On Fri, May 13, 2011, Todd Goyen wrote:

> Can someone provide a brief explanation of the fips_premain.c functionality?
>
> I used it over a year ago and am a little hazy on the details.
>
> 1) A checksum of the executable was performed during the first compile step
> of fipsld
> 2) That checksum was inserted into the binary during the second compile step
> 3) When the program is run that checksum is checked when fips_mode is entered.
>
>
> Presuming the above is correct, I also remember that toggling a few bits in
> the executable (in a string for example) would cause FIPS mode to fail.
> However a new program I have just written doesn't exhibit this behavior. Have
> I got the functionality wrong? or is something else awry?
>

The HMAC signature doesn't cover the whole binary, just the validated module
within the binary.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
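
The scope described in the reply, as an added example that is not part of the original thread and is not OpenSSL's code: a toy binary image whose embedded HMAC covers only the module region, so a bit flipped in an application string passes the check while a bit flipped inside the module fails it. The image layout, the key, the use of HMAC-SHA1 and all function names are assumptions made for this model.

```python
import hashlib
import hmac

# Constructed key for this model only (assumption, not the module's real key).
MODEL_KEY = b"constructed-demo-key"
DIGEST_LEN = hashlib.sha1().digest_size


def build_image(app_before, module, app_after):
    """Toy layout: app bytes | validated module | app bytes | signature slot."""
    start = len(app_before)
    end = start + len(module)
    body = app_before + module + app_after
    # Model of the second link step: embed the HMAC of the module region only.
    sig = hmac.new(MODEL_KEY, body[start:end], hashlib.sha1).digest()
    return bytearray(body + sig), start, end, len(body)


def integrity_check(image, start, end, sig_offset):
    """Model of the check on entering FIPS mode: re-HMAC the module region."""
    expected = bytes(image[sig_offset:sig_offset + DIGEST_LEN])
    actual = hmac.new(MODEL_KEY, bytes(image[start:end]), hashlib.sha1).digest()
    return hmac.compare_digest(expected, actual)


def flip_bit(image, offset, bit=0):
    """Return a copy of the image with a single bit toggled at offset."""
    patched = bytearray(image)
    patched[offset] ^= 1 << bit
    return patched


def demo():
    """Run the check on the intact image and on three one-bit modifications."""
    image, start, end, sig_off = build_image(
        b"APP:usage string owned by the application\x00",   # constructed sample
        b"MODULE:validated code and read-only data\x00",    # constructed sample
        b"APP:more application code\x00",                   # constructed sample
    )
    check = lambda img: integrity_check(img, start, end, sig_off)
    return {
        "untouched": check(image),
        "app_string_flipped": check(flip_bit(image, 5)),
        "module_flipped": check(flip_bit(image, start + 5)),
        "signature_flipped": check(flip_bit(image, sig_off)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'pass' if ok else 'FAIL'}")
```

Integrity of the application code outside the module region needs its own control, such as a signature over the whole executable.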
