[openssl-users] FIPS_check_incore_fingerprint: fingerprint does not match

Marcos Bontempo marcosbontempo at hotmail.com
Sun Dec 27 18:08:42 UTC 2015 

I changed my Makefile to use fipsld, but I'm still getting the same error. 
Before compiling, I run this script:______________________________________________________________#! /bin/bash
################################# OpenSSL directory
if [ -z $OPENSSLDIR ] && [ -d /usr/local/ssl ]; then  OPENSSLDIR=/usr/local/sslfi
if [ -z "$OPENSSLDIR" ]; then  echo "Could not locate OpenSSL installation directory"fi
################################# OpenSSL and fipsld
export FIPS_SIG=`find $OPENSSLDIR/fips-2.0 -iname incore 2>/dev/null`export FIPSLIBDIR=`find $OPENSSLDIR/fips-2.0 -iname lib 2>/dev/null`
if [ -z "$FIPS_SIG" ]; then  echo "Could not locate 'incore' in $OPENSSLDIR/fips-2.0"fi
if [ -z "$FIPSLIBDIR" ]; then  echo "Could not locate 'FIPS library directory' in $OPENSSLDIR/fips-2.0"fi
set  -x______________________________________________________________
Here is my Makefile:
______________________________________________________________CC=gccOPENSSLDIR=/usr/local/sslLIBS=$(OPENSSLDIR)/lib/libcrypto.a $(OPENSSLDIR)/lib/libssl.a -ldlFIPSLIBDIR=$(OPENSSLDIR)/libINCLUDES=-I$(OPENSSLDIR)/includeCMD=fipsctl
OBJS=$(CMD).o
$(CMD): $(OBJS)        FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(OBJS)  \        $(LIBS)
$(OBJS): $(CMD).c        $(CC) -c $(CMD).c $(INCLUDES)
clean:        rm -Rf *.o $(CMD)______________________________________________________________
What is wrong? I only want to build the simplest application using FIPS.

From: marcosbontempo at hotmail.com
To: openssl-users at openssl.org
Subject: RE: [openssl-users] FIPS_check_incore_fingerprint: fingerprint does not match
Date: Wed, 23 Dec 2015 08:25:41 -0200




Thanks for the answer! I searched about the FIPS linker script but I couldn't find any content. Can you tell how can I run it?

To: openssl-users at openssl.org
From: jb-openssl at wisemo.com
Date: Wed, 23 Dec 2015 02:58:22 +0100
Subject: Re: [openssl-users] FIPS_check_incore_fingerprint: fingerprint does not match


  

    
  
  
    On 23/12/2015 01:26, Marcos Bontempo
      wrote:

    
    
      
      Hello,
        

        
        I'm getting this error when call the function
          FIPS_mode_set(1):
        

        
        error:2D06B06F:FIPS
          routines:FIPS_check_incore_fingerprint:fingerprint does not
          match
        

        
        Does anybody know how to correct it?
        

        
      
    
    

    You forgot to run the special "FIPS" linker script on your 

      application, which sets the value of that fingerprint based 

      on the load address and relocations of your application.

      

      Note, that this means that the design of the FIPS module 

      security policy is incompatible with ASLR on almost every 

      operating system having that feature.

      

    
    Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 
  


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users 		 	   		   		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151227/b27e9c1e/attachment.html>

More information about the openssl-users mailing list