Re: [Freesurfer] Freesurfer and crypt

2018-04-19 Thread Dicamillo, Robert
Hi Bennet,

I’m attaching a compressed tar file, chklc_fips.tgz, that is an attempt at
creating a binary (chklc_fips) that uses its own local version of crypt.  See
the README file when you untar the archive.  This is not officially supported
in any way, and while it can read my license file in a non-FIPS environment, I
cannot say if it will actually work for you.

- -rob


On Apr 19, 2018, at 10:14 AM, Bennet Fauber wrote:


Hi, Rob,

The call to crypt() appears to be in FreeSurfer's license validation routine, 
since it is immediately after reading the license file.  In the sense that 
FreeSurfer cannot run without some sort of license, and that license validation 
is using the native Unix crypt() function to validate, it's not quite 
OpenSource.  I think someone at FreeSurfer would need to replace the single 
call to the crypt() function with some other function that isn't marked as 
'insecure' to bypass this.

I thought I saw something earlier on the mailing list about this, and that 
there was a workaround, but I am unable to locate it again.  Any chance this 
could get passed to the developer who maintains the license validation code?  
Depending on the code and their willingness to share, we might be able to 
contribute an alternative for systems with the elevated security.

This currently may not be a big issue, but we are seeing increasing strictness 
on our end to comply with federal security guidelines, and it may not just be 
our Medical Center and local VA that are pushing these security measures.

This is what it looks like when it succeeds.

11527 open("/sw/arcts/centos7/freesurfer/6.0.0/license.txt", O_RDONLY) = 3
11527 fstat(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
11527 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4bcc176000
11527 read(3, "ben...@umich.edu\n6925\n *CpU.rbF6"..., 8192) = 52
11527 read(3, "", 8192) = 0
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)= 2
11527 close(4)  = 0
11527 close(3)  = 0
11527 munmap(0x2b4bcc176000, 8192)  = 0
11527 getcwd("/home/bennet/tmp/freesurfer", 4096) = 28
11527 open("/home/bennet/tmp/freesurfer/sample-001.mgz", O_RDONLY) = 3

I do not believe that this is something that can be 'whitelisted', as this is 
set in the Linux kernel at boot time.

Thanks,
-- bennet


On Thu, Apr 12, 2018 at 11:29 AM, Dicamillo, Robert wrote:
Hello Bennet,

Maybe someone else can chime in on this, as I have not worked on a system
with FIPS, but perhaps there is a way for the FIPS administrator to white list
all the Freesurfer binaries (and the license file), as security exempt.

I know some Enterprise/business applications like Adobe’s Acrobat, etc.,
(closed source) are built with code to work on FIPS compliant systems, but
I don’t see there is currently anything in Freesurfer (essentially open source),
code that knows about cryptographic modules, digital signatures, etc. to work on
a secure system.  Even turning on SElinux for linux OS can be an
issue for some programs.

Another thing to inquire about is if the IT folks maintain any non-secure
servers, i.e., I would not assume that any application will just work in a secure
environment.

- rob

> On Apr 12, 2018, at 10:51 AM, Bennet Fauber wrote:
>
> It appears that FreeSurfer is not compatible with systems for which
> FIPS level security is mandated.  In our case, I am told this is part
> of our data use agreement with the VA.
>
> We tried to run it, and I get the following stack trace showing what
> appears to be license validation using the crypt() function, which is
> blacklisted by the Linux kernel by the FIPS configuration.
>
> 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> 28063 read(3, "", 4096) = 0
> 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> 28063 read(4, "1\n", 31)= 2
> 28063 close(4)  = 0
> 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> 28063 exit_group(1)
>
> Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
>
> Appreciate your consideration of this question,
>
> -- bennet
>
>
>
> On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber 
> > wrote:
>> I have a couple of users here who are reporting that on machines with
>> FIPS enabled, which in turn disables certain cryptographic functions,
>> FreeSurfer core dumps with 

Re: [Freesurfer] Freesurfer and crypt

2018-04-19 Thread Bennet Fauber

Hi, Rob,

The call to crypt() appears to be in FreeSurfer's license validation
routine, since it is immediately after reading the license file.  In the
sense that FreeSurfer cannot run without some sort of license, and that
license validation is using the native Unix crypt() function to validate,
it's not quite OpenSource.  I think someone at FreeSurfer would need to
replace the single call to the crypt() function with some other function
that isn't marked as 'insecure' to bypass this.

