Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

J Decker d3ck0r at gmail.com
Fri Jun 7 17:37:32 UTC 2019


On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <
openssl-users at openssl.org> wrote:

> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
> OpenSSL into FIPS mode, without requiring a “module operator” to directly
> initiate (i.e. call FIPS_mode_set(1)).
>
>
>
> void __attribute__((constructor)) ForceFIPSModeOn()
> {
>    FIPS_mode_set(1);
>    FIPS_selftest_check();
> }
>
>
>
> The build fails shortly after creating the executable ‘fips_premain_dso’.
>
>
>
> fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST
> FAILURE
>
> Aborted (core dumped)
>

I'm gonna guess that this is calling a function before OpenSSL is
initialized... did you also move your init code to a constructor?


>
>
> I traced the problem to a failed FIPS_check_incore_fingerprint call. The
> embedded signature appears uninitialized:
>
>
>
> Starting FIPS_selftest
> fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
>  failed FIPS_check_incore_fingerprint
>
>
>
> I am at a loss to explain what is happening. Is my initializer running
> before the embedded sig is loaded? Or is there another issue?
>
>
>
> If I remove the call to FIPS_selftest_check(), the link completes, but the
> selftest still fails, when it is initiated from the initializer. A “module
> operator” can still use the libcrypto.so services, because all subsequent
> selftests pass.
>
>
>
> How can I get my module initializer to pass the selftest?
>
>
>
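The ordering question raised in the reply above can be checked directly. This is an added example, not code from the thread and not OpenSSL code: it uses GCC/Clang constructor priorities to record what an initializer observes before and after a separate init routine has run. `lib_init`, `selftest_stub` and the `force_mode_*` functions are hypothetical stand-ins for the library's setup and its self-test.

```c
#include <stdio.h>

/* Hypothetical stand-in for library state that a self-test depends on. */
static int lib_initialized;

/* What each forcing constructor observed: -1 means it never ran. */
static int early_saw = -1, late_saw = -1;
static int run_order[3], run_count;

/* Stand-in self-test: returns 1 only once the library has been set up. */
static int selftest_stub(void) { return lib_initialized ? 1 : 0; }

/* Priorities 0-100 are reserved for the implementation; lower values run
 * first, and constructors with no priority run after all prioritized ones. */
__attribute__((constructor(101))) static void force_mode_early(void)
{
    run_order[run_count++] = 101;
    /* Record the result instead of aborting, so the process still loads
     * and the failure can be inspected afterwards. */
    early_saw = selftest_stub();
}

__attribute__((constructor(102))) static void lib_init(void)
{
    run_order[run_count++] = 102;
    lib_initialized = 1;
}

__attribute__((constructor(103))) static void force_mode_late(void)
{
    run_order[run_count++] = 103;
    late_saw = selftest_stub();
}

int early_result(void) { return early_saw; }
int late_result(void)  { return late_saw; }
int nth_constructor(int i)
{
    return (i >= 0 && i < run_count) ? run_order[i] : -1;
}

int main(void)
{
    printf("order: %d %d %d\n", run_order[0], run_order[1], run_order[2]);
    printf("early self-test: %d, late self-test: %d\n", early_saw, late_saw);
    return 0;
}
```

Built with `gcc` or `clang`, the early constructor sees the stub self-test fail and the late one sees it pass, which is the symptom an initializer running too soon would produce.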

