Re: [openssl-users] FIPS mode restrictions and DES

[Kevin Fowler]

Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto libraries to be FIPS-validated, perhaps as separate crypto
modules.

Kevin

On Tue, Apr 14, 2015 at 8:51 AM, jonetsu jone...@teksavvy.com wrote:

 Salz, Rich wrote
  As the old joke goes, if you have to ask, you can't afford it.

 Well, exploration can be free.  I noticed that Strongswan uses a plug-in
 architecture for crypto that seemingly allows the use of OpenSSL instead of
 the kernel for crypto operations, for use under FIPS.  Does anyone have an
 idea of the order of magnitude in performance loss this could be for IPSec,
 to use crypto from OpenSSL instead of the kernel ?

 Regards.




 --
 View this message in context:
 http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57541.html
 Sent from the OpenSSL - User mailing list archive at Nabble.com.
 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS mode restrictions and DES

[Kevin Fowler]

Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto libraries to be FIPS-validated, perhaps as separate crypto
modules.

Kevin

On Tue, Apr 14, 2015 at 8:51 AM, jonetsu jone...@teksavvy.com wrote:

 Salz, Rich wrote
  As the old joke goes, if you have to ask, you can't afford it.

 Well, exploration can be free.  I noticed that Strongswan uses a plug-in
 architecture for crypto that seemingly allows the use of OpenSSL instead of
 the kernel for crypto operations, for use under FIPS.  Does anyone have an
 idea of the order of magnitude in performance loss this could be for IPSec,
 to use crypto from OpenSSL instead of the kernel ?

 Regards.




 --
 View this message in context:
 http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57541.html
 Sent from the OpenSSL - User mailing list archive at Nabble.com.
 ___
 openssl-users mailing list
 To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: OpenSSL PKI Tutorial updated

[Kevin Fowler]

In the Simple PKI example, step 5.4 View PKCS#7 bundle, the -in option
points to ca directory, but the bundle was created in step 4.3 Create
PKCS#7 bundle in the certs directory. I.e.:

Step 4.3:

openssl crl2pkcs7 -nocrl \
-certfile ca/signing-ca.crt \
-certfile ca/root-ca.crt \
-out certs/signing-ca-chain.p7c \ certs directory
-outform der

Step 5.4:

openssl pkcs7 \
-in ca/signing-ca-chain.p7c \    ca directory
-inform der \
-noout \
-text \
-print_certs

So far though, this has been a helpful tutorial for a noob to PKI. Thanks!
Kevin



On Sun, Apr 21, 2013 at 5:56 AM, Stefan H. Holek ste...@epy.co.at wrote:

 Hi All!

 I have updated the OpenSSL PKI tutorial at readthedocs. The tutorial takes
 a novel approach without ever referring to openssl.cnf or CA.pl (yuck). You
 can find it here:

 https://pki-tutorial.readthedocs.org/

 Thanks to everyone who has provided feedback for the first version. I
 heard your call for more verbosity! The first two examples now have much
 more detailed instructions, and I hope that by the third example you won't
 need instructions anymore. ;-)

 Cheers,
 Stefan

 --
 Stefan H. Holek
 ste...@epy.co.at

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

Any OpenSSL update when FIPS object module v2.0 is released?

[Kevin Fowler]

When the validation is obtained for FIPS Object Module v2.0, and that
version is officially released, will there also be an update to OpenSSL? Or
are those two now independent as long as v1.0.1 is used with the FIPS
module?

Thanks,
Kevin

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Tue, Feb 21, 2012 at 1:11 PM, Andy Polyakov ap...@openssl.org wrote:
 Though in FIPS 2.0 there is new option that might work in this case.
 Besides switching to another compiler that is. Introduced to rectify
 situation with rodata segments not being position-independent on Win64,
 defining __fips_constseg might prove useful even in this situation. See
 if defining it in fips/fipssyms.h to __attribute__((section(.rodata)))
 makes it work. Keep in mind that me suggesting this doesn't make it
 validated. If it works, it still has to be separately validated by
 authorities.

 Ok, so I did this and added it to appropriate locations in
 fips_canister.c
 Right, you need the __attribute__ in question even for
 FIPS_rodata_[start|end]. I failed to mention this. Good catch.


 Well, this idea at first looked like it would do the trick, however,
 when the __attribute__((section(.rodata))) call makes a .rodata
 section, it isn't *the* .rodata section, it is just *a* .rodata
 section and in fact is made writeable,

 Well, then it's tough break, switch to another compiler.

 Of course one can name section something else, e.g. .rofips, and write
 a script that would set the read-only flag in fipscanister.o after it's
 linked. Or! It would be possible to modify incore to set the flag. I
 mean fipscanister.o can have .rofips that is not read-only, but it can
 become read-only in applications and shared lib in the process of
 embedding the signature. Well, whatever you do requires code change, so
 you have to validate it separately (change letter through
 opensslfoundation.com might be alternative)...


Another option (but shoot it down if its bogus :-): I noticed that if I compile
fipscanister.o without -fPIC, then the const variables do get placed in
the (really readonly) .rodata section as desired. I thought maybe if I did
that and went the static route - build libcrypto with no-shared and link
libcrypto.a statically into my app - then maybe I would have a validate-able
solution. I checked that the FIPS-bounded .text and .rodata regions are
the same for the app and the fipscanister.o, and the app integrity
test passes and fips mode gets enabled on the target.

