FIPS_mode_set(1) failing

FIPS_mode_set(1) failing

Ken Goldman-2
This call fails on two platforms with:

fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS
SELFTEST FAILURE

         (or line 139)

The openssl installs are:

OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.2g-fips 1 Mar 2016

Any hints?  Do I have to call a self test before entering FIPS mode?

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: FIPS_mode_set(1) failing

Murugesh
Hi,

On invoking FIPS_mode_set(1), the self-test would be run internally
first. The test would be run for all modules like dsa, rsa, rng, etc.
This error indicates a failure in any of these self-test runs.

Try to view the "FIPSerr", which could show you which module's test
actually failed, so you can take the necessary action.

Thanks,
Murugesh P.

On 3/6/18, Ken Goldman <[hidden email]> wrote:

> This call fails on two platforms with:
>
> fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS
> SELFTEST FAILURE
>
>          (or line 139)
>
> The openssl installs are:
>
> OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL 1.0.2g-fips 1 Mar 2016
>
> Any hints?  Do I have to call a self test before entering FIPS mode?
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
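Added example, not code from the thread or from the OpenSSL project: a small Python script that does what the reply above suggests. It calls FIPS_mode_set(1) through ctypes against whatever libcrypto is installed and then drains the OpenSSL error queue, which is where FIPSerr() entries land, so the library, function and reason behind a failed self-test are decoded instead of only a return code. It assumes a libcrypto that ctypes.util.find_library can locate and the 1.0.x/1.1.x C API names (FIPS_mode_set, FIPS_mode, ERR_get_error, ERR_error_string_n); the Python names (probe_fips_mode, parse_openssl_error, the result keys) are this example's own. Bear in mind the abort in Ken's report: a FIPS-capable 1.0.x build that fails its power-on self-test can terminate the process, so run the probe in a throwaway process rather than inside the application.

```python
"""Probe FIPS_mode_set(1) and decode what the OpenSSL error queue says.

Added example, not from the thread or the OpenSSL project. It drives the
OpenSSL 1.0.x/1.1.x C API (FIPS_mode_set, FIPS_mode, ERR_get_error,
ERR_error_string_n) through ctypes, so no build step is needed. On OpenSSL
3.x FIPS_mode_set no longer exists; the probe reports that instead of raising.
"""
import ctypes
import ctypes.util
from typing import Any, Dict, List

ERR_BUF_LEN = 256  # ERR_error_string_n() wants a buffer of at least 120 bytes


def parse_openssl_error(line: str) -> Dict[str, str]:
    """Split one ERR_error_string_n() line into its fields.

    OpenSSL 1.x prints  error:<code>:<library>:<function>:<reason>
    OpenSSL 3.x prints  error:<code>:<library>::<reason>  (function empty)
    Anything else comes back untouched under "raw".
    """
    parts = line.split(":", 4)
    if len(parts) != 5 or parts[0] != "error":
        return {"raw": line}
    return {"code": parts[1], "library": parts[2],
            "function": parts[3], "reason": parts[4]}


def _symbol(lib: ctypes.CDLL, name: str):
    """Look up an exported function, or None if this libcrypto lacks it."""
    try:
        return getattr(lib, name)
    except AttributeError:
        return None


def drain_error_queue(lib: ctypes.CDLL) -> List[str]:
    """Pop every entry off this thread's OpenSSL error queue, oldest first.

    FIPSerr() in the FIPS module pushes onto the same queue, so after a
    failed FIPS_mode_set(1) this is where the failing self-test is named.
    """
    err_get_error = lib.ERR_get_error
    err_get_error.restype = ctypes.c_ulong
    err_string = lib.ERR_error_string_n
    err_string.argtypes = [ctypes.c_ulong, ctypes.c_char_p, ctypes.c_size_t]
    err_string.restype = None
    buf = ctypes.create_string_buffer(ERR_BUF_LEN)
    lines: List[str] = []
    while True:
        code = err_get_error()
        if code == 0:  # queue is empty
            break
        err_string(code, buf, ERR_BUF_LEN)
        lines.append(buf.value.decode("ascii", "replace"))
    return lines


def probe_fips_mode() -> Dict[str, Any]:
    """Call FIPS_mode_set(1) and report the outcome plus decoded errors.

    Keys (this example's own): available (libcrypto found and FIPS_mode_set
    exported), entered_fips (FIPS_mode_set returned 1), fips_mode (what
    FIPS_mode() reports afterwards, None if not exported), errors (decoded
    queue entries), note (why the probe stopped early, if it did).
    """
    result: Dict[str, Any] = {"available": False, "entered_fips": False,
                              "fips_mode": None, "errors": [], "note": ""}
    path = ctypes.util.find_library("crypto")
    if path is None:
        result["note"] = "no libcrypto found"
        return result
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        result["note"] = f"cannot load {path}: {exc}"
        return result
    fips_mode_set = _symbol(lib, "FIPS_mode_set")
    if fips_mode_set is None:
        result["note"] = f"{path} does not export FIPS_mode_set (OpenSSL 3.x?)"
        return result
    result["available"] = True
    fips_mode_set.argtypes = [ctypes.c_int]
    fips_mode_set.restype = ctypes.c_int
    # 1.0.x needs the reason strings loaded explicitly; 1.1.x does it on demand.
    load_strings = _symbol(lib, "ERR_load_crypto_strings")
    if load_strings is not None:
        load_strings()
    drain_error_queue(lib)  # discard stale entries so only this call is reported
    result["entered_fips"] = fips_mode_set(1) == 1
    result["errors"] = [parse_openssl_error(l) for l in drain_error_queue(lib)]
    fips_mode = _symbol(lib, "FIPS_mode")
    if fips_mode is not None:
        fips_mode.restype = ctypes.c_int
        result["fips_mode"] = bool(fips_mode())
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(probe_fips_mode(), indent=2))
```

Run it as `python3 probe.py` in a scratch process. On a FIPS-capable 1.0.x build the decoded entries name the library and function that raised the error (the FIPS module's own entries appear under the "FIPS routines" library); on a plain 1.0.x/1.1.x build you get the "not supported" reason and `fips_mode` stays false; on 3.x the script only reports that the symbol is absent.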

Re: FIPS_mode_set(1) failing

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of murugesh pitchaiah
>
> On 3/6/18, Ken Goldman <[hidden email]> wrote:
> > This call fails on two platforms with:
> >
> > fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS
> > SELFTEST FAILURE
>
> On invoking FIPS_mode_set(1), the self test would be run internally
> first. The test would be run for all modules like dsa, rsa, rng, etc.
> This error indicates a failure in any of these self test run.

Also note that the OpenSSL FIPS validations are for specific platforms. OpenSSL FIPS has not been validated on every platform that OpenSSL can be built on (that would be infeasible). The FIPS 140-2 Level 1 self-test is sensitive to build and load conditions, so it's entirely possible that it fails on some platforms where the work hasn't been done to get the FIPS container to the state where it will pass validation. At least that's my understanding; I'm not a FIPS 140 expert.

In any case, if OpenSSL doesn't have an active FIPS 140-2 validation for the "two platforms" Ken mentioned, then there's not much point in getting the self-test to pass. Even in FIPS mode OpenSSL won't be FIPS-validated on that platform and products using it can't claim they have FIPS-validated cryptography.

That said, I know some developers and customers want "FIPS mode" even when there is no FIPS validation, sometimes to suppress algorithms they don't want used, and sometimes just to check a tickbox. While I don't approve (FIPS 140-2 is badly outdated and ill-suited to software implementations, and a distraction from real security), this is sometimes a requirement.

--
Michael Wojcik
Distinguished Engineer, Micro Focus


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users