[openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"
cloud force
cloud.force858 at gmail.com
Thu Feb 25 23:27:51 UTC 2016
By running the command fips_premain.dso, I found that my lib crypto.so
library file does not have the following two symbols:
FINGERPRINT_ascii_value
FINGERPRINT_remain
Could the missing of these two symbols caused the problems of fingerprint
mismatch which I ran into (during the run time)?
Where do these two symbols come from and what could cause them not being
added to the libcrypto.so?
Thanks for any suggestions and helps.
On Thu, Feb 25, 2016 at 11:03 AM, cloud force <cloud.force858 at gmail.com>
wrote:
> Thanks for the information.
>
> I checked the Makefile and build logs of both cases (i.e. built with
> Ubuntu packaging script and built with the standard way), and I saw the
> fipsld was run in both cases:
>
> Makefile for both:
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) @if [
> "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libcrypto"
> ]; then \ FIPSLD_LIBCRYPTO=libcrypto.a ; \
> FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ export CC
> FIPSLD_CC FIPSLD_LIBCRYPTO; \ fi; \ $(MAKE) -e
> SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ (touch -c
> fips_premain_dso$(EXE_EXT) || :); \ echo "CC is $(CC)"; \ else
> \ echo "There's no support for shared libraries on this platform"
> >&2; \ exit 1; \ fi*
>
>
> Although it seemed like the FIPSLD_CC wasn't set in both cases, but I did
> see that the fipsld eventually got executed in both cases.
>
>
> I saw the following in both the build logs:
>
>
>
>
>
>
>
>
>
> *if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \ (cd ..;
> make libcrypto.so.1.0.0); \ fimake[3]: Entering directory
> `/home/Development/precise/amd64/openssl/openssl-1.0.1'[ -z "libcrypto" ]
> || gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wformat
> -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2
> -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_IA32_SSE2
> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
> -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
> -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> -Iinclude \ -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso
> \ /usr/local/ssl/fips-2.0/lib/fips_premain.c
> /usr/local/ssl/fips-2.0/lib/fipscanister.o \ libcrypto.a -ldl -lz*
>
> Also if I removed the fipsld binary from the /usr/local/ssl/fips-2.0/bin/
> directory, I saw the fipsld "File not found" errors in both cases, which
> also proved that the fipsld was ran.
>
> One major differences I could see was, in Ubuntu Makefile it uses *-Wl,
> --version-script=openssl.ld* in the *SHARED_LDFLAGS* and all the symbols
> were included in the openssl.ld file. I also added all the FIPS related
> symbols to this file as well, otherwise they all showed up as "t" instead
> of "T" when running nm on the libcrypto.so
>
>
> How does fipsld set the sig and FIPS_SIGNATURE and what's the right way to
> call it in the build script? e.g. How do I use it to set these signature in
> the command line?
> In addition to the fipsld command, is there any other possible reasons
> which would cause the signature not set correctly?
>
> Thanks and I truly appreciate the helps and suggestions.
>
>
>
> On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson <steve at openssl.org>
> wrote:
>
>> On Wed, Feb 24, 2016, cloud force wrote:
>>
>> > Actually it looks like when I ran the tests using the OpenSSL FIPS
>> library
>> > which I built using Ubuntu build script, the content of FIPS_SIGNATURE
>> > seemed to be empty.
>> >
>> > Can anyone tell me how was the value of sig and FIPS_SIGNATURE (near
>> fips.c
>> > line 222) was computed and assigned?
>> >
>>
>> They are set using the fipsld linker script. If you have changed the build
>> process so fipsld is no longer called that will cause the signature test
>> to
>> fail.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>
>
>
> --
> Thanks,
> Rich
>
>
--
Thanks,
Rich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160225/ccd809fe/attachment-0001.html>
More information about the openssl-users
mailing list