Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
1,597 views
Skip to first unread message
Cassie Helms
Jul 25, 2012, 6:53:38 PM7/25/12
to
Hi folks,
I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
libssl.so) into my product's build, but still get a "fingerprint does not match"
error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0
source and OpenSSL 1.0.1c.
The full error is:
25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
match:fips.c:489:
During the build on a build machine, I execute the following --
for fips,
./config
make
make install (with an install prefix)
for openssl,
./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix=
{...}
make ... -I{fips include directory} depend
make ... -I{fips include directory}
make install
Everything appears to go well. fipscanister.o is generated, openssl is able to
find it, and libcrypto.so has similar fingerprint text as fipscanister.o after
doing an objdump on both of them. libssl.so and libcrypto.so get linked in with
the product source and put into an rpm. The rpm is installed and executed on a
different machine from building that does not have openssl or fips installed.
In the initialization sequence that calls FIPS_mode_set, I'm including
openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
FIPS_mode_set is unhappy and returns the fingerprint does not match error. It is
my understanding that if I'm not statically linking openssl, I should not need
to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.
So what are the digests that actually need to be compared for fips to be
validated in a dynamic linking such as this? Is there a step I'm missing to
generate and/or install them?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
libssl.so) into my product's build, but still get a "fingerprint does not match"
error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0
source and OpenSSL 1.0.1c.
The full error is:
25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
match:fips.c:489:
During the build on a build machine, I execute the following --
for fips,
./config
make
make install (with an install prefix)
for openssl,
./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix=
{...}
make ... -I{fips include directory} depend
make ... -I{fips include directory}
make install
Everything appears to go well. fipscanister.o is generated, openssl is able to
find it, and libcrypto.so has similar fingerprint text as fipscanister.o after
doing an objdump on both of them. libssl.so and libcrypto.so get linked in with
the product source and put into an rpm. The rpm is installed and executed on a
different machine from building that does not have openssl or fips installed.
In the initialization sequence that calls FIPS_mode_set, I'm including
openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
FIPS_mode_set is unhappy and returns the fingerprint does not match error. It is
my understanding that if I'm not statically linking openssl, I should not need
to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.
So what are the digests that actually need to be compared for fips to be
validated in a dynamic linking such as this? Is there a step I'm missing to
generate and/or install them?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Cassie Helms
Jul 25, 2012, 4:53:01 PM7/25/12
to
Hi folks,
I have a FIPS capable OpenSSL library, where libcrypto.so and libssl.so get
linked into my product during build. I'm using FIPS 2.0 and OpenSSL 1.0.1c.
To the best of my knowledge, on the build machine I can do the following:
for fips, I call
./config
make
make install
where I give install an install prefix
for openssl, I call
./config fips -d shared --with-fipsdir={install_prefix}/usr/local/ssl/fips-2.0 -
-prefix={blah}
This all works fine. fipscanister.o comes out, I point openssl to it, and
openssl makes some libraries. Doing an objdump on libcrypto.so reveals similar
fingerprint text as found in an objdump on fipscanister.o.
My total build generates an rpm of my source with the linked ssl libraries,
which I install on a different machine that does not have openssl or fips
installed.
Unfortunately, FIPS_mode_set(1) still fails for me with the following:
error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
match:fips.c:489:
It is my understanding that fipscanister.o gets generated with its SHA1 value
already embedded in it, and FIPS_mode_set generates its own fingerprint at
runtime to compare to the embedded value. In this manner, fipscanister.o should
be totally modular.
I am not statically linking and should not need to use fipsld. I also do not use
fips_standalone_sha1 at any point.
Am I missing a step somewhere that is critical to getting FIPS initialized at
runtime?
Thanks,
Cassie
I have a FIPS capable OpenSSL library, where libcrypto.so and libssl.so get
linked into my product during build. I'm using FIPS 2.0 and OpenSSL 1.0.1c.
To the best of my knowledge, on the build machine I can do the following:
for fips, I call
./config
make
make install
where I give install an install prefix
for openssl, I call
./config fips -d shared --with-fipsdir={install_prefix}/usr/local/ssl/fips-2.0 -
-prefix={blah}
This all works fine. fipscanister.o comes out, I point openssl to it, and
openssl makes some libraries. Doing an objdump on libcrypto.so reveals similar
fingerprint text as found in an objdump on fipscanister.o.