Per your comment below, FIPS_text_start (and end) also looks
correct in the disassembled code:

0181ae34 FIPS_text_start:
 181ae34:   3c 60 01 82 lis r3,386  (0x182)
 181ae38:   38 63 ae 40 addir3,r3,-20928( - 0x51c0)
 181ae3c:   4e 80 00 20 blr( = 0x181ae40)

0181ae40 FIPS_text_startX:
 181ae40:   7c 08 02 a6 mflrr0
 181ae44:   48 00 00 05 bl  181ae48 FIPS_text_startX+0x8
 181ae48:   7c 68 02 a6 mflrr3
 181ae4c:   7c 08 03 a6 mtlrr0
 181ae50:   4e 80 00 20 blr

I am expecting to have to do a change letter validation - just trying
to minimize the necessary changes so that it will qualify for that option
rather than a full-blown validation - which probably would not be viable for us.

I assume that if a target can't support shared libraries properly then it is
still ok to have the static alternative validated..?

 The assembler code looks correct for FIPS_text_startX returning its
 memory location.

 The question was if FIPS_text_start returns FIPS_text_startX's address
 [of its first instruction], *not* what does FIPS_text_startX return!
 __
 OpenSSL Project                                 http://www.openssl.org
 Development Mailing List                       openssl-...@openssl.org
 Automated List Manager                           majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Tue, Feb 21, 2012 at 3:51 PM, Andy Polyakov ap...@openssl.org wrote:
 Another option (but shoot it down if its bogus :-): I noticed that if I 
 compile
 fipscanister.o without -fPIC, then the const variables do get placed in
 the (really readonly) .rodata section as desired. I thought maybe if I did
 that and went the static route - build libcrypto with no-shared and link
 libcrypto.a statically into my app - then maybe I would have a validate-able
 solution.

 The prime reason for why FIPS 2.0 module is compiled with -fPIC is to
 make it versatile. Idea is to validate *single* fipscanister.o usable in
 either context, statically-linked application or dynamic library.
 Reasoning is that while it's plain inappropriate to use non-PIC code in
 dynamic library, linking PIC statically was proven to work on all tested
 platforms, therefore -fPIC.

 This naturally means that if you are positively not interested in
 unified/versatile fipscanister.o nothing prevents you from giving up on
 -fPIC and targeting statically-linked application only. I.e. introducing
 config-line without -fPIC through change letter is as validate-able as
 anything else.

That is certainly sensible. But for my present needs, the static would
be just fine - I really need something as a bridge to a newer OS/gcc
version I'll be doing at a later point, and on which the -fPIC option
will likely be supported better...

I'll keep your last suggestion above in my back pocket though. Thanks
for your insight and keeping me on a correct track.


 Per your comment below, FIPS_text_start (and end) also looks
 correct in the disassembled code:

 0181ae34 FIPS_text_start:
 ...

 Yes, it looks proper.
 __
 OpenSSL Project                                 http://www.openssl.org
 Development Mailing List                       openssl-...@openssl.org
 Automated List Manager                           majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Mon, Feb 20, 2012 at 5:18 AM, Andy Polyakov ap...@openssl.org wrote:

  Though in FIPS 2.0 there is new option that might work in this case.
  Besides switching to another compiler that is. Introduced to rectify
  situation with rodata segments not being position-independent on Win64,
  defining __fips_constseg might prove useful even in this situation. See
  if defining it in fips/fipssyms.h to __attribute__((section(.rodata)))
  makes it work. Keep in mind that me suggesting this doesn't make it
  validated. If it works, it still has to be separately validated by
  authorities.
 
  Ok, so I did this and added it to appropriate locations in
  fips_canister.c

 Right, you need the __attribute__ in question even for
 FIPS_rodata_[start|end]. I failed to mention this. Good catch.


Well, this idea at first looked like it would do the trick, however,
when the __attribute__((section(.rodata))) call makes a .rodata
section, it isn't *the* .rodata section, it is just *a* .rodata
section and in fact is made writeable, e.g.,

       .file   fips_aes_selftest.c
gcc2_compiled.:
    .section    .rodata,aw
    .type    tests,@object
tests:
    .byte 0
...

The objdump -h also shows for this section:
 11 .rodata   c724  018725d0  018725d0  000725d0  2**3
  CONTENTS, ALLOC, LOAD, DATA

so not READONLY.

The assembler, which apparently recognizes .rodata for what it is,
generates a warning about setting incorrect attributes for .rodata
section.


  all with some #if's to try to limit the changes to
  my platform, and it seems to work. I say seems because it looks -
  to me - pretty much like it did before when I thought it was
  working, except that the .o file doesn't have a symbol per
  function. etc.
 
  So I don't know how to check if the sequestered code is located
  between the FIPS_text endpoints. I guess I can dump the
  fipscontainer.o symbols, and then dump the symbols in an executable
  that statically links it, and check that there has been no
  rearranging. I'm not sure how to check an executable that
  dynamically links libcrypto.so, since I do not have e.g., objdump
  or the like on the embedded target.

 But there ought to be cross-compile objdump you can run on the system
 you're cross-compiling on.

  How would you go about verifying this?
 
 
  So I did what I mentioned above, more or less following the idea in
  IncoreTutorial document,

 I don't know what IncoreTutorial document is. What is it?

