[openssl-users] Forcing the FIPS module to fail (no way)

Alberto Roman Linacero aroman at alienvault.com
Wed Sep 2 18:35:34 UTC 2015

Yep, I understand now. I thought that the whole binary file
application was signed, and not only the FIPS module part.

I already did some tests (with that string and also in different parts
of the code that belongs to the fipscanister.o), and it -correctly-

server:~# export OPENSSL_FIPS=1
server:~# openssl sha1 testfile
routines:FIPS_check_incore_fingerprint:fingerprint does not

Thanks a lot!!

2015-09-02 20:16 GMT+02:00 Dr. Stephen Henson <steve at openssl.org>:
> On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:
>> So, is it possible at runtime to know if the FIPS module code has been
>> changed after compiling? I mean, after openssl has been compiled
>> with the FIPS Object Module (./config fips & make & make install), the
>> 4 files in the FIPS Object Module (fipscanister* and so on) don't
>> need to be in the final system for the application (openssl,
>> for instance) to work.
>> Is there any way to know, at runtime, that the FIPS Object Module code
>> has not been changed?
> Yes, the integrity test will fail.
> Just to clarify. When you link the FIPS module, part of the code will
> correspond to the application (which may be OpenSSL itself or the
> OpenSSL shared library) and part of it will be the FIPS module code from
> fipscanister.o. If you change the part of the binary corresponding to
> fipscanister.o the integrity test will fail; if you change the part of the
> binary outside fipscanister.o it won't.
> For example, there is a version string which says something like "FIPS 2.0.10
> validated module 14 May 2015"; try changing that.
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available, see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Alberto Román

Engineering team

Mobile:  +34 605804179
Phone: + 91 5151344
Email: aroman at alienvault.com
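The behaviour Steve describes above (only the bytes that came from fipscanister.o are covered by the in-core fingerprint; the rest of the binary is not) is easiest to see on a toy model. The following is an added example written for this page, not code from the thread or from OpenSSL: a constructed byte string stands in for the linked binary, the HMAC key is a placeholder (the real module's key, section layout and fingerprint location differ), and the version strings inside it are sample data. It also shows the limit of any in-core check whose key ships with the binary: whoever can rewrite the module bytes and recompute the fingerprint passes the test.

```python
"""Toy model of an in-core integrity test over an embedded module region.

Added example: not the OpenSSL FIPS module's real code, key or layout.
"""
import hashlib
import hmac

# Placeholder key (assumption: a stand-in, not the module's real key).
TOY_KEY = b"toy-integrity-key"
FP_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1

# Constructed stand-in for the linked binary. Only MODULE_CODE plays the
# part of fipscanister.o; the prefix and suffix stand for the application.
APP_PREFIX = b"app-startup-code........"
MODULE_CODE = (b"fips-module-text........"
               b"FIPS 2.0.10 validated module 14 May 2015"
               b"fips-module-rodata......")
APP_SUFFIX = b"app-other-code..........OpenSSL 1.0.2d 9 Jul 2015"


def fingerprint(module_bytes, key=TOY_KEY):
    """HMAC-SHA1 over the module region only."""
    return hmac.new(key, module_bytes, hashlib.sha1).digest()


def link_image(prefix, module, suffix, key=TOY_KEY):
    """Lay out prefix | module | fingerprint | suffix.

    Returns the image and the (start, end) range of the hashed module bytes.
    The stored fingerprint sits just after the range and is not hashed itself.
    """
    start = len(prefix)
    end = start + len(module)
    return prefix + module + fingerprint(module, key) + suffix, (start, end)


def check_incore_fingerprint(image, module_range, key=TOY_KEY):
    """Recompute the fingerprint over the module range and compare it
    with the copy stored in the image, in constant time."""
    start, end = module_range
    stored = image[end:end + FP_LEN]
    return hmac.compare_digest(fingerprint(image[start:end], key), stored)


def patch_bytes(image, offset, data):
    """Overwrite bytes in place, the way a hex editor would (length unchanged)."""
    if offset < 0 or offset + len(data) > len(image):
        raise ValueError("patch outside image")
    return image[:offset] + data + image[offset + len(data):]


def run_scenarios():
    """Return {scenario: integrity test passed?} for the cases in the thread."""
    image, rng = link_image(APP_PREFIX, MODULE_CODE, APP_SUFFIX)
    results = {"pristine": check_incore_fingerprint(image, rng)}

    # 1. Edit the FIPS version string: it lives inside the module region.
    off = image.index(b"FIPS 2.0.10")
    tampered = patch_bytes(image, off, b"FIPS 2.0.11")
    results["module_version_string"] = check_incore_fingerprint(tampered, rng)

    # 2. Edit an application string: outside the hashed region, so undetected.
    off = image.index(b"OpenSSL 1.0.2d")
    tampered = patch_bytes(image, off, b"OpenSSL 9.9.9x")
    results["app_version_string"] = check_incore_fingerprint(tampered, rng)

    # 3. Edit the module AND recompute the stored fingerprint with the key
    #    embedded in the binary: the check cannot tell this from pristine.
    start, end = rng
    off = image.index(b"FIPS 2.0.10")
    tampered = patch_bytes(image, off, b"FIPS 2.0.11")
    tampered = patch_bytes(tampered, end, fingerprint(tampered[start:end]))
    results["refingerprinted"] = check_incore_fingerprint(tampered, rng)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24s} integrity test {'passed' if ok else 'FAILED'}")
```

Scenarios 1 and 2 reproduce the two outcomes in the thread: the "FIPS 2.0.10 validated module" string is module data and editing it trips the check, while an application-side edit does not. Scenario 3 is the practitioner's caveat: the in-core test detects unintended modification of the validated code, it is not a defence against someone who can write the binary and knows the fingerprint key.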
