Thanks for the quick reply!

To address your questions:

1. OPENSSL_FIPS does not appear to be defined in my Visual Studio
Properties. The only preprocessor listed in 'Preprocessor Definitions' was
'_MBCS'

2. The copy of fips.h that Visual Studio finds is the correct file
(C:\usr\local\ssl\fips-2.0\include\). It does not explicitly define
OPENSSL_FIPS but it #includes opensslconf.h which has the statement:
#ifndef OPENSSL_FIPS
  #define OPENSSL_FIPS
#endif

3. When I originally built/installed OpenSSL, I did not have OPENSSL_FIPS
defined. I tried rebuilding with 'set OPENSSL_FIPS=1' as my first step and
everything went fine until 'nmake -f ms\ntdll.mak test' where some tests
resulted in errors saying that the algorithm is disabled for fips.
Regardless, I proceeded to test the application again but got the exact same
error. Next, I set OPENSSL_FIPS as a custom environment variable with the
value '1' but that did not appear to have any effect on the program either.

4. I enabled the \VERBOSE option as you suggested and confirmed that the
.lib files that it uses are, in fact, the .lib files in my compiled
directory (C:\usr\local\ssl\lib etc.)

Any suggestions for next steps?

Thanks

-EJ


Jakob Bohm-7 wrote:
> 
> Obvious conclusion:
> 
> The OpenSSL library or DLL you link to was compiled with OPENSSL_FIPS not set,
> but your code was compiled with OPENSSL_FIPS set.
> 
> So either you are using a different copy of the compiled OpenSSL library than
> you think, or you have passed different options when compiling your program
> than you did when compiling OpenSSL.
> 
> More specifically, check the following:
> 
> 1. Is OPENSSL_FIPS defined in the Visual Studio Properties for your C file
> (In project view, right click your file, choose Properties, and look under
> C/C++, Preprocessor)?
> 
> 2. In the C file editor, right click the filename in the line
> #include <openssl/fips.h> and select "Open Document". Then hover over the
> tab that shows fips.h to make sure it is using a copy of the openssl
> headers from the expected path.  Also check if that file defines
> OPENSSL_FIPS unconditionally.
> 
> 3. Did you build OpenSSL with FIPS enabled?
> 
> 4. In the Properties for your C project, navigate to "Linker, General" and
> enable "Show Progress" (it may have a different name in different VS
> versions, but the command line equivalent is always "/VERBOSE").
> 
> Then link your project again.  The build log should contain a lot of
> details about which .obj and .lib files it uses from where, check that
> it mentions your compiled OpenSSL library and not some other copy.
> 
> On 7/31/2012 8:01 PM, ejh891 wrote:
>> First off, I'd like to apologize if this is considered a re-post. I posted a
>> question a few days ago but my question has evolved significantly since then
>> so I decided to pose the new question in a new thread:
>>
>> I'm trying to develop a very simple C program to practice calling
>> FIPS_mode_set(1).
>>
>> --Errors--
>> The error that I always receive is:
>> 5652:error:0F06D065:common libcrypto routines:FIPS_mode_set:fips not supported:.\crypto\o_fips.c:92:
>>
>> --"o_fips.c"--
>> The error appears to stem from line 92 of o_fips.c. Here is the block from
>> o_fips.c containing line 92:
>>
>> --Begin C code--
>> int FIPS_mode_set(int r)
>>      {
>>      OPENSSL_init();
>> #ifdef OPENSSL_FIPS
>> #ifndef FIPS_AUTH_USER_PASS
>> #define FIPS_AUTH_USER_PASS        "Default FIPS Crypto User Password"
>> #endif
>>      if (!FIPS_module_mode_set(r, FIPS_AUTH_USER_PASS))
>>              return 0;
>>      if (r)
>>              RAND_set_rand_method(FIPS_rand_get_method());
>>      else
>>              RAND_set_rand_method(NULL);
>>      return 1;
>> #else
>>      if (r == 0)
>>              return 1; //************line 92 follows
>>      CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
>>      return 0;
>> #endif
>>      }
>> --End C code--
>>
>> Analysis of this block leads me to the conclusion that OPENSSL_FIPS must not
>> be defined.
>>
>> This is an issue because my original code checks #ifdef OPENSSL_FIPS before
>> it even calls FIPS_mode_set(1) and always proceeds as if it *is* defined
>>
>> How can this be?
>>
>> Here is all of the additional information that I could anticipate anyone
>> would need:
>>
>> My code:
>> --Begin C code--
>> //parts of this code come from http://old.nabble.com/AES-cbc--How-to-Init-Openssl--td12475822.html
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <string.h>
>> #include <openssl\err.h>
>> #include <openssl\fips.h>
>> #include <openssl\aes.h>
>> #include <openssl\applink.c>
>>
>> int main(int argc, char *argv[])
>> {
>>      //32byte key
>>      unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31};
>>
>>      //16byte Initialization Vector
>>      unsigned char iv[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
>>
>>      //plain txt input with padding buffer. Since the AES Block Size is 16bytes
>>      //and 'crypto' is only 6 bytes, it needs 10 bytes of padding
>>      unsigned char plaintxt[1024]="crypto\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a";
>>
>>      //output
>>      unsigned char encrypted[1024];
>>
>>      AES_KEY aeskey;
>>
>>      //Setting up FIPS MODE:
>>      CRYPTO_malloc_init();
>>
>> //Check if OPENSSL_FIPS is defined
>> #ifdef OPENSSL_FIPS
>>      printf("\nOPENSSL_FIPS is defined\n");
>>                              
>>              //Check if FIPS_mode is already engaged
>>              if(FIPS_mode())
>>              {
>>                      printf("FIPS_mode is already engaged\n");
>>              }
>>              else
>>              {
>>                      //Attempt to enable FIPS_mode
>>                      printf("Attempting to enable FIPS MODE\n");
>>                      if(FIPS_mode_set(1))
>>                      {
>>                              printf("FIPS mode set successful\n");
>>                      }
>>                      else
>>                      {
>>                              //print errors
>>                              printf("FIPS mode set failure\n");
>>                              ERR_load_crypto_strings();
>>                              ERR_print_errors_fp(stderr);
>>                              exit(2);
>>                      }
>>              }
>> #else
>>      printf("OPENSSL_FIPS is not defined");
>> #endif //OPENSSL_FIPS
>>
>>      //Perform AES 256bit Encryption
>>      memset(encrypted, 0, sizeof(encrypted));
>>
>>      AES_set_encrypt_key(key, 256, &aeskey);
>>
>>      AES_cbc_encrypt(plaintxt, encrypted, 16, &aeskey, iv, AES_ENCRYPT);
>>
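>>      //write the 16-byte ciphertext block to enc.bin; binary mode and
>>      //fwrite keep zero bytes and 0x0a bytes in the ciphertext intact
>>      {
>>              FILE *out = fopen("enc.bin", "wb");
>>              if (out == NULL)
>>              {
>>                      perror("enc.bin");
>>                      return(1);
>>              }
>>              fwrite(encrypted, 1, 16, out);
>>              fclose(out);
>>      }
>>      printf("Printed encrypted string to enc.bin");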
>>
>>      return(0);
>> }
>> --End C code--
>>
>> --Environment Details--
>> I am using Visual Studio C++ to debug this program. To the search
>> directories for include I have added C:\usr\local\ssl\include and
>> C:\usr\local\ssl\fips-2.0\include. To the search directories for libraries I
>> have added C:\usr\local\ssl\lib and C:\usr\local\ssl\fips-2.0\lib. To the
>> additional dependencies I have added the paths to ssleay32.lib,
>> libeay32.lib, and fipscanister.lib.
>>
>> --Other Info--
>> If you take out the 'exit(2)' line, the encryption will proceed correctly
>> even if the FIPS_mode_set(1) fails
>>
>> enc.bin can be decrypted with the following command (the output should be
>> 'crypto'):
>> openssl aes-256-cbc -d -in out.txt -K 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F -iv 000102030405060708090A0B0C0D0E0F
>>
>> --Build Details--
>> Here is my exact build process/results:
>> On Windows XP 32bit Operating System
>> Download & Extract openssl-1.0.1c and openssl-fips-2.0
>> $cd C:\openssl-fips-2.0
>> $ms\do_fips
>>   >FIPS BUILD SUCCESS
>> $out32dll\fips_test_suite
>>   >All tests completed with 0 errors
>> $cd C:\openssl-1.0.1c
>> $perl Configure VC-WIN32 fips
>>   >Configured for VC-WIN32
>> $ms\do_nasm
>>   >completes with no errors
>> $nmake -f ms\ntdll.mak
>>   >completes with no errors
>> $nmake -f ms\ntdll.mak test
>>   >passed all tests
>> $nmake -f ms\ntdll.mak install
>>   >completes with no errors
>> $cd C:\usr\local\ssl\bin
>> $openssl version -a
>>   >OpenSSL 1.0.1c-fips...
>> $echo Hello World > hello.txt
>> $openssl md5 hello.txt
>>   >works
>> $set OPENSSL_FIPS=1
>> $openssl md5 hello.txt
>>   >Error disabled for fips
>> $openssl sha1 hello.txt
>>   >works
>>
>> Thanks for any advice,
>>
>> -EJ
> 
> Enjoy
> 
> Jakob
> -- 
> Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Unusual-Fips-Mode-Set-Failure-tp34235609p34241045.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
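
The header/library mismatch discussed in this thread can be tested at run time by comparing the version banner the headers supply with the one the linked libcrypto reports. The following is an added example, not code from the thread or from OpenSSL; `check_fips_link`, `split_banner` and the enum are hypothetical names, and the banners in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
enum fips_link {
    LINK_BOTH_FIPS,     /* headers and library both built with "fips" */
    LINK_BOTH_PLAIN,    /* neither side is FIPS capable */
    LINK_HEADER_ONLY,   /* program sees OPENSSL_FIPS, library built without it */
    LINK_LIBRARY_ONLY,  /* library is FIPS capable, headers are not */
    LINK_VERSION_SKEW,  /* headers and library are different releases */
    LINK_UNPARSED       /* banner is not "OpenSSL <version> <date>" */
};

/* Copy the version word of a banner into out, stripping a trailing "-fips".
 * Returns 1 if the tag was present, 0 if absent, -1 if the banner is malformed. */
static int split_banner(const char *banner, char *out, size_t outlen)
{
    const char *tok = strchr(banner, ' ');
    size_t n;
    if (tok == NULL)
        return -1;
    n = strcspn(++tok, " ");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, tok, n);
    out[n] = '\0';
    if (n > 5 && strcmp(out + n - 5, "-fips") == 0) {
        out[n - 5] = '\0';
        return 1;
    }
    return 0;
}

/* With OpenSSL 1.0.x, after #include <openssl/crypto.h>, call this as
 * check_fips_link(OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION)):
 * the first string comes from the headers, the second from the linked library. */
enum fips_link check_fips_link(const char *hdr, const char *lib)
{
    char hv[64], lv[64];
    int hf = split_banner(hdr, hv, sizeof hv);
    int lf = split_banner(lib, lv, sizeof lv);
    if (hf < 0 || lf < 0) return LINK_UNPARSED;
    if (strcmp(hv, lv) != 0) return LINK_VERSION_SKEW;
    if (hf && lf) return LINK_BOTH_FIPS;
    if (hf) return LINK_HEADER_ONLY;
    return lf ? LINK_LIBRARY_ONLY : LINK_BOTH_PLAIN;
}

int main(void)
{   /* Constructed banners: FIPS headers against a non-FIPS library. */
    printf("%d\n", check_fips_link("OpenSSL 1.0.1c-fips 10 May 2012", "OpenSSL 1.0.1c 10 May 2012"));
    return 0;
}
```

A result of `LINK_HEADER_ONLY` or `LINK_VERSION_SKEW` means the program is not linking the library its headers describe, which is the condition the /VERBOSE linker log is meant to expose.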
