Thanks Andy, helpful as always.
Is incore part of the validation, or is it like fipsld - allowed to be
modified as needed without invalidating FIPS certification?
Kevin
On Sat, Mar 10, 2012 at 3:44 AM, Andy Polyakov <ap...@openssl.org> wrote:
>> While investigating this I realized I did not really know when
>> FINGERPRINT_premain is supposed to be called. With my small app I see
>> it get called when I execute the app (because I stuck some debug
>> printfs in fips_premain.c). But with the main app - which is called by
>> some system startup chicanery I'm not too familiar with - it is not
>> called. So perhaps that is the issue. I'm not familiar with what the
>> fips_premain.c code seems to be doing with the function declaration,
>> using the __attribute__((constructor)), so maybe that is interfering
>> with the way the system starts up this app.
>>
>> Suggestions and enlightening explanation appreciated.
>
> As for enlightening you're on your own. I mean
> __attribute__((constructor)) means that run-time is expected to call it
> prior main(), but *why* it doesn't do that in your particular situation
> is something for you to figure out. As for suggestions extend
> util/incore to embed not only FINGERPRINT_ascii_value but even binary
> FIPS_signature. Add following two lines after last print
>
> seek(FD,$FIPS_signature->{st_offset},0) or die "$!";
> print FD $fingerprint or die "$!";
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
