On Wed, Jul 18, 2012 at 3:24 PM, AJ <[email protected]> wrote:
> I'm running on 4.0.4 and 2.3.4, with same results on both.

Android 4.0 got most of ASLR in place (Android 4.1 finished the randomization and fixed a kernel mis-configuration): http://source.android.com/tech/security/index.html#memory-management-security-enhancements and https://blog.duosecurity.com/2012/02/a-look-at-aslr-in-android-ice-cream-sandwich-4-0/.

I suspect ASLR is giving you problems (presuming OpenSSL is working as intended). What load address did fipsld use? What address is the executable being loaded at?

Jeff

> ----- Original Message -----
> From: Jeffrey Walton <[email protected]>
> To: [email protected]
> Cc:
> Sent: Wednesday, July 18, 2012 2:27 PM
> Subject: Re: FIPS: Incore fingerprint check fails on Android?
>
> On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma <[email protected]> wrote:
>> Sorry if this is duplicate, but I had an issue with the mailer, and not sure
>> if this went...
>>
>> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android
>> using ndk-r8.
>> I am doing cross-compile on Mac OSX.
>>
>> However, I cannot pass FIPS_mode_set(1).
>> I get the following error: "FIPS
>> routines:FIPS_check_incore_fingerprint:fingerprint does not match"
>>
>> I am using the incore script provided from openssl-fips-2.0/util/incore.
>>
>> My setup is as follows:
>>
>> # Edit this to wherever you unpacked the NDK
>> export ANDROID_NDK=/home/android-ndk-r8
>>
>> # Edit to wherever you put incore script
>> export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>>
>>
>> PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH;
>> export PATH
>> export MACHINE=armv7l
>> export RELEASE=2.6.32.GMU
>> export SYSTEM=android
>> export ARCH=arm
>> export CROSS_COMPILE="arm-linux-androideabi-"
>> export ANDROID_DEV="$ANDROID_NDK/platforms/android-14/arch-arm/usr"
>> export HOSTCC=gcc
>>
>> Any ideas why I cannot pass incore fingerprint validation? Do I need
>> anything special wrt incore on cross-compile?
>>
> What Android OS is being used on the device?
>
> Android 4.1 recently achieved full ASLR. ASLR might be the problem
> since randomizing shared objects and program load addresses is
> diametrically opposed to the FIPS check.
>
> A thread on recent platform security changes can be found at
> http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
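An added illustration, not part of the thread and not OpenSSL's code: a simplified model of the suspicion voiced above, showing that a fingerprint taken over a module's in-memory bytes depends on the load address only when those bytes hold a relocated absolute pointer. The key, image layout, addresses and function names are constructed, and HMAC-SHA1 stands in for the fingerprint.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; not the key any real module uses
LINK_BASE = 0x00008000          # constructed link-time load address
FUNC_OFF = 0x40                 # constructed offset of a function in the image


def build_image(base, pointer_in_region):
    """Bytes an in-memory integrity check would read with the image at `base`."""
    code = bytes(range(64))     # stand-in for position-independent instructions
    if pointer_in_region:
        # Absolute pointer stored inside the checked region: the loader
        # rewrites it (applies a relocation) to base + offset on every load.
        slot = struct.pack("<I", (base + FUNC_OFF) & 0xFFFFFFFF)
    else:
        # PC-relative reference: the stored value is a distance, so it is
        # the same wherever the image lands.
        slot = struct.pack("<I", FUNC_OFF)
    return code + slot


def fingerprint(image):
    """Keyed digest over the checked region."""
    return hmac.new(KEY, image, hashlib.sha1).hexdigest()


def check(load_base, pointer_in_region):
    """Compare the build-time fingerprint (taken at LINK_BASE) with the
    fingerprint recomputed at `load_base`."""
    embedded = fingerprint(build_image(LINK_BASE, pointer_in_region))
    observed = fingerprint(build_image(load_base, pointer_in_region))
    return hmac.compare_digest(embedded, observed)


if __name__ == "__main__":
    # Constructed load addresses: the link-time one and two randomized ones.
    for base in (LINK_BASE, 0x40012000, 0x4A7F3000):
        print(hex(base),
              "absolute pointer in region:", check(base, True),
              "| pc-relative only:", check(base, False))
```

In this model the check passes at any base when the region is free of relocated pointers, which is why the two questions in the reply (the address assumed at build time and the address observed at run time) narrow down whether relocation is involved at all.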
