Linking and execution problems with a FIPS-capable OpenSSL distribution

> Synopsis:
> --------
>
> Linking and execution problems with a FIPS-capable OpenSSL distribution.
>
> System:
> ------
>
> openSUSE 11.0 (i586)
> Linux version 2.6.25.20-0.4-pae
> gcc (SUSE Linux) 4.3.1
> OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
>   Includes are in /usr/include/openssl
>   Libs are in /usr/lib
>
> Fips/OpenSSL Versions:
> ---------------------
>
> openssl-fips-1.2.tar.gz
> openssl-0.9.8l.tar.gz
>
> Goal of this post:
> -----------------
>
> 1. Additional clarification on the linking process as described in the User Guide and comment as to whether my workarounds are correct and in accordance with the Security Policy.
>
> 2. Help on overcoming the "fingerprint does not match" runtime error.
>
> Description:
> -----------
>
> I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times and have also scoured the news groups searching for a solution to my problem.  
>
> I am trying to link fipscanister.o and libssl into a shared library, specifically, the ACE_SSL library that is part of the latest ACE distribution from the ACE/TAO group.  The User Guide is somewhat vague on whether this can be done.  From my understanding, linking fipscanister.o and libssl into a shared library is possible since my shared library is considered an application as defined in the User Guide.  
>
> So here is what I am doing...
>
> Per the User Guide, I do the usual after successfully performing the two verification steps:
>
> openssl-fips-1.2 # ./config fipscanisterbuild
> make
> make install
>
> openssl-0.9.8l # ./config fips
> make
> make install
>
> As a non-su user, I modify the environment per the User Guide as follows:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/ssl/fips/bin/fipsld
> export CXX=/usr/local/ssl/fips/bin/fipsld
>
> I also copied the openssl include directory from /usr/local/ssl/fips/include/openssl to /usr/local/include which will be found by gcc.  If I did not do this, gcc would find my existing openssl headers located at /usr/include/openssl.
>
> Finally, I modify my LD_LIBRARY_PATH environment variable to include /usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find the Fips-capable OpenSSL library.
>
> When I execute the ACE_SSL shared library make, I get the following output and error:
>
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
> /usr/local/ssl/fips/bin/fipsld: line 94: /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
>
>
> The fips_standalone_sha1 program is located in:
>
> /usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
> /usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
>  
> So, I modified the environment as follows to have access to fips_standalone_sha1:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> This succeeds in linking the shared library; however, it seems like the fips_standalone_sha1 and other dependent files should have been copied to /usr/local/ssl/fips/fips as the headers, modules, and libraries were.  It seems that the User Guide could add some explanation on the various duplicate file copies.
>
> Anyways, I then compile and link my application to the shared library created above using gcc/ld instead of fipsld.  I also tried compiling and linking my application with fipsld but it did not make a difference.
>
> When my application runs and calls FIPS_mode_set, I get an error of "fingerprint does not match."
>
> Relevant Environment When Building/Linking the ACE_SSL Shared Library
> with fipscanister.o and libssl:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> FIPSLD_CC=gcc
> CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> Relevant Environment When Building/Linking my Application to the
> ACE_SSL dynamic library:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@...
> Automated List Manager                           majordomo@...
>
>

