FIPS fail - Openssl

This is a discussion on FIPS fail - Openssl ; Feel free to follow along with this e-mail: http://www.slproweb.com/download/bad_openssl.zip I just zipped up the contents of the 'out32dll' directory. What you see is what I've got in my out32dll directory. And now onto the main part of the e-mail. This ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: FIPS fail

  1. FIPS fail

    Feel free to follow along with this e-mail:

    http://www.slproweb.com/download/bad_openssl.zip

    I just zipped up the contents of the 'out32dll' directory. What you see
    is what I've got in my out32dll directory. And now onto the main part
    of the e-mail.


    This is my first time building FIPS but given that I generally know how
    to build pretty much anything OpenSSL, it probably isn't my fault
    (famous last words). The build process works fine up to this point:

    out32dll\fips_premain_dso.exe out32dll\libeay32.dll
    2348:error:25078067SO support routines:WIN32_LOAD:could not load the
    shared library:.\crypto\dso\dso_win32.c:147:filename(out3 2dll\libeay32.dll)
    2348:error:25070067SO support routinesSO_load:could not load the
    shared library:.\crypto\dso\dso_lib.c:244:
    Get hash failure at util\fipslink.pl line 48.
    NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x1'
    Stop.


    Looking at fipslink.pl, it looks like the first line displayed is the
    executable/command run. Running that command directly, I get the two
    error messages after Windows displays this message box:

    "Bad Image"
    "The application or DLL C:\[path]\openssl-0.9.7m\out32dll\libeay32.dll
    is not a valid Windows image. Please check this against your
    installation diskette."


    So, it is finding the DLL but refusing to load. It could be the fixed
    address issue and wanting to relocate, but using one of the tools I use,
    it is clear to me that something seriously hosed the file up somewhere
    along the line in the build process. There is a relocation table data
    directory entry but no relocation table (appears to be intentional file
    truncation) and a missing section. One of the tools I've used for years
    without problems is balking at the file. I'm not surprised that Windows
    isn't loading the DLL.


    VC++ 2008 Professional (not SP1)
    Windows XP SP2
    FIPS 1.1.2 w/ OpenSSL 0.9.7m
    fipscanister.o and other files reside on a CD-R (drive e built against
    the MSYS instructions in the User Guide for 1.1.1.
    perl Configure VC-WIN32 fips --with-fipslibdir=e:/
    Beyond that, regular build process using NASM (latest).
    Fresh 0.9.7m and FIPS 1.1.2 files, cross-referenced against the MD5 and
    SHA-1 hashes on the site (which, BTW, the website links are broken, I
    had to go through FTP).


    Additional tests:

    While paused at the message box, I ran a little tool I wrote many years ago:

    Process ID: 2904
    Module ID = 00400000, Module Name = FIPS_PREMAIN_DSO.EXE, Module
    Filename =
    c:\cfiles\projects\winssl\openssl-0.9.7m\out32dll\FIPS_PREMAIN_DSO.EXE
    Module ID = 7C900000, Module Name = ntdll.dll, Module Filename =
    C:\WINDOWS\system32\ntdll.dll
    Module ID = 7C800000, Module Name = kernel32.dll, Module Filename =
    C:\WINDOWS\system32\kernel32.dll
    Module ID = 08370000, Module Name = depends.dll, Module Filename =
    C:\PROGRA~1\MIAF9D~1\Common\Tools\depends.dll
    Module ID = 77DD0000, Module Name = ADVAPI32.dll, Module Filename =
    C:\WINDOWS\system32\ADVAPI32.dll
    Module ID = 77E70000, Module Name = RPCRT4.dll, Module Filename =
    C:\WINDOWS\system32\RPCRT4.dll
    Module ID = 77FE0000, Module Name = Secur32.dll, Module Filename =
    C:\WINDOWS\system32\Secur32.dll
    Module ID = 71AD0000, Module Name = WSOCK32.dll, Module Filename =
    C:\WINDOWS\system32\WSOCK32.dll
    Module ID = 71AB0000, Module Name = WS2_32.dll, Module Filename =
    C:\WINDOWS\system32\WS2_32.dll
    Module ID = 77C10000, Module Name = msvcrt.dll, Module Filename =
    C:\WINDOWS\system32\msvcrt.dll
    Module ID = 71AA0000, Module Name = WS2HELP.dll, Module Filename =
    C:\WINDOWS\system32\WS2HELP.dll
    Module ID = 7E410000, Module Name = USER32.dll, Module Filename =
    C:\WINDOWS\system32\USER32.dll
    Module ID = 77F10000, Module Name = GDI32.dll, Module Filename =
    C:\WINDOWS\system32\GDI32.dll
    Module ID = 78520000, Module Name = MSVCR90.dll, Module Filename =
    C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a 1e18e3b_9.0.30729.1_x-ww_6f74963e\MSVCR90.dll
    Module ID = 76390000, Module Name = IMM32.DLL, Module Filename =
    C:\WINDOWS\system32\IMM32.DLL
    Module ID = 629C0000, Module Name = LPK.DLL, Module Filename =
    C:\WINDOWS\system32\LPK.DLL
    Module ID = 74D90000, Module Name = USP10.dll, Module Filename =
    C:\WINDOWS\system32\USP10.dll


    No apparent base address conflicts with the loader and libeay32.dll
    (preferred base at the default 0x0FB00000).


    Dependency Walker was running the app. at the time and showed the
    following output:

    LoadLibraryA("out32dll\libeay32.dll") called from "FIPS_PREMAIN_DSO.EXE"
    at address 0x00412540.
    LoadLibraryA("out32dll\libeay32.dll") returned NULL. Error: %1 is not a
    valid Win32 application (193).

    --
    Thomas Hruska
    Shining Light Productions

    Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
    http://www.slproweb.com/

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: FIPS fail

    On Thu, Oct 02, 2008, Michael S. Zick wrote:

    >
    > 1.1.0 does not build shared. Build static or wait for 1.2.0


    Windows is an exception, it can be build shared in the 1.1.2 module.

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. Re: FIPS fail

    On Fri, Oct 10, 2008, joshi chandran wrote:

    > Hi All,
    >
    > Can any body give me small program which set in fips mode and uses non fips
    > algorithm ,hence fails while running .
    >


    Well the standard OpenSSL utility will do that e.g.

    OPENSSL_FIPS=1 openssl md5 somefile

    Steve.
    --
    Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
    OpenSSL project core developer and freelance consultant.
    Homepage: http://www.drh-consultancy.demon.co.uk
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


+ Reply to Thread