Re: FIPS_mode_set(1) failing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
> Of murugesh pitchaiah
>
> On 3/6/18, Ken Goldman <kgoldman@xxxxxxxxxx> wrote:
> > This call fails on two platforms with:
> >
> > fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS
> > SELFTEST FAILURE
> 
> On invoking FIPS_mode_set(1), the self test would be run internally
> first. The test would be run for all modules like dsa, rsa, rng, etc.
> This error indicates a failure in any of these self test run.

Also note that the OpenSSL FIPS validations are for specific platforms. OpenSSL FIPS has not been validated on every platform that OpenSSL can be built on (that would be infeasible). The FIPS 140-2 Level 1 self-test is sensitive to build and load conditions, so it's entirely possible that it fails on some platforms where the work hasn't been done to get the FIPS container to the state where it will pass validation. At least that's my understanding; I'm not a FIPS 140 expert.

In any case, if OpenSSL doesn't have an active FIPS 140-2 validation for the "two platforms" Ken mentioned, then there's not much point in getting the self-test to pass. Even in FIPS mode OpenSSL won't be FIPS-validated on that platform and products using it can't claim they have FIPS-validated cryptography.

That said, I know some developers and customers want "FIPS mode" even when there is no FIPS validation, sometimes to suppress algorithms they don't want used, and sometimes just to check a tickbox. While I don't approve (FIPS 140-2 is badly outdated and ill-suited to software implementations, and a distraction from real security), this is sometimes a requirement.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux