FIPS_mode_set(1) error:00000000:lib(0):func(0):reason(0)

Question

I'm trying to enable FIPS mode with this code:

#include <openssl/crypto.h>
#include <openssl/err.h>
#include <stdio.h>

int main ( int argc, char *argv[] )
{
#ifdef OPENSSL_FIPS 
    int mode, result;

    // Get FIPS mode
    if(strcmp("get",argv[1]) == 0)
    {
        mode = FIPS_mode();
        if(mode == 0)
        {
            printf("*** FIPS module is disabled. ***\n");
        }
        if(mode == 1)
        {
            printf("*** FIPS module is enabled. ***\n");
        }
    }

    // Set FIPS mode
    else if(strcmp("set",argv[1]) == 0)
    {
        if(strcmp("0",argv[2]) == 0)
        {
            printf("*** Disabling FIPS module. ***\n");
            result = FIPS_mode_set(0);
            if(result != 1)
            {
                ERR_load_crypto_strings();
                printf("*** Failed to disable FIPS module. ***\n"); 
                printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
                return 1;
            }
        }
        else if (strcmp("1",argv[2]) == 0)
        {
            printf("*** Enabling FIPS module. ***\n");
            result = FIPS_mode_set(1);  
            if(result != 1)
            {
                ERR_load_crypto_strings();
                printf("*** Failed to enable FIPS module. ***\n");  
                printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
                return 1;
            }   
        }
        else
        {
            printf("*** Error: unsupported option. ***\n");
            return 1;
        }
    }

    // Unsupported option
    else
    {
        printf("*** Error: unsupported option. ***\n");
        return 1;
    }

    return 0;

#else 
        printf("OPENSSL_FIPS is not defined"); 

#endif //OPENSSL_FIPS 
}

And with this Makefile:

CC=gcc
OPENSSLDIR=/usr/local/ssl
LIBS=$(OPENSSLDIR)/lib/libcrypto.a $(OPENSSLDIR)/lib/libssl.a -ldl 
INCLUDES=-I$(OPENSSLDIR)/include
CMD=fipsctl

OBJS=$(CMD).o

$(CMD): $(OBJS)
    FIPSLD_CC=$(CC) $(OPENSSLDIR)/bin/fipsld -o $(CMD) $(OBJS) -ldl \
    $(LIBS)

$(OBJS): $(CMD).c
    $(CC) -c $(CMD).c $(INCLUDES)

clean:
    rm -Rf *.o $(CMD)

It compiles without errors. When I try to enable FIPS mode, I get this output:

arm:~/nitere/new$ ./fipsctl set 1
*** Enabling FIPS module. ***
*** Failed to enable FIPS module. ***
error:00000000:lib(0):func(0):reason(0)

But FIPS is still disabled:

arm:~/nitere/new$ ./fipsctl get
*** FIPS module is disabled. ***

Does somebody knows what is wrong?

Any tip will be very helpful,

Thanks.

Note that successfully setting _FIPS_ mode only affects the program that calls the `FIPS_mode_set` func (till the program ends, or another call is made), so it's not global/persistent. Also, i see that your _FIPS_ capable _OpenSSL_ libs are static: for that you need to follow the [instructions](https://www.openssl.org/docs/fips/UserGuide-2.0.pdf)(_Chapter 5.3 - Generate Application Executable Object_), or it would be better to build the shared version. What does `OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 /usr/local/ssl/bin/openssl` output? — CristiFati, Sep 14 '16 at 09:59

FIPS_mode_set(1) error:00000000:lib(0):func(0):reason(0)

0 Answers0