I have not seen an answer to this mail. Wouldn't applying "PIC" accomplish the same thing?
Thank you, -Pandit ________________________________ From: William A. Rowe Jr. <wr...@rowe-clan.net> To: openssl-users@openssl.org Cc: Kyle Hamilton <aerow...@gmail.com> Sent: Mon, January 18, 2010 6:20:11 PM Subject: Re: FIPS linked as a shared library On 1/18/2010 2:42 PM, Kyle Hamilton wrote: > The way that the FIPS module verifies its signature is that it forces > itself to load (via a pre-main() section) and then calculate the > checksum of the image in-core. Probably the reason why you're running > into issues is because of the fixup step of the dynamic linker. > > If you expect to use FIPS, you should link it as a hard dependency > (also known as 'strict binding', as opposed to 'lazy binding') so that > it can be loaded as early as possible, to minimize the chances of the > linker needing to run fixups after application-code memory allocation. > As you've found, the image in-core *must* match the original image > in-core when the signature was generated, and the linker changes the > pointers of where things are located when it has to. Wouldn't applying the PIC compiler flag across all .o's accomplish the same thing? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
