Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-20 Thread Dr. Stephen Henson
On Fri, Feb 20, 2015, jonetsu wrote:

> On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:
> 
> > I'm not sure it will be called on every conceivable error in
> > the FIPS module, but what I do in similar situations is
> > something like this:
> 
> > static int post_cb(int op, int id, int subid, void *ex)
> > {
> >     if (op == FIPS_POST_FAIL)
> >         system("/bin/fipserror");
> >     return 1;
> > }
> 
> > And there somewhere:
> 
> > FIPS_post_set_callback(post_cb)
> 
> This is very interesting, thanks.  Following this hint, in the same vein the
> FIPS code also has:
> 
> FIPS_drbg_set_callbacks()
> 
> Although this one looks more like an entropy callback than
> anything that could be used to know about status.
> 
> The FIPS User Guide mentions both, although the information on
> FIPS_post_set_callback() is not much at all.  Is there another
> source than the User Guide 2.0, for detailed descriptions of
> these FIPS-related methods ?  For instance, the 'op' variable of
> FIPS_post_set_callback() is not described at all.  Any manual or 
> info pages ?  Could be other potentially interesting methods in there. 
> 

The main purpose of FIPS_post_set_callback() was to show how the
self tests were progressing to the labs and how it behaves correctly
when failure is induced in each self test.

This is demonstrated by fips_test_suite which has an example of a POST
callback.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-20 Thread jonetsu
On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:

> I'm not sure it will be called on every conceivable error in
> the FIPS module, but what I do in similar situations is
> something like this:

> static int post_cb(int op, int id, int subid, void *ex)
> {
>     if (op == FIPS_POST_FAIL)
>         system("/bin/fipserror");
>     return 1;
> }

> And there somewhere:

> FIPS_post_set_callback(post_cb)

This is very interesting, thanks.  Following this hint, in the same vein the
FIPS code also has:

FIPS_drbg_set_callbacks()

Although this one looks more like an entropy callback than
anything that could be used to know about status.

The FIPS User Guide mentions both, although the information on
FIPS_post_set_callback() is not much at all.  Is there another
source than the User Guide 2.0, for detailed descriptions of
these FIPS-related methods ?  For instance, the 'op' variable of
FIPS_post_set_callback() is not described at all.  Any manual or 
info pages ?  Could be other potentially interesting methods in there. 



Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread Henrik Grindal Bakken
"jone...@teksavvy.com" writes:

> Hello,
>
> Could you please comment on the following ?  Any suggestion, insight,
> hint, is greatly appreciated.
>
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs.  Like shutting down all
> data output interfaces.
>
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.

I'm not sure it will be called on every conceivable error in the FIPS
module, but what I do in similar situations is something like this:

static int post_cb(int op, int id, int subid, void *ex)
{
    if (op == FIPS_POST_FAIL)
        system("/bin/fipserror");
    return 1;
}

And there somewhere:

FIPS_post_set_callback(post_cb);

-- 
Henrik Grindal Bakken 
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963  02AF 9236 D25A 8D43 6E52
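
An added example, not part of the original post or of OpenSSL: a variant of the callback above that avoids system() by latching the failure and writing a status file directly, and that has the application also check the FIPS_mode_set() result, since the callback may not fire on every error. The status path, the helper names and the numeric FIPS_POST_* stand-ins are assumptions; a real build includes <openssl/fips.h> and registers the callback with FIPS_post_set_callback(post_cb) before calling FIPS_mode_set(1).

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Stand-ins so this builds without the FIPS module; a real build includes
 * <openssl/fips.h> instead. The numeric values are assumptions. */
#ifndef FIPS_POST_FAIL
#define FIPS_POST_FAIL    5
#define FIPS_POST_CORRUPT 6
#endif

static const char *fips_status_path = "/run/fips-status"; /* hypothetical */
static volatile int fips_post_failed;   /* latched, never cleared */
static int fips_failed_id = -1;         /* id of the first failing test */

/* Record the failure with open/write only: no shell, no fork/exec. */
static int write_status(const char *line)
{
    int fd = open(fips_status_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

static int post_cb(int op, int id, int subid, void *ex)
{
    (void)subid; (void)ex;
    if (op == FIPS_POST_FAIL && !fips_post_failed) {
        fips_post_failed = 1;
        fips_failed_id = id;
        (void)write_status("FAIL\n");
    }
    /* Always 1: a zero return on FIPS_POST_CORRUPT is how a test harness
     * induces a self-test failure, which production code must never do. */
    return 1;
}

/* Usable only if FIPS_mode_set() succeeded AND no self test failed. */
static int fips_usable(int mode_set_rc)
{
    return mode_set_rc != 0 && !fips_post_failed;
}

int main(void)
{
    post_cb(FIPS_POST_FAIL, 1, 0, NULL);  /* constructed failure event */
    return fips_usable(1) ? 1 : 0;        /* exits 0: FIPS correctly refused */
}
```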



Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread jonetsu


-Original Message- 
> From: "Marcus Meissner"  
> To: openssl-users@openssl.org 
> Date: 02/19/15 08:07 
> Subject: Re: [openssl-users] OpenSSL FIPS mode system integration 

> Well, the writing is that the "crypto module" must stop operating
> on error.
 
> We solved this by calling abort(); in the openssl library on FIPS
> related error conditions.

H... What I have written from a consultancy compliance report is that all 
crypto operations must stop, and all data output of the designed Data Output
interface(s) must also stop.  Hence my concern for the OS knowing about FIPS 
crypto test results.  Thanks for your comment.






Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread Steve Marquess
On 02/19/2015 05:19 AM, jone...@teksavvy.com wrote:
> ...This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.

Ummm, no. The FIPS module stops functioning (i.e. doesn't perform any
useful crypto operations) in the (highly unlikely) event of POST, KAT,
or continuous test errors.

Your application might as well curl up and die at that point (hint: look
at the error codes from the API calls, in particular FIPS_mode_set()),
but the module itself will fail without any intervention.

> ...
> I would like to modify the FIPS OpenSSL library ...

That's a non-starter right there: the instant you modify the FIPS
module, at all or for any reason, it instantly becomes "non validated".
Without the all-important "validated" status that code is worthless and
there is no reason to use it (unless you want to pay and wait for your
own custom validation of the modified code).

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread Marcus Meissner
On Thu, Feb 19, 2015 at 05:19:37AM -0500, jone...@teksavvy.com wrote:
> Hello,
> 
> Could you please comment on the following ?  Any suggestion, insight,
> hint, is greatly appreciated.
> 
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs.  Like shutting down all
> data output interfaces.
> 
> This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal
> the OS of such errors.
> 
> I would like to modify the FIPS OpenSSL library in such a way that an
> OS-specific action is taken when a FIPS error is detected.  That
> action could be writing a file, writing a specific log msg, sending a
> signal to an application, etc.  To continue in the same vein, are
> there major exit points in the library that could reduce the amount of
> modifications to be made ?  Is error information in FIPS mode
> traveling in the library in such a way that it could be examined and
> acted upon at a precise point, covering all error conditions ?
> 
> Are these mainlines making sense, based on your experience with the
> OpenSSL library ?
> 
> Another way would be to modify the applications that use the OpenSSL
> library. I tend to think that it would be more efficient and easier on
> maintenance to modify the OpenSSL library.  But then, the complexity
> of tapping on (every) exit point from the library could be
> overwhelming, when compared to the source code of several
> applications.

Well, the writing is that the "crypto module" must stop operating
on error.

We solved this by calling abort(); in the openssl library on FIPS
related error conditions.

Ciao, Marcus