[openssl-users] Helps needed regarding the error "fingerprint does not match:fips.c:232:"

cloud force cloud.force858 at gmail.com
Thu Feb 25 19:03:42 UTC 2016

Thanks for the information.

I checked the Makefile and build logs of both cases (i.e. built with Ubuntu
packaging script and built with the standard way), and I saw the fipsld was
run in both cases:

Makefile for both:

*libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)    @if [
"$(SHLIB_TARGET)" != "" ]; then \        if [ "$(FIPSCANLIB)" = "libcrypto"
]; then \            FIPSLD_LIBCRYPTO=libcrypto.a ; \
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \            export CC
FIPSLD_CC FIPSLD_LIBCRYPTO; \        fi; \        $(MAKE) -e
SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \        (touch -c
fips_premain_dso$(EXE_EXT) || :); \        echo "CC is $(CC)"; \    else
\        echo "There's no support for shared libraries on this platform"
>&2; \        exit 1; \    fi*

Although it seemed like the FIPSLD_CC wasn't set in both cases, but I did
see that the fipsld eventually got executed in both cases.

I saw the following in both the build logs:

*if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \        (cd ..; make
libcrypto.so.1.0.0); \    fimake[3]: Entering directory
`/home/Development/precise/amd64/openssl/openssl-1.0.1'[ -z "libcrypto" ]
-Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2
-Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT  -DOPENSSL_IA32_SSE2
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-Iinclude \        -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso
\        /usr/local/ssl/fips-2.0/lib/fips_premain.c
/usr/local/ssl/fips-2.0/lib/fipscanister.o \        libcrypto.a -ldl -lz*

Also if I removed the fipsld binary from the /usr/local/ssl/fips-2.0/bin/
directory, I saw the fipsld "File not found" errors in both cases, which
also proved that the fipsld was ran.

One major differences I could see was, in Ubuntu Makefile it uses *-Wl,
--version-script=openssl.ld* in the *SHARED_LDFLAGS* and all the symbols
were included in the openssl.ld file. I also added all the FIPS related
symbols to this file as well, otherwise they all showed up as "t" instead
of "T" when running nm on the libcrypto.so

How does fipsld set the sig and FIPS_SIGNATURE and what's the right way to
call it in the build script? e.g. How do I use it to set these signature in
the command line?
In addition to the fipsld command, is there any other possible reasons
which would cause the signature not set correctly?

Thanks and I truly appreciate the helps and suggestions.

On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson <steve at openssl.org>

> On Wed, Feb 24, 2016, cloud force wrote:
> > Actually it looks like when I ran the tests using the OpenSSL FIPS
> library
> > which I built using Ubuntu build script, the content of FIPS_SIGNATURE
> > seemed to be empty.
> >
> > Can anyone tell me how was the value of sig and FIPS_SIGNATURE (near
> fips.c
> > line 222) was computed and assigned?
> >
> They are set using the fipsld linker script. If you have changed the build
> process so fipsld is no longer called that will cause the signature test to
> fail.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160225/6aa40fa8/attachment-0001.html>

More information about the openssl-users mailing list