On Mon, May 16, 2011 at 1:15 AM, raghib nasri <raghibna...@gmail.com> wrote:
> I have also observed that changing my application code causes a different
> HMAC sig generated by premain. So if it is covering just validated module
> (fipscanister.o) then sig should remain same as I'm using the same validated
> module each time. Please clarify.

If the linker places the object code in a different position, the MAC will be different.

Jeff

>
> On Sun, May 15, 2011 at 4:41 AM, Dr. Stephen Henson <st...@openssl.org>
> wrote:
>>
>> On Fri, May 13, 2011, Todd Goyen wrote:
>>
>> > Can someone provide a brief explanation of the fips_premain.c
>> > functionality?
>> >
>> > I used it over a year ago and am a little hazy on the details.
>> >
>> > 1) A checksum of the executable was performed during the first compile
>> > step of fipsld
>> > 2) That checksum was inserted into the binary during the second compile
>> > step
>> > 3) When the program is run that checksum is checked when fips_mode is
>> > entered.
>> >
>> >
>> > Presuming the above is correct, I also remember that toggling a few bits
>> > in the executable (in a string for example) would cause FIPS mode to fail.
>> > However a new program I have just written doesn't exhibit this behavior.
>> > Have I got the functionality wrong? or is something else awry?
>> >
>>
>> The HMAC signature doesn't cover the whole binary, just the validated
>> module
>> within the binary.
>>
>> Steve.
>>
[SNIP]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
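
The two replies in this thread can be seen together in a toy model, added here as an illustration and not taken from OpenSSL, fipsld, or any poster. It assumes a constructed image layout, a constructed HMAC key, and a module containing one address slot that a hypothetical `link()` fills in according to where the module lands.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; not the key the real module uses
# Constructed stand-in for the validated module: code bytes plus one 8-byte
# slot ("RELOCSLT") that the toy linker overwrites with an absolute address.
MODULE = b"\x90" * 32 + b"RELOCSLT" + b"\xc3" * 8

def link(app_code, module_code=MODULE, base=0x400000):
    """Toy linker (hypothetical): application code first, then the module."""
    start = len(app_code)
    addr = struct.pack("<Q", base + start)        # depends on module position
    module = module_code.replace(b"RELOCSLT", addr)
    image = bytearray(app_code + module + b"trailing app string\x00")
    return image, start, start + len(module)

def fingerprint(image, start, end):
    """HMAC over the module's byte range only, not the whole image."""
    return hmac.new(KEY, bytes(image[start:end]), hashlib.sha1).hexdigest()

def check(image, start, end, embedded_sig):
    """Startup-style self-check against the signature embedded at build time."""
    return hmac.compare_digest(fingerprint(image, start, end), embedded_sig)

def demo():
    image, s, e = link(b"app v1 code")
    sig = fingerprint(image, s, e)                # "first pass": compute and embed

    outside = bytearray(image)
    outside[-2] ^= 0x01                           # flip a bit in an application string
    inside = bytearray(image)
    inside[s] ^= 0x01                             # flip a bit inside the module range

    # Same module source, different application code: the module moves,
    # the address slot changes, and so does the fingerprint.
    image2, s2, e2 = link(b"app v2 code, longer")
    return {
        "flip_outside_passes": check(outside, s, e, sig),
        "flip_inside_passes": check(inside, s, e, sig),
        "relinked_same_sig": fingerprint(image2, s2, e2) == sig,
    }

if __name__ == "__main__":
    print(demo())
```
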