Re: FIPS self-tests failing on Windows
On Tue, Sep 06, 2011, Tyrel Haveman wrote: > It looks like there's a failure in the FIPS module 2.0 self tests on Windows > currently. It happens on both x86 and AMD64. The failure is in the integrity > check. Complete output of fips_test_suite.exe is below. > > FIPS-mode test application > FIPS 2.0-dev unvalidated test module xx XXX > > 1. Non-Approved cryptographic operation test... > a. Included algorithm (D-H)..successful > POST started > Integrity test started > ERROR:2D06B06F:lib=45,func=107,reason=111:file=.\fips\fips.c:line=224 > Integrity test FAILED!! > DRBG AES-256-CTR DF test started > DRBG AES-256-CTR DF test OK > DRBG AES-256-CTR test started > DRBG AES-256-CTR test OK > DRBG SHA256 test started > DRBG SHA256 test OK > DRBG HMAC-SHA256 test started > DRBG HMAC-SHA256 test OK > X9.31 PRNG keylen=16 test started > X9.31 PRNG keylen=16 test OK > X9.31 PRNG keylen=24 test started > X9.31 PRNG keylen=24 test OK > X9.31 PRNG keylen=32 test started > X9.31 PRNG keylen=32 test OK > Digest SHA1 test started > Digest SHA1 test OK > Digest SHA1 test started > Digest SHA1 test OK > Digest SHA1 test started > Digest SHA1 test OK > HMAC SHA1 test started > HMAC SHA1 test OK > HMAC SHA224 test started > HMAC SHA224 test OK > HMAC SHA256 test started > HMAC SHA256 test OK > HMAC SHA384 test started > HMAC SHA384 test OK > HMAC SHA512 test started > HMAC SHA512 test OK > CMAC AES-128-CBC test started > CMAC AES-128-CBC test OK > CMAC AES-192-CBC test started > CMAC AES-192-CBC test OK > CMAC AES-256-CBC test started > CMAC AES-256-CBC test OK > CMAC DES-EDE3-CBC test started > CMAC DES-EDE3-CBC test OK > Cipher AES-128-ECB test started > Cipher AES-128-ECB test OK > CCM test started > CCM test OK > GCM test started > GCM test OK > XTS AES-128-XTS test started > XTS AES-128-XTS test OK > XTS AES-256-XTS test started > XTS AES-256-XTS test OK > Cipher DES-EDE3-ECB test started > Cipher DES-EDE3-ECB test OK > Cipher DES-EDE3-ECB test started > Cipher DES-EDE3-ECB test OK > Signature RSA test started > Signature RSA test OK > Signature ECDSA test started > Signature ECDSA test OK > Signature ECDSA test started > Signature ECDSA test OK > Signature DSA test started > Signature DSA test OK > POST Failed > 2. Automatic power-up self test...Failed! > *** Tests Failed *** Strange. No problems on either platform here. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS self-tests failing on Windows
Is this Windows 7? Try adding the FIXED flag to the Microsoft linker. Windows 7 will relocate DLLs (quite often). When this occurs, the FIPS signature will fail. On 09/06/2011 04:22 PM, Dr. Stephen Henson wrote: > On Tue, Sep 06, 2011, Tyrel Haveman wrote: > >> It looks like there's a failure in the FIPS module 2.0 self tests on Windows >> currently. It happens on both x86 and AMD64. The failure is in the integrity >> check. Complete output of fips_test_suite.exe is below. >> >> FIPS-mode test application >> FIPS 2.0-dev unvalidated test module xx XXX >> >> 1. Non-Approved cryptographic operation test... >> a. Included algorithm (D-H)..successful >> POST started >> Integrity test started >> ERROR:2D06B06F:lib=45,func=107,reason=111:file=.