make test fails for FIPS-capable OpenSSL build
Hi, I successfully built the FIPS 2.0 module (2010), its tests passed, and it was installed correctly in /usr/local/ssl/fips-2.0. I then build openssl 1.0.1 (2010): ./config fips shared make which all seems to go ok Then I do: make test and eventually get this error: ... Testing key generation with NIST Binary-Curve B-571 ok cat base64 aes-128-cbc 3086473868:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: bad decrypt 3086592652:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: 3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535: ./p ./p.aes-128-cbc.clear differ: byte 1, line 1 make[1]: *** [test_enc] Error 1 It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but I'm not familiar enough yet with the code to understand what I may be doing wrong. I have OPENSSL_FIPS set to 1 in my environment. I am building/running on CentOS 5.6. Thanks, Kevin
Re: make test fails for FIPS-capable OpenSSL build
On Mon, Nov 14, 2011, Kevin Fowler wrote: Hi, I successfully built the FIPS 2.0 module (2010), its tests passed, and it was installed correctly in /usr/local/ssl/fips-2.0. I then build openssl 1.0.1 (2010): ./config fips shared make which all seems to go ok Then I do: make test and eventually get this error: ... Testing key generation with NIST Binary-Curve B-571 ok cat base64 aes-128-cbc 3086473868:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: bad decrypt 3086592652:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: 3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535: ./p ./p.aes-128-cbc.clear differ: byte 1, line 1 make[1]: *** [test_enc] Error 1 It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but I'm not familiar enough yet with the code to understand what I may be doing wrong. I have OPENSSL_FIPS set to 1 in my environment. I am building/running on CentOS 5.6. Don't set OPENSSL_FIPS=1 before calling make test as not all the tests work in FIPS mode. The tests will swicth to FIPS mode themselves if this is being tested. Though currently only a TLS test does this. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: make test fails for FIPS-capable OpenSSL build
Thank you - that was my problem On Tue, Nov 15, 2011 at 9:43 AM, Dr. Stephen Henson st...@openssl.org wrote: On Mon, Nov 14, 2011, Kevin Fowler wrote: Hi, I successfully built the FIPS 2.0 module (2010), its tests passed, and it was installed correctly in /usr/local/ssl/fips-2.0. I then build openssl 1.0.1 (2010): ./config fips shared make which all seems to go ok Then I do: make test and eventually get this error: ... Testing key generation with NIST Binary-Curve B-571 ok cat base64 aes-128-cbc 3086473868:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: bad decrypt 3086592652:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: 3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535: ./p ./p.aes-128-cbc.clear differ: byte 1, line 1 make[1]: *** [test_enc] Error 1 It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but I'm not familiar enough yet with the code to understand what I may be doing wrong. I have OPENSSL_FIPS set to 1 in my environment. I am building/running on CentOS 5.6. Don't set OPENSSL_FIPS=1 before calling make test as not all the tests work in FIPS mode. The tests will swicth to FIPS mode themselves if this is being tested. Though currently only a TLS test does this. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
make test fails for FIPS-capable OpenSSL build
Hi, I successfully built the FIPS 2.0 module (2010), its tests passed, and it was installed correctly in /usr/local/ssl/fips-2.0. I then build openssl 1.0.1 (2010): ./config fips shared make which all seems to go ok Then I do: make test and eventually get this error: ... Testing key generation with NIST Binary-Curve B-571 ok cat base64 aes-128-cbc 3086473868:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: bad decrypt 3086592652:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: 3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:535: ./p ./p.aes-128-cbc.clear differ: byte 1, line 1 make[1]: *** [test_enc] Error 1 It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but I'm not familiar enough yet with the code to understand what I may be doing wrong. I have OPENSSL_FIPS set to 1 in my environment. I am building/running on CentOS 5.6. Thanks, Kevin