Does this OpenSSL FIPS 1.1.2 module generate position-independent code? If so, then I can incorporate it in the shared library generated by OpenSSL 0.9.7m.
Thanks
Joshi

On Thu, Sep 18, 2008 at 11:18 PM, joshi chandra <[EMAIL PROTECTED]> wrote:

> When I used the shared option in ./Configure, I was able to compile
> OpenSSL 0.9.7m successfully, but when I tested the FIPS functions in the
> test folder, it produced the error message below. When I replaced the
> shared option with the no-shared option in the ./Configure command for
> OpenSSL 0.9.7m, all the FIPS functions in the test folder executed
> successfully. Is this because of a linking problem?
>
> The error message was:
>
> ./fips_test_suite
> >> FIPS-mode test application
> >>
> >> 1. Non-Approved cryptographic operation test...
> >> a. Included algorithm (D-H)...successful
> >> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
> >> 2. Automatic power-up self test...FAILED!
>
> Can you please tell me whether a shared library is possible for OpenSSL
> 0.9.7m, which is using the OpenSSL FIPS 1.1.2 module?
>
> Can you please explain this statement: 'If it does consist of position
> independent code then you can incorporate it into a shared library just
> like any other object module, subject of course to the "fipsld" linking
> to set the in-core hash.'
>
> How do I link fipsld to the in-core hash?
>
> Thanks in advance
> Joshi Chandran
>
> Steve Marquess wrote:
> >
> > Carlo Milono wrote:
> >> How curious that this topic would come up today as I had a discussion on
> >> it just two days earlier.
> >> The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
> >>
> >> "The FIPS Object Module is not a static library. It may be incorporated
> >> into shared library files or runtime executable application files, but
> >> in any event can only be incorporated intact and in its entirety."
> >>
> >> This was leading me to believe that we could use this in a shared
> >> library mode; perhaps we need to understand the boundaries of what may
> >> be included in a shared library?
> >>
> >> How can we interpret the above quote?
> >
> > The FIPS Object Module is just that, an object module (fipscanister.o).
> > For v1.1.x it may or may not consist of position independent code,
> > depending on the platform. If it does consist of position independent
> > code then you can incorporate it into a shared library just like any
> > other object module, subject of course to the "fipsld" linking to set
> > the in-core hash.
> >
> > If it isn't position independent, then you're out of luck as the
> > Security Policy rules don't allow you to modify the build-time parameters.
> >
> > For v1.2 the FIPS Object Module is always generated as position
> > independent code. The corresponding "FIPS capable" OpenSSL
> > distributions ("fips" option) will automatically include it in the
> > libcrypto shared library.
> >
> > -Steve M.
> >
> > --
> > Steve Marquess
> > Open Source Software Institute
> > [EMAIL PROTECTED]
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
>
> --
> View this message in context:
> http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19558250.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.

--
Regards
Joshi Chandran
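
The quoted reply ties shared-library use to position-independent code and to the in-core hash set by "fipsld". As an added illustration (not from the thread and not OpenSSL code), this simplified Python model shows how an integrity hash computed over loaded code bytes interacts with load-time relocation. The byte images, key, load addresses and function names are constructed, and the model assumes that non-position-independent code contains absolute addresses the loader must patch.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; not the real module's HMAC key

# Constructed 12-byte "code" images; bytes 4..7 hold an operand.
NON_PIC = b"\x90\x90\x90\xa1" + struct.pack("<I", 0x1000) + b"\xc3\x90\x90\x90"
NON_PIC_RELOCS = [4]   # absolute address: the loader must patch it
PIC = b"\x90\x90\x90\xe8" + struct.pack("<I", 0x20) + b"\xc3\x90\x90\x90"
PIC_RELOCS = []        # PC-relative displacement: nothing to patch


def load(image, relocs, base):
    """Model the loader: add the load base to each 32-bit absolute slot."""
    mem = bytearray(image)
    for off in relocs:
        (addr,) = struct.unpack_from("<I", mem, off)
        struct.pack_into("<I", mem, off, (addr + base) & 0xFFFFFFFF)
    return bytes(mem)


def fingerprint(mem):
    """HMAC-SHA1 over the in-memory bytes, standing in for the in-core hash."""
    return hmac.new(KEY, mem, hashlib.sha1).digest()


def embed_at_link_time(image, relocs, link_base):
    """Model of the stored value: hash of the image as seen at link_base."""
    return fingerprint(load(image, relocs, link_base))


def power_up_self_test(image, relocs, run_base, embedded):
    """Recompute over the bytes as loaded at run_base and compare."""
    actual = fingerprint(load(image, relocs, run_base))
    return hmac.compare_digest(actual, embedded)


if __name__ == "__main__":
    cases = (("non-PIC", NON_PIC, NON_PIC_RELOCS), ("PIC", PIC, PIC_RELOCS))
    for name, img, rel in cases:
        sig = embed_at_link_time(img, rel, 0x08048000)
        for base in (0x08048000, 0x40000000):
            ok = power_up_self_test(img, rel, base, sig)
            print(f"{name:8} base={base:#010x} {'ok' if ok else 'FAILED'}")
```

In this model the non-PIC image verifies only at the address where its hash was taken, while the PIC image verifies at any load address.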