I am attempting to build a FIPS-capable OpenSSL for an XScale processor (ARMV4I) running under Windows CE 5.0 (using openssl-1.0.1c and openssl-fips-2.0.1); that was successful.
Then I built the latest Stunnel (just released a few days ago) with the FIPS option turned on.
The build appears to complete successfully. However, at run-time, entering FIPS mode fails and the following messages are produced:
error stack: 2D079089 : error:2D079089:FIPS routines:fips_pkey_signature_test:test failure
FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
I have reviewed the build instructions outlined in the OpenSSL FIPS user guide carefully and believe all the build instructions have been adhered to. What needs to be changed for the signature to be properly embedded?
Robert Bao
Tyco
Robert Bao wrote:
I am attempting to build a FIPS-capable OpenSSL for an XScale processor (ARMV4I) running under Windows CE 5.0 (using openssl-1.0.1c and openssl-fips-2.0.1); that was successful.
[cut]
FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
I had this error (WIN32 build, but the build process is the same according to https://openssl.org/docs/fips/UserGuide-2.0.pdf) when my FIPS-capable OpenSSL was broken. Although the compilation phase reported success, the built-in FIPS tests failed. Obviously stunnel was also unable to initialize FIPS mode.
What this error means is that the in-memory image of the FIPS module was found to be different from the one acquired during the original build. In my case the problem was caused by the linker enabling ASLR by default. Downgrading the compiler suite fixed the problem without violating FIPS policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf), as ASLR is disabled in older linkers by default.
Mike
Hi Mike,
Thanks a lot for your reply and help.
According to the engineer who actually is trying to make this work for our WinCE environment, the way you resolved your problem is for a native Windows environment that unfortunately doesn't apply to our cross-compile build (for WinCE).
Best regards, Robert
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Michal Trojnara
Sent: Wednesday, October 17, 2012 3:50 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Need help building FIPS capable Stunnel for Windows CE