> From: owner-openssl-us...@openssl.org On Behalf Of David Stafford
> Sent: Thursday, 12 August, 2010 11:31
> To: openssl-users
> Subject: openssl-fips-1.2.crossbuild.diff.gz signature incorrect
>
> When attempting to verify the hmac signature of the file
> "openssl-fips-1.2.crossbuild.diff.gz" I get a wrong value. At least
> it's wrong when compared with the Security Policy document.
>
> Also, the file when retrieved from the web is not compressed as the
> file name might imply, but merely a text format patch file.
> The patch works fine, but does not match the signature as published.
>

Check your client. The file is in fact a gzip-compressed patch (text) file. It is served with content-type: text/plain and content-encoding: x-gzip. Some clients may (sometimes?) interpret content-encoding as transport and decompress before storing locally. If so, the decompressed data (of course) does not have the same hash(es), even though its contents are equally correct and useful. Or conceivably if you're going through a proxy it might do this, although re-encoding resources (bodies) is a pretty aggressive and even antisocial thing for a proxy to do. In extremis try tcpdump/wireshark/etc to see exactly what you get.
> When I check the signature of the file "openssl-fips-1.2.tar.gz" I do
> get the correct value.
>
> I attempt to compute the signature of the crossbuild patch as
> published and get the following result:
>
> openssl sha1 -hmac etaonrishdlcupfm
> openssl-fips-1.2.crossbuild.diff.gz
> HMAC-SHA1(openssl-fips-1.2.crossbuild.diff.gz)=
> 304eb3fae1578bd46c6e30699d2bb53606f8dec2
>

Note that method is only for the signature shown in the Policy for that specific file (fips-1.2 tarball). The signatures on www.openssl.org/source for all the files there are plain sha1 and md5 digests, not HMACs. For example openssl-fips-1.2.tar.gz.md5 is 1a5642f0a6c1154fa9f839a0d9c606e9 and openssl-fips-1.2.tar.gz.sha1 is f09c3040da6cdd8bdd8c9cf01af8f14f89ee84d1, which is a different value than the sha1-hmac for the same file.

I'm not sure why they even used an HMAC in the Policy. Probably the 'priests' just liked it. It doesn't add anything. Any actual security comes from having the digest, *or* HMAC, protected by a different means than the subject data. And unfortunately having both of them on the same website, even though it is a fine website, doesn't really do that. The PGP-signing does; but then you need PGP (or GPG). Comparing multiple mirrors defends against an attack on only one website (or a handful), but is more work, and defeats the traditional bandwidth-saving purpose of mirrors. Life is imperfect.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
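An added example, not code from the thread or from the OpenSSL project, showing the two points above: the plain SHA-1/MD5 published on the website and the keyed HMAC-SHA1 from the Security Policy (key `etaonrishdlcupfm`, as quoted in the thread) give different values for the same bytes, and a `.gz` artifact that arrives without the gzip magic bytes was most likely decoded in transit, which explains a digest mismatch. The patch text, file name and all digests are constructed here, not the real ones.

```python
import gzip
import hashlib
import hmac

# Key quoted in the thread for the FIPS 1.2 Security Policy HMAC-SHA1.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of any gzip stream


def digests(data: bytes) -> dict:
    """Plain MD5 and SHA-1 (what the website's .md5/.sha1 files carry) plus
    the keyed HMAC-SHA1 used by the Security Policy. All three differ."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "hmac-sha1": hmac.new(FIPS_HMAC_KEY, data, hashlib.sha1).hexdigest(),
    }


def verify_download(filename: str, data: bytes, expected: str, kind: str = "sha1") -> str:
    """Compare the bytes actually stored on disk against a published value.

    "ok" on a match. On a mismatch, flag the case from the thread: a .gz
    artifact whose bytes no longer start with the gzip magic was almost
    certainly decoded by the client or a proxy (Content-Encoding treated as
    transport), so no published digest of the compressed file can match.
    """
    actual = digests(data)[kind]
    if hmac.compare_digest(actual, expected.lower()):
        return "ok"
    if filename.endswith(".gz") and not data.startswith(GZIP_MAGIC):
        return "mismatch: not gzip data, likely decoded in transit"
    return "mismatch"


def as_served(patch_text: bytes) -> bytes:
    """Constructed stand-in for the compressed patch as stored on the server
    (mtime pinned so the bytes, and hence the digests, are deterministic)."""
    return gzip.compress(patch_text, mtime=0)


if __name__ == "__main__":
    patch = b"--- a/Configure\n+++ b/Configure\n@@ -1 +1 @@\n-old\n+new\n"  # constructed
    served = as_served(patch)
    published = digests(served)
    print(published)
    print(verify_download("example.diff.gz", served, published["sha1"]))  # ok
    print(verify_download("example.diff.gz", patch, published["sha1"]))   # decoded in transit
```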