Re: [openssl-users] new FIPS module
On 09/29/2016 12:40 PM, Troy Smoke wrote:
> I am in the position of evaluating products that have (or claim to have)
> implemented the OpenSSL FIPS module.
>
> I would like to be able to run a command or run the FIPS
> self-test on command, for the purpose of verifying if OpenSSL is
> operating in FIPS mode.
>
> ...

Keep in mind that "OpenSSL" itself doesn't "operate in FIPS mode". OpenSSL is a set of shared libraries which may be instantiated different ways by different calling applications. Application A may enable FIPS mode while application B referencing the same shared libraries doesn't. "OpenSSL" itself is never "operating in FIPS mode" independently of any applications; the term is meaningful only in the context of a specific application/process.

A related question is "Does this OpenSSL install support use of the FIPS module"? We call OpenSSL built that way a "FIPS capable" OpenSSL; "capable" because calling applications can elect to enable FIPS mode (or not).

To see if a specific install of OpenSSL 1.0.1/1.0.2 was built as FIPS capable, you can run the command (application):

  OPENSSL_FIPS=1 openssl md5 < /dev/null

It will throw errors if the "openssl" command is from a FIPS capable OpenSSL; either for a self test failure (unlikely) or because of the disallowed algorithm. If not from a FIPS capable OpenSSL you just see the message "FIPS mode not supported."

Note that tells you nothing about whether another application has enabled FIPS mode, though. For that you need to look under the hood of that application (i.e. ask the vendor).

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
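As an added example (not part of Steve's post and not OpenSSL's own tooling): a small POSIX shell wrapper around the check above. It runs the command against a given openssl binary, captures the combined output and exit status, and maps them onto the three outcomes the post describes. The only message text it matches on is the "FIPS mode not supported." string quoted in the post; the other branches rely on the exit status rather than on particular error strings. The function names and the sample output strings used below are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the result of `OPENSSL_FIPS=1 openssl md5 < /dev/null`
# for an OpenSSL 1.0.1/1.0.2 "openssl" binary, following the interpretation
# given in Steve Marquess's post. Not OpenSSL project code.

# classify_fips_check OUTPUT EXIT_STATUS
#   OUTPUT      combined stdout+stderr of the md5 run
#   EXIT_STATUS its exit status
# Prints exactly one of: not-fips-capable, fips-capable, inconclusive
classify_fips_check() {
    _out=$1
    _status=$2
    case $_out in
        *"FIPS mode not supported"*)
            # The only message text taken from the post: openssl(1) from a
            # non-FIPS-capable 1.0.x build saw OPENSSL_FIPS=1 and refused.
            echo "not-fips-capable" ;;
        *)
            if [ "$_status" -ne 0 ]; then
                # FIPS mode was entered and the run then failed, either
                # because MD5 is a disallowed algorithm in FIPS mode or
                # (unlikely) because the power-up self test failed. Either
                # way the build is FIPS capable; the exact error text is
                # deliberately not matched here.
                echo "fips-capable"
            else
                # A digest was printed and the command exited 0, so the
                # OPENSSL_FIPS variable was not honoured. That is what a
                # build other than 1.0.x does, so this check proves nothing.
                echo "inconclusive"
            fi ;;
    esac
}

# run_fips_check [OPENSSL_BINARY]
# Run the real command against the named binary (default: "openssl" on PATH)
# and print the classification. Prints "no-openssl" if the binary is absent.
run_fips_check() {
    _bin=${1:-openssl}
    if ! command -v "$_bin" >/dev/null 2>&1; then
        echo "no-openssl"
        return 0
    fi
    _status=0
    # Empty stdin: we only care whether the md5 digest is permitted at all.
    _out=$(OPENSSL_FIPS=1 "$_bin" md5 </dev/null 2>&1) || _status=$?
    classify_fips_check "$_out" "$_status"
}

# Stand-alone use: report the result for whatever "openssl" is on PATH.
printf 'openssl on PATH: %s\n' "$(run_fips_check)"
```

Point it at the vendor's bundled binary (for example `run_fips_check /opt/vendor/bin/openssl`) rather than at whatever happens to be first on PATH, since the system openssl and the one shipped inside a product are frequently different builds. As the post says, even a "fips-capable" result only tells you the library can enter FIPS mode; whether the vendor's application process actually calls FIPS_mode_set(1) is a separate question for the vendor.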
Re: [openssl-users] new FIPS module
I am in the position of evaluating products that have (or claim to have) implemented the OpenSSL FIPS module.

I would like to be able to run a command or run the FIPS self-test on command, for the purpose of verifying if OpenSSL is operating in FIPS mode. This may not be important for most users, but I would consider it of vital importance from a testing perspective.

This is also assuming that such a command/procedure would be allowed under the FIPS certification.

Thanks,
zoddoz

> As always, if you don't care about FIPS 140 then count yourself lucky and move
> on.
>
> Work on the new FIPS module has so far taken a backseat to higher priority
> topics like the 1.1 release and security vulnerabilities, but we should start to
> make some progress soon. I've put together a rough wiki page outlining some
> goals for the new FIPS module:
>
> https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is permitted
> by FIPS 140, we want this FIPS module to be as widely useful as possible.
>
> If we've omitted anything of vital importance please speak up.
>
> -Steve M.
Re: [openssl-users] new FIPS module
On 09/27/2016 10:57 AM, Zeke Evans wrote:
>> ...
>
> The fixed base address requirement causes problems for large Windows
> x86 applications and there isn't a great work around. It isn't clear
> to me if item 2 "Support compilation in various forms" will address
> this or not. An option to compile the fips module as a dll instead
> of a static lib would be nice or at least allow the fips capable
> module to be rebased.

As I understand it (not being a Windows person), we don't have any options good across the Windows ecosystem. Apparently PIC isn't possible on Win32, for instance. Hopefully Andy will weigh in. If there is a graceful way to accommodate Windows we'd gladly do it.

As for DLLs, the fipscanister.o code can always be embedded within a DLL or shared library. It's the rebasing that's the problem.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: [openssl-users] new FIPS module
> As always, if you don't care about FIPS 140 then count yourself lucky and
> move on.
>
> Work on the new FIPS module has so far taken a backseat to higher priority
> topics like the 1.1 release and security vulnerabilities, but we should start
> to make some progress soon. I've put together a rough wiki page outlining
> some goals for the new FIPS module:
>
> https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful as
> possible.
>
> If we've omitted anything of vital importance please speak up.

The fixed base address requirement causes problems for large Windows x86 applications and there isn't a great work around. It isn't clear to me if item 2 "Support compilation in various forms" will address this or not. An option to compile the fips module as a dll instead of a static lib would be nice or at least allow the fips capable module to be rebased.

Zeke Evans
Senior Software Engineer
Micro Focus
Re: [openssl-users] new FIPS module
On 27/09/2016 15:41, Steve Marquess wrote:
> As always, if you don't care about FIPS 140 then count yourself lucky and
> move on.
>
> Work on the new FIPS module has so far taken a backseat to higher priority
> topics like the 1.1 release and security vulnerabilities, but we should start
> to make some progress soon. I've put together a rough wiki page outlining
> some goals for the new FIPS module:
>
> https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful as
> possible.
>
> If we've omitted anything of vital importance please speak up.

Here's one practical thing (as a suggestion):

- To ensure compatibility with platform ASLR, build the FIPS canister as completely position independent code with no relocations whenever platforms allow. This probably requires that the FIPS canister makes all calls to outside libraries as callbacks to function pointers supplied during module init, or at least via a function table that is outside the hashed FIPS canister.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] new FIPS module
As always, if you don't care about FIPS 140 then count yourself lucky and move on.

Work on the new FIPS module has so far taken a backseat to higher priority topics like the 1.1 release and security vulnerabilities, but we should start to make some progress soon. I've put together a rough wiki page outlining some goals for the new FIPS module:

https://wiki.openssl.org/index.php/FIPS_module_3.0

Within the very tight constraints of schedule, resources, and what is permitted by FIPS 140, we want this FIPS module to be as widely useful as possible.

If we've omitted anything of vital importance please speak up.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc