On Sat, Oct 16, 2010, Grant Averett wrote: > > Hello, I've successfully built the validated FIPS object module and OpenSSL > 0.9.8o on Windows with Visual Studio 2008 many times (both an x86 and x64 > version) without issue and I can successfully build both with Visual Studio > 2010. However, the FIPS module built with Visual Studio 2010 fails the FIPS > test suite (out32dll\fips_test_suite.exe) and if I use the generated object > module to build FIPS validated OpenSSL DLLs, those DLLs also fail the self > test and can't be used to enable FIPS mode (OpenSSL reports "the fingerprint > does not match"). > > > "out32dll\fips_test_suite.exe" reports the following output when run right > after "ms\do_fips.bat": 1. Non-Approved cryptographic operation test... > a. Included algorithm (D-H)...successful2. Automatic power-up self > test...ERROR:2d06906e:lib=45,func=105,reason=110:file=.\fips\fips.c:line=238:FAILED! > > > The only difference between a working FIPS build and the failed build is the > Visual Studio environment. The working version is built using Visual Studio > 2008 SP1 and the failed with 2010 (both using the Professional edition and > both on Windows 7). I've done a little investigation and it appears the > 2010 version of libeay32.dll is being relocated from the correct preferred > base address of 0xFB00000 to a different address. I have no idea why this is > happening and nothing I do seems to prevent the relocation. I made sure to > turn off image randomization and even tried changing the base address of the > DLL during building using the command line option but it still gets > relocated when I try to use it. If I use the Visual Studio 2008-generated > DLLs in place of the 2010 DLLs then they work fine and are not relocated. > It is very strange. However, since the FIPS module itself fails the FIP > self-test I'm not sure this is significant. If I use a static library > instead of the shared library OpenSSL DLL build the results are still the > same when I try to enable FIPS mode... "the fingerprint does not match". > I'm getting the "FIPS_R_FINGERPRINT_DOES_NOT_MATCH" error and not the > "FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED" error so I have a > feeling fixing the canister problem will fix the relocation issue with the > DLL. > > I've tried everything I can think of and I'm running out of ideas. Does > anyone have any suggestions on what could be the problem? Has anyone > successfully built and tested the FIPS canister with Visual Studio 2010? >
I don't have access to Visual Studio 2010 so I can't reproduce this, I'm wondering if some new feature in Windows 7 which VS 2010 makes use of is interfering with the fingerprinting process. What happens if you specify /FIXED when you build the DLL? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org