I thought I saw something earlier on the mailing list about this, and that
there was a workaround, but I am unable to locate it again.  Any chance
this could get passed to the developer who maintains the license validation
code?  Depending on the code and their willingness to share, we might be
able to contribute an alternative for systems with the elevated security.

This currently may not be a big issue, but we are seeing increasing
strictness on our end to comply with federal security guidelines, and it
may not just be our Medical Center and local VA that are pushing these
security measures.

This is what it looks like when it succeeds.

11527 open("/sw/arcts/centos7/freesurfer/6.0.0/license.txt", O_RDONLY) = 3
11527 fstat(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0
11527 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4bcc176000
11527 read(3, "ben...@umich.edu\n6925\n *CpU.rbF6"..., 8192) = 52
11527 read(3, "", 8192) = 0
11527 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
11527 read(4, "0\n", 31)= 2
11527 close(4)  = 0
11527 close(3)  = 0
11527 munmap(0x2b4bcc176000, 8192)  = 0
11527 getcwd("/home/bennet/tmp/freesurfer", 4096) = 28
11527 open("/home/bennet/tmp/freesurfer/sample-001.mgz", O_RDONLY) = 3

I do not believe that this is something that can be 'whitelisted', as this
is set in the Linux kernel at boot time.

Thanks,
-- bennet


On Thu, Apr 12, 2018 at 11:29 AM, Dicamillo, Robert <rdicami...@mgh.harvard.edu> wrote:

> Hello Bennet,
>
> Maybe someone else can chime in on this, as I have not worked on a system
> with FIPS, but perhaps there is a way for the FIPS administrator to white list
> all the Freesurfer binaries (and the license file), as security exempt.
>
> I know some Enterprise/business applications like Adobe’s Acrobat, etc.,
> (closed source) are built with code to work on FIPS compliant systems, but
> I don’t see there is currently anything in Freesurfer (essentially open source),
> code that knows about cryptographic modules, digital signatures, etc. to work on
> a secure system.  Even turning on SElinux for linux OS can be an
> issue for some programs.
>
> Another thing to inquire about is if the IT folks maintain any non-secure
> servers, i.e., I would not assume that any application will just work in a secure
> environment.
>
> - rob
>
> > On Apr 12, 2018, at 10:51 AM, Bennet Fauber  wrote:
> >
> > It appears that FreeSurfer is not compatible with systems for which
> > FIPS level security is mandated.  In our case, I am told this is part
> > of our data use agreement with the VA.
> >
> > We tried to run it, and I get the following stack trace showing what
> > appears to be license validation using the crypt() function, which is
> > blacklisted by the Linux kernel by the FIPS configuration.
> >
> > 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> > 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> > 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> > MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> > 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> > 28063 read(3, "", 4096) = 0
> > 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> > 28063 read(4, "1\n", 31)= 2
> > 28063 close(4)  = 0
> > 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> > 28063 exit_group(1)
> >
> > Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
> >
> > Appreciate your consideration of this question,
> >
> > -- bennet
> >
> >
> >
> > On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber  wrote:
> >> I have a couple of users here who are reporting that on machines with
> >> FIPS enabled, which in turn disables certain cryptographic functions,
> >> FreeSurfer core dumps with a call to the crypt() function, which FIPS
> >> disables.
> >>
> >> Someone speculated based on output from strace that this is FreeSurfer
> >> possibly attempting to validate its license.
> >>
> >> Is this a known problem?  Is there a solution?
> >>
> >> We have a university compliance office and possibly similar people
> >> from our local VA who are insisting that FIPS be enabled.
> >>
> >> If you need more information, please let me know and I will try to
> >> obtain it for you.
> >>
> 

Re: [Freesurfer] Freesurfer and crypt

2018-04-12 Thread Dicamillo, Robert
Hello Bennet,

Maybe someone else can chime in on this, as I have not worked on a system
with FIPS, but perhaps there is a way for the FIPS administrator to white list 
all the Freesurfer binaries (and the license file), as security exempt.

