<div dir="ltr">Thanks for the information.<div><br></div><div>I checked the Makefile and build logs of both cases (i.e. built with Ubuntu packaging script and built with the standard way), and I saw the fipsld was run in both cases:</div><div><br></div><div>Makefile for both:</div><div><br></div><div><b><span style="">libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)</span><br style=""><span style=""> @if [ "$(SHLIB_TARGET)" != "" ]; then \</span><br style=""><span style=""> if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \</span><br style=""><span style=""> FIPSLD_LIBCRYPTO=libcrypto.a ; \</span><br style=""><span style=""> FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \</span><br style=""><span style=""> export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \</span><br style=""><span style=""> fi; \</span><br style=""><span style=""> $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \</span><br style=""><span style=""> (touch -c fips_premain_dso$(EXE_EXT) || :); \</span><br style=""><span style=""> echo "CC is $(CC)"; \</span><br style=""><span style=""> else \</span><br style=""><span style=""> echo "There's no support for shared libraries on this platform" >&2; \</span><br style=""><span style=""> exit 1; \</span><br style=""><span style=""> fi</span></b><br></div><div><span style=""><br></span></div><div><span style=""><br></span></div><div><span style="">Although it seemed like the </span>FIPSLD_CC wasn't set in both cases, but I did see that the fipsld eventually got executed in both cases.</div><div><br></div><div><br></div><div>I saw the following in both the build logs:</div><div><br></div><div><br style=""><b><span style="">if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \</span><br style=""><span style=""> (cd ..; make libcrypto.so.1.0.0); \</span><br style=""><span style=""> fi</span><br style=""><span style="">make[3]: Entering directory `/home/Development/precise/</span><span style="">amd64/openssl/openssl-1.0.1'</span><br style=""><span style="">[ -z "libcrypto" ] || gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/</span><span style="">include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -Iinclude \</span><br style=""><span style=""> -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \</span><br style=""><span style=""> /usr/local/ssl/fips-2.0/lib/</span><span style="">fips_premain.c /usr/local/ssl/fips-2.0/lib/</span><span style="">fipscanister.o \</span><br style=""><span style=""> libcrypto.a -ldl -lz</span></b><br style=""></div><div><br></div><div>Also if I removed the fipsld binary from the /usr/local/ssl/fips-2.0/bin/ directory, I saw the fipsld "File not found" errors in both cases, which also proved that the fipsld was ran.</div><div><br></div><div>One major differences I could see was, in Ubuntu Makefile it uses <i><b>-Wl, --version-script=openssl.ld</b></i> in the <i><b>SHARED_LDFLAGS</b></i> and all the symbols were included in the openssl.ld file. I also added all the FIPS related symbols to this file as well, otherwise they all showed up as "t" instead of "T" when running nm on the libcrypto.so</div><div><br></div><div><br></div><div>How does fipsld set the sig and FIPS_SIGNATURE and what's the right way to call it in the build script? e.g. How do I use it to set these signature in the command line?</div><div>In addition to the fipsld command, is there any other possible reasons which would cause the signature not set correctly?</div><div><br></div><div>Thanks and I truly appreciate the helps and suggestions.</div><div><br></div><div><span style=""><br></span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson <span dir="ltr"><<a href="mailto:steve@openssl.org" target="_blank">steve@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Feb 24, 2016, cloud force wrote:<br>
<br>
> Actually it looks like when I ran the tests using the OpenSSL FIPS library<br>
> which I built using Ubuntu build script, the content of FIPS_SIGNATURE<br>
> seemed to be empty.<br>
><br>
> Can anyone tell me how was the value of sig and FIPS_SIGNATURE (near fips.c<br>
> line 222) was computed and assigned?<br>
><br>
<br>
</span>They are set using the fipsld linker script. If you have changed the build<br>
process so fipsld is no longer called that will cause the signature test to<br>
fail.<br>
<div class="HOEnZb"><div class="h5"><br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" rel="noreferrer" target="_blank">http://www.openssl.org</a><br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Thanks,<div>Rich</div><div><br></div></div></div>
</div>