This is in the docs section for the previous validation.
http://opensslfoundation.com/testing/validation-1.2/docs/


  and could show that the symbols between
  FIPS_start/end are exactly the same in fipscontainer.o, libcrypto.so,
  and an app that statically links libcrypto.a. Same for
  FIPS_rodata_start/end. And it runs on the target. For the app the app
  symbols (and non-fipscanister crypto) are outside the sequestered
  area.
 
  I'm not sure what else to do to verify that it is correct now. Please
  suggest any additional tests I can do.

 The ultimate test is to run it under debugger and verify that value
 returned by FIPS_text_start is indeed pointer to first instruction of
 FIPS_text_startX. Set break point to FIPS_text_start, single-step till
 it returns, note the value in r3 register, 'disassemble
 FIPS_text_startX' and compare addresses. It's also possible to verify by
 examining disassembled code (objdump -d) and if necessary relocation
 tables (more than likely necessary in shared library case), but it's
 more complicated (specially in shared library case).

The assembler code looks correct for FIPS_text_startX returning its
memory location.

 __
 OpenSSL Project                                 http://www.openssl.org
 Development Mailing List                       openssl-...@openssl.org
 Automated List Manager                           majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Sat, Feb 18, 2012 at 6:13 PM, Andy Polyakov ap...@openssl.org wrote:

  The key thing I realized is that the incore script that comes with the
 FIPS
  Object Module v2.0  tarball
  handles both native AND cross-compile scenarios.

 Even though FIPS 2.0 util/incore is capable of handling arbitrary ELF
 binary (native or not), it's not used in non-cross-compile/native cases,
 as there *are* configurations when it won't work. In other words above
 statement does no hold universally true and FIPS 2.0 util/incore script
 is supported and should be used only in cross-compile environments
 targeting ELF, moreover, not *any* environment, but in explicitly
 verified (see below).


Thanks for clarifying that. I was being ELF-centric.


  After I had gotten the extra -f options from Harvey for this platform
  (BSD-powerpc),

 Using -f[data|function]-sections options is inappropriate as they
 undermine the idea of capturing fipscanister code and rodata between
 start/end symbols. It was bad advice/idea, do *not* use those options.


Ok...so the original issue was that no .rodata section was being created,
so no incore script (of any kind) worked. I had the impression that there
needed
to be a read-only data section to protect certain data. So what would you
suggest I try - what has been done with other compilers that do this?
I can't (don't want to?) believe this just dead-ends with no solution.



  I learned a lot of interesting things along the way, so aside from time
  spent and the bruised forehead,
  everything is good.

 I'm not convinced that it is:-) Just because it appears working it
 doesn't necessarily mean it's doing the right thing. Every
 cross-compiler has to be explicitly verified, which is why there is no
 generic one-size-fits-all support for cross-compiling.


Ok, I get that - but the criteria needed to achieve explicit verification
for a given cross-compilation scenario is not clear to me.


  I have now had to add one line to config, Configure,
  and fips_canister.c in the
  FIPS module to get it to work on my target. Oh well.

 Keep in mind that it will be counted as validated only as long as you
 don't change it.


Yes, I am aware of that - I realize the changes mandated additional testing.


 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-...@openssl.org
 Automated List Manager   majord...@openssl.org

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:

  After I had gotten the extra -f options from Harvey for this platform
  (BSD-powerpc),
  Using -f[data|function]-sections options is inappropriate as they
  undermine the idea of capturing fipscanister code and rodata between
  start/end symbols. It was bad advice/idea, do *not* use those options.
 
  Ok...so the original issue was that no .rodata section was being created,
  so no incore script (of any kind) worked. I had the impression that
 there needed
  to be a read-only data section to protect certain data.

 This is correct impression, but it doesn't make -fdata-sections
 appropriate.

  So what would you
  suggest I try - what has been done with other compilers that do this?

 Well, it says what has been done [in the single case encountered by
 then] in User Guide 1.2: users are advised to *use another compiler*, in
 other words nothing.

  I can't (don't want to?) believe this just dead-ends with no solution.

 But you can/do accept that compiler has to be ANSI C-compliant in order
 to compile OpenSSL. Indeed, I don't hear you complaining about OpenSSL
 being impossible to compile with KR C. In other words it's perfectly
 reasonable to impose some requirements on compiler, isn't it? And so
 just like compiler is required to be ANSI C to compile OpenSSL at all,
 it's required to discriminate read-only data (by placing it to dedicated
 segment) to compile FIPS module in particular. If your compiler doesn't
 meet the minimal requirement, tough break, but that's the way it is.

 Though in FIPS 2.0 there is new option that might work in this case.
 Besides switching to another compiler that is. Introduced to rectify
 situation with rodata segments not being position-independent on Win64,
 defining __fips_constseg might prove useful even in this situation. See
 if defining it in fips/fipssyms.h to __attribute__((section(.rodata)))
 makes it work. Keep in mind that me suggesting this doesn't make it
 validated. If it works, it still has to be separately validated by
 authorities.


Ok, so I did this and added it to appropriate locations in fips_canister.c
all with some #if's
to try to limit the changes to my platform, and it seems to work. I say
seems because
it looks - to me - pretty much like it did before when I thought it was
working, except
that the .o file doesn't have a symbol per function. etc.

