Re: FIPS questions
Troy Monaghen wrote: 2) I have a multi-threaded AIX application for which I needed to add a couple of compiler flags in the OpenSSL Configure script in order to support threading under AIX. After the FIPS code is validated would making this change be allowed within the security policy? Yes. Would the source code maintainers be interested in adding these flags to the distribution? FWIW I have included the change below. I imagine that threading should be an option. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: FIPS questions
Title: RE: FIPS questions Troy Monaghen wrote: 1) I don't see any Diffie-Hellman code in the fips part of the source tree except for the dh_test() function in fips_test_suite.c. Will DH be available to use in an application that will be running in FIPS mode without violating the security policy? DH will not be available in FIPS mode (the reference in fips_test_suite.c is to prove to NIST that it is disabled in FIPS mode). Leaving it out was, frankly, a stupid oversight. No testing would have been needed, we would only have had to put the relevant source files in the ./fips/ tree with an entry in the fingerprint.sha1 file. But by the time we realized this oversight we were out of time, money, and patience. This FIPS-140 validation is *very* time consuming, with a lot of false starts and rework. Ben and I have been working on this for over 18 months, with both of us donating a _lot_ more time than we ever intended to. We just ran out of steam. Now that this effort is close to completion we are seeing some interest in expanding the scope of the validation. With the difficult and expensive part already done those requests will be relatively easy to satisfy with contributions of money and/or labor. And I would expect to include DH in any follow-on validation. -Steve M.
FIPS questions
I have a couple of questions about the FIPS-140 stuff: 1) I don't see any Diffie-Hellman code in the fips part of the source tree except for the dh_test() function in fips_test_suite.c. Will DH be available to use in an application that will be running in FIPS mode without violating the security policy? 2) I have a multi-threaded AIX application for which I needed to add a couple of compiler flags in the OpenSSL Configure script in order to support threading under AIX. After the FIPS code is validated would making this change be allowed within the security policy? Would the source code maintainers be interested in adding these flags to the distribution? FWIW I have included the change below. diff -r1.314.2.85.2.14 Configure 448c448 aix43-cc, cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::, -- aix43-cc, cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::-qthreaded -D_THREAD_SAFE:::BN_LLONG RC4_CHAR::dlfcn:aix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::, Thanks! Troy Monaghen __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A couple more FIPS questions
Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon Walker [EMAIL PROTECTED] said: VWalker I have downloaded the latest FIPS snapshot (9/9) and I have a couple VWalker more questions about it: VWalker VWalker 1) How do I build it? If I just do a ./config (Linux) and VWalkermake, it will build everything, but I'm not sure I'm VWalkergetting all the FIPS stuff. Do I need to specify VWalkersomething like ./config -DFIPS to get it to build the VWalkerFIPS cryptography module? ./config fips I added the configuration option fips when I noticed that just saying -DFIPS wasn't enough. VWalker 2) It doesn't appear that optimized assembly code is part of VWalkerthe FIPS module. Is that correct? That's correct if you use the configuration option fips. If you just did './config -DFIPS', you'll get conflicts, or whatever you're lucky to end up with (you'll see the conflicts if you also use the configuration option shared). VWalker 3) Once I have the FIPS crypto built, how do I use OpenSSL so VWalkerthat all SSL crypto work is done using that FIPS crypto? You have to specify a crypto suite that only contains DSA, DES (and variants thereof, like DES3), AES and SHA1. Those and RAND are all that are currently implemented as FIPS modules. Actually, you can use RSA for signatures, too, but I forgot about it as there's no validation suite. I'll be adding it soon. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A couple more FIPS questions
