RE: Incore.gz different signature from target machine
Thanks Steve, Following the FIPS_incore_fingerprint() gave a good insight about the data that is taken for calculating the digest. After dumping the data once in the target I was able to adjust the offset. But still I see binary content is slightly differed in the executable before loading and the content in the memory For eg the objdump information in the openssl lib before loading 000e4100 : e4100: 4b ff ff ec b e40ec 000e4104 : e4104: 7d 80 00 26 mfcrr12 e4108: 94 21 ff e8 stwur1,-24(r1) e410c: 7c 08 02 a6 mflrr0 e4110: 93 e1 00 14 stw r31,20(r1) e4114: 7c 7f 1b 78 mr r31,r3 e4118: 93 a1 00 0c stw r29,12(r1) e411c: 90 01 00 1c stw r0,28(r1) e4120: 91 81 00 08 stw r12,8(r1) e4124: 48 00 00 01 bl e4124 e4128: 7c 7d 1b 78 mr r29,r3 e412c: 48 00 00 01 bl e412c e4130: 2f 83 00 00 cmpwi cr7,r3,0 e4134: 2e 1d 00 00 cmpwi cr4,r29,0 e4138: 41 9e 00 14 beq-cr7,e414c e413c: 41 92 00 38 beq-cr4,e4174 e4140: 3d 20 00 00 lis r9,0 e4144: 93 e9 00 00 stw r31,0(r9) e4148: 41 92 00 24 beq-cr4,e416c e414c: 80 01 00 1c lwz r0,28(r1) e4150: 81 81 00 08 lwz r12,8(r1) . . . Whereas the objdump from the memory FIPS_text_start: 0x9f1700 4becb 0x9f16ec # instruction_pointer fips_set_mode: 0x9f1704 7d800026mfcrr12 0x9f1708 9421ffe8stwur1,-24(r1) 0x9f170c 7c0802a6mfspr r0,LR 0x9f1710 93e10014stw r31,20(r1) 0x9f1714 7c7f1b78or r31,r3,r3 0x9f1718 93a1000cstw r29,12(r1) 0x9f171c 9001001cstw r0,28(r1) 0x9f1720 91810008stw r12,8(r1) 0x9f1724 480008e5bl 0x9f2008 # fips_is_owning_thread value = 10426152 = 0x9f1728 = fips_set_mode + 0x24 Working: [Kernel]->l 0x9f1728 7c7d1b78or r29,r3,r3 0x9f172c 480008d1bl 0x9f1ffc # fips_is_started 0x9f1730 2f83cmpicrf7,0,r3,0x0 # 0 0x9f1734 2e1dcmpicrf4,0,r29,0x0 # 0 0x9f1738 419e0014bc 0xc,30, 0x9f174c # 0x009f174c 0x9f173c 41920038bc 0xc,18, 0x9f1774 # 0x009f1774 0x9f1740 3d200e86lis r9,0xe86 # 3718 0x9f1744 93e9ce40stw r31,-12736(r9) 0x9f1748 41920024bc 0xc,18, 0x9f176c # 0x009f176c 0x9f174c 8001001clwz r0,0x1c(r1) # 28 value = 10426192 = 0x9f1750 = fips_set_mode + 0x4c Working: [Kernel]->l 0x9f1750 81810008lwz r12,0x8(r1) # 8 The branching instructions and the offset to store the return address from the r31 are changed while loading in to memory, thus the resulting digest in both case are different. I guess this is normal when the ELF are relocated after loading or do I miss any option while compiling. I would appreciate any help/clue on this Thanks John Paul -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 13, 2010 9:59 PM To: openssl-users@openssl.org Subject: Re: Incore.gz different signature from target machine On Wed, Oct 13, 2010, john.mattapi...@wipro.com wrote: > I got the FIPS openssl integrated with my application. Unfortunately I > had to stick to build environment which is on sun solaris and my > target machine is a powerpc embedded system. Until now I had to > create the application in solaris machine execute in the target, after > getting the hmac signature recompiled the fips_premain.c with that > signature. After checking Dr.Steve's post I tried using incore.gz on my application. > Somehow the signatures are different > > I noticed that the 'file format' of the object I have is "elf32-big" > which is not handled in the script. I assume the INCORE_ADJUST should > be > -8 for that type of format too. I added that code but still it returns > a different signature that does not match with the generated signature > from the target. > > Any values I should check between the script's result on the host > machine vs code loaded in the target to make it match ? > There are several ways to do this. One is to not embed a signature and call the executable on the target: it should then output the expected signature. You can then tweak the offset so the two match. Alternatively check out the code in FIPS_incore_fingerprint(). You can write a simple program to dump the data that OpenSSL fingerprints, then modify the script to dump the same data for its external fingerprint. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Pro
Incore.gz different signature from target machine
I got the FIPS openssl integrated with my application. Unfortunately I had to stick to build environment which is on sun solaris and my target machine is a powerpc embedded system. Until now I had to create the application in solaris machine execute in the target, after getting the hmac signature recompiled the fips_premain.c with that signature. After checking Dr.Steve's post I tried using incore.gz on my application. Somehow the signatures are different I noticed that the 'file format' of the object I have is "elf32-big" which is not handled in the script. I assume the INCORE_ADJUST should be -8 for that type of format too. I added that code but still it returns a different signature that does not match with the generated signature from the target. Any values I should check between the script's result on the host machine vs code loaded in the target to make it match ? Thanks John Paul Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
