I'm running on 4.0.4 and 2.3.4, with same results on both.


----- Original Message -----
From: Jeffrey Walton <noloa...@gmail.com>
To: openssl-users@openssl.org
Cc: 
Sent: Wednesday, July 18, 2012 2:27 PM
Subject: Re: FIPS: Incore fingerprint check fails on Android?

On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma <aunt.joma...@yahoo.com> wrote:
> Sorry if this is duplicate, but I had an issue with the mailer, and not sure 
> if this went...
>
> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using 
> ndk-r8.
> I am doing cross-compile on Mac OSX.
>
> However, I cannot pass FIPS_mode_set(1).
> I get the following error: "FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>
> I am using the incore script provided from openssl-fips-2.0/util/incore.
>
> My setup is as follows:
>
>     # Edit this to wherever you unpacked the NDK
>     export ANDROID_NDK=/home/android-ndk-r8
>
>     # Edit to wherever you put incore script
>     export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>
>     PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
>     export MACHINE=armv7l
>     export RELEASE=2.6.32.GMU
>     export SYSTEM=android
>     export ARCH=arm
>     export CROSS_COMPILE="arm-linux-androideabi-"
>     export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
>     export HOSTCC=gcc
>
> Any ideas why I cannot pass incore fingerprint validation?  Do I need 
> anything special wrt incore on cross-compile?
>
What Android OS is being used on the device?

Android 4.1 recently achieved full ASLR. ASLR might be the problem
since randomizing shared objects and program load addresses is
diametrically opposed to the FIPS check.

A thread on recent platform security changes can be found at
http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.

Jeff
______________________________________________________________________
OpenSSL Project                                http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                          majord...@openssl.org
