Yep, I understand now. I thought that the whole binary application file was signed, and not only the FIPS module part. I already did some tests (with that string and also in different parts of the code that belongs to fipscanister.o), and it -correctly- fails.

server:~# export OPENSSL_FIPS=1
server:~# openssl sha1 testfile
139697803871912:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

Thanks a lot!!

2015-09-02 20:16 GMT+02:00 Dr. Stephen Henson <steve at openssl.org>:
> On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:
>
>> So, is it possible at runtime to know if the FIPS module code has been
>> changed after compiling? I mean, after openssl has been compiled
>> with the FIPS Object Module (./config fips & make & make install), the
>> 4 files in the FIPS Object Module (fipscanister* and so on) don't
>> need to be in the final system for the application (openssl,
>> for instance) to work.
>>
>> Is there any way to know, at runtime, that the FIPS Object Module code
>> has not been changed?
>>
>
> Yes, the integrity test will fail.
>
> Just to clarify. When you link the FIPS module, part of the code will
> correspond to the application (which may be OpenSSL itself or the
> OpenSSL shared library) and part of it will be the FIPS module code from
> fipscanister.o. If you change the part of the binary corresponding to
> fipscanister.o the integrity test will fail; if you change the part of the
> binary outside fipscanister.o it won't.
>
> For example there is a version string which says something like "FIPS 2.0.10
> validated module 14 May 2015", try changing that.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

-- 
Alberto Román
Engineering team
http://www.alienvault.com
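The distinction Steve draws above (a fingerprint that covers only the fipscanister.o region of the linked binary, so edits inside it are detected and edits outside it are not) can be modelled in a few lines. This is an added example, not OpenSSL's or the FIPS module's code: the image layout, region boundaries and HMAC key are all constructed stand-ins, and the real module stores the fingerprint inside the binary rather than returning it separately.

```python
import hmac
import hashlib

# Constructed stand-in for a linked binary: application code, then the
# FIPS module region (the part that came from fipscanister.o), then more
# application code. Offsets below are derived from these lengths.
APP_PREFIX = b"APP-CODE-BEFORE-MODULE"
MODULE_CODE = b"FIPS-MODULE-CODE:FIPS 2.0.10 validated module 14 May 2015"
APP_SUFFIX = b"APP-CODE-AFTER-MODULE"
# Constructed key; the real module uses a fixed HMAC key compiled into it.
HMAC_KEY = b"constructed-fixed-key"


def build_image():
    """Link-time step: lay out the image and fingerprint only the module region."""
    image = bytearray(APP_PREFIX + MODULE_CODE + APP_SUFFIX)
    start = len(APP_PREFIX)
    end = start + len(MODULE_CODE)
    fingerprint = hmac.new(HMAC_KEY, bytes(image[start:end]), hashlib.sha1).digest()
    return image, start, end, fingerprint


def check_incore_fingerprint(image, start, end, expected):
    """Runtime step, in the spirit of FIPS_check_incore_fingerprint:
    recompute the HMAC over the module region only and compare it."""
    actual = hmac.new(HMAC_KEY, bytes(image[start:end]), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def patched(image, offset, new_byte):
    """Return a copy of the image with one byte changed at offset."""
    copy = bytearray(image)
    copy[offset] = new_byte
    return copy


def demo():
    """Return (intact_ok, modified_inside_ok, modified_outside_ok)."""
    image, start, end, fingerprint = build_image()
    intact_ok = check_incore_fingerprint(image, start, end, fingerprint)
    # Change a byte of the version string, which lives inside the module region.
    inside = patched(image, image.index(b"2.0.10"), ord("9"))
    inside_ok = check_incore_fingerprint(inside, start, end, fingerprint)
    # Change a byte of application code outside the module region.
    outside = patched(image, 0, ord("X"))
    outside_ok = check_incore_fingerprint(outside, start, end, fingerprint)
    return intact_ok, inside_ok, outside_ok
```

The third result is the caveat from the thread: the integrity test says nothing about bytes outside the module, so a change to the surrounding application passes the check.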