Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-12 Thread Matthew Heimlich
I recompiled with dynamic libraries and after linking to them the program runs 
without issue. I'll keep trying to hunt down the issues with the static libs. 
Thanks for the help.

Thanks,

Matt Heimlich
Linux Security Engineer
SteelCloud LLC
703.999.4346


From: openssl-users on behalf of Dr. Stephen Henson
Sent: Tuesday, October 11, 2016 10:35 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Building an application with OpenSSL and FIPS support.

On Mon, Oct 10, 2016, Matthew Heimlich wrote:

> $openssl version
>
> returns:
>
> OpenSSL 1.0.2j-fips
>
> My FIPS module version is openssl-fips-2.0.13
>
> $OPENSSL_FIPS=1 openssl md5 /dev/null
>
> returns:
>
> Error setting digest md5
> 140066569107136:error:060A80A3:digital envelope 
> routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
>
> $OPENSSL_FIPS=1 openssl sha1 /dev/null
>
> returns:
>
> SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709
>
> So that appears to be working correctly.
>

Can you give more details of the steps you are using to link your application?

If you're linking to the OpenSSL shared libraries then you don't need to use
fipsld at all. I'd suggest you try that as a first step and see if your
application works.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-11 Thread Dr. Stephen Henson
On Mon, Oct 10, 2016, Matthew Heimlich wrote:

> $openssl version
> 
> returns:
> 
> OpenSSL 1.0.2j-fips
> 
> My FIPS module version is openssl-fips-2.0.13
> 
> $OPENSSL_FIPS=1 openssl md5 /dev/null
> 
> returns:
> 
> Error setting digest md5
> 140066569107136:error:060A80A3:digital envelope 
> routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
> 
> $OPENSSL_FIPS=1 openssl sha1 /dev/null
> 
> returns:
> 
> SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709
> 
> So that appears to be working correctly.
> 

Can you give more details of the steps you are using to link your application?

If you're linking to the OpenSSL shared libraries then you don't need to use
fipsld at all. I'd suggest you try that as a first step and see if your
application works.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-10 Thread Matthew Heimlich
$openssl version

returns:

OpenSSL 1.0.2j-fips

My FIPS module version is openssl-fips-2.0.13

$OPENSSL_FIPS=1 openssl md5 /dev/null

returns:

Error setting digest md5
140066569107136:error:060A80A3:digital envelope 
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

$OPENSSL_FIPS=1 openssl sha1 /dev/null

returns:

SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709

So that appears to be working correctly.

Thanks,

Matt Heimlich


From: openssl-users on behalf of Dr. Stephen Henson
Sent: Monday, October 10, 2016 8:44 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Building an application with OpenSSL and FIPS support.

On Fri, Oct 07, 2016, Matthew Heimlich wrote:

> Which returns
>
>
> Attempting to set FIPS mode to 1...
> Last error was: 2d06b06f
> FIPS_mode_set failed: 2d06b06f
> FIPS mode is: 0
>
> So it would appear that my FIPS mode is never even being set, and walking 
> through the code would seem to confirm this. In addition, the error code 
> doesn't seem to be present in the FIPS documentation, but errstr informs me 
> that it is
>
>
> error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match 
> nonpic relocated
>
> Any tips on where to go from here?
>

Which versions of the FIPS module and OpenSSL are you using?

In the FIPS capable OpenSSL try this:

OPENSSL_FIPS=1 openssl md5 /dev/null
OPENSSL_FIPS=1 openssl sha1 /dev/null

Please give details of any errors you get.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-10 Thread Dr. Stephen Henson
On Fri, Oct 07, 2016, Matthew Heimlich wrote:

> Which returns
> 
> 
> Attempting to set FIPS mode to 1...
> Last error was: 2d06b06f
> FIPS_mode_set failed: 2d06b06f
> FIPS mode is: 0
> 
> So it would appear that my FIPS mode is never even being set, and walking 
> through the code would seem to confirm this. In addition, the error code 
> doesn't seem to be present in the FIPS documentation, but errstr informs me 
> that it is
> 
> 
> error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match 
> nonpic relocated
> 
> Any tips on where to go from here?
> 

Which versions of the FIPS module and OpenSSL are you using?

In the FIPS capable OpenSSL try this:

OPENSSL_FIPS=1 openssl md5 /dev/null
OPENSSL_FIPS=1 openssl sha1 /dev/null

Please give details of any errors you get.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
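
An added example, not part of the original thread: the two error lines quoted in these messages, decoded into their library, function and reason numbers using the OpenSSL 1.0.x packing (8-bit library, 12-bit function, 12-bit reason). The struct and function names are illustrative, and the sample lines are the thread's wrapped lines joined back together.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error lines from the thread, re-joined where the mail client wrapped them. */
static const char SAMPLE_FIPS[] =
    "error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:"
    "fingerprint does not match nonpic relocated";
static const char SAMPLE_MD5[] =
    "140066569107136:error:060A80A3:digital envelope routines:"
    "FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:";

/* Illustrative type: one decoded error-queue entry. */
struct ossl_err {
    unsigned long code;            /* packed 32-bit value, e.g. 0x2D06B06F */
    unsigned lib, func, reason;    /* numeric fields split out of code */
    char lib_name[64], func_name[64], reason_text[96];
};

/* Parse "[tid:]error:HEX:lib:func:reason[:file:line:]" as printed by errstr
 * and ERR_print_errors_fp(). Returns 0 on success, -1 on any other shape.
 * The split is the 1.0.x layout; OpenSSL 3.x packs error codes differently. */
int parse_err_line(const char *line, struct ossl_err *e)
{
    char hex[9];
    const char *p = strstr(line, "error:");

    memset(e, 0, sizeof(*e));
    if (p == NULL)
        return -1;
    if (sscanf(p, "error:%8[0-9A-Fa-f]:%63[^:]:%63[^:]:%95[^:\n]",
               hex, e->lib_name, e->func_name, e->reason_text) != 4)
        return -1;
    if (strlen(hex) != 8)
        return -1;
    e->code = strtoul(hex, NULL, 16);
    e->lib = (unsigned)(e->code >> 24) & 0xff;     /* ERR_GET_LIB */
    e->func = (unsigned)(e->code >> 12) & 0xfff;   /* ERR_GET_FUNC */
    e->reason = (unsigned)e->code & 0xfff;         /* ERR_GET_REASON */
    return 0;
}

int main(void)
{
    const char *lines[] = { SAMPLE_FIPS, SAMPLE_MD5 };
    struct ossl_err e;
    for (int i = 0; i < 2; i++)
        if (parse_err_line(lines[i], &e) == 0)
            printf("%08lX lib=%u func=%u reason=%u (%s)\n",
                   e.code, e.lib, e.func, e.reason, e.reason_text);
    return 0;
}
```

Grouping failures by the numeric library and reason fields separates the two conditions in this thread: the module integrity check failing at FIPS_mode_set() time, and a non-approved digest being refused once FIPS mode is on.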


Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-07 Thread Matthew Heimlich
Running fails specifically on the line:


if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors();


Although I've added some additional debugging code at this point, including 
this function:


int Check_Enable_FIPS(void)
{
    int mode = FIPS_mode();
    int ret = 0;
    unsigned long err = 0;

    if(mode == 0)
    {
        ret = FIPS_mode_set(1 /* on */);
        printf("Attempting to set FIPS mode to 1...\n");
        err = ERR_peek_last_error();
        printf("Last error was: %lx\n", err);
        if(ret != 1)
        {
            err = ERR_get_error();
        }
    } else {
        ret = FIPS_mode_set(0 /* off */);
        if(ret != 1)
        {
            err = ERR_get_error();
        }
    }

    if(ret != 1)
    {
        printf("FIPS_mode_set failed: %lx\n", err);
    }

    printf("FIPS mode is: %d\n", FIPS_mode());

    /* Return the FIPS_mode_set() result; the function is declared int */
    return ret;
}

Which returns


Attempting to set FIPS mode to 1...
Last error was: 2d06b06f
FIPS_mode_set failed: 2d06b06f
FIPS mode is: 0


So it would appear that my FIPS mode is never even being set, and walking 
through the code would seem to confirm this. In addition, the error code 
doesn't seem to be present in the FIPS documentation, but errstr informs me 
that it is


error:2D06B06F:FIPS routines:DSA_BUILTIN_PARAMGEN2:fingerprint does not match 
nonpic relocated



Any tips on where to go from here?

Thanks,

Matt Heimlich

From: openssl-users on behalf of Ethan Rahn
Sent: Friday, October 7, 2016 4:01 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Building an application with OpenSSL and FIPS support.

Matt,

What part of the selftest fails? Can you step through it with a debugger?

Cheers,

Ethan

On Fri, Oct 7, 2016 at 10:56 AM, Matthew Heimlich wrote:

I'm on RHEL7. I've got a very simple encryption/decryption program that works 
fine without FIPS support enabled, but fails when it is:

#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <string.h>

void handleErrors(void)
{
  ERR_print_errors_fp(stderr);
  abort();
}

int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
unsigned char *iv, unsigned char *ciphertext)
{
  EVP_CIPHER_CTX *ctx;

  int len;

  int ciphertext_len;

  /* Create and initialise the context */
  if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();

  /* Initialise the encryption operation. IMPORTANT - ensure you use a key
   * and IV size appropriate for your cipher
   * In this example we are using 256 bit AES (i.e. a 256 bit key). The
   * IV size for *most* modes is the same as the block size. For AES this
   * is 128 bits */
  if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
    handleErrors();

  /* Provide the message to be encrypted, and obtain the encrypted output.
   * EVP_EncryptUpdate can be called multiple times if necessary
   */
  if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
    handleErrors();
  ciphertext_len = len;

  /* Finalise the encryption. Further ciphertext bytes may be written at
   * this stage.
   */
  if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors();
  ciphertext_len += len;

  /* Clean up */
  EVP_CIPHER_CTX_free(ctx);

  return ciphertext_len;
}

int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
  unsigned char *iv, unsigned char *plaintext)
{
  EVP_CIPHER_CTX *ctx;

  int len;

  int plaintext_len;

  /* Create and initialise the context */
  if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();

  /* Initialise the decryption operation. IMPORTANT - ensure you use a key
   * and IV size appropriate for your cipher
   * In this example we are using 256 bit AES (i.e. a 256 bit key). The
   * IV size for *most* modes is the same as the block size. For AES this
   * is 128 bits */
  if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
    handleErrors();

  /* Provide the message to be decrypted, and obtain the plaintext output.
   * EVP_DecryptUpdate can be called multiple times if necessary
   */
  if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
    handleErrors();
  plaintext_len = len;

  /* Finalise the decryption. Further plaintext bytes may be written at
   * this stage.
   */
  if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors();
  plaintext_len += len;

  /* Clean up */
  EVP_CIPHER_CTX_free(ctx);

  return plaintext_len;
}

int main (void)
{
  /* Force FIPS initialization */
  FIPS_mode_set(1);
  /* Set up the key and iv. Do I need to say to not hard code these in a
   * real application? :-)
   */

  /* A 256 bit key */
  unsigned char *key = (unsigned char *)"01234567890123456789012345678901";

  /* A 128 bit IV */
  unsigned char *iv = (unsigned char *)"01234567890123456";

  /* Message to be encrypted */
  unsigned char *plaintext =
(unsigned char *)"The quick 

Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-07 Thread Ethan Rahn
Matt,

What part of the selftest fails? Can you step through it with a debugger?

Cheers,

Ethan

On Fri, Oct 7, 2016 at 10:56 AM, Matthew Heimlich wrote:

> I'm on RHEL7. I've got a very simple encryption/decryption program that
> works fine without FIPS support enabled, but fails when it is:
>
> #include <openssl/conf.h>
> #include <openssl/evp.h>
> #include <openssl/err.h>
> #include <string.h>
>
> void handleErrors(void)
> {
>   ERR_print_errors_fp(stderr);
>   abort();
> }
>
> int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
>   unsigned char *iv, unsigned char *ciphertext)
> {
>   EVP_CIPHER_CTX *ctx;
>
>   int len;
>
>   int ciphertext_len;
>
>   /* Create and initialise the context */
>   if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
>
>   /* Initialise the encryption operation. IMPORTANT - ensure you use a key
>    * and IV size appropriate for your cipher
>    * In this example we are using 256 bit AES (i.e. a 256 bit key). The
>    * IV size for *most* modes is the same as the block size. For AES this
>    * is 128 bits */
>   if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
>     handleErrors();
>
>   /* Provide the message to be encrypted, and obtain the encrypted output.
>    * EVP_EncryptUpdate can be called multiple times if necessary
>    */
>   if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
>     handleErrors();
>   ciphertext_len = len;
>
>   /* Finalise the encryption. Further ciphertext bytes may be written at
>    * this stage.
>    */
>   if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors();
>   ciphertext_len += len;
>
>   /* Clean up */
>   EVP_CIPHER_CTX_free(ctx);
>
>   return ciphertext_len;
> }
>
> int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
>   unsigned char *iv, unsigned char *plaintext)
> {
>   EVP_CIPHER_CTX *ctx;
>
>   int len;
>
>   int plaintext_len;
>
>   /* Create and initialise the context */
>   if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();
>
>   /* Initialise the decryption operation. IMPORTANT - ensure you use a key
>    * and IV size appropriate for your cipher
>    * In this example we are using 256 bit AES (i.e. a 256 bit key). The
>    * IV size for *most* modes is the same as the block size. For AES this
>    * is 128 bits */
>   if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
>     handleErrors();
>
>   /* Provide the message to be decrypted, and obtain the plaintext output.
>    * EVP_DecryptUpdate can be called multiple times if necessary
>    */
>   if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
>     handleErrors();
>   plaintext_len = len;
>
>   /* Finalise the decryption. Further plaintext bytes may be written at
>    * this stage.
>    */
>   if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors();
>   plaintext_len += len;
>
>   /* Clean up */
>   EVP_CIPHER_CTX_free(ctx);
>
>   return plaintext_len;
> }
>
> int main (void)
> {
>   /* Force FIPS initialization */
>   FIPS_mode_set(1);
>   /* Set up the key and iv. Do I need to say to not hard code these in a
>    * real application? :-)
>    */
>
>   /* A 256 bit key */
>   unsigned char *key = (unsigned char *)"01234567890123456789012345678901";
>
>   /* A 128 bit IV */
>   unsigned char *iv = (unsigned char *)"01234567890123456";
>
>   /* Message to be encrypted */
>   unsigned char *plaintext =
>     (unsigned char *)"The quick brown fox jumps over the lazy dog";
>
>   /* Buffer for ciphertext. Ensure the buffer is long enough for the
>    * ciphertext which may be longer than the plaintext, dependent on the
>    * algorithm and mode
>    */
>   unsigned char ciphertext[128];
>
>   /* Buffer for the decrypted text */
>   unsigned char decryptedtext[128];
>
>   int decryptedtext_len, ciphertext_len;
>
>   /* Initialise the library */
>   ERR_load_crypto_strings();
>   OpenSSL_add_all_algorithms();
>   OPENSSL_config(NULL);
>
>   /* Encrypt the plaintext */
>   ciphertext_len = encrypt (plaintext, strlen ((char *)plaintext), key, iv,
> ciphertext);
>
>   /* Do something useful with the ciphertext here */
>   printf("Ciphertext is:\n");
>   BIO_dump_fp (stdout, (const char *)ciphertext, ciphertext_len);
>
>   /* Decrypt the ciphertext */
>   decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv,
> decryptedtext);
>
>   /* Add a NULL terminator. We are expecting printable text */
>   decryptedtext[decryptedtext_len] = '\0';
>
>   /* Show the decrypted text */
>   printf("Decrypted text is:\n");
>   printf("%s\n", decryptedtext);
>
>   /* Clean up */
>   EVP_cleanup();
>   ERR_free_strings();
>
>   return 0;
> }
>
> As you can see, just the demo code with FIPS enabled. Without FIPS, my
> output is:
>
> Ciphertext is:
>  - e0 6f 63 a7 11 e8 b7 aa-9f 94 40 10 7d 46 80 a1   .oc...@.}F..
> 0010 - 17 99 43 80 ea 31 d2 a2-99 b9 53 02 d4 39 b9 70   ..C..1S..9.p
> 0020 - 2c