So I don't know how to check if the sequestered code is located between the
FIPS_text
endpoints. I guess I can dump the fipscontainer.o symbols, and then dump
the symbols
in an executable that statically links it, and check that there has been no
rearranging.
I'm not sure how to check an executable that dynamically links
libcrypto.so, since I
do not have e.g., objdump or the like on the embedded target.

How would you go about verifying this?


  I learned a lot of interesting things along the way, so aside from time
  spent and the bruised forehead,
  everything is good.
  I'm not convinced that it is:-) Just because it appears working it
  doesn't necessarily mean it's doing the right thing. Every
  cross-compiler has to be explicitly verified, which is why there is no
  generic one-size-fits-all support for cross-compiling.
 
 
  Ok, I get that - but the criteria needed to achieve explicit verification
  for a given cross-compilation scenario is not clear to me.

 Criteria is very simple (and is not specific to cross-compile case(*)):
 machine instructions comprising FIPS module has to reside between
 addresses returned by FIPS_text_start and FIPS_text_end. Similar applies
 to constant data, but it's the code segment that can tricky. Question
 here is how do you know that current implementation of
 FIPS_text_[start|end] actually does that on arbitrary platform? And the
 answer is you don't. You don't know if FIPS_text_start returns address
 on a machine instruction to start with, nor that linker doesn't
 rearrange code(**) in such manner that machine instructions end up
 outside the addresses in question. It was fortunate that current
 implementation worked on cross-compiler platforms we've looked at so
 far(***), but we can/may *not* assume that it holds universally true and
 provide one-size-fits-all support for cross-compiling. Admittedly it's
 very likely that current implementation would work even on platform in
 question, but it can't be established without verifying.

 (*) What is specific to cross-compile case is that addresses returned by
 FIPS_text_[start|end] has be those of instructions constituting
 FIPS_text_[start|end]X.

 (**) Which is the very reason why -f*-segments options are
 inappropriate, they [are documented to] facilitate rearranging of
 code/data at linker stage.

 (***) It worked because ld -r merged .text segments without changing
 their order and that FIPS_text_[start|end] did return addresses of
 machine instructions.
 __
 OpenSSL 

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Sun, Feb 19, 2012 at 3:50 PM, Kevin Fowler kevpfow...@gmail.com wrote:



 On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:

  After I had gotten the extra -f options from Harvey for this
 platform
  (BSD-powerpc),
  Using -f[data|function]-sections options is inappropriate as they
  undermine the idea of capturing fipscanister code and rodata between
  start/end symbols. It was bad advice/idea, do *not* use those options.
 
  Ok...so the original issue was that no .rodata section was being
 created,
  so no incore script (of any kind) worked. I had the impression that
 there needed
  to be a read-only data section to protect certain data.

 This is correct impression, but it doesn't make -fdata-sections
 appropriate.

  So what would you
  suggest I try - what has been done with other compilers that do this?

 Well, it says what has been done [in the single case encountered by
 then] in User Guide 1.2: users are advised to *use another compiler*, in
 other words nothing.

  I can't (don't want to?) believe this just dead-ends with no solution.

 But you can/do accept that compiler has to be ANSI C-compliant in order
 to compile OpenSSL. Indeed, I don't hear you complaining about OpenSSL
 being impossible to compile with KR C. In other words it's perfectly
 reasonable to impose some requirements on compiler, isn't it? And so
 just like compiler is required to be ANSI C to compile OpenSSL at all,
 it's required to discriminate read-only data (by placing it to dedicated
 segment) to compile FIPS module in particular. If your compiler doesn't
 meet the minimal requirement, tough break, but that's the way it is.

 Though in FIPS 2.0 there is new option that might work in this case.
 Besides switching to another compiler that is. Introduced to rectify
 situation with rodata segments not being position-independent on Win64,
 defining __fips_constseg might prove useful even in this situation. See
 if defining it in fips/fipssyms.h to __attribute__((section(.rodata)))
 makes it work. Keep in mind that me suggesting this doesn't make it
 validated. If it works, it still has to be separately validated by
 authorities.


 Ok, so I did this and added it to appropriate locations in fips_canister.c
 all with some #if's
 to try to limit the changes to my platform, and it seems to work. I say
 seems because
 it looks - to me - pretty much like it did before when I thought it was
 working, except
 that the .o file doesn't have a symbol per function. etc.

 So I don't know how to check if the sequestered code is located between
 the FIPS_text
 endpoints. I guess I can dump the fipscontainer.o symbols, and then dump
 the symbols
 in an executable that statically links it, and check that there has been
 no rearranging.
 I'm not sure how to check an executable that dynamically links
 libcrypto.so, since I
 do not have e.g., objdump or the like on the embedded target.

 How would you go about verifying this?


So I did what I mentioned above, more or less following the idea in
IncoreTutorial document,
and could show that the symbols between FIPS_start/end are exactly the same
in fipscontainer.o, libcrypto.so, and an app that statically links
libcrypto.a. Same for FIPS_rodata_start/end. And
it runs on the target. For the app the app symbols (and non-fipscanister
crypto) are outside the
sequestered area.

I'm not sure what else to do to verify that it is correct now. Please
suggest any additional
tests I can do.

Thanks again for your guidance.
Kevin



  I learned a lot of interesting things along the way, so aside from
 time
  spent and the bruised forehead,
  everything is good.
  I'm not convinced that it is:-) Just because it appears working it
  doesn't necessarily mean it's doing the right thing. Every
  cross-compiler has to be explicitly verified, which is why there is no
  generic one-size-fits-all support for cross-compiling.
 
 
  Ok, I get that - but the criteria needed to achieve explicit
 verification
  for a given cross-compilation scenario is not clear to me.

 Criteria is very simple (and is not specific to cross-compile case(*)):
 machine instructions comprising FIPS module has to reside between
 addresses returned by FIPS_text_start and FIPS_text_end. Similar applies
 to constant data, but it's the code segment that can tricky. Question
 here is how do you know that current implementation of
 FIPS_text_[start|end] actually does that on arbitrary platform? And the
 answer is you don't. You don't know if FIPS_text_start returns address
 on a machine instruction to start with, nor that linker doesn't
 rearrange code(**) in such manner that machine instructions end up
 outside the addresses in question. It was fortunate that current
 implementation worked on cross-compiler platforms we've looked at so
 far(***), but we can/may *not* assume that it holds universally true and
 provide one-size-fits-all support for cross-compiling. Admittedly it's
 very likely that current implementation

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

On Fri, Feb 17, 2012 at 10:25 PM, Dr. Stephen Henson st...@openssl.orgwrote:

 On Fri, Feb 17, 2012, Kevin Fowler wrote:

  Thanks Harvey,
  This seems to have worked as far as getting the .rodata section used.
 This
  is what I see now:
 
  001b5740 g O .rodata0010 FIPS_rodata_start
  001b5750 l O .rodata0011 FIPS_hmac_key
  001b57bc g O .rodata0036 FIPS_bn_version
  001c1e08 g O .rodata0010 FIPS_rodata_end
  001fb1cc g O .data  0014 FIPS_signature
 
  My problem now is that when I build an executable (I'm using the simple
  hmac.c example in the user guide, with the Makefile modified to use a
  shared library) that uses the shared libcrypto.so, and run it on my
 target,
  it just spits out a hash value, no matter what options I give it. For
  example:
 
  # ./hmac
  334286d0c4ca79f97921fa782c7269e972e0a420
 
  Before I used the suggested -f options, this app at least worked for
  non-fips and gave me an error when enabling fips mode. Now I don't
  understand what it is doing, but I think it is trying to tell me
 something!!
 
  I've tried messing around with different INCORE_ADJUST values, but that
  does not seem to make any difference. I don't really understand how
 incore2
  is supposed to work: it calculates a lot of stuff and dumps out values
 but
  never appears to modify the executable or library.
 
  I've also tried static linking of libcrypto.a into the executable - same
  result.
 

 You need to use the fipsld script to link the target. It obtains the
 signature and embeds it. You need to set FIPS_SIG environment variable to
 point to the incore script.

 Steve.


Yes, I was doing that, but I was getting the procedure for the older
FIPS/OpenSSL version mixed up
with the one for the new FIPS/OpenSSL version.

The key thing I realized is that the incore script that comes with the FIPS
Object Module v2.0  tarball
handles both native AND cross-compile scenarios. I had thought for
cross-compiling we needed to
replace it with the incore2 script on the website (like I think incore.gz
was needed with the previous
FIPS release..?).

After I had gotten the extra -f options from Harvey for this platform
(BSD-powerpc), I kept trying to
get it to work with the incore2 script, but didn't really know what to do
with it. I ended up embedding
the signature by-hand by running a test app on my target, getting the
hash it spat out, and
then rebuilding the libcrypto.so with -DHASH_SHA1_SIG set to that hash.

Then, while solving the what should INCODE_ADJUST be for my platform
issue, the answer I figured
out helped me to see that the FIPS_text_startX/endX symbols used by the
latest incore script for v2.0
solves the whole problem for cross-compiled binaries and embeds the correct
signature in the correct
location without all the by-hand stuff.

I rebuilt the whole thing pointing FIPS_SIG to the correct incore script,
with the necessary compiler
options from Harvey for this platform/compiler, and then everything worked
fine automatically.

I learned a lot of interesting things along the way, so aside from time
spent and the bruised forehead,
everything is good. I have now had to add one line to config, Configure,
and fips_canister.c in the
FIPS module to get it to work on my target. Oh well.

Kevin

--
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-...@openssl.org
 Automated List Manager   majord...@openssl.org

Re: FIPS fingerprint in .data not .rodata

[Kevin Fowler]

Thanks Harvey,
This seems to have worked as far as getting the .rodata section used. This
is what I see now:

001b5740 g O .rodata0010 FIPS_rodata_start
001b5750 l O .rodata0011 FIPS_hmac_key
001b57bc g O .rodata0036 FIPS_bn_version
001c1e08 g O .rodata0010 FIPS_rodata_end
001fb1cc g O .data  0014 FIPS_signature

My problem now is that when I build an executable (I'm using the simple
hmac.c example in the user guide, with the Makefile modified to use a
shared library) that uses the shared libcrypto.so, and run it on my target,
it just spits out a hash value, no matter what options I give it. For
example:

# ./hmac
334286d0c4ca79f97921fa782c7269e972e0a420

Before I used the suggested -f options, this app at least worked for
non-fips and gave me an error when enabling fips mode. Now I don't
understand what it is doing, but I think it is trying to tell me something!!

I've tried messing around with different INCORE_ADJUST values, but that
does not seem to make any difference. I don't really understand how incore2
is supposed to work: it calculates a lot of stuff and dumps out values but
never appears to modify the executable or library.

I've also tried static linking of libcrypto.a into the executable - same
result.

Help appreciated!
Kevin

On Thu, Feb 16, 2012 at 4:47 PM, Harvey Shepherd 
harvey.sheph...@aviatnet.com wrote:

 Hi Kevin,

 I encountered this problem when compiling the 1.2.3 FIPS object module
 some time ago, with exactly the same compiler. After some experimentation I
 managed to get it to embed the fingerprint correctly using the following
 compiler options:

 -fno-common -fdata-sections -ffunction-sections

 I also needed to change the INCORE_ADJUST setting to an 8 byte offset for
 my processor as follows:

 diff --git a/current/appfs/openssl-fips/incore
 b/current/appfs/openssl-fips/incore
 index 07df989..61f68b9
 100755 (executable)
 --- a/current/appfs/openssl-fips/incore
 +++ b/current/appfs/openssl-fips/incore
 @@ -6,6 +6,7 @@

  DEBUG=

 +CROSS_COMPILE=ppc_8xx-
  OBJCOPY=${CROSS_COMPILE}objcopy
  OBJDUMP=${CROSS_COMPILE}objdump

 @@ -58,6 +59,7 @@ if [ -z $INCORE_ADJUST ]; then
  elf64-x86-64) INCORE_ADJUST=4;;
  #elf32-littlearm|elf32-little|elf32-bigarm) INCORE_ADJUST=-36;;
  elf32-littlearm|elf32-little|elf32-bigarm) INCORE_ADJUST=-8;;
 +elf32-powerpc) INCORE_ADJUST=8;;
esac

  fi

 I'm not really an expert in this area, but it worked for me, so give it a
 try.

 Regards,
 Harvey



 I am building a cross-compiled FIPS-capable libcrypto.so with the 1.0.1beta
 OpenSSL and 2.0 FIPS Object Module.

 The build is being done on a linux (CentOS) host for a PowerPC target
 running
 netbsd 1.6.2 (yes, I know, its old).

 gcc being used:
 $ ${CROSS_COMPILE}gcc -v
 gcc version 2.95.3 20010315 (release) (NetBSD nb3)
 (yes, I know, also old)

 I can successfully build fipscontainer.o, and then build fips_algvs, which
 runs successfuly on the target system. This made me think that the
 fingerprint was working correctly...

 Later (when building libcrypto.so) I realized I was using the native
 incore
 script instead of the cross-compile incore script. I switched to the
 cross-compile incore script, but that failed to embed a fingerprint in
 the (FIPS-capable) libcrypto.so.


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

fips-capable libcrypto.so build in netbsd

[Kevin Fowler]

Using FIPS module and FIPS capable OpenSSL (2.0/1.0.1) on a NetBSD platform.

I build FIPS module by hand to follow the build instructions, and copy it
into a tips sub-directory in openssl directory. I would like to build the
libcrypto.so library as part of the NetBSD cross-compile build (i.e.,
launched from src/lib/libcrypto/Makefile), so it can be built as needed for
different processors.

NetBSD uses its own makefile approach using perl scripts to launch builds,
and using generic src/share/mk/bsd.*.mk makefiles. I was thinking I could
modify only the lib/libcrypto/Makefile file and leave the generic makefiles
alone, but am struggling with the final linking step rules using fipsld.

Has anyone else done this in NetBSD builds?

Alternatively, I could also build the library by hand and coax the main
build into just installing libcrypto.so instead of building it.

Suggestions welcome! I've searched but cannot find any sign of anyone
coping with similar issues.
Kevin

FIPS/OpenSSL include directories

[Kevin Fowler]

When I build the FIPS module and install, it populates a
fips-2.0/include/openssl directory with a set of header files.

When I build the FIPS-capable OpenSSL library libcrypto, it has the
fips-2.0 include director in its CFLAGS, but at the end. Since the FIPS
include directory has a subset of the files in the usual include/openssl
directory, and since the FIPS include directory comes last in CFLAGS, it
seems that the FIPS include files are never used. So, I don't see why it is
even listed in CFLAGS.

E.g,
powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
 -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
-D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
-fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
i_cbc.o i_cbc.c

But my real question is, when writing an application that uses the
FIPS-capable libcrypto, should that application pick up the header files in
the usual include/openssl directory, or the header files in the
fips-2.0/include/openssl directory? While some files are identical, a few
have differences. Is this a benign issue when using the FIPS-capable
libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
do I ever need the fips-2.0/include/openssl versions?

Thanks,
Kevin

Re: FIPS/OpenSSL include directories

[Kevin Fowler]

I'm asking here about the header files with the same name in both
directories. I see that there are three fips-specific header files in the
fips-2.0 include directory - which I would guess is what is getting picked
up by the last -I in CFLAGS...


On Sun, Jan 29, 2012 at 2:19 PM, Kevin Fowler kevpfow...@gmail.com wrote:

 When I build the FIPS module and install, it populates a
 fips-2.0/include/openssl directory with a set of header files.

 When I build the FIPS-capable OpenSSL library libcrypto, it has the
 fips-2.0 include director in its CFLAGS, but at the end. Since the FIPS
 include directory has a subset of the files in the usual include/openssl
 directory, and since the FIPS include directory comes last in CFLAGS, it
 seems that the FIPS include files are never used. So, I don't see why it is
 even listed in CFLAGS.

 E.g,
 powerpc--netbsd-gcc -I.. -I../.. -I../modes -I../asn1 -I../evp*
  -I../../include * -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -pthread
 -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -O3
 -fomit-frame-pointer -Wall *-I/usr/local/ssl/fips-2.0/include*   -c -o
 i_cbc.o i_cbc.c

 But my real question is, when writing an application that uses the
 FIPS-capable libcrypto, should that application pick up the header files in
 the usual include/openssl directory, or the header files in the
 fips-2.0/include/openssl directory? While some files are identical, a few
 have differences. Is this a benign issue when using the FIPS-capable
 libcrypto, even when FIPS mode is enabled? I.e., once I have the library,
 do I ever need the fips-2.0/include/openssl versions?

 Thanks,
 Kevin

FIPS cross-compile: issue with location of system include files

[Kevin Fowler]

I think I know the answer to this but I'm hoping I am wrong.

I am building the FIPS Object Module v2.0 (a recent snapshot) on an
x86-linux2 host for an embedded PowerPC target running NetBSD. There is a
well-established and intricate build process already in place for the
product, and I am trying to build the FIPS module outside of that process
but using the same cross-compiler.

That existing build process puts the system include files in a special
directory, which is passed to gcc with a -I.

When I build the FIPS module, there are several environment variables that
can be set in order to get the cross-compile to work, except for the
location of those system include files(?).

My question is whether I am missing something - i.e., an environment
variable - that I can set to indicate the location of that directory,
without impacting the (future) validated status of the module. Or is there
a simpler solution I am overlooking?

If not, I expect I will need to modify the Makefile, and thus invalidate
the module...

Kevin

Re: FIPS cross-compile: issue with location of system include files

[Kevin Fowler]

I copied all the system header files from their special home into the
location the powerpc--netbsd-gcc was looking for them, and then I could do
the ./config no-asm; make successfully.

I am thinking that is a legal approach for building the FIPS Object Module.

If so, I answered my own question...
Kevin


On Wed, Nov 30, 2011 at 12:01 PM, Kevin Fowler kevpfow...@gmail.com wrote:

 I think I know the answer to this but I'm hoping I am wrong.

 I am building the FIPS Object Module v2.0 (a recent snapshot) on an
 x86-linux2 host for an embedded PowerPC target running NetBSD. There is a
 well-established and intricate build process already in place for the
 product, and I am trying to build the FIPS module outside of that process
 but using the same cross-compiler.

 That existing build process puts the system include files in a special
 directory, which is passed to gcc with a -I.

 When I build the FIPS module, there are several environment variables that
 can be set in order to get the cross-compile to work, except for the
 location of those system include files(?).

 My question is whether I am missing something - i.e., an environment
 variable - that I can set to indicate the location of that directory,
 without impacting the (future) validated status of the module. Or is there
 a simpler solution I am overlooking?

 If not, I expect I will need to modify the Makefile, and thus invalidate
 the module...

 Kevin

B_ENDIAN for powerpc on fips/openssl

[Kevin Fowler]

I noticed that for the FIPS Object module for ./config no-asm the endian
flag is removed from CFLAGS.

But in openssl, this is not the case. So, e.g. for linux-ppc, openssl build
has -DB_ENDIAN flag, but fips build has no such flag.

I'm guessing that the powerpc gcc may default to big-endian, so this may
not be an issue. But, since it appeared inconsistent I thought I'd mention
it.

Thanks,
Kevin

Re: understanding fipsld usage

[Kevin Fowler]

Thanks Steve, I have a follow-up below - just checking I have it straight.

On Mon, Nov 21, 2011 at 10:11 AM, Dr. Stephen Henson st...@openssl.org wrote:
 On Fri, Nov 18, 2011, Kevin Fowler wrote:

 Let me first say I have read the User Guide and Security Policy
 repeatedly, as well as the Incore Tutorial, looked through this users
 group, and read anything else I could find - so I'm not being lazy,
 although my questions may be pedestrian... Please correct any
 misunderstandings along the way.

 I understand that when fipscanister.o is built, its SHA1 digest is
 calculated and saved. Then when an application links to
 fipscanister.o, fipsld is used, which checks that the SHA1 is correct,
 and then calculates the digest for the application and rebuilds it
 with that digest embedded. Then, when the application is run and calls
 FIPS_mode_set(), the digest is calculated and checked against the
 embedded value.

 I think that openssl itself is an example of an application built with
 the fipscanister.o, is that correct?


 It depends on what you mean by openssl and the build options. If you are
 performing a shared library build then fipscanister.o is embedded in the
 libcrypto shared library. For a static build every application including the
 openssl utility statically includes fipscanister.o


Ok, so:
 - if I do a shared build of OpenSSL (./config fips shared), then the
libcrypto.so that is produced contains the FIPS Object Module, and
fipsld will have embedded the digest in that library.
 - if I do a static build of OpenSSL (.config tips), then the
libcrypto.a that is produced does not contain the FIPS Object Module.
Later linking to an application will require fipscanister.o, -L
lcrypto, and the use of fipsld to embed the digest in the application.
An example of this is the hello application in the Incore Tutorial
document.

