Re: Basic Question

2009-05-31 Thread Bob Bell
Thanks to all for the information that was exchanged. It did help me
understand.

Bob Bell

On Thu, May 28, 2009 at 2:05 PM, Bob Bell rt.bob.b...@gmail.com wrote:

 Folks -

 I have a basic question relative to the FIPS OpenSSL lib and US export
 control law. As I understand it, in order for the OpenSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library. If that is so, how do you get an export classification of
 less than RESTRICTED since the library contains strong crypto, and the lib
 could be used to encrypt user data at rates which exceed the positive list
 restrictions?

 Bob Bell



Re: Basic Question

2009-05-31 Thread Kyle Hamilton
OpenSSL is publicly available code and thus has an export exemption.
Things linked with it, however, may not be, depending on their
configuration.

-Kyle H

On Thu, May 28, 2009 at 1:05 PM, Bob Bell rt.bob.b...@gmail.com wrote:
 Folks -

 I have a basic question relative to the FIPS OpenSSL lib and US export
 control law. As I understand it, in order for the OpenSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library. If that is so, how do you get an export classification of
 less than RESTRICTED since the library contains strong crypto, and the lib
 could be used to encrypt user data at rates which exceed the positive list
 restrictions?

 Bob Bell

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Basic Question

2009-05-29 Thread Bob Bell
Folks -

I have a basic question relative to the FIPS OpenSSL lib and US export
control law. As I understand it, in order for the OpenSSL lib to run as a
FIPS certified module, it must be configured to be loaded as a dynamically
linked library. If that is so, how do you get an export classification of
less than RESTRICTED since the library contains strong crypto, and the lib
could be used to encrypt user data at rates which exceed the positive list
restrictions?

Bob Bell


Re: Basic Question

2