On Tue, Sep 25, 2012, blaan...@rockwellcollins.com wrote: > I've been using openssl-fips for a couple of years. I'm looking to > upgrade to 2.0 because of the slow (~10 seconds) integrity check on my > platforms when using version 1.2 when I call "FIPS_mode_set()". > > I've got the FIPS canister built, and I've got the openssl 1.0.1c > libraries all compiled, and all of my apps are now linking just fine. > Unfortunately there are some runtime issues I'm seeing, seemingly related > to the EVP_MC_CTX initialization (or lack thereof) prior to calling > EVP_DigestInit. The man page says that EVP_DigestInit will initialize the > input EVP_MD_CTX structure. In the openssl source code that is indeed the > case -- EVP_DigestInit immediately calls "EVP_MD_CTX_init" and everything > is happy. > > However, when I'm using the new 2.0 openssl FIPS module, it seems to me > like it doesn't do a similar initialization -- it's probably calling > FIPS_digestinit in the background due to the re-definition of > EVP_DigestInit to FIPS_digestinit in openssl/fipssyms.h or something. Most > apps (for instance, openssh) depend on this CTX initialization, and > without it they tend to seg fault randomly on me. The code in the apps > will often do something like this -- creating a CTX structure on the stack > and using it immediately: > > EVP_MD_CTX md; > EVP_DigestInit(&md, kex->evp_md); > > Again, this works fine with the non-FIPS version of openssl, and even > worked fine in older FIPS openssl (version 1.2). However, now I get seg > faults. > > I put together a patch for openssh that initializes every EVP_MD_CTX right > after creation (using the EVP_MD_CTX_init function), and now openssh works > just great! All of my seg faults in openssh have gone away. However, > I've got a pile of other apps (python, php, net-snmmp, etc) which are also > skipping the call to "EVP_MD_CTX_init". I don't think it's appropriate > (or maintainable) for me to patch every single app that ever uses an > EVP_MD_CTX. What have other users been doing to solve this problem? > > And finally, I don't know if this question is more well suited for the > -dev or the -users mailing list, so I put it in -users and expect that it > can be copied to -dev if needed. >
That shouldn't be happening at all. The translation of OpenSSL calls to the FIPS_* form should only occur in the FIPS module itself, the FIPS capable OpenSSL should have the same functionality as normal but it will call the FIPS_* functions when necessary. I'm not sure how that could happen unless you're somehow pulling in the name translation from the module by including the private headers and setting defines. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org