On Mon, May 23, 2011, ciphertexto wrote:

> Hello,
> 
> Does anyone know how any application can work 100% reliably with a 
> FIPS-capable OpenSSL given the following requirement from page 33 of the 
> OpenSSL UserGuide at http://www.openssl.org/docs/fips/UserGuide.pdf:
> 
> ===============
> "The standard OpenSSL build with the fips option will use a base address for 
> libeay32.dll of 0xFB00000 by default. This value was chosen because it is 
> unlikely to conflict with other dynamically loaded libraries. In the event of 
> a clash with another dynamically loaded library which will trigger runtime 
> relocation of libeay32.dll the integrity check will fail with the error
> 
>       FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED
>       
> A base address conflict can be resolved by shuffling the other DLLs or 
> recompiling OpenSSL with an alternative base address specified with the 
> --with-baseaddr= option.
> 
> Note that the developer can identify which DLLs are relocated with the 
> Process Explorer utility 
> from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx."
> =================
> 
> I am hitting this problem sporadically with my application on various Windows 
> flavors.  The dynamic loader on Windows changes the base address of 
> libeay32.dll whenever it wants to.
> 
> As a result, my application stops working because FIPS_mode_set() fails.  So 
> I am ending up with an unreliable application.
> 
> I have no control over all of the dynamically loaded libraries in a system, so I 
> am unable to shuffle the other DLLs as suggested in the user guide.  
> 
> And changing the base address at build time is also not guaranteed to work 
> 100% reliably because it could also conflict with some other DLL's base 
> address.
> 
> So what to do?  Is there some trick/workaround to make this work?
> 

Try specifying the /FIXED and/or /DYNAMICBASE:NO options when you build the
DLL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
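
Added example (not part of the thread and not OpenSSL project code): a check of the PE header fields that the /FIXED and /DYNAMICBASE:NO linker options control, plus the preferred base address quoted from the User Guide. The function names are hypothetical and the sample header is constructed for the demo.

```python
import struct

RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit, set by /FIXED
DYNAMIC_BASE = 0x0040      # DllCharacteristics bit, cleared by /DYNAMICBASE:NO
EXPECTED_BASE = 0xFB00000  # default libeay32.dll base quoted in the thread

def pe_base_info(data):
    """Return (image_base, relocs_stripped, aslr_opt_in) from PE header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (characteristics,) = struct.unpack_from("<H", data, pe_off + 22)
    opt = pe_off + 24                                       # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                      # PE32
        (base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                    # PE32+
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return base, bool(characteristics & RELOCS_STRIPPED), bool(dll_chars & DYNAMIC_BASE)

def relocation_findings(data, expected_base=EXPECTED_BASE):
    """List header settings that let the loader move the image at run time."""
    base, stripped, aslr = pe_base_info(data)
    findings = []
    if base != expected_base:
        findings.append("preferred base is %#x, expected %#x" % (base, expected_base))
    if aslr:
        findings.append("DYNAMIC_BASE set: loader may rebase the image (ASLR)")
    if not stripped:
        findings.append("relocations present: loader can rebase on address conflict")
    return findings

def sample_pe32(base, characteristics, dll_chars):
    """Constructed minimal PE32 header for the demo (not a loadable image)."""
    buf = bytearray(0x40 + 24 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 22, characteristics)
    struct.pack_into("<H", buf, 0x58, 0x10B)
    struct.pack_into("<I", buf, 0x58 + 28, base)
    struct.pack_into("<H", buf, 0x58 + 70, dll_chars)
    return bytes(buf)

if __name__ == "__main__":
    print(relocation_findings(sample_pe32(0xFB00000, 0x2102, 0x0040)))
```

Passing the bytes of a built libeay32.dll to `relocation_findings()` checks the real file. With relocations stripped the loader cannot rebase the image, so an address conflict shows up as a load failure rather than a fingerprint mismatch.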
