Re: FIPS CCM self-test failure
Is there someone in particular who would be optimal to look into this? I have no knowledge of the code or algorithm in question here. Tyrel On Thu, Aug 4, 2011 at 4:48 PM, Dr. Stephen Henson wrote: > On Thu, Aug 04, 2011, Tyrel Haveman wrote: > > > Hello, > > > > After building the FIPS module on Windows using the do_fips.bat script, I > > run the fips_test_suite.exe. On most machines all tests succeed. But on > one > > machine I have, the CCM test fails (exact error below). I did a bit of > > debugging and it looks like the functions are simply returning the wrong > > encoded bytes. > > > > The only thing I can find that distinguishes this machine from the > others, > > where it succeeds, is that this machine has an Intel Core i7 CPU, while > the > > others are older CPUs. Out of curiousity I tried building with "no-asm" > > (which I know is not supported), and then all the tests succeed on all > the > > machines. This leads me to believe that there's a problem with the > assembly > > code. Note that I tried both 32-bit and 64-bit builds and it's the same > > problem with both. > > > > Here is where the error is being reported: > > CCM test started > > CCM test FAILED!! > > > ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194 > > > > What do you think? > > > > Could be a problem with the AES-NI support for CCM which is rather new. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org >
X509_NAME_print_ex_fp on Windows, was RE: Applink issues
> From: owner-openssl-us...@openssl.org On Behalf Of Colin Rice > Sent: Thursday, 04 August, 2011 15:43 > [including applink.c] fixes the sample program. > But it doesn't fix all of the original bug. We have an issue with > X509_print_name_ex_fp called with flags You mean X509_NAME_print_ex_fp. C cares about details like that. > XN_FLAG_ONELINE is causing a crash during SSL_connect but calling > it with no flags works. What version(s)? In 1.0.0d (and probably earlier but I didn't look) send_fp_chars calls plain fwrite instead of going through uplink as I believe it needs to for an app-supplied fp (on Windows DLL). I assume 'no flags' means 0 which is officially XN_FLAG_COMPAT. That uses the old non-ex code with a fileBIO, which uses UP_fwrite and therefore should work. (No flags at all wouldn't compile.) This looks like a bug to me, and I am copying to -dev (I hope). I think it will work if you similarly create a temporary fileBIO for X509_NAME_print_ex!not_fp! with all other args as desired. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS CCM self-test failure
I see the same exact same thing. I compile on a 32 bit XP system and test runs ok. I copy the compiled exe's to a HP 64-bit Windows 7 machine with Intel i7-2600 and the test fails with same exact error. Ken --- On Thu, 8/4/11, Dr. Stephen Henson wrote: > From: Dr. Stephen Henson > Subject: Re: FIPS CCM self-test failure > To: openssl-dev@openssl.org > Date: Thursday, August 4, 2011, 6:48 PM > On Thu, Aug 04, 2011, Tyrel Haveman > wrote: > > > Hello, > > > > After building the FIPS module on Windows using the > do_fips.bat script, I > > run the fips_test_suite.exe. On most machines all > tests succeed. But on one > > machine I have, the CCM test fails (exact error > below). I did a bit of > > debugging and it looks like the functions are simply > returning the wrong > > encoded bytes. > > > > The only thing I can find that distinguishes this > machine from the others, > > where it succeeds, is that this machine has an Intel > Core i7 CPU, while the > > others are older CPUs. Out of curiousity I tried > building with "no-asm" > > (which I know is not supported), and then all the > tests succeed on all the > > machines. This leads me to believe that there's a > problem with the assembly > > code. Note that I tried both 32-bit and 64-bit builds > and it's the same > > problem with both. > > > > Here is where the error is being reported: > > CCM test started > > CCM test FAILED!! > > > ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194 > > > > What do you think? > > > > Could be a problem with the AES-NI support for CCM which is > rather new. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project > > http://www.openssl.org > Development Mailing List > openssl-dev@openssl.org > Automated List Manager > > majord...@openssl.org > __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS CCM self-test failure
On Thu, Aug 04, 2011, Tyrel Haveman wrote: > Hello, > > After building the FIPS module on Windows using the do_fips.bat script, I > run the fips_test_suite.exe. On most machines all tests succeed. But on one > machine I have, the CCM test fails (exact error below). I did a bit of > debugging and it looks like the functions are simply returning the wrong > encoded bytes. > > The only thing I can find that distinguishes this machine from the others, > where it succeeds, is that this machine has an Intel Core i7 CPU, while the > others are older CPUs. Out of curiousity I tried building with "no-asm" > (which I know is not supported), and then all the tests succeed on all the > machines. This leads me to believe that there's a problem with the assembly > code. Note that I tried both 32-bit and 64-bit builds and it's the same > problem with both. > > Here is where the error is being reported: > CCM test started > CCM test FAILED!! > ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194 > > What do you think? > Could be a problem with the AES-NI support for CCM which is rather new. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Pairwise consistency X FIPS_mode_set
Hi, Do the conditional tests only run if I call *FIPS_mode_set* function previously in my application? Thanks in advance, Tatiana
FIPS CCM self-test failure
Hello, After building the FIPS module on Windows using the do_fips.bat script, I run the fips_test_suite.exe. On most machines all tests succeed. But on one machine I have, the CCM test fails (exact error below). I did a bit of debugging and it looks like the functions are simply returning the wrong encoded bytes. The only thing I can find that distinguishes this machine from the others, where it succeeds, is that this machine has an Intel Core i7 CPU, while the others are older CPUs. Out of curiousity I tried building with "no-asm" (which I know is not supported), and then all the tests succeed on all the machines. This leads me to believe that there's a problem with the assembly code. Note that I tried both 32-bit and 64-bit builds and it's the same problem with both. Here is where the error is being reported: CCM test started CCM test FAILED!! ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194 What do you think? Thanks, Tyrel
Re: Fipscheck X FIPS_incore_fingerprint
On Wed, 2011-08-03 at 17:40 -0300, Tatiana Evers wrote: > Hi Tomas, > > > You said that OpenSSH do not use the FIPS_incore_fingerprint call. But > it does FIPS_mode_set call and that does FIPS_incore_fingerprint call. > > > int FIPS_mode_set(int onoff) > { > int fips_set_owning_thread(); > int fips_clear_owning_thread(); > int ret = 0; > > > fips_w_lock(); > fips_set_started(); > fips_set_owning_thread(); > > > if(onoff) > { > unsigned char buf[48]; > > > fips_selftest_fail = 0; > > > > if(!FIPS_check_incore_fingerprint()) > { > fips_selftest_fail = 1; > ret = 0; > goto end; > } > > } > > > Did Red Hat Enterprise Linux OpenSSL and OpenSSH modules modify > FIPS_mode_set function, and this OpenSSL don't > use FIPS_check_incore_fingerprint() call ? Yes, we modified the OpenSSL code and the Red Hat Enterprise Linux OpenSSL FIPS module is validated independently from the OpenSSL upstream FIPS module. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org