Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).
void __attribute__((constructor)) ForceFIPSModeOn()
{
FIPS_mode_set(1);
FIPS_selftest_check();
}
The build fails shortly after creating the executable ‘fips_premain_dso’.
fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:
Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
failed FIPS_check_incore_fingerprint
I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.
If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.
How can I get my module initializer to pass the selftest?
Sent from Mail for Windows 10
