Trying to use a ((constructor)) to force libcrypto.so into FIPS mode
Larry Jordan
lj at acronisscs.com
Thu Jun 6 21:34:28 UTC 2019
Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to initiate it directly (i.e., call FIPS_mode_set(1)).
/* Added to cryptlib.c. Runs when libcrypto.so is loaded, before main().
 * FIPS_mode_set() is declared in <openssl/crypto.h>; FIPS_selftest_check()
 * comes from the FIPS module headers (<openssl/fips.h>). */
void __attribute__((constructor)) ForceFIPSModeOn(void)
{
    FIPS_mode_set(1);        /* enter FIPS mode; runs the POST/self-tests */
    FIPS_selftest_check();   /* abort if the self-tests did not pass */
}
The build fails shortly after creating the executable ‘fips_premain_dso’.
fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:
Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
failed FIPS_check_incore_fingerprint
I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue?
If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.
How can I get my module initializer to pass the selftest?
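The post asks whether a shared-library constructor can run before the embedded signature is in place. The following stand-alone C program is an added illustration of the ordering property only; it is not code from the original post or from OpenSSL, and it does not claim to diagnose the failure above. The 20-byte "signature" buffer, its placeholder contents and the fingerprint bytes are constructed for this demonstration and are not OpenSSL's FIPS_signature or fingerprint.

```c
/* Added example: a __attribute__((constructor)) runs when the object is
 * loaded, before main(), so anything main() (or code it calls) writes into a
 * global is not yet visible to the constructor. All values below are
 * constructed stand-ins for the demonstration. */
#include <stdio.h>
#include <string.h>

#define SIG_LEN 20

/* Constructed placeholder pattern: "nothing embedded yet". */
static const unsigned char placeholder[SIG_LEN] = { 0x00, 0xff, 0x00 };

/* The "embedded signature" a load-time check would want to validate.
 * It starts out holding the placeholder, like an unfilled slot. */
static unsigned char signature[SIG_LEN] = { 0x00, 0xff, 0x00 };

/* What the constructor observed, and whether it ran at all. */
static unsigned char seen_by_ctor[SIG_LEN];
static int ctor_ran = 0;

/* Returns 1 if sig still holds the placeholder, 0 otherwise. */
int signature_is_placeholder(const unsigned char *sig)
{
    return memcmp(sig, placeholder, SIG_LEN) == 0;
}

/* Load-time initializer: snapshots the signature as it exists at load time. */
static void __attribute__((constructor)) ctor_check(void)
{
    memcpy(seen_by_ctor, signature, SIG_LEN);
    ctor_ran = 1;
}

/* Stand-in for a later step that fills the slot with a real value.
 * Copies up to SIG_LEN bytes of fp; shorter inputs are zero-padded. */
void embed_signature(const unsigned char *fp, size_t len)
{
    memset(signature, 0, SIG_LEN);
    memcpy(signature, fp, len < SIG_LEN ? len : SIG_LEN);
}

/* 1 if the constructor ran and saw only the placeholder. */
int ctor_saw_placeholder(void)
{
    return ctor_ran && signature_is_placeholder(seen_by_ctor);
}

int main(void)
{
    /* Constructed fingerprint bytes for the demo. */
    const unsigned char fp[SIG_LEN] = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02 };

    printf("constructor saw placeholder: %s\n",
           ctor_saw_placeholder() ? "yes" : "no");
    embed_signature(fp, SIG_LEN);
    printf("after embedding, slot is placeholder: %s\n",
           signature_is_placeholder(signature) ? "yes" : "no");
    return 0;
}
```

Build with `cc -o ctor_order ctor_order.c` and run it: the constructor reports the placeholder even though main() later fills the slot, because the constructor had already executed by the time main() started. The same ordering applies to a constructor inside a shared object that an executable links against: it runs during loading, before that executable's main().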