I'm trying to enable FIPS on simple code with the following:
test.cpp:
#include <iostream>
// OpenSsl includes
#include <openssl/bio.h>
#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/fips.h>
#include <openssl/ssl.h>
using namespace std;
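/// Initializes OpenSSL and tries to switch the process into FIPS mode.
///
/// @return 0 when FIPS_mode_set(1) succeeds, 1 when it fails. The non-zero
///         exit code lets a caller or build script detect that the process
///         is NOT running in FIPS mode instead of relying on console text.
int main()
{
    SSL_library_init();
    // Load the libcrypto error strings so queue entries print as readable
    // text (library:function:reason) rather than bare numeric codes.
    ERR_load_crypto_strings();

    if (!FIPS_mode_set(1))
    {
        std::cout << "!FIPS_mode_set(1) FAILED" << std::endl;

        // Drain the OpenSSL error queue: the reason for the refusal (for
        // example a fingerprint mismatch) is reported there, not in the
        // return value of FIPS_mode_set().
        unsigned long code = 0;
        while ((code = ERR_get_error()) != 0)
        {
            char text[256];
            ERR_error_string_n(code, text, sizeof(text));
            std::cerr << text << '\n';
        }

        // Fail closed: do not carry on as if FIPS mode were active.
        return 1;
    }

    // The original success text read "(!FIPS_mode_set(1)) SUCCEED", which
    // names the negated condition; report the call that actually succeeded.
    std::cout << "FIPS_mode_set(1) SUCCEEDED" << std::endl;
    return 0;
}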
FIPS setting:
rem Environment for the FIPS link step (fipslink.pl, invoked further down with test_conf.rsp).
rem NOTE(review): the FIPS_* names are presumably read from the environment by fipslink.pl;
rem confirm against the copy of the script that is actually run.
rem Header directories of the OpenSSL 1.0.2h build tree.
set INC_D=\openssl_fips\openssl-1.0.2h\inc32
set INCL_D=\openssl_fips\openssl-1.0.2h\tmp32
set LIB_CFLAG= /Zl /Zi
set INC=-I %INC_D% -I %INCL_D%
rem Compiler flags; -DOPENSSL_FIPS and the fips-2.0 include path are set here.
set CFLAG=/MT /Ox -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I\usr\local\ssl\fips-2.0\include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE
set SHLIB_CFLAGS=%INC% %CFLAG% %LIB_CFLAG%
rem Directory of the installed FIPS module (the fipscanister.lib used on the cl command line lives here).
set FIPSLIB_D=\usr\local\ssl\fips-2.0\lib
rem Compiler and its arguments: compile only (-c), object files written to \openssl_test\.
set FIPS_CC=cl
set FIPS_CC_ARGS=/Fo\openssl_test\ %SHLIB_CFLAGS% -c
set FIPS_LINK="\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\link.exe"
rem Helper tools: the standalone SHA-1 utility, and the msincore script from openssl-fips-2.0.9 run through Perl.
set FIPS_SHA1_EXE=\usr\local\ssl\fips-2.0\bin\fips_standalone_sha1.exe
set FIPS_SIG=\Perl64\bin\perl \openssl_fips\openssl-fips-2.0.9\util\msincore
rem Deliberately left empty.
set PREMAIN_DSO_EXE=
rem Names the same file as /OUT in test_conf.rsp.
rem NOTE(review): the fingerprint is presumably embedded in this exact file; if test.exe is
rem rebuilt or modified after the FIPS link step the stored value would no longer match - confirm.
set FIPS_TARGET=\openssl_test\test.exe
test_conf.rsp:
/fixed /OUT:"\openssl_test\test.exe" /INCREMENTAL:NO /LIBPATH:"\usr\local\ssl\lib" /LIBPATH:"\usr\local\ssl\fips-2.0\lib" /LIBPATH:"\openssl_fips\openssl-1.0.2h\out32" /DEBUG /SUBSYSTEM:CONSOLE /OPT:REF /OPT:ICF /NXCOMPAT /MACHINE:X86
ws2_32.lib
shell32.lib
advapi32.lib
gdi32.lib
User32.lib
ssleay32.lib
libeayfips32.lib
fipscanister.lib
libeaycompat32.lib
".\test.obj"
".\fips_premain.obj"
compile test.cpp:
cl -I \usr\local\ssl\include -I \usr\local\ssl\fips-2.0\include /LIBPATH:C:\WinDDK\7600.16385.1\lib\win7\i386 Mswsock.lib imagehlp.lib Netapi32.lib \usr\local\ssl\lib\libeayfips32.lib \usr\local\ssl\lib\ssleay32.lib \usr\local\ssl\fips-2.0\lib\fipscanister.lib crypt32.lib version.lib kernel32.lib Wtsapi32.lib Iphlpapi.lib Fwpuclnt.lib uuid.lib Rpcrt4.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib Ws2_32.lib test.cpp
link fips_premain.c:
/usr/local/ssl/fips-2.0/bin/
fipslink.pl @"test_conf.rsp"
The above steps completed successfully, yet running test.exe returns an error:
c:\openssl_test>test.exe
299280:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:.\fips\fips.c:232:
!FIPS_mode_set(1) FAILED!
Please let me know if I'm missing anything.
Ohad