2 files changed, 11 insertions, 1 deletions

diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
index 9c30836..ffae5e9 100644
--- a/util/fipstools/inject_hash/inject_hash.go
+++ b/util/fipstools/inject_hash/inject_hash.go
@@ -242,6 +242,9 @@ func do(outPath, oInput string, arInput string) error {
 		return errors.New("found two occurrences of uninitialised hash value in object file")
 	}
 
+	if _, exists := os.LookupEnv("BORINGSSL_FIPS_SHOW_HASH"); exists {
+		fmt.Printf("Module hash: %x\n", calculated)
+	}
 	copy(objectBytes[offset:], calculated)
 
 	return os.WriteFile(outPath, objectBytes, perm&0777)
diff --git a/util/fipstools/test_fips.c b/util/fipstools/test_fips.c
index bd0ec46..af01bfc 100644
--- a/util/fipstools/test_fips.c
+++ b/util/fipstools/test_fips.c
@@ -55,9 +55,16 @@ int main(int argc, char **argv) {
     printf("No module version set\n");
     goto err;
   }
-  printf("Module: '%s', version: %" PRIu32 "\n", FIPS_module_name(),
+  printf("Module: '%s', version: %" PRIu32 " hash:\n", FIPS_module_name(),
          module_version);
 
+#if !defined(OPENSSL_ASAN)
+  hexdump(FIPS_module_hash(), SHA256_DIGEST_LENGTH);
+#else
+  printf("(not available when compiled for ASAN)");
+#endif
+  printf("\n");
+
   static const uint8_t kAESKey[16] = "BoringCrypto Key";
   static const uint8_t kPlaintext[64] =
       "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!";