[openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?
Hello,

We are using FOM 2.0.9 for an embedded product that will go for FIPS validation. Validation of the full product, that is. All development so far is with 2.0.9.

What would be the reasons, if any, to update to 2.0.12 before going to the lab ?

Thanks - comments much appreciated.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: using libcrypto.so ?
Thanks for the explanation.

> Just link against the library produced by the FIPS capable
> OpenSSL build. If, for some reason, that only produced
> libcrypto.a, then you need to investigate why — perhaps you
> passed "no-shared" when running the config script?

The confusion came from trying to use methods such as FIPS_evp_sha1, FIPS_evp_sha224, FIPS_evp_sha256. As Steve replied yesterday, these should not be used (is there any case in which they would ?) as the EVP_sha* methods will automatically use the FIPS enabled ones when FIPS mode is active.

For instance, doing an 'objdump -T' on libcrypto.so.1.0.0 will show some FIPS* methods, but not the sha* ones. Which now I see is a normal thing since they are not to be used.

Thanks.

--
View this message in context: http://openssl.6102.n7.nabble.com/FIPS-using-libcrypto-so-tp67694p67705.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
[openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?
In FIPS mode, is there a need to use the FIPS_* methods instead of the regular ones once FIPS_mode_set(1) was successfully executed ? For instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1() ? Wouldn't the FIPS version of EVP_sha1() be used automatically when in FIPS mode ?

Thanks.
[openssl-users] FIPS: using libcrypto.so ?
The current FIPS User Guide mentions:

    "3.3 Creation of Shared Libraries

    The FIPS Object Module is not directly usable as a shared library, but it can be linked into an application that is a shared library. A "FIPS compatible" OpenSSL distribution will automatically incorporate an available FIPS Object Module into the libcrypto shared library when built using the fips option (see §4.2.3)."

Does the first sentence mean that there should be an intermediate, user created, .so that itself uses libcrypto.a ?

What does the second part mean ? The FOM will be included in the shared library (assuming the libcrypto.so file) ? If so, then why wouldn't it be available directly ?

A clarification in perhaps simpler terms over what seems to be an explanation in the User Guide would be much appreciated.

In practical terms, is it possible for an application to link against a libcrypto.so that provides all needed FIPS symbols ? If it's not, can you give an example overview in which an application already using OpenSSL (libcrypto.so) but now supporting FIPS, can still use libcrypto.so with full FIPS support ? Is the only answer to now have the application linked against libcrypto.a ?

Thanks !
[openssl-users] linker input file unused/linking not done gcc warning
Hello,

Is it normal to get a 'linker input file unused because linking not done' warning when compiling C code that uses OpenSSL in FIPS mode, hence using fipsld ? The object file is actually generated, as well as the executable, and it does execute in a meaningful manner.

The warning:

    [...]
    gcc: warning: /usr/include/openssl/: linker input file unused because linking not done
    FIPSLD_CC=gcc /usr/lib/ssl/fips-2.0/bin/fipsld -o fips_hmac-errCode fips_hmac-errCode.o /usr/lib/arm-linux-gnueabihf/libcrypto.a -ldl -lz

The simple Makefile:

    OPENSSLDIR = /usr/lib/ssl
    LIBCRYPTO  = /usr/lib/arm-linux-gnueabihf/libcrypto.a
    # A bare directory path is handed to gcc as an input file, which is exactly
    # what the warning above reports. An include directory must be given with -I,
    # and since the headers are included as <openssl/...>, the parent directory
    # is the one to add.
    INCLUDES   = -I/usr/include
    CMD        = fips_hmac-errCode
    OBJS       = $(CMD).o

    $(CMD): $(OBJS)
    	FIPSLD_CC=$(CC) $(OPENSSLDIR)/fips-2.0/bin/fipsld -o $(CMD) $(OBJS) $(LIBCRYPTO) -ldl -lz

    $(OBJS): $(CMD).c
    	$(CC) -c $(CMD).c $(INCLUDES)

    clean:
    	rm $(OBJS)

Thanks.
[openssl-users] FIPS: Simulating failure at run-time ?
Hello,

Is it possible to simulate FIPS failure at run-time, at any given time ? Or does OpenSSL have to start in failure simulation mode ?

Also, is failure simulation a standard part of a normal, non-debug, build ?

Thanks.
[openssl-users] FIPS canister 2.0.12 and 186-4
Hello,

Does 2.0.12 support 186-4 ? Specifically, does it support the RSA requirements ?

Thanks.
[openssl-users] FIPS 186-4 support ?
Hello,

Is there anything new regarding the prime number requirement handling for FIPS 186-4, as far as supporting it ? I asked some time ago. Just want to see if anything has changed, if there's anything planned.

- thanks !
[openssl-users] TLS 1.0 in FIPS mode ?
Hello,

Does OpenSSL allow TLS 1.0 when running in FIPS mode ?

Thanks.
[openssl-users] Difference in the methods for listing the FIPS ciphers
Hello,

Using 1.0.1e running FIPS module 2.0.9, the following two commands for querying the ciphers do not yield the same results. There are more ciphers declared in the 'string' version.

The 'environment variable' version:

    % OPENSSL_FIPS=1 openssl ciphers -v |

The 'string' version:

    % openssl ciphers -v 'FIPS'

In the 'string' version only:

Is the 'environment variable' usage broken ?

Thanks.
Re: [openssl-users] openSSL and SLOTH attack
> Does FIPS mode prevent use of MD5: Yes.
> Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
> algorithm): No.
> Does FIPS mode prevent the SSL/TLS handshake from using 96 bit
> truncated HMAC values: Probably not.
> Does FIPS mode prevent use of the insecurely designed
> 'tls-unique' feature: Probably not.

This is what I read so far, thanks for the confirmation.

1.01f though, will be good, will it, FIPS mode or not ?
Re: [openssl-users] openSSL and SLOTH attack
Does this mean that running 1.01e in FIPS mode is protected regarding this SLOTH attack ?
Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9
Is there any current solution to have RSA 186-4 in OpenSSL FIPS (now, even if this means an upgrade ?)

Thanks.
Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9
Sorry, I forgot:

What about the code itself, if we do not mind the validation ? Is the 185-4 RSA compatible code present in any OpenSSL/FIPS module ?
Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9
What would then be the permitting conditions to pursue a new validation ? If you don't mind me asking. I have read several notes you have on the subject and I agree that the whole thing is of Dedalus proportions. In a nutshell what would be these conditions ?

Thanks, much appreciated.
Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9
Fair enough (in this context). But what about the code itself, is it ready to be RSA 186-4 compliant ? And, if we go through a validation, can OpenSSL benefit from it ?
[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9
Hello,

I have read about the use of FIPS_rsa_x931_generate_key_ex() for 186-4 compliance. We are using OpenSSL 1.0.1e with the fips-2.0.9 module.

Would it make functional sense using those versions to patch RSA_generate_key_ex() (../crypto/rsa/rsa_gen.c) to have:

    #ifdef OPENSSL_FIPS
        if (FIPS_mode())
            return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
    #endif

Instead of using FIPS_rsa_generate_key_ex() (and also adding the prototype for FIPS_rsa_x931_generate_key_ex() earlier in rsa_gen.c)

Thanks.
[openssl-users] How to access a bug fix ?
Hello,

I would like to see the bug fix for RT3515 'Use 3DES in pkcs12 if built with no-rc2' although the openssl tree I got recently does not show it:

    % git status
    On branch master
    Your branch is up-to-date with 'origin/master'.
    % git show 92830dc1ca0bb2d12bf05a12ebb798709595fa5a
    fatal: bad object 92830dc1ca0bb2d12bf05a12ebb798709595fa5a

I tried with checking out a few branches:

    remotes/origin/OpenSSL-fips-2_0-stable
    remotes/origin/OpenSSL_1_0_1-stable
    remotes/origin/OpenSSL_1_0_2-stable

And still not shown.

Did that bug fix ever make it to the OpenSSL tree as such, or was it bundled in the 33,000+ lines commit 7e1b7485706c2b11091b5fa897fe496a2faa56cc ?

Alternatively, in which 1.0.1 version was this bug fix included ? I grepped the CHANGES file of some versions after 1.0.1e although these do not list the bug numbers.

Thanks.
[openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)
Hello,

There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to handle a certificate using a non-FIPS component.

I think I found the commit that fixes this, although it is part of a quite huge commit of 33,065 lines (7e1b7485706c2b11091b5fa897fe496a2faa56cc) done earlier this year. There is perhaps a simpler commit that fixes only this issue (92830dc1ca0bb2d12bf05a12ebb798709595fa5a) although I can't see the commit in the git tree I have fetched last week, even by branching to remotes/origin/OpenSSL_1_0_1-stable.

We are using 1.0.1.e. My question is, was bug RT3515 included in a later 1.0.1 release ? If so, which one ? (If you can also clear up why the patch is not seen... :)

Much appreciated, thanks.
Re: [openssl-users] Elliptic curves approved or recommended by government
In the NSA page referred above, the p-384 curves are specifically mentioned for DH. These would be the ones covered by the Suite B NSA license sub-licensed to OpenSSL, are they ?

Is it possible to build OpenSSL in FIPS in such a way that only these curves will be used ?

Regards.
[openssl-users] OpenSSL public repository, bug tracker ?
Sorry if this is answered elsewhere ...

Is the version control repository as well as the bug tracker of public read access ? Is it possible to find a specific commit in the OpenSSL repository that would hopefully fix a single discovered/reported bug ?

We have hit the 'FIPS_CIPHERINIT:disabled for fips' in the 1.0.1e version running in FIPS mode and would like to apply the code fix that hopefully fixes only that problem. Is it possible ?

Thanks.
[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e
In 1.0.1e the following is observed when using OpenSSL in FIPS mode:

    % OPENSSL_FIPS=1 openssl pkcs12 -export -in /tmp/ipsec.d/certs/192.168.11.1 -inkey /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out /tmp/ipsec.d/192.168.11.1.p12 -password pass:""
    3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
    3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
    3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
    3067167952:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
    3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:

In 'Re: PKCS12 keystore creation failing in fips mode' (May 29, 2013 9:15pm) the following is said:

    "That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in FIPS mode. Workaround: use the -descert option."

It is not possible for us to upgrade OpenSSL, but it would be possible to apply a patch. Does a patch exist that fixes this problem and if so, where can it be found ? I do not know how development is organized for OpenSSL (bug tracker, git ?)

Thanks !
[openssl-users] CAVP protocol testing - what does it really consist of ?
Hello,

Sorry if this is a bit beside OpenSSL per se, the idea behind this post is to perhaps have some information from the OpenSSL experience with FIPS validation. There was so much effort put into FIPS compliance that it would not be far-fetched to consider that there is also knowledge about what seems to be /protocol/ testing.

I would like to know what's involved in the CAVP testing of the SSH protocol. I browsed the NIST CAVP web site, browsed some documents, although I haven't found any satisfying, technically-oriented, document on what has to be done if say, I have an editor opened with the SSH source code. Not the fully gruesome details, but an overview of how such testing works.

Any comment appreciated !
Re: [openssl-users] CAVP protocol testing - what does it really consist of ?
> From: "Steve Marquess"
> Date: 10/21/15 14:18
> See Appendix B of the OpenSSL FIPS User Guide:
> https://openssl.org/docs/fips/UserGuide-2.0.pdf

Thanks.

> The specific algorithm tests have changed quite a bit since then
> (constant change is part of the fun), but the general concept is the
> same. The algorithm testing is the easiest part of FIPS 140-2 validations.

What would you consider being the difficult parts ?

> Note the CAVP only tests specific cryptographic algorithms, not
> cryptographic protocol suites like SSH (secsh). OpenSSH itself is just
> application code from the perspective of FIPS 140-2 and thus out of
> scope ...

It has to do with NDcPP 1.0 I think. Key agreement schemes and key derivation functions for several security-related communications protocols (SNMP, TLS, SSH, etc.) must now be tested as part of the algorithm test process.
Re: [openssl-users] Behaviour facing a broken OCSP responder
> From: "Salz, Rich"
> Date: 09/14/15 16:07
> Are you talking about the command-line?

Yes.

> It would be great if someone sent in a patch that standardized
> and documented exit codes, like 0 for got a "good"
> response, "1" for got a "bad" response, and 10 for got an
> unparseable response

Are these the only three error codes ?
[openssl-users] Behaviour facing a broken OCSP responder
Hello,

The documentation does not seem too clear about what the behaviour exactly is when OpenSSL deals with a broken OCSP responder. For instance, one that would send an OK without any contents.

We call openssl from an application and would like to know what is returned in such a case, or in the case of any broken responder.

Thanks.
Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Thanks for your comments - much appreciated.

What is exactly the poodle patch and how does it come into providing some form of protection against the BEAST attack ?
Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL 3.0 ?

Thanks.
Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
OK. So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the solution for the BEAST attack. Is there a solution while keeping TLS 1.0 and SSL v3.0 ?

Thanks.
[openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Hello,

Our Nessus version 6.4.1 is detecting a BEAST vulnerability against OpenSSL 1.0.1e. The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as 0x0800L and several tests are made for this value in the code. The CHANGES mentions though that this had some side effects, the option now being part of SSL_OP_ALL.

It would look like, from the scan, that the fragments are not enabled by default, could it be ?

Thanks.
Re: [openssl-users] New FIPS 140-2 SE Validation Approved
The validation is on the ARM platform using Linux 2.4. I am one of those 'unlucky' having to deal with FIPS so please pardon any silly questions.

Would this validation be limited to these two aspects ? And, is there any money-saving advantage at using an already validated OpenSSL when the whole unit (embedded device) will be going for validation ? Eg. will it save lab time if they know that the OpenSSL used is already validated ?

Regards.
Re: [openssl-users] SHA256() to EVP_* ?
Even a small convenience is still a convenience. And eventually they add up.

Thanks for the comments - it's appreciated.
[openssl-users] Porting to EVP methods: AES_set_encrypt_key()
Hello,

The context is migrating an application to use EVP only methods.

    AES_set_encrypt_key(...)
    AES_cfb128_encrypt(...)

The AES_cfb128_encrypt() is pretty clear to migrate to EVP_*, what about the AES_set_encrypt_key() ? I haven't found yet any correlation to the EVP methods, let alone an actual description of AES_set_encrypt_key() purpose. How is this translated to EVP ?

Thanks.
Re: [openssl-users] SHA256() to EVP_* ?
Thanks for the comments.

> If you are implementing HMAC, perhaps for PBKDF2 (which does that
> prehash-if-too-long), I hope you mean the code does...

Yes it does.

The man page (the one online from OpenSSL project - SHA256.html) gives a description using SHA1() which computes a message digest.

Being generally new to OpenSSL at that level, what is then the difference between using, say, SHA1() vs. using SHA1_Init, SHA1_Update and SHA1_Final ? Is it only that the latter allows for continuously add data until _Final is called ?
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
> SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and later*.
> A ciphersuite isn't defined once for SSLv3, and then again for TLS1.0, and
> again for TLS1.1 etc - its just defined once and is reused across multiple
> protocol versions.

Yes, this is what I basically understood. What was lacking then in my understanding, is that :

    % OPENSSL_FIPS=1 openssl ciphers -v

Will not output strictly according to FIPS. Maybe there's no easy way to do that when the definition of a cipher states otherwise.

Thanks.
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
> That refers to the minimum version of the ciphersuite: it doesn't imply that
> it will only be used in SSLv3 (which is disabled in FIPS mode).

Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphers show up ? If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead ?

Thanks.
[openssl-users] SHA256() to EVP_* ?
Hello,

What would be the equivalent of the SHA256() function in the EVP class of methods ? EVP_sha256() could be it, although from the short description in manual page it does not seemingly fit in, returning a EVP_MD which is, if not mistaken, a env_md_st structure.

The code I'm adapting to EVP has a first pass of shortening the key if too long:

    /* Change key if longer than 64 bytes */
    if (klen > HMAC_INT_LEN) {
        SHA256(key, klen, nkey);
        key = nkey;
        klen = SHA256_DIGEST_LENGTH;
    }

Before proceeding with the usual SHA256_Init(), SHA256_Update() (twice), and SHA256_Final. All of which I have tested with the corresponding EVP_* methods. For the use of SHA256() above, though, I'm puzzled regarding its EVP_* counterpart.

Suggestions, comments appreciated.

Regards.
[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
Hi,

...

Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)

https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0

Specifically:

    FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0
    FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

In this case, would it be possible to simply compile OpenSSL without support for SSL 3.0, while having FIPS mode taking care of the rest ? I do not remember the exact option now, although I'm almost sure there's a compile option to exclude SSL 3.0. Am I right and would that work ?

Regards.
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
Hello,

> In FIPS mode SSL 3.0 is not allowed: that has always been the case.

    % openssl version
    OpenSSL 1.0.1f 6 Jan 2014
    % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
    ECDHE-RSA-AES256-SHA    SSLv3
    ECDHE-ECDSA-AES256-SHA  SSLv3
    DHE-RSA-AES256-SHA      SSLv3
    DHE-DSS-AES256-SHA      SSLv3
    [snipped]

All of the others are TLSv1.2. Why is SSLv3.0 seen in FIPS mode on this install ?

> TLS 1.0 is currently permitted though.

As far as OpenSSL is concerned, will any action to remove TLSv1.0 only be taken when put into a FIPS frame, eg. the recent NDCPPv1.0 is not enough ground to make a change ?

Regards.
Re: [openssl-users] Delete a post to openssl-user mailing list
> What is the security risk?

Management ? :)
Re: [openssl-users] Delete a post to openssl-user mailing list
It can be indeed easy to find out about companies in Hartford, CT but, I still do not see any threat to any existing product. 'Having problems with OpenSSL' is not good enough.

In any case, when concerned, do like many people and use a pseudo from another mailing system. Employees will not gain promotion points anyways by having their real names in mailing lists.
Re: [openssl-users] FIPS mode restrictions and DES
> From: Steve Marquess marqu...@openssl.com
> Date: 04/14/15 09:31
> and note that of the 101 platforms (OEs) appearing there, most of those
> operating systems are neither CC certified nor have any other FIPS 140-2
> validated crypto. Keep in mind that at Level 1 the validation applies to
> the cryptographic module, not the calling application that uses that
> module nor the operating system that runs it.

I came across a Red Hat Security Policy document that clearly puts the XFRM out of the Security Policy domain. See section 1.1.2, page 8, in:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

This blurs the concept of FIPS validation. Looks more and more that the validation will only care about what is being declared as going for validation. In this case (policy might have changed since 2010) they simply say that no, we do not declare the crypto done via XFRM as part of the Security Policy. And the FIPS lab says, OK, fine. Hmmm

Regards.
Re: [openssl-users] FIPS mode restrictions and DES
Salz, Rich wrote

> As the old joke goes, if you have to ask, you can't afford it.

Well, exploration can be free.

I noticed that Strongswan uses a plug-in architecture for crypto that seemingly allows the use of OpenSSL instead of the kernel for crypto operations, for use under FIPS. Does anyone have an idea of the order of magnitude in performance loss this could be for IPSec, to use crypto from OpenSSL instead of the kernel ?

Regards.
Re: [openssl-users] FIPS mode restrictions and DES
Thanks for all the comments, they're much appreciated.

It is a Debian system, so there is no Red Hat FIPS validation (or SuSE which also has one I think) or validated components that can be used.

If I may, I'd like to ask about including the Linux kernel in the validation. Now, including glibc2 was a pretty bad idea, it cannot get better with the kernel. In this case, IPSec (libreswan) is using the kernel's crypto functions. So it seems there would be no way out of this one. Any insight on this matter ? - thanks.

Regards.
Re: [openssl-users] FIPS mode restrictions and DES
Thanks for the comments - much appreciated.

The following question might be on the naive side of things, but then I'm all new to this. Since crypt() in glibc2 supports SHA-256 and SHA-512 for passwords, and assuming that these two are FIPS compatible, what would be the (financial) overhead of having the crypto part of glibc2 go through validation ? It sounds very odd, not to mention very expensive, but I'm asking nevertheless, in case there is a possibility.

In other words, is the only practical and viable option regarding this to re-implement crypt() using EVP methods ? - thanks.

Regards.
[openssl-users] FIPS errors: finding causes for failure
Hello,

As part of development, still using the fips_hmac test code, this time on a target unit using 1.0.1e, the following errors are shown at the console:

3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:
3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:
3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:
3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:
3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:

What is the troubleshooting path from here ? Is it only by going to the appropriate code line ? In the first case, the FIPS_selftest_x931() is concerned, with the 171 line being:

FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED).

Which basically means that the actual test code has to be examined. There is documentation in the User Guide, section 6.3.1, although it does not seem to be practical to find out the cause of the failure. There are seemingly no log messages generated. Information that would give hints as to why a specific test could fail would be useful. In this case, there's mention of the V seed value being corrupted but only for simulation mode.

In short, how to find what could be the cause(s) of FIPS test(s) failure(s) ?

Regards.
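The console lines above are ERR_print_errors_fp() output, and the hex field is a packed OpenSSL error code: in the 1.0.x err.h layout, the top byte is the library (0x2D, "FIPS routines"), the next 12 bits the function (0x088 for FIPS_selftest_x931, 0x090 for FIPS_selftest_aes_xts, and so on) and the low 12 bits the reason (0x086, "selftest failed"). When an application only has the raw value from ERR_get_error(), `openssl errstr 2D088086` prints the same text form. The decoder below is an added example of mine, not code from the post or from the FIPS module: it parses lines of that format, unpacks the code the way ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON do, and lets you group the failures. The five lines from the post are embedded as sample input; the field widths and helper names are my own. Worth noticing in the output: five independent algorithms fail with one and the same reason code, which points at a cause common to all of them rather than at the individual test vectors.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One line of ERR_print_errors_fp() output, split into its fields. */
struct ossl_err {
    unsigned long code;          /* packed code, e.g. 0x2D088086 */
    int lib, func, reason;       /* unpacked as ERR_GET_LIB/FUNC/REASON do in 1.0.x */
    char libname[48], funcname[48], reasonstr[48], file[48];
    int line;
};

/* OpenSSL 1.0.x err.h: ERR_PACK(l,f,r) == ((l&0xff)<<24)|((f&0xfff)<<12)|(r&0xfff). */
static int err_lib(unsigned long e)    { return (int)((e >> 24) & 0xff); }
static int err_func(unsigned long e)   { return (int)((e >> 12) & 0xfff); }
static int err_reason(unsigned long e) { return (int)(e & 0xfff); }

/* Copy the next ':'-separated field of *p into dst and advance *p past it. */
static void next_field(const char **p, char *dst, size_t n)
{
    const char *end = strchr(*p, ':');
    size_t len = end ? (size_t)(end - *p) : strlen(*p);
    if (len >= n)
        len = n - 1;
    memcpy(dst, *p, len);
    dst[len] = '\0';
    *p = end ? end + 1 : *p + strlen(*p);
}

/* Parse "tid:error:HEX:lib:func:reason:file:line:". Returns 1 on success. */
int parse_ossl_err(const char *line, struct ossl_err *e)
{
    char tmp[48];
    const char *p = line;

    memset(e, 0, sizeof *e);
    next_field(&p, tmp, sizeof tmp);            /* thread id, not needed */
    next_field(&p, tmp, sizeof tmp);
    if (strcmp(tmp, "error") != 0)
        return 0;
    next_field(&p, tmp, sizeof tmp);
    e->code = strtoul(tmp, NULL, 16);
    e->lib = err_lib(e->code);
    e->func = err_func(e->code);
    e->reason = err_reason(e->code);
    next_field(&p, e->libname, sizeof e->libname);
    next_field(&p, e->funcname, sizeof e->funcname);
    next_field(&p, e->reasonstr, sizeof e->reasonstr);
    next_field(&p, e->file, sizeof e->file);
    next_field(&p, tmp, sizeof tmp);
    e->line = atoi(tmp);
    return e->line > 0;
}

/* Sample input: the five console lines from the post above. */
#define NSAMPLE 5
static const char *sample[NSAMPLE] = {
    "3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:",
    "3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:",
    "3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:",
    "3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:",
    "3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:",
};

static int parse_sample(int i, struct ossl_err *e)
{
    return i >= 0 && i < NSAMPLE && parse_ossl_err(sample[i], e);
}

/* Accessors on the sample set; -1 / "" if the line does not parse. */
int sample_func(int i) { struct ossl_err e; return parse_sample(i, &e) ? e.func : -1; }
int sample_line(int i) { struct ossl_err e; return parse_sample(i, &e) ? e.line : -1; }
int sample_is_fips_lib(int i)
{
    struct ossl_err e;
    return parse_sample(i, &e) && e.lib == 0x2D && strcmp(e.libname, "FIPS routines") == 0;
}
const char *sample_file(int i)
{
    static char buf[48];
    struct ossl_err e;
    if (!parse_sample(i, &e))
        return "";
    strcpy(buf, e.file);
    return buf;
}

/* How many sample lines carry the given unpacked reason code. */
int count_reason(int reason)
{
    struct ossl_err e;
    int i, n = 0;
    for (i = 0; i < NSAMPLE; i++)
        if (parse_sample(i, &e) && e.reason == reason)
            n++;
    return n;
}
```

Feed it the lines from a log file instead of the embedded sample to tabulate which FIPS_F_* functions and which reason codes occur; with the unpacked func value in hand, the FIPS_F_* macro in fips.h leads straight to the self-test source file and line.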
Re: [openssl-users] FIPS: Any setup required for using a default DRBG ?
From: jonetsu jone...@teksavvy.com
Date: 03/26/15 11:11

>> Is FIPS_mode_set(1) taking care of setting up a default DRBG ?
>
> Yes. It does.

When using post_cb() from fips_test_suite.c in for instance the fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 and DRBG HMAC-SHA256, amongst others.

After FIPS_mode_set(1) is executed along with the POST tests, a call to RAND_pseudo_bytes() will not run the tests again. In this context, when do the DRBG continuous tests as shown in table 6b of the 2.0.9 Security Policy occur ? Is there a need to actually call FIPS_selftest() ?

Regards.
[openssl-users] FIPS: Any setup required for using a default DRBG ?
Hello,

Is FIPS_mode_set(1) taking care of setting up a default DRBG ? Would a subsequent call to RAND_pseudo_bytes() for instance be using the default DRBG ( 256-bit CTR AES ?)

There are quite a few DRBG-related FIPS methods described in the User Guide, and one that is called FIPS_get_default_drbg(). Does this have to be actually called ?

I'm asking since I added in crypto/o_fips.c a FIPS_post_set_callback() in FIPS_set_mode() with a case switch on FIPS_TEST_DRBG (amongst others). SHA256, HMAC-SHA256, AES-128-CBC, AES-256-CTR amongst others are reported to be tested, although there's no sign of the FIPS_TEST_DRBG. Nor FIPS_TEST_CONTINUOUS for that matter. Wouldn't the DRBG be tested in a 'continuous' way before each use ? - thanks.

Regards.
[openssl-users] FIPS: Which DRBG is default ?
Hello,

When an application does not define OPENSSL_DRBG_DEFAULT_TYPE nor OPENSSL_DRBG_DEFAULT_FLAGS nor any compilation options (if applicable), is the default DRBG the 256 bit CTR AES (+ derivation function) in FIPS mode ?

Regards.
[openssl-users] FIPS Linux kernel documentation ?
Hello,

This is not about OpenSSL, although from experience, maybe some know the answer. Does anyone know if actual documentation exists for the Linux kernel FIPS mode apart from the source itself ? There is nothing in Documentation/ as per 3.18.2. - thanks.

Regards.
Re: [openssl-users] FIPS: Which DRBG ?
From: Steve Marquess marqu...@openssl.com
Date: 03/24/15 12:38

> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early 2014) for use as-is in doing copycat validations. Some non-trivial code hacks will be necessary. We'll do a new open source based validation to succeed the 2.0 FIPS module (#1747 validation) at the first opportunity, but that opportunity has not yet presented itself.

I still do not know that much about the validation in practical terms. If our units go through validation, can this benefit OpenSSL ?

Also, to go back to the SP 800-90 vs. SP 800-90A regarding the DRBGs, do you know how the OpenSSL SP 800-90 validation would fare in a FIPS testing lab since the Dual EC was removed and the other three were not touched ?

Regards.
Re: [openssl-users] FIPS: Which DRBG ?
From: Steve Marquess marqu...@openssl.com
Date: 03/24/15 09:22

> At the time that validation was obtained the four (at the time) DRBGs were specified by SP800-90. That document was subsequently reissued in several pieces; the current SP800-90A now contains the specifications for the three surviving DRBGs (the fatally tainted Dual EC DRBG having been removed from the formal standards and also from the OpenSSL FIPS Object Module).

If it concerns only the removal of the Dual EC, then it should be OK, technically. Not on paper.

> Now the code for the OpenSSL FIPS module can no longer be used as-is for new private label or copycat validations, but that's for different reasons and not because of the DRBGs.

I've read the User Guide bit on private label validations. In the case of a product that consists of a dedicated unit, what would be the best approach ? So far I have considered using the OpenSSL FIPS module as is, in the hope that its FIPS validation would save costs at the testing lab. Is this still feasible ?

Regards.
[openssl-users] FIPS: Which DRBG ?
Hello,

Following on the 'SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?' topic, the OpenSSL source code does not seem to mention SP 800-90A. Only SP 800-90. So the certifications were made for SP 800-90, is that right ?

Also, does it depend on the application to choose which DRBG and moreover, for regular FIPS uses, does it matter which DRBG is used since they are all approved ?

One more question: is there a way for us to actually know/test which one is used by an application ? I currently am using a FIPS_post_set_callback() placed in FIPS_mode_set() - can this be useful to identify which DRBG is used ? Maybe FIPS_drbg_set_callbacks() could be more useful ?

Regards.
Re: [openssl-users] Runtime list of FIPS ciphers
From: Dr. Stephen Henson st...@openssl.org
Date: 03/20/15 12:48

> OPENSSL_FIPS=1 openssl ciphers -v
>
> openssl ciphers -v FIPS

Thanks, this works great, on the workstation where I have installed at the default development location /usr/local/ssl/, using OpenSSL 1.0.1k.

However, we have built Debian packages for the target unit, using 1.0.1e. While the example fips_hmac runs fine, we have a problem with openssl itself, which seems to be that the openssl shared object is somehow not FIPS enabled, or, is 1.0.1e lacking in any respect to FIPS mode ? :

% ./fips_hmac -v gcrypt_pkglist
FIPS mode enabled ret: 1
51dedc633485ccb55f4624763e9d118d6df15b3c

% OPENSSL_FIPS=1 openssl ciphers -v
3069818064:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1729:

% ldd fips_hmac
    libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6dbc000)

% ldd /usr/bin/openssl
    libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6f5e000)
    libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6e03000)

% openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[openssl-users] Runtime list of FIPS ciphers
Hello,

I have the impression that the 'ciphers -v' option to openssl, when OpenSSL is compiled in FIPS mode, lists more than FIPS-only. There are RC5 and RC4 in there, for instance. Is there a specific openssl command that will list only the ones that are FIPS-allowed ?

Regards.
[openssl-users] FIPS: Error compiling 1.0.1e: 'T' vs. 't'
Hello,

There is a problem with compiling the openssl-1.0.1e.tar.gz sources against the FIPS 2.0 canister. On my machine the following is declared global:

000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key

On another machine, they are declared local and the apps build fails:

000dd3c0 t private_AES_set_decrypt_key
000dd0f0 t private_AES_set_encrypt_key

What is the mechanism that determines which is global and which is local and what does it depend on to make its decision ?

Regards.
Re: [openssl-users] FIPS: Problem building 1.0.1e: 'T' vs. 't'
From: Dr. Stephen Henson st...@openssl.org
Date: 03/17/15 12:28

> What are the two platforms? That is what does:

First of all, I'm very, very sorry to have posted duplicates of the question. The web-access email client is, was, a bit on the fuzzy side, stalling and reporting errors.

It turns out, at the end of much puzzling and searching, that the difference is in the Debian packaging. The Debian folks have added some per-method version mechanism to be assured that the APIs are still compatible between OpenSSL number versions. That mechanism does not recognize the FIPS renaming of some methods hence tags them as local. We fixed that and it could be that the fix can be given to Debian as it should be transparent to non-FIPS OpenSSL Debian builds.

Again, sorry for the multiple posts !

Regards.
[openssl-users] FIPS: Problem building 1.0.1e : 'T' vs. 't'
Hello,

There is a problem with compiling the openssl-1.0.1e.tar.gz sources against the FIPS 2.0 canister. On my machine the following is declared global:

000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key

On another machine, they are declared local and the apps build fails:

000dd3c0 t private_AES_set_decrypt_key
000dd0f0 t private_AES_set_encrypt_key

What is the mechanism that determines which is global and which is local and what does it depend on to make its decision ?

Regards.
[openssl-users] FIPS: Converting AES_ctr128_encrypt() to EVP_ methods
Hello,

An application that needs converting to FIPS is currently using AES_ctr128_encrypt(). That function calls in turn CRYPTO_ctr128_encrypt() which then does some internal computations. They are not documented in the 'full list of crypto APIs'. What would be the FIPS-compatible EVP equivalent(s) ?

Regards.
[openssl-users] FIPS: ECC licensing
Hello,

The licenses and patents for ECC were noticed. In short, if we do not care about this in the sense of not willing to be in any patent infringement situation down the road, the -ecb archive should be used, is that right ?

Also, there is a mention of a NSA-PLA.pdf agreement statement. The file is not found. Is this still valid in some ways ?

Regards.
Re: [openssl-users] FIPS: Common method executed in case of error
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 20:04

> I mean you could add a callback to FIPS_mode_set using FIPS_post_set_callback: see the fips_test_suite.c application for an example. The supplied callback is called during each POST, continuous RNG and pairwise consistency checks. The op value is set to FIPS_POST_FAIL if any test fails.

This is basically what was also suggested by Henrik in a related thread recently, which I understood being implemented in an application. The variation here would be that the callback is part of the library, located in FIPS_mode_set() in o_fips.c, with the callback itself being defined elsewhere in the same file.

A potentially useful case for some applications that do not need to be further modified would be for the library to automatically know that it has to run in FIPS mode. Eg. to automatically call FIPS_mode_set() at load time, based on a env. var. or some other external sign.
[openssl-users] FIPS: Common method executed in case of error
Hello,

Is there a method that is always in the path of execution when a crypto error occurs ?

The reason for asking is that I would like to very slightly modify the OpenSSL FIPS version so that it will write a file in tmpfs when an error occurs. That place will be observed by another app using inotify. Granted, modifying OpenSSL FIPS will void its FIPS certification. But then, the whole unit will be validated. Having a single place to modify would be quite an extraordinary thing.

I have asked recently about a related topic and got some replies regarding the modification of applications, although modifying the library would provide a single package to modify. Steve has replied that indeed the validation will be lost - I wonder if that would have any impact on the total validation costs for a whole unit, OS and apps ? Would a non-modified FIPS OpenSSL library reduce the validation costs ?

Any comments and suggestions welcomed, regards.
Re: [openssl-users] FIPS: Common method executed in case of error
From: Steve Marquess marqu...@openssl.com
Date: 03/10/15 08:56

Hello,

Thanks for your reply.

> You're talking about a Level 2 validation (or higher)? You most definitely do *not* want to include the OS or applications in the cryptographic module boundary for Level 1.

It's a level 2. The behaviour of the unit as a whole is validated. As an example amongst many, there will be no Linux console prompt available in FIPS mode.

> I think you're going to be shocked at the cost (in time and money) to validate a hacked OpenSSL FIPS module, compared to using it as-is or a change letter update.

That brings a question. I'm currently using 1.0.1k with the 2.0 FIPS module for development purposes. This may seem a bit blunt, but, is it possible at all to use 1.0.1k to benefit from the FIPS validation ? Based on recent comments I would think not. Going back to a pre-heartbleed version ? Is there any way to benefit from the gained OpenSSL FIPS validation at all ?

> That's because the CMVP has introduced a number of new requirements since the current FIPS module was validated (in 2012), and any new validation will now need to satisfy those.

Again, is there any benefit to be gained from using a once validated OpenSSL FIPS ? What would be the bugs fixed / security updates trade-off ?

> That means not only non-trivial code hacks unrelated to yours, but also a new paper shuffle for the arm waving (DTR) components of the validation process. The cost of the latter dwarfs the former; which is why we have not attempted a new validation ourselves.

Hmmm... If this goes through, would it be possible for OpenSSL to benefit from any validation our unit can get ?

> But, that cost could be dwarfed in turn by that of a Level 2 or 3 validation of a turnkey system including OS and apps.

Thanks again for your comments, much appreciated.

Regards.
Re: [openssl-users] FIPS: Common method executed in case of error
> Is there a method that is always in the path of execution when a crypto error occurs ?

It looks like fips_set_selftest_fail() would be a likely candidate where to create an empty file on a tmpfs in order to let the OS know about the error. Comments and suggestions welcomed.

Based on your experience with the FIPS validation process, and many customers/sponsors, do you think that having an ever so slightly modified OpenSSL FIPS code would increase validation costs for a whole unit (OS and apps) ? Recently Steve, I think, has mentioned that the cost for an initial OpenSSL FIPS validation was well into the 6 numbers. Would this type of figure be added to a project if OpenSSL FIPS is modified ? I think the labs could go with a diff and see how simple the modification is.

Regards.
Re: [openssl-users] FIPS: Common method executed in case of error
From: Dr. Stephen Henson st...@openssl.org
Date: 03/10/15 10:21

> Although you cannot modify the FIPS module itself without voiding the validation you *can* change the FIPS capable OpenSSL. You might (for example) change FIPS_mode_set() to always add a callback which logs any errors.

I see. So this would actually enable benefiting (saving validation costs) from an intact recent OpenSSL 1.0.1k with all security fixes.

FIPS_mode_set() is very straightforward to patch although it would only catch startup errors. Not the eventual errors from tests that are executed before each crypto use. And not the continuous RNG tests.

Within the scope of OpenSSL itself, there is a fips_cipher_abort() that is called for each algo. That macro could perhaps be a good place. Although it would still not catch continuous RNG test failures.

Regards.
[openssl-users] Testing FIPS mode using 0 randomness
Hello,

I tried a simple test to see if FIPS mode would fail, using the example given in the FIPS user guide 2.0. The test consisted of replacing the /dev/random and /dev/urandom with /dev/zero. I would have expected that no source of randomness would make the tests run at the call of FIPS_mode_set(1) fail.

ex.:

cd dev
rm random
mknod -m 666 /dev/random c 1 5

Verify presence of zeroes all over:

cat /dev/random | xxd

./fips_hmac fips_hmac.o

I added a ret value to catch the return code from FIPS_mode_set(1). Random or no random, it always returns 1.

Shouldn't randomness be an important part of the power-up tests ? I understand there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' (eg. continuous). Wouldn't these tests be part of the power-up sequence as called by FIPS_mode_set(1) also ?

Thanks.
[openssl-users] FIPS methods and symlinks
Hello,

To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in hmac.c, we can see that if FIPS mode is active then FIPS_hmac_update() will be called. This is fine although searching the sources for the physical definition of FIPS_hmac_update() does not yield any results. How do the symbolic links function, what ends up being executed in this case and through which path ?

Thanks, regards.
Re: [openssl-users] OpenSSL FIPS mode system integration
On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:

> I'm not sure it will be called on every conceivable error in the FIPS module, but what I do in similar situations is something like this:
>
> static int post_cb(int op, int id, int subid, void *ex)
> {
>     if (op == FIPS_POST_FAIL)
>         system("/bin/fipserror");
>     return 1;
> }
>
> And there somewhere:
>
> FIPS_post_set_callback(post_cb);

This is very interesting, thanks. Following this hint, in the same vein the FIPS code also has:

FIPS_drbg_set_callbacks(args)

Although this one looks more like an entropy callback than anything that could be used to know about status.

The FIPS User Guide mentions both, although the information on FIPS_post_set_callback() is not much at all. Is there another source than the User Guide 2.0, for detailed descriptions of these FIPS-related methods ? For instance, the 'op' variable of FIPS_post_set_callback() is not described at all. Any manual or info pages ? Could be other potentially interesting methods in there.
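Henrik's callback above shells out; Steve's description earlier in this archive adds that the callback registered with FIPS_post_set_callback() is invoked for every POST, continuous RNG test and pairwise consistency check, with op set to FIPS_POST_FAIL on failure, which is exactly the hook the tmpfs-plus-inotify design in this thread needs. The following is an added example of mine, not code from the FIPS module, from fips_test_suite.c or from either poster: a callback that records the failing test's (id, subid) in a flag file, written to a temporary name and then renamed, so the inotify watcher (which should listen for IN_MOVED_TO) never reads a half-written file. Assumptions: the directory is FIPS_FLAG_DIR (/tmp here; point it at the tmpfs), the registration code is compiled only with -DOPENSSL_FIPS against a FIPS capable OpenSSL (a FIPS capable build's opensslconf.h defines that macro), and the helper names are mine. The id values the thread mentions (FIPS_TEST_DRBG, FIPS_TEST_CONTINUOUS, ...) arrive in the id argument. Because the callback can run from inside a RAND call, it does no allocation, takes no locks and never calls back into OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>   /* FIPS_post_set_callback(), FIPS_POST_FAIL, FIPS_TEST_* */
#endif

/* Directory watched with inotify by the supervising process (assumption: a tmpfs). */
#ifndef FIPS_FLAG_DIR
#define FIPS_FLAG_DIR "/tmp"
#endif

/* Create "<dir>/fips-error" atomically: write "<dir>/.fips-error.<pid>", fsync,
 * rename over the final name. Returns 1 on success, 0 on any failure. */
int fips_flag_write(const char *dir, int op, int id, int subid)
{
    char tmp[256], final[256], buf[128];
    int fd, n;

    if (snprintf(tmp, sizeof tmp, "%s/.fips-error.%ld", dir, (long)getpid()) >= (int)sizeof tmp)
        return 0;
    if (snprintf(final, sizeof final, "%s/fips-error", dir) >= (int)sizeof final)
        return 0;
    n = snprintf(buf, sizeof buf, "op=%d id=%d subid=%d pid=%ld\n", op, id, subid, (long)getpid());
    fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return 0;
    if (write(fd, buf, (size_t)n) != n || fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return 0;
    }
    close(fd);
    if (rename(tmp, final) != 0) {
        unlink(tmp);
        return 0;
    }
    return 1;
}

/* Supervisor side: read the flag back. Returns 1 if present and well formed. */
int fips_flag_read(const char *dir, int *op, int *id, int *subid)
{
    char path[256];
    FILE *f;
    int rc;

    snprintf(path, sizeof path, "%s/fips-error", dir);
    f = fopen(path, "r");
    if (f == NULL)
        return 0;
    rc = fscanf(f, "op=%d id=%d subid=%d", op, id, subid) == 3;
    fclose(f);
    return rc;
}

/* Remove the flag (e.g. after the unit has been taken out of service). */
int fips_flag_clear(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/fips-error", dir);
    return unlink(path) == 0;
}

#ifdef OPENSSL_FIPS
/* Callback shape used by the 2.0 module; return 1 like fips_test_suite.c's does. */
static int fips_flag_post_cb(int op, int id, int subid, void *ex)
{
    (void)ex;
    if (op == FIPS_POST_FAIL)
        fips_flag_write(FIPS_FLAG_DIR, op, id, subid);
    return 1;
}

/* Register before FIPS_mode_set(1): from the application's init, or from a
 * patched FIPS_mode_set() in the FIPS capable OpenSSL's crypto/o_fips.c. */
void fips_flag_install(void)
{
    FIPS_post_set_callback(fips_flag_post_cb);
}
#endif

/* Self-check of the file helpers with constructed values (not a real failure). */
int fips_flag_selfcheck(void)
{
    int op = 0, id = 0, subid = 0;
    if (!fips_flag_write(FIPS_FLAG_DIR, 3, 5, 7))     /* 3, 5, 7: constructed */
        return 0;
    if (!fips_flag_read(FIPS_FLAG_DIR, &op, &id, &subid))
        return 0;
    fips_flag_clear(FIPS_FLAG_DIR);
    return op == 3 && id == 5 && subid == 7;
}
```

The watcher treats the appearance of the flag as "stop all crypto and data output"; whether the process itself should also abort(), as Marcus describes doing at SUSE later in this archive, is a separate policy decision that the callback leaves to the caller.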
Re: [openssl-users] FIPS, continuous tests, and error reporting
From: Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org
Date: 02/19/15 11:34
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting

> The low level cipher and digest APIs cannot be used in FIPS mode: you have to use EVP.

That's quite an important point. It brings a question: how are the 'continuous' FIPS tests performed ? Are they automatically called at the beginning of an EVP_* method ? Do they run periodically in the background ? Both ?

Regards.
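Two things in this archive turn on what the continuous test actually is: the /dev/zero experiment earlier (FIPS_mode_set(1) still returned 1) and the question just above about whether the test runs inline or in the background. The power-up tests are known-answer tests, so the DRBG KATs instantiate with the fixed entropy from the test vector; the state of /dev/random cannot change their outcome. The continuous test is something else: as I read fips_drbg_lib.c in the 2.0 module, each block the entropy callback delivers and each block the DRBG generates is compared inline, on that call, with the previous block of the same kind, and a repeat puts the module into its sticky error state (nothing runs periodically in the background). The following is an added example of mine, not the module's code, modelling that FIPS 140-2 continuous test with a 16-byte block (an assumption for the demo; the module uses each DRBG's own block length). It shows why an all-zero source trips the test on its second block and why the first block is consumed by the test and never released.

```c
#include <string.h>

/* Block size compared by the continuous test (assumption for this demo). */
#define CRNGT_BLOCK 16

enum { CRNGT_STUCK = -1, CRNGT_PRIMED = 0, CRNGT_OK = 1 };

struct crngt {
    unsigned char last[CRNGT_BLOCK];
    int have_last;   /* first block seen and retained */
    int failed;      /* sticky error state, like the module's selftest-fail flag */
};

void crngt_init(struct crngt *c)
{
    memset(c, 0, sizeof *c);
}

/* Feed one block.
 * CRNGT_PRIMED: first block, retained for comparison, never released.
 * CRNGT_OK:     differs from the previous block and may be used.
 * CRNGT_STUCK:  identical to the previous block; the source is considered
 *               stuck and every later call fails as well. */
int crngt_check(struct crngt *c, const unsigned char blk[CRNGT_BLOCK])
{
    if (c->failed)
        return CRNGT_STUCK;
    if (!c->have_last) {
        memcpy(c->last, blk, CRNGT_BLOCK);
        c->have_last = 1;
        return CRNGT_PRIMED;
    }
    if (memcmp(c->last, blk, CRNGT_BLOCK) == 0) {
        c->failed = 1;
        return CRNGT_STUCK;
    }
    memcpy(c->last, blk, CRNGT_BLOCK);
    return CRNGT_OK;
}

/* Run a byte stream through the test block by block. Returns the number of
 * blocks released to the caller, or -1 if the test tripped. */
int crngt_feed_stream(const unsigned char *s, size_t len)
{
    struct crngt c;
    size_t off;
    int accepted = 0;

    crngt_init(&c);
    for (off = 0; off + CRNGT_BLOCK <= len; off += CRNGT_BLOCK) {
        int r = crngt_check(&c, s + off);
        if (r == CRNGT_STUCK)
            return -1;
        if (r == CRNGT_OK)
            accepted++;
    }
    return accepted;
}

/* Constructed stream 1: what an entropy callback reading /dev/zero delivers. */
int crngt_demo_zero_source(void)
{
    unsigned char z[4 * CRNGT_BLOCK];
    memset(z, 0, sizeof z);
    return crngt_feed_stream(z, sizeof z);   /* -1: block 2 repeats block 1 */
}

/* Constructed stream 2: four distinct blocks, as a live source would produce. */
int crngt_demo_changing_source(void)
{
    unsigned char s[4 * CRNGT_BLOCK];
    size_t i;
    for (i = 0; i < sizeof s; i++)
        s[i] = (unsigned char)i;
    return crngt_feed_stream(s, sizeof s);   /* 3: first block primes, three released */
}
```

Note the limit of the test: it only catches a source that repeats a whole block. Whether a given entropy path on a given system really delivers the /dev/zero bytes unmixed to this comparison is what the experiment above needs to establish for that system before drawing conclusions from FIPS_mode_set(1)'s return value.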
Re: [openssl-users] FIPS, continuous tests, and error reporting
-Original Message-
From: Salz, Rich rs...@akamai.com
To: openssl-users@openssl.org
Date: 02/19/15 07:43
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting

>> For that matter and in a general sense, so far I've seen that many encryption methods do not return any error code. How does error reporting generally work ?
>
> Really? Which ones?

For instance, any of the void DES_*_encrypt(). This cursory observation is also supported by a vendor application code such as:

static void des_encrypt(char key1[8], char key2[8], char key3[8],
                        char ivec[8], char *input, char *output,
                        int len, int encrypt)
{
    [snip]
    DES_set_key(des_key1, schedule1);
    DES_set_key(des_key2, schedule2);
    DES_set_key(des_key3, schedule3);
    DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
                         len, schedule1, schedule2, schedule3,
                         des_ivec, encrypt);
}

This is basically why I'm wondering about how errors propagate in the OpenSSL library.
Re: [openssl-users] OpenSSL FIPS mode system integration
-Original Message-
From: Marcus Meissner meiss...@suse.de
To: openssl-users@openssl.org
Date: 02/19/15 08:07
Subject: Re: [openssl-users] OpenSSL FIPS mode system integration

> Well, the writing is that the crypto module must stop operating on error. We solved this by calling abort(); in the openssl library on FIPS related error conditions.

H... What I have written from a consultancy compliance report is that all crypto operations must stop and, all data output of the designed Data Output interface(s) must also stop. Hence my concern for the OS knowing about FIPS crypto test results.

Thanks for your comment.
Re: [openssl-users] Using FIPS mode and modifying apps
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18:

Thank you (and Tom) for your comments - much appreciated.

> Tom Francis nailed the answer to this one. We did design the FIPS module + FIPS capable OpenSSL combination to make it possible to have a system wide FIPS mode capability, but that presumes that the system maintainer (i.e. OS distribution maintainer) has done the review and modification of each application that uses cryptography to make sure it is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern. Does this mean that the FIPS checks will be done today on OpenSSL library startup w/o the need for an application to use FIPS_mode_set() ? I'm asking since the OpenSSL FIPS User Guide 2.0 only mentions using FIPS_mode_set() (and FIPS_selftest()). Might have to do with your comment below.

> That is indeed the assumption: that commercial versions of RH and SuSE have modified all impacted OSS applications to operate in FIPS mode. If they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.

> Please read the first two sentences on that web page, right at the top.

OK! Regarding the second sentence :) ... what is the current status ? Is OpenSSL transparently executing FIPS checks when in FIPS mode ? And, why would there be any validation (as opposed to functional tests) to be done since these checks are the same as they were before I presume, just done automatically this time around.

Regards.