My total build generates an rpm of my source with the linked ssl libraries,
which I install on a different machine that does not have openssl or fips
installed.
Unfortunately, FIPS_mode_set(1) still fails for me with the following:
error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
match:fips.c:489:
already embedded in it, and FIPS_mode_set generates its own fingerprint at
runtime to compare to the embedded value. In this manner, fipscanister.o should
be totally modular.
I am not statically linking and should not need to use fipsld. I also do not use
fips_standalone_sha1 at any point.
Am I missing a step somewhere that is critical to getting FIPS initialized at
runtime?
Thanks,
Cassie
Dr. Stephen Henson
Jul 26, 2012, 9:09:55 AM7/26/12
to
On Wed, Jul 25, 2012, Cassie Helms wrote:
> Hi folks,
> I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
> libssl.so) into my product's build, but still get a "fingerprint does not match"
> error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0
> source and OpenSSL 1.0.1c.
>
> The full error is:
>
> 25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
> Hi folks,
> I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and
> libssl.so) into my product's build, but still get a "fingerprint does not match"
> error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0
> source and OpenSSL 1.0.1c.
>
> The full error is:
>
> match:fips.c:489:
>
> During the build on a build machine, I execute the following --
> for fips,
> ./config
> make
> make install (with an install prefix)
>
> for openssl,
> ./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix=
> {...}
> make ... -I{fips include directory} depend
> make ... -I{fips include directory}
> make install
>
> Everything appears to go well. fipscanister.o is generated, openssl is able to
> find it, and libcrypto.so has similar fingerprint text as fipscanister.o after
> doing an objdump on both of them. libssl.so and libcrypto.so get linked in with
> the product source and put into an rpm. The rpm is installed and executed on a
> different machine from building that does not have openssl or fips installed.
>
> In the initialization sequence that calls FIPS_mode_set, I'm including
> openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
> FIPS_mode_set is unhappy and returns the fingerprint does not match error. It is
> my understanding that if I'm not statically linking openssl, I should not need
> to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.
>
> So what are the digests that actually need to be compared for fips to be
> validated in a dynamic linking such as this? Is there a step I'm missing to
> generate and/or install them?
>
What platform is the target system?
> for fips,
> ./config
> make
> make install (with an install prefix)
>
> for openssl,
> ./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix=
> {...}
> make ... -I{fips include directory} depend
> make ... -I{fips include directory}
> make install
>
> Everything appears to go well. fipscanister.o is generated, openssl is able to
> find it, and libcrypto.so has similar fingerprint text as fipscanister.o after
> doing an objdump on both of them. libssl.so and libcrypto.so get linked in with
> the product source and put into an rpm. The rpm is installed and executed on a
> different machine from building that does not have openssl or fips installed.
>
> In the initialization sequence that calls FIPS_mode_set, I'm including
> openssl/crypto.h and openssl/err.h. Unfortunately, even after all of this,
> FIPS_mode_set is unhappy and returns the fingerprint does not match error. It is
> my understanding that if I'm not statically linking openssl, I should not need
> to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.
>
> So what are the digests that actually need to be compared for fips to be
> validated in a dynamic linking such as this? Is there a step I'm missing to
> generate and/or install them?
>
After you build the validated module do this:
make build_algvs
This should build an fips_algvs binary in the test directory. Copy that to
the target system and run:
./fips_algvs fips_test_suite post
Then post the results.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Cassie Helms
Jul 26, 2012, 11:44:29 AM7/26/12
to
> What platform is the target system?
cat /etc/*-release: RHEL Server 5.5 (Tikanga)
uname -mrs: Linux 2.6.18-194.el5 x86_64
Build system specs are the same as these.
