Re: FIPS CCM self-test failure

2011-08-04 Thread Tyrel Haveman
Is there someone in particular who would be optimal to look into this? I
have no knowledge of the code or algorithm in question here.

Tyrel

On Thu, Aug 4, 2011 at 4:48 PM, Dr. Stephen Henson wrote:

> On Thu, Aug 04, 2011, Tyrel Haveman wrote:
>
> > Hello,
> >
> > After building the FIPS module on Windows using the do_fips.bat script, I
> > run the fips_test_suite.exe. On most machines all tests succeed. But on one
> > machine I have, the CCM test fails (exact error below). I did a bit of
> > debugging and it looks like the functions are simply returning the wrong
> > encoded bytes.
> >
> > The only thing I can find that distinguishes this machine from the others,
> > where it succeeds, is that this machine has an Intel Core i7 CPU, while the
> > others are older CPUs. Out of curiosity I tried building with "no-asm"
> > (which I know is not supported), and then all the tests succeed on all the
> > machines. This leads me to believe that there's a problem with the assembly
> > code. Note that I tried both 32-bit and 64-bit builds and it's the same
> > problem with both.
> >
> > Here is where the error is being reported:
> > CCM  test started
> > CCM  test FAILED!!
> >
> > ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194
> >
> > What do you think?
> >
>
> Could be a problem with the AES-NI support for CCM which is rather new.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   majord...@openssl.org
>


X509_NAME_print_ex_fp on Windows, was RE: Applink issues

2011-08-04 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Colin Rice
>   Sent: Thursday, 04 August, 2011 15:43

>   [including applink.c] fixes the sample program.
>   But it doesn't fix all of the original bug. We have an issue with 
> X509_print_name_ex_fp called with flags

You mean X509_NAME_print_ex_fp. C cares about details like that.

>   XN_FLAG_ONELINE is causing a crash during SSL_connect but calling 
> it with no flags works.

What version(s)? In 1.0.0d (and probably earlier but I didn't look) 
send_fp_chars calls plain fwrite instead of going through uplink 
as I believe it needs to for an app-supplied fp (on Windows DLL). 

I assume 'no flags' means 0 which is officially XN_FLAG_COMPAT. 
That uses the old non-ex code with a fileBIO, which uses UP_fwrite 
and therefore should work. (No flags at all wouldn't compile.) 

This looks like a bug to me, and I am copying to -dev (I hope). 
I think it will work if you similarly create a temporary fileBIO 
for X509_NAME_print_ex!not_fp! with all other args as desired.





Re: FIPS CCM self-test failure

2011-08-04 Thread Kenneth Robinette
I see the exact same thing.  I compile on a 32-bit XP system and the test runs
ok.  I copy the compiled exe's to an HP 64-bit Windows 7 machine with an Intel
i7-2600 and the test fails with the same exact error.

Ken


--- On Thu, 8/4/11, Dr. Stephen Henson  wrote:

> From: Dr. Stephen Henson 
> Subject: Re: FIPS CCM self-test failure
> To: openssl-dev@openssl.org
> Date: Thursday, August 4, 2011, 6:48 PM
> On Thu, Aug 04, 2011, Tyrel Haveman wrote:
>
> > Hello,
> >
> > After building the FIPS module on Windows using the do_fips.bat script, I
> > run the fips_test_suite.exe. On most machines all tests succeed. But on one
> > machine I have, the CCM test fails (exact error below). I did a bit of
> > debugging and it looks like the functions are simply returning the wrong
> > encoded bytes.
> >
> > The only thing I can find that distinguishes this machine from the others,
> > where it succeeds, is that this machine has an Intel Core i7 CPU, while the
> > others are older CPUs. Out of curiosity I tried building with "no-asm"
> > (which I know is not supported), and then all the tests succeed on all the
> > machines. This leads me to believe that there's a problem with the assembly
> > code. Note that I tried both 32-bit and 64-bit builds and it's the same
> > problem with both.
> >
> > Here is where the error is being reported:
> > CCM  test started
> > CCM  test FAILED!!
> > ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194
> >
> > What do you think?
> >
>
> Could be a problem with the AES-NI support for CCM which is rather new.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Re: FIPS CCM self-test failure

2011-08-04 Thread Dr. Stephen Henson
On Thu, Aug 04, 2011, Tyrel Haveman wrote:

> Hello,
> 
> After building the FIPS module on Windows using the do_fips.bat script, I
> run the fips_test_suite.exe. On most machines all tests succeed. But on one
> machine I have, the CCM test fails (exact error below). I did a bit of
> debugging and it looks like the functions are simply returning the wrong
> encoded bytes.
> 
> The only thing I can find that distinguishes this machine from the others,
> where it succeeds, is that this machine has an Intel Core i7 CPU, while the
> others are older CPUs. Out of curiosity I tried building with "no-asm"
> (which I know is not supported), and then all the tests succeed on all the
> machines. This leads me to believe that there's a problem with the assembly
> code. Note that I tried both 32-bit and 64-bit builds and it's the same
> problem with both.
> 
> Here is where the error is being reported:
> CCM  test started
> CCM  test FAILED!!
> ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194
> 
> What do you think?
> 

Could be a problem with the AES-NI support for CCM which is rather new.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Pairwise consistency X FIPS_mode_set

2011-08-04 Thread Tatiana Evers
Hi,

Do the conditional tests only run if I call *FIPS_mode_set* function
previously in my application?

Thanks in advance,

Tatiana


FIPS CCM self-test failure

2011-08-04 Thread Tyrel Haveman
Hello,

After building the FIPS module on Windows using the do_fips.bat script, I
run the fips_test_suite.exe. On most machines all tests succeed. But on one
machine I have, the CCM test fails (exact error below). I did a bit of
debugging and it looks like the functions are simply returning the wrong
encoded bytes.

The only thing I can find that distinguishes this machine from the others,
where it succeeds, is that this machine has an Intel Core i7 CPU, while the
others are older CPUs. Out of curiosity I tried building with "no-asm"
(which I know is not supported), and then all the tests succeed on all the
machines. This leads me to believe that there's a problem with the assembly
code. Note that I tried both 32-bit and 64-bit builds and it's the same
problem with both.

Here is where the error is being reported:
CCM  test started
CCM  test FAILED!!
ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194

What do you think?

Thanks,
Tyrel
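
The error line quoted in the message above carries the same information twice: once as the packed hex code and once as the `lib=`/`func=`/`reason=` fields. The following is an added example, not code from the thread or from OpenSSL, that parses such a line and cross-checks the two; the struct and function names are hypothetical, and the 8/12/12-bit packing is assumed to be the OpenSSL 1.0.x `ERR_PACK` layout.

```c
#include <stdio.h>
#include <string.h>

/* One error-queue entry as printed by the test suite (struct name is hypothetical). */
struct ossl_err {
    unsigned long code;     /* packed hex code, e.g. 0x2D091086 */
    int lib, func, reason;  /* values printed after lib=, func=, reason= */
    int line;               /* source line that raised the error */
    char file[128];         /* source file that raised the error */
};

/* Assumed layout (OpenSSL 1.0.x ERR_PACK): 8 bits lib, 12 bits func, 12 bits reason. */
static int err_lib(unsigned long c)    { return (int)((c >> 24) & 0xffUL); }
static int err_func(unsigned long c)   { return (int)((c >> 12) & 0xfffUL); }
static int err_reason(unsigned long c) { return (int)(c & 0xfffUL); }

/* Parse "ERROR:<hex>:lib=L,func=F,reason=R:file=<path>:line=N".
 * Returns 0 if the line parses and the packed code matches the printed
 * fields, -1 if the line is malformed, -2 if code and fields disagree. */
int parse_err_line(const char *s, struct ossl_err *e)
{
    int n = 0;
    const char *path, *tail = NULL, *p;
    memset(e, 0, sizeof(*e));
    if (sscanf(s, "ERROR:%lx:lib=%d,func=%d,reason=%d:file=%n",
               &e->code, &e->lib, &e->func, &e->reason, &n) != 4 || n == 0)
        return -1;
    /* A Windows path can contain ':' (drive letter), so split on the last ":line=". */
    path = p = s + n;
    while ((p = strstr(p, ":line=")) != NULL) { tail = p; p += 6; }
    if (tail == NULL || (size_t)(tail - path) >= sizeof(e->file))
        return -1;
    memcpy(e->file, path, (size_t)(tail - path));
    if (sscanf(tail, ":line=%d", &e->line) != 1)
        return -1;
    if (err_lib(e->code) != e->lib || err_func(e->code) != e->func ||
        err_reason(e->code) != e->reason)
        return -2;
    return 0;
}

int main(void)
{
    struct ossl_err e;  /* input below is the error line quoted in the thread */
    int rc = parse_err_line("ERROR:2D091086:lib=45,func=145,reason=134:"
                            "file=.\\fips\\aes\\fips_aes_selftest.c:line=194", &e);
    printf("rc=%d lib=%d func=%d reason=%d %s:%d\n", rc, e.lib, e.func, e.reason, e.file, e.line);
    return rc != 0;
}
```

The unpacking helpers are useful on their own when a log keeps only the hex code and drops the decoded fields.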


Re: Fipscheck X FIPS_incore_fingerprint

2011-08-04 Thread Tomas Mraz
On Wed, 2011-08-03 at 17:40 -0300, Tatiana Evers wrote:
> Hi Tomas,
> 
> 
> You said that OpenSSH does not use the FIPS_incore_fingerprint call. But
> it does the FIPS_mode_set call and that does the FIPS_incore_fingerprint call.
> 
> 
> int FIPS_mode_set(int onoff)
> {
>     int fips_set_owning_thread();
>     int fips_clear_owning_thread();
>     int ret = 0;
> 
>     fips_w_lock();
>     fips_set_started();
>     fips_set_owning_thread();
> 
>     if(onoff)
>     {
>         unsigned char buf[48];
> 
>         fips_selftest_fail = 0;
> 
>         if(!FIPS_check_incore_fingerprint())
>         {
>             fips_selftest_fail = 1;
>             ret = 0;
>             goto end;
>         }
> 
>     }
> 
> 
> Did the Red Hat Enterprise Linux OpenSSL and OpenSSH modules modify the
> FIPS_mode_set function, and this OpenSSL doesn't
> use the FIPS_check_incore_fingerprint() call?

Yes, we modified the OpenSSL code and the Red Hat Enterprise Linux
OpenSSL FIPS module is validated independently from the OpenSSL upstream
FIPS module. 
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
