Is this openssl fips 1.1.2 module generate position independent code ?
If so then i can inappropriate it in shared library generated by openssl
0.9.7m
Thanks
Joshi
IOn Thu, Sep 18, 2008 at 11:18 PM, joshi chandra <[EMAIL PROTECTED]
> wrote:
>
> when i have used shared option in the ./Configure , i was able to compile
> the
> openssl 0.9.7m successfully
> but when i tested the fips function in the test folder ,that time it was
> producing the error message and when i removed shared option by no-shared
> option in the ./Configure command in the openssl 0.9.7m,
> all the fips function in the test folder was successfully executed , is
> this
> beacuse of the linking problem
>
> The error message was
>
> ./fips_test_suite
> >> FIPS-mode test application
> >>
> >> 1. Non-Approved cryptographic operation test...
> >> a. Included algorithm (D-H)...successful
> >> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
> >> 2. Automatic power-up self test...FAILED!
>
> Can you please tell me is the shared library is possible for openssl 0.9.7m
> which is using the openssl fips 1.1.2 module
>
> can u please explain this statement 'If it does consist of position
> independent
> code then you can incorporate it into a shared library just like any
> other object module, subject of course to the "fipsld" linking to set
> the in-core hash.'
>
> How to link fipsld to in-core hash
>
> Thanks in Advance
> Joshi Chandran
>
>
>
> Steve Marquess wrote:
> >
> > Carlo Milono wrote:
> >> How curious that this topic would come up today as I had a discussion on
> >> it just two days earlier.
> >> The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
> >>
> >> "The FIPS Object Module is not a static library. It may be incorporated
> >> into shared library files or runtime executable application files, but
> >> in any event can only be incorporated intact and in its entirety."
> >>
> >> This was leading me to believe that we could use this in a shared
> >> library mode; perhaps we need to understand the boundaries of what may
> >> be included in a shared library?
> >>
> >> How can we interpret the above quote?
> >
> > The FIPS Object Module is just that, an object module (fipscanister.o).
> > For v1.1.x it may or may not consist of position independent code,
> > depending on the platform. If it does consist of position independent
> > code then you can incorporate it into a shared library just like any
> > other object module, subject of course to the "fipsld" linking to set
> > the in-core hash.
> >
> > If it isn't position independent, then you're out of luck as the
> > Security Policy rules don't allow you to modify the build-time
> parameters.
> >
> > For v1.2 the FIPS Object Module is always generated as position
> > independent code. The corresponding "FIPS capable" OpenSSL
> > distributions ("fips" option) will automatically include it in the
> > libcrypto shared library.
> >
> > -Steve M.
> >
> > --
> > Steve Marquess
> > Open Source Software Institute
> > [EMAIL PROTECTED]
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
> >
> >
>
> --
> View this message in context:
> http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19558250.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>
--
Regards
Joshi Chandran