> After you build the validated module do this:
>
> make build_algvs
>
> This should build an fips_algvs binary in the test directory. Copy that to
> the target system and run:
>
> ./fips_algvs fips_test_suite post
./fips_algvs fips_test_suite post
FIPS-mode test application
FIPS 2.0 validated module 14 Mar 2012
DRBG AES-256-CTR DF test started
DRBG AES-256-CTR DF test OK
POST started
Integrity test started
Integrity test OK
DRBG AES-256-CTR DF test started
DRBG AES-256-CTR DF test OK
DRBG AES-256-CTR test started
DRBG AES-256-CTR test OK
DRBG SHA256 test started
DRBG SHA256 test OK
DRBG HMAC-SHA256 test started
DRBG HMAC-SHA256 test OK
DRBG P-256 SHA256 test started
DRBG P-256 SHA256 test OK
X9.31 PRNG keylen=16 test started
X9.31 PRNG keylen=16 test OK
X9.31 PRNG keylen=24 test started
X9.31 PRNG keylen=24 test OK
X9.31 PRNG keylen=32 test started
X9.31 PRNG keylen=32 test OK
Digest SHA1 test started
Digest SHA1 test OK
Digest SHA1 test started
Digest SHA1 test OK
Digest SHA1 test started
Digest SHA1 test OK
HMAC SHA1 test started
HMAC SHA1 test OK
HMAC SHA224 test started
HMAC SHA224 test OK
HMAC SHA256 test started
HMAC SHA256 test OK
HMAC SHA384 test started
HMAC SHA384 test OK
HMAC SHA512 test started
HMAC SHA512 test OK
CMAC AES-128-CBC test started
CMAC AES-128-CBC test OK
CMAC AES-192-CBC test started
CMAC AES-192-CBC test OK
CMAC AES-256-CBC test started
CMAC AES-256-CBC test OK
CMAC DES-EDE3-CBC test started
CMAC DES-EDE3-CBC test OK
Cipher AES-128-ECB test started
Cipher AES-128-ECB test OK
CCM test started
CCM test OK
GCM test started
GCM test OK
XTS AES-128-XTS test started
XTS AES-128-XTS test OK
XTS AES-256-XTS test started
XTS AES-256-XTS test OK
Cipher DES-EDE3-ECB test started
Cipher DES-EDE3-ECB test OK
Cipher DES-EDE3-ECB test started
Cipher DES-EDE3-ECB test OK
Signature RSA test started
Signature RSA test OK
Signature ECDSA P-224 test started
Signature ECDSA P-224 test OK
Signature ECDSA K-233 test started
Signature ECDSA K-233 test OK
Signature DSA test started
Signature DSA test OK
ECDH P-224 test started
ECDH P-224 test OK
POST Success
Power-up self test successful
Thanks for looking at this.
Cassie Helms
Jul 26, 2012, 11:48:44 AM7/26/12
to
Apologies, this thread is a duplicate of the one Dr. Henson is already
responding to. The authentication system made it unclear whether or
not my original question would post yesterday. Please do not respond
to this thread.
Cassie
responding to. The authentication system made it unclear whether or
not my original question would post yesterday. Please do not respond
to this thread.
Cassie
Cassie Helms
Jul 27, 2012, 3:54:58 PM7/27/12
to
Cassie Helms <cassie.helms@...> writes:
> Built fips_algvs on build system and scp'd to target system as suggested.
Hmm. I incorporated building fips_algvs into my build system and ran it from the
> Built fips_algvs on build system and scp'd to target system as suggested.
rpm install on the target machine. I get different results now -- can anyone
point to what this might indicate, coupled with the fips fingerprint error?
# fips_algvs fips_test_suite post
FIPS-mode test application
FIPS 2.0 validated module 14 Mar 2012
DRBG AES-256-CTR DF test started
DRBG AES-256-CTR DF test OK
POST started
Integrity test started
Integrity test Failed Incorrectly!!
Power-up self test failed
Old results below --
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> OpenSSL Project http://www.openssl.org
> Automated List Manager majordomo@...
Dr. Stephen Henson
Jul 27, 2012, 4:32:46 PM7/27/12
to
On Fri, Jul 27, 2012, Cassie Helms wrote:
> Cassie Helms <cassie.helms@...> writes:
>
> > Built fips_algvs on build system and scp'd to target system as suggested.
