Hi folks,
I have a FIPS capable OpenSSL library, where libcrypto.so and libssl.so get
linked into my product during build. I'm using FIPS 2.0 and OpenSSL 1.0.1c.
To the best of my knowledge, on the build machine I can do the following:
for fips, I call
./config
make
make install
where I give install an install prefix
for openssl, I call
./config fips -d shared --with-fipsdir={install_prefix}/usr/local/ssl/fips-2.0 --prefix={blah}
This all works fine. fipscanister.o comes out, I point openssl to it, and
openssl makes some libraries. Doing an objdump on libcrypto.so reveals similar
fingerprint text as found in an objdump on fipscanister.o.
My total build generates an rpm of my source with the linked ssl libraries,
which I install on a different machine that does not have openssl or fips
installed.
Unfortunately, FIPS_mode_set(1) still fails for me with the following:
error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:
It is my understanding that fipscanister.o gets generated with its SHA1 value
already embedded in it, and FIPS_mode_set generates its own fingerprint at
runtime to compare to the embedded value. In this manner, fipscanister.o should
be totally modular.
I am not statically linking and should not need to use fipsld. I also do not
use fips_standalone_sha1 at any point.
Am I missing a step somewhere that is critical to getting FIPS initialized at
runtime?
Thanks,
Cassie
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
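The integrity check described in the post above, as an added illustrative model (not code from OpenSSL or the FIPS module): a "module" image carries a keyed digest over its covered text and rodata, the runtime check recomputes that digest and compares it to the embedded copy, and any post-build step that changes bytes inside the covered region without refreshing the embedded value produces exactly the "fingerprint does not match" condition. The HMAC key, the byte layout and the function names are all assumptions made for this toy; the real module's key, section layout and fipsld/fips_standalone_sha1 tooling are not reproduced here.

```python
import hashlib
import hmac

# Constructed key for this toy model; an assumption, not the real module's value.
FINGERPRINT_KEY = b"example-integrity-key"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def build_module(text: bytes, rodata: bytes) -> bytes:
    """Assemble a toy module image: covered text + rodata, then the embedded
    fingerprint computed over exactly those covered bytes (what a final link
    step such as fipsld is responsible for in the real scheme)."""
    covered = text + rodata
    fingerprint = hmac.new(FINGERPRINT_KEY, covered, hashlib.sha1).digest()
    return covered + fingerprint


def embedded_fingerprint(module: bytes) -> bytes:
    """The value stored in the image at build time."""
    return module[-DIGEST_LEN:]


def runtime_fingerprint(module: bytes) -> bytes:
    """The value recomputed over the covered region as it sits in memory."""
    covered = module[:-DIGEST_LEN]
    return hmac.new(FINGERPRINT_KEY, covered, hashlib.sha1).digest()


def fips_mode_set(module: bytes) -> bool:
    """Model of the check performed when entering FIPS mode: recompute the
    fingerprint and compare it, in constant time, with the embedded one."""
    return hmac.compare_digest(runtime_fingerprint(module),
                               embedded_fingerprint(module))


def patch_covered_bytes(module: bytes, offset: int, patch: bytes) -> bytes:
    """Simulate a post-build step (relocation, stripping, prelinking, or a
    relink that moves the object) altering bytes inside the covered region
    while leaving the embedded fingerprint untouched."""
    covered = bytearray(module[:-DIGEST_LEN])
    covered[offset:offset + len(patch)] = patch
    return bytes(covered) + embedded_fingerprint(module)


def refresh_fingerprint(module: bytes) -> bytes:
    """Recompute and re-embed the fingerprint over the final covered bytes,
    which is the step a correct final link must perform."""
    covered = module[:-DIGEST_LEN]
    return covered + hmac.new(FINGERPRINT_KEY, covered, hashlib.sha1).digest()


def diagnose(module: bytes) -> str:
    """Human-readable comparison of the two values, for troubleshooting."""
    return (f"embedded={embedded_fingerprint(module).hex()} "
            f"runtime={runtime_fingerprint(module).hex()} "
            f"match={fips_mode_set(module)}")


# Constructed sample "text" and "rodata" sections for the toy image.
SAMPLE_TEXT = b"\x55\x48\x89\xe5\xc3"  # arbitrary constructed bytes
SAMPLE_RODATA = b"constructed-rodata-constants"
SAMPLE_MODULE = build_module(SAMPLE_TEXT, SAMPLE_RODATA)

if __name__ == "__main__":
    print("intact:   ", diagnose(SAMPLE_MODULE))
    broken = patch_covered_bytes(SAMPLE_MODULE, 0, b"\x90\x90")
    print("patched:  ", diagnose(broken))
    print("refreshed:", diagnose(refresh_fingerprint(broken)))
```

The point the model makes for troubleshooting: the runtime check is only as good as the agreement between the bytes the fingerprint was computed over and the bytes actually mapped at runtime, so the thing to compare on the failing machine is the covered region of the installed libcrypto.so against the one the build produced, rather than fipscanister.o on its own.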