Thanks for the information. I checked the Makefile and build logs of both cases (i.e. built with Ubuntu packaging script and built with the standard way), and I saw the fipsld was run in both cases: Makefile for both: *libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) @if [ "$(SHLIB_TARGET)" != "" ]; then \ if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ FIPSLD_LIBCRYPTO=libcrypto.a ; \ FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \ fi; \ $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ (touch -c fips_premain_dso$(EXE_EXT) || :); \ echo "CC is $(CC)"; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ fi* Although it seemed like the FIPSLD_CC wasn't set in both cases, but I did see that the fipsld eventually got executed in both cases. I saw the following in both the build logs: *if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \ (cd ..; make libcrypto.so.1.0.0); \ fimake[3]: Entering directory `/home/Development/precise/amd64/openssl/openssl-1.0.1'[ -z "libcrypto" ] || gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -O3 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -Iinclude \ -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \ /usr/local/ssl/fips-2.0/lib/fips_premain.c /usr/local/ssl/fips-2.0/lib/fipscanister.o \ libcrypto.a -ldl -lz* Also if I removed the fipsld binary from the /usr/local/ssl/fips-2.0/bin/ directory, I saw the fipsld "File not found" errors in both cases, which also proved that the fipsld was ran. One major differences I could see was, in Ubuntu Makefile it uses *-Wl, --version-script=openssl.ld* in the *SHARED_LDFLAGS* and all the symbols were included in the openssl.ld file. I also added all the FIPS related symbols to this file as well, otherwise they all showed up as "t" instead of "T" when running nm on the libcrypto.so How does fipsld set the sig and FIPS_SIGNATURE and what's the right way to call it in the build script? e.g. How do I use it to set these signature in the command line? In addition to the fipsld command, is there any other possible reasons which would cause the signature not set correctly? Thanks and I truly appreciate the helps and suggestions. On Wed, Feb 24, 2016 at 6:36 PM, Dr. Stephen Henson <steve at openssl.org> wrote: > On Wed, Feb 24, 2016, cloud force wrote: > > > Actually it looks like when I ran the tests using the OpenSSL FIPS > library > > which I built using Ubuntu build script, the content of FIPS_SIGNATURE > > seemed to be empty. > > > > Can anyone tell me how was the value of sig and FIPS_SIGNATURE (near > fips.c > > line 222) was computed and assigned? > > > > They are set using the fipsld linker script. If you have changed the build > process so fipsld is no longer called that will cause the signature test to > fail. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160225/6aa40fa8/attachment-0001.html>