>
> Hmm. I incorporated building fips_algvs into my build system and ran it from the
> rpm install on the target machine. I get different results now -- can anyone
> point to what this might indicate, coupled with the fips fingerprint error?
>
> # fips_algvs fips_test_suite post
>
> FIPS-mode test application
> FIPS 2.0 validated module 14 Mar 2012
>
> DRBG AES-256-CTR DF test started
> DRBG AES-256-CTR DF test OK
> POST started
> Integrity test started
> ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> Integrity test Failed Incorrectly!!
Well that error indicates the fingerprint error. The question is what is
> Cassie Helms <cassie.helms@...> writes:
>
> > Built fips_algvs on build system and scp'd to target system as suggested.
>
> Hmm. I incorporated building fips_algvs into my build system and ran it from the
> rpm install on the target machine. I get different results now -- can anyone
> point to what this might indicate, coupled with the fips fingerprint error?
>
> # fips_algvs fips_test_suite post
>
> FIPS-mode test application
> FIPS 2.0 validated module 14 Mar 2012
>
> DRBG AES-256-CTR DF test started
> DRBG AES-256-CTR DF test OK
> POST started
> Integrity test started
> ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> Integrity test Failed Incorrectly!!
different about the two build processes?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Cassie Helms
Jul 27, 2012, 4:54:40 PM7/27/12
to
Dr. Stephen Henson <steve@...> writes:
> > Integrity test started
> > ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> > Integrity test Failed Incorrectly!!
>
> Well that error indicates the fingerprint error. The question is what is
> different about the two build processes?
The difference seems to be in the sequence of building things. In the main
> > Integrity test started
> > ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> > Integrity test Failed Incorrectly!!
>
> Well that error indicates the fingerprint error. The question is what is
> different about the two build processes?
build, I do
1. fipscanister.o
2. fips_algvs
3. openssl + fipscanister.o module
If I use the copy of fips_algvs tool generated in step 2, I get the error on the
target system.
The build is set up such that I have source and build output leftover in debug
directories. If I go back manually to the debugging source for fips and do a
make build_algvs, like so
4. fips_algvs
and use that copy of the tool, no error comes out on the target system.
Much head scratching. And I still don't know what "digests" are getting compared
during this FIPS_mode_set step. What is an incore fingerprint anyway?
Cassie
Dr. Stephen Henson
Jul 28, 2012, 6:58:04 AM7/28/12
to
On Fri, Jul 27, 2012, Cassie Helms wrote:
> Dr. Stephen Henson <steve@...> writes:
>
> > > Integrity test started
> > > ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> > > Integrity test Failed Incorrectly!!
> >
> > Well that error indicates the fingerprint error. The question is what is
> > different about the two build processes?
>
> The difference seems to be in the sequence of building things. In the main
> build, I do
>
> 1. fipscanister.o
> 2. fips_algvs
> 3. openssl + fipscanister.o module
>
> If I use the copy of fips_algvs tool generated in step 2, I get the error on the
> target system.
>
> The build is set up such that I have source and build output leftover in debug
> directories. If I go back manually to the debugging source for fips and do a
> make build_algvs, like so
>
> 4. fips_algvs
>
> and use that copy of the tool, no error comes out on the target system.
>
What sequence of commands do you use in each case?
>
> > > Integrity test started
> > > ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> > > Integrity test Failed Incorrectly!!
> >
> > Well that error indicates the fingerprint error. The question is what is
> > different about the two build processes?
>
> The difference seems to be in the sequence of building things. In the main
> build, I do
>
> 1. fipscanister.o
> 2. fips_algvs
> 3. openssl + fipscanister.o module
>
> If I use the copy of fips_algvs tool generated in step 2, I get the error on the
> target system.
>
> The build is set up such that I have source and build output leftover in debug
> directories. If I go back manually to the debugging source for fips and do a
> make build_algvs, like so
>
> 4. fips_algvs
>
> and use that copy of the tool, no error comes out on the target system.
>
> Much head scratching. And I still don't know what "digests" are getting compared
> during this FIPS_mode_set step. What is an incore fingerprint anyway?
>
security policy and user guide.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
0 new messages