openssl-fips configure parameters to force IANA cipher suite compliance
I want to build an openssl-fips canister to force IANA cipher suite compliance. With the help of an openssl-iana mapping (https://testssl.sh/openssl-iana.mapping.html) I can identify the corresponding OpenSSL cipher suites. IANA OpenSSL TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246 [0x2f] AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 [0x3c] AES128-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 [0x3d] AES256-SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288 [0x9d] AES256-GCM-SHA384 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246 [0x67] DHE-RSA-AES128-SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246 [0x6b] DHE-RSA-AES256-SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288 [0x9f] DHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 [0xc023] ECDHE-ECDSA-AES128-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 [0xc02b] ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 [0xc024] ECDHE-ECDSA-AES256-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 [0xc02c] ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289 [0xc027] ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289 [0xc02f] ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289 [0xc028] ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289 [0xc030] ECDHE-RSA-AES256-GCM-SHA384 How would I configure openssl-fips to force this precise compliance, eliminating all other cipher suites? Thank you. --Larry C++ Developer
Trying to use a ((constructor)) to force libcrypto.so into FIPS mode
Re: openssl-1.0.2r
Re: openssl-fips-2.0.16
OS: Linux Mint 19.1 (Ubuntu)
I have added a shared library initializer function to cryptlib.c to force
OpenSSL into FIPS mode, without requiring a “module operator” to directly
initiate (i.e. call FIPS_mode_set(1)).
void __attribute__((constructor)) ForceFIPSModeOn()
{
FIPS_mode_set(1);
FIPS_selftest_check();
}
The build fails shortly after creating the executable ‘fips_premain_dso’.
fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST
FAILURE
Aborted (core dumped)
I traced the problem to a failed FIPS_check_incore_fingerprint call. The
embedded signature appears uninitialized:
Starting FIPS_selftest
fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
failed FIPS_check_incore_fingerprint
I am at a loss to explain what is happening. Is my initializer running before
the embedded sig is loaded? Or is there another issue.
If I remove the call to FIPS_selftest_check(), the link completes, but the
selftest still fails, when it is initiated from the initializer. A “module
operator” can still use the libcrypto.so services, because all subsequent
selftests pass.
How can I get my module initializer to pass the selftest?
Sent from Mail for Windows 10
