken,

Sorry for the late reply. I really appreciate your suggestion but I somehow need to have static library not the dynamic one.

Thanks & Regards,
-Sahil

On Mon, Jun 27, 2016 at 2:43 PM, Ken Chow <[hidden email]> wrote:
I think you should refer to the way of building an Android application: https://wiki.openssl.org/index.php/Android .

Try to wrap libcrypto.so into your dynamic library using the specified FIPS compiler; once you have successfully generated your dynamic library, there is no need to specify the FIPS compiler for compiling your executable program any more. It worked for me, whether under Linux (gcc) or Android (NDK).




Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Steve Marquess-4
On 06/29/2016 07:09 AM, Sahil Gandhi wrote:
> Hi Ken,
>
> Sorry for the late reply. I really appreciate your suggestion but I
> somehow need to have static library not the dynamic one.

You can statically link an application with the FIPS module, using the
special "fipsld" link process, but you cannot put the FIPS module in a
conventional static library (as managed with "ar").

Unfortunately the requirements of FIPS 140-2 conflict in several ways
with standard software engineering practice; it is the tail that wags
the dog.

-Steve M.


Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi Steve,

Thanks for the reply.

Regards,
Sahil

On Wed, Jun 29, 2016 at 6:25 PM, Steve Marquess <[hidden email]> wrote:
You can statically link an application with the FIPS module, using the
special "fipsld" link process, but you cannot put the FIPS module in a
conventional static library (as managed with "ar").

Unfortunately the requirements of FIPS 140-2 conflict in several ways
with standard software engineering practice; it is the tail that wags
the dog.

-Steve M.

Re: Regarding FIPS capable openssl (I want to combine libcrypto.a and libssl.a)

Sahil Gandhi
Hi All,

I am now able to solve this problem myself.
We need to make changes in the fipsld script.
Change 'crypto' or 'libcrypto' to whatever name (you want to specify for the lib) in the fipsld utility script and that's it.

Thanks,
-Sahil Gandhi

On Thu, Jun 30, 2016 at 9:28 AM, Sahil Gandhi <[hidden email]> wrote:
Hi Steve,

Thanks for the reply.

Regards,
Sahil

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
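
An added example, not part of the thread and not code from the OpenSSL project: a small shell model of the name-based dispatch that the last post describes editing in fipsld, showing why a link line that names only libnew.a would bypass the special "fipsld" link process mentioned earlier in the thread. The pattern list, function names and sample command lines are assumptions constructed here; compare them with the fipsld script shipped with your own FIPS module.

```shell
#!/bin/sh
# Model of a name-based link dispatch (assumed behaviour, not the real script).

# Substrings that mark a command line as linking the FIPS-capable libcrypto.
# Assumed defaults; the fix in the last post amounts to adding the name of
# the merged archive to a list like this one.
FIPS_LIB_PATTERNS="libcrypto.a -lcrypto fipscanister.o"

# fips_link_mode ARGS...
# Prints one of:
#   compile      -c or -E present: not a link step, handed to the compiler
#   embed        a FIPS library is named: fingerprint-embedding link applies
#   passthrough  ordinary link: no fingerprint is embedded in the output
fips_link_mode() {
    for arg in "$@"; do
        case "$arg" in
            -c|-E) echo compile; return 0 ;;
        esac
    done
    for arg in "$@"; do
        for pat in $FIPS_LIB_PATTERNS; do
            case "$arg" in
                *"$pat"*) echo embed; return 0 ;;
            esac
        done
    done
    echo passthrough
}

# report_link_modes: read one command line per input line and print
# "mode: command" for each, so passthrough links stand out in a build log.
report_link_modes() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Plain word splitting is enough for these unquoted sample lines.
        set -- $line
        printf '%s: %s\n' "$(fips_link_mode "$@")" "$line"
    done
}

# Constructed sample command lines (not taken from the poster's build).
sample_lines() {
    cat <<'EOF'
gcc -c sample.c -o sample.o
gcc -o sample sample.o libssl.a libcrypto.a -ldl
gcc -o sample sample.o libnew.a -ldl
EOF
}

sample_lines | report_link_modes
```

A `passthrough` result for a program that calls FIPS_mode_set(1) is the case to look for in a build log: the binary links cleanly but carries no matching fingerprint.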