It was a mistake. Any help on the actual issue?

----- Original Message -----
From: "Michael S. Zick" <open...@morethan.org>
To: openssl-users@openssl.org
Sent: Sunday, November 8, 2009 5:51:45 AM GMT -07:00 US/Canada Mountain
Subject: Re: Linking and execution problems with a FIPS-capable OpenSSL distribution

Any reason for the double posting?
Wouldn't just one address do?

Mike

On Fri November 6 2009, Daugherty wrote:
> Synopsis:
> --------
>
> Linking and execution problems with a FIPS-capable OpenSSL distribution.
>
> System:
> ------
>
> openSUSE 11.0 (i586)
> Linux version 2.6.25.20-0.4-pae
> gcc (SUSE Linux) 4.3.1
> OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
> Includes are in /usr/include/openssl
> Libs are in /usr/lib
>
> Fips/OpenSSL Versions:
> ---------------------
>
> openssl-fips-1.2.tar.gz
> openssl-0.9.8l.tar.gz
>
> Goal of this post:
> -----------------
>
> 1. Additional clarification on the linking process as described in the User
> Guide and comment as to whether my workarounds are correct and in accordance
> with the Security Policy.
>
> 2. Help on overcoming the "fingerprint does not match" runtime error.
>
> Description:
> -----------
>
> I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times
> and have also scoured the news groups searching for a solution to my problem.
>
>
> I am trying to link fipscanister.o and libssl into a shared library,
> specifically, the ACE_SSL library that is part of the latest ACE distribution
> from the ACE/TAO group. The User Guide is somewhat vague on whether this can
> be done. From my understanding, linking fipscanister.o and libssl into a
> shared library is possible since my shared library is considered an
> application as defined in the User Guide.
>
> So here is what I am doing...
>
> Per the User Guide, I do the usual after successfully performing the two
> verification steps:
>
> openssl-fips-1.2 # ./config fipscanisterbuild
> make
> make install
>
> openssl-0.9.8l # ./config fips
> make
> make install
>
> As a non-su user, I modify the environment per the User Guide as follows:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/ssl/fips/bin/fipsld
> export CXX=/usr/local/ssl/fips/bin/fipsld
>
> I also copied the openssl include directory from
> /usr/local/ssl/fips/include/openssl to /usr/local/include which will be found
> by gcc. If I did not do this, gcc would find my existing openssl headers
> located at /usr/include/openssl.
>
> Finally, I modify my LD_LIBRARY_PATH environment variable to include
> /usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find
> the Fips-capable OpenSSL library.
>
> When I execute the ACE_SSL shared library make, I get the following output
> and error:
>
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden
> -fvisibility-inlines-hidden -W -Wall -Wpointer-arith -O3 -ggdb -pipe
> -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS
> -D_GNU_SOURCE -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
> /usr/local/ssl/fips/bin/fipsld: line 94:
> /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or
> directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
>
>
> The fips_standalone_sha1 program is located in:
>
> /usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
> /usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
>
> So, I modified the environment as follows to have access to
> fips_standalone_sha1:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> This succeeds in linking the shared library; however, it seems like the
> fips_standalone_sha1 and other dependent files should have been copied to
> /usr/local/ssl/fips/fips as the headers, modules, and libraries were. It
> seems that the User Guide could add some explanation on the various duplicate
> file copies.
>
> Anyways, I then compile and link my application to the shared library created
> above using gcc/ld instead of fipsld. I also tried compiling and linking my
> application with fipsld but it did not make a difference.
>
> When my application runs and calls FIPS_mode_set, I get an error of
> "fingerprint does not match."
>
> Relevant Environment When Building/Linking the ACE_SSL Shared Library
> with fipscanister.o and libssl:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> FIPSLD_CC=gcc
> CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> Relevant Environment When Building/Linking my Application to the
> ACE_SSL dynamic library:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
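
Added example, not part of the original message and not OpenSSL project code: a POSIX shell preflight for the fips_premain.c check that fails in the build output quoted above. The helper and source paths are derived as the error text shows them; the fips_premain.c.sha1 sidecar file name, the status words and the digest-only comparison are assumptions of this example.

```shell
#!/bin/sh
# Paths follow the error output quoted in the post:
#   <dir of fipsld>/../fips/fips_standalone_sha1
#   <dir of fipsld>/../lib/fips_premain.c
# Assumption: the expected digest is stored beside the source file as
# fips_premain.c.sha1, one "HMAC-SHA1(name)= hex" line.

# check_fipsld FIPSLD [PREMAIN_C]
# Prints exactly one status word; returns 0 only for "ok".
check_fipsld() {
    fipsld=$1
    there=$(dirname "$fipsld")/..
    helper=$there/fips/fips_standalone_sha1
    premain=${2:-$there/lib/fips_premain.c}

    if [ ! -x "$helper" ]; then
        # No helper means an empty computed digest, so diff reports the
        # stored line as deleted ("1d0" then "< HMAC-SHA1(...)"), which is
        # the output shown in the post.
        echo helper-missing
        return 2
    fi
    if [ ! -f "$premain" ] || [ ! -f "$premain.sha1" ]; then
        echo premain-missing
        return 3
    fi
    # Compare the hex digests only (a choice made for this example), so
    # the file name printed inside "HMAC-SHA1(...)" does not matter.
    hex='s/.*= *\([0-9a-fA-F]*\).*/\1/p'
    want=$(sed -n "$hex" "$premain.sha1" | head -n 1)
    got=$("$helper" "$premain" | sed -n "$hex" | head -n 1)
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo ok
        return 0
    fi
    echo mismatch
    return 1
}

# Stand-alone use: sh check_fipsld.sh /usr/local/ssl/fips/bin/fipsld
if [ "$#" -gt 0 ]; then
    check_fipsld "$@"
fi
```

A "helper-missing" result points at the install layout rather than at a modified fips_premain.c; "mismatch" means the helper ran and the digests really differ.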