In message [EMAIL PROTECTED] on Wed, 10 Sep 2003 09:45:29 +0100, Ben Laurie [EMAIL PROTECTED] said: ben Richard Levitte - VMS Whacker wrote: ben In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon Walker [EMAIL PROTECTED] said: ben ben VWalker 3) Once I have the FIPS crypto built, how do I use OpenSSL so ben VWalkerthat all SSL crypto work is done using that FIPS crypto? ben ben You have to specify a crypto suite that only contains DSA, DES (and ben variants thereof, like DES3), AES and SHA1. Those and RAND are all ben that are currently implemented as FIPS modules. ben ben Actually, you can use RSA for signatures, too, but I forgot about it as ben there's no validation suite. I'll be adding it soon. Along with fips/aes/fips_aes_data/list, I presume? -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A couple more FIPS questions
Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Wed, 10 Sep 2003 09:45:29 +0100, Ben Laurie [EMAIL PROTECTED] said: ben Richard Levitte - VMS Whacker wrote: ben In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon Walker [EMAIL PROTECTED] said: ben ben VWalker 3) Once I have the FIPS crypto built, how do I use OpenSSL so ben VWalkerthat all SSL crypto work is done using that FIPS crypto? ben ben You have to specify a crypto suite that only contains DSA, DES (and ben variants thereof, like DES3), AES and SHA1. Those and RAND are all ben that are currently implemented as FIPS modules. ben ben Actually, you can use RSA for signatures, too, but I forgot about it as ben there's no validation suite. I'll be adding it soon. Along with fips/aes/fips_aes_data/list, I presume? Actually, we should get rid of that directory. The tests should run on the fips/testvectors data, and we should have the response files in there to check against. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
A couple more FIPS questions
I have downloaded the latest FIPS snapshot (9/9) and I have a couple more questions about it: 1) How do I build it? If I just do a ./config (Linux) and make, it will build everything, but I'm not sure I'm getting all the FIPS stuff. Do I need to specify something like ./config -DFIPS to get it to build the FIPS cryptography module? 2) It doesn't appear that optimized assembly code is part of the FIPS module. Is that correct? 3) Once I have the FIPS crypto built, how do I use OpenSSL so that all SSL crypto work is done using that FIPS crypto? Thanks. Verdon Walker (801) 861-2633 [EMAIL PROTECTED] Novell, Inc., the leading provider of information solutions http://www.novell.com __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A couple more FIPS questions
In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon Walker [EMAIL PROTECTED] said: VWalker I have downloaded the latest FIPS snapshot (9/9) and I have a couple VWalker more questions about it: VWalker VWalker 1) How do I build it? If I just do a ./config (Linux) and VWalkermake, it will build everything, but I'm not sure I'm VWalkergetting all the FIPS stuff. Do I need to specify VWalkersomething like ./config -DFIPS to get it to build the VWalkerFIPS cryptography module? ./config fips I added the configuration option fips when I noticed that just saying -DFIPS wasn't enough. VWalker 2) It doesn't appear that optimized assembly code is part of VWalkerthe FIPS module. Is that correct? That's correct if you use the configuration option fips. If you just did './config -DFIPS', you'll get conflicts, or whatever you're lucky to end up with (you'll see the conflicts if you also use the configuration option shared). VWalker 3) Once I have the FIPS crypto built, how do I use OpenSSL so VWalkerthat all SSL crypto work is done using that FIPS crypto? You have to specify a crypto suite that only contains DSA, DES (and variants thereof, like DES3), AES and SHA1. Those and RAND are all that are currently implemented as FIPS modules. -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A couple more FIPS questions
Verdon Walker wrote: I have downloaded the latest FIPS snapshot (9/9) and I have a couple more questions about it: 1) How do I build it? If I just do a ./config (Linux) and make, it will build everything, but I'm not sure I'm getting all the FIPS stuff. Do I need to specify something like ./config -DFIPS to get it to build the FIPS cryptography module? ./config fips 2) It doesn't appear that optimized assembly code is part of the FIPS module. Is that correct? Correct. 3) Once I have the FIPS crypto built, how do I use OpenSSL so that all SSL crypto work is done using that FIPS crypto? I'll be commiting a README.FIPS, but in the meantime, you could look at the code that does the validation tests (fips/des/fips_desmovs.c, for example). Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]