This explains it -- thank you -- I was using a static library -- so I would need to use fipsld, if I continue to use static.
However, knowing this, I wanted to try with shared OpenSSL library instead, but my build fails on "multiple definition" errors. The only difference I made, was to add "shared" to the config line, when building openssl-1.0.1c: ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ shared make depend make make install Build log snippet: ============= if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \ (cd ..; make libcrypto.so.1.0.0); \ fi [ -z "libcrypto" ] || arm-linux-androideabi-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -march=armv7-a -mandroid -I/Users/richard/android-ndk-r8/platforms/android-14/arch-arm/usr/include -B/Users/richard/android-ndk-r8/platforms/android-14/arch-arm/usr/lib -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -Iinclude \ -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \ /usr/local/ssl/fips-2.0/lib/fips_premain.c /usr/local/ssl/fips-2.0/lib/fipscanister.o \ libcrypto.a -ldl ar: fipscanister.o: not found in archive libcrypto.a(fipscanister.o): In function `fips_ec_gfp_simple_set_jprojective_coordinates_gfp': fips_canister.c:(.text+0x1b9ec): multiple definition of `fips_ec_gfp_simple_set_jprojective_coordinates_gfp' /usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x1b9ec): first defined here libcrypto.a(fipscanister.o): In function `fips_ec_point_set_affine_coordinates_gf2m': fips_canister.c:(.text+0x16448): multiple definition of `fips_ec_point_set_affine_coordinates_gf2m' /usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x16448): first defined here libcrypto.a(fipscanister.o): In function `FIPS_drbg_get_app_data': fips_canister.c:(.text+0x37f34): multiple definition of `FIPS_drbg_get_app_data' /usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x37f34): first defined here libcrypto.a(fipscanister.o): In function `fips_rsa_padding_add_none': fips_canister.c:(.text+0x283f8): multiple definition of `fips_rsa_padding_add_none' /usr/local/ssl/fips-2.0/lib//fipscanister.o:fips_canister.c:(.text+0x283f8): first defined here Any ideas? Thanks, AJ ----- Original Message ----- From: Dr. Stephen Henson <st...@openssl.org> To: openssl-users@openssl.org Cc: Sent: Wednesday, July 18, 2012 4:15 PM Subject: Re: FIPS: Incore fingerprint check fails on Android? On Wed, Jul 18, 2012, AJ wrote: > Its my application producing the error. > > I've been reading more... perhaps I need to get Android build to link via > fipsld to get the valid fingerprint? > > Does this sound right? Any tips? > How are you linking your application? If it is to the OpenSSL shared libraries then no further steps are needed as the fingerprint is embedded in the shared library. You should NOT use the fipsld utility to link. If you are linking against static libraries then you do need to make use of the fipsld utility. Check the OpenSSL utility can enter FIPS mode by doing something like this: OPENSSL_FIPS=1 openssl version -a OPENSSL_FIPS=1 openssl md5 somefile OPENSSL_FIPS=1 openssl sha1 somefile The md5 command should fail with an error message indicating that algorithm isn't allowed in FIPS mode. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
