Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

Re: openssl-1.0.2r

Re: openssl-fips-2.0.16

OS: Linux Mint 19.1 (Ubuntu)

 

I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).

 

void __attribute__((constructor)) ForceFIPSModeOn()
{
   FIPS_mode_set(1);
   FIPS_selftest_check();
}

 

The build fails shortly after creating the executable ‘fips_premain_dso’.

 

fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

Aborted (core dumped)

 
I'm gonna guess that this is calling a function before OpenSSL is initialized... did you also move your init code to a constructor?
 

 

I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:

 

Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
 failed FIPS_check_incore_fingerprint

 

I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue?

 

If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.

 

How can I get my module initializer to pass the selftest?

 

Sent from Mail for Windows 10
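
A toy model of the comparison shown in the trace above, added here as an illustration; it is not code from the thread or from OpenSSL. It assumes the signature slot still holds a placeholder when the load-time initializer runs and is filled in by a later step; the slot contents, the image bytes, the FNV-based toy_digest (a stand-in for the real keyed HMAC) and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 20
/* Hypothetical signature slot: holds a build-time placeholder until a later
   build step embeds the real value (assumption, modeled on the trace above). */
static unsigned char embedded_sig[SIG_LEN] = { 0x00, 0xff };
/* Constructed bytes standing in for the fingerprinted module image. */
static const unsigned char module_image[] = "constructed module text and rodata";
static int ctor_result = -1;  /* what the load-time initializer observed */

/* Toy 20-byte digest built on FNV-1a; a stand-in for the real keyed HMAC. */
static void toy_digest(const unsigned char *p, size_t n, unsigned char *out)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < SIG_LEN; i++) {
        for (size_t j = 0; j < n; j++) h = (h ^ p[j]) * 16777619u;
        out[i] = (unsigned char)(h >> 24);
    }
}

/* Returns 1 when the embedded value equals the digest computed in memory. */
int check_incore_fingerprint(void)
{
    unsigned char imem[SIG_LEN];
    toy_digest(module_image, sizeof module_image, imem);
    return memcmp(embedded_sig, imem, SIG_LEN) == 0;
}

/* Models the later step that writes the computed signature into the slot. */
void embed_signature(void)
{
    toy_digest(module_image, sizeof module_image, embedded_sig);
}

/* Runs at load time, before main(); records the result instead of aborting. */
static void __attribute__((constructor)) force_mode_on(void)
{
    ctor_result = check_incore_fingerprint();
}
int constructor_result(void) { return ctor_result; }

int main(void)
{
    printf("check at load time: %d\n", constructor_result());
    embed_signature();
    printf("check after embedding: %d\n", check_incore_fingerprint());
}
```

In this model the constructor's recorded result stays at failure even though every check made after the slot is filled succeeds, which is why an initializer that must not abort should record the outcome and let the caller re-run the check.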

 

