Trying to use a ((constructor)) to force libcrypto.so into FIPS mode
Andrew Tucker
andrew.tucker at salesforce.com
Fri Jun 7 17:34:26 UTC 2019
Assuming your OpenSSL library is already FIPS capable you need to build and
link with the FIPS container library enable the integrity check in your app.
Details are in section C.1 of the FIPS user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <
openssl-users at openssl.org> wrote:
> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
> OpenSSL into FIPS mode, without requiring a “module operator” to directly
> initiate (i.e. call FIPS_mode_set(1)).
>
>
>
> void __attribute__((constructor)) ForceFIPSModeOn()
>
> {
>
> FIPS_mode_set(1);
>
> FIPS_selftest_check();
>
> }
>
>
>
> The build fails shortly after creating the executable ‘fips_premain_dso’.
>
>
>
> fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST
> FAILURE
>
> Aborted (core dumped)
>
>
>
> I traced the problem to a failed FIPS_check_incore_fingerprint call. The
> embedded signature appears uninitialized:
>
>
>
> Starting FIPS_selftest
> fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
> failed FIPS_check_incore_fingerprint
>
>
>
> I am at a loss to explain what is happening. Is my initializer running
> before the embedded sig is loaded? Or is there another issue.
>
>
>
> If I remove the call to FIPS_selftest_check(), the link completes, but the
> selftest still fails, when it is initiated from the initializer. A “module
> operator” can still use the libcrypto.so services, because all subsequent
> selftests pass.
>
>
>
> How can I get my module initializer to pass the selftest?
>
>
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190607/712679e0/attachment-0001.html>
More information about the openssl-users
mailing list