RE: FIPS mode - fails to read the RSA key
Again thank you Steve, Invoking "OpenSSL_add_all_algorithms()" made the certificate processing without any trouble. Thanks John Paul -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Friday, October 08, 2010 4:09 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote: > Thank you Steve, > > I had problem in creating certificate and key in FIPS mode. With your > suggestion now I am able to create FIPS supported certificate > > When I create it with a passphrase the key looks as below > > -BEGIN ENCRYPTED PRIVATE KEY- > MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA > .. > toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE > -END ENCRYPTED PRIVATE KEY- > > Now it fails at "PKCS8_decrypt" in "PEM_read_bio_PrivateKey". I > verified that passphase returned by the cb is as same as the one that > I used to create the certificate. Any hint if I miss something in the > key generation > > The command I used to create this key is > > ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem > -out wv-cert.pem > > If I create the key with out passphrase then the code hits this > snippet of the code (PEM_read_bio_PrivateKey) and works fine > .. > .. > p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); > if(!p8inf) goto p8err; > ret = EVP_PKCS82PKEY(p8inf); > .. > .. > Have you included OpenSSL_add_all_algorithms() in your code? If so then see the FAQ for details of how to print out error messages. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: FIPS Open SSL Build using VC++ on Windows
As far as I understand the HMAC-SHA1-SIG is something that is passed while compiling the fips_premain.c. And this is taken care by fipsld. Actually fipsld obtains this signature by executing the binary that is linked with fips_premain.o and recompiles the fips_premain.c by passing that signature .. I didn't find any issue while following the steps in the UserGuide.1.1 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Lee Merrill Sent: Tuesday, October 12, 2010 5:55 PM To: openssl-users@openssl.org Subject: Re: FIPS Open SSL Build using VC++ on Windows I had a problem after building as well, I built the fips-mode (version 1.2) of openssl on LInux via running "./config fipscanisterbuild" and then "make", this builds fine, and "make test" works, only fipscanister.o doesn't have the strings that fipsld expects, when I run "strings fipscanister.o | fgrep HMAC" all I see is "HMAC: digest not allowed in FIPS mode". The other strings I got before with fips openssl 1.1 which have the hash values (e.g. "HMAC-SHA1(fips_premain.c)= 6a08d15c578f1258246181bf52134ae974aa5a80") are not present. This causes fipsld to fail, any suggestions appreciated. Lee -- On 10/12/2010 07:07 AM, rajesh kumar wrote: Hi All, i am very new to OpenSSL build ... I have build the static build of FIPS Capable OpenSSL as mentioned in user guide 1.2. I have used following commands on VS2005 Command Prompt... Build FIPS Module : ms\do_fips no-asm Set Confiugration : perl Configure VC-WIN32 --with-fipslibdir="..\openssl-0.9.8l\out32dll" For not using Assembler : ms\do_ms Static Build : nmake -f ms\nt.mak InstallStatic All this seems to work but the issue is that when i link libeay32.lib and ssleay32.lib in application and when i am calling FIPS_mode_set() function to set/reset FIPS Mode. I am seeing following link error ... error LNK2019: unresolved external symbol _FIPS_mode referenced in function Can some one please let me know if i am missing anything... when i am looking at the do_fips.bat file; it internally calls ntdll.mak - i am not sure if fips module is always creating Dynamic mode where as my application links them static... quick reply would be really helpful Thanks, Rajesh. -- Unless otherwise stated, any views presented in this email are solely those of the author and do not necessarily represent those of the company. Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com
RE: FIPS mode - fails to read the RSA key
