Re: Openssl-1.0.1/FIPS-2.0 FIPS_selftest() fails after successful FIPS_mode_set(1)

Gatewood_Green Fri, 24 Feb 2012 12:34:40 -0800

What is your test environment and method?  We've tried this in both our
embedded OS (minimized LFS style build) and OpenSUSE.  Both ways the
result is the same.


Focusing on the PRNG, We cannot get FIPS_rand_status() to report 1. 
Tried both on hardware and in VMs.

Moved to the 20120222 snapshots.

# cd openssl-fips-2.0-test-20120222/
# ./config --prefix=/usr/local/ssl32
# make
# make install
# rm -f /usr/local/ssl32/include/opensslv.h  ###version conflict###

# cd ../openssl-1.0.1-stable-SNAP-20120222/
# ./config --prefix=/usr --libdir=/usr/lib \
   -m32 shared zlib-dynamic fips \
   --with-fipsdir=/usr/local/ssl32 \
   --with-fipslibdir=/usr/local/ssl32/lib
# make depend
# make
# make test
# make install

# cd ../
# FIPSLD_CC='gcc -m32' /usr/local/ssl32/bin/fipsld fips_can_test.c \
   -lcrypto -o fips_can_test32 -I/usr/local/ssl32/include

# ./fips_can_test32
FIPS_mode_set succeeded
FIPS_mode succeeded
FIPS_rand_status failed, strength: 256
RAND_status failed
Got 0 random bytes
FIPS_selftest_rsa failed
FIPS_selftest_ecdsa failed
FIPS_selftest_dsa failed
NotOK: selftest

#

32 or 64 bit, the result is the same.

Thanks,

Woody

Dr. Stephen Henson wrote on 02/18/2012 11:04 AM:
>
> On Fri, Feb 17, 2012, gatewood_gr...@mcafee.com wrote:
>
> > Tested with snapshots 20120216
> >
> > After compiling openssl-fips-2.0 I get a working fips_test_suite.  I
> > compile openssl-1.0.1 and then link a simple a simple application (we'll
> > can fips_can_test, see below).
> >
> > compiling like so:
> >
> > CC=/usr/local/ssl32/bin/fipsld FIPSLD_CC="gcc -m32"
> > /usr/local/ssl32/bin/fipsld fips_can_test.c \
> >    -L /usr/lib -lcrypto -o fips_can_test32 -I/usr/include
> > -I/usr/local/ssl32/include
> >
>
> Hmm... works fine here. The only thing I can immediately think of is
> that the
> PRNG seeding doesn't function correctly. Those specific tests require
> the PRNG
> (DRBG in this case) to produce random data for the operation.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>


-- 

Gatewood Green
Principal Software Engineer
NitroSecurity, now part of McAfee
o: 2085528269
c: 2082067455
e: gatewood_gr...@mcafee.com
w: http://www.nitrosecurity.com/


Imagine, if you will, a world in which there are no hypothetical situations...

#include <stdio.h>
#include <assert.h>
#include <ctype.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/err.h>
#include <openssl/fips.h>
#include <openssl/rand.h>

int main(){

   int strength;
   int randbts;
   unsigned char buf[40];

   if (!FIPS_mode_set(1)) {
      ERR_load_crypto_strings();
      ERR_print_errors_fp(stderr);
      fprintf(stderr,"NotOK: FIPS_mode_set\n");
      exit(1);
   } else {
      fprintf(stderr,"FIPS_mode_set succeeded\n");
   }

   if (!FIPS_mode()) {
      ERR_load_crypto_strings();
      ERR_print_errors_fp(stderr);
      fprintf(stderr,"NotOk: FIPS_mode check failed.\n");
      exit(1);
   } else {
      fprintf(stderr,"FIPS_mode succeeded\n");
   }

   strength = FIPS_rand_strength();
   if (FIPS_rand_status() != 1)
      fprintf(stderr,"FIPS_rand_status failed, strength: %i\n",strength);

   if (RAND_status() == 1) {
      fprintf(stderr,"RAND_status succeeded\n");
   } else {
      fprintf(stderr,"RAND_status failed\n");
   }

   memset(buf, '\0', sizeof(buf));
   randbts = FIPS_rand_bytes(buf,20);
   fprintf(stderr,"Got %i random bytes\n",randbts);

   fips_post_begin();
   if(!FIPS_check_incore_fingerprint())
      fprintf(stderr,"FIPS_check_incore_fingerprint failed\n");
   if (!FIPS_selftest_drbg())
      fprintf(stderr,"FIPS_selftest_drbg failed\n");
   if (!FIPS_selftest_x931())
      fprintf(stderr,"FIPS_selftest_x931 failed\n");
   if (!FIPS_selftest_sha1())
      fprintf(stderr,"FIPS_selftest_sha1 failed\n");
   if (!FIPS_selftest_hmac())
      fprintf(stderr,"FIPS_selftest_hmac failed\n");
   if (!FIPS_selftest_cmac())
      fprintf(stderr,"FIPS_selftest_cmac failed\n");
   if (!FIPS_selftest_aes())
      fprintf(stderr,"FIPS_selftest_aes failed\n");
   if (!FIPS_selftest_aes_ccm())
      fprintf(stderr,"FIPS_selftest_aes_ccm failed\n");
   if (!FIPS_selftest_aes_gcm())
      fprintf(stderr,"FIPS_selftest_aes_gcm failed\n");
   if (!FIPS_selftest_aes_xts())
      fprintf(stderr,"FIPS_selftest_aes_xts failed\n");
   if (!FIPS_selftest_des())
      fprintf(stderr,"FIPS_selftest_des failed\n");
   if (!FIPS_selftest_rsa())
      fprintf(stderr,"FIPS_selftest_rsa failed\n");
   if (!FIPS_selftest_ecdsa())
      fprintf(stderr,"FIPS_selftest_ecdsa failed\n");
   if (!FIPS_selftest_dsa())
      fprintf(stderr,"FIPS_selftest_dsa failed\n");
   if (!FIPS_selftest_ecdh())
      fprintf(stderr,"FIPS_selftest_ecdh failed\n");
   fips_post_end();

   if (!FIPS_selftest()) {
      ERR_load_crypto_strings();
      ERR_print_errors_fp(stderr);
      fprintf(stderr,"NotOK: selftest\n");
      exit(1);
   }

   printf("Ok\n");
   exit(0);
}

signature.asc
Description: OpenPGP digital signature

Re: Openssl-1.0.1/FIPS-2.0 FIPS_selftest() fails after successful FIPS_mode_set(1)

Reply via email to