[openssl-users] Forcing the FIPS module to fail (no way)

Dr. Stephen Henson steve at openssl.org
Tue Sep 1 17:53:01 UTC 2015

On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:

> Hi there, I'd like to know how to make fail some application compiled
> with the FIPS module, I need to make that test for a certification
> process but my tests doesn't get the application fail.
> When some application is compiled with fipscanister.o  it stores
> inside the application a FIPS_signature. Then, when the application
> calls to FIPS_mode_set(1) that HMAC-SHA1 signature is checked and if
> the application binary has been modified it will lead to an error.
> But I'm not able to generate that error. To test it, I compiled
> openssl with fips support , then I started FIPS mode, brutally changed
> some random bits in the apps/openssl binary, and then I tried a simple
> hash1:
> server:~/openssl-1.0.1p# export OPENSSL_FIPS=1
> server:~/openssl-1.0.1p# vi apps/openssl
> server:~/openssl-1.0.1p# apps/openssl sha1 NEWS
> SHA1(NEWS)= 163e5a1ff9b2b06dafdc8783ce91c4d0a49f55db
> Why it is not failing? The fips self-tests should show some kind of
> error, AFAIK. (obviously I can easily get a segfault, but that's not
> what I want).

The FIPS signature checks for changes in the FIPS module code itself not
the whole binary. So if you change some code that isn't part of the FIPS
module the integrity test will not fail.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list