Re: FIPS premain signature question

2011-05-15 Thread raghib nasri
I have also observed that changing my application code causes a different
HMAC sig to be generated by premain. So if it is covering just the validated
module (fipscanister.o) then the sig should remain the same, as I'm using the
same validated module each time. Please clarify.

On Sun, May 15, 2011 at 4:41 AM, Dr. Stephen Henson wrote:

> On Fri, May 13, 2011, Todd Goyen wrote:
>
> > Can someone provide a brief explanation of the fips_premain.c functionality?
> >
> > I used it over a year ago and am a little hazy on the details.
> >
> > 1) A checksum of the executable was performed during the first compile step of fipsld
> > 2) That checksum was inserted into the binary during the second compile step
> > 3) When the program is run that checksum is checked when fips_mode is entered.
> >
> > Presuming the above is correct, I also remember that toggling a few bits
> > in the executable (in a string for example) would cause FIPS mode to fail.
> > However a new program I have just written doesn't exhibit this behavior.
> > Have I got the functionality wrong, or is something else awry?
> >
>
> The HMAC signature doesn't cover the whole binary, just the validated module
> within the binary.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: Open ssl FIS Mode

2011-04-24 Thread raghib nasri
According to the user guide, OpenSSL 1.0.0d is not supported with the FIPS
object module. You have to use a 0.9.8j+ series regular library, not 1.0.0+.
Verify it in the latest available user guide. All the procedures for linking
your application to the FIPS object module are described in the guide. You
have to strictly follow the guide and the security policy.

On Fri, Apr 22, 2011 at 10:27 AM, kiran s  wrote:

> Hi Team,
>
> We are using OpenSSL-Win32 (OpenSSL 1.0.0d).
>
> We downloaded openssl-fips-1.2.2.tar.gz.
>
> My application, for which we are using OpenSSL, needs to run in OpenSSL FIPS
> mode.
>
> What is the procedure? How do I call the contents of openssl-fips-1.2.2.tar.gz
> from OpenSSL 1.0.0d, make my application compatible and assure it's using
> OpenSSL FIPS?
>
> Please help us.
>
> Regards,
>
> Varma.
>


Re: FIPS statically linked canister

2011-04-12 Thread raghib nasri
As per my knowledge you have to build your fipscanister.o as specified in the
user guide. No static option at build time is allowed. You have to follow the
user guide word for word. Once you have built fipscanister in the right place,
you can use it to statically link directly with your application using the
fipsld utility, or you can statically link it with your shared library.

On Tue, Apr 12, 2011 at 9:08 PM, John Foley  wrote:

>
> Section 4.2.1 of the FIPS User Guide states...
>
> Per the conditions of the FIPS 140-2 validation only two configuration
> commands may be used:
>     ./config fipscanisterbuild
> or
>     ./config fipscanisterbuild no-asm
>
> However, section 4.2.2 states...
>
> Note that fipscanister.o can either be statically linked into an
> application binary executable, or statically linked into a shared library.
>
> This leads to the question of how we would build a statically linked
> OpenSSL library, such as using the following configuration...
>
>     ./config fipscanisterbuild -static
>
> My question is: is using the -static option to build the library a valid
> option for FIPS mode? If not, why does section 4.2.2 state the canister
> can be statically linked?
>
> Thank you.
>
>


Re: Error in creating shared library using fipsld

2011-04-11 Thread raghib nasri
Is it possible to build a shared library that incorporates fipscanister.o,
where fipscanister.o is already built as per the rules specified in the user
guide and security policy? Will that shared library be a validated one that
can be used by an independent application? I have my own shared library which
is statically linked with libcrypto.a, but now I want to make it FIPS capable.
The user guide mostly talks about static linking of the object module directly
with the application using fipsld. For a shared library do I still need to use
fipsld, and if yes, how do I use it to correctly create a shared library?

On Mon, Apr 11, 2011 at 5:57 PM, raghib nasri  wrote:

> Hi,
> I want to create a shared library by statically linking my object file
> with libcrypto.a. I am using the following command:
>
>     FIPSLD_CC=g++ /usr/local/ssl/fips/bin/fipsld -shared -fPIC -o libshared.so libfips.o -L/usr/local/ssl/fips/lib/libcrypto.a
>
> It gives the following error:
>
> /usr/local/ssl/fips/bin/fipsld: line 94: /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
> 1d0
> < HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
> /usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch
>
> Can anyone help me with the error and suggest the correct way of building a
> shared library for the FIPS object module?
>


Error in creating shared library using fipsld

2011-04-11 Thread raghib nasri
Hi,
I want to create a shared library by statically linking my object file
with libcrypto.a. I am using the following command:

    FIPSLD_CC=g++ /usr/local/ssl/fips/bin/fipsld -shared -fPIC -o libshared.so libfips.o -L/usr/local/ssl/fips/lib/libcrypto.a

It gives the following error:

/usr/local/ssl/fips/bin/fipsld: line 94: /usr/local/ssl/fips/bin/../fips/fips_standalone_sha1: No such file or directory
1d0
< HMAC-SHA1(fips_premain.c)= 9e5ddba185ac446e0cf36fcf8e1b3acffe5d0b2c
/usr/local/ssl/fips/bin/../lib/fips_premain.c fingerprint mismatch

Can anyone help me with the error and suggest the correct way of building a
shared library for the FIPS object module?


Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-09 Thread raghib nasri
Now I don't think it's possible. I am statically linking the application with
the object module and library, and if you have observed fipsld, the first time
it compiles and links the application without any preprocessor symbol. At
that time fips_premain.c observes that no HMAC is defined and generates the 40
char HMAC that serves as the output of the application (for the first-time
compilation only). In fipsld, this output is assigned to the SIG variable and
for the later stage compilation, SIG is assigned to the preprocessor symbol
HMAC_SHA1_SIG. Now premain.c behaves in a different way since the HMAC is
defined. So ultimately there is nothing to change in fipsld to get a 40 char
HMAC, and I have to depend on gcc for the fips_premain.c compilation. Well,
thanks Stephen for your interest and guidance, and if you want to make some
correction please convey it.

On Wed, Mar 9, 2011 at 8:51 PM, Dr. Stephen Henson wrote:

> On Wed, Mar 09, 2011, raghib nasri wrote:
>
> > Thanks Stephen
> > I have modified fipsld to compile only fips_premain.c with gcc and the
> > rest of my application is still using g++ for compilation and linking. But
> > I am not able to sort out exactly how to modify the part that will result
> > in embedding a signature of exactly 40 characters, in case I want to use
> > only g++.
> >
>
> Well this is untested...
>
> The fipsld script embeds the signature in fips_premain.c by setting the
> preprocessor symbol HMAC_SHA1_SIG. The normal format we have is
> "<40 hex digits>" which ends up with 40 characters and the extra null.
>
> If you modify that to an alternative format such as...
>
> {'a','0','c',...}
>
> with exactly 40 characters it should work.
>
> Steve.
>
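
Steve's brace-initializer suggestion, worked into a small helper that a modified fipsld could call in its second pass. This is an added example, not code from the OpenSSL fipsld script or from fips_premain.c; the function names, the sample digest and the placeholder compile line at the end are constructed.

```shell
#!/bin/sh
# Added example; not the OpenSSL fipsld script and not fips_premain.c.
# fipsld captures the first-pass fingerprint in SIG and recompiles
# fips_premain.c with HMAC_SHA1_SIG set to "<40 hex digits>". That quoted
# form is 40 characters plus a terminating NUL: C silently drops the NUL
# into char FINGERPRINT_ascii_value[40], g++ rejects it. A brace
# initializer with exactly 40 elements carries no NUL, so both accept it.

# Exactly 40 hex digits (the hex length of an HMAC-SHA1)?
is_fingerprint() {
    [ "${#1}" -eq 40 ] || return 1
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Print {'9','e',...,'c'} for a valid fingerprint; print nothing and fail
# otherwise, so a malformed SIG can never be embedded silently.
sig_to_initializer() {
    is_fingerprint "$1" || return 1
    printf '%s\n' "$1" | sed -e "s/./'&',/g" -e "s/,\$/}/" -e "s/^/{/"
}

# Number of elements in such an initializer: each element is 'x', so
# count apostrophes and halve. Expect 40, never 41.
initializer_elements() {
    n=$(printf '%s' "$1" | tr -cd "'" | wc -c)
    echo $((n / 2))
}

# How a modified fipsld would use it in the second pass (constructed
# placeholder; $CC, the first-pass binary and flags are not real paths):
#   SIG=$(./first_pass_binary)   # fips_premain prints the 40 char HMAC
#   INIT=$(sig_to_initializer "$SIG") || { echo "bad SIG: $SIG" >&2; exit 1; }
#   $CC -DHMAC_SHA1_SIG="$INIT" -c fips_premain.c
```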


Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-09 Thread raghib nasri
Thanks Stephen
I have modified fipsld to compile only fips_premain.c with gcc and the rest
of my application is still using g++ for compilation and linking. But I am
not able to sort out exactly how to modify the part that will result in
embedding a signature of exactly 40 characters, in case I want to use only g++.


On Tue, Mar 8, 2011 at 12:45 AM, Dr. Stephen Henson wrote:

> On Mon, Mar 07, 2011, raghib nasri wrote:
>
> > Do you mean to say I should modify fipsld to use gcc for compiling
> > fips_premain.c? Or is there any way to still use g++ for my application
> > with minimal change in fipsld? Please suggest.
> >
>
> Well two options, one is to change it to use gcc just for the compilation of
> fips_premain.c, the other is to modify the part that embeds the signature so
> it uses 40 characters instead of 40+1 null.
>
> Steve.
>


Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-07 Thread raghib nasri
Do you mean to say I should modify fipsld to use gcc for compiling
fips_premain.c? Or is there any way to still use g++ for my application with
minimal change in fipsld? Please suggest.

On Mon, Mar 7, 2011 at 9:15 PM, Dr. Stephen Henson wrote:

> On Mon, Mar 07, 2011, raghib nasri wrote:
>
> > Hi,
> > I am using the FIPS Object Module and encountered an error while
> > compiling my application using g++.
> > "fips_premain.c:71: error: initializer-string for array of chars is
> > too long"
> > I cannot change fips_premain.c since it's part of the FIPS validation, I
> > guess.
> > Please suggest any solution.
>
> Although you can't modify fips_premain.c you can modify fipsld: which
> doesn't have to be the standard one as long as it follows the rules in the
> security policy.
>
> Steve.
>


Compilation Error in application referencing FIPS Object Module using g++

2011-03-06 Thread raghib nasri
Hi,
   I am using the FIPS Object Module and encountered an error while
compiling my application using g++.
   "fips_premain.c:71: error: initializer-string for array of chars is
too long"
   I cannot change fips_premain.c since it's part of the FIPS validation, I
guess.
   Please suggest any solution.


fips_premain.c compilation issue with g++

2011-02-28 Thread raghib nasri
Hi,
   I have installed FIPS object module 1.2.2 with the compatible standard
OpenSSL library version 0.9.8r, supposed to be the latest FIPS capable
installation. I have written a simple application for FIPS mode
verification. It's working fine when compiling with gcc, but I need to use
g++, with which it's rightly giving the error that the initializer string is
too long for the array FINGERPRINT_ascii_value[40] defined in
fips_premain.c. Obviously I cannot modify this since the file itself is
part of the validation.
   This issue was raised years ago but all threads ended up suggesting to
modify fipsld (since this script is not part of the validation) so that
premain.c is compiled with gcc and the rest of the application with g++. Is
there any alternative solution? I have a doubt that some modification takes
place in fips_premain.c during installation of the object module which I
missed, and my post-installation premain.c file still contains a string that
was otherwise supposed to be replaced by a shorter HMAC string.
-Raghib