> Synopsis:
> --------
>
> Linking and execution problems with a FIPS-capable OpenSSL distribution.
>
> System:
> ------
>
> openSUSE 11.0 (i586)
> Linux version 2.6.25.20-0.4-pae
> gcc (SUSE Linux) 4.3.1
> OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
>   Includes are in /usr/include/openssl
>   Libs are in /usr/lib
>
> Fips/OpenSSL Versions:
> ---------------------
>
> openssl-fips-1.2.tar.gz
> openssl-0.9.8l.tar.gz
>
> Goal of this post:
> -----------------
>
> 1. Additional clarification on the linking process as described in the User Guide and comment as to whether my workarounds are correct and in accordance with the Security Policy.
>
> 2. Help on overcoming the "fingerprint does not match" runtime error.
>
> Description:
> -----------
>
> I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times and have also scoured the news groups searching for a solution to my problem.  
>
> I am trying to link fipscanister.o and libssl into a shared library, specifically, the ACE_SSL library that is part of the latest ACE distribution from the ACE/TAO group.  The User Guide is somewhat vague on whether this can be done.  From my understanding, linking fipscanister.o and libssl into a shared library is possible since my shared library is considered an application as defined in the User Guide.  
>
> So here is what I am doing...
>
> Per the User Guide, I do the usual after successfully performing the two verification steps:
>
> openssl-fips-1.2 # ./config fipscanisterbuild
> make
> make install
>
> openssl-0.9.8l # ./config fips
> make
> make install
>
> As a non-su user, I modify the environment per the User Guide as follows:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/ssl/fips/bin/fipsld
> export CXX=/usr/local/ssl/fips/bin/fipsld
>
> I also copied the openssl include directory from /usr/local/ssl/fips/include/openssl to /usr/local/include which will be found by gcc.  If I did not do this, gcc would find my existing openssl headers located at /usr/include/openssl.
>
> Finally, I modify my LD_LIBRARY_PATH environment variable to include /usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find the Fips-capable OpenSSL library.
>
> When I execute the ACE_SSL shared library make, I get the following output and error:
>
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
> /usr/local/ssl/fips/bin/fipsld: line 94: /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
>
>
> The fips_standalone_sha1 program is located in:
>
> /usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
> /usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
>  
> So, I modified the environment as follows to have access to fips_standalone_sha1:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> This succeeds in linking the shared library; however, it seems like the fips_standalone_sha1 and other dependent files should have been copied to /usr/local/ssl/fips/fips as the headers, modules, and libraries were.  It seems that the User Guide could add some explanation on the various duplicate file copies.
>
> Anyways, I then compile and link my application to the shared library created above using gcc/ld instead of fipsld.  I also tried compiling and linking my application with fipsld but it did not make a difference.
>
> When my application runs and calls FIPS_mode_set, I get an error of "fingerprint does not match."
>
> Relevant Environment When Building/Linking the ACE_SSL Shared Library
> with fipscanister.o and libssl:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> FIPSLD_CC=gcc
> CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> Relevant Environment When Building/Linking my Application to the
> ACE_SSL dynamic library:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@...
> Automated List Manager                           majordomo@...
>
>

