<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Re: openssl-1.0.2r</p>
<p class="MsoNormal">Re: openssl-fips-2.0.16</p>
<p class="MsoNormal">OS: Linux Mint 19.1 (Ubuntu)</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).
</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">void __attribute__((constructor)) ForceFIPSModeOn()</p>
<p class="MsoNormal" style="margin-left:.5in">{</p>
<p class="MsoNormal" style="margin-left:.5in"> FIPS_mode_set(1);</p>
<p class="MsoNormal" style="margin-left:.5in"> FIPS_selftest_check();</p>
<p class="MsoNormal" style="margin-left:.5in">}</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The build fails shortly after creating the executable ‘fips_premain_dso’.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE</p>
<p class="MsoNormal" style="margin-left:.5in">Aborted (core dumped)</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;background:#FCD116">Starting FIPS_selftest</span><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif"><br>
<span style="background:#FCD116">fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</span><br>
<span style="background:#FCD116">imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
</span><br>
<span style="background:#FCD116"> failed FIPS_check_incore_fingerprint</span><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">How can I get my module initializer to pass the selftest?</p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986">
Mail</a> for Windows 10</p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>