[openssl-users] Reasons to go from 2.0.9 FOM to 2.0.12 ?

2016-08-19 Thread jonetsu
Hello,

We are using FOM 2.0.9 for an embedded product that will go for FIPS 
validation.  Validation of the full product, that is.  All development so far 
is with 2.0.9.  What would be the reasons, if any, to update to 2.0.12 before 
going to the lab ?

Thanks - comments much appreciated.



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPS: using libcrypto.so ?

2016-08-03 Thread jonetsu
Thanks for the explanation.

> Just link against the library produced by the FIPS capable
> OpenSSL build.  If, for some reason, that only produced
> libcrypto.a, then you need to investigate why — perhaps you
> passed “no-shared” when running the config script?

The confusion came from trying to use methods such as FIPS_evp_sha1,
FIPS_evp_sha224, FIPS_evp_sha256.  As Steve replied yesterday, these should
not be used (is there any case in which they would ?) as the EVP_sha*
methods will automatically use the FIPS enabled ones when FIPS mode is
active.

For instance doing an 'objdump -T' on libcrypto.so.1.0.0 will show some
FIPS* methods, but not the sha* for instance.  Which now I see is a normal
thing since they are not to be used.

Thanks.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/FIPS-using-libcrypto-so-tp67694p67705.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


[openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?

2016-08-02 Thread jonetsu
FIPS: Need to use FIPS versions of (EVP) methods ?

In FIPS mode, is there a need to use the FIPS_* methods instead of the
regular ones once FIPS_mode_set(1) was successfully executed ?  For
instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1()
?  Wouldn't the FIPS version of EVP_sha1() be used automatically when
in FIPS mode ?

Thanks.


[openssl-users] FIPS: using libcrypto.so ?

2016-08-02 Thread jonetsu
The current FIPS User Guide mentions:

  "3.3 Creation of Shared Libraries
  
  The FIPS Object Module is not directly usable as a shared
  library, but it can be linked into an application that is a
  shared library. A “FIPS compatible” OpenSSL distribution will
  automatically incorporate an available FIPS Object Module into
  the libcrypto shared library when built using the fips
  option (see §4.2.3)."

Does the first sentence mean that there should be an intermediate, user
created, .so that itself uses libcrypto.a ?

What does the second part mean ?  The FOM will be included in the shared
library (assuming the libcrypto.so file) ?  If so, then why wouldn't it be
available directly ?  A clarification in perhaps simpler terms over what
seems to be an explanation in the User Guide would be much appreciated.

In practical terms, is it possible for an application to link against a
libcrypto.so that provides all needed FIPS symbols ?  If it's not, can you
give an example overview in which an application already using OpenSSL
(libcrypto.so) but now supporting FIPS, can still use libcrypto.so with full
FIPS support ?  Is the only answer to now have the application linked
against libcrypto.a ?

Thanks !


[openssl-users] linker input file unused/linking not done gcc warning

2016-08-02 Thread jonetsu
Hello,

Is it normal to get a 'linker input file unused because linking
not done' warning when compiling C code that uses OpenSSL in FIPS
mode, hence using fipsld ?

The object file is actually generated, as well as the executable,
and it does execute in a meaningful manner.

The warning:

  [...]

  gcc: warning: /usr/include/openssl/: linker input file unused
  because linking not done

  FIPSLD_CC=gcc /usr/lib/ssl/fips-2.0/bin/fipsld -o fips_hmac-errCode fips_hmac-errCode.o /usr/lib/arm-linux-gnueabihf/libcrypto.a -ldl -lz


The simple Makefile:

  OPENSSLDIR = /usr/lib/ssl
  LIBCRYPTO = /usr/lib/arm-linux-gnueabihf/libcrypto.a
  INCLUDES = /usr/include/openssl/

  CMD = fips_hmac-errCode
  OBJS = $(CMD).o

  $(CMD): $(OBJS)
  	FIPSLD_CC=$(CC) $(OPENSSLDIR)/fips-2.0/bin/fipsld -o $(CMD) $(OBJS) $(LIBCRYPTO) -ldl -lz

  $(OBJS): $(CMD).c
  	$(CC) -c $(CMD).c $(INCLUDES)

  clean:
  	rm $(OBJS)


Thanks.


[openssl-users] FIPS: Simulating failure at run-time ?

2016-07-18 Thread jonetsu
Hello,

Is it possible to simulate FIPS failure at run-time, at any given time ?  Or
does OpenSSL have to start in failure simulation mode ?  Also, is failure
simulation a standard part of a normal, non-debug, build ?

Thanks.


[openssl-users] FIPS canister 2.0.12 and 186-4

2016-07-12 Thread jonetsu
Hello,

Does 2.0.12 support 186-4 ?  Specifically, does it support the RSA requirements ?

Thanks.


[openssl-users] FIPS 186-4 support ?

2016-05-13 Thread jonetsu
Hello,

Is there anything new regarding the prime number requirement handling for
FIPS 186-4, as far as supporting it ?  I asked some time ago. Just want to
see if anything has changed, if there's anything planned. - thanks !


[openssl-users] TLS 1.0 in FIPS mode ?

2016-03-29 Thread jonetsu
Hello,

Does OpenSSL allow TLS 1.0 when running in FIPS mode ?

Thanks.


[openssl-users] Difference in the methods for listing the FIPS ciphers

2016-01-08 Thread jonetsu
Hello,

Using 1.0.1e running FIPS module 2.0.9, the following two
commands for querying the ciphers do not yield the same results.
There are more ciphers declared in the 'string' version.

The 'environment variable' version:

% OPENSSL_FIPS=1 openssl ciphers -v |

The 'string' version:

% openssl ciphers -v 'FIPS'

In the 'string' version only:
 

Is the 'environment variable' usage broken ?

Thanks.


Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread jonetsu
> Does FIPS mode prevent use of MD5: Yes.

> Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
> algorithm): No.

> Does FIPS mode prevent the SSL/TLS handshake from using 96 bit
> truncated HMAC values: Probably not.

> Does FIPS mode prevent use of the insecurely designed
> 'tls-unique' feature: Probably not.

This is what I read so far, thanks for the confirmation.  1.01f though, will
be good, will it, FIPS mode or not ?


Re: [openssl-users] openSSL and SLOTH attack

2016-01-07 Thread jonetsu
Does this mean that running 1.01e in FIPS mode is protected regarding this
SLOTH attack ?


Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Is there any current solution to have RSA 186-4 in OpenSSL FIPS (now, even if
this means an upgrade ?)

Thanks.


Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Sorry, I forgot: What about the code itself, if we do not mind the validation
?  Is the 186-4 RSA compatible code present in any OpenSSL/FIPS module ?


Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
What would then be the permitting conditions to pursue a new validation ?  If
you don't mind me asking.  I have read several notes you have on the subject
and I agree that the whole thing is of Daedalus proportions.  In a nutshell
what would be these conditions ?

Thanks, much appreciated.


Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Fair enough (in this context).  But what about the code itself, is it ready
to be RSA 186-4 compliant ?

And, if we go through a validation, can OpenSSL benefit from it ?


[openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-17 Thread jonetsu
Hello,


I have read about the use of FIPS_rsa_x931_generate_key_ex() for 186-4 
compliance.  We are using OpenSSL 1.0.1e with the fips-2.0.9 module.    Would 
it make functional sense using those versions to patch RSA_generate_key_ex() 
(../crypto/rsa/rsa_gen.c) to have: 


#ifdef OPENSSL_FIPS
if (FIPS_mode())
    return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
#endif


Instead of using FIPS_rsa_generate_key_ex()


(and also adding the prototype for FIPS_rsa_x931_generate_key_ex() earlier in 
rsa_gen.c)




Thanks.


[openssl-users] How to access a bug fix ?

2015-11-13 Thread jonetsu
Hello,


I would like to see the bug fix for RT3515 'Use 3DES in pkcs12 if built with 
no-rc2' although the openssl tree I got recently does not show it:


% git status
On branch master
Your branch is up-to-date with 'origin/master'.


% git show 92830dc1ca0bb2d12bf05a12ebb798709595fa5a
fatal: bad object 92830dc1ca0bb2d12bf05a12ebb798709595fa5a


I tried with checking out a few branches:


  remotes/origin/OpenSSL-fips-2_0-stable
  remotes/origin/OpenSSL_1_0_1-stable
  remotes/origin/OpenSSL_1_0_2-stable


And still not shown.  Did that bug fix ever make it to the OpenSSL tree as 
such, or was it bundled in the 33,000+ lines commit 
7e1b7485706c2b11091b5fa897fe496a2faa56cc ?


Alternatively, in which 1.0.1 version was this bug fix included ?  I grepped 
the CHANGES file of some versions after 1.0.1e although these do not list the 
bug numbers.


Thanks.


[openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)

2015-11-11 Thread jonetsu
Hello,


There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL 
1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to 
handle a certificate using a non-FIPS component.  I think I found the commit 
that fixes this, although it is part of a quite huge commit of 33,065 lines 
(7e1b7485706c2b11091b5fa897fe496a2faa56cc) done earlier this year.  


There is perhaps a simpler commit that fixes only this issue 
(92830dc1ca0bb2d12bf05a12ebb798709595fa5a) although I can't see the commit in 
the git tree I have fetched last week, even by branching to 
remotes/origin/OpenSSL_1_0_1-stable.


We are using 1.0.1.e.  My question is, was bug RT3515 included in a later 1.0.1 
release ?  If so, which one ?


(If you can also clear up why the patch is not seen... :)


Much appreciated, thanks.


Re: [openssl-users] Elliptic curves approved or recommended by government

2015-11-11 Thread jonetsu
In the NSA page referred above, the p-384 curves are specifically mentioned
for DH.  These would be the ones covered by the Suite B NSA license
sub-licensed to OpenSSL, are they ?  Is it possible to build OpenSSL in FIPS
in such a way that only these curves will be used ?

Regards.


[openssl-users] OpenSSL public repository, bug tracker ?

2015-10-28 Thread jonetsu

Sorry if this is answered elsewhere ...


Is the version control repository as well as the bug tracker of public read 
access ?


Is it possible to find a specific commit in the OpenSSL repository that would 
hopefully fix a single discovered/reported bug ?


We have hit the 'FIPS_CIPHERINIT:disabled for fips' in the 1.0.1e version 
running in FIPS mode and would like to apply the code fix that hopefully fixes 
only that problem.  Is it possible ?


Thanks.


[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e

2015-10-26 Thread jonetsu

In 1.0.1e the following is observed when using OpenSSL in FIPS mode:


 % OPENSSL_FIPS=1 openssl pkcs12 -export -in
 /tmp/ipsec.d/certs/192.168.11.1 -inkey
 /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out
 /tmp/ipsec.d/192.168.11.1.p12 -password pass:""


 3067167952:error:060A60A3:digital envelope 
 routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
 3067167952:error:06074078:digital envelope


 routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
 3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor


 cipherinit error:p12_decr.c:83:
 3067167952:error:2306C067:PKCS12


 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
 3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt 
 error:p12_add.c:202:


In 'Re: PKCS12 keystore creation failing in fips mode' (May 29,
2013 9:15pm) the following is said:


  "That's a bug in 1.0.1 in that it tries to use an unapproved
  algorithm in FIPS mode.  Workaround: use the -descert option."


It is not possible for us to upgrade OpenSSL, but it would be
possible to apply a patch.  Does a patch exist that fixes this
problem and if so, where can it be found ?  I do not know how
development is organized for OpenSSL (bug tracker, git ?)


Thanks !


[openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread jonetsu

Hello,


Sorry if this is a bit beside OpenSSL per se, the idea behind this post is to 
perhaps have some information from the OpenSSL experience with FIPS validation. 
 There was so much effort put into FIPS compliance that it would not be 
far-fetched to consider that there is also knowledge about what seems to be 
/protocol/ testing.


I would like to know what's involved in the CAVP testing of the SSH protocol.  
I browsed the NIST CAVP web site, browsed some documents, although I haven't 
found any satisfying, technically-oriented, document on what has to be done if 
say, I have an editor opened with the SSH source code.  Not the fully gruesome 
details, but an overview of how such testing works.


Any comment appreciated !


Re: [openssl-users] CAVP protocol testing - what does it really consist of ?

2015-10-21 Thread jonetsu
> From: "Steve Marquess"  
> Date: 10/21/15 14:18 
> See Appendix B of the OpenSSL FIPS User Guide:

>   https://openssl.org/docs/fips/UserGuide-2.0.pdf

Thanks.

> The specific algorithm tests have changed quite a bit since then
> (constant change is part of the fun), but the general concept is the
> same. The algorithm testing is the easiest part of FIPS 140-2 validations.

What would you consider being the difficult parts ?

> Note the CAVP only tests specific cryptographic algorithms, not
> cryptographic protocol suites like SSH (secsh). OpenSSH itself is just
> application code from the perspective of FIPS 140-2 and thus out of
> scope ...


It has to do with NDcPP 1.0 I think.  Key agreement schemes and key derivation 
functions 
for several security-related communications protocols (SNMP, TLS, SSH, etc.) 
must now be tested as part of the algorithm test process.  


Re: [openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
> From: "Salz, Rich"  
> Date: 09/14/15 16:07 

> Are you talking about the command-line?


Yes.


> It would be great if someone sent in a patch that standardized
> and documented exit codes, like 0 for got a "good"
> response, "1" for got a "bad" response, and 10 for got an
> unparseable response


Are these the only three error codes ?


[openssl-users] Behaviour facing a broken OCSP responder

2015-09-14 Thread jonetsu
Hello,


The documentation does not seem too clear about what the behaviour exactly is 
when OpenSSL deals with a broken OCSP responder.  For instance, one that would 
send an OK without any contents.  We call openssl from an application and would 
like to know what is returned in such a case, or in the case of any broken 
responder.


Thanks.


Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-19 Thread jonetsu
Thanks for your comments - much appreciated.  What is exactly the poodle
patch and how does it come into providing some form of protection against
the BEAST attack ?


Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread jonetsu
Does this mean, since the 'no insert fragments' is part of SSL_OP_ALL, that
OpenSSL is BEAST-proof since some time regarding its use of TLS 1.0 and SSL
3.0 ?

Thanks.


Re: [openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-08-18 Thread jonetsu
OK.  So this means that the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not the
solution for the BEAST attack.  Is there a solution while keeping TLS 1.0
and SSL v3.0 ?

Thanks.


[openssl-users] BEAST and SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

2015-07-22 Thread jonetsu
Hello,


Our Nessus version  6.4.1 is detecting a BEAST vulnerability against OpenSSL 
1.0.1e.  The source code defines SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS as 
0x0800L and several tests are made for this value in the code.  The CHANGES 
mentions though that this had some side effects, the option now being part of 
SSL_OP_ALL.  It would look like, from the scan, that the fragments are not 
enabled by default, could it be ?


Thanks.


Re: [openssl-users] New FIPS 140-2 SE Validation Approved

2015-06-30 Thread jonetsu
The validation is on the ARM platform using Linux 2.4.  I am one of those
'unlucky' having to deal with FIPS so please pardon any silly questions. 
Would this validation be limited to these two aspects ?  And, is there any
money-saving advantage at using an already validated OpenSSL when the whole
unit (embedded device) will be going for validation ?  Eg. will it save lab
time if they know that the OpenSSL used is already validated ?

Regards.


Re: [openssl-users] SHA256() to EVP_* ?

2015-05-01 Thread jonetsu
> Even a small convenience is still a convenience.

And eventually they add up.

Thanks for the comments - it's appreciated.


[openssl-users] Porting to EVP methods: AES_set_encrypt_key()

2015-04-29 Thread jonetsu
Hello,

  The context is migrating an application to use EVP only methods.

AES_set_encrypt_key(...)

AES_cfb128_encrypt(...)

The AES_cfb128_encrypt() is pretty clear to migrate to EVP_*,
what about the AES_set_encrypt_key() ?  I haven't found yet any
correlation to the EVP methods, let alone an actual description of
AES_set_encrypt_key() purpose.  How is this translated to EVP ?

Thanks.


Re: [openssl-users] SHA256() to EVP_* ?

2015-04-29 Thread jonetsu
Thanks for the comments.

> If you are implementing HMAC, perhaps for PBKDF2 (which does
> that prehash-if-too-long), I hope you mean the code does...

Yes it does.

The man page (the one online from OpenSSL project - SHA256.html)
gives a description using SHA1() which computes a message digest.
Being generally new to OpenSSL at that level, what is then the
difference between using, say, SHA1() vs. using SHA1_Init,
SHA1_Update and SHA1_Final ?  Is it only that the latter allows
for continuously add data until _Final is called ?


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> SSLv3 in the ciphersuite definition means it can be used in
> SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3,
> and then again for TLS1.0, and again for TLS1.1 etc - its just
> defined once and is reused across multiple protocol versions.

Yes, this is what I basically understood.  What was lacking then in my
understanding, is that :

% OPENSSL_FIPS=1 openssl ciphers -v

Will not output strictly according to FIPS.  Maybe there's no easy way to do
that when the definition of a cipher states otherwise.

Thanks.


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> That refers to the minimum version of the ciphersuite: it
> doesn't imply that it will only be used in SSLv3 (which is
> disabled in FIPS mode).

Hmmm...  I'm sorry but I do not really understand this.  Since openssl is
run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
ciphers show up ?  If they have counterparts in TLS that could be used, why
wouldn't the TLS version show up instead ?

Thanks.


[openssl-users] SHA256() to EVP_* ?

2015-04-28 Thread jonetsu
Hello,

What would be the equivalent of the SHA256() function in the EVP
class of methods ?  EVP_sha256() could be it, although from the
short description in manual page it does not seemingly fit in,
returning a EVP_MD which is, if not mistaken, a env_md_st
structure.

The code I'm adapting to EVP has a first pass of shortening the
key if too long:

/* Change key if longer than 64 bytes */
if (klen > HMAC_INT_LEN) {
    SHA256(key, klen, nkey);
    key = nkey;
    klen = SHA256_DIGEST_LENGTH;
}

Before proceeding with the usual SHA256_Init(),
SHA256_Update() (twice), and SHA256_Final.  All of which I have
tested with the corresponding EVP_* methods.  For the use of
SHA256() above, though, I'm puzzled regarding its EVP_*
counterpart.

Suggestions, comments appreciated.

Regards.

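The key pre-hash step in the snippet above, and the one-shot vs. Init/Update/Final question from the follow-up in this thread, written out in Python as an added example (not code from the post or from OpenSSL). It assumes HMAC_INT_LEN is the 64-byte SHA-256 block size, as the comment in the snippet states, and checks the hand-rolled HMAC against the standard library.

```python
"""HMAC-SHA256 with the RFC 2104 key pre-hash, checked against hmac.new().

Added example, not from the mailing-list post or from OpenSSL.  The post's
snippet replaces a key longer than the 64-byte block size with its one-shot
SHA256() digest before the usual Init/Update/Update/Final sequence; this
reproduces that rule and shows that a one-shot digest is identical to an
incremental one.
"""
import hashlib
import hmac

BLOCK_LEN = 64    # SHA-256 block size in bytes (the post's HMAC_INT_LEN, assumed)
DIGEST_LEN = 32   # SHA256_DIGEST_LENGTH


def one_shot_sha256(data: bytes) -> bytes:
    """Python counterpart of OpenSSL's one-shot SHA256(data, len, out)."""
    return hashlib.sha256(data).digest()


def incremental_sha256(chunks) -> bytes:
    """Counterpart of SHA256_Init / SHA256_Update (repeated) / SHA256_Final."""
    ctx = hashlib.sha256()
    for chunk in chunks:
        ctx.update(chunk)
    return ctx.digest()


def normalize_key(key: bytes) -> bytes:
    """The post's pre-hash: a key longer than the block size is replaced by
    its 32-byte SHA-256 digest; shorter keys are used as they are."""
    if len(key) > BLOCK_LEN:
        key = one_shot_sha256(key)
        assert len(key) == DIGEST_LEN
    return key


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """RFC 2104: H((K' xor opad) || H((K' xor ipad) || message))."""
    k = normalize_key(key).ljust(BLOCK_LEN, b"\x00")   # zero-pad to one block
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    # Two Update() calls per hash, matching the "SHA256_Update() (twice)" flow.
    inner = incremental_sha256([ipad, message])
    return incremental_sha256([opad, inner])


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """True when the hand-rolled HMAC equals hashlib/hmac's result."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, message), expected)


if __name__ == "__main__":
    # Constructed sample inputs: a 16-byte key that is used as-is and a
    # 100-byte key that triggers the pre-hash branch.
    msg = b"constructed sample message"
    for key in (b"k" * 16, b"K" * 100):
        print(len(key), "byte key:", matches_stdlib(key, msg))
```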

[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hi,

  ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)

https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0

Specifically:

FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

In this case, would it be possible to simply compile OpenSSL without support
for SSL 3.0, while having FIPS mode taking care of the rest ?  I do not
remember the exact option now, although I'm almost sure there's a compile
option to exclude SSL 3.0.  Am I right and would that work ?

Regards.


Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hello,

> In FIPS mode SSL 3.0 is not allowed: that has always been the
> case.

% openssl version
OpenSSL 1.0.1f 6 Jan 2014

% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL

ECDHE-RSA-AES256-SHA    SSLv3
ECDHE-ECDSA-AES256-SHA  SSLv3
DHE-RSA-AES256-SHA      SSLv3
DHE-DSS-AES256-SHA      SSLv3
[snipped]

All of the others are TLSv1.2.

Why is SSLv3.0 seen in FIPS mode on this install ?

> TLS 1.0 is currently permitted though.

As far as OpenSSL is concerned, will any action to remove TLSv1.0
only be taken when put into a FIPS frame, eg. the recent
NDCPPv1.0 is not enough ground to make a change ?

Regards.


Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread jonetsu
> What is the security risk?

Management ?  :)


Re: [openssl-users] Delete a post to openssl-user mailing list

2015-04-22 Thread jonetsu
It can indeed be easy to find out about companies in Hartford, CT but, I
still do not see any threat to any existing product.  'Having problems with
OpenSSL' is not good enough.

In any case, when concerned, do like many people and use a pseudonym from
another mailing system.  Employees will not gain promotion points anyways by
having their real names in mailing lists.


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 04/14/15 09:31

> and note that of the 101 platforms (OEs) appearing there, most of
> those operating systems are neither CC certified nor have any other FIPS
> 140-2 validated crypto. Keep in mind that at Level 1 the validation
> applies to the cryptographic module, not the calling application that
> uses that module nor the operating system that runs it.

I came across a Red Hat Security Policy document that clearly puts the XFRM out 
of the Security Policy domain.  See section 1.1.2, page 8, in:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

This blurs the concept of FIPS validation.  Looks more and more that the 
validation will only care about what is being declared as going for validation. 
 In this case (policy might have changed since 2010) they simply say that no, 
we do not declare the crypto done via XFRM as part of the Security Policy.  And 
the FIPS lab says, OK, fine.  Hmmm

Regards.


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-14 Thread jonetsu
Salz, Rich wrote
> As the old joke goes, if you have to ask, you can't afford it.

Well, exploration can be free.  I noticed that Strongswan uses a plug-in
architecture for crypto that seemingly allows the use of OpenSSL instead of
the kernel for crypto operations, for use under FIPS.  Does anyone have an
idea of the order of magnitude in performance loss this could be for IPSec,
to use crypto from OpenSSL instead of the kernel ?

Regards.


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread jonetsu
Thanks for all the comments, they're much appreciated.  It is a Debian
system, so there is no Red Hat FIPS validation (or SuSE which also has one I
think) or validated components that can be used.

If I may, I'd like to ask about including the Linux kernel in the
validation.  Now, including glibc2 was a pretty bad idea, it cannot get
better with the kernel.  In this case, IPSec (libreswan) is using the
kernel's crypto functions.  So it seems there would be no way out of this
one.  Any insight on this matter ? - thanks.

Regards.


Re: [openssl-users] FIPS mode restrictions and DES

2015-04-13 Thread jonetsu
Thanks for the comments - much appreciated.

The following question might be on the naive side of things, but then I'm
all new to this.  Since crypt() in glibc2 supports SHA-256 and SHA-512 for
password, and assuming that these two are FIPS compatible, what would be the
(financial) overhead of having the crypto part of glibc2 go through
validation ?  It sounds very odd, not to mention very expensive, but I'm
asking nevertheless, in case there is a possibility.  In other words, is the
only practical and viable option regarding this to re-implement crypt()
using EVP methods ?  - thanks.

Regards.


[openssl-users] FIPS errors: finding causes for failure

2015-04-01 Thread jonetsu
Hello,

  As part of development, still using the fips_hmac test code, this time on a 
target unit using 1.0.1e, the following errors are shown at the console:

3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:

3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:

3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:

3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:

3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:

What is the troubleshooting path from here ?  Is it only by going to the 
appropriate code line ?  In the first case, the FIPS_selftest_x931() is 
concerned, with the 171 line being: 
FIPSerr(FIPS_F_FIPS_SELFTEST_X931,FIPS_R_SELFTEST_FAILED).  Which basically 
means that the actual test code has to be examined. There is documentation in 
the User Guide, section 6.3.1, although it does not seem to be practical to 
find out the cause of the failure.  There are seemingly no log messages 
generated.  Information that would give hints as to why a specific test could 
fail would be useful.  In this case, there's mention of the V seed value being 
corrupted but only for simulation mode.

In short, how to find what could be the cause(s) of FIPS test(s) failure(s) ?

Regards.
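As an added illustration, not code from the post or from OpenSSL: the lines above are OpenSSL's standard `pid:error:code:library:function:reason:file:line:` error-queue format, and the 32-bit code packs a library number (bits 31..24), a function number (bits 23..12) and a reason number (bits 11..0), exactly as OpenSSL 1.0.x's ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros unpack them. Splitting the five lines this way shows that they share one library and one reason code (0x086, "selftest failed") and differ only in the function, which is the first thing worth knowing before opening each selftest source file: five algorithms failing at once with the same reason points at a common cause (build, environment, integrity) rather than five independent bugs. The sample lines are the post's own, joined back onto one line each.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded OpenSSL 1.0.x error-queue line. */
struct ossl_err {
    unsigned long code;      /* packed 32-bit code, e.g. 0x2D088086 */
    int lib, func, reason;   /* the three fields packed into `code` */
    char library[64];        /* "FIPS routines" */
    char function[64];       /* "FIPS_selftest_x931" */
    char reason_str[64];     /* "selftest failed" */
    char file[64];           /* "fips_rand_selftest.c" */
    int line;                /* 171 */
};

/* Same bit layout as ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON in OpenSSL 1.0.x err.h. */
static int err_get_lib(unsigned long e)    { return (int)((e >> 24) & 0xffUL); }
static int err_get_func(unsigned long e)   { return (int)((e >> 12) & 0xfffUL); }
static int err_get_reason(unsigned long e) { return (int)(e & 0xfffUL); }

static void copy_field(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen)
        n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Split one error line into its eight colon-terminated fields and decode the code.
 * Returns 1 on success, 0 if the line is not in the expected shape. */
int parse_ossl_error(const char *line, struct ossl_err *out)
{
    const char *fields[8], *p = line;
    size_t lens[8];
    char hex[16], num[16], *end;
    int i;

    for (i = 0; i < 8; i++) {
        const char *colon = strchr(p, ':');
        if (colon == NULL)
            return 0;
        fields[i] = p;
        lens[i] = (size_t)(colon - p);
        p = colon + 1;
    }
    if (lens[1] != 5 || strncmp(fields[1], "error", 5) != 0 || lens[2] == 0)
        return 0;
    copy_field(hex, sizeof hex, fields[2], lens[2]);
    out->code = strtoul(hex, &end, 16);
    if (*end != '\0')
        return 0;
    out->lib = err_get_lib(out->code);
    out->func = err_get_func(out->code);
    out->reason = err_get_reason(out->code);
    copy_field(out->library, sizeof out->library, fields[3], lens[3]);
    copy_field(out->function, sizeof out->function, fields[4], lens[4]);
    copy_field(out->reason_str, sizeof out->reason_str, fields[5], lens[5]);
    copy_field(out->file, sizeof out->file, fields[6], lens[6]);
    copy_field(num, sizeof num, fields[7], lens[7]);
    out->line = atoi(num);
    return 1;
}

/* Decode several lines and report whether they all carry the same library and reason.
 * Returns the number of lines parsed, or -1 if any line was malformed. */
int same_lib_and_reason(const char *const *lines, int n, int *all_same)
{
    struct ossl_err first, e;
    int i;

    memset(&first, 0, sizeof first);
    *all_same = 1;
    for (i = 0; i < n; i++) {
        if (!parse_ossl_error(lines[i], &e))
            return -1;
        if (i == 0)
            first = e;
        else if (e.lib != first.lib || e.reason != first.reason)
            *all_same = 0;
    }
    return n;
}

int main(void)
{
    /* The five lines from the post, one per string. */
    static const char *const lines[] = {
        "3069614096:error:2D088086:FIPS routines:FIPS_selftest_x931:selftest failed:fips_rand_selftest.c:171:",
        "3069614096:error:2D082086:FIPS routines:FIPS_selftest_cmac:selftest failed:fips_cmac_selftest.c:178:",
        "3069614096:error:2D080086:FIPS routines:FIPS_selftest_aes:selftest failed:fips_aes_selftest.c:97:",
        "3069614096:error:2D090086:FIPS routines:FIPS_selftest_aes_xts:selftest failed:fips_aes_selftest.c:383:",
        "3069614096:error:2D083086:FIPS routines:FIPS_selftest_des:selftest failed:fips_des_selftest.c:102:",
    };
    struct ossl_err e;
    int i, same;

    for (i = 0; i < 5; i++)
        if (parse_ossl_error(lines[i], &e))
            printf("lib=%d func=0x%03x reason=%d  %s  %s:%d\n",
                   e.lib, e.func, e.reason, e.function, e.file, e.line);
    same_lib_and_reason(lines, 5, &same);
    printf("all lines share library and reason: %s\n", same ? "yes" : "no");
    return 0;
}
```

With the OpenSSL headers at hand the same numbers can be cross-checked against `ERR_LIB_FIPS` and the `FIPS_F_*` / `FIPS_R_*` constants in fips.h; the function number is what distinguishes the five lines, the reason code does not.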




Re: [openssl-users] FIPS: Any setup required for using a default DRBG ?

2015-03-26 Thread jonetsu


> From: jonetsu jone...@teksavvy.com
> Date: 03/26/15 11:11
>
> > Is FIPS_mode_set(1) taking care of setting up a default DRBG ?

Yes. It does.  When using post_cb() from fips_test_suite.c in for instance the 
fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that 
the four DRBGs are tested: DRBG AES-256-CTR DF, DRBG AES-256-CTR, DRBG SHA256 
and DRBG HMAC-SHA256, amongst others.

After FIPS_mode_set(1) is executed along with the POST tests, a call to 
RAND_pseudo_bytes() will not run the tests again.  In this context, when do the 
DRBG continuous tests occur, as shown in table 6b of the 2.0.9 Security 
Policy ?  Is there a need to actually call FIPS_selftest() ?

Regards.


[openssl-users] FIPS: Any setup required for using a default DRBG ?

2015-03-26 Thread jonetsu
Hello,

  Is FIPS_mode_set(1) taking care of setting up a default DRBG ?  Would a 
subsequent call to RAND_pseudo_bytes() for instance be using the default DRBG ( 
256-bit CTR AES ?) There are quite a few DRBG-related FIPS methods described in 
the User Guide, and one that is called FIPS_get_default_drbg().  Does this have 
to be actually called ?  I'm asking since I added in crypto/o_fips.c a 
FIPS_post_set_callback() in FIPS_set_mode() with a case switch on 
FIPS_TEST_DRBG (amongst others).  SHA256, HMAC-SHA256, AES-128-CBC, AES-256-CTR 
amongst others are reported to be tested, although there's no sign of the 
FIPS_TEST_DRBG.  Nor FIPS_TEST_CONTINUOUS for that matter.  Wouldn't the DRBG 
be tested in a 'continuous' way before each use ?  - thanks.

Regards.


[openssl-users] FIPS: Which DRBG is default ?

2015-03-25 Thread jonetsu
Hello,

  When an application does not define OPENSSL_DRBG_DEFAULT_TYPE nor 
OPENSSL_DRBG_DEFAULT_FLAGS nor any compilation options (if applicable), is the 
default DRBG the 256 bit CTR AES (+ derivation function) in FIPS mode ?

Regards.


[openssl-users] FIPS Linux kernel documentation ?

2015-03-25 Thread jonetsu
Hello,

  This is not about OpenSSL, although from experience, maybe some know the 
answer. Does anyone know if actual documentation exists for the Linux kernel 
FIPS mode apart from the source itself ?  There is nothing in Documentation/ as 
per 3.18.2.  - thanks.

Regards.


Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 03/24/15 12:38
>
> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early
> 2014) for use as-is in doing copycat validations. Some non-trivial code
> hacks will be necessary.
>
> We'll do a new open source based validation to succeed the 2.0 FIPS
> module (#1747 validation) at the first opportunity, but that opportunity
> has not yet presented itself.

I still do not know that much about the validation in practical terms. If our 
units go through validation, can this benefit OpenSSL ?

Also, to go back to the SP 800-90 vs. SP 800-90A regarding the DRBGs, do you 
know how would the OpenSSL SP 800-90 validation fare in a FIPS testing lab 
since the Dual EC was removed and the other three were not touched ?

Regards.


Re: [openssl-users] FIPS: Which DRBG ?

2015-03-24 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 03/24/15 09:22
>
> At the time that validation was obtained the four (at the time) DRBGs
> were specified by SP800-90. That document was subsequently reissued in
> several pieces; the current SP800-90A now contains the specifications
> for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
> been removed from the formal standards and also from the OpenSSL FIPS
> Object Module).

If it concerns only the removal of the Dual EC, then it should be OK, 
technically.  Not on paper.

> Now the code for the OpenSSL FIPS module can no longer be used as-is for
> new private label or copycat validations, but that's for different
> reasons and not because of the DRBGs.

I've read the User Guide bit on private label validations.  In the case of a 
product that consists of a dedicated unit, what would be the best approach ?  
So far I have considered using the OpenSSL FIPS module as is, in the hope that 
its FIPS validation would save costs at the testing lab.  Is this still 
feasible ?

Regards.


[openssl-users] FIPS: Which DRBG ?

2015-03-23 Thread jonetsu
Hello,

Following on the 'SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?' topic, the 
OpenSSL source code does not seem to mention SP 800-90A.  Only SP 800-90.  So 
the certifications were made for SP 800-90, is that right ?

Also, does it depend on the application to choose which DRBG and moreover, for 
regular FIPS uses, does it matter which DRBG is used since they are all 
approved ?

One more question: is there a way for us to actually know/test which one is 
used by an application ?  I currently am using a FIPS_post_set_callback() 
placed in FIPS_mode_set() - can this be useful to identify which DRBG is used ? 
 Maybe FIPS_drbg_set_callbacks() could be more useful ?

Regards.


Re: [openssl-users] Runtime list of FIPS ciphers

2015-03-20 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/20/15 12:48
>
> OPENSSL_FIPS=1 openssl ciphers -v
> openssl ciphers -v FIPS

Thanks, this works great, on the workstation where I have installed at default 
development location /usr/local/ssl/, using OpenSSL 1.0.1k.  

However, we have built Debian packages for the target unit, using 1.0.1e.  
While the example fips_hmac runs fine, we have a problem with openssl itself, 
which seems to be that the openssl shared object is somehow not FIPS enabled, 
or, is 1.0.1e lacking in any respect to FIPS mode ? :

% ./fips_hmac -v gcrypt_pkglist

 FIPS mode enabled
 ret: 1
 51dedc633485ccb55f4624763e9d118d6df15b3c


% OPENSSL_FIPS=1 openssl ciphers -v

 3069818064:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1729:


% ldd fips_hmac

 libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6dbc000)

% ldd /usr/bin/openssl

 libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6f5e000)
 libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6e03000)


% openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


[openssl-users] Runtime list of FIPS ciphers

2015-03-20 Thread jonetsu
Hello,

  I have the impression that the 'ciphers -v' option to openssl, when OpenSSL 
is compiled in FIPS mode, lists more than FIPS-only.  There are RC5 and RC4 in 
there, for instance.  Is there a specific openssl command that will list only 
the ones that are FIPS-allowed  ?

Regards.


[openssl-users] FIPS: Error compiling 1.0.1e: 'T' vs. 't'

2015-03-17 Thread jonetsu
Hello,

There is a problem with compiling the openssl-1.0.1e.tar.gz
sources against the FIPS 2.0 canister.

On my machine the following is declared global:

000dd3c0 T private_AES_set_decrypt_key
000dd0f0 T private_AES_set_encrypt_key

On another machine, they are declared local and the apps build
fails:

000dd3c0 t private_AES_set_decrypt_key
000dd0f0 t private_AES_set_encrypt_key

What is the mechanism that determines which is global and which is
local and what does it depend on to make its decision ?

Regards.


Re: [openssl-users] FIPS: Problem building 1.0.1e: 'T' vs. 't'

2015-03-17 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/17/15 12:28
>
> What are the two platforms? That is what does:

First of all, I'm very, very sorry to have posted duplicates of the question.  
The web-access email client is, was, a bit on the fuzzy side, stalling and 
reporting errors.

It turns out, at the end of much puzzling and searching, that the difference is 
in the Debian packaging.  The Debian folks have added some per-method version 
mechanism to be assured that the APIs are still compatible between OpenSSL 
number versions.  That mechanism does not recognize the FIPS renaming of some 
methods hence tags them as local.  We fixed that and it could be that the fix 
can be given to Debian as it should be transparent to non-FIPS OpenSSL Debian 
builds.

Again, sorry for the multiple posts !

Regards.
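An added check, not from the thread or from the Debian packaging, for catching this before the apps build fails: parse `nm` output and compare the visibility of the symbols that the FIPS capable build must export. `nm` prints an upper-case type letter (T) for a global symbol and lower-case (t) for a local one, which is exactly the difference between the two listings quoted in the question. The two sample listings and the symbol names are the page's; the expectation list is this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum sym_state { SYM_MISSING = 0, SYM_LOCAL = 1, SYM_GLOBAL = 2 };

/* Parse one nm line "ADDRESS TYPE NAME". Returns 0 if it does not look like one. */
int parse_nm_line(const char *line, char *type, char *name, size_t namelen)
{
    unsigned long addr;
    char t, n[256];

    if (sscanf(line, "%lx %c %255s", &addr, &t, n) != 3)
        return 0;
    *type = t;
    strncpy(name, n, namelen - 1);
    name[namelen - 1] = '\0';
    return 1;
}

/* How `wanted` appears in the listing: global (upper-case type), local (lower-case), or absent. */
enum sym_state symbol_state(const char *const *nm_lines, int n, const char *wanted)
{
    char type, name[256];
    int i;

    for (i = 0; i < n; i++) {
        if (!parse_nm_line(nm_lines[i], &type, name, sizeof name))
            continue;
        if (strcmp(name, wanted) == 0)
            return isupper((unsigned char)type) ? SYM_GLOBAL : SYM_LOCAL;
    }
    return SYM_MISSING;
}

/* Count the required symbols that are not exported, printing each offender. */
int count_unexported(const char *const *nm_lines, int n,
                     const char *const *required, int nreq)
{
    int i, bad = 0;

    for (i = 0; i < nreq; i++) {
        enum sym_state s = symbol_state(nm_lines, n, required[i]);
        if (s != SYM_GLOBAL) {
            printf("%s: %s\n", required[i],
                   s == SYM_LOCAL ? "local (t), expected global (T)" : "missing");
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* Listings as quoted in the question: the working machine and the failing one. */
    static const char *const good[] = {
        "000dd3c0 T private_AES_set_decrypt_key",
        "000dd0f0 T private_AES_set_encrypt_key",
    };
    static const char *const bad[] = {
        "000dd3c0 t private_AES_set_decrypt_key",
        "000dd0f0 t private_AES_set_encrypt_key",
    };
    /* Expectation list of this example: the two symbols the apps build needed. */
    static const char *const required[] = {
        "private_AES_set_decrypt_key",
        "private_AES_set_encrypt_key",
    };

    printf("working build: %d problems\n", count_unexported(good, 2, required, 2));
    printf("failing build: %d problems\n", count_unexported(bad, 2, required, 2));
    return 0;
}
```

Run against `nm libcrypto.so.1.0.0` (or the static archive) on each build machine; a non-zero count on one machine and zero on the other localises the problem to the packaging or symbol-versioning step rather than to the FIPS canister itself, which is what the reply above found.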





[openssl-users] FIPS: Converting AES_ctr128_encrypt() to EVP_ methods

2015-03-16 Thread jonetsu
Hello,

An application that needs converting to FIPS is currently using
AES_ctr128_encrypt().  That function calls in turn
CRYPTO_ctr128_encrypt() which then does some internal
computations.  They are not documented in the 'full list of
crypto APIs'.  What would be the FIPS-compatible EVP
equivalent(s) ?

Regards.


[openssl-users] FIPS: ECC licensing

2015-03-16 Thread jonetsu
Hello,

  The licenses and patents for ECC were noticed.  In short, if we do not care about 
this in the sense of not willing to be in any patent infringement situation 
down the road, the -ecb archive should be used, is that right ?  Also, there is 
a mention of a NSA-PLA.pdf agreement statement.  The file is not found.  Is 
this still valid in some ways ?

Regards.


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-12 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/10/15 20:04
>
> I mean you could add a callback to FIPS_mode_set using
> FIPS_post_set_callback: see the fips_test_suite.c application
> for an example. The supplied callback is called during each
> POST, continuous RNG and pairwise consistency checks. The op
> value is set to FIPS_POST_FAIL if any test fails.

This is basically what was also suggested by Henrik in a related
thread recently, which I understood being implemented in an
application.  The variation here would be that the callback is
part of the library, located in FIPS_mode_set() in o_fips.c, with
the callback itself being defined elsewhere in the same file.

A potentially useful case for some applications that do not need
to be further modified would be for the library to automatically
know that it has to run in FIPS mode.  Eg. to automatically call
FIPS_mode_set() at load time, based on a env. var. or some other
external sign.


[openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu
Hello,

  Is there a method that is always in the path of execution when a crypto error 
occurs ?  The reason for asking is that I would like to very slightly modify 
the OpenSSL FIPS version so that it will write a file in tmpfs when an error 
occurs.  That place will be observed by another app using inotify.  Granted, 
modifying OpenSSL FIPS will void its FIPS certification.  But then, the whole 
unit will be validated.  Having a single place to modify would be quite an 
extraordinary thing.  I have asked recently about a related topic and got some 
replies regarding the modification of applications, although modifying the 
library would provide a single package to modify.  Steve has replied that 
indeed the validation will be lost - I wonder if that would have any impact on 
the total validation costs for a whole unit, OS and apps ?  Would a 
non-modified FIPS OpenSSL library reduce the
validation costs ?

Any comments and suggestions welcomed, regards.


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


> From: Steve Marquess marqu...@openssl.com
> Date: 03/10/15 08:56

Hello,

  Thanks for your reply.

> You're talking about a Level 2 validation (or higher)? You most
> definitely do *not* want to include the OS or applications in the
> cryptographic module boundary for Level 1.

It's a level 2.  The behaviour of the unit as a whole is
validated.  As an example amongst many, there will be no Linux
console prompt available in FIPS mode.

> I think you're going to be shocked at the cost (in time and money) to
> validate a hacked OpenSSL FIPS module, compared to using it as-is or a
> change letter update.

That brings a question.  I'm currently using 1.0.1k with the 2.0
FIPS module for development purposes.  This may seem a bit blunt,
but, is it possible at all to use 1.0.1k to benefit from the FIPS
validation ?  Based on recent comments I would think not.  Going
back to a pre-heartbleed version ?  Is there any way to benefit
from the gained OpenSSL FIPS validation at all ?

> That's because the CMVP has introduced a number of new
> requirements since the current FIPS module was validated (in
> 2012), and any new validation will now need to satisfy
> those.

Again, is there any benefit to be gained from using a once
validated OpenSSL FIPS ?  What would be the bugs fixed/ security
updates trade-off ?

> That means not only non-trivial code hacks unrelated to yours,
> but also a new paper shuffle for the arm waving (DTR)
> components of the validation process.  The cost of the latter
> dwarfs the former; which is why we have not attempted a new
> validation ourselves.

Hmmm... If this goes through, would it be possible for OpenSSL to
benefit from any validation our unit can get ?

> But, that cost could be dwarfed in turn by that of a Level 2 or 3
> validation of a turnkey system including OS and apps.

Thanks again for your comments, much appreciated.

Regards.


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


> Is there a method that is always in the path of execution when a crypto error
> occurs ?

It looks like fips_set_selftest_fail() would be a likely candidate where to 
create an empty file on a tmpfs in order to let the OS know about the error.

Comments and suggestions welcomed.  Based on your experience with FIPS 
validation process, and many customers/sponsors, do you think that having a 
ever so slightly modified OpenSSL FIPS code would increase validation costs for 
a whole unit (OS and apps) ?  Recently Steve, I think, has mentioned that the 
cost for an initial OpenSSL FIPS validation was well into the 6 numbers.  Would 
this type of figure be added to a project if OpenSSL FIPS is modified ?  I 
think the labs could go with a diff and see how simple the modification is.

Regards.


Re: [openssl-users] FIPS: Common method executed in case of error

2015-03-10 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> Date: 03/10/15 10:21
>
> Although you cannot modify the FIPS module itself without voiding the
> validation you *can* change the FIPS capable OpenSSL.
>
> You might (for example) change FIPS_mode_set() to always add a callback
> which logs any errors.

I see.  So this would actually enable benefiting (saving
validation costs) from an intact recent OpenSSL 1.0.1k with all
security fixes.

FIPS_mode_set() is very straightforward to patch although it
would only catch startup errors.  Not the eventual errors from
tests that are executed before each crypto use.  And not the
continuous RNG tests.

Within the scope of OpenSSL itself, there is a
fips_cipher_abort() that is called for each algo.  That macro
could perhaps be a good place.  Although it would still not catch
continuous RNG test failures.

Regards.


[openssl-users] Testing FIPS mode using 0 randomness

2015-03-02 Thread jonetsu
Hello,

  I tried a simple test to see if FIPS mode would fail, using the example given 
in the FIPS user guide 2.0.  The test consisted of replacing the /dev/random 
and /dev/urandom with /dev/zero.  I would have expected that no source of 
randomness would make the tests run at the call of FIPS_mode_set(1) fail.

ex.:

cd dev
rm random
mknod -m 666 /dev/random c 1 5

Verify presence of zeroes all over:
cat /dev/random | xxd

./fips_hmac fips_hmac.o

I added a ret value to catch the return code from FIPS_mode_set(1).  Random or 
no random, it always returns 1.  

Shouldn't randomness be an important part of the power-up tests ?  I understand 
there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' 
(eg. continuous). Wouldn't these tests be part of the power-up sequence as 
called by FIPS_mode_set(1) also ?

Thanks.
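An added illustration, not the FIPS module's own code, of why the experiment above behaves as it does: the power-up self tests are known-answer tests of the algorithms and do not draw on /dev/random, so they pass whatever the device returns; it is the continuous random number generator test of FIPS 140-2 section 4.9.2, run on each block the module obtains, that compares a block with the one before it and rejects a stuck source. The comparison in its simplest form follows, run over a constructed all-zero buffer (what /dev/zero delivers) and a constructed varying buffer. The 16-byte block size is this example's choice.

```c
#include <stdio.h>
#include <string.h>

#define CRNGT_BLOCK 16   /* size of the blocks compared; an assumption of this example */

struct crngt {
    unsigned char last[CRNGT_BLOCK];  /* previous block, kept for comparison */
    int primed;                       /* 0 until a first block has been saved */
    unsigned long accepted;           /* blocks released to the caller */
};

void crngt_init(struct crngt *c)
{
    memset(c, 0, sizeof *c);
}

/* Feed one block. Per FIPS 140-2 4.9.2 the first block after power-up is only
 * saved, not used; every later block is rejected if it equals the previous one.
 * Returns 1 if the block may be used, 0 if it must be withheld (first block or
 * stuck source); *stuck is set to 1 only in the stuck-source case. */
int crngt_check(struct crngt *c, const unsigned char *block, int *stuck)
{
    *stuck = 0;
    if (c->primed && memcmp(c->last, block, CRNGT_BLOCK) == 0) {
        *stuck = 1;
        return 0;
    }
    memcpy(c->last, block, CRNGT_BLOCK);
    if (!c->primed) {
        c->primed = 1;
        return 0;
    }
    c->accepted++;
    return 1;
}

/* Run the test over a buffer; return the index of the first block that fails, or -1. */
long crngt_scan(const unsigned char *buf, size_t len)
{
    struct crngt c;
    size_t i;
    int stuck;

    crngt_init(&c);
    for (i = 0; i + CRNGT_BLOCK <= len; i += CRNGT_BLOCK) {
        crngt_check(&c, buf + i, &stuck);
        if (stuck)
            return (long)(i / CRNGT_BLOCK);
    }
    return -1;
}

/* Constructed "varying" source for the demo: a byte counter, not a DRBG and not
 * random; it only guarantees that consecutive blocks differ. */
void fill_counter(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)i;
}

int main(void)
{
    unsigned char zeros[64], counter[64];

    memset(zeros, 0, sizeof zeros);          /* what reading /dev/zero yields */
    fill_counter(counter, sizeof counter);
    printf("all-zero source: first failing block %ld\n", crngt_scan(zeros, sizeof zeros));
    printf("varying source:  first failing block %ld\n", crngt_scan(counter, sizeof counter));
    return 0;
}
```

This is why the return code of FIPS_mode_set(1) alone says nothing about the entropy source: the failure surfaces at the first DRBG seeding or reseed that the continuous test observes, which is the point Dr. Henson's reply about FIPS_post_set_callback() and the op value addresses, and it is also why the first block from a fresh source is discarded rather than handed to the caller.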




[openssl-users] FIPS methods and symlinks

2015-02-24 Thread jonetsu
Hello,

  To grasp how FIPS methods are called, and following one method
as an example, HMAC_Update() in hmac.c, we can see that if FIPS
mode is active then FIPS_hmac_update() will be called.  This is
fine although searching the sources for the physical definition of
FIPS_hmac_update() does not yield any results.  How do the
symbolic links function, what ends up being executed in this case
and through which path ?

Thanks, regards.


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-20 Thread jonetsu
On Feb 19, 2015 10:50am Henrik Grindal Bakken wrote:

> I'm not sure it will be called on every conceivable error in
> the FIPS module, but what I do in similar situations is
> something like this:
>
> static int post_cb(int op, int id, int subid, void *ex)
> {
>     if (op == FIPS_POST_FAIL)
>         system("/bin/fipserror");
>     return 1;
> }
>
> And there somewhere:
>
> FIPS_post_set_callback(post_cb);

This is very interesting, thanks.  Following this hint, in the same vein the
FIPS code also has:

FIPS_drbg_set_callbacks(args)

Although this one looks more like an entropy callback than
anything that could be used to know about status.

The FIPS User Guide mentions both, although the information on
FIPS_post_set_callback() is not much at all.  Is there another
source than the User Guide 2.0, for detailed descriptions of
these FIPS-related methods ?  For instance, the 'op' variable of 
FIPS_post_set_callback() is not described at all.  Any manual or 
info pages ?  Could be other potentially interesting methods in there. 
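An added example, serving both this thread and the "FIPS: Common method executed in case of error" thread above, of a callback with the signature quoted from Henrik's reply (`int post_cb(int op, int id, int subid, void *ex)`). It is not the FIPS module's or OpenSSL's code. It records the first failing test in memory and, optionally, drops a marker file for a watcher process (the tmpfs plus inotify idea from the earlier thread), instead of running an external program from inside the crypto path. `FIPS_POST_FAIL` comes from `<openssl/fips.h>` in a real build; the fallback value defined here for stand-alone compilation is an assumption that must be checked against that header. Everything else (struct and function names, the sample ids) is this example's own.

```c
#include <stdio.h>
#include <string.h>

/* In a FIPS capable build include <openssl/fips.h> instead; the value below is an
 * assumption for stand-alone compilation and must be verified against fips.h. */
#ifndef FIPS_POST_FAIL
#define FIPS_POST_FAIL 5
#endif

/* What the watcher, or a later health check, can read back. */
struct post_status {
    int failed;            /* 1 once any POST / continuous / pairwise test reported failure */
    int id, subid;         /* test identifiers handed to the callback on that failure */
    unsigned long calls;   /* total callback invocations, to confirm the tests ran at all */
};

static struct post_status g_status;
static const char *g_marker_path;   /* NULL: record in memory only */

/* Reset state; marker_path (e.g. a file on tmpfs watched with inotify) may be NULL. */
void post_status_reset(const char *marker_path)
{
    memset(&g_status, 0, sizeof g_status);
    g_marker_path = marker_path;
}

const struct post_status *post_status_get(void)
{
    return &g_status;
}

/* Callback with the quoted signature. It only records and, optionally, writes a
 * marker; deciding how to stop output is left to the application. */
int post_cb(int op, int id, int subid, void *ex)
{
    (void)ex;
    g_status.calls++;
    if (op == FIPS_POST_FAIL) {
        if (!g_status.failed) {          /* keep the first failure, the most useful one */
            g_status.failed = 1;
            g_status.id = id;
            g_status.subid = subid;
        }
        if (g_marker_path != NULL) {
            FILE *f = fopen(g_marker_path, "w");
            if (f != NULL) {
                fprintf(f, "fips post failure id=%d subid=%d\n", id, subid);
                fclose(f);
            }
        }
    }
    return 1;   /* same return value as the quoted post_cb */
}

int main(void)
{
    /* Stand-alone demonstration; in a real build the module invokes post_cb after
     * FIPS_post_set_callback(post_cb) and FIPS_mode_set(1). Ids are constructed. */
    post_status_reset(NULL);
    post_cb(0, 1, 0, NULL);              /* an op that is not a failure (constructed) */
    post_cb(FIPS_POST_FAIL, 7, 2, NULL); /* a failing test */
    printf("failed=%d id=%d subid=%d after %lu callbacks\n",
           g_status.failed, g_status.id, g_status.subid, g_status.calls);
    return 0;
}
```

Registering it with `FIPS_post_set_callback(post_cb)` before `FIPS_mode_set(1)`, as the quoted snippet does, covers the cases Dr. Henson lists in the other thread (POST, continuous RNG and pairwise consistency checks); the `calls` counter is a cheap way to confirm on a target unit that the callback was reached at all, which is the kind of evidence the question about the undocumented `op` value is after.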







Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread jonetsu


> From: Dr. Stephen Henson st...@openssl.org
> To: openssl-users@openssl.org
> Date: 02/19/15 11:34
> Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting
>
> The low level cipher and digest APIs cannot be used in FIPS mode: you have to
> use EVP.

That's quite an important point.  It brings a question: how are the 
'continuous' FIPS tests performed ?  Are they automatically called at the 
beginning of an EVP_* method ?  Do they run periodically in the background ?  
Both ?

Regards.


Re: [openssl-users] FIPS, continuous tests, and error reporting

2015-02-19 Thread jonetsu


> -----Original Message-----
> From: Salz, Rich rs...@akamai.com
> To: openssl-users@openssl.org
> Date: 02/19/15 07:43
> Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting
>
> > For that matter and in a general sense, so far I've seen that many
> > encryption
> > methods do not return any error code.  How does error reporting generally
> > work ?
>
> Really?  Which ones?

For instance, any of the void DES_*_encrypt().  This cursory observation is 
also supported by a vendor application code such as:

> static void des_encrypt(char key1[8], char key2[8], char key3[8], char ivec[8],
>                         char *input, char *output, int len,
>                         int encrypt)
> {
>
>   [snip]
>
>     DES_set_key(&des_key1, &schedule1);
>     DES_set_key(&des_key2, &schedule2);
>     DES_set_key(&des_key3, &schedule3);
>     DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output, len,
>                          &schedule1, &schedule2, &schedule3, &des_ivec,
>                          encrypt);
> }


This is basically why I'm wondering about how errors propagate in the OpenSSL 
library.


Re: [openssl-users] OpenSSL FIPS mode system integration

2015-02-19 Thread jonetsu


> -----Original Message-----
> From: Marcus Meissner meiss...@suse.de
> To: openssl-users@openssl.org
> Date: 02/19/15 08:07
> Subject: Re: [openssl-users] OpenSSL FIPS mode system integration
>
> Well, the writing is that the crypto module must stop operating
> on error.
>
> We solved this by calling abort(); in the openssl library on FIPS
> related error conditions.

H... What I have written from a consultancy compliance report is that all 
crypto operations must stop and, all data output of the designed Data Output 
interface(s) must also stop.  Hence my concern for the OS knowing about FIPS 
crypto test results.  Thanks for your comment.


Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread jonetsu
Steve Marquess marqu...@openssl.com wrote on 01/27/15 09:18:
Thank you (and Tom) for your comments - much appreciated.

> Tom Francis nailed the answer to this one. We did design the FIPS module
> + FIPS capable OpenSSL combination to make it possible to have a
> system wide FIPS mode capability, but that presumes that the system
> maintainer (i.e. OS distribution maintainer) has done the review and
> modification of each application that uses cryptography to make sure it
> is compatible with the many restrictions of FIPS mode.

Yes, I understand the concern.  Does this mean that the FIPS checks will be 
done today on OpenSSL library startup w/o the need for an application to use 
FIPS_mode_set() ?  I'm asking since the OpenSSL FIPS User Guide 2.0 only 
mentions using FIPS_mode_set() (and FIPS_selftest()).  Might have to do with 
your comment below.

> That is indeed the assumption: that commercial versions of RH and SuSE
> have modified all impacted OSS applications to operate in FIPS mode. If
> they haven't they are deceiving their customers and the U.S. government.

I see. There is a set of SuSE OpenSSH FIPS patches from 9 months ago, though.

> Please read the first two sentences on that web page, right at the top.

OK!  Regarding the second sentence :) ... what is the current status ?  Is 
OpenSSL transparently executing FIPS checks when in FIPS mode ?  And, why would 
there be any validation (as opposed to functional tests) to be done since these 
checks are the same as they were before I presume, just done automatically this 
time around.

Regards.