RE: FIPS linked as a shared library

2010-01-20 Thread Bancroft, Matthew
Would you elaborate what is meant by 'strict binding' please.

I have tried compiling with '-z now', I have tried RTLD_LAZY and
RTLD_NOW as flags to dlopen, and the env var LD_BIND_NOW also had
no effect. I have reproduced the same issue of the shared lib
failing on both x86 and MIPS.

Has anyone created and used a shared library?

-Matt Bancroft

 -----Original Message-----
 From: owner-openssl-us...@openssl.org 
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
 Sent: 18 January 2010 20:43
 To: openssl-users
 Subject: Re: FIPS linked as a shared library
 
 The way that the FIPS module verifies its signature is that it forces
 itself to load (via a pre-main() section) and then calculate the
 checksum of the image in-core.  Probably the reason why you're running
 into issues is because of the fixup step of the dynamic linker.
 
 If you expect to use FIPS, you should link it as a hard dependency
 (also known as 'strict binding', as opposed to 'lazy binding') so that
 it can be loaded as early as possible, to minimize the chances of the
 linker needing to run fixups after application-code memory allocation.
  As you've found, the image in-core *must* match the original image
 in-core when the signature was generated, and the linker changes the
 pointers of where things are located when it has to.
 
 -Kyle H
 
 On Mon, Jan 18, 2010 at 2:48 AM, Bancroft, Matthew
 matt.bancr...@siemens-enterprise.com wrote:
  Hello,
 
  I have generated the fipscanister.o and all associated files as
  described in the user guide. All the checks ran ok. I have created an
  application using the fipscanister.o which works fine. When I create
  the shared library the run-time check called when FIPS_mode_set() is
  called fails. I have found that depending on where I am loading the
  library in my code the signature generated is different.
 
  Hence my question: is it really possible to create a shared library,
  and not an application, using the FIPS module?
 
  The makefile for the shared lib looks like this:
 
  CC = gcc
  LIBOBJS= $(BIN)/fipsShared.o
 
  libfipsShared.so: fipsShared.o
   FIPSLD_CC=$(CC) /openssl-fips-1.2/fips/fipsld -shared -o $@ $^ \
   -DDEBUG_FINGERPRINT_PREMAIN /openssl-fips-1.2/libcrypto.a
 
  The build platform is a native MIPS, gcc-3.4.4, make 3.81, uclibc.0.9.28.
 
  Regards,
 
  Matt Bancroft
 
  matt.bancr...@siemens-enterprise.com
 ______________________________________________________________________
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org
 ______________________________________________________________________
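An added illustration of the mechanism Kyle describes, not code from this thread or from the OpenSSL FIPS module: a toy loadable image, a loader that performs the two kinds of fixups ld.so applies (adding the load base to RELATIVE relocation slots, and resolving a GOT entry either at load time under -z now / RTLD_NOW / LD_BIND_NOW or on the first call under lazy binding), and an in-core fingerprint taken the way a pre-main self-check would take it. The image layout, the stub and symbol addresses, and FNV-1a standing in for the real HMAC are all invented for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added demo, not OpenSSL FIPS code.  Layout, addresses and the hash are
 * invented; FNV-1a stands in for the HMAC a real integrity check would use. */

#define TEXT_LEN 32
#define NREL     3   /* RELATIVE relocation slots: loader adds the load base */
#define NGOT     1   /* GOT slot for one imported function (bound via PLT) */

typedef struct {
    uint8_t  text[TEXT_LEN];  /* stands in for machine code, never patched */
    uint64_t rel[NREL];       /* absolute pointers into text, patched at load */
    uint64_t got[NGOT];       /* address of the import once it is resolved */
} image_t;

#define LAZY_STUB_ADDR  0x1000ull    /* invented: ld.so's lazy resolver stub */
#define EXTERN_SYM_ADDR 0x5a5a00ull  /* invented: the import's real address */

/* 64-bit FNV-1a over an arbitrary byte range. */
static uint64_t fnv1a(const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ull; }
    return h;
}

/* The image as it is stored in the file: link-time values, base 0. */
static void image_from_file(image_t *img) {
    memset(img, 0, sizeof *img);
    for (size_t i = 0; i < TEXT_LEN; i++) img->text[i] = (uint8_t)(0x90 + i);
    for (size_t i = 0; i < NREL; i++) img->rel[i] = 8 * i;  /* offsets in text */
}

/* What the dynamic linker does when mapping the image at `base`: every
 * RELATIVE slot gets the base added; the GOT is resolved immediately
 * (-z now, RTLD_NOW, LD_BIND_NOW) or left pointing at the lazy stub. */
static void load_image(image_t *img, uint64_t base, int bind_now) {
    image_from_file(img);
    for (size_t i = 0; i < NREL; i++) img->rel[i] += base;
    img->got[0] = bind_now ? EXTERN_SYM_ADDR : LAZY_STUB_ADDR;
}

/* First call through the PLT under lazy binding rewrites the GOT slot. */
static void first_call_through_plt(image_t *img) {
    if (img->got[0] == LAZY_STUB_ADDR) img->got[0] = EXTERN_SYM_ADDR;
}

/* Naive in-core fingerprint: every mapped byte, fixup slots included. */
static uint64_t fingerprint_all(const image_t *img) {
    return fnv1a(img, sizeof *img);
}

/* Fingerprint restricted to bytes the loader never rewrites. */
static uint64_t fingerprint_text_only(const image_t *img) {
    return fnv1a(img->text, TEXT_LEN);
}

/* Reference value recorded at build time: for this demo, the image loaded
 * at base 0 with every fixup already applied. */
static uint64_t reference_fingerprint(uint64_t (*fp)(const image_t *)) {
    image_t img;
    load_image(&img, 0, 1);
    return fp(&img);
}

/* The run-time self-test: map at `base` with the given binding mode,
 * optionally after one call has already gone through the PLT, and
 * compare the live fingerprint against the build-time reference.
 * Returns 1 on match, 0 on mismatch. */
static int check_at(uint64_t base, int bind_now, int called_first,
                    uint64_t (*fp)(const image_t *)) {
    image_t img;
    load_image(&img, base, bind_now);
    if (called_first) first_call_through_plt(&img);
    return fp(&img) == reference_fingerprint(fp);
}

int main(void) {
    printf("all bytes, base 0, bind now        : %d\n", check_at(0, 1, 0, fingerprint_all));
    printf("all bytes, base 0, lazy, no call   : %d\n", check_at(0, 0, 0, fingerprint_all));
    printf("all bytes, base 0, lazy, after call: %d\n", check_at(0, 0, 1, fingerprint_all));
    printf("all bytes, base 0x10000, bind now  : %d\n", check_at(0x10000, 1, 0, fingerprint_all));
    printf("text only, base 0x10000, lazy      : %d\n", check_at(0x10000, 0, 0, fingerprint_text_only));
    return 0;
}
```

The check over all mapped bytes passes only when the image sits at the base the reference was taken at and every pending fixup has already been applied: forcing immediate binding removes the dependence on whether an import has been called yet, but it cannot remove the dependence on the load address, because RELATIVE slots inside the fingerprinted range carry the base itself. A fingerprint that must hold at an arbitrary load address has to cover only bytes the loader never rewrites (here the text; in a real module, text and pointer-free rodata).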


FIPS linked as a shared library

2010-01-18 Thread Bancroft, Matthew
Hello,

I have generated the fipscanister.o and all associated files as described in 
the user guide. All the checks ran ok. I have created an application using the 
fipscanister.o which works fine. When I create the shared library the run-time 
check called when FIPS_mode_set() is called fails. I have found that depending 
on where I am loading the library in my code the signature generated is 
different.

Hence my question: is it really possible to create a shared library, and not an 
application, using the FIPS module?

The makefile for the shared lib looks like this:

CC = gcc
LIBOBJS= $(BIN)/fipsShared.o

libfipsShared.so: fipsShared.o
	FIPSLD_CC=$(CC) /openssl-fips-1.2/fips/fipsld -shared -o $@ $^ \
	-DDEBUG_FINGERPRINT_PREMAIN /openssl-fips-1.2/libcrypto.a

The build platform is a native MIPS, gcc-3.4.4, make 3.81, uclibc.0.9.28.

Regards,

Matt Bancroft

matt.bancr...@siemens-enterprise.com