Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to initiate it directly (i.e. call FIPS_mode_set(1)).
    #include <openssl/crypto.h>   /* FIPS_mode_set() */
    #include <openssl/fips.h>     /* FIPS_selftest_check() */

    /* Runs when libcrypto.so is loaded, before any application code. */
    void __attribute__((constructor)) ForceFIPSModeOn(void)
    {
        FIPS_mode_set(1);        /* runs the POSTs, including the in-core fingerprint check */
        FIPS_selftest_check();   /* aborts the process if a self-test has failed */
    }
The build fails shortly after creating the executable ‘fips_premain_dso’.
fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:
Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
failed FIPS_check_incore_fingerprint
I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue?
If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.
How can I get my module initializer to pass the selftest?
Sent from Mail for Windows 10
Assuming your OpenSSL library is already FIPS capable, you need to build and link with the FIPS container library to enable the integrity check in your app.
Details are in section C.1 of the FIPS user guide at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <openssl-users@xxxxxxxxxxx> wrote: