Hi folks,
I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
libssl.so) into my product's build, but still get a "fingerprint does not
match" error when I call FIPS_mode_set(1). This is using a validated copy of
FIPS 2.0 source and OpenSSL 1.0.1c.

The full error is:

25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:

During the build on a build machine, I execute the following --
for fips,
./config
make
make install (with an install prefix)

for openssl,
./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix={...}
make ... -I{fips include directory} depend
make ... -I{fips include directory}
make install

Everything appears to go well. fipscanister.o is generated, openssl is able to 
find it, and libcrypto.so has similar fingerprint text as fipscanister.o after 
doing an objdump on both of them. libssl.so and libcrypto.so get linked in with 
the product source and put into an rpm. The rpm is installed and executed on a 
different machine from building that does not have openssl or fips installed.

In the initialization sequence that calls FIPS_mode_set, I'm including
openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
FIPS_mode_set is unhappy and returns the fingerprint does not match error. It
is my understanding that if I'm not statically linking openssl, I should not
need to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.

So what are the digests that actually need to be compared for fips to be 
validated in a dynamic linking such as this? Is there a step I'm missing to 
generate and/or install them?



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org