Re: FIPS CCM self-test failure
On Thu, Aug 04, 2011, Tyrel Haveman wrote: Is there someone in particular who would be optimal to look into this? I have no knowledge of the code or algorithm in question here. What happens if you do: fips_test_suite post Please send the full output. Also temporarily in e_aes.c try changing the line: #define AESNI_CAPABLE (1(57-32)) to: #define AESNI_CAPABLE 0 and see if you still get that error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
SSL cipher mode
Hi, I want to make apache to use aes cipher for encryption in ctr mode (by default it is cbc mode). Cipher mode for aes is not specified in the cipher list. I know the mode is not being chosen in the hello process, but do you know when client and the server settle on the cipher mode they are about to use? If I know that I can hard code the settings to make apache use the ctr mode. Thanks Roham
Re: SSL cipher mode
On Thu, Aug 04, 2011, Roham Sameni wrote: Hi, I want to make apache to use aes cipher for encryption in ctr mode (by default it is cbc mode). Cipher mode for aes is not specified in the cipher list. I know the mode is not being chosen in the hello process, but do you know when client and the server settle on the cipher mode they are about to use? If I know that I can hard code the settings to make apache use the ctr mode. Since no standards exist which use AES and CTR mode you can't actually do this without violating the standards ciphersuites or introducing a non-standard experimental ciphersuite. So the question is why do you want to do that? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS CCM self-test failure
Dr. Henson Changing #define AESNI_CAPABLE 0 resolved the problem. All the tests run ok. Ken --- On Fri, 8/5/11, Dr. Stephen Henson st...@openssl.org wrote: From: Dr. Stephen Henson st...@openssl.org Subject: Re: FIPS CCM self-test failure To: openssl-dev@openssl.org Date: Friday, August 5, 2011, 6:08 AM On Thu, Aug 04, 2011, Tyrel Haveman wrote: Is there someone in particular who would be optimal to look into this? I have no knowledge of the code or algorithm in question here. What happens if you do: fips_test_suite post Please send the full output. Also temporarily in e_aes.c try changing the line: #define AESNI_CAPABLE (1(57-32)) to: #define AESNI_CAPABLE 0 and see if you still get that error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS CCM self-test failure
Dr. Henson The error happens in fips_aes_selftest.c, lines 157-159: if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) || memcmp(out, ccm_ct, sizeof(ccm_ct))) goto err; If I comment out these three lines, all tests run ok. Ken --- On Fri, 8/5/11, Dr. Stephen Henson st...@openssl.org wrote: From: Dr. Stephen Henson st...@openssl.org Subject: Re: FIPS CCM self-test failure To: openssl-dev@openssl.org Date: Friday, August 5, 2011, 6:08 AM On Thu, Aug 04, 2011, Tyrel Haveman wrote: Is there someone in particular who would be optimal to look into this? I have no knowledge of the code or algorithm in question here. What happens if you do: fips_test_suite post Please send the full output. Also temporarily in e_aes.c try changing the line: #define AESNI_CAPABLE (1(57-32)) to: #define AESNI_CAPABLE 0 and see if you still get that error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS CCM self-test failure
The full output of fips_test_suite post is below. I tried changing AESNI_CAPABLE to 0 as you suggested, and all tests now succeed, as Ken also experienced. Here's the output of fips_test_suite: POST started DRBG AES-128-CTR DF test started DRBG AES-128-CTR DF test OK DRBG AES-192-CTR DF test started DRBG AES-192-CTR DF test OK DRBG AES-256-CTR DF test started DRBG AES-256-CTR DF test OK DRBG AES-128-CTR test started DRBG AES-128-CTR test OK DRBG AES-192-CTR test started DRBG AES-192-CTR test OK DRBG AES-256-CTR test started DRBG AES-256-CTR test OK DRBG SHA1 test started DRBG SHA1 test OK DRBG SHA224 test started DRBG SHA224 test OK DRBG SHA256 test started DRBG SHA256 test OK DRBG SHA384 test started DRBG SHA384 test OK DRBG SHA512 test started DRBG SHA512 test OK X9.31 PRNG keylen=16 test started X9.31 PRNG keylen=16 test OK X9.31 PRNG keylen=24 test started X9.31 PRNG keylen=24 test OK X9.31 PRNG keylen=32 test started X9.31 PRNG keylen=32 test OK Digest SHA1 test started Digest SHA1 test OK Digest SHA1 test started Digest SHA1 test OK Digest SHA1 test started Digest SHA1 test OK HMAC SHA1 test started HMAC SHA1 test OK HMAC SHA224 test started HMAC SHA224 test OK HMAC SHA256 test started HMAC SHA256 test OK HMAC SHA384 test started HMAC SHA384 test OK HMAC SHA512 test started HMAC SHA512 test OK CMAC AES-128-CBC test started CMAC AES-128-CBC test OK CMAC AES-192-CBC test started CMAC AES-192-CBC test OK CMAC AES-256-CBC test started CMAC AES-256-CBC test OK CMAC DES-EDE3-CBC test started CMAC DES-EDE3-CBC test OK Cipher AES-128-ECB test started Cipher AES-128-ECB test OK CCM test started CCM test FAILED!! ERROR:2D091086:lib=45,func=145,reason=134:file=.\fips\aes\fips_aes_selftest.c:line=194 GCM test started GCM test OK XTS AES-128-XTS test started XTS AES-128-XTS test OK XTS AES-256-XTS test started XTS AES-256-XTS test OK Cipher DES-EDE3-ECB test started Cipher DES-EDE3-ECB test OK Cipher DES-EDE3-ECB test started Cipher DES-EDE3-ECB test OK Signature RSA test started Signature RSA test OK Signature ECDSA test started Signature ECDSA test OK Signature ECDSA test started Signature ECDSA test OK Signature DSA test started Signature DSA test OK POST Failed Power-up self test failed On Fri, Aug 5, 2011 at 4:08 AM, Dr. Stephen Henson st...@openssl.orgwrote: On Thu, Aug 04, 2011, Tyrel Haveman wrote: Is there someone in particular who would be optimal to look into this? I have no knowledge of the code or algorithm in question here. What happens if you do: fips_test_suite post Please send the full output. Also temporarily in e_aes.c try changing the line: #define AESNI_CAPABLE (1(57-32)) to: #define AESNI_CAPABLE 0 and see if you still get that error. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org