Synopsis:
--------

Linking and execution problems with a FIPS-capable OpenSSL distribution.

System:
------

openSUSE 11.0 (i586)
Linux version 2.6.25.20-0.4-pae
gcc (SUSE Linux) 4.3.1
OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
  Includes are in /usr/include/openssl
  Libs are in /usr/lib

Fips/OpenSSL Versions:
---------------------

openssl-fips-1.2.tar.gz
openssl-0.9.8l.tar.gz

Goal of this post:
-----------------

1. Additional clarification on the linking process as described in the User 
Guide and comment as to whether my workarounds are correct and in accordance 
with the Security Policy.

2. Help on overcoming the "fingerprint does not match" runtime error.

Description:
-----------

I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times and 
have also scoured the newsgroups searching for a solution to my problem.  

I am trying to link fipscanister.o and libssl into a shared library, 
specifically, the ACE_SSL library that is part of the latest ACE distribution 
from the ACE/TAO group.  The User Guide is somewhat vague on whether this can 
be done.  From my understanding, linking fipscanister.o and libssl into a 
shared library is possible since my shared library is considered an application 
as defined in the User Guide.  

So here is what I am doing...

Per the User Guide, I do the usual after successfully performing the two 
verification steps:

openssl-fips-1.2 # ./config fipscanisterbuild
make
make install

openssl-0.9.8l # ./config fips
make
make install

As a non-su user, I modify the environment per the User Guide as follows:

export FIPSLD_CC=gcc
export CC=/usr/local/ssl/fips/bin/fipsld
export CXX=/usr/local/ssl/fips/bin/fipsld

I also copied the openssl include directory from 
/usr/local/ssl/fips/include/openssl to /usr/local/include which will be found 
by gcc.  If I did not do this, gcc would find my existing openssl headers 
located at /usr/include/openssl.

Finally, I modify my LD_LIBRARY_PATH environment variable to include 
/usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find the 
Fips-capable OpenSSL library.

When I execute the ACE_SSL shared library make, I get the following output and 
error:

/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden 
-W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
/usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS 
-D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
/usr/local/ssl/fips/bin/fipsld: line 94: 
/usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
1d0
< HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
/usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch


The fips_standalone_sha1 program is located in:

/usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
/usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
  
So, I modified the environment as follows to have access to 
fips_standalone_sha1:

export FIPSLD_CC=gcc
export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld

This succeeds in linking the shared library; however, it seems like the 
fips_standalone_sha1 and other dependent files should have been copied to 
/usr/local/ssl/fips/fips as the headers, modules, and libraries were.  It seems 
that the User Guide could add some explanation on the various duplicate file 
copies.

Anyway, I then compile and link my application to the shared library created 
above using gcc/ld instead of fipsld.  I also tried compiling and linking my 
application with fipsld but it did not make a difference.

When my application runs and calls FIPS_mode_set, I get an error of 
"fingerprint does not match."

Relevant Environment When Building/Linking the ACE_SSL Shared Library
with fipscanister.o and libssl:
---------------------------------------------------------------------

LD_LIBRARY_PATH =
:/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
/server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
FIPSLD_CC=gcc
CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld

Relevant Environment When Building/Linking my Application to the
ACE_SSL dynamic library:
---------------------------------------------------------------------

LD_LIBRARY_PATH =
:/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
/server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

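Added example, not part of the post above and not OpenSSL's own code: a small Python re-implementation of the fingerprint check that fipsld performs on fips_premain.c. In the FIPS Object Module 1.2, fips_standalone_sha1 computes an HMAC-SHA1 over the file with a fixed key compiled into the tool, prints it as "HMAC-SHA1(<file>)= <hex>", and fipsld diffs that line against the stored fips_premain.c.sha1. The script shows the three outcomes a practitioner has to tell apart: a clean match, a genuine mismatch (the source was modified), and a one-sided comparison where the checker produced no line at all, which is the shape of the `1d0 <` diff output in the post and is consistent with the "No such file or directory" message immediately before it. The sample source text is constructed; the key is the one used by fips_standalone_sha1.

```python
"""Re-implementation of the fipsld / fips_standalone_sha1 fingerprint check.

Added example, not OpenSSL's own code.  fips_standalone_sha1 in the FIPS
Object Module 1.2 computes HMAC-SHA1 over a file under the fixed key below and
prints "HMAC-SHA1(<file>)= <hex>"; fipsld compares that line with the stored
<file>.sha1.  The sample source text here is constructed.
"""
import hmac
import hashlib

# Fixed HMAC-SHA1 key compiled into fips_standalone_sha1 (FIPS Object Module 1.2).
FIPS_HMAC_KEY = b"etaonrishdlcupfm"

# Constructed stand-in for fips_premain.c; the real file ships with the FIPS module.
SAMPLE_PREMAIN_C = (
    b"/* constructed stand-in for fips_premain.c */\n"
    b"int main(void) { return 0; }\n"
)


def fips_hmac_sha1(data):
    """Hex HMAC-SHA1 of data under the module's fixed key."""
    return hmac.new(FIPS_HMAC_KEY, data, hashlib.sha1).hexdigest()


def standalone_sha1_line(name, data):
    """Output line in the same form fips_standalone_sha1 prints it."""
    return "HMAC-SHA1(%s)= %s" % (name, fips_hmac_sha1(data))


def check_fingerprint(name, data, stored_sha1_text):
    """Mimic fipsld's comparison and return (ok, reason).

    stored_sha1_text is the content of <name>.sha1.  An empty string models the
    case where one side of the comparison has no line at all (e.g. the checker
    binary could not be executed), which is different from a real mismatch.
    """
    expected = stored_sha1_text.strip()
    actual = standalone_sha1_line(name, data)
    if not expected:
        return (False, "no fingerprint to compare against (checker missing or .sha1 empty)")
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return (False, "fingerprint mismatch: stored %r, computed %r" % (expected, actual))
    return (True, "fingerprint ok")


if __name__ == "__main__":
    stored = standalone_sha1_line("fips_premain.c", SAMPLE_PREMAIN_C) + "\n"
    # 1. unmodified source against its stored fingerprint
    print(check_fingerprint("fips_premain.c", SAMPLE_PREMAIN_C, stored))
    # 2. source altered by one line: a genuine mismatch
    print(check_fingerprint("fips_premain.c", SAMPLE_PREMAIN_C + b"// edited\n", stored))
    # 3. nothing to compare against: the failure mode of a missing checker
    print(check_fingerprint("fips_premain.c", SAMPLE_PREMAIN_C, ""))
```

The practical check this suggests when debugging the post's situation: confirm that the checker fipsld invokes actually exists and runs before concluding that fips_premain.c itself has been altered, because an absent checker yields an empty comparison side rather than a differing hash.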