Obvious conclusion:

The OpenSSL library or DLL you link to was compiled with OPENSSL_FIPS not set,
but your code was compiled with OPENSSL_FIPS set.

So either you are using a different copy of the compiled OpenSSL library than
you think, or you have passed different options when compiling your program
than you did when compiling OpenSSL.

More specifically, check the following:

1. Is OPENSSL_FIPS defined in the Visual Studio Properties for your C file
(In project view, right click your file, choose Properties, and look under
C/C++, Preprocessor)?

2. In the C file editor, right click the filename in the line
#include <openssl/fips.h> and select "Open Document". Then hover over the
tab that shows fips.h to make sure it is using a copy of the openssl
headers from the expected path.  Also check if that file defines
OPENSSL_FIPS unconditionally.

3. Did you build OpenSSL with FIPS enabled?

4. In the Properties for your C project, navigate to "Linker, General" and
enable "Show Progress" (it may have a different name in different VS
versions, but the command line equivalent is always "/VERBOSE").

Then link your project again.  The build log should contain a lot of
details about which .obj and .lib files it uses from where; check that
it mentions your compiled OpenSSL library and not some other copy.

On 7/31/2012 8:01 PM, ejh891 wrote:
First off, I'd like to apologize if this is considered a re-post. I posted a
question a few days ago but my question has evolved significantly since then
so I decided to pose the new question in a new thread:

I'm trying to develop a very simple C program to practice calling
FIPS_mode_set(1).

--Errors--
The error that I always receive is:
5652:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips not
supported:.\crypto\o_fips.c:92:

--"o_fips.c"--
The error appears to stem from line 92 of o_fips.c. Here is the block from
o_fips.c containing line 92:

--Begin C code--
int FIPS_mode_set(int r)
        {
        OPENSSL_init();
#ifdef OPENSSL_FIPS
#ifndef FIPS_AUTH_USER_PASS
#define FIPS_AUTH_USER_PASS        "Default FIPS Crypto User Password"
#endif
        if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
                return 0;
        if (r)
                RAND_set_rand_method(FIPS_rand_get_method());
        else
                RAND_set_rand_method(NULL);
        return 1;
#else
        if (r == 0)
                return 1; //************line 92 follows
        CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
        return 0;
#endif
        }
--End C code--

Analysis of this block leads me to the conclusion that OPENSSL_FIPS must not
be defined.

This is an issue because my original code checks #ifdef OPENSSL_FIPS before
it even calls FIPS_mode_set(1) and always proceeds as if it *is* defined.

How can this be?

Here is all of the additional information that I could anticipate anyone
would need:

My code:
--Begin C code--
//parts of this code come from
//http://old.nabble.com/AES-cbc--How-to-Init-Openssl--td12475822.html
#include <stdio.h>
#include <stdlib.h>             //exit()
#include <string.h>
#include <openssl/crypto.h>     //CRYPTO_malloc_init(), FIPS_mode(), FIPS_mode_set()
#include <openssl/err.h>
#include <openssl/fips.h>
#include <openssl/aes.h>
#include <openssl/applink.c>

int main(int argc, char *argv[])
{
        //32byte key
        unsigned char key[] =
{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31};

        //16byte Initialization Vector
        unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

        //plain txt input with padding buffer. Since the AES Block Size is 16bytes
        //and 'crypto' is only 6 bytes, it needs 10 bytes of padding
        unsigned char
plaintxt[1024]="crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a";

        //output
        unsigned char encrypted[1024];

        AES_KEY aeskey;

        //handle for the output file enc.bin
        FILE *out;

        //Setting up FIPS MODE:
        CRYPTO_malloc_init();

//Check if OPENSSL_FIPS is defined
#ifdef OPENSSL_FIPS
        printf("\nOPENSSL_FIPS is defined\n");

        //Check if FIPS_mode is already engaged
        if(FIPS_mode())
        {
                printf("FIPS_mode is already engaged\n");
        }
        else
        {
                //Attempt to enable FIPS_mode
                printf("Attempting to enable FIPS MODE\n");
                if(FIPS_mode_set(1))
                {
                        printf("FIPS mode set successful\n");
                }
                else
                {
                        //print errors
                        printf("FIPS mode set failure\n");
                        ERR_load_crypto_strings();
                        ERR_print_errors_fp(stderr);
                        exit(2);
                }
        }
#else
        printf("OPENSSL_FIPS is not defined");
#endif //OPENSSL_FIPS

        //Perform AES 256bit Encryption
        memset(encrypted, 0, sizeof(encrypted));

        AES_set_encrypt_key(key, 256, &aeskey);

        AES_cbc_encrypt(plaintxt, encrypted, 16, &aeskey, iv, AES_ENCRYPT);

        //write the 16 raw ciphertext bytes to enc.bin. Binary mode and fwrite
        //are used because ciphertext can contain 0x00 and 0x0a bytes, which
        //printf("%s") and text-mode output would truncate or alter
        out = fopen("enc.bin", "wb");
        if (out == NULL)
        {
                perror("enc.bin");
                exit(1);
        }
        fwrite(encrypted, 1, 16, out);
        fclose(out);
        printf("Printed encrypted string to enc.bin");

        return(0);
}
--End C code--

--Environment Details--
I am using Visual Studio C++ to debug this program. To the search
directories for include I have added C:\usr\local\ssl\include and
C:\usr\local\ssl\fips-2.0\include. To the search directories for libraries I
have added C:\usr\local\ssl\lib and C:\usr\local\ssl\fips-2.0\lib. To the
additional dependencies I have added the paths to ssleay32.lib,
libeay32.lib, and fipscanister.lib.

--Other Info--
If you take out the 'exit(2)' line, the encryption will proceed correctly
even if the FIPS_mode_set(1) fails.

enc.bin can be decrypted with the following command (the output should be
'crypto'):
openssl aes-256-cbc -d -in out.txt -K 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -iv 000102030405060708090A0B0C0D0E0F

--Build Details--
Here is my exact build process/results:
On Windows XP 32bit Operating System
Download & Extract openssl-1.0.1c and openssl-fips-2.0
$cd C:\openssl-fips-2.0
$ms\do_fips
  >FIPS BUILD SUCCESS
$out32dll\fips_test_suite
  >All tests completed with 0 errors
$cd C:\openssl-1.0.1c
$perl Configure VC-WIN32 fips
  >Configured for VC-WIN32
$ms\do_nasm
  >completes with no errors
$nmake -f ms\ntdll.mak
  >completes with no errors
$nmake -f ms\ntdll.mak test
  >passed all tests
$nmake -f ms\ntdll.mak install
  >completes with no errors
$cd C:\usr\local\ssl\bin
$openssl version -a
  >OpenSSL 1.0.1c-fips...
$echo Hello World > hello.txt
$openssl md5 hello.txt
  >works
$set OPENSSL_FIPS=1
$openssl md5 hello.txt
  >Error disabled for fips
$openssl sha1 hello.txt
  >works

Thanks for any advice,

-EJ

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
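
Check 4 from the reply, as an added example that is not part of either message: a Python script that reads "/VERBOSE" linker output and reports OpenSSL libraries whose symbols were resolved from outside the expected directories. The log text, the `C:\OtherSDK` and `C:\VS` paths and `fipstest.obj` are constructed for illustration, and the wording of the linker's progress lines is an assumption that may differ between Visual Studio versions.

```python
import ntpath
import re

# Constructed sample modelled on `link /VERBOSE` output; not from the thread.
SAMPLE_LOG = r"""
Searching libraries
    Searching C:\usr\local\ssl\lib\ssleay32.lib:
    Searching C:\OtherSDK\lib\libeay32.lib:
      Found _FIPS_mode_set
        Referenced in fipstest.obj
        Loaded libeay32.lib(libeay32.dll)
      Found _AES_cbc_encrypt
        Referenced in fipstest.obj
    Searching C:\usr\local\ssl\lib\libeay32.lib:
    Searching C:\VS\VC\lib\LIBCMT.lib:
      Found _printf
        Referenced in fipstest.obj
Finished searching libraries
"""

OPENSSL_LIBS = {"libeay32.lib", "ssleay32.lib", "fipscanister.lib"}
SEARCHING = re.compile(r"^\s*Searching (.+\.lib):\s*$", re.IGNORECASE)
FOUND = re.compile(r"^\s*Found (\S+)")

def resolved_symbols(log_text):
    """Map each library path to the symbols the linker resolved from it."""
    current, result = None, {}
    for line in log_text.splitlines():
        if m := SEARCHING.match(line):
            current = m.group(1)
        elif (m := FOUND.match(line)) and current:
            result.setdefault(current, []).append(m.group(1))
    return result

def _norm(path):
    # Windows paths compare case-insensitively, with either slash style.
    return ntpath.normcase(ntpath.normpath(path))

def unexpected_openssl_libs(log_text, expected_dirs):
    """Return {path: symbols} for OpenSSL libs linked from other directories."""
    allowed = {_norm(d) for d in expected_dirs}
    return {
        path: symbols
        for path, symbols in resolved_symbols(log_text).items()
        if ntpath.basename(path).lower() in OPENSSL_LIBS
        and _norm(ntpath.dirname(path)) not in allowed
    }

if __name__ == "__main__":
    dirs = [r"C:\usr\local\ssl\lib", r"C:\usr\local\ssl\fips-2.0\lib"]
    for path, syms in unexpected_openssl_libs(SAMPLE_LOG, dirs).items():
        print(f"{path}: resolved {', '.join(syms)}")
```

A library that is only searched, with no "Found" lines under it, contributed nothing to the link and is not reported.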
