Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

OpenSSL - User mailing list

Re: openssl-1.0.2r

Re: openssl-fips-2.0.16

OS: Linux Mint 19.1 (Ubuntu)

 

I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).

 

void __attribute__((constructor)) ForceFIPSModeOn()

{

   FIPS_mode_set(1);

   FIPS_selftest_check();

}

 

The build fails shortly after creating the executable ‘fips_premain_dso’.

 

fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

Aborted (core dumped)

 

I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:

 

Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
 failed FIPS_check_incore_fingerprint

 

I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.

 

If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.

 

How can I get my module initializer to pass the selftest?

 

Sent from Mail for Windows 10

 

Reply | Threaded
Open this post in threaded view
|

Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

OpenSSL - User mailing list
Assuming your OpenSSL library is already FIPS capable you need to build and link with the FIPS container library enable the integrity check in your app.

Details are in section C.1 of the FIPS user guide at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf


On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <[hidden email]> wrote:

Re: openssl-1.0.2r

Re: openssl-fips-2.0.16

OS: Linux Mint 19.1 (Ubuntu)

 

I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).

 

void __attribute__((constructor)) ForceFIPSModeOn()

{

   FIPS_mode_set(1);

   FIPS_selftest_check();

}

 

The build fails shortly after creating the executable ‘fips_premain_dso’.

 

fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

Aborted (core dumped)

 

I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:

 

Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
 failed FIPS_check_incore_fingerprint

 

I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.

 

If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.

 

How can I get my module initializer to pass the selftest?

 

Sent from Mail for Windows 10

 

Reply | Threaded
Open this post in threaded view
|

Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode

d3x0r
In reply to this post by OpenSSL - User mailing list


On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <[hidden email]> wrote:

Re: openssl-1.0.2r

Re: openssl-fips-2.0.16

OS: Linux Mint 19.1 (Ubuntu)

 

I have added a shared library initializer function to cryptlib.c to force OpenSSL into FIPS mode, without requiring a “module operator” to directly initiate (i.e. call FIPS_mode_set(1)).

 

void __attribute__((constructor)) ForceFIPSModeOn()

{

   FIPS_mode_set(1);

   FIPS_selftest_check();

}

 

The build fails shortly after creating the executable ‘fips_premain_dso’.

 

fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE

Aborted (core dumped)

 
I'm gonna guess that this is calling a function before OpenSSL Is initialized... did you also move your init code to a constructor?
 

 

I traced the problem to a failed FIPS_check_incore_fingerprint call. The embedded signature appears uninitialized:

 

Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
 failed FIPS_check_incore_fingerprint

 

I am at a loss to explain what is happening. Is my initializer running before the embedded sig is loaded? Or is there another issue.

 

If I remove the call to FIPS_selftest_check(), the link completes, but the selftest still fails, when it is initiated from the initializer. A “module operator” can still use the libcrypto.so services, because all subsequent selftests pass.

 

How can I get my module initializer to pass the selftest?

 

Sent from Mail for Windows 10