Linking of Shared Libraries
Could someone explain to me the steps for dynamic linking of the OpenSSL FIPS libraries into my application? I have generated the following OpenSSL and FIPS modules:

    ssleay32.dll
    libeay32.dll
    ssleay32.lib
    libeay32.lib
    fipscanister.lib

I am trying to execute my application with OpenSSL FIPS 1.2 by linking the above modules dynamically. But the FIPS_mode_set(1) function is not setting the FIPS mode for some reason. Could someone tell me if I am doing this right?
OPENSSL_config
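I am trying to enable FIPS mode through OPENSSL_config and it is failing. Could anyone throw more light on this? I am running on Windows 32 bit and using VC++ SP6.

Openssl.conf file:

    FIPS_conf = FIPS_options
    [ FIPS_options ]
    fips_mode = yes

Program:

    #include <stdio.h>
    #include <openssl/conf.h>
    #include <openssl/crypto.h>

    int main(){
        int result;
        /* Load the OpenSSL configuration, using FIPS_conf as the application name */
        OPENSSL_config("FIPS_conf");
    #ifdef OPENSSL_FIPS
        /* FIPS_mode() returns non-zero when the library is in FIPS mode */
        if (FIPS_mode()) {
            printf("*** IN FIPS MODE ***\n");
        }
    #endif
        return 0;
    }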
FW: FIPS_mode_set(1) call Fails
Hello,

I am using static FIPS modules on Windows XP 32 bit. I am trying to link with my application. I am following the command in User Guide 1.2 for static linking.

    perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /out:out32\md2test.exe /ENTRY:main

What does the /out: option mean? What should I be specifying here? Got this option /out:out32\md2test.exe in Google. What does the FIPS_TARGET environmental variable mean?

When I execute the above perl command, I get the following error.

    perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /out:out32\md2test.exe /Entry:main
    Integrity check OK
    cl /c C:\SandBox\7_5_api\3rdparty\Microsoft\openssl\fips\path/fips_premain.c
    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8804 for 80x86
    Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /out:out32\md2test.exe /Entry:main
    LINK : warning LNK4001: no object files specified; libraries used
    LINK : error LNK2001: unresolved external symbol _main
    out32\md2test.exe : fatal error LNK1120: 1 unresolved externals
    First stage Link failure at util\fipslink.pl line 42.

Am I missing something in the Perl command line options?

Thank you!
Manjula

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, January 01, 2009 6:53 AM
To: openssl-users@openssl.org
Subject: Re: FIPS_mode_set(1) call Fails

On Tue, Dec 30, 2008, Chikkanagappa, Manjula wrote:

> Hello Everyone!
> I have FIPS 1.2 modules and 0.9.8 stable development version (12/30/2008) OpenSSL modules. I am invoking FIPS_mode_set(1) in my application. The FIPS_mode_set(1) returns 0 all the time. I have written a small test program with just the FIPS_mode_set(1) call. And the call still fails with return value 0. Could anyone throw more light on this problem? I am running on Windows XP and VC++ 6.0 SP6.

Are you using shared libraries or static ones? What error code do you get? Check the FAQ for details.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
FIPS_mode_set(1) call Fails
Hello Everyone!

I have FIPS 1.2 modules and 0.9.8 stable development version (12/30/2008) OpenSSL modules. I am invoking FIPS_mode_set(1) in my application. The FIPS_mode_set(1) returns 0 all the time. I have written a small test program with just the FIPS_mode_set(1) call. And the call still fails with return value 0. Could anyone throw more light on this problem? I am running on Windows XP and VC++ 6.0 SP6.

Thanks
RE: openssl-fips 1.2 questions
Hello Everyone,

I am using the OpenSSL FIPS 1.2 object module and the OpenSSL 0.9.8 Stable distribution. When I build the OpenSSL libraries using the 0.9.8 stable version, I see the following files in the output:

    libeaycompat32.lib
    libeayfips32.lib

When I do a Dumpbin on the above library files, I see that they are the same. Could anyone answer my questions below?

1) Why are the two library files generated? Is there any difference between them?
2) Which library should I be using to make my OpenSSL application FIPS compliant?
3) Can I use the libraries as is or should I rename them to libeay32.lib?

Thanks much,
Manjula

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
Sent: Wednesday, December 17, 2008 6:46 PM
To: openssl-users@openssl.org
Subject: Re: openssl-fips 1.2 questions

Victor Duchovni wrote:

> FYI, on page 35, Example 5.2b and the text below it are somewhat garbled, at least in the MacOSX PDF viewer...
>
> - OPENSSL(config(...) instead of OPENSSL_config(...) in the example

Had several reports on that, fixing now.

> - In the PDF view, the closing ) of the OPENSSL_config(...) call is not visible. It is only visible when one uses copy/paste to yank the text.

Hmm, looks OK to me in XPDF on Linux. The source document is an ODF file and I have had some PDF rendering issues before which went away with OO upgrades.

> - The 0.9.8i man page for OPENSSL_config, ...

I'll defer to the OpenSSL team but will try to put together some strawman documentation.

> This likely will need to wait for Postfix 2.7 snapshots in the Spring of '09, because 0.9.8j is not out yet to validate this approach, and the documentation is rather incomplete...
>
> The strategy for Postfix would likely be an optional load of an administrator-specified _conf section (not performed if not explicitly set in main.cf), via an administrator specified openssl.cnf file (default system-wide openssl.cnf).
>
> This can enable FIPS mode provided fipscanister is linked-in, which would be a build-time option. If the "exit on error" language for OPENSSL_config() is correct, I can't use that, and have to use CONF_modules_load_file(3) instead. Does this sound about right?

Yes it does. Note also that fipscanister can be referenced via a shared library (provided automatically with the FIPS capable 0.9.8j+ OpenSSL).

I'm checking with Steve Henson on the exit on error behavior. It's a tricky business disabling disallowed functionality in FIPS mode and the existing API doesn't always provide a means to indicate that new type of failure. I remember at one point he was pondering both hard and soft error handling.

I'd like to encourage the use of OPENSSL_config() as the preferred method for enabling FIPS mode. Perhaps a subsequent API call to test if FIPS mode was configured but FIPS mode failed...? But IMHO the hard failure should still be the default, so we'd need a "Don't exit on me, I'll check for failure" call before invoking OPENSSL_config(). Hmmm...

-Steve M.
--
Steve Marquess
Open Source Software institute
marqu...@oss-institute.org