On Wed, Jul 25, 2012, Cassie Helms wrote:

> Hi folks,
> I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
> libssl.so) into my product's build, but still get a "fingerprint does not
> match" error when I call FIPS_mode_set(1). This is using a validated copy of
> FIPS 2.0 source and OpenSSL 1.0.1c.
> 
> The full error is:
> 
> 25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:
> 
> During the build on a build machine, I execute the following --
> for fips,
> ./config
> make
> make install (with an install prefix)
> 
> for openssl,
> ./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix={...}
> make ... -I{fips include directory} depend
> make ... -I{fips include directory}
> make install
> 
> Everything appears to go well. fipscanister.o is generated, openssl is able
> to find it, and libcrypto.so has similar fingerprint text as fipscanister.o
> after doing an objdump on both of them. libssl.so and libcrypto.so get linked
> in with the product source and put into an rpm. The rpm is installed and
> executed on a different machine from building that does not have openssl or
> fips installed.
> 
> In the initialization sequence that calls FIPS_mode_set, I'm including
> openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
> FIPS_mode_set is unhappy and returns the fingerprint does not match error. It
> is my understanding that if I'm not statically linking openssl, I should not
> need to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.
> 
> So what are the digests that actually need to be compared for fips to be 
> validated in a dynamic linking such as this? Is there a step I'm missing to 
> generate and/or install them?
> 

What platform is the target system?

After you build the validated module do this:

make build_algvs

This should build an fips_algvs binary in the test directory. Copy that to
the target system and run:

./fips_algvs fips_test_suite post

Then post the results.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
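
Added example, not part of the original thread or of OpenSSL's code: a small parser for the error line quoted above, useful when triaging application logs for FIPS self-test failures. It assumes the OpenSSL 1.0.x packed error code layout (8-bit library, 12-bit function, 12-bit reason); the two constants are read off the error line in the thread, and all function and class names are hypothetical.

```python
import re
from typing import Iterable, NamedTuple, Optional

# Constructed input: the error from the thread, still mail-quoted and wrapped.
WRAPPED = [
    "> 25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not ",
    "> match:fips.c:489:",
]
# Field values read off that same line (assumption: stable for this 1.0.x build).
LIB_FIPS = 0x2D             # printed as "FIPS routines"
REASON_FINGERPRINT = 0x06E  # printed as "fingerprint does not match"

class ErrEntry(NamedTuple):
    ident: int       # leading numeric id printed before "error"
    lib: int         # bits 24-31 of the packed code
    func: int        # bits 12-23
    reason: int      # bits 0-11
    lib_name: str
    func_name: str
    reason_text: str
    file: str
    line: int

_ERR = re.compile(
    r"(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:\s]+):(\d+):")

def unquote(lines: Iterable[str]) -> str:
    """Strip '>' quote markers and rejoin a line the mailer wrapped at a space."""
    return " ".join(re.sub(r"^\s*>\s?", "", l).strip() for l in lines if l.strip())

def parse(text: str) -> Optional[ErrEntry]:
    """Return the first OpenSSL error entry found in text, or None."""
    m = _ERR.search(text)
    if m is None:
        return None
    code = int(m.group(2), 16)
    return ErrEntry(int(m.group(1)), (code >> 24) & 0xFF, (code >> 12) & 0xFFF,
                    code & 0xFFF, m.group(3), m.group(4), m.group(5),
                    m.group(6), int(m.group(7)))

def is_fingerprint_failure(e: ErrEntry) -> bool:
    """Match on numeric fields so truncated or rewrapped text cannot hide it."""
    return e.lib == LIB_FIPS and e.reason == REASON_FINGERPRINT

if __name__ == "__main__":
    entry = parse(unquote(WRAPPED))
    print(entry, is_fingerprint_failure(entry))
```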
