Re: FIPS 2.0: fipsld on cross-compile

2012-07-22 Thread AJ
Hi Steve,

Thanks for all the help -- I think I've things sorted out now.

Here are some of the issues I've had cross-compiling for Android.  Just some 
feedback -- maybe they'll help someone running into the same.

1) Building as shared libraries is straightforward, but they give versioned 
libraries (i.e. libcrypto.so.1.0.0).  Unfortunately, the Android packaging 
system only takes shared libraries ending with .so.  And just changing the name 
doesn't work, as during the linking phase, other libraries use the internal 
library name which also has the version number.  So, on loading the library, it 
thinks there is a mismatch.
As we cannot modify the build (to maintain FIPS validation), there are only 
hacky-type solutions -- such as changing filename at runtime.  As another user 
suggested, it would be helpful if version numbers could be put in front of the 
.so (i.e. libcrypto.1.0.0.so).

2) Building as static libraries requires using fipsld while linking to get the 
HMAC fingerprints.  I originally wanted to just wrap the 2 static libraries 
into one shared library with everything.  I was using the -Wl,--whole-archive 
flags to get everything, which works fine using normal gcc.  But with fipsld, 
it complains about multiple definitions (of items in fipscanister.o).  You can 
specify --allow-multiple-definition to get past these warnings, but then it will 
not get the right fingerprints.  It will fail the fingerprint test on 
FIPS_mode_set(1).

3) I modified my builds to accommodate building with static libraries.  So I've 
now got the appropriate Makefile which calls to fipsld during linking into the 
JNI shared library.  This works fine, but is some work, as the normal Android 
ndk-build system will not support things like defining CC.  So you either need 
to hack the ndk-build files, or build it externally from the normal ndk-build 
system (as a prebuilt library).

4) fipsld (line 116) calls "ar" to remove fipscanister.o.  This is a 
native-host call, and fails on MacOS building for Android.  [This does work 
fine on Linux building for Android however.]  This really should be calling the 
cross-compile "ar", and not the host version.
*** I can modify the fipsld script on MacOS to make this work, but will this 
invalidate the FIPS validation??? ***

Thanks to you and others for all the hard work putting out this great tool.

And a big thanks for all of the quick responses and support.

Regards,
AJ





- Original Message -
From: Dr. Stephen Henson 
To: openssl-users@openssl.org
Cc: 
Sent: Friday, July 20, 2012 4:22 PM
Subject: Re: FIPS 2.0:  fipsld on cross-compile

On Fri, Jul 20, 2012, AJ wrote:

> OK, that worked -- built my library using fipsld.  However, on running, I am 
> STILL getting fingerprint validation failure when calling FIPS_mode_set(1).
> 
> 1552985864:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:229:
> 
> Any good ideas on how to debug why?
> 

Do you get this error with the openssl utility entering FIPS mode using the
commands I mentioned in a previous message?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                          majord...@openssl.org



Re: LWP and CURL connections stoped working.

2012-07-22 Thread Benn Boulton
hi

finally got openssl to stop giving me the
Verify return code: 20 (unable to get local issuer certificate)
and now get 0 OK response

it was a certificate file issue.

issued a lot of
 openssl s_client -CAfile "DIFFERENT CERT AND PEM FILES" -connect .
until I got the ok.

still trying to get LWP/PayflowPro.pm to work though. seems the
ssl_opts( SSL_ca_file => 'WORKING_CERT_FILE' )  is not taking as expected.

Benn

- Original Message - 
From: 
To: "Benn Boulton" ; 
Sent: Saturday, July 21, 2012 2:45 PM
Subject: Re: LWP and CURL connections stoped working.



thanks for the offer.

best I can determine something upgraded - lwp or openssl
and it doesn't handle the handshake properly.

glad you found a workaround.

eejack

At 09:36 AM 7/21/2012, Benn Boulton wrote:
>hi and thanks for the suggestion but no help for me.
>
>What I ended up doing is to pass the transaction info to another server I
>own that does not have the problem
>then send the transaction to paypal and return the response back to the
>original call
>
>The other server is SSL secured as well and still has Perl 5.8.8 installed
>
>I have set up the pass through server to work for multiple paypal
>accounts.
>The original server that sends the request gets the response and puts it
>back into a hash
>Very few additional lines of code
>basically
>
>1  make a '&' separated name=value string of the transaction
>- the string has additional fields for file name and debug/testing
>- the filename on the other server contains the login for paypal
>- so no paypal login info is passed over the first connection
>
>2 send request to other server with CURL
> $response = `/path/to/specialcurlscript '$URL_to_other_server' '$TRANS_TEST'`;
>
>3 other server builds the request as needed by Payflow and calls
>pfpro($data) command
>
>4 other server converts HASH to '&' separated 'name=value' string
>
>5 original server converts string back to HASH and continues as usual
>
>
>I can make my server available if needed www.comfortsignups.com
>
>---here are the orig script changes
>my $pfpdata = '';
>$pfpdata .= "AMT=$orderamount";
>$pfpdata .= "&TENDER=C";   # credit card
>$pfpdata .= "&TRXTYPE=S";   # sale
>$pfpdata .= "&TAXAMT=0.00";
>$pfpdata .= "&FIRSTNAME=$cardfname";
>$pfpdata .= "&LASTNAME=$cardlname";
>$pfpdata .= "&STREET=$cardaddress";
>$pfpdata .= "&ZIP=$cardzip";
>$pfpdata .= "&EMAIL=$cardemail";
>$pfpdata .= "&ACCT=$cardno";
>$pfpdata .= "&EXPDATE=$cardexp";
>$pfpdata .= "&CVV2=$securitycode";
>.
>.
>.
>$pfpdata .= "&pfprocfg=pfpro.cfg";   # extra to get PayPal login
>$pfpdata .= "&debug_level=0";   # extra to turn on debug and testmode (OPTIONAL)
>
>$response = `/var/www/SpecialScripts/ccipfpro.pl '$url' '$pfpdata'`;
>chomp($response);
>$result = {};
>@results = split(/&/, $response);
>foreach my $pair (@results) {
>    ($param, $value) = split(/=/, $pair, 2);
>    $result->{$param} = $value;
>}
>.
>.
>.
>
>--- here is the 'specialperlscript'
>#!/usr/bin/perl
>use strict;
>use warnings;
>use WWW::Curl::Easy;
>
># Both values arrive as command-line arguments, which other local users can
># read with ps; $data carries the card fields.
>my $url  = $ARGV[0];
>my $data = $ARGV[1];
>
>my $curl = WWW::Curl::Easy->new;
>$curl->setopt(CURLOPT_URL, $url);
>$curl->setopt(CURLOPT_POST, 1);
>$curl->setopt(CURLOPT_POSTFIELDS, $data);
># No CURLOPT_WRITEDATA is set, so libcurl writes the response body to stdout,
># which is what the caller's backticks capture. (CURLOPT_RETURNTRANSFER is a
># PHP option; WWW::Curl::Easy has no such constant.)
>my $return_code   = $curl->perform;
>my $response_code = $curl->getinfo(CURLINFO_HTTP_CODE);
>
>
>- Original Message -
>From: 
>To: 
>Sent: Friday, July 20, 2012 11:24 PM
>Subject: LWP and CURL connections stoped working.
>
>
>
>right now this looks like a solution for me.
>
>$ua->ssl_opts( SSL_version => 'TLSv1');
>
>I put it in right after I created the LWP useragent
>
>my $req;
>$req = HTTP::Request->new('POST', 'https://payflowpro.paypal.com/',
>$headers, $queryStr);
>my $ua = LWP::UserAgent->new;
>$ua->ssl_opts( SSL_version => 'TLSv1');
>
>I worked it out after I saw someone mentioned curl ( never used it 
>before ).
>
>curl https://payflowpro.paypal.com
>does not work.
>curl https://payflowpro.paypal.com -v -3
>does.
>
>
>hope this helps.
>
>eejack
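
An added example (mine, not from either poster's scripts) of the direct fix the message above is after: hand LWP the CA file that made s_client report "Verify return code: 0" and keep chain and hostname verification on, rather than disabling it or forcing an older protocol version. The CA path and the form fields are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Placeholder: the CA file that made "openssl s_client -CAfile ... -connect"
# report "Verify return code: 0 (ok)".
my $ca_file = '/etc/ssl/certs/ca-bundle.pem';
my $url     = 'https://payflowpro.paypal.com/';

# Give ssl_opts to the constructor (or call $ua->ssl_opts before the first
# request). verify_hostname stays on, so a wrong CA file fails loudly
# instead of silently accepting any certificate.
my $ua = LWP::UserAgent->new(
    timeout  => 30,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
    },
);

# Send the transaction in the POST body; the fields below are constructed
# placeholders, not real Payflow values.
my $req = HTTP::Request->new('POST', $url);
$req->content_type('application/x-www-form-urlencoded');
$req->content('TRXTYPE=S&TENDER=C&AMT=0.00');

my $res = $ua->request($req);
if ($res->is_success) {
    print $res->decoded_content, "\n";
}
else {
    # A "certificate verify failed" status here means the CA file is still
    # wrong. Point SSL_ca_file at the right bundle; do not set
    # SSL_verify_mode to 0 or force an old SSL_version to make it go away.
    die 'request failed: ' . $res->status_line . "\n";
}
```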



Re: create certificate request programmatically using OpenSSL API

2012-07-22 Thread Ozweepay

I wrote this a while ago, but I think it was trivially modified from
something I found online.  I added a few comments, which perhaps is 
helpful.


Re: LWP and CURL connections stoped working.

2012-07-22 Thread eejack


thanks for the offer.

best I can determine something upgraded - lwp or openssl
and it doesn't handle the handshake properly.

glad you found a workaround.

eejack


setting up an openssl client/server connection

2012-07-22 Thread Matthias Apitz


Hello,

I'm trying to build openssl keys to be used in a client/server connection
and need some step by step guide for this, as I'm doing it for the
first time.

I found and started with the following procedure:

http://acs.lbl.gov/~boverhof/openssl_certs.html

Generating Client/Server certificates with a local CA

Generate a CA

1) openssl req -out ca.pem -new -x509

   - generates CA file "ca.pem" and CA key "privkey.pem"

Generate server certificate/key pair - no password required.

2) openssl genrsa -out server.key 1024
3) openssl req -key server.key -new -out server.req
4) openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem

   (contents of "file.srl" is a two digit number.  eg. "00")

Generate client certificate/key pair

5) Either choose to encrypt the key(a) or not(b)
   a. Encrypt the client key with a passphrase
   openssl genrsa -des3 -out client.key 1024
   b. Don't encrypt the client key  (I used this)
   openssl genrsa -out client.key 1024
6) openssl req -key client.key -new -out client.req
7) openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem
   
Then I copy over the files client.pem and server.pem to the example
software (openssl-examples-20020110):

$ cp server.pem client.pem openssl-examples-20020110
$ cd openssl-examples-20020110

but the server can't understand the file server.pem:

$ ./wserver
Can't read key file
4783:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:650:Expecting: ANY PRIVATE KEY
4783:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/home/guru/myThings/FreeBSD/9-CURRENT/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:

$ cat server.pem
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----

Perhaps something is wrong with the way used to generate the keys, but
what?

I checked the few *.txt files in http://www.openssl.org/docs/HOWTO/
and they seem to be useful, but at the critical point the file
certificates.txt makes a reference to "...another HOWTO " which is
not there :-(

Thanks

matthias

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e  - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
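
An added example (not from the post or from openssl-examples) that turns the failure above into a check: the error comes from SSL_CTX_use_PrivateKey_file finding no PRIVATE KEY block in the file it was given, and the cat output shows server.pem holds only the certificate. The script bundles server.key and server.pem into server-bundle.pem (an assumed file name) and verifies the result before it is handed to the example server.

```shell
#!/bin/sh
# Added example, not part of the original post or of openssl-examples.

# Print the PEM block types in a file, one per line, e.g. "RSA PRIVATE KEY".
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed when the file carries at least one private-key block.
has_private_key() {
    pem_block_types "$1" | grep -q 'PRIVATE KEY'
}

# Concatenate key and certificate into one file and confirm both are present.
bundle_key_and_cert() {
    key=$1 cert=$2 out=$3
    cat "$key" "$cert" > "$out"
    chmod 600 "$out"   # the bundle now holds the private key; keep it private
    has_private_key "$out" || { echo "$out: no private key block" >&2; return 1; }
    pem_block_types "$out" | grep -q '^CERTIFICATE$' \
        || { echo "$out: no certificate block" >&2; return 1; }
}

# Confirm the key really belongs to the certificate (needs the openssl binary).
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null | openssl md5)
    cmod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null | openssl md5)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Usage against the files produced by steps 2 to 4 of the procedure above.
if [ -f server.key ] && [ -f server.pem ]; then
    if ! has_private_key server.pem; then
        bundle_key_and_cert server.key server.pem server-bundle.pem \
            && key_matches_cert server.key server.pem \
            && echo "point ./wserver at server-bundle.pem instead of server.pem"
    fi
fi
```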