<div dir="ltr">Assuming your OpenSSL library is already FIPS capable you need to build and link with the FIPS container library enable the integrity check in your app.<div><br></div><div>Details are in section C.1 of the FIPS user guide at <a href="https://www.openssl.org/docs/fips/UserGuide-2.0.pdf">https://www.openssl.org/docs/fips/UserGuide-2.0.pdf</a></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <<a href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-3304074819742590777WordSection1">
<p class="MsoNormal">Re: openssl-1.0.2r</p>
<p class="MsoNormal">Re: openssl-fips-2.0.16</p>
<p class="MsoNormal">OS: Linux Mint 19.1 (Ubuntu)</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).
</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">void __attribute__((constructor)) ForceFIPSModeOn()</p>
<p class="MsoNormal" style="margin-left:0.5in">{</p>
<p class="MsoNormal" style="margin-left:0.5in"> FIPS_mode_set(1);</p>
<p class="MsoNormal" style="margin-left:0.5in"> FIPS_selftest_check();</p>
<p class="MsoNormal" style="margin-left:0.5in">}</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The build fails shortly after creating the executable ‘fips_premain_dso’.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:0.5in">fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE</p>
<p class="MsoNormal" style="margin-left:0.5in">Aborted (core dumped)</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-left:0.5in"><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif;background:rgb(252,209,22)">Starting FIPS_selftest</span><span style="font-size:10.5pt;font-family:"Segoe UI",sans-serif"><br>
<span style="background:rgb(252,209,22)">fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
</span><br>
<span style="background:rgb(252,209,22)">imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
</span><br>
<span style="background:rgb(252,209,22)"> failed FIPS_check_incore_fingerprint</span><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">How can I get my module initializer to pass the selftest?</p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986" target="_blank">
Mail</a> for Windows 10</p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</blockquote></div>