[openssl-users] FIPS & FIPS_SIgnature
Jason Talley
jbtalley98 at gmail.com
Fri Jun 3 20:30:46 UTC 2016
Hello all,

I have successfully compiled/linked w/ fipsld and FIPS_mode_set(1) returns
true.

I'm trying to understand what the FIPS_signature variable represents. Can
it be used to verify/match against the FIPS library somehow? Is it
supposed to match the sha/mac from the fips build? Or should this value
simply be unique per release - especially in a static build. (So, if I
were to dynamically link, this would stay the same, and in theory, if
someone tried to preload a different library, then the fingerprints would
likely mismatch and result in a failure to enable).

If I dump out the value to truly convince myself that FIPS is enabled, I
see:

FIPS version part of OpenSSL 1.0.2h-fips 3 May 2016.
Signature: dd:4a:38:e6:5d:db:d3:80:c2:aa:8d:20:c2:01:31:26:83:44:fd:1e:

If I run OPENSSL_FIPS=1 openssl md5 - then I also get denied b/c FIPS mode
is enabled.