\fips\fips.c:line=224 >> Integrity test FAILED!! >> DRBG AES-256-CTR DF test started >> DRBG AES-256-CTR DF test OK >> DRBG AES-256-CTR test started >> DRBG AES-256-CTR test OK >> DRBG SHA256 test started >> DRBG SHA256 test OK >> DRBG HMAC-SHA256 test started >> DRBG HMAC-SHA256 test OK >> X9.31 PRNG keylen=16 test started >> X9.31 PRNG keylen=16 test OK >> X9.31 PRNG keylen=24 test started >> X9.31 PRNG keylen=24 test OK >> X9.31 PRNG keylen=32 test started >> X9.31 PRNG keylen=32 test OK >> Digest SHA1 test started >> Digest SHA1 test OK >> Digest SHA1 test started >> Digest SHA1 test OK >> Digest SHA1 test started >> Digest SHA1 test OK >> HMAC SHA1 test started >> HMAC SHA1 test OK >> HMAC SHA224 test started >> HMAC SHA224 test OK >> HMAC SHA256 test started >> HMAC SHA256 test OK >> HMAC SHA384 test started >> HMAC SHA384 test OK >> HMAC SHA512 test started >> HMAC SHA512 test OK >> CMAC AES-128-CBC test started >> CMAC AES-128-CBC test OK >> CMAC AES-192-CBC test started >> CMAC AES-192-CBC test OK >> CMAC AES-256-CBC test started >> CMAC AES-256-CBC test OK >> CMAC DES-EDE3-CBC test started >> CMAC DES-EDE3-CBC test OK >> Cipher AES-128-ECB test started >> Cipher AES-128-ECB test OK >> CCM test started >> CCM test OK >> GCM test started >> GCM test OK >> XTS AES-128-XTS test started >> XTS AES-128-XTS test OK >> XTS AES-256-XTS test started >> XTS AES-256-XTS test OK >> Cipher DES-EDE3-ECB test started >> Cipher DES-EDE3-ECB test OK >> Cipher DES-EDE3-ECB test started >> Cipher DES-EDE3-ECB test OK >> Signature RSA test started >> Signature RSA test OK >> Signature ECDSA test started >> Signature ECDSA test OK >> Signature ECDSA test started >> Signature ECDSA test OK >> Signature DSA test started >> Signature DSA test OK >> POST Failed >> 2. Automatic power-up self test...Failed! >> *** Tests Failed *** > Strange. No problems on either platform here. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS self-tests failing on Windows
I ran the openssl-fips-2.0-test-20110906 version today on a 32-bit Dell XP system and the fips_test_suite ran ok with no errors. I just ran again and double checked the Integrity test and it was OK. Ken --- On Tue, 9/6/11, Dr. Stephen Henson wrote: > From: Dr. Stephen Henson > Subject: Re: FIPS self-tests failing on Windows > To: openssl-dev@openssl.org > Date: Tuesday, September 6, 2011, 3:22 PM > On Tue, Sep 06, 2011, Tyrel Haveman > wrote: > > > It looks like there's a failure in the FIPS module 2.0 > self tests on Windows > > currently. It happens on both x86 and AMD64. The > failure is in the integrity > > check. Complete output of fips_test_suite.exe is > below. > > > > FIPS-mode test > application > > FIPS 2.0-dev > unvalidated test module xx XXX > > > > 1. Non-Approved cryptographic operation test... > > a. Included > algorithm (D-H)..successful > > POST started > > > Integrity test started > > > ERROR:2D06B06F:lib=45,func=107,reason=111:file=.\fips\fips.c:line=224 > > > Integrity test FAILED!! > > > DRBG AES-256-CTR DF test started > > > DRBG AES-256-CTR DF test OK > > > DRBG AES-256-CTR test started > > > DRBG AES-256-CTR test OK > > > DRBG SHA256 test started > > > DRBG SHA256 test OK > > > DRBG HMAC-SHA256 test started > > > DRBG HMAC-SHA256 test OK > > > X9.31 PRNG keylen=16 test started > > > X9.31 PRNG keylen=16 test OK > > > X9.31 PRNG keylen=24 test started > > > X9.31 PRNG keylen=24 test OK > > > X9.31 PRNG keylen=32 test started > > > X9.31 PRNG keylen=32 test OK > > > Digest SHA1 test started > > > Digest SHA1 test OK > > > Digest SHA1 test started > > > Digest SHA1 test OK > > > Digest SHA1 test started > > > Digest