Re: [openssl-users] Getting General SSL Help

2015-03-02 Thread Lion Kimbro
Thank you everybody for your recommendations!  I've ordered a used copy of
Eric Rescorla's SSL and TLS, and have wishlisted Bulletproof SSL and TLS.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] FIPSLD 2.0.5 (HP-UX AI64 11.23) fails to link with pthread error

2015-03-02 Thread Tom Francis

> On Mar 2, 2015, at 4:18 AM, Mrunal Nerpawar  wrote:
> 
> Thanks Tom for the reply.
> 
> I know I am replying really late, but the option you mentioned is tried but 
> is not working either. :(
> 
> Anything else I can try?

Since I no longer have access to that compiler, and I don’t generally bother 
with FIPS 140 anymore, I can’t be sure, but I suspect the problem is described 
here:

http://h21007.www2.hp.com/portal/download/files/prot/files/linker/onlinehelp/compileandlink.htm
 (see “Linker Thread-safe features”).

Originally, I was thinking this was an actual link error, but now that I think 
about it, it’s probably coming from when fips_premain_dso is run to determine 
the signature to be embedded.  And if that’s the case, you’re pretty much out 
of luck — there’s no way to modify fips_premain_dso to avoid the shl_load() 
call (not and still be following the security policy), and there’s no way to 
make shl_load() succeed. shl_load() simply doesn’t work with TLS.  If you could 
somehow change your use of OpenSSL and the FIPS Object Module such that OpenSSL 
is linked statically into an executable (that is, a complete executable, not a 
shared library) then you could probably make it work. :(

You can verify if that’s the case by adding more output to your fipsld script; 
I suspect you’ll see the failure from the line:

SIG=`"${PREMAIN_DSO}" "${TARGET}"`

There should be code in fipsld to error out if that failed, but perhaps that 
was disabled?  Anyway, if the error is not from invoking fips_premain_dso, then 
something else is wrong, and I’d suggest opening a support case with HP.

TOM

> -Mrunal
> 
> On Wed, Feb 25, 2015 at 8:31 AM, Tom Francis  
> wrote:
> Have you tried changing FIPSLD_CC and FIPSLD_LINK to include the necessary 
> options (e.g. -mt)?  Note: it might be simpler to modify fipsld instead, 
> depending on how easy/hard it is to maintain spaces properly when setting 
> FIPSLD_CC and FIPSLD_LINK.  Since the fipsld script is just a convenience 
> script to help you meet the requirements of the security policy, you’re free 
> to modify it.  Just don’t modify it such that the security policy is no 
> longer followed.  Generally speaking, adding more options to the compile and 
> link steps will be safe.
> 
> TOM
> 
> > On Feb 23, 2015, at 4:36 AM, Mrunal Nerpawar  wrote:
> >
> > Details
> > ==
> > Fips 2.0.5 configured with no-asm and threads.
> > Openssl 1.0.1H configured with shared, fips, threads no-asm (many algos 
> > omitted)
> > compiler -  using aCC 6.25 on HPUX-IA64 11.23.
> >
> > bash-2.05$ aCC --version
> > aCC: HP C/aC++ B3910B A.06.25.02 [Nov 25 2010]
> > bash-2.05$
> >
> > product linking with fipsld fails with error ...
> > =
> > :DLFCN_LOAD:could not load the shared 
> > library:dso_dlfcn.c:187:filename(./objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0):
> >   Cannot dlopen load module '/usr/lib/hpux32/libpthread.so.1' because it 
> > contains thread specific data.
> >
> > Options tried
> > ==
> > * Compiling Cxx sources with -mt.
> > * Linking with -lpthread,
> > * setting LD_PRELOAD.
> > None worked effectively. with LD_PRELOAD option, ended up getting error - 
> > undefined symbol Ztil, etc.
> >
> > complete error is as follows.
> > =
> >
> > Building shared library 
> > objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0
> > FIPSLD_CC=aCC FIPSLD_LINK=aCC 
> > /unixhome/user/workspace/product/../3rdPt/Unix/HP-UX/ia64/OpenSource/ssl-1.0.1h/bin/fipsld
> >   +Z -b -g -O2 -AA -Wl,+s +tls=dynamic -o 
> > objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0 

Re: [openssl-users] Testing FIPS mode using 0 randomness

2015-03-02 Thread Tom Francis

> On Mar 2, 2015, at 12:18 PM, jonetsu  wrote:
> 
> Hello,
> 
>   I tried a simple test to see if FIPS mode would fail, using the example 
> given in the FIPS user guide 2.0.  The test consisted of replacing the 
> /dev/random and /dev/urandom with /dev/zero.  I would have expected that no 
> source of randomness would make the tests run at the call of FIPS_mode_set(1) 
> fail.
> 
> ex.:
> 
> cd dev
> rm random
> mknod -m 666 /dev/random c 1 5
> 
> Verify presence of zeroes all over:
> cat /dev/random | xxd
> 
> ./fips_hmac fips_hmac.o
> 
> I added a ret value to catch the return code from FIPS_mode_set(1).  Random 
> or no random, it always returns 1.  
> 
> Shouldn't randomness be an important part of the power-up tests ?  I 
> understand there are continuous RNG tests within OpenSSL FIPS mode, although 
> 'later on' (eg. continuous). Wouldn't these tests be part of the power-up 
> sequence as called by FIPS_mode_set(1) also ?

No.  The self-tests verify the output of the algorithms matches for given 
input.  This means when the PRNG is tested, it’s seeded with known values, and 
the output is checked against the correct output for the way it was seeded.  
Inputs from /dev/random, /dev/urandom, or any other “random” source are not 
used.

Remember, the goal of FIPS 140 is NOT “good security”, it’s “verifying that 
known cryptographic algorithms are used”.  If the input and output are not 
predictably the same, then how can you verify the algorithm used is the 
algorithm that’s supposed to be used?  And attempting to account in the tests 
for every possible input (what you’d have to do if you didn’t only test a small 
number of known inputs) would be impractical, at best. :)

TOM

> Thanks.
> 
> 

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
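
Added example (not part of the thread, and not code from OpenSSL or the FIPS Object Module): the behaviour Tom describes, sketched in Python. HMAC-SHA-256 with RFC 4231 test cases 1 and 2 stands in for the module's algorithms; the function names and both byte sources are constructed for this illustration. The known-answer test never touches an entropy source, while a simplified comparison of consecutive blocks is the kind of check that does react to an all-zero source.

```python
import hashlib
import hmac
import io

# RFC 4231 test cases 1 and 2 for HMAC-SHA-256: fixed key, fixed message, fixed answer.
KATS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]


def power_up_self_test(compute=None):
    """Known-answer test: True only if every fixed input gives its fixed output.

    Nothing here reads an entropy source, so the result cannot depend on one.
    """
    compute = compute or (lambda k, m: hmac.new(k, m, hashlib.sha256).hexdigest())
    return all(hmac.compare_digest(compute(k, m), want) for k, m, want in KATS)


def continuous_test(source, block_size=16, blocks=8):
    """Simplified continuous-style check: fail if two consecutive blocks match."""
    previous = source.read(block_size)
    for _ in range(blocks):
        current = source.read(block_size)
        if len(current) < block_size or current == previous:
            return False
        previous = current
    return True


def zero_source():
    # Constructed stand-in for a /dev/random that was replaced by /dev/zero.
    return io.BytesIO(bytes(4096))


def varying_source():
    # Constructed stand-in for a source whose blocks differ (not real entropy).
    return io.BytesIO(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32)))


if __name__ == "__main__":
    print("KAT, correct algorithm:", power_up_self_test())
    print("KAT, wrong algorithm:  ",
          power_up_self_test(lambda k, m: hmac.new(k, m, hashlib.sha1).hexdigest()))
    print("continuous, zero source:   ", continuous_test(zero_source()))
    print("continuous, varying source:", continuous_test(varying_source()))
```

The known-answer result is the same whichever source is in place; only the block comparison distinguishes the two sources.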


Re: [openssl-users] [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Erwann Abalea

It seems all the tarballs have disappeared.

--
Erwann ABALEA

On 02/03/2015 18:06, Alex Sklyar via RT wrote:

Hello guys. There is an issue with openssl pod installing with cocoapods tool. 
The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.





[openssl-users] Testing FIPS mode using 0 randomness

2015-03-02 Thread jonetsu
Hello,

  I tried a simple test to see if FIPS mode would fail, using the example given 
in the FIPS user guide 2.0.  The test consisted of replacing the /dev/random 
and /dev/urandom with /dev/zero.  I would have expected that no source of 
randomness would make the tests run at the call of FIPS_mode_set(1) fail.

ex.:

cd dev
rm random
mknod -m 666 /dev/random c 1 5

Verify presence of zeroes all over:
cat /dev/random | xxd

./fips_hmac fips_hmac.o

I added a ret value to catch the return code from FIPS_mode_set(1).  Random or 
no random, it always returns 1.  

Shouldn't randomness be an important part of the power-up tests ?  I understand 
there are continuous RNG tests within OpenSSL FIPS mode, although 'later on' 
(eg. continuous). Wouldn't these tests be part of the power-up sequence as 
called by FIPS_mode_set(1) also ?

Thanks.




Re: [openssl-users] has anyone developed a standalone test for CVE-2014-8730?

2015-03-02 Thread Brian Reichert
On Sat, Feb 28, 2015 at 10:50:27PM +, Richard Moore wrote:
> I wrote a test using tlslite - only a few lines of code, so it should be
> pretty easy to reproduce.

Is your test something you could share?  :)

Coding, per se, doesn't scare me, but assuring I have a correct
grasp of the specifics of what I'm implementing would take a while...

> 
> Rich.

-- 
Brian Reichert  
BSD admin/developer at large


Re: [openssl-users] FIPSLD 2.0.5 (HP-UX AI64 11.23) fails to link with pthread error

2015-03-02 Thread Mrunal Nerpawar
Thanks Tom for the reply.

I know I am replying really late, but the option you mentioned is tried but
is not working either. :(

Anything else I can try?

-Mrunal

On Wed, Feb 25, 2015 at 8:31 AM, Tom Francis 
wrote:

> Have you tried changing FIPSLD_CC and FIPSLD_LINK to include the necessary
> options (e.g. -mt)?  Note: it might be simpler to modify fipsld instead,
> depending on how easy/hard it is to maintain spaces properly when setting
> FIPSLD_CC and FIPSLD_LINK.  Since the fipsld script is just a convenience
> script to help you meet the requirements of the security policy, you’re
> free to modify it.  Just don’t modify it such that the security policy is
> no longer followed.  Generally speaking, adding more options to the compile
> and link steps will be safe.
>
> TOM
>
> > On Feb 23, 2015, at 4:36 AM, Mrunal Nerpawar  wrote:
> >
> > Details
> > ==
> > Fips 2.0.5 configured with no-asm and threads.
> > Openssl 1.0.1H configured with shared, fips, threads no-asm (many algos
> omitted)
> > compiler -  using aCC 6.25 on HPUX-IA64 11.23.
> >
> > bash-2.05$ aCC --version
> > aCC: HP C/aC++ B3910B A.06.25.02 [Nov 25 2010]
> > bash-2.05$
> >
> > product linking with fipsld fails with error ...
> > =
> > :DLFCN_LOAD:could not load the shared
> library:dso_dlfcn.c:187:filename(./objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0):
> Cannot dlopen load module '/usr/lib/hpux32/libpthread.so.1' because it
> contains thread specific data.
> >
> > Options tried
> > ==
> > * Compiling Cxx sources with -mt.
> > * Linking with -lpthread,
> > * setting LD_PRELOAD.
> > None worked effectively. with LD_PRELOAD option, ended up getting error
> - undefined symbol Ztil, etc.
> >
> > complete error is as follows.
> > =
> >
> > Building shared library
> objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0
> > FIPSLD_CC=aCC FIPSLD_LINK=aCC
> /unixhome/user/workspace/product/../3rdPt/Unix/HP-UX/ia64/OpenSource/ssl-1.0.1h/bin/fipsld
> +Z -b -g -O2 -AA -Wl,+s +tls=dynamic -o
> objs/HP-UX-B.11.23-ia64-64/libDataSourceImpl.so.10.0.0