Using FIPS capable OpenSSL through Java JNI

Susumu Sai

Mar 29, 2010, 8:50:26 AM
When I use FIPS capable OpenSSL through Java JNI, I got an error:
"3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236"
which means it failed the base address check.
Based on the OpenSSL FIPS document, I changed to use a different base address such as 0x75000000, and then yes, it works.
Just wondering:
(1) Why is FIPS capable OpenSSL doing a base address check?
(2) Is there any recommended way to use FIPS capable OpenSSL through Java?


______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

Mar 29, 2010, 8:57:57 AM
On Mon, Mar 29, 2010, Susumu Sai wrote:

> When I use FIPS capable OpenSSL through Java JNI, I got an error:
> "3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236"
> which means it failed the base address check.
> Based on the OpenSSL FIPS document, I changed to use a different base address such as 0x75000000, and then yes, it works.
> Just wondering:
> (1) Why is FIPS capable OpenSSL doing a base address check?
>

You only get the address check if the in core integrity check fails. The
reason it does that is to provide a useful diagnostic as to why it has failed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
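
The order of checks described in the reply above, as a simplified model added here (it is not part of the thread and not OpenSSL's code): a keyed hash over the loaded image stops matching once a loader rewrites absolute addresses for a different base, and the address comparison is consulted only to label that failure. The HMAC-SHA1 choice, key, image layout, relocation offsets and function names are assumptions constructed for illustration; 0x75000000 is the base address from the thread.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; not the module's real key
PREFERRED_BASE = 0x75000000     # base address mentioned in the thread


def build_image(base):
    """Constructed non-PIC 'code' image: filler plus two absolute 32-bit pointers."""
    image = bytearray(b"\x90" * 32)
    relocs = [4, 20]            # offsets the loader must fix up when rebasing
    for off in relocs:
        struct.pack_into("<I", image, off, base + 0x1000 + off)
    return image, relocs


def load(image, relocs, preferred, actual):
    """Model of a loader: shift every absolute pointer by the load delta."""
    mapped = bytearray(image)
    delta = actual - preferred
    for off in relocs:
        (ptr,) = struct.unpack_from("<I", mapped, off)
        struct.pack_into("<I", mapped, off, (ptr + delta) & 0xFFFFFFFF)
    return mapped


def fingerprint(mapped):
    """Keyed hash over the in-memory bytes (model of an in-core fingerprint)."""
    return hmac.new(KEY, bytes(mapped), hashlib.sha1).digest()


def integrity_check(actual_base):
    """Compare the fingerprint first; look at the base only to explain a failure."""
    image, relocs = build_image(PREFERRED_BASE)
    embedded = fingerprint(image)   # value recorded at link time in this model
    mapped = load(image, relocs, PREFERRED_BASE, actual_base)
    if hmac.compare_digest(fingerprint(mapped), embedded):
        return "ok"
    if actual_base != PREFERRED_BASE:
        return "fingerprint does not match nonpic relocated"
    return "fingerprint does not match"


if __name__ == "__main__":
    for base in (PREFERRED_BASE, 0x10000000):   # second base is constructed
        print(hex(base), "->", integrity_check(base))
```
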

Iain

Apr 16, 2010, 7:42:02 AM
On Mar 29, 1:57 pm, st...@openssl.org ("Dr. Stephen Henson") wrote:
> On Mon, Mar 29, 2010, Susumu Sai wrote:
> > When I use FIPS capable OpenSSL through Java JNI, I got an error:
> > "3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236"
> > which means it failed the base address check.
> > Based on the OpenSSL FIPS document, I changed to use a different base address such as 0x75000000, and then yes, it works.
> > Just wondering:
> > (1) Why is FIPS capable OpenSSL doing a base address check?
>
> You only get the address check if the in core integrity check fails. The
> reason it does that is to provide a useful diagnostic as to why it has failed.
>

I succeeded in getting this to work using fipsld and also including the
link option "-Wl,-Bsymbolic"; this was from a thread in
"mailing.openssl.users" titled "FIPS compliant shared object Options",
but to be honest I'm not 100% sure if this still creates a valid
FIPS shared library that can be used in a project requiring full FIPS
140-2 compliance?

Coulter, Iain

Apr 19, 2010, 4:24:19 AM
>> When I use FIPS capable OpenSSL through Java JNI, I got an error:
>> "3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236"
>> which means it failed the base address check.
>> Based on the OpenSSL FIPS document, I changed to use a different base address
>> such as 0x75000000, and then yes, it works.
>> Just wondering:
>> (1) Why is FIPS capable OpenSSL doing a base address check?
>> 
>
> You only get the address check if the in core integrity check fails. The
> reason it does that is to provide a useful diagnostic as to why it has failed.
>
 
I succeeded in getting this to work using fipsld and also including the link option "-Wl,-Bsymbolic"; this was from a thread in "mailing.openssl.users" titled "FIPS compliant shared object Options", but to be honest I'm not 100% sure if this still creates a valid FIPS shared library that can be used in a project requiring full FIPS 140-2 compliance?
 
--
Iain 
 

Coulter, Iain

Apr 21, 2010, 4:46:58 AM

Just found out that the thread I commented on is only visible via google
groups?

On openssl-dev the thread I referred to is here:
http://www.mail-archive.com/openss...@openssl.org/msg52448.html
But google groups thread has about 5 other responses?
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/f7dc6346ffe97750/f75a0e078101eca1?lnk=gst&q=FIPS+shared#f75a0e078101eca1


--
Iain