SHA1 test OK > > > HMAC SHA1 test started > > > HMAC SHA1 test OK > > > HMAC SHA224 test started > > > HMAC SHA224 test OK > > > HMAC SHA256 test started > > > HMAC SHA256 test OK > > > HMAC SHA384 test started > > > HMAC SHA384 test OK > > > HMAC SHA512 test started > > > HMAC SHA512 test OK > > > CMAC AES-128-CBC test started > > > CMAC AES-128-CBC test OK > > > CMAC AES-192-CBC test started > > > CMAC AES-192-CBC test OK > > > CMAC AES-256-CBC test started > > > CMAC AES-256-CBC test OK > > > CMAC DES-EDE3-CBC test started > > > CMAC DES-EDE3-CBC test OK > > > Cipher AES-128-ECB test started > > > Cipher AES-128-ECB test OK > > > CCM test started > > > CCM test OK > > > GCM test started > > > GCM test OK > > > XTS AES-128-XTS test started > > > XTS AES-128-XTS test OK > > > XTS AES-256-XTS test started > > > XTS AES-256-XTS test OK > > > Cipher DES-EDE3-ECB test started > > > Cipher DES-EDE3-ECB test OK > > > Cipher DES-EDE3-ECB test started > > > Cipher DES-EDE3-ECB test OK > > > Signature RSA test started > > > Signature RSA test OK > > > Signature ECDSA test started > > > Signature ECDSA test OK > > > Signature ECDSA test started > > > Signature ECDSA test OK > > > Signature DSA test started > > > Signature DSA test OK > > POST Failed > > 2. Automatic power-up self test...Failed! > > *** Tests Failed *** > > Strange. No problems on either platform here. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project > > http://www.openssl.org > Development Mailing List > openssl-dev@openssl.org > Automated List Manager > > majord...@openssl.org > __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS self-tests failing on Windows
Thanks for all the responses. This is on Windows 7 Enterprise, 64-bit, on a Core i7 CPU. I added /fixed in the linker flags like John suggested and it works now. If this is a known problem, why isn't it in the build process by default? Thanks again, Tyrel On Tue, Sep 6, 2011 at 1:32 PM, Kenneth Robinette wrote: > I ran the openssl-fips-2.0-test-20110906 version today on a 32-bit Dell XP > system and the fips_test_suite ran ok with no errors. I just ran again and > double checked the Integrity test and it was OK. > > Ken > > > --- On Tue, 9/6/11, Dr. Stephen Henson wrote: > > > From: Dr. Stephen Henson > > Subject: Re: FIPS self-tests failing on Windows > > To: openssl-dev@openssl.org > > Date: Tuesday, September 6, 2011, 3:22 PM > > On Tue, Sep 06, 2011, Tyrel Haveman > > wrote: > > > > > It looks like there's a failure in the FIPS module 2.0 > > self tests on Windows > > > currently. It happens on both x86 and AMD64. The > > failure is in the integrity > > > check. Complete output of fips_test_suite.exe is > > below. > > > > > > FIPS-mode test > > application > > > FIPS 2.0-dev > > unvalidated test module xx XXX > > > > > > 1. Non-Approved cryptographic operation test... > > > a. Included > > algorithm (D-H)..successful > > > POST started > > > > >Integrity test started > > > > > ERROR:2D06B06F:lib=45,func=107,reason=111:file=.