<div dir="ltr">By running the command fips_premain.dso, I found that my lib crypto.so library file does not have the following two symbols:<div><br></div><div>FINGERPRINT_ascii_value</div><div>FINGERPRINT_remain</div><div><br></div><div>Could the missing of these two symbols caused the problems of fingerprint mismatch which I ran into (during the run time)?</div><div><br></div><div>Where do these two symbols come from and what could cause them not being added to the libcrypto.so?</div><div><br></div><div><br></div><div>Thanks for any suggestions and helps.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 25, 2016 at 11:03 AM, cloud force <span dir="ltr"><<a href="mailto:cloud.force858@gmail.com" target="_blank">cloud.force858@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the information.<div><br></div><div>I checked the Makefile and build logs of both cases (i.e. built with Ubuntu packaging script and built with the standard way), and I saw the fipsld was run in both cases:</div><div><br></div><div>Makefile for both:</div><div><br></div><div><b><span>libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)</span><br><span> @if [ "$(SHLIB_TARGET)" != "" ]; then \</span><br><span> if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \</span><br><span> FIPSLD_LIBCRYPTO=libcrypto.a ; \</span><br><span> FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \</span><br><span> export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \</span><br><span> fi; \</span><br><span> $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \</span><br><span> (touch -c fips_premain_dso$(EXE_EXT) || :); \</span><br><span> echo "CC is $(CC)"; \</span><br><span> else \</span><br><span> echo "There's no support for shared libraries on this platform" >&2; \</span><br><span> exit 1; \</span><br><span> fi</span></b><br></div><div><span><br></span></div><div><span><br></span></div><div><span>Although it seemed like the </span>FIPSLD_CC wasn't set in both cases, but I did see that the fipsld eventually got executed in both cases.</div><div><br></div><div><br></div><div>I saw the following in both the build logs:</div><div><br></div><div><br><b><span>if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \</span><br><span> (cd ..; make libcrypto.so.1.0.0); \</span><br><span> fi</span><br><span>make[3]: Entering directory `/home/Development/precise/</span><span>amd64/openssl/openssl-1.0.1'</span><br><span>[ -z "libcrypto" ] || gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/</span><span>include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -Iinclude \</span><br><span> -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \</span><br><span> /usr/local/ssl/fips-2.0/lib/</span><span>fips_premain.c /usr/local/ssl/fips-2.0/lib/</span><span>fipscanister.o \</span><br><span> libcrypto.a -ldl -lz</span></b><br></div><div><br></div><div>Also if I removed the fipsld binary from the /usr/local/ssl/fips-2.0/bin/ directory, I saw the fipsld "File not found" errors in both cases, which also proved that the fipsld was ran.</div><div><br></div><div>One major differences I could see was, in Ubuntu Makefile it uses <i><b>-Wl, --version-script=openssl.ld</b></i> in the <i><b>SHARED_LDFLAGS</b></i> and all the symbols were included in the openssl.ld file. I also added all the FIPS related symbols to this file as well, otherwise they all showed up as "t" instead of "T" when running nm on the libcrypto.so</div><div><br></div><div><br></div><div>How does fipsld set the sig and FIPS_SIGNATURE and what's the right way to call it in the build script? e.g. How do I use it to set these signature in the command line?</div><div>In addition to the fipsld command, is there any other possible reasons which would cause the signature not set correctly?</div><div><br></div><div>Thanks and I truly appreciate the helps and suggestions.</div><div><br></div><div><span><br></span></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson <span dir="ltr"><<a href="mailto:steve@openssl.org" target="_blank">steve@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Wed, Feb 24, 2016, cloud force wrote:<br>
<br>
> Actually it looks like when I ran the tests using the OpenSSL FIPS library<br>
> which I built using Ubuntu build script, the content of FIPS_SIGNATURE<br>
> seemed to be empty.<br>
><br>
> Can anyone tell me how was the value of sig and FIPS_SIGNATURE (near fips.c<br>
> line 222) was computed and assigned?<br>
><br>
<br>
</span>They are set using the fipsld linker script. If you have changed the build<br>
process so fipsld is no longer called that will cause the signature test to<br>
fail.<br>
<div><div><br>
Steve.<br>
--<br>
Dr Stephen N. Henson. OpenSSL project core developer.<br>
Commercial tech support now available see: <a href="http://www.openssl.org" rel="noreferrer" target="_blank">http://www.openssl.org</a><br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr">Thanks,<div>Rich</div><div><br></div></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Thanks,<div>Rich</div><div><br></div></div></div>
</div>