I know some Enterprise/business applications like Adobe’s Acrobat, etc.,
(closed source) are built with code to work on FIPS compliant systems, but
I don’t see there is currently anything in Freesurfer (essentially open source),
code that knows about cryptographic modules, digital signatures, etc. to work on
a secure system.  Even turning on SElinux for linux OS can be an
issue for some programs.

Another thing to inquire about is if the IT folks maintain any non-secure
servers, i.e., I would not assume that any application will just work in a secure
environment.

- rob

> On Apr 12, 2018, at 10:51 AM, Bennet Fauber  wrote:
> 
> It appears that FreeSurfer is not compatible with systems for which
> FIPS level security is mandated.  In our case, I am told this is part
> of our data use agreement with the VA.
> 
> We tried to run it, and I get the following stack trace showing what
> appears to be license validation using the crypt() function, which is
> blacklisted by the Linux kernel by the FIPS configuration.
> 
> 28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
> 28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
> 28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
> 28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
> 28063 read(3, "", 4096) = 0
> 28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> 28063 read(4, "1\n", 31)= 2
> 28063 close(4)  = 0
> 28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
> 28063 exit_group(1)
> 
> Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?
> 
> Appreciate your consideration of this question,
> 
> -- bennet
> 
> 
> 
> On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber  wrote:
>> I have a couple of users here who are reporting that on machines with
>> FIPS enabled, which in turn disables certain cryptographic functions,
>> FreeSurfer core dumps with a call to the crypt() function, which FIPS
>> disables.
>> 
>> Someone speculated based on output from strace that this is FreeSurfer
>> possibly attempting to validate its license.
>> 
>> Is this a known problem?  Is there a solution?
>> 
>> We have a university compliance office and possibly similar people
>> from our local VA who are insisting that FIPS be enabled.
>> 
>> If you need more information, please let me know and I will try to
>> obtain it for you.
>> 
>> Thanks,
>> -- bennet


___
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer


The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.


Re: [Freesurfer] Freesurfer and crypt

2018-04-12 Thread Bennet Fauber
It appears that FreeSurfer is not compatible with systems for which
FIPS level security is mandated.  In our case, I am told this is part
of our data use agreement with the VA.

We tried to run it, and I get the following stack trace showing what
appears to be license validation using the crypt() function, which is
blacklisted by the Linux kernel by the FIPS configuration.

28063 open("/opt/apps/freesurfer-6.0/freesurfer/license.txt", O_RDONLY) = 3
28063 fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
28063 mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa319883000
28063 read(3, "issc-sysad...@umich.edu\n23098\n*C"..., 4096) = 59
28063 read(3, "", 4096) = 0
28063 open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
28063 read(4, "1\n", 31)= 2
28063 close(4)  = 0
28063 write(1, "ERROR: crypt() returned null wit"..., 46) = 46
28063 exit_group(1)

Is there a workaround so we can run FreeSurfer on FIPS-enabled systems?

Appreciate your consideration of this question,

-- bennet



On Thu, Mar 29, 2018 at 5:05 PM, Bennet Fauber  wrote:
> I have a couple of users here who are reporting that on machines with
> FIPS enabled, which in turn disables certain cryptographic functions,
> FreeSurfer core dumps with a call to the crypt() function, which FIPS
> disables.
>
> Someone speculated based on output from strace that this is FreeSurfer
> possibly attempting to validate its license.
>
> Is this a known problem?  Is there a solution?
>
> We have a university compliance office and possibly similar people
> from our local VA who are insisting that FIPS be enabled.
>
> If you need more information, please let me know and I will try to
> obtain it for you.
>
> Thanks,
> -- bennet





[Freesurfer] Freesurfer and crypt

2018-03-29 Thread Bennet Fauber
I have a couple of users here who are reporting that on machines with
FIPS enabled, which in turn disables certain cryptographic functions,
FreeSurfer core dumps with a call to the crypt() function, which FIPS
disables.

Someone speculated based on output from strace that this is FreeSurfer
possibly attempting to validate its license.

Is this a known problem?  Is there a solution?

We have a university compliance office and possibly similar people
from our local VA who are insisting that FIPS be enabled.

If you need more information, please let me know and I will try to
obtain it for you.

Thanks,
-- bennet