\fips\fips.c:line=224 > > > > >Integrity test FAILED!! > > > > >DRBG AES-256-CTR DF test started > > > > >DRBG AES-256-CTR DF test OK > > > > >DRBG AES-256-CTR test started > > > > >DRBG AES-256-CTR test OK > > > > >DRBG SHA256 test started > > > > >DRBG SHA256 test OK > > > > >DRBG HMAC-SHA256 test started > > > > >DRBG HMAC-SHA256 test OK > > > > >X9.31 PRNG keylen=16 test started > > > > >X9.31 PRNG keylen=16 test OK > > > > >X9.31 PRNG keylen=24 test started > > > > >X9.31 PRNG keylen=24 test OK > > > > >X9.31 PRNG keylen=32 test started > > > > >X9.31 PRNG keylen=32 test OK > > > > >Digest SHA1 test started > > > > >Digest SHA1 test OK > > > > >Digest SHA1 test started > > > > >Digest SHA1 test OK > > > > >Digest SHA1 test started > > > > >Digest SHA1 test OK > > > > >HMAC SHA1 test started > > > > >HMAC SHA1 test OK > > > > >HMAC SHA224 test started > > > > >HMAC SHA224 test OK > > > > >HMAC SHA256 test started > > > > >HMAC SHA256 test OK > > > > >HMAC SHA384 test started > > > > >HMAC SHA384 test OK > > > > >HMAC SHA512 test started > > > > >HMAC SHA512 test OK > > > > >CMAC AES-128-CBC test started > > > > >CMAC AES-128-CBC test OK > > > > >CMAC AES-192-CBC test started > > > > >CMAC AES-192-CBC test OK > > > > >CMAC AES-256-CBC test started > > > > >CMAC AES-256-CBC test OK > > > > >CMAC DES-EDE3-CBC test started > > > > >CMAC DES-EDE3-CBC test OK > > > > >Cipher AES-128-ECB test started > > > > >Cipher AES-128-ECB test OK > > > > >CCM test started > > > > >CCM test OK > > > > >GCM test started > > > > >GCM test OK > > > > >XTS AES-128-XTS test started > > > > >XTS AES-128-XTS test OK > > > > >XTS AES-256-XTS test started > > > > >XTS AES-256-XTS test OK > > > > >Cipher DES-EDE3-ECB test started > > > > >Cipher DES-EDE3-ECB test OK > > > > >Cipher DES-EDE3-ECB test started > > > > >Cipher DES-EDE3-ECB test OK > > > > >Signature RSA test started > > > > >Signature RSA test OK > > > > >Signature ECDSA test started > > > > >Signature ECDSA test OK > > > > >Signature ECDSA test started > > > > >Signature ECDSA test OK > > > > >Signature DSA test started > > > > >Signature DSA test OK > > > POST Failed > > > 2. Automatic power-up self test...Failed! > > > *** Tests Failed *** > > > > Strange. No problems on either platform here. > > > > Steve. > > -- > > Dr Stephen N. Henson. OpenSSL project core developer. > > Commercial tech support now available see: http://www.openssl.org > > __ > > OpenSSL Project > > > > http://www.openssl.org > > Development Mailing List > > openssl-dev@openssl.org > > Automated List Manager > > > >majord...@openssl.org > > > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org >
Re: FIPS self-tests failing on Windows
On Tue, Sep 06, 2011, John Foley wrote: > Is this Windows 7? Try adding the FIXED flag to the Microsoft linker. > Windows 7 will relocate DLLs (quite often). When this occurs, the FIPS > signature will fail. > > The fips_test_suite.exe executable is statically linked to fipscanister.lib Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS self-tests failing on Windows
That may be the case, but it fixed my problem nevertheless. On Tue, Sep 6, 2011 at 7:43 PM, Dr. Stephen Henson wrote: > On Tue, Sep 06, 2011, John Foley wrote: > > > Is this Windows 7? Try adding the FIXED flag to the Microsoft linker. > > Windows 7 will relocate DLLs (quite often). When this occurs, the FIPS > > signature will fail. > > > > > > The fips_test_suite.exe executable is statically linked to fipscanister.lib > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org >
Re: FIPS self-tests failing on Windows
On Tue, Sep 06, 2011, Tyrel Haveman wrote: > That may be the case, but it fixed my problem nevertheless. > OK I've added this option to the FIPS build. It should appear in the next snapshots. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
