FIPS_mode_set reports incorrect error message
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openssl (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
Hi! Some integration tests we run attempt to enable FIPS mode in OpenSSL, and assert that either our software continues to work, or that the error message emitted by OpenSSL is related to missing the FIPS module.
On Ubuntu 14.10, running FIPS_mode_set fails and produces an error like:
140225357260448
On Ubuntu 16.04 running OpenSSL/libssl1.0.0 version 1.0.2g-1ubuntu4.1, FIPS_mode_set fails, but does not produce an error message.
I have attached a C file which, when executed on both these platforms, will demonstrate this behavior.
I believe this may have been introduced by this ticket: https:/
It provides a patch called openssl-
+@@ -443,6 +430,7 @@ int FIPS_module_
+ fips_selftest_fail = 0;
+ ret = 1;
+ end:
++ ERR_clear_error(); /* clear above err msg; fips mode disabled for now */
+ fips_clear_
+ fips_w_unlock();
+ return ret;
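Review bot: the added `ERR_clear_error()` sits directly after the `end:` label, which is reached both by the success path (`ret = 1;` falling through) and by any earlier `goto end` failure path, so a caller that gets `ret == 0` from `FIPS_module_mode_set()` finds an empty error queue and cannot tell why the call failed. Clear only on success, e.g. `if (ret) ERR_clear_error();`, or leave the queue untouched and let the caller decide; the comment "fips mode disabled for now" also reads as a temporary measure, so say when it is meant to be removed.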
This appears to be clearing the error messages we're asserting on before returning from FIPS_module_
For reference, here is our ticket where we are tracking this issue: https:/
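The control flow the quoted hunk shows, as an added example that is neither the reporter's attached C file nor OpenSSL code: a constructed four-slot error queue and a model of FIPS_module_mode_set() demonstrate that clearing at the shared `end:` label empties the queue on the failure path too, and how a test can separate a silent failure from one that leaves a FIPS-related message. The names `model_fips_mode_set`, `check_fips`, the queue helpers and the message text are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed four-slot FIFO standing in for the OpenSSL error queue. */
#define QUEUE_LEN 4
static const char *err_queue[QUEUE_LEN];
static int err_head, err_tail;

static void err_put(const char *msg) { if (err_tail < QUEUE_LEN) err_queue[err_tail++] = msg; }
static const char *err_get(void) { return err_head < err_tail ? err_queue[err_head++] : NULL; }
static void err_clear(void) { err_head = err_tail = 0; }

/* Model of FIPS_module_mode_set(): with no FIPS module it records an error and
 * jumps to end:. clear_at_end != 0 reproduces the quoted hunk, where
 * ERR_clear_error() follows the end: label and therefore runs on every path;
 * clear_at_end == 0 clears only when the call actually succeeded (ret == 1). */
static int model_fips_mode_set(int onoff, int have_module, int clear_at_end)
{
    int ret = 0;
    if (onoff && !have_module) {
        err_put("fips mode not supported");   /* constructed message text */
        goto end;
    }
    ret = 1;
end:
    if (clear_at_end || ret)
        err_clear();
    return ret;
}

/* Classification the reporter's integration test needs: FIPS enabled, failed
 * with a FIPS-related message in the queue, failed with some other message,
 * or failed with an empty queue (the behaviour this bug is about). */
enum fips_outcome { FIPS_ENABLED, FIPS_FAILED_FIPS_ERROR, FIPS_FAILED_OTHER_ERROR, FIPS_FAILED_SILENT };

static enum fips_outcome check_fips(int have_module, int clear_at_end)
{
    const char *msg;
    err_clear();                                   /* start from a clean queue */
    if (model_fips_mode_set(1, have_module, clear_at_end))
        return FIPS_ENABLED;
    msg = err_get();
    if (msg == NULL)
        return FIPS_FAILED_SILENT;                 /* no diagnostic left for the caller */
    return strstr(msg, "fips") ? FIPS_FAILED_FIPS_ERROR : FIPS_FAILED_OTHER_ERROR;
}

int main(void)
{
    printf("patched build, no module: outcome %d (3 = silent failure)\n", check_fips(0, 1));
    printf("clear-on-success only:    outcome %d (1 = error retained)\n", check_fips(0, 0));
    return 0;
}
```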
tags: added: verification-done; removed: verification-needed
I purposely cleared this error message from the queue so that no one would be distracted or thwarted by the addition of the fips code while it is a work in progress and not complete. FIPS_module_mode_set() at this point will always fail and return an error code.
But yes, I see in your test program that you also want to print the error message if you get an error code.