First off, I'd like to apologize if this is considered a re-post. I posted a
question a few days ago but my question has evolved significantly since then
so I decided to pose the new question in a new thread:

I'm trying to develop a very simple C program to practice calling
FIPS_mode_set(1).

--Errors--
The error that I always receive is:
5652:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips not
supported:.\crypto\o_fips.c:92:

--"o_fips.c"--
The error appears to stem from line 92 of o_fips.c. Here is the block from
o_fips.c containing line 92:

--Begin C code--
int FIPS_mode_set(int r)
        {
        OPENSSL_init();
#ifdef OPENSSL_FIPS
#ifndef FIPS_AUTH_USER_PASS
#define FIPS_AUTH_USER_PASS        "Default FIPS Crypto User Password"
#endif
        if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
                return 0;
        if (r)
                RAND_set_rand_method(FIPS_rand_get_method());
        else
                RAND_set_rand_method(NULL);
        return 1;
#else
        if (r == 0)
                return 1; //************line 92 follows
        CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
        return 0;
#endif
        }
--End C code--

Analysis of this block leads me to the conclusion that OPENSSL_FIPS must not
be defined.

This is an issue because my original code checks #ifdef OPENSSL_FIPS before
it even calls FIPS_mode_set(1) and always proceeds as if it *is* defined.

How can this be?

Here is all of the additional information that I could anticipate anyone
would need:

My code:
--Begin C code--
//parts of this code come from
//http://old.nabble.com/AES-cbc--How-to-Init-Openssl--td12475822.html
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/fips.h>
#include <openssl/aes.h>
#include <openssl/applink.c>

int main(int argc, char *argv[])
{
        //32byte key
        unsigned char key[] =
{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31};

        //16byte Initialization Vector (AES_cbc_encrypt updates it in place)
        unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

        //plain txt input with PKCS#7 padding already applied. Since the AES
        //Block Size is 16 bytes and 'crypto' is only 6 bytes, it needs 10
        //bytes of padding, each with the value 0x0a
        unsigned char plaintxt[1024] =
                "crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a";

        //output
        unsigned char encrypted[1024];
        FILE *out;

        AES_KEY aeskey;

        //Setting up FIPS MODE:
        CRYPTO_malloc_init();

//Check if OPENSSL_FIPS is defined
#ifdef OPENSSL_FIPS
        printf("\nOPENSSL_FIPS is defined\n");

                //Check if FIPS_mode is already engaged
                if(FIPS_mode())
                {
                        printf("FIPS_mode is already engaged\n");
                }
                else
                {
                        //Attempt to enable FIPS_mode
                        printf("Attempting to enable FIPS MODE\n");
                        if(FIPS_mode_set(1))
                        {
                                printf("FIPS mode set successful\n");
                        }
                        else
                        {
                                //print errors
                                printf("FIPS mode set failure\n");
                                ERR_load_crypto_strings();
                                ERR_print_errors_fp(stderr);
                                exit(2);
                        }
                }
#else
        printf("OPENSSL_FIPS is not defined\n");
#endif //OPENSSL_FIPS

        //Perform AES 256bit Encryption of one 16-byte block
        //(AES_cbc_encrypt adds no padding of its own)
        memset(encrypted, 0, sizeof(encrypted));

        if(AES_set_encrypt_key(key, 256, &aeskey) != 0)
        {
                printf("AES_set_encrypt_key failure\n");
                exit(3);
        }

        AES_cbc_encrypt(plaintxt, encrypted, 16, &aeskey, iv, AES_ENCRYPT);

        //write the 16 ciphertext bytes to enc.bin in binary mode.
        //printf("%s") would stop at the first zero byte of the ciphertext,
        //and a text-mode stream could translate bytes on Windows
        out = fopen("enc.bin", "wb");
        if(out == NULL)
        {
                printf("could not open enc.bin\n");
                exit(4);
        }
        fwrite(encrypted, 1, 16, out);
        fclose(out);
        printf("Printed encrypted string to enc.bin\n");

        return(0);
}
--End C code--

--Environment Details--
I am using Visual Studio C++ to debug this program. To the search
directories for include I have added C:\usr\local\ssl\include and
C:\usr\local\ssl\fips-2.0\include. To the search directories for libraries I
have added C:\usr\local\ssl\lib and C:\usr\local\ssl\fips-2.0\lib. To the
additional dependencies I have added the paths to ssleay32.lib,
libeay32.lib, and fipscanister.lib.

--Other Info--
If you take out the 'exit(2)' line, the encryption will proceed correctly
even if the FIPS_mode_set(1) fails.

enc.bin can be decrypted with the following command (the output should be
'crypto'):
openssl aes-256-cbc -d -in out.txt -K
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -iv
000102030405060708090A0B0C0D0E0F 

--Build Details--
Here is my exact build process/results: 
On Windows XP 32bit Operating System 
Download & Extract openssl-1.0.1c and openssl-fips-2.0 
$cd C:\openssl-fips-2.0 
$ms\do_fips 
 >FIPS BUILD SUCCESS 
$out32dll\fips_test_suite 
 >All tests completed with 0 errors 
$cd C:\openssl-1.0.1c 
$perl Configure VC-WIN32 fips 
 >Configured for VC-WIN32 
$ms\do_nasm 
 >completes with no errors 
$nmake -f ms\ntdll.mak 
 >completes with no errors 
$nmake -f ms\ntdll.mak test 
 >passed all tests 
$nmake -f ms\ntdll.mak install 
 >completes with no errors 
$cd C:\usr\local\ssl\bin 
$openssl version -a 
 >OpenSSL 1.0.1c-fips... 
$echo Hello World > hello.txt 
$openssl md5 hello.txt 
 >works 
$set OPENSSL_FIPS=1 
$openssl md5 hello.txt 
 >Error disabled for fips 
$openssl sha1 hello.txt 
 >works

Thanks for any advice,

-EJ
-- 
View this message in context: 
http://old.nabble.com/Unusual-Fips-Mode-Set-Failure-tp34235609p34235609.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
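The program in the post pads 'crypto' to a full 16-byte block by hand with ten 0x0a bytes, which is exactly the PKCS#7 padding that the `openssl aes-256-cbc -d` command in the post strips on decryption. The following is an added example, not code from the post or from OpenSSL: a general PKCS#7 pad/unpad pair for the AES block size, covering the case the hand-written literal cannot (input that is already a multiple of 16 bytes gets a full extra block) and validating the padding on the way back without stopping at the first bad byte. The function names and the check helper are my own.

```c
#include <stddef.h>
#include <string.h>

#define AES_BLOCK 16

/* PKCS#7 pad 'in' into 'out'. Returns the padded length, or 0 if 'out' is too
   small. Padding is always added: an input that is already a multiple of 16
   bytes gets a whole extra block of 0x10, so unpadding is never ambiguous. */
size_t pkcs7_pad(const unsigned char *in, size_t in_len,
                 unsigned char *out, size_t out_cap)
{
    size_t pad = AES_BLOCK - (in_len % AES_BLOCK);   /* always 1..16 */
    if (out_cap < in_len + pad)
        return 0;
    memcpy(out, in, in_len);
    memset(out + in_len, (int)pad, pad);
    return in_len + pad;
}

/* Validate and strip PKCS#7 padding from a decrypted buffer. Returns the
   plaintext length, or (size_t)-1 if the padding is malformed. The whole last
   block is scanned regardless of where the first bad byte is, so the running
   time does not depend on the padding contents. */
size_t pkcs7_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % AES_BLOCK != 0)
        return (size_t)-1;
    unsigned char pad = buf[len - 1];
    unsigned bad = (pad == 0) | (pad > AES_BLOCK);
    for (size_t i = 0; i < AES_BLOCK; i++) {
        unsigned in_pad = (i < pad);          /* byte lies in the pad region */
        bad |= in_pad & (buf[len - 1 - i] != pad);
    }
    return bad ? (size_t)-1 : len - pad;
}

/* The post's case: "crypto" (6 bytes) must pad to the literal the poster typed
   by hand and unpad back to 6 bytes. Returns 1 on success, 0 otherwise. */
int check_crypto_case(void)
{
    static const unsigned char want[AES_BLOCK + 1] =
        "crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a";
    unsigned char buf[AES_BLOCK];
    size_t n = pkcs7_pad((const unsigned char *)"crypto", 6, buf, sizeof buf);
    return n == AES_BLOCK && memcmp(buf, want, AES_BLOCK) == 0
        && pkcs7_unpad(buf, n) == 6;
}
```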

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
