On 12/27/2013 05:37 PM, Ursa Major wrote:
>
> Hi,
>
> I am new to openssl, and am very keen to learn how the integrity
> checking is performed.
> In my understanding, the incore computes the integrity of the codes
> and placed them in an .hmac file (I am not sure if my understanding
> is correct). How is the text segment and data segment being loaded
> for the integrity test (they should be the exact copy of the
> 'executables', but won't that be a circular proving as it embeds
> itself within itself)? What are the contents of the segments? What
> is the mechanism of the working?

IMHO this question would be more appropriate for the openssl-users list.

I presume you're asking about the OpenSSL FIPS Object Module integrity test, which is part of the mandated POST (Power On Self Test) process. The implementation of that integrity test is documented at a conceptual level in the FIPS module User Guide:

http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Simply put, at build time an HMAC-SHA1 digest is calculated over the TEXT and RODATA segments of object code, and stored in the FIPS module. One or both of two different techniques can be used for determining that digest. Typically the "premain" intermediate executable is used for native compilation and an "incore" utility for cross-compilation.

At runtime the stored digest is calculated over the TEXT and RODATA segments of live memory and compared with the previously stored value.

That mechanism is of course also fully exposed in the source code:

http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz

In particular look at fips.c, fips_premain.c, fipsld, and incore (for ELF).

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
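
The build-time and runtime steps described in the reply above, as an added Python sketch that is not part of the original thread and is not OpenSSL's code. The key, the segment contents and the placement of the stored digest in a separate data segment are assumptions of this model, chosen to show why measuring only TEXT and RODATA avoids the circularity raised in the question.

```python
import hashlib
import hmac

# Constructed key for this sketch; not the key used by the real module.
HMAC_KEY = b"constructed-demo-key"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def make_image():
    """Constructed stand-in for a module image with three segments."""
    return {
        "text": bytearray(b"\x55\x48\x89\xe5\xc3" * 8),  # fake code bytes
        "rodata": bytearray(b"constant tables"),        # fake read-only data
        # Assumption: the digest slot sits at the start of DATA,
        # which is outside the measured range.
        "data": bytearray(DIGEST_LEN + 16),
    }


def fingerprint(image):
    """HMAC-SHA1 over the TEXT and RODATA segments only."""
    mac = hmac.new(HMAC_KEY, digestmod=hashlib.sha1)
    for name in ("text", "rodata"):
        mac.update(bytes(image[name]))
    return mac.digest()


def build_time_embed(image):
    """Build step: compute the digest and store it in the slot.

    Writing the slot does not alter TEXT or RODATA, so the stored
    value stays valid after it has been embedded.
    """
    image["data"][:DIGEST_LEN] = fingerprint(image)
    return image


def power_on_self_test(image):
    """Runtime step: recompute over the loaded segments and compare."""
    stored = bytes(image["data"][:DIGEST_LEN])
    return hmac.compare_digest(stored, fingerprint(image))


if __name__ == "__main__":
    img = build_time_embed(make_image())
    print("untampered:", power_on_self_test(img))
    img["text"][0] ^= 0x01  # single bit flipped in the code segment
    print("text modified:", power_on_self_test(img))
```
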