 When OpenSSL is built, it produces, among other things, the
 libcrypto.a static library, which contains what was sequestered in
 fipscanister.o.Is that correct?

 Now I have a big application to build, and it will have the
 FIPS-capable OpenSSL in it. When I do the build, I think the
 instructions say that the SHA1 digest has to be re-calculated on this
 application, and that value embedded where the previous standalone
 value was. Is that correct?

 Is my application pulling in the FIPS stuff by linking in the libcrypto.a?

 If my application is just too large and complex, do I pretty much need
 to go with the shared library, and avoid the part where the digest is
 recalculated/re-embedded in the application itself?


 If you're library links against the OpenSSL shared library you don't need to
 bother with any of this as the fingerprint is embedded in that shared library
 by the build process.

 If you want to statically link against OpenSSL you do need to address this.
 If you're using a Unix like system then making some minor adjustments to the
 final linking to use fipsld and set a few environement variables is
 sufficient. If you want to integrate this with some IDE or you are using
 Windows with an IDE then this is a bit trickier and you might need to develop
 your own procedure following the security policy requirements.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

understanding fipsld usage

[Kevin Fowler]

Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore Tutorial, looked through this users
group, and read anything else I could find - so I'm not being lazy,
although my questions may be pedestrian... Please correct any
misunderstandings along the way.

I understand that when fipscanister.o is built, its SHA1 digest is
calculated and saved. Then when an application links to
fipscanister.o, fipsld is used, which checks that the SHA1 is correct,
and then calculates the digest for the application and rebuilds it
with that digest embedded. Then, when the application is run and calls
FIPS_mode_set(), the digest is calculated and checked against the
embedded value.

I think that openssl itself is an example of an application built with
the fipscanister.o, is that correct?

When OpenSSL is built, it produces, among other things, the
libcrypto.a static library, which contains what was sequestered in
fipscanister.o.Is that correct?

Now I have a big application to build, and it will have the
FIPS-capable OpenSSL in it. When I do the build, I think the
instructions say that the SHA1 digest has to be re-calculated on this
application, and that value embedded where the previous standalone
value was. Is that correct?

Is my application pulling in the FIPS stuff by linking in the libcrypto.a?

If my application is just too large and complex, do I pretty much need
to go with the shared library, and avoid the part where the digest is
recalculated/re-embedded in the application itself?

Thanks
Kevin
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

make test fails for FIPS-capable OpenSSL build

[Kevin Fowler]

Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.

I then build openssl 1.0.1 (2010):

./config fips shared
make

which all seems to go ok

Then I do:
make test

and eventually get this error:

...
Testing key generation with NIST Binary-Curve B-571  ok
cat
base64
aes-128-cbc
3086473868:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
bad decrypt
3086592652:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:evp_enc.c:535:
./p ./p.aes-128-cbc.clear differ: byte 1, line 1
make[1]: *** [test_enc] Error 1

It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but
I'm not familiar enough yet with the code to understand what I may be doing
wrong. I have OPENSSL_FIPS set to 1 in my environment. I am
building/running on CentOS 5.6.

Thanks,
Kevin

Re: make test fails for FIPS-capable OpenSSL build

[Kevin Fowler]

Thank you - that was my problem

On Tue, Nov 15, 2011 at 9:43 AM, Dr. Stephen Henson st...@openssl.org wrote:
 On Mon, Nov 14, 2011, Kevin Fowler wrote:

 Hi,
 I successfully built the FIPS 2.0 module (2010), its tests passed, and
 it was installed correctly in /usr/local/ssl/fips-2.0.

 I then build openssl 1.0.1 (2010):

 ./config fips shared
 make

 which all seems to go ok

 Then I do:
 make test

 and eventually get this error:

 ...
 Testing key generation with NIST Binary-Curve B-571  ok
 cat
 base64
 aes-128-cbc
 3086473868:error:060A80A3:digital envelope
 routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
 bad decrypt
 3086592652:error:060A80A3:digital envelope
 routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
 3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
 decrypt:evp_enc.c:535:
 ./p ./p.aes-128-cbc.clear differ: byte 1, line 1
 make[1]: *** [test_enc] Error 1

 It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but
 I'm not familiar enough yet with the code to understand what I may be doing
 wrong. I have OPENSSL_FIPS set to 1 in my environment. I am
 building/running on CentOS 5.6.


 Don't set OPENSSL_FIPS=1 before calling make test as not all the tests work
 in FIPS mode.

 The tests will swicth to FIPS mode themselves if this is being tested. Though
 currently only a TLS test does this.

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
 __
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

make test fails for FIPS-capable OpenSSL build

[Kevin Fowler]

Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.

I then build openssl 1.0.1 (2010):

./config fips shared
make

which all seems to go ok

Then I do:
make test

and eventually get this error:

...
Testing key generation with NIST Binary-Curve B-571  ok
cat
base64
aes-128-cbc
3086473868:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
bad decrypt
3086592652:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
3086592652:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:evp_enc.c:535:
./p ./p.aes-128-cbc.clear differ: byte 1, line 1
make[1]: *** [test_enc] Error 1

It appears that EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag is not getting set, but
I'm not familiar enough yet with the code to understand what I may be doing
wrong. I have OPENSSL_FIPS set to 1 in my environment. I am
building/running on CentOS 5.6.

Thanks,
Kevin