Hi, I've been playing around with the FIPS stuff, and figured I'd
mention a few things I've run into ... they may be bugs, or just
user error ;)
1) I had to modify the 'fipsld' script that comes with the distribution
to work with autoconf/automake/libtool applications, since libtool
does not honor the LD variable for generating executables, only for
generating libraries/shared objects. It instead using the CC
variable to do the linking of executables. The 'fipsld' script
though can't make it through autoconfs tests because those tests
have no need to be linked against libcrypto, which is required. My
test just makes sure libcrypto is specified, if not, it simply passes
everything back onto the real CC or FIPSLD_CC ... I just added the
section below towards the top of the 'fipsld' script, and it seems
to get through autoconf stuff for me when I specify CC as 'fipsld':
case "$*" in
*libcrypto.a*)
;;
*-lcrypto*)
;;
*)
exec ${CC} $*
;;
esac
2) On Linux systems which do not utilize the NPTL threading model,
getpid() returns a different PID for each thread. If you perform
any crypto commands which require the RNG from any thread other
than which called FIPS_mode_set(), you will get this error:
error:24066067:random number generator:FIPS_RAND_BYTES:prng not rekeyed
This does not happen on NPTL-enabled systems or non-linux systems,
obviously. I'm not sure of a proper workaround, mainly because I
don't know the reasoning behind per-pid initialization. Infact, I
could find nothing that describes how to re-initialize FIPS mode for
another PID.
3) This is related to #2, but with 'daemonizing' an application. If you
enter FIPS mode and run some commands before 'daemonizing' an
application (e.g. double fork() ), once you're a daemon, any crypto
functions which require the RNG will fail with the same message as
#2. The workaround is to call FIPS_mode_set(0) to unset FIPS mode,
right before you 'daemonize' then call FIPS_mode_set(1) right
afterwards in order to re-set FIPS mode. This appears to work.
Again, this probably wouldn't be a huge deal if there was a way to
reinitialize the FIPS RNG for the new PID, I'm not sure what would
be proper for seeding it and calling FIPS_set_prng_key() ...
4) Windows ... whew. Compile the FIPS-1.0 code using MSYS first, then
take the latest snapshot of 0.9.7 (soon to be j?), Configure
--with-fipslibdir=, make it with VC, then manually copy over
another object file (_chkstk.o), and finish the compilation.
I guess I'm confused on why you can't build the FIPS module with
VC, but only with MSYS? Is there a technical reason why it cannot
be done, or is it simply that the script which validates the FIPS
source hasn't been ported to a more windows-centric style?
Also, I haven't found anything yet which describes how to build
a FIPS executable under windows (my own app, etc). There's the
'fipsld' script on Unix/Linux, but I'm not too sure how to
accomplish that in Windows using VC (especially if it's a
Visual Studio project file!).
Thanks for any pointers!
-Brad
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
