Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode


 



Assuming your OpenSSL library is already FIPS capable, you need to build and link with the FIPS container library to enable the integrity check in your app.

Details are in section C.1 of the FIPS user guide at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf


On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

Re: openssl-1.0.2r

Re: openssl-fips-2.0.16

OS: Linux Mint 19.1 (Ubuntu)

 

I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate it (i.e., call FIPS_mode_set(1)).

 

#include <openssl/fips.h>   /* FIPS_mode_set(), FIPS_selftest_check() */

/* Shared-library initializer: runs when libcrypto.so is loaded, before main(). */
void __attribute__((constructor)) ForceFIPSModeOn(void)
{
   FIPS_mode_set(1);       /* enter FIPS mode; runs the POST, including the incore integrity check */
   FIPS_selftest_check();  /* dies with "FATAL FIPS SELFTEST FAILURE" if any selftest has failed */
}

 

The build fails shortly after creating the executable ‘fips_premain_dso’.

 

fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

Aborted (core dumped)

 

I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:

 

Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
 failed FIPS_check_incore_fingerprint

 

I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue?

 

If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.

 

How can I get my module initializer to pass the selftest?

 

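The failed FIPS_check_incore_fingerprint in the quoted report and the fipsld/fips_premain_dso linking step that section C.1 of the User Guide describes both hinge on the same two-phase mechanism: the fingerprint is computed and embedded after linking, and the runtime check recomputes it and compares. The following is an added example, not code from openssl-fips or from either poster, that models the check in Python so it runs without OpenSSL. What is taken from the real module is the algorithm (HMAC-SHA-1 with the fixed key "etaonrishdlcupfm") and the 20-byte signature size; the Module class, the byte layout and the sample "code" bytes are constructed stand-ins.

```python
"""Model of the FIPS 2.0 incore integrity check (added example, not module code)."""
import hashlib
import hmac

FIPS_HMAC_KEY = b"etaonrishdlcupfm"   # fixed key used by the module's incore HMAC
SIG_LEN = 20                          # HMAC-SHA-1 digest / embedded signature size


class Module:
    """Constructed stand-in for a loaded libcrypto.so image (assumption: flat layout)."""

    def __init__(self, text: bytes) -> None:
        self.text = text
        # Until the build step patches it in, the signature slot holds only a
        # placeholder. Anything that runs the check at that point sees this value.
        self.signature = bytes(SIG_LEN)


def incore_fingerprint(mod: Module) -> bytes:
    """HMAC-SHA-1 over the covered region (here modeled as all of mod.text)."""
    return hmac.new(FIPS_HMAC_KEY, mod.text, hashlib.sha1).digest()


def check_incore_fingerprint(mod: Module) -> bool:
    """The runtime check: recompute the fingerprint and compare in constant time."""
    return hmac.compare_digest(incore_fingerprint(mod), mod.signature)


def embed_fingerprint(mod: Module) -> None:
    """Build-time step (fips_premain_dso/fipsld in the real tree): compute once, embed."""
    mod.signature = incore_fingerprint(mod)


def build_and_check(text: bytes) -> dict:
    """Walk the lifecycle and report the outcome of the check at each stage."""
    mod = Module(text)
    results = {}
    # 1. A check run while the signature is still the placeholder fails.
    results["before_embed"] = check_incore_fingerprint(mod)
    # 2. After the signature is embedded, the same check passes.
    embed_fingerprint(mod)
    results["after_embed"] = check_incore_fingerprint(mod)
    # 3. Any change to the covered bytes afterwards breaks the match.
    tampered = Module(text[:-1] + bytes([text[-1] ^ 0x01]))
    tampered.signature = mod.signature
    results["after_tamper"] = check_incore_fingerprint(tampered)
    return results


if __name__ == "__main__":
    sample = b"constructed stand-in for .text/.rodata"   # constructed input
    for stage, ok in build_and_check(sample).items():
        print(f"{stage:13s}: {'passed' if ok else 'failed'} FIPS_check_incore_fingerprint")
```

The model deliberately keeps the signature slot outside the hashed bytes; in the real module the covered region and the placement of the embedded value are determined by fips_premain_dso and the linker, so treat the layout here as illustrative only.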

 

