Building FIPS enabled OpenSSL fails in Yocto-ARM build


Building FIPS enabled OpenSSL fails in Yocto-ARM build

Jayalakshmi bhat
Hi All,

I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried using openssl-fips-2.0.13 and openssl-fips-2.0.4


I am building FIPS externally with the below environmental settings
------------------------
PATH=/yocto/gcc/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf/bin:$PATH

export PATH
export FIPS_SIG=/yocto/openssl-fips-2.0.4/util/incore
export MACHINE=armv71
export RELEASE=4.9.13
export SYSTEM=Linux
export ARCH=arm
export CROSS_COMPILE=arm-linux-gnueabihf-
export HOSTCC=gcc
export FIPSDIR=/yocto/meta/recipes-connectivity/openssl/fips2.0

Build commands for FIPS library 

./config -mfloat-abi=hard
make
make install
------------------------

Then I am building OpenSSL 1.0.2h with the below environment settings

export FIPSDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0"
export FIPSLIBDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0/lib/"
export FIPS_SIG="/yocto/meta/recipes-connectivity/openssl/fips2.0/bin/incore"

Build command to build OpenSSL.

perl ./Configure ${EXTRA_OECONF} fips shared --with-fipsdir=${FIPSDIR} --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target

The build is successful, without any error. But when I try executing

export OPENSSL_FIPS=1
openssl -v

I am getting 

3069334736:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:244

I do not understand what could be going wrong. Any help is appreciated.

Regards
Jayalakshmi

        
   

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Building FIPS enabled OpenSSL fails in Yocto-ARM build

Jayalakshmi bhat
Hi All,

In addition to my previous mail, here is some additional info:

objdump -t libcrypto.so.1.0.0 | grep FIPS_signature
001ad8b0 l     O .data  00000014              FIPS_signature

readelf -a libcrypto.so.1.0.0 | grep FIPS_signature
11812: 001ad8b0    20 OBJECT  LOCAL  DEFAULT   23 FIPS_signature


Regards
Jayalakshmi
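
A follow-up check on the objdump/readelf output above, as an added example (not part of the original post and not OpenSSL tooling): it reads the bytes stored at the FIPS_signature symbol in a 32-bit little-endian ELF such as the ARM libcrypto.so.1.0.0 shown, so the embedded value can be compared between builds or before and after the incore step. The function names are hypothetical, and it assumes an unstripped file whose symbol lives in a section with file contents (.data in the output above).

```python
import struct
import sys

SHT_SYMTAB = 2


def symbol_bytes(elf: bytes, name: str) -> bytes:
    """Return the file contents backing symbol `name` in a 32-bit little-endian ELF."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF file")
    (shoff,) = struct.unpack_from("<I", elf, 0x20)            # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x2E)   # e_shentsize, e_shnum
    # Section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    secs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    for _, sh_type, _, _, sym_off, sym_size, strtab_idx, _, _, entsize in secs:
        if sh_type != SHT_SYMTAB:
            continue
        str_off = secs[strtab_idx][4]  # file offset of the linked string table
        for off in range(sym_off, sym_off + sym_size, entsize or 16):
            st_name, st_value, st_size, _, _, st_shndx = struct.unpack_from("<IIIBBH", elf, off)
            start = str_off + st_name
            if elf[start:elf.index(b"\0", start)] != name.encode():
                continue
            if not 0 < st_shndx < shnum:
                raise ValueError(f"{name} is not defined in a section of this file")
            # Translate the symbol's address into a file offset via its section.
            _, _, _, sec_addr, sec_off, *_ = secs[st_shndx]
            pos = sec_off + (st_value - sec_addr)
            return elf[pos:pos + st_size]
    raise KeyError(f"{name} not found in .symtab (stripped binary?)")


def describe_signature(elf: bytes) -> str:
    """One-line summary of the value currently stored at FIPS_signature."""
    sig = symbol_bytes(elf, "FIPS_signature")
    state = "all zero" if not any(sig) else "non-zero"
    return f"FIPS_signature ({len(sig)} bytes, {state}): {sig.hex()}"


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python3 this_script.py libcrypto.so.1.0.0
    with open(sys.argv[1], "rb") as fh:
        print(describe_signature(fh.read()))
```

Running it against the library on the build host and again against the copy installed on the target shows whether the stored 20 bytes changed somewhere between signing and deployment.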
