Tested with snapshots 20120216

After compiling openssl-fips-2.0 I get a working fips_test_suite. I compile openssl-1.0.1 and then link a simple application (we'll call it fips_can_test, see below).
Compiling like so:

    CC=/usr/local/ssl32/bin/fipsld FIPSLD_CC="gcc -m32" /usr/local/ssl32/bin/fipsld fips_can_test.c \
      -L /usr/lib -lcrypto -o fips_can_test32 -I/usr/include -I/usr/local/ssl32/include

I get a failure when calling FIPS_selftest(). I pulled the code that is the FIPS_selftest and upon breaking out the tests, specifically RSA, ECDSA and DSA fail (reason not stated).

The call to FIPS_mode_set(1) and FIPS_mode() both succeed. FIPS_mode_set appears to internally call FIPS_selftest() which must pass for the FIPS_mode_set(1) to succeed.

I am confused as to why I cannot call FIPS_selftest() at will with success. The UserGuide says I should be able to call this anytime although the example of entering FIPS mode does not suggest calling it as a verification method.

Thanks,
Woody

---begin---
#include <stdio.h>
#include <assert.h>
#include <ctype.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/err.h>
#include <openssl/fips.h>

int main() {
    /* Enter FIPS mode; this succeeds. */
    if (!FIPS_mode_set(1)) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        printf("NotOK: FIPS_mode_set\n");
        exit(1);
    }

    /* Confirm FIPS mode is reported as enabled; this succeeds too. */
    if (!FIPS_mode()) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        printf("NotOk: FIPS_mode check failed.");
        exit(1);
    }

    /* The individual tests pulled out of FIPS_selftest(), run one by one
     * so that each failing test is reported separately. */
    fips_post_begin();
    if (!FIPS_check_incore_fingerprint())
        fprintf(stderr, "FIPS_check_incore_fingerprint failed\n");
    if (!FIPS_selftest_drbg())
        fprintf(stderr, "FIPS_selftest_drbg failed\n");
    if (!FIPS_selftest_x931())
        fprintf(stderr, "FIPS_selftest_x931 failed\n");
    if (!FIPS_selftest_sha1())
        fprintf(stderr, "FIPS_selftest_sha1 failed\n");
    if (!FIPS_selftest_hmac())
        fprintf(stderr, "FIPS_selftest_hmac failed\n");
    if (!FIPS_selftest_cmac())
        fprintf(stderr, "FIPS_selftest_cmac failed\n");
    if (!FIPS_selftest_aes())
        fprintf(stderr, "FIPS_selftest_aes failed\n");
    if (!FIPS_selftest_aes_ccm())
        fprintf(stderr, "FIPS_selftest_aes_ccm failed\n");
    if (!FIPS_selftest_aes_gcm())
        fprintf(stderr, "FIPS_selftest_aes_gcm failed\n");
    if (!FIPS_selftest_aes_xts())
        fprintf(stderr, "FIPS_selftest_aes_xts failed\n");
    if (!FIPS_selftest_des())
        fprintf(stderr, "FIPS_selftest_des failed\n");
    if (!FIPS_selftest_rsa())
        fprintf(stderr, "FIPS_selftest_rsa failed\n");
    if (!FIPS_selftest_ecdsa())
        fprintf(stderr, "FIPS_selftest_ecdsa failed\n");
    if (!FIPS_selftest_dsa())
        fprintf(stderr, "FIPS_selftest_dsa failed\n");
    if (!FIPS_selftest_ecdh())
        fprintf(stderr, "FIPS_selftest_ecdh failed\n");
    fips_post_end();

    /* The combined self-test, called directly after FIPS mode is set. */
    if (!FIPS_selftest()) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        printf("NotOK: selftest\n");
        exit(1);
    }

    printf("Ok\n");
    exit(0);
}
---end---

--
Gatewood Green
Principal Software Engineer
NitroSecurity, now part of McAfee
o: 2085528269
c: 2082067455
e: gatewood_gr...@mcafee.com
w: http://www.nitrosecurity.com/

Imagine, if you will, a world in which there are no hypothetical situations...