FIPS Capable OpenSSL cross-compiled: fingerprint issue

I am having a problem using the OpenSSL shared library (libcrypto) compiled as FIPS enabled on a MIPS device.
I cross-compiled the FIPS object module and then the OpenSSL library as follows (to summarize):

export FIPS_SIG=<my_path>/incore
./config fips --with-fipsdir=<my_path>/fips-2.0
make depend
make
make install

      

I have done all the necessary steps, so I can compile and install the library.
The problem occurs when I try to run the API FIPS_mode_set(1) from an application linking the OpenSSL library.
FIPS mode initialization fails with this error:

2010346568:error:2D06B06F:lib(45):func(107):reason(111):NA:0:

      

Debugging the FIPS code, I found the problem is inside the function FIPS_check_incore_fingerprint(void): the validation memcmp(FIPS_signature,sig,sizeof(FIPS_signature)) fails.
Going deeper into debugging, I found that the FIPS_signature value remains at the default, so I suspect that the script called by fipsld does not embed the fingerprint correctly inside the OpenSSL shared object.
How can I check whether the script embedded the fingerprint inside the shared object?
How do I print the expected fingerprint?
Do I need to adapt the script? (I assume this is not allowed)
Do you have a suggestion?
Many thanks!

PS: I am cross-compiling with an x86 Linux machine.

+3


1 answer


I found the problem! I will try to explain the whole debugging process and solution.

Introduction:

When OpenSSL is configured to work with FIPS, at compile time the Makefile calls the fipsld utility, which performs FIPS Object Module validation and generates a new HMAC-SHA-1 digest for the executable application (as described in the official OpenSSL User Guide, https://www.openssl.org/docs/fips/UserGuide-2.0.pdf).
The fipsld command requires the CC and FIPSLD_CC environment variables to be set, with the latter taking precedence.
You will find something like this in the Makefile:

libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
    @if [ "$(SHLIB_TARGET)" != "" ]; then \
        if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
            FIPSLD_LIBCRYPTO=libcrypto.a ; \
            FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
            export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
        fi; \
        $(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
        (touch -c fips_premain_dso$(EXE_EXT) || :); \
    else \
        echo "There no support for shared libraries on this platform" >&2; \
        exit 1; \
    fi

      

The fipsld utility then calls the wrapper script, incore, which is used to embed the expected FIPS module fingerprint into the OpenSSL shared object. It is important to specify the incore path through the FIPS_SIG env variable, for example:

export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore

      

DEBUGGING:

Debugging the incore script, I saw that the script was trying to insert the signature into the shared object at offset 0x001EE6B0, while the FIPS_signature symbol inside the shared object was located at a different offset, more specifically at 0x001F0630:

objdump -t libcrypto.so.1.0.0 | grep FIPS_signature
001f0630 g     O .data  00000014              FIPS_signature

readelf -a libcrypto.so.1.0.0 | grep FIPS_signature
   870: 001f0630    20 OBJECT  GLOBAL DEFAULT   18 FIPS_signature
  3925: 001f0630    20 OBJECT  GLOBAL DEFAULT   18 FIPS_signature

      

Also, when dumping the shared object, I could not find the generated signature at offset 0x001EE6B0, so I concluded that the shared object was edited after the signature embedding procedure by some other process.



SOLUTION:

I used the Makefile for the OpenSSL package, formatted like this:

$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
    <options> \
    all
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
    <options> \
    build-shared
rm $(PKG_BUILD_DIR)/libssl.so.*.*.*
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
    <options> \
    do_linux-shared
$(MAKE) -C $(PKG_BUILD_DIR) \
    <options> \
    install

      

As expected, make build-shared and make do_linux-shared are responsible for incorrectly modifying the shared object.
NOTE that make build-shared is called without using the appropriate environment variables.

I changed the package Makefile:

$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
    <options> \
    all
$(MAKE) -C $(PKG_BUILD_DIR) \
    <options> \
    install

      

The function FIPS_check_incore_fingerprint(void) now returns with success and everything works fine!

Note:

The following guide for Android devices was very helpful in finding the right solution. https://wiki.openssl.org/index.php/FIPS_Library_and_Android

+2
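
Added example, not part of the original answer or of OpenSSL: the objdump/readelf check from the DEBUGGING section done in Python, resolving FIPS_signature in an ELF32 image and returning its position in the file together with the bytes currently stored there. objdump and readelf print the symbol's virtual address, so the code maps it through the owning section to a file offset. Assumptions: only ELF32 is handled, and `build_sample`, the section base 0x001F0000 and the signature bytes are constructed for the demo.

```python
import struct

SHT_SYMTAB, SHT_DYNSYM = 2, 11

def locate_symbol(elf, name=b"FIPS_signature"):
    """Return (file_offset, current_bytes) of `name` in an ELF32 image, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    e = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    shoff, = struct.unpack_from(e + "I", elf, 0x20)
    shentsize, shnum = struct.unpack_from(e + "HH", elf, 0x2E)
    secs = [struct.unpack_from(e + "10I", elf, shoff + i * shentsize)
            for i in range(shnum)]
    for _, sh_type, _, _, off, size, link, _, _, entsize in secs:
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off = secs[link][4]       # sh_offset of the linked string table
        for pos in range(off, off + size, entsize or 16):
            st_name, value, st_size, _, _, shndx = struct.unpack_from(
                e + "IIIBBH", elf, pos)
            start = str_off + st_name
            named = elf[start:elf.index(b"\0", start)] == name
            if not named or shndx == 0 or shndx >= shnum:  # undefined/special
                continue
            # st_value is a virtual address: map it through its section's
            # sh_addr/sh_offset to get the position in the file on disk.
            file_off = secs[shndx][4] + (value - secs[shndx][3])
            return file_off, elf[file_off:file_off + st_size]
    return None

def build_sample(sig, e="<"):
    """Constructed ELF32 image (not a real libcrypto): .data, .symtab, .strtab."""
    strtab = b"\0FIPS_signature\0"
    data = bytes(0x630) + sig                  # symbol sits 0x630 into .data
    syms = bytes(16) + struct.pack(e + "IIIBBH", 1, 0x001F0630, len(sig), 0x11, 0, 1)
    s_off = 0x34 + len(data)                   # .data starts right after the header
    t_off = s_off + len(syms)
    ident = b"\x7fELF" + bytes([1, 1 if e == "<" else 2, 1]) + bytes(9)
    hdr = ident + struct.pack(e + "HHIIIIIHHHHHH", 3, 8, 1, 0, 0,
                              t_off + len(strtab), 0, 0x34, 0, 0, 40, 4, 0)
    sh = lambda *f: struct.pack(e + "10I", *f)
    return (hdr + data + syms + strtab + sh(*[0] * 10)
            + sh(0, 1, 3, 0x001F0000, 0x34, len(data), 0, 0, 4, 0)
            + sh(0, SHT_SYMTAB, 0, 0, s_off, len(syms), 3, 1, 4, 16)
            + sh(0, 3, 0, 0, t_off, len(strtab), 0, 0, 1, 0))

if __name__ == "__main__":
    off, sig = locate_symbol(build_sample(bytes(range(20)), ">"))
    print(f"FIPS_signature at file offset {off:#x}: {sig.hex()}")
```

Running `locate_symbol` on the library right after the link step and again on the installed file shows whether the offset or the stored bytes changed between the two.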

