This was tracked down to the makefile's `install` rule. The rule
builds components rather than only copying the executable and auxiliary
files.

The original `install` rule (fails the fingerprint check):

    install: all install_docs install_sw

The modified `install` rule (passes the fingerprint check):

    install: install_docs install_sw

Once the rule was changed, dynamic linking to the shared object worked
as expected:

    $ adb shell
    shell@android: $ cd /data/local/tmp
    shell@android: $ LD_LIBRARY_PATH=./; ./fips-test.exe
    .rodata start: 0x401a4820
    .rodata end: 0x401ae9e4
    .text start: 0x400911c0
    .text end: 0x400d03fc
    Embedded: e1696e03f17341b925a1933b23c3b13856610728
    Calculated: e1696e03f17341b925a1933b23c3b13856610728
    Attempting to enable FIPS mode
    FIPS mode enabled

We still need the `sudo -E` with arguments during install since the
makefile does not specify full pathnames:

    sudo -E make install \
      CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
      RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib

On Tue, Jun 25, 2013 at 8:46 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi All,
>
> When linking to the FIPS Capable shared object, the program fails its
> fingerprint check:
>
> $ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT"
> -I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe
> /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0
> $ adb push /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0 /data/local/tmp/
> 827 KB/s (2154388 bytes in 2.541s)
> $ adb push fips_hmac.exe /data/local/tmp/
> 64 KB/s (6884 bytes in 0.103s)
> $ adb shell
> shell@android: $ cd /data/local/tmp
> 255|shell@android: $ LD_LIBRARY_PATH=./; ./fips_hmac.exe -v *
> Attempting FIPS mode...
> 1076692172:error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not
> match:fips.c:232:
> 2|shell@android:/data/local/tmp $
>
> Any ideas why the signature would be in the BSS (initialized to 0):
>
>   $ arm-linux-androideabi-objdump -T libcrypto.so.1.0.0 | grep -i FIPS_signature
>   001a9668 g    DO .bss   00000014 FIPS_signature
>
> Should I be running fipsld somewhere (I thought that was done for the
> shared object during make)?
>
> Below are the steps used to build the FIPS Object Module and FIPS Capable.
>
> Jeff
>
> **** FIPS Object Module *****
>
> . ./setenv-android.sh
> cd openssl-fips-2.0.4/
> ./config
> make
> sudo make install
> sudo mv /usr/local/ssl/fips-2.0/ /usr/local/ssl/$ANDROID_API
> sudo cp $FIPS_SIG /usr/local/ssl/$ANDROID_API/bin
>
> ***** FIPS Capable *****
>
> . ./setenv-android.sh
> cd openssl-1.0.1e/
> ./config fips shared -no-sslv2 -no-sslv3 -no-comp -no-hw -no-engines
> --openssldir=/usr/local/ssl/$ANDROID_API
> --with-fipsdir=/usr/local/ssl/$ANDROID_API
> --with-fipslibdir=/usr/local/ssl/$ANDROID_API/lib/
> make depend
> make all
> sudo -E make install CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc
> RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
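
A pre-deployment check for the failure described in this thread, added here as an example (not from the original messages or the OpenSSL project): it flags an `install` rule that depends on `all` and confirms the installed shared object is byte-identical to the build output. The function names, the `demo` argument and the one-line rule layout are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSL project code. Paths and file names are placeholders.

# Print the prerequisites of the makefile's `install` rule, one per line.
# Assumes the rule is written on one line as "install: a b c", as in the thread.
install_prereqs() {
    awk '/^install:/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if `install` depends on the build target `all`, i.e. installing
# can rebuild components after the fingerprint was embedded.
install_rebuilds() {
    install_prereqs "$1" | grep -qx 'all'
}

# Succeed only if the installed library is byte-identical to the build output.
# Assumption: install is meant to be a plain copy of the shared object.
installed_is_copy() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# audit_install MAKEFILE BUILT_LIB INSTALLED_LIB -> 0 when both checks pass.
audit_install() {
    status=0
    if install_rebuilds "$1"; then
        echo "WARN: install rule depends on 'all' and may rebuild"
        status=1
    fi
    if ! installed_is_copy "$2" "$3"; then
        echo "FAIL: installed library differs from build output"
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: install only copies"; fi
    return "$status"
}

# Run as `sh audit.sh demo` for constructed sample input (not real build output).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    printf 'install: all install_docs install_sw\n' > "$d/Makefile.orig"
    printf 'install: install_docs install_sw\n' > "$d/Makefile.mod"
    printf 'constructed-lib' > "$d/built.so"; cp "$d/built.so" "$d/installed.so"
    audit_install "$d/Makefile.orig" "$d/built.so" "$d/installed.so"
    audit_install "$d/Makefile.mod" "$d/built.so" "$d/installed.so"
    rm -rf "$d"
fi
```
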
