3

I’ve been banging my head against the wall for a while now. I have a library that depends on openssl (and by customer requirements FIPS enabled). Then I use that library from Java via JNI (Windows). I’ve tried all kind of things and I have narrowed down the problem to the following:

Whenever I try to load JUST the openssl library from Java with FIPS enabled, it gives the following error

java.lang.UnsatisfiedLinkError: C:\Users\Joaquin\Downloads\libeay32\q\x86\libeay32.dll: Attempt to access invalid address
    at java.lang.ClassLoader$NativeLibrary.load(Native Method)
    at java.lang.ClassLoader.loadLibrary0(Unknown Source)
    at java.lang.ClassLoader.loadLibrary(Unknown Source)
    at java.lang.Runtime.loadLibrary0(Unknown Source)
    at java.lang.System.loadLibrary(Unknown Source)
    at aspera.com.utilities.TestDllLoad.loadLibrary(TestDllLoad.java:31)
    at aspera.com.utilities.TestDllLoad.main(TestDllLoad.java:19)

If I use 1.7u80 JRE it loads fine. But it fails with JRE 1.8u65. Both x86.

If I compile libeay32 without FIPS then it works fine.

I thought it might have something to do with it being loaded in a fixed memory address (0xFB00000) so I tried others (0xA000000, 0x100000) and it still failed with the same error.

This is the code for loading the DLL:

/**
 * @param args the absolute path to the dll to test
 */
public static void main(String[] pArgs) {
    if (pArgs.length < 1) {
        System.out.println("Usage: TestDllLoad absolute/path/to/dll");
        System.exit(1);;
    }
    File dll = new File(pArgs[0]);
    try {
        Runtime.getRuntime().load(dll.getAbsolutePath());
    } catch (Throwable t) {
        t.printStackTrace();
    }
}

The OpenSsl version is 1.0.0.1q and FIPS 2.0.5

Any ideas or suggestions?

jww
  • 97,681
  • 90
  • 411
  • 885
Joaquin Fernandez
  • 63
  • 1
  • 4
  • Can you get your DLL to load into the JVM address space *without* `/FIXED`, then determine at what address it's located? Then use that address for your `/FIXED` argument? – Andrew Henle Dec 29 '15 at 14:43
  • It did work indeed, the address was `0x6fef0000`, and if I used that one while loading it would use any other and work just fine. The problem is that /FIXED is a requirement in this case – Joaquin Fernandez Dec 30 '15 at 11:18
  • Also, I enumerated all the modules loaded by the process (Java) when loading the DLL and looking at their memory addresses no one would collide with the base address + size of the DLL so I don't understand why is that happening – Joaquin Fernandez Dec 30 '15 at 11:30
  • Just [bike shedding](http://bikeshed.com/), but you might find you have better FIPS availability by wrapping Microsoft's CryptoNG or CryptoAPI. I've been in a similar spot, and quickly realized that OpenSSL was a pain point on a number of platforms. Linux is usually fine; its the other platforms that begin to sting. – jww Dec 31 '15 at 13:45
  • @jww I finally followed your suggestion, I couldn't figure out a way to properly load a FIPS enabled libeay32 with Java8 – Joaquin Fernandez Jan 07 '16 at 17:58

0 Answers0