Thanks Andy, helpful as always. Is incore part of the validation, or is it like fipsld - allowed to be modified as needed without invalidating FIPS certification?
Kevin On Sat, Mar 10, 2012 at 3:44 AM, Andy Polyakov <ap...@openssl.org> wrote: >> While investigating this I realized I did not really know when >> FINGERPRINT_premain is supposed to be called. With my small app I see >> it get called when I execute the app (because I stuck some debug >> printfs in fips_premain.c). But with the main app - which is called by >> some system startup chicanery I'm not too familiar with - it is not >> called. So perhaps that is the issue. I'm not familiar with what the >> fips_premain.c code seems to be doing with the function declaration, >> using the __attribute__((constructor)), so maybe that is interfering >> with the way the system starts up this app. >> >> Suggestions and enlightening explanation appreciated. > > As for enlightening you're on your own. I mean > __attribute__((constructor)) means that run-time is expected to call it > prior main(), but *why* it doesn't do that in your particular situation > is something for you to figure out. As for suggestions extend > util/incore to embed not only FINGERPRINT_ascii_value but even binary > FIPS_signature. Add following two lines after last print > > seek(FD,$FIPS_signature->{st_offset},0) or die "$!"; > print FD $fingerprint or die "$!"; > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org