Thank you Steve, I had problem in creating certificate and key in FIPS mode. With your suggestion now I am able to create FIPS supported certificate When I create it with a passphrase the key looks as below -BEGIN ENCRYPTED PRIVATE KEY- MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA .. toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE -END ENCRYPTED PRIVATE KEY- Now it fails at "PKCS8_decrypt" in "PEM_read_bio_PrivateKey". I verified that passphase returned by the cb is as same as the one that I used to create the certificate. Any hint if I miss something in the key generation The command I used to create this key is ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem If I create the key with out passphrase then the code hits this snippet of the code (PEM_read_bio_PrivateKey) and works fine .. .. p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); .. .. Thanks John Paul -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 9:48 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Thanks again > > I do have the env Variable OPENSSL_FIPS set to 1. And the key > generated is as below > > -BEGIN RSA PRIVATE KEY- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5 > > bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb > vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ > . > . > . > .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG > bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew== > -END RSA PRIVATE KEY- > > But still it fails at the same method "PEM_do_header" > If that happens the version of OpenSSL isn't in FIPS mode. You should get: -BEGIN PRIVATE KEY- and no Proc-Type, DEK-Info lines if it worked. If you also do: OPENSSL_FIPS=1 openssl md5 somefile it should fail with an error if FIPS mode is entered correctly. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: FIPS mode - fails to read the RSA key
Thanks again I do have the env Variable OPENSSL_FIPS set to 1. And the key generated is as below -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5 bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ . . . .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew== -END RSA PRIVATE KEY- But still it fails at the same method "PEM_do_header" Any hint? Thanks John Paul -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 6:02 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Thanks Steve, > > I used the following commands to create the certificate using the > openssl built with FIPS support > > openssl genrsa -des3 -out wv-key.pem 1024 openssl req -new -x509 -key > wv-key.pem -out wv-cert.pem -days 365 > > Do I miss any option to make it FIPS supported > The openssl utility is not in FIPS mode by default. You need to set the environment variable OPENSSL_FIPS to 1 when you call it. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: FIPS mode - fails to read the RSA key
Thanks Steve, I used the following commands to create the certificate using the openssl built with FIPS support openssl genrsa -des3 -out wv-key.pem 1024 openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365 Do I miss any option to make it FIPS supported John -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Wednesday, October 06, 2010 4:36 PM To: openssl-users@openssl.org Subject: Re: FIPS mode - fails to read the RSA key On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote: > Hello there > > I am trying to use the OpenSSL-fips version 1.2 for our application ( > Webserver ) in Vxworks. I was able to integrate the library and > executing FIPS_mode_set is successful. After initializing the > SSL_library_init, The code tries to read the RSA key from a key.pem > file. > Technically you shouldn't use keys created outside FIPS mode in FIPS mode. In FIPS mode the "traditional" format is not supported because it used MD5 for key derivation. The more standard PKCS#8 mode using SHA1 for key derivation is use instead. You can convert keys using the pkcs8 command outside FIPS mode but again technically you aren't supposed to... Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FIPS mode - fails to read the RSA key
Hello there I am trying to use the OpenSSL-fips version 1.2 for our application ( Webserver ) in Vxworks. I was able to integrate the library and executing FIPS_mode_set is successful. After initializing the SSL_library_init, The code tries to read the RSA key from a key.pem file. I notice that it uses the methods PEM_read_bio_RSAPrivateKey-> PEM_read_bio_PrivateKey -> PEM_bytes_read_bio ->PEM_do_header and the PEM_do_header fails always once I enable the FIPS_mode if not it succesfully decrypts the RSA Key I googled around and found a link where they faced a similar problem in OpenSSH. In which he changed the digest parameter from EVP_md5() to EVP_sha1() in method EVP_BytesToKey I tried the same but still it fails to decrypt the information from the key I would really appreciate if someone can throw some hint what I might be doing wrong Thanks John Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com