[openssl-users] Forcing the FIPS module to fail (no way)

Alberto Roman Linacero aroman at alienvault.com
Tue Sep 1 17:28:35 UTC 2015

Hi there, I'd like to know how to make fail some application compiled
with the FIPS module, I need to make that test for a certification
process but my tests doesn't get the application fail.

When some application is compiled with fipscanister.o  it stores
inside the application a FIPS_signature. Then, when the application
calls to FIPS_mode_set(1) that HMAC-SHA1 signature is checked and if
the application binary has been modified it will lead to an error.

But I'm not able to generate that error. To test it, I compiled
openssl with fips support , then I started FIPS mode, brutally changed
some random bits in the apps/openssl binary, and then I tried a simple

server:~/openssl-1.0.1p# export OPENSSL_FIPS=1
server:~/openssl-1.0.1p# vi apps/openssl
server:~/openssl-1.0.1p# apps/openssl sha1 NEWS
SHA1(NEWS)= 163e5a1ff9b2b06dafdc8783ce91c4d0a49f55db

Why it is not failing? The fips self-tests should show some kind of
error, AFAIK. (obviously I can easily get a segfault, but that's not
what I want).

Also, editing the openssl binary I can see the etaonrishdlcupfm signature.

Then, I tried a similar thing with stunnel4, that links to a
libcrypto.so.1.0.0 compiled with fips support (that file also has the
etaonrishdlcupfm signature). I modified some bits in the
libcrypto.so.1.0.0 file and stunnel is not giving any error, its log
says that it enters into FIPS mode correctly.

So, why is not the FIPS module failing to start? Why it doesn't alerts
me about the application manipulation?

Thanks in advance and best regards,


More information about the openssl-users mailing list