OpenSSL FIPS Capable and No Fingerprint

2013-06-25 Thread Jeffrey Walton
Hi All,

When linking to the FIPS Capable shared object, the program fails its
fingerprint check:

$ arm-linux-androideabi-gcc --sysroot="$ANDROID_SYSROOT" \
    -I/usr/local/ssl/android-14/include fips_hmac.c -o fips_hmac.exe \
    /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0
$ adb push /usr/local/ssl/android-14/lib/libcrypto.so.1.0.0 /data/local/tmp/
827 KB/s (2154388 bytes in 2.541s)
$ adb push fips_hmac.exe /data/local/tmp/
64 KB/s (6884 bytes in 0.103s)
$ adb shell
shell@android: $ cd /data/local/tmp
255|shell@android: $ LD_LIBRARY_PATH=./; ./fips_hmac.exe -v *
Attempting FIPS mode...
1076692172:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
2|shell@android:/data/local/tmp $

Any ideas why the signature would be in the BSS (initialized to 0):

  $ arm-linux-androideabi-objdump -T libcrypto.so.1.0.0 | grep -i FIPS_signature
  001a9668 gDO .bss   0014 FIPS_signature

Should I be running fipsld somewhere (I thought that was done for the
shared object during make)?

Below are the steps used to build the FIPS Object Module and FIPS Capable.

Jeff

* FIPS Object Module *

. ./setenv-android.sh
cd openssl-fips-2.0.4/
./config
make
sudo make install
sudo mv /usr/local/ssl/fips-2.0/ /usr/local/ssl/$ANDROID_API
sudo cp $FIPS_SIG /usr/local/ssl/$ANDROID_API/bin

* FIPS Capable *

. ./setenv-android.sh
cd openssl-1.0.1e/
./config fips shared -no-sslv2 -no-sslv3 -no-comp -no-hw -no-engines \
    --openssldir=/usr/local/ssl/$ANDROID_API \
    --with-fipsdir=/usr/local/ssl/$ANDROID_API \
    --with-fipslibdir=/usr/local/ssl/$ANDROID_API/lib/
make depend
make all
sudo -E make install CC=$ANDROID_TOOLCHAIN/arm-linux-androideabi-gcc \
    RANLIB=$ANDROID_TOOLCHAIN/arm-linux-androideabi-ranlib
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread mclellan, dave
Excellent. Thank you very much. Very helpful and is exactly what we need to
know.

Dave 

+-+-+-+-+-+-+ 
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+ 


-Original Message-
From: Steve Marquess [mailto:marqu...@opensslfoundation.com] 
Sent: Tuesday, June 25, 2013 2:59 PM
To: openssl-users@openssl.org
Cc: mclellan, dave
Subject: Re: repost: OpenSSL 1.0.1E and FIPS 2.0.x?

On 06/25/2013 01:48 PM, mclellan, dave wrote:
> Sorry for the re-post, I thought someone would have some authoritative 
> answer, opinion, or experience with this subject of compatibility and 
> FIPS approval status when upgrading...
> 
> From: mclellan, dave Sent: Thursday, June 20, 2013 12:42 PM To:
> openssl-users@openssl.org Subject: OpenSSL 1.0.1E and FIPS 2.0.x?
> 
> I've searched archives for an answer, but found nothing obvious - if 
> we move from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do 
> we also have to move ahead to latest version of FIPS OM which appears 
> to be 2.0.4?

From the perspective of the validity of the OpenSSL FIPS Object Module
2.0 validation, all other software including OpenSSL is out of scope of the 
validation. So policy isn't a constraint on your choice of OpenSSL version 
and/or revision, only technical compatibility.

The 2.0 FIPS module was designed to be compatible with the OpenSSL 1.0.1 
release (including all letter revisions), and hopefully also the upcoming 1.0.2 
release.

The letter revisions with OpenSSL 1.0.1 (the most recent being 1.0.1e) address 
bug and security fixes, so you'll want the latest revision. In the DoD and 
federal government arena security policies will usually require such upgrades.

The revisions of the FIPS module (the most recent being 2.0.5) are primarily 
for the purpose of adding support for new platforms. We incorporate the 
occasional minor bugfix when we can, but the fixes (including security fixes) 
we'd most like to include we usually can't due to the substantial restrictions 
on modifications to validated modules.

So, there is no reason to upgrade to the latest 2.0 FIPS module revision unless 
the specific platform(s) of interest require that revision. If you're building 
a FIPS module for the first time you might as well use the latest revision, but 
all earlier revisions 2.0, 2.0.1, etc. remain fully valid.

To summarize: always use the latest 1.0.1n revision of OpenSSL, but once you 
have built and fielded a specific revision 2.0.N of the FIPS module there is no 
reason to upgrade it even when upgrading to OpenSSL 1.0.1n.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com



RE: Any issue in these instruction?

2013-06-25 Thread mehroz
Thank you Dave Thompson for your detailed answer.

Being new to OpenSSL stuff, I have very little knowledge of what these
instructions were actually doing.
I have extracted this set of instructions from a script doing RSA with SHA1,
and I wanted to convert it to ECC with SHA256 based encryption and that is
all. So, I just thought to change the key type (EC) at first and then move on
with SHA256.

Can you give me an example of how I can acquire the desired results from those
instructions?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Any-issue-in-these-instruction-tp45673p45705.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Need help in building OpenSSL on Win CE 6.0

2013-06-25 Thread Bankapur, Balaji (GE Healthcare)
Hello,

I am trying to build OpenSSL for Win CE 6.0 on x86.

Tried the following steps.

Building wcecompat library
---

1. Downloaded wcecompat source from "https://github.com/mauricek/wcecompat/"

2. Open Visual studio 2005 command prompt.

3. Following environment setup has been done.

@call "D:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat"
@set OSVERSION=WCE600
@set PLATFORM=DO_X86_600
@set TARGETCPU=X86
@set GE_HALOSDK=D:\Program Files\Windows CE Tools\wce600\DO_X86_600
@set PATH=%VSINSTALLDIR%\Common7\IDE;%VCINSTALLDIR%\ce\bin\x86_cex86;%VCINSTALLDIR%\bin;%NASMINSTALLDIR%;%PATH%
@set INCLUDE=%GE_HALOSDK%\Include\x86;%VCINSTALLDIR%\ce\include;%INCLUDE%
@set LIB=%GE_HALOSDK%\Lib\x86;%VCINSTALLDIR%\ce\lib\x86;%LIB%

4. "cd" to wcecompat source directory.

5. Call "perl config.pl" --- Done success

6. Call "nmake" --- Done Success (wcecompat.lib and wcecompatex.lib lib 
files generated).

Building OpenSSL
--


1. Downloaded OpenSSL source (openssl-1.0.1e.tar.gz) from http://www.openssl.org/source/

2. Open Visual studio 2005 command prompt

3. Set the following environment

@call "D:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat"
@set OSVERSION=WCE600
@set PLATFORM=DO_X86_600
@set TARGETCPU=X86
@set WCECOMPAT=C:\wcecompat
@set GE_HALOSDK=D:\Program Files\Windows CE Tools\wce600\DO_X86_600
@set PATH=%VSINSTALLDIR%\Common7\IDE;%VCINSTALLDIR%\ce\bin\x86_cex86;%VCINSTALLDIR%\bin;%NASMINSTALLDIR%;%PATH%
@set INCLUDE=%GE_HALOSDK%\Include\x86;%VCINSTALLDIR%\ce\include;%INCLUDE%
@set LIB=%GE_HALOSDK%\Lib\x86;%VCINSTALLDIR%\ce\lib\x86;%LIB%
@set LIBPATH=%GE_HALOSDK%\Lib\x86;%VCINSTALLDIR%\ce\lib\x86;%LIBPATH%

4. "cd" to "openssl-1.0.1e" OpenSSL source directory

5. "perl Configure VC-CE".

6. "ms\do_ms.bat"

7. "nmake -f ms\cedll.mak"

8. The build process stops with following error.

cl /Fotmp32dll_X86\bss_dgram.obj  -Iinc32 -Itmp32dll_X86 /MC /O1i /W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -D_WIN32_WCE=600 -DUNDER_CE=600 -DWCE_PLATFORM_DO_X86_600 -Dx86 -D_X86_ -D_i386_ -Di_386_ -IC:\wcecompat/include -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll_X86/lib -D_WINDLL -D_DLL  -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\bio\bss_dgram.c
cl : Command line warning D9002 : ignoring unknown option '/MC'
bss_dgram.c
.\crypto\bio\bss_dgram.c(1852) : error C2220: warning treated as error - no 'object' file generated
.\crypto\bio\bss_dgram.c(1852) : warning C4996: '_ftime64': This function or variable may be unsafe. Consider using _ftime64_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
D:\Program Files\Microsoft Visual Studio 8\VC\INCLUDE\sys/timeb.h(152) : see declaration of '_ftime64'
NMAKE : fatal error U1077: '"D:\Program Files\Microsoft Visual Studio 8\VC\bin\cl.EXE"' : return code '0x2'
Stop.

9. Removed the /WX compile option from the cedll.mak and started the nmake 
again (mentioned in step 7)

10.  Got following error message
Building OpenSSL
cl /Fotmp32dll_X86\b_sock.obj  -Iinc32 -Itmp32dll_X86 /MC /O1i /W3 /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT -D_WIN32_WCE=600 -DUNDER_CE=600 -DWCE_PLATFORM_DO_X86_600 -Dx86 -D_X86_ -D_i386_ -Di_386_ -IC:\wcecompat/include -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll_X86/lib -D_WINDLL -D_DLL  -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\bio\b_sock.c
cl : Command line warning D9002 : ignoring unknown option '/MC'
b_sock.c
.\crypto\bio\b_sock.c(195) : warning C4013: 'getservbyname' undefined; assuming extern returning int
.\crypto\bio\b_sock.c(195) : warning C4047: '=' : 'servent *' differs in levels of indirection from 'int'
.\crypto\bio\b_sock.c(629) : error C2079: 'sa_in6' uses undefined struct 'sockaddr_in6'
.\crypto\bio\b_sock.c(776) : error C2224: left of '.sin6_addr' must have struct/union type
.\crypto\bio\b_sock.c(776) : error C2224: left of '.sin6_addr' must have struct/union type
.\crypto\bio\b_sock.c(776) : error C2168: 'memset' : too few actual parameters for intrinsic function
.\crypto\bio\b_sock.c(777) : error C2224: left of '.sin6_addr' must have struct/union type
.\crypto\bio\b_sock.c(861) : error C2079: 'sa_in6' uses undefined struct 'sockaddr_in6'
NMAKE : fatal error U1077: '"D:\Program Files\Microsoft Visual Studio 8\VC\bin\cl.EXE"' : return code '0x2'
Stop.

Questions

1. Is there any OpenSSL version available which can be compiled without 
wcecompat library ?? My understanding is that wcecompa

Re: repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread Steve Marquess
On 06/25/2013 01:48 PM, mclellan, dave wrote:
> Sorry for the re-post, I thought someone would have some
> authoritative answer, opinion, or experience with this subject of
> compatibility and FIPS approval status when upgrading...
> 
> From: mclellan, dave Sent: Thursday, June 20, 2013 12:42 PM To:
> openssl-users@openssl.org Subject: OpenSSL 1.0.1E and FIPS 2.0.x?
> 
> I've searched archives for an answer, but found nothing obvious - if
> we move from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do
> we also have to move ahead to latest version of FIPS OM which appears
> to be 2.0.4?

From the perspective of the validity of the OpenSSL FIPS Object Module
2.0 validation, all other software including OpenSSL is out of scope of
the validation. So policy isn't a constraint on your choice of OpenSSL
version and/or revision, only technical compatibility.

The 2.0 FIPS module was designed to be compatible with the OpenSSL 1.0.1
release (including all letter revisions), and hopefully also the
upcoming 1.0.2 release.

The letter revisions with OpenSSL 1.0.1 (the most recent being 1.0.1e)
address bug and security fixes, so you'll want the latest revision. In
the DoD and federal government arena security policies will usually
require such upgrades.

The revisions of the FIPS module (the most recent being 2.0.5) are
primarily for the purpose of adding support for new platforms. We
incorporate the occasional minor bugfix when we can, but the fixes
(including security fixes) we'd most like to include we usually can't
due to the substantial restrictions on modifications to validated modules.

So, there is no reason to upgrade to the latest 2.0 FIPS module revision
unless the specific platform(s) of interest require that revision. If
you're building a FIPS module for the first time you might as well use
the latest revision, but all earlier revisions 2.0, 2.0.1, etc. remain
fully valid.

To summarize: always use the latest 1.0.1n revision of OpenSSL, but once
you have built and fielded a specific revision 2.0.N of the FIPS module
there is no reason to upgrade it even when upgrading to OpenSSL 1.0.1n.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com


repost: OpenSSL 1.0.1E and FIPS 2.0.x?

2013-06-25 Thread mclellan, dave
Sorry for the re-post, I thought someone would have some authoritative answer, 
opinion, or experience with this subject of compatibility and FIPS approval 
status when upgrading...

From: mclellan, dave
Sent: Thursday, June 20, 2013 12:42 PM
To: openssl-users@openssl.org
Subject: OpenSSL 1.0.1E and FIPS 2.0.x?

I've searched archives for an answer, but found nothing obvious - if we move 
from OpenSSL 1.0.1c (with FIPS OM 2.0) to OpenSSL 1.0.1e, do we also have to 
move ahead to latest version of FIPS OM which appears to be 2.0.4?

Thanks
+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+



AW: Problem with RSA_private_encrypt and OAEP

2013-06-25 Thread Robert Inzinger - SKIDATA
>> Hi
>> 
>> I try to use RSA_private_encrypt and OAEP and always get the error at 
>> the call of RSA_private_encrypt :
>> 
>RSA_private_encrypt() is used for signing data whereas OAEP is a padding mode 
>used for encryption. You'd need to use RSA_public_encrypt and 
>RSA_private_decrypt instead.
>
>Steve.

Thx for answer. I am a little bit confused. Is there any documentation how to 
use padding modes (especially OAEP and X 9.31) correctly?

Robert.


Deadlock in FIPS mode

2013-06-25 Thread Fredrik Jansson
Hi!

I have managed to deadlock OpenSSL while running in FIPS mode.

The locking functions are setup according to mttest.c and th-lock.c using
pthread_mutex_.

Please note I have NOT explicitly set a thread id function.

The env is:
openssl-1.0.1e
openssl-fips-2.0.5
RHEL 6 - 32 bit.

Please let me know if there is any other information I can provide.

Best regards,
Fredrik

My callstacks look like:

Thread 17 (Thread 0xad841b70 (LWP 13059)):
#0  0x00147424 in __kernel_vsyscall ()
#1  0x00a24059 in __lll_lock_wait () from /lib/libpthread.so.0
#2  0x00a1f400 in _L_lock_698 () from /lib/libpthread.so.0
#3  0x00a1f2d1 in pthread_mutex_lock () from /lib/libpthread.so.0
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002499ba in FIPS_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#6  0x002456ba in fips_drbg_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#7  0x002d51c0 in RAND_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0

Thread 11 (Thread 0xa98ffb70 (LWP 13066)):
#0  0x00147424 in __kernel_vsyscall ()
#1  0x00a24059 in __lll_lock_wait () from /lib/libpthread.so.0
#2  0x00a1f400 in _L_lock_698 () from /lib/libpthread.so.0
#3  0x00a1f2d1 in pthread_mutex_lock () from /lib/libpthread.so.0
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002d3ed0 in ssleay_rand_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#6  0x002d4f46 in drbg_get_entropy () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#7  0x0023f217 in fips_get_entropy () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#8  0x0023f3cb in drbg_reseed () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#9  0x0023fc14 in FIPS_drbg_generate () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#10 0x00245733 in fips_drbg_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#11 0x002d51c0 in RAND_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#12 0x00c9f3df in dtls1_enc () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#13 0x00c9b341 in do_dtls1_write () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#14 0x00c9b615 in dtls1_write_bytes () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#15 0x00c9b68a in dtls1_write_app_data_bytes () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#16 0x00c85b2a in ssl3_write () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#17 0x00ca0df9 in SSL_write () from /opt/ct_mvpn/lib/libssl.so.1.0.0

Thread 9 (Thread 0xa751db70 (LWP 13095)):
#0  0x00147424 in __kernel_vsyscall ()
#1  0x00a24059 in __lll_lock_wait () from /lib/libpthread.so.0
#2  0x00a1f400 in _L_lock_698 () from /lib/libpthread.so.0
#3  0x00a1f2d1 in pthread_mutex_lock () from /lib/libpthread.so.0
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002499ba in FIPS_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#6  0x002456ba in fips_drbg_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#7  0x00245817 in fips_drbg_pseudo () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#8  0x002d5200 in RAND_pseudo_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#9  0x00c78b5f in ssl3_get_client_hello () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#10 0x00c97189 in dtls1_accept () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#11 0x00ca445a in SSL_accept () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#12 0x00c9a129 in dtls1_listen () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#13 0x00c9a1d8 in dtls1_ctrl () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#14 0x00ca3673 in SSL_ctrl () from /opt/ct_mvpn/lib/libssl.so.1.0.0

Thread 8 (Thread 0xa6b1cb70 (LWP 13096)):
#0  0x00147424 in __kernel_vsyscall ()
#1  0x00a24059 in __lll_lock_wait () from /lib/libpthread.so.0
#2  0x00a1f400 in _L_lock_698 () from /lib/libpthread.so.0
#3  0x00a1f2d1 in pthread_mutex_lock () from /lib/libpthread.so.0
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002d3989 in ssleay_rand_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#6  0x002d4e06 in drbg_rand_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#7  0x00245561 in fips_drbg_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#8  0x002d5180 in RAND_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#9  0x00c96720 in dtls1_accept () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#10 0x00ca445a in SSL_accept () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#11 0x00c9a129 in dtls1_listen () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#12 0x00c9a1d8 in dtls1_ctrl () from /opt/ct_mvpn/lib/libssl.so.1.0.0
#13 0x00ca3673 in SSL_ctrl () from /opt/ct_mvpn/lib/libssl.so.1.0.0
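
One way to read backtraces like the ones above systematically, as an added example that is not part of the original post: it groups threads by the function from which they are blocked in CRYPTO_lock and flags any thread that has such a function further out on its own stack. The holder guess is a heuristic that assumes a function takes its lock before calling deeper; `parse` and `analyse` are illustrative names.

```python
import re
from collections import defaultdict

# Excerpt of the traces above, trimmed to the frames around CRYPTO_lock.
SAMPLE = """\
Thread 17 (Thread 0xad841b70 (LWP 13059)):
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002499ba in FIPS_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#6  0x002456ba in fips_drbg_bytes () from
/opt/ct_mvpn/lib/libcrypto.so.1.0.0
#7  0x002d51c0 in RAND_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0

Thread 11 (Thread 0xa98ffb70 (LWP 13066)):
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002d3ed0 in ssleay_rand_bytes () from
/opt/ct_mvpn/lib/libcrypto.so.1.0.0
#10 0x00245733 in fips_drbg_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#11 0x002d51c0 in RAND_bytes () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0

Thread 8 (Thread 0xa6b1cb70 (LWP 13096)):
#4  0x0024b395 in CRYPTO_lock () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#5  0x002d3989 in ssleay_rand_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
#8  0x002d5180 in RAND_add () from /opt/ct_mvpn/lib/libcrypto.so.1.0.0
"""

LOCK_FUNCS = {"CRYPTO_lock", "FIPS_lock"}   # lock entry point and its wrapper
THREAD_RE = re.compile(r"^Thread (\d+) ")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\w+) \(")

def parse(text):
    """Return {thread_id: [function names, innermost frame first]}."""
    stacks, cur = {}, None
    for line in text.splitlines():          # wrapped path lines match nothing
        if m := THREAD_RE.match(line):
            cur = stacks.setdefault(int(m.group(1)), [])
        elif (m := FRAME_RE.match(line)) and cur is not None:
            cur.append(m.group(2))
    return stacks

def analyse(stacks):
    """Return (waiters, holders): blocked threads per function, guessed owners."""
    site = {}                               # thread -> index of the blocked caller
    for tid, frames in stacks.items():
        if "CRYPTO_lock" in frames:
            i = frames.index("CRYPTO_lock")
            while i < len(frames) - 1 and frames[i] in LOCK_FUNCS:
                i += 1                      # skip wrappers such as FIPS_lock
            site[tid] = i
    waiters, holders = defaultdict(list), defaultdict(list)
    for tid, i in site.items():
        waiters[stacks[tid][i]].append(tid)
    for tid, i in site.items():
        for outer in stacks[tid][i + 1:]:   # frames further out than the blocked one
            if outer in waiters and tid not in holders[outer]:
                holders[outer].append(tid)  # heuristic: already past that lock
    return dict(waiters), dict(holders)

if __name__ == "__main__":
    print(analyse(parse(SAMPLE)))
```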