Re: FIPS mode fails with fingerprint not matching error
> How do I make the FIPS module point to the FIPS capable version that has been
> built?

Look for the --with-fipslibdir option referenced in UserGuide 2.0. There is also a --with-fipsdir that I don't believe is talked about in the document.

You might want to run ldd on your app executable to check which ssl it's linking in. It may be linking an older ssl version living on your machine that's not necessarily the one you just built.

Cassie
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: AES-CMAC-128 equivalent to EVP_aes_128_cbc sent to CMAC?
> In implementing AES-CMAC-128 over a message, I assumed it would be
> equivalent in OpenSSL to hand the EVP_aes_128_cbc() EVP_CIPHER to CMAC, as
> I did not see a regular AES-128 EVP_CIPHER available.

It looks like sending AES-CBC into CMAC is the same thing as AES-CMAC-128. Question answered.
AES-CMAC-128 equivalent to EVP_aes_128_cbc sent to CMAC?
Hi folks,

Thanks for your help with previous questions. I have a new one, which should hopefully be quick:

In implementing AES-CMAC-128 over a message, I assumed it would be equivalent in OpenSSL to hand the EVP_aes_128_cbc() EVP_CIPHER to CMAC, as I did not see a regular AES-128 EVP_CIPHER available. Perhaps this is incorrect, but it seems as if there are only a variety of modes of AES available to send to CMAC, rather than the most "basic" version of the cipher.

Is there just a generic AES-128 EVP_CIPHER available to pass as an arg to CMAC?

Thanks for insight.

Cassie
Re: Easy way to turn on gdb symbols (and just gdb symbols?)
> Maybe I should add that I've verified that FIPS_mode is turned on right before
> my failing MD4 calls (think OpenSSLDie()), and I didn't do anything special
> to compile or turn on the MD4 algorithm. Could that be where I'm missing a
> step?

Ah yes, now I see that what I am trying to do is perhaps impossible:

"Other non-FIPS approved algorithms such a Blowfish, MD5, IDEA, RC4, etc. are disabled in FIPS mode."

OK. Here is where I'm coming from:

- I have a new version of a product that needs to use CMAC and CCM
- but it also has to support older versions of a protocol that call for things like... MD4
- as far as I know, CMAC and CCM can only be used through validated fips code (right?)...
- but if fips mode is turned on, MD4 is not available because it's not a validated algorithm.

Steve, if you are there, do you have advice on what library I should have used to achieve these requirements? Or if I am to toggle between fips and not fips mode during run time?

I was under the impression that moving the new openssl library into my product source would offer all of the old functionality I needed, as well as the new fips functionality. Is this not true?
Re: Easy way to turn on gdb symbols (and just gdb symbols?)
> I'm seeing odd failures in the MD4/MD4_Init functions and I can't
> debug them with gdb because I can't see what the source is doing.

Maybe I should add that I've verified that FIPS_mode is turned on right before my failing MD4 calls (think OpenSSLDie()), and I didn't do anything special to compile or turn on the MD4 algorithm. Could that be where I'm missing a step?
Re: openssl bug database?
Actually, my real question was, where can I see a list of bugs that are already reported for openssl, so I can anticipate certain openssl functions failing? I wish I could contribute more to the source by reporting bugs, but I have so many of my own already...and would like to be able to see where they are going to happen next, if that's possible.

Thanks.
Easy way to turn on gdb symbols (and just gdb symbols?)
Hi folks,

I'm looking to compile fips and openssl with gdb symbols. So far both compilations are unhappy with make CFLAGS=-g after doing my typical config stuff. I noticed there are some "debug" options for fips/Configure, if you look really hard in the Configure file...I think these typically include a gdb flag. The problem is, if I do

    cd fips
    ./Configure debug

on my build machine (which is gcc version 4.1.2) and then do

    make

I get

    gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_FIPSCANISTER -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror -c -o bn_blind.o bn_blind.c
    gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_FIPSCANISTER -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror -c -o bn_ctx.o bn_ctx.c
    cc1: warnings being treated as errors
    bn_ctx.c: In function ‘ctxdbg’:
    bn_ctx.c:163: warning: cast from pointer to integer of different size
    make[2]: *** [bn_ctx.o] Error 1
    make[2]: Leaving directory `/home/cassie/fips-2.0/crypto/bn'
    make[1]: *** [fips] Error 1
    make[1]: Leaving directory `/home/cassie/fips-2.0/crypto'
    make: *** [build_crypto] Error 1

which is an error I don't get if I just do a typical ./config. I'm guessing this is a gcc version problem. But I'm wondering if there is any simpler way to get gdb symbols compiled into fips 2.0 and openssl 1.0.1c that I'm overlooking.

At the moment, I'm seeing odd failures in the MD4/MD4_Init functions and I can't debug them with gdb because I can't see what the source is doing.

Any advice is greatly appreciated. Thanks.

Cassie
openssl bug database?
I want to make sure I don't potentially report openssl bugs that someone else has already reported. Is there a database of open openssl bugs that I haven't seen the link to, somewhere?

Thanks,
Cassie
Re: fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Eventually I solved this problem. Here is the set of commands I need to use to generate the shared fips-capable openssl libraries:

    su
    cd fips            # wherever that may be
    ./config
    make
    make install       # this installs fipscanister.o and adjacent files into /usr/local/ssl/fips-2.0/
    cd openssl         # still as root
    ./config fips shared
    make depend
    make
    make install       # this installs libssl.so* and libcrypto.so* into /usr/local/ssl/lib
    # I couldn’t get ldconfig to work for me, so I did this
    export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH

When I make my tiny application, I use the following directive in my Makefile:

    DRIVER = encryption_driver
    #export FIPSLD_CC = gcc // don't need this for .so
    #export CC = fipsld // don't need this for .so
    CC = gcc
    CFLAGS = -Wall
    INCLUDES = -I/usr/local/ssl/include/
    LFLAGS = -L/usr/local/ssl/lib
    LIBS = -lcrypto -lssl -ldl

    $(DRIVER): $(DRIVER).c $(DRIVER).h
    	$(CC) $(CFLAGS) -o $@ $(INCLUDES) $(LFLAGS) $(LIBS) $^

Subsequently, a call to FIPS_mode_set in my encryption_driver returns without error.

This was very difficult to debug in my actual product build sequence. Several executables are generated from the build and it turns out some were linking in an old version of openssl in some archaic location on the build machine (boo!) I made a lot of calls to ldd to discover this.

Hopefully this is helpful to someone else out there...

Cassie
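The ldd check described in the message above, as an added example that is not part of the original post: it classifies where each libssl/libcrypto dependency resolves, so a binary that picked up an older OpenSSL from another location stands out. The function names and the sample ldd output are constructed for illustration; /usr/local/ssl/lib is the install directory mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Sonames and addresses below are constructed.

# classify_ldd LIBDIR: reads `ldd` output on stdin and prints one verdict per
# libssl/libcrypto line: OK (resolved under LIBDIR), STRAY (resolved elsewhere)
# or MISSING ("not found"). Returns 0 if all are OK, 1 on any STRAY/MISSING,
# 2 if no OpenSSL shared library is linked at all.
classify_ldd() {
    # Force exactly one trailing slash so /usr/local/ssl/lib does not also
    # accept /usr/local/ssl/lib64/...
    awk -v want="${1%/}/" '
        BEGIN { bad = 0; seen = 0 }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen = 1
            if ($3 == "not") {
                print "MISSING", $1; bad = 1
            } else if (index($3, want) == 1) {
                print "OK", $1, $3
            } else {
                print "STRAY", $1, $3; bad = 1
            }
        }
        END { if (!seen) exit 2; exit bad }
    '
}

# audit_binaries LIBDIR FILE...: runs the check over real executables.
# ldd can run code from the file it inspects, so use it only on binaries
# produced by your own build.
audit_binaries() {
    want=$1; shift; rc=0
    for exe in "$@"; do
        echo "== $exe"
        ldd "$exe" 2>/dev/null | classify_ldd "$want" || rc=1
    done
    return $rc
}

# Constructed sample: a binary whose libcrypto came from a system directory
# while libssl came from the freshly built FIPS capable install.
sample_stray() {
    cat <<'EOF'
    linux-vdso.so.1 =>  (0x00007fff5a1fd000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00002b0e3c8a1000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00002b0e3cc4e000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00002b0e3ceab000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b0e3d0af000)
    /lib64/ld-linux-x86-64.so.2 (0x00002b0e3c684000)
EOF
}

sample_stray | classify_ldd /usr/local/ssl/lib ||
    echo "-> at least one OpenSSL library is not from /usr/local/ssl/lib"
```

For a real build tree, call audit_binaries /usr/local/ssl/lib followed by the executables the build produced; a non-zero return means at least one of them needs its link line or library path fixed.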
Re: Compiling openssl 1.0.1c with fips 2.0.1
> ar: creating ../libcrypto.a
> [ -z "/usr/local/ssl/fips-2.0/lib" ] || ar r ../libcrypto.a /usr/local/ssl/fips-2.0/libfipscanister.o
> ar: /usr/local/ssl/fips-2.0/libfipscanister.o: No such file or directory

Here is your problem, perhaps -- missing a slash at the end of lib. Should be pointing to

    /usr/local/ssl/fips-2.0/lib/fipscanister.o

instead of

    /usr/local/ssl/fips-2.0/libfipscanister.o

I suspect when you run a regular "make" it can't find fipscanister.o either. May want to verify.

Cassie
Re: fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Dr. Stephen Henson writes:
> > Integrity test started
> > ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
> > Integrity test Failed Incorrectly!!
>
> Well that error indicates the fingerprint error. The question is what is
> different about the two build processes?

The difference seems to be in the sequence of building things. In the main build, I do

1. fipscanister.o
2. fips_algvs
3. openssl + fipscanister.o module

If I use the copy of fips_algvs tool generated in step 2, I get the error on the target system. The build is set up such that I have source and build output leftover in debug directories. If I go back manually to the debugging source for fips and do a make build_algvs, like so

4. fips_algvs

and use that copy of the tool, no error comes out on the target system.

Much head scratching. And I still don't know what "digests" are getting compared during this FIPS_mode_set step. What is an incore fingerprint anyway?

Cassie
Re: fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Cassie Helms writes:
> Built fips_algvs on build system and scp'd to target system as suggested.

Hmm. I incorporated building fips_algvs into my build system and ran it from the rpm install on the target machine. I get different results now -- can anyone point to what this might indicate, coupled with the fips fingerprint error?

    # fips_algvs fips_test_suite post
    FIPS-mode test application
    FIPS 2.0 validated module 14 Mar 2012
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    POST started
    Integrity test started
    ERROR:2D06B06F:lib=45,func=107,reason=111:file=fips.c:line=229
    Integrity test Failed Incorrectly!!
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC-SHA256 test started
    DRBG HMAC-SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Failed
    Power-up self test failed

Old results below --

> ./fips_algvs fips_test_suite post
> FIPS-mode test application
> FIPS 2.0 validated module 14 Mar 2012
>
> DRBG AES-256-CTR DF test started
> DRBG AES-256-CTR DF test OK
> POST started
> Integrity test started
> Integrity test OK
> DRBG AES-256-CTR DF test started
> DRBG AES-256-CTR DF test OK
> DRBG AES-256-CTR test started
> DRBG AES-256-CTR test OK
> DRBG SHA256 test started
> DRBG SHA256 test OK
> DRBG HMAC-SHA256 test started
> DRBG HMAC-SHA256 test OK
> DRBG P-256 SHA256 test started
> DRBG P-256 SHA256 test OK
> X9.31 PRNG keylen=16 test started
> X9.31 PRNG keylen=16 test OK
> X9.31 PRNG keylen=24 test started
> X9.31 PRNG keylen=24 test OK
> X9.31 PRNG keylen=32 test started
> X9.31 PRNG keylen=32 test OK
> Digest SHA1 test started
> Digest SHA1 test OK
> Digest SHA1 test started
> Digest SHA1 test OK
> Digest SHA1 test started
> Digest SHA1 test OK
> HMAC SHA1 test started
> HMAC SHA1 test OK
> HMAC SHA224 test started
> HMAC SHA224 test
Re: fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Apologies, this thread is a duplicate of the one Dr. Henson is already responding to. The authentication system made it unclear whether or not my original question would post yesterday. Please do not respond to this thread.

Cassie
Re: fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
> What platform is the target system?

cat /etc/*-release: RHEL Server 5.5 (Tikanga)
uname -mrs: Linux 2.6.18-194.el5 x86_64

Build system specs are the same as these.

> After you build the validated module do this:
>
> make build_algvs
>
> This should build an fips_algvs binary in the test directory. Copy that to
> the target system and run:
>
> ./fips_algvs fips_test_suite post

Built fips_algvs on build system and scp'd to target system as suggested.

    ./fips_algvs fips_test_suite post
    FIPS-mode test application
    FIPS 2.0 validated module 14 Mar 2012
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    POST started
    Integrity test started
    Integrity test OK
    DRBG AES-256-CTR DF test started
    DRBG AES-256-CTR DF test OK
    DRBG AES-256-CTR test started
    DRBG AES-256-CTR test OK
    DRBG SHA256 test started
    DRBG SHA256 test OK
    DRBG HMAC-SHA256 test started
    DRBG HMAC-SHA256 test OK
    DRBG P-256 SHA256 test started
    DRBG P-256 SHA256 test OK
    X9.31 PRNG keylen=16 test started
    X9.31 PRNG keylen=16 test OK
    X9.31 PRNG keylen=24 test started
    X9.31 PRNG keylen=24 test OK
    X9.31 PRNG keylen=32 test started
    X9.31 PRNG keylen=32 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    Digest SHA1 test started
    Digest SHA1 test OK
    HMAC SHA1 test started
    HMAC SHA1 test OK
    HMAC SHA224 test started
    HMAC SHA224 test OK
    HMAC SHA256 test started
    HMAC SHA256 test OK
    HMAC SHA384 test started
    HMAC SHA384 test OK
    HMAC SHA512 test started
    HMAC SHA512 test OK
    CMAC AES-128-CBC test started
    CMAC AES-128-CBC test OK
    CMAC AES-192-CBC test started
    CMAC AES-192-CBC test OK
    CMAC AES-256-CBC test started
    CMAC AES-256-CBC test OK
    CMAC DES-EDE3-CBC test started
    CMAC DES-EDE3-CBC test OK
    Cipher AES-128-ECB test started
    Cipher AES-128-ECB test OK
    CCM test started
    CCM test OK
    GCM test started
    GCM test OK
    XTS AES-128-XTS test started
    XTS AES-128-XTS test OK
    XTS AES-256-XTS test started
    XTS AES-256-XTS test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Cipher DES-EDE3-ECB test started
    Cipher DES-EDE3-ECB test OK
    Signature RSA test started
    Signature RSA test OK
    Signature ECDSA P-224 test started
    Signature ECDSA P-224 test OK
    Signature ECDSA K-233 test started
    Signature ECDSA K-233 test OK
    Signature DSA test started
    Signature DSA test OK
    ECDH P-224 test started
    ECDH P-224 test OK
    POST Success
    Power-up self test successful

Thanks for looking at this.
fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Hi folks,

I have a FIPS capable OpenSSL library, where libcrypto.so and libssl.so get linked into my product during build. I'm using FIPS 2.0 and OpenSSL 1.0.1c. To the best of my knowledge, on the build machine I can do the following:

for fips, I call

    ./config
    make
    make install

where I give install an install prefix

for openssl, I call

    ./config fips -d shared --with-fipsdir={install_prefix}/usr/local/ssl/fips-2.0 --prefix={blah}

This all works fine. fipscanister.o comes out, I point openssl to it, and openssl makes some libraries. Doing an objdump on libcrypto.so reveals similar fingerprint text as found in an objdump on fipscanister.o.

My total build generates an rpm of my source with the linked ssl libraries, which I install on a different machine that does not have openssl or fips installed. Unfortunately, FIPS_mode_set(1) still fails for me with the following:

    error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:

It is my understanding that fipscanister.o gets generated with its SHA1 value already embedded in it, and FIPS_mode_set generates its own fingerprint at runtime to compare to the embedded value. In this manner, fipscanister.o should be totally modular. I am not statically linking and should not need to use fipsld. I also do not use fips_standalone_sha1 at any point.

Am I missing a step somewhere that is critical to getting FIPS initialized at runtime?

Thanks,
Cassie
fingerprint does not match on FIPS_mode_set when FIPS + openssl is dynamically linked into build
Hi folks,

I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and libssl.so) into my product's build, but still get a "fingerprint does not match" error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0 source and OpenSSL 1.0.1c. The full error is:

    25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:

During the build on a build machine, I execute the following --

for fips,

    ./config
    make
    make install (with an install prefix)

for openssl,

    ./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix={...}
    make ... -I{fips include directory} depend
    make ... -I{fips include directory}
    make install

Everything appears to go well. fipscanister.o is generated, openssl is able to find it, and libcrypto.so has similar fingerprint text as fipscanister.o after doing an objdump on both of them.

libssl.so and libcrypto.so get linked in with the product source and put into an rpm. The rpm is installed and executed on a different machine from building that does not have openssl or fips installed. In the initialization sequence that calls FIPS_mode_set, I'm including openssl/crypto.h and openssl/err.h.

Unfortunately, even after all of this, FIPS_mode_set is unhappy and returns the fingerprint does not match error. It is my understanding that if I'm not statically linking openssl, I should not need to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere.

So what are the digests that actually need to be compared for fips to be validated in a dynamic linking such as this? Is there a step I'm missing to generate and/or install them?