> Synopsis:
> --------
>
> Linking and execution problems with a FIPS-capable OpenSSL distribution.
>
> System:
> ------
>
> openSUSE 11.0 (i586)
> Linux version 2.6.25.20-0.4-pae
> gcc (SUSE Linux) 4.3.1
> OpenSSL 0.9.8g 19 Oct 2007 (currently installed)
>   Includes are in /usr/include/openssl
>   Libs are in /usr/lib
>
> Fips/OpenSSL Versions:
> ---------------------
>
> openssl-fips-1.2.tar.gz
> openssl-0.9.8l.tar.gz
>
> Goal of this post:
> -----------------
>
> 1. Additional clarification on the linking process as described in the User Guide and comment as to whether my workarounds are correct and in accordance with the Security Policy.
>
> 2. Help on overcoming the "fingerprint does not match" runtime error.
>
> Description:
> -----------
>
> I have read the UserGuide-1.2.pdf and SecurityPolicy-1.2.pdf numerous times and have also scoured the news groups searching for a solution to my problem.  
>
> I am trying to link fipscanister.o and libssl into a shared library, specifically, the ACE_SSL library that is part of the latest ACE distribution from the ACE/TAO group.  The User Guide is somewhat vague on whether this can be done.  From my understanding, linking fipscanister.o and libssl into a shared library is possible since my shared library is considered an application as defined in the User Guide.  
>
> So here is what I am doing...
>
> Per the User Guide, I do the usual after successfully performing the two verification steps:
>
> openssl-fips-1.2 # ./config fipscanisterbuild
> make
> make install
>
> openssl-0.9.8l # ./config fips
> make
> make install
>
> As a non-su user, I modify the environment per the User Guide as follows:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/ssl/fips/bin/fipsld
> export CXX=/usr/local/ssl/fips/bin/fipsld
>
> I also copied the openssl include directory from /usr/local/ssl/fips/include/openssl to /usr/local/include which will be found by gcc.  If I did not do this, gcc would find my existing openssl headers located at /usr/include/openssl.
>
> Finally, I modify my LD_LIBRARY_PATH environment variable to include /usr/local/ssl/fips/lib prior to the /usr/lib include so that ld will find the Fips-capable OpenSSL library.
>
> When I execute the ACE_SSL shared library make, I get the following output and error:
>
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -fvisibility=hidden -fvisibility-inlines-hidden -W -Wall -Wpointer-arith  -O3 -ggdb -pipe -D_REENTRANT -DA$
> /usr/local/ssl/fips/bin/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_L$
> /usr/local/ssl/fips/bin/fipsld: line 94: /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
>
>
> The fips_standalone_sha1 program is located in:
>
> /usr/local/src/openssl-fips-1.2/fips/fips_standalone_sha1
> /usr/local/src/openssl-0.9.8l/fips/fips_standalone_sha1
>  
> So, I modified the environment as follows to have access to fips_standalone_sha1:
>
> export FIPSLD_CC=gcc
> export CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> export CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> This succeeds in linking the shared library; however, it seems like the fips_standalone_sha1 and other dependent files should have been copied to /usr/local/ssl/fips/fips as the headers, modules, and libraries were.  It seems that the User Guide could add some explanation on the various duplicate file copies.
>
> Anyways, I then compile and link my application to the shared library created above using gcc/ld instead of fipsld.  I also tried compiling and linking my application with fipsld but it did not make a difference.
>
> When my application runs and calls FIPS_mode_set, I get an error of "fingerprint does not match."
>
> Relevant Environment When Building/Linking the ACE_SSL Shared Library
> with fipscanister.o and libssl:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> FIPSLD_CC=gcc
> CC=/usr/local/src/openssl-fips-1.2/fips/fipsld
> CXX=/usr/local/src/openssl-fips-1.2/fips/fipsld
>
> Relevant Environment When Building/Linking my Application to the
> ACE_SSL dynamic library:
> ---------------------------------------------------------------------
>
> LD_LIBRARY_PATH =
> :/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers_Linux/lib:/usr/lib/oracle/xe/app/oracle/product/10.2.0\
> /server/lib:/usr/local/ssl/fips/lib:/usr/local/lib:/usr/lib:
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@...
> Automated List Manager                           majordomo@...
>
>

> Another mistake I made was specifying FIPSLD_CC=gcc instead of FIPSLD_CC=g++.
>
> Now, when I link, I get the following error:
>
> /usr/local/src/openssl-fips-1.2/fips/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers$
> /usr/local/src/openssl-fips-1.2/fips/../fips/fips_premain.c:71: error: initializer-string for array of chars is too long
>
> I have seen another posting referencing the gcc/g++ differences related to this error.  I believe it had to do with not being able to fix the error since the source file changes would invalidate the FIPS modules.
>
> Is there any work around besides compiling with gcc instead of g++?
>

> Another mistake I made was specifying FIPSLD_CC=gcc instead of FIPSLD_CC=g++.
>
> Now, when I link, I get the following error:
>
> /usr/local/src/openssl-fips-1.2/fips/fipsld -Wl,-O3 -D_REENTRANT -DACE_HAS_AIO_CALLS -D_GNU_SOURCE   -I/home/linuxbuild/ntsdev/3rdParty/ACE_wrappers$
> /usr/local/src/openssl-fips-1.2/fips/../fips/fips_premain.c:71: error: initializer-string for array of chars is too long
>
> I have seen another posting referencing the gcc/g++ differences related to this error.  I believe it had to do with not being able to fix the error since the source file changes would invalidate the FIPS modules.
>
> Is there any work around besides compiling with gcc instead of g++?
>