On Sat, Feb 16, 2013, Gwendolyn Hunt wrote:

> Folks,
> I have run into an issue with FIPS Object Module that has me stumped. I have
> a multi-platform non-gui C++ application that uses boost::asio with OpenSSL
> under the covers for network communications. It is mature code over two
> years old. For Windows it is built on Windows XPSP3 for both 32-bit and
> 64-bit platforms and for Linux on RHEL5.3 for 32-bit and 64-bit platforms.
> Nightly, we run extended automated tests on all our platforms. For Windows we
> test the application on both 32-bit and 64-bit variants of Windows XP, 2003,
> 2008, Vista and Windows 7. The automated testing heavily exercises SSL
> communications.
>
> A couple of weeks ago I updated OpenSSL to v1.0.1c and added the FIPS Object
> Module v2.0.1. After building a FIPS Capable OpenSSL as specified it was
> straightforward to add FIPS mode to my application. The change was seamless
> with full operation on all Linux platforms, all Windows 64-bit platforms but
> we had issues with FIPS on 32-bit Windows 2008, Vista and Windows 7
> platforms. It works on 32-bit Windows XP and 2003 but not on the newer
> 32-bit versions of Windows. I tried all combinations of static and dll
> linkage, release and debug builds and the results were 100% deterministic:
> On the newer Windows 32-bit platforms FIPS_mode_set() always fails with
> error: "error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match".
>
> Next I tried both OpenSSL 1.0.1d and 1.0.1e with FIPS 2.0.2 and had the same
> results. Lastly, to make sure it wasn't my application that is causing the
> issue I wrote a simple test application that does one thing, call
> FIPS_mode_set(). The failure pattern was exactly the same. Works on all
> 64-bit Windows, works on 32-bit Windows XP and 2003 but fails on Windows
> 2008, Vista and Windows 7.
>
> Anyone have any ideas?
>
It could be the ASLR issue. To address that you need to turn off ASLR in
your application or the FIPS capable OpenSSL build. The /fixed option to
the linker will do this: see the archives for more details.

I thought we did this by default now in the FIPS capable OpenSSL for 32 bit
windows builds: apparently not.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org