Re: Goodbye
I see a lot of slippery slope fallacy in this thread. A small verbiage change that hurts almost no one but increases inclusivity in an open source project shouldn't be controversial to anyone but those who have an ax to grind. On Fri, Jul 3, 2020, 8:51 AM Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > >- topic: Change some words by accepting PR#12089 > > >- > > >- 4 against, 3 for, no absensions > > > > I am at a loss for words. > > > > I can’t contribute to a project that feels this way. The OMC (list at > [1], a picture of some of them at [2] although it includes non-OMC members) > is, in my view, on the wrong side of history. I hope that in time, the four > men who voted against it will develop more – what, empathy? – and that > sometime in the future this PR [3], or similar, will be merged. Until > then, I will do what I have to in order to insure that Akamai’s needs for > FIPS are met and once 3.0 is released, I will be fully applying my modest > talents elsewhere. > > > > I have closed all non-FIPS PR’s, and as soon as I see this message in my > inbox, I will unsubscribe from this list. I can be reached as rsalz at > akamai.com. > > > > [1] https://www.openssl.org/community/omc.html > > [2] https://www.openssl.org/blog/blog/2019/05/23/f2f-committers-day/ > > [3] https://github.com/openssl/openssl/pull/12089 > > >
Re: [openssl-users] Building an application with OpenSSL and FIPS support.
I recompiled with dynamic libraries and after linking to them the program runs without issue. I'll keep trying to hunt down the issues with the static libs. Thanks for the help. Thanks, Matt Heimlich Linux Security Engineer SteelCloud LLC 703.999.4346 From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Dr. Stephen Henson <st...@openssl.org> Sent: Tuesday, October 11, 2016 10:35 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Building an application with OpenSSL and FIPSsupport. On Mon, Oct 10, 2016, Matthew Heimlich wrote: > $openssl version > > returns: > > OpenSSL 1.0.2j-fips > > My FIPS module version is openssl-fips-2.0.13 > > $OPENSSL_FIPS=1 openssl md5 /dev/null > > returns: > > Error setting digest md5 > 140066569107136:error:060A80A3:digital envelope > routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: > > $OPENSSL_FIPS=1 openssl sha1 /dev/null > > returns: > > SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709 > > Do that appears to be working correctly. > Can you give more details of the steps you are using to link your application? If you're linking to the OpenSSL shared libraries then you don't need to use fipsld at all. I'd suggest you try that as a first step and see if your application works. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building an application with OpenSSL and FIPS support.
$openssl version returns: OpenSSL 1.0.2j-fips My FIPS module version is openssl-fips-2.0.13 $OPENSSL_FIPS=1 openssl md5 /dev/null returns: Error setting digest md5 140066569107136:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: $OPENSSL_FIPS=1 openssl sha1 /dev/null returns: SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709 Do that appears to be working correctly. Thanks, Matt Heimlich From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Dr. Stephen Henson <st...@openssl.org> Sent: Monday, October 10, 2016 8:44 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Building an application with OpenSSL and FIPS support. On Fri, Oct 07, 2016, Matthew Heimlich wrote: > Which returns > > > Attempting to set FIPS mode to 1... > Last error was: 2d06b06f > FIPS_mode_set failed: 2d06b06f > FIPS mode is: 0??? > > So it would appear that my FIPS mode is never even being set, and walking > through the code would seem to confirm this. In addition, the error code > doesn't seem to be present in the FIPS documentation, but errstr informs me > that it is > > > error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match > nonpic relocated??? > > Any tips on where to go from here? > Which versions of the FIPS module and OpenSSL are you using? In the FIPS capable OpenSSL try this: OPENSSL_FIPS=1 openssl md5 /dev/null OPENSSL_FIPS=1 openssl sha1 /dev/null Please give details of any errors you get. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building an application with OpenSSL and FIPS support.
Running fails specifically on the line:
if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, )) handleErrors();
Although I've added some additional debugging code at this point, including
this function:
int Check_Enable_FIPS(void)
{
int mode = FIPS_mode();
int ret = 0;
unsigned long err = 0;
if(mode == 0)
{
ret = FIPS_mode_set(1 /* on */);
printf("Attempting to set FIPS mode to 1...\n");
err = ERR_peek_last_error();
printf("Last error was: %lx\n", err);
if(ret != 1)
{
err = ERR_get_error();
}
} else {
ret = FIPS_mode_set(0 /* off */);
if(ret != 1)
{
err = ERR_get_error();
}
}
if(ret != 1)
{
printf("FIPS_mode_set failed: %lx\n", err);
}
printf("FIPS mode is: %d\n", FIPS_mode());
}
Which returns
Attempting to set FIPS mode to 1...
Last error was: 2d06b06f
FIPS_mode_set failed: 2d06b06f
FIPS mode is: 0
So it would appear that my FIPS mode is never even being set, and walking
through the code would seem to confirm this. In addition, the error code
doesn't seem to be present in the FIPS documentation, but errstr informs me
that it is
error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match
nonpic relocated
Any tips on where to go from here?
Thanks,
Matt Heimlich
From: openssl-users <openssl-users-boun...@openssl.org> on behalf of Ethan Rahn
<ethan.r...@gmail.com>
Sent: Friday, October 7, 2016 4:01 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Building an application with OpenSSL and FIPS
support.
Matt,
What part of the selftest fails? Can you step through it with a debugger?
Cheers,
Ethan
On Fri, Oct 7, 2016 at 10:56 AM, Matthew Heimlich
<mheiml...@steelcloud.com<mailto:mheiml...@steelcloud.com>> wrote:
I'm on RHEL7. I've got a very simple encryption/decryption program that works
fine without FIPS support enabled, but fails when it is:
#include
#include
#include
#include
void handleErrors(void)
{
ERR_print_errors_fp(stderr);
abort();
}
int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
unsigned char *iv, unsigned char *ciphertext)
{
EVP_CIPHER_CTX *ctx;
int len;
int ciphertext_len;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
/* Initialise the encryption operation. IMPORTANT - ensure you use a key
* and IV size appropriate for your cipher
* In this example we are using 256 bit AES (i.e. a 256 bit key). The
* IV size for *most* modes is the same as the block size. For AES this
* is 128 bits */
if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
handleErrors();
/* Provide the message to be encrypted, and obtain the encrypted output.
* EVP_EncryptUpdate can be called multiple times if necessary
*/
if(1 != EVP_EncryptUpdate(ctx, ciphertext, , plaintext, plaintext_len))
handleErrors();
ciphertext_len = len;
/* Finalise the encryption. Further ciphertext bytes may be written at
* this stage.
*/
if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, )) handleErrors();
ciphertext_len += len;
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return ciphertext_len;
}
int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
unsigned char *iv, unsigned char *plaintext)
{
EVP_CIPHER_CTX *ctx;
int len;
int plaintext_len;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
/* Initialise the decryption operation. IMPORTANT - ensure you use a key
* and IV size appropriate for your cipher
* In this example we are using 256 bit AES (i.e. a 256 bit key). The
* IV size for *most* modes is the same as the block size. For AES this
* is 128 bits */
if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
handleErrors();
/* Provide the message to be decrypted, and obtain the plaintext output.
* EVP_DecryptUpdate can be called multiple times if necessary
*/
if(1 != EVP_DecryptUpdate(ctx, plaintext, , ciphertext, ciphertext_len))
handleErrors();
plaintext_len = len;
/* Finalise the decryption. Further plaintext bytes may be written at
* this stage.
*/
if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, )) handleErrors();
plaintext_len += len;
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return plaintext_len;
}
int main (void)
{
/* Force FIPS initialization */
FIPS_mode_set(1);
/* Set up the key and iv. Do I need to say to not hard code these in a
* real application? :-)
*/
/* A 256 bit key */
unsigned char *key = (unsigned char *)"01234567890123456789012345678901";
/* A 128 bit IV */
unsigned char *iv = (unsigned char *)"01234567890123456";
/* Message to be e
[openssl-users] Building an application with OpenSSL and FIPS support.
I'm on RHEL7. I've got a very simple encryption/decryption program that works
fine without FIPS support enabled, but fails when it is:
#include
#include
#include
#include
void handleErrors(void)
{
ERR_print_errors_fp(stderr);
abort();
}
int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
unsigned char *iv, unsigned char *ciphertext)
{
EVP_CIPHER_CTX *ctx;
int len;
int ciphertext_len;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
/* Initialise the encryption operation. IMPORTANT - ensure you use a key
* and IV size appropriate for your cipher
* In this example we are using 256 bit AES (i.e. a 256 bit key). The
* IV size for *most* modes is the same as the block size. For AES this
* is 128 bits */
if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
handleErrors();
/* Provide the message to be encrypted, and obtain the encrypted output.
* EVP_EncryptUpdate can be called multiple times if necessary
*/
if(1 != EVP_EncryptUpdate(ctx, ciphertext, , plaintext, plaintext_len))
handleErrors();
ciphertext_len = len;
/* Finalise the encryption. Further ciphertext bytes may be written at
* this stage.
*/
if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, )) handleErrors();
ciphertext_len += len;
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return ciphertext_len;
}
int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
unsigned char *iv, unsigned char *plaintext)
{
EVP_CIPHER_CTX *ctx;
int len;
int plaintext_len;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
/* Initialise the decryption operation. IMPORTANT - ensure you use a key
* and IV size appropriate for your cipher
* In this example we are using 256 bit AES (i.e. a 256 bit key). The
* IV size for *most* modes is the same as the block size. For AES this
* is 128 bits */
if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
handleErrors();
/* Provide the message to be decrypted, and obtain the plaintext output.
* EVP_DecryptUpdate can be called multiple times if necessary
*/
if(1 != EVP_DecryptUpdate(ctx, plaintext, , ciphertext, ciphertext_len))
handleErrors();
plaintext_len = len;
/* Finalise the decryption. Further plaintext bytes may be written at
* this stage.
*/
if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, )) handleErrors();
plaintext_len += len;
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return plaintext_len;
}
int main (void)
{
/* Force FIPS initialization */
FIPS_mode_set(1);
/* Set up the key and iv. Do I need to say to not hard code these in a
* real application? :-)
*/
/* A 256 bit key */
unsigned char *key = (unsigned char *)"01234567890123456789012345678901";
/* A 128 bit IV */
unsigned char *iv = (unsigned char *)"01234567890123456";
/* Message to be encrypted */
unsigned char *plaintext =
(unsigned char *)"The quick brown fox jumps over the lazy dog";
/* Buffer for ciphertext. Ensure the buffer is long enough for the
* ciphertext which may be longer than the plaintext, dependant on the
* algorithm and mode
*/
unsigned char ciphertext[128];
/* Buffer for the decrypted text */
unsigned char decryptedtext[128];
int decryptedtext_len, ciphertext_len;
/* Initialise the library */
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
OPENSSL_config(NULL);
/* Encrypt the plaintext */
ciphertext_len = encrypt (plaintext, strlen ((char *)plaintext), key, iv,
ciphertext);
/* Do something useful with the ciphertext here */
printf("Ciphertext is:\n");
BIO_dump_fp (stdout, (const char *)ciphertext, ciphertext_len);
/* Decrypt the ciphertext */
decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv,
decryptedtext);
/* Add a NULL terminator. We are expecting printable text */
decryptedtext[decryptedtext_len] = '\0';
/* Show the decrypted text */
printf("Decrypted text is:\n");
printf("%s\n", decryptedtext);
/* Clean up */
EVP_cleanup();
ERR_free_strings();
return 0;
}
As you can see, just the demo code with FIPS enabled. Without FIPS, my output
is:
Ciphertext is:
- e0 6f 63 a7 11 e8 b7 aa-9f 94 40 10 7d 46 80 a1 .oc...@.}F..
0010 - 17 99 43 80 ea 31 d2 a2-99 b9 53 02 d4 39 b9 70 ..C..1S..9.p
0020 - 2c 8e 65 a9 92 36 ec 92-07 04 91 5c f1 a9 8a 44 ,.e..6.\...D
Decrypted text is:
The quick brown fox jumps over the lazy dog
With FIPS, compilation goes fine, but generates the following when run:
139686960322208:error:2D0A0086:FIPS routines:FIPS_cipher:selftest
failed:fips_enc.c:336:
139686960322208:error:2D0A0086:FIPS routines:FIPS_cipher:selftest
failed:fips_enc.c:336:
I've tried both as a C project, and as a C++ project, pointing the CC env
variable
