I have also observed that changing my application code causes a different HMAC sig to be generated by premain. So if it is covering just the validated module (fipscanister.o), then the sig should remain the same, as I am using the same validated module each time. Please clarify.

On Sun, May 15, 2011 at 4:41 AM, Dr. Stephen Henson <[email protected]> wrote:

> On Fri, May 13, 2011, Todd Goyen wrote:
>
> > Can someone provide a brief explanation of the fips_premain.c functionality?
> >
> > I used it over a year ago and am a little hazy on the details.
> >
> > 1) A checksum of the executable was performed during the first compile step of fipsld
> > 2) That checksum was inserted into the binary during the second compile step
> > 3) When the program is run that checksum is checked when fips_mode is entered.
> >
> > Presuming the above is correct, I also remember that toggling a few bits in the executable (in a string for example) would cause FIPS mode to fail. However a new program I have just written doesn't exhibit this behavior. Have I got the functionality wrong? or is something else awry?
>
> The hmac signature doesn't cover the whole binary just the validated module
> within the binary.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
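
The behaviour described in the quoted reply, a fingerprint that covers only the validated module's bytes rather than the whole binary, modelled on a toy image. This is an added example, not part of the original thread and not OpenSSL's code; the key, the digest choice, the image layout and every function name are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; not the key OpenSSL uses
# Constructed stand-in for the validated module's bytes (fipscanister.o).
MODULE = b"\x90" * 64 + b"validated-module-code" + b"\xc3" * 16
SIG_LEN = hashlib.sha1().digest_size


def link(app_before, app_after):
    """Build a toy image: app bytes, module, app bytes, signature slot.
    Returns (image, module_start, module_end, sig_offset)."""
    start = len(app_before)
    end = start + len(MODULE)
    image = bytearray(app_before + MODULE + app_after)
    sig_off = len(image)
    image += bytes(SIG_LEN)  # empty slot, filled in by embed()
    return image, start, end, sig_off


def fingerprint(image, start, end):
    """HMAC over the module's byte range only, not the whole image."""
    return hmac.new(KEY, bytes(image[start:end]), hashlib.sha1).digest()


def embed(image, start, end, sig_off):
    """Second build step in the toy model: store the fingerprint in the image."""
    image[sig_off:sig_off + SIG_LEN] = fingerprint(image, start, end)


def self_test(image, start, end, sig_off):
    """Run-time check: recompute over the module range, compare in constant time."""
    stored = bytes(image[sig_off:sig_off + SIG_LEN])
    return hmac.compare_digest(stored, fingerprint(image, start, end))


def demo():
    image, start, end, sig_off = link(b"app: hello world\0", b"app: usage string\0")
    embed(image, start, end, sig_off)
    ok_clean = self_test(image, start, end, sig_off)
    image[5] ^= 0x01            # flip a bit in an application string
    ok_app_tamper = self_test(image, start, end, sig_off)
    image[start + 70] ^= 0x01   # flip a bit inside the module range
    ok_module_tamper = self_test(image, start, end, sig_off)
    return ok_clean, ok_app_tamper, ok_module_tamper


if __name__ == "__main__":
    print(demo())
```

In this model, a bit flipped in an application string leaves the check passing, while a bit flipped inside the module range makes it fail.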
