On 21/03/2017 14:02, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of William A Rowe Jr
Sent: Monday, March 20, 2017 20:59
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Static FIPS Library with Address Randomization

Note you may not modify the openssl-FIPS build files or process.

However, building the openssl host container of the FIPS library build,
you may pin the DLL file with link flags and dodge this relocation.

Yes. That's what /BASE:x /FIXED does, which causes the problem (address not 
available at runtime) which the OP was trying to work around. We're just back 
where we started.

The simple fact of the matter is that the FIPS requirements do not play well 
with the PE DLL design. Arguably the PE DLL design itself is at fault (PE 
relocations also inhibit sharing text pages among processes, for example), but 
it is what it is. In 32-bit, address space is a scarce resource, and OSes make 
various compromises in managing it. The real problem is that FIPS 140-2 was 
written primarily for hardware and doesn't accommodate software well. And, many 
have argued, doesn't really do anything useful anyway - which is no help 
whatsoever if your customer is required to have it, or insists on it anyway.

I don't believe it is a shortcoming of FIPS 140-2 as much as it
is a shortcoming of how the OpenSSL library verifies the hash of
the FIPS blob.  Specifically, that the hash verification is done
on the runtime-relocated code block, not on its
unrelocated/normalized form.

If there is a conformant way to change the code that checks the
FIPS blob, so it checks the "relocated-to-base-0" form along with
the list of blob-relative relocation offsets used for that
normalization, then the blob hash should work fine with runtime
relocation to an available address, address-layout randomization
etc.  The list of relocation offsets could be trivially extracted
from the relocation data in any non-fixed PE file linked against
that particular blob, sorted by address and filtered to only
include those offsets that fall within the blob.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
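
The normalization proposed in the message above, sketched as an added example (not code from the post or from OpenSSL): each fixup is rebased to 0 before hashing, and the offset list is hashed along with the image. It assumes 32-bit absolute fixups; FNV-1a stands in for a real keyed cryptographic digest, and the blob, offsets and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FNV_INIT 0xcbf29ce484222325ULL
/* Stand-in digest (FNV-1a 64-bit); a real check needs a cryptographic MAC. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 0x100000001b3ULL; }
    return h;
}
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
/* What the loader does: add the load base to every 32-bit absolute fixup. */
void relocate(uint8_t *img, const uint32_t *offs, size_t n, uint32_t base) {
    for (size_t i = 0; i < n; i++) wr32(img + offs[i], rd32(img + offs[i]) + base);
}
/* Digest of the base-0 form plus the sorted offset list; 0 on a malformed list. */
uint64_t normalized_digest(const uint8_t *img, size_t len,
                           const uint32_t *offs, size_t n, uint32_t base) {
    uint64_t h = FNV_INIT; uint8_t w[4]; size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        if (offs[i] < pos || len < 4 || offs[i] > len - 4) return 0;
        h = fnv1a(h, img + pos, offs[i] - pos);    /* bytes before the fixup */
        wr32(w, rd32(img + offs[i]) - base);       /* undo the relocation */
        h = fnv1a(h, w, 4);
        wr32(w, offs[i]);                          /* bind the list to the digest */
        h = fnv1a(h, w, 4);
        pos = offs[i] + 4;
    }
    return fnv1a(h, img + pos, len - pos);
}
/* Constructed 16-byte "blob" linked at base 0, with fixups at offsets 2 and 9. */
static const uint8_t BLOB[16] = {0x55,0xa1,0x10,0,0,0,0x8b,0xec,0xb8,0x20,0,0,0,0xc3,0x90,0x90};
static const uint32_t OFFS[2] = {2, 9};
/* Load BLOB at `base`, optionally flip one code bit, return the chosen digest. */
uint64_t digest_at(uint32_t base, int tamper, int normalized) {
    uint8_t img[16];
    memcpy(img, BLOB, 16);
    relocate(img, OFFS, 2, base);
    if (tamper) img[13] ^= 1;
    return normalized ? normalized_digest(img, 16, OFFS, 2, base) : fnv1a(FNV_INIT, img, 16);
}
int main(void) {
    printf("match: %d\n", digest_at(0x10000000u, 0, 1) == digest_at(0x6f200000u, 0, 1));
    return 0;
}
```

Hashing the offset list together with the image matters: if the list were supplied unauthenticated, extra "fixup" entries could be used to mask modified bytes.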
