I'm working with the Debian/Ubuntu openssl package for Ubuntu 13.10, Saucy,
version 1.0.1e. I'm trying to adapt the Debian package-build to produce a
FIPS-linked openssl.
I've followed the procedure to download, build and install the FIPS canister
v2.0.1, which was successful:
$ ../../openssl-fips-2.0.1/test/fips_algvs fips_test_suite post
FIPS-mode test application
FIPS 2.0.1 validated test module 12 Jun 2012
DRBG AES-256-CTR DF test started
DRBG AES-256-CTR DF test OK
POST started
Integrity test started
Integrity test OK
...
POST Success
Power-up self test successful
However, whilst building the shared-library version of openssl-1.0.1e (using a
modified Debian package) the tests fail with:
...
./Configure shared --prefix=/usr/local --openssldir=/usr/local/lib/ssl
--libdir=lib/x86_64-linux-gnu fips enable-ec_nistp_64_gcc_128
enable-ec_nistp_64_gcc_128 debian-amd64
...
test SSL protocol
test ssl3 is forbidden in FIPS mode
46912496303808:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
test ssl2 is forbidden in FIPS mode
46912496303808:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
test tls1
46912496303808:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
make[2]: *** [test_ssl] Error 1
make[2]: Leaving directory `/home/all/SourceCode/openssl/openssl-1.0.1e.tj/test'
make[1]: *** [tests] Error 2
make[1]: Leaving directory `/home/all/SourceCode/openssl/openssl-1.0.1e.tj'
make: *** [build-stamp] Error 2
The Debian build script first builds the static library followed by the shared
library. It runs the tests after each variant is built. The tests succeed for
the static library:
...
./Configure no-shared --prefix=/usr/local --openssldir=/usr/local/lib/ssl
--libdir=lib/x86_64-linux-gnu fips enable-ec_nistp_64_gcc_128
enable-ec_nistp_64_gcc_128 debian-amd64
...
test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
NONE
46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
mode:ssl_lib.c:1692:
46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
mode:ssl_lib.c:1692:
test ssl2 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
NONE
46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
mode:ssl_lib.c:1692:
46912496300032:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
mode:ssl_lib.c:1692:
test tls1
*** IN FIPS MODE ***
I've checked that the shared-library build test is linking against the correct
libcrypto.so:
$ ldd ../apps/openssl
linux-vdso.so.1 => (0x00007fffb61fe000)
libssl.so.1.0.0 =>
/home/all/SourceCode/openssl/openssl-1.0.1e.tj/test/../libssl.so.1.0.0
(0x00007f2376c5b000)
libcrypto.so.1.0.0 =>
/home/all/SourceCode/openssl/openssl-1.0.1e.tj/test/../libcrypto.so.1.0.0
(0x00007f2376810000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2376442000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f237623e000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2376ec2000)
And that libcrypto contains the FIPS symbols:
$ objdump -t ../libcrypto.so.1.0.0 | grep -i fips | wc -l
812
From reading the source-code of 'openssl-fips/fips/fips.c' it seems that the
fingerprint is created based upon the position and address of the fips
object-code in the library, but I can't be sure.
I suspect that the libcrypto.so build has munged the fingerprint-sensitive
layout of the fips symbols and thus caused the failed check, but I need to know
precisely what the fingerprint is generated against in the object file in order
to figure out what might have caused the problem. It could be a
binutils/compiler/linker issue or it could be something the Debian build
scripts have done.
Can someone explain what the fingerprint is created against?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
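As an added illustration of what the question is asking about (this is not code from the original post or from the OpenSSL FIPS module), the following Python model mirrors the scheme the FIPS 2.0 module uses in FIPS_incore_fingerprint: an HMAC-SHA1 with the fixed key "etaonrishdlcupfm" over the module's text range and rodata range, with a hole punched where the 20-byte reference value (FIPS_signature) itself is stored. The byte offsets, the 128-byte "module" image and the patched byte values are all constructed for the example; they are not a real ELF layout. The model shows why a write that lands inside the covered ranges after the reference value was embedded (for instance a relocation applied by the dynamic loader to non-position-independent code) makes the power-up check fail, while a write to uncovered writable data does not.

```python
import hashlib
import hmac

# Fixed HMAC-SHA1 key used by the OpenSSL FIPS 2.0 module's in-core
# integrity check (fips/fips.c, FIPS_hmac_key).  Reused in this toy model.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"
SIG_LEN = 20  # SHA-1 output length; size of the embedded reference value

# Constructed toy layout (an assumption, not a real ELF): byte offsets of
# the ranges the check covers and of the slot holding the reference value.
TEXT_RANGE = (0, 64)       # code, covered by the fingerprint
RODATA_RANGE = (64, 112)   # read-only data, covered (contains the slot)
SIG_OFFSET = 76            # reference-value slot, lies inside rodata
DATA_RANGE = (112, 128)    # writable data: NOT covered by the fingerprint


def _without_slot(start, end, slot_lo, slot_hi):
    """Split [start, end) so that the reference-value slot is skipped."""
    if slot_hi <= start or slot_lo >= end:
        return [(start, end)]
    parts = []
    if start < slot_lo:
        parts.append((start, slot_lo))
    if slot_hi < end:
        parts.append((slot_hi, end))
    return parts


def incore_fingerprint(image):
    """HMAC-SHA1 over the text and rodata ranges of the in-memory image,
    excluding the bytes where the reference fingerprint itself is stored."""
    mac = hmac.new(FIPS_HMAC_KEY, digestmod=hashlib.sha1)
    for start, end in (TEXT_RANGE, RODATA_RANGE):
        for lo, hi in _without_slot(start, end, SIG_OFFSET, SIG_OFFSET + SIG_LEN):
            mac.update(image[lo:hi])
    return mac.digest()


def embed_fingerprint(image):
    """Post-link step (the role of the module's 'incore' tool): compute the
    reference fingerprint and write it into its slot."""
    out = bytearray(image)
    out[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = incore_fingerprint(image)
    return bytes(out)


def check_incore_fingerprint(image):
    """Power-up self-test: recompute and compare in constant time."""
    stored = image[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(stored, incore_fingerprint(image))


def build_sample_image():
    """Constructed 128-byte 'module' with the reference value embedded."""
    text = bytes(range(64))
    rodata = b"FIPS rodata " + bytes(SIG_LEN) + b" tail rodata    "
    data = bytes(DATA_RANGE[1] - DATA_RANGE[0])
    assert len(rodata) == RODATA_RANGE[1] - RODATA_RANGE[0]
    return embed_fingerprint(text + rodata + data)


def patched(image, offset, new_bytes):
    """Copy of image with new_bytes written at offset.  Models a loader
    applying a relocation, or any other change made after fingerprinting."""
    out = bytearray(image)
    out[offset:offset + len(new_bytes)] = new_bytes
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_image()
    print("pristine image :", check_incore_fingerprint(img))
    # A relocation written into covered text changes bytes under the HMAC.
    reloc = patched(img, 16, b"\xef\xbe\xad\xde\x00\x00\x00\x00")
    print("write in .text :", check_incore_fingerprint(reloc))
    # A write to uncovered .data leaves the fingerprint intact.
    print("write in .data :", check_incore_fingerprint(patched(img, 116, b"\x01\x02")))
```

The practical diagnostic this suggests: compare the bytes between the module's text and rodata start/end markers as they sit in the linked libcrypto.so on disk with the same bytes once the library is loaded; any difference inside those ranges (a runtime relocation, or a link-time rearrangement after the reference value was embedded) is enough to produce the "fingerprint does not match" error, whereas changes to symbols outside the ranges are irrelevant to the check.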