This was tracked down to the makefile's `install` rule. The rule builds components rather than only copying the executable and axillary files.
The original `install` rule (fails the fingerprint check): install: all install_docs install_sw The modified `install` rule (passes the fingerprint check): install: install_docs install_sw Once the rule was changed, dynamic linking to the shared object worked as expected: $ adb shell shell@android: $ cd /data/local/tmp shell@android: $ LD_LIBRARY_PATH=./; ./fips-test.exe .rodata start: 0x401a4820 .rodata end: 0x401ae9e4 .text start: 0x400911c0 .text end: 0x400d03fc Embedded: e1696e03f17341b925a1933b23c3b13856610728 Calculated: e1696e03f17341b925a1933b23c3b13856610728 Attempting to enable FIPS mode FIPS mode enabled We still need the `sudo -E` with arguments during install since the makefile does not specify full pathnames: sudo -E make install \ CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \ RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib \ On Tue, Jun 25, 2013 at 8:46 PM, Jeffrey Walton <noloa...@gmail.com> wrote: > Hi All, > > When linking to the FIPS Capable shared object, the program fails its > fingerprint check: > > $ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT" > -I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe > /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0 > $ adb push /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0 /data/local/tmp/ > 827 KB/s (2154388 bytes in 2.541s) > $ adb push fips_hmac.exe /data/local/tmp/ > 64 KB/s (6884 bytes in 0.103s) > $ adb shell > shell@android: $ cd /data/local/tmp > 255|shell@android: $ LD_LIBRARY_PATH=./; ./fips_hmac.exe -v * > Attempting FIPS mode... > 1076692172:error:2D06B06F:FIPS > routines:FIPS_check_incore_fingerprint:fingerprint does not > match:fips.c:232: > 2|shell@android:/data/local/tmp $ > > Any ideas why the signature would be in the BSS (initialized to 0): > > $ arm-linux-androideabi-objdump -T libcrypto.so.1.0.0 | grep -i > FIPS_signature > 001a9668 g DO .bss 00000014 FIPS_signature > > Should I be running fipsld somewhere (I thought that was done for the > shared object during make). > > Below are the steps used to build the FIPS Object Module and FIPS Capable. > > Jeff > > **** FIPS Object Module ***** > > . ./setenv-android.sh > cd openssl-fips-2.0.4/ > ./config > make > sudo make install > sudo mv /usr/local/ssl/fips-2.0/ /usr/local/ssl/$ANDROID_API > sudo cp $FIPS_SIG /usr/local/ssl/$ANDROID_API/bin > > ***** FIPS Capable ***** > > . ./setenv-android.sh > cd openssl-1.0.1e/ > ./config fips shared -no-sslv2 -no-sslv3 -no-comp -no-hw -no-engines > --openssldir=/usr/local/ssl/$ANDROID_API > --with-fipsdir=/usr/local/ssl/$ANDROID_API > --with-fipslibdir=/usr/local/ssl/$ANDROID_API/lib/ > make depend > make all > sudo -E make install CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc > RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org