I'm working with the Debian/Ubuntu openssl package for Ubuntu 13.10, Saucy, version 1.0.1e. I'm trying to adapt the Debian package-build to produce a FIPS-linked openssl.
I've followed the procedure to download, build and install the FIPS canister v2.0.1, which was successful:

    $ ../../openssl-fips-2.0.1/test/fips_algvs fips_test_suite post
    FIPS-mode test application
    FIPS 2.0.1 validated test module 12 Jun 2012
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    POST started
    Integrity test started
    Integrity test OK
    ...
    POST Success
    Power-up self test successful

However, whilst building the shared-library version of openssl-1.0.1e (using a modified Debian package) the tests fail with:

    ...
    ./Configure shared --prefix=/usr/local --openssldir=/usr/local/lib/ssl --libdir=lib/x86_64-linux-gnu fips enable-ec_nistp_64_gcc_128 enable-ec_nistp_64_gcc_128 debian-amd64
    ...
    test SSL protocol
    test ssl3 is forbidden in FIPS mode
    46912496303808:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
    test ssl2 is forbidden in FIPS mode
    46912496303808:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
    test tls1
    46912496303808:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
    make[2]: *** [test_ssl] Error 1
    make[2]: Leaving directory `/home/all/SourceCode/openssl/openssl-1.0.1e.tj/test'
    make[1]: *** [tests] Error 2
    make[1]: Leaving directory `/home/all/SourceCode/openssl/openssl-1.0.1e.tj'
    make: *** [build-stamp] Error 2

The Debian build script first builds the static library followed by the shared library. It runs the tests after each variant is built. The tests succeed for the static library:

    ...
    ./Configure no-shared --prefix=/usr/local --openssldir=/usr/local/lib/ssl --libdir=lib/x86_64-linux-gnu fips enable-ec_nistp_64_gcc_128 enable-ec_nistp_64_gcc_128 debian-amd64
    ...
    test SSL protocol
    test ssl3 is forbidden in FIPS mode
    *** IN FIPS MODE ***
    Available compression methods:
      NONE
    46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1692:
    46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1692:
    test ssl2 is forbidden in FIPS mode
    *** IN FIPS MODE ***
    Available compression methods:
      NONE
    46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1692:
    46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1692:
    test tls1
    *** IN FIPS MODE ***

I've checked that the shared-library build test is linking against the correct libcrypto.so:

    $ ldd ../apps/openssl
        linux-vdso.so.1 =>  (0x00007fffb61fe000)
        libssl.so.1.0.0 => /home/all/SourceCode/openssl/openssl-1.0.1e.tj/test/../libssl.so.1.0.0 (0x00007f2376c5b000)
        libcrypto.so.1.0.0 => /home/all/SourceCode/openssl/openssl-1.0.1e.tj/test/../libcrypto.so.1.0.0 (0x00007f2376810000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2376442000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f237623e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2376ec2000)

And that libcrypto contains the FIPS symbols:

    $ objdump -t ../libcrypto.so.1.0.0 | grep -i fips | wc -l
    812

From reading the source-code of 'openssl-fips/fips/fips.c' it seems that the fingerprint is created based upon the position and address of the fips object-code in the library, but I can't be sure.

I'm suspecting that the libcrypto.so build has munged the fingerprint-sensitive layout of the fips symbols and thus caused the failed check, but I need to know precisely what the fingerprint is generated against in the object file in order to figure out what might have caused the problem. It could be a binutils/compiler/linker issue or it could be something the Debian build scripts have done.

Can someone explain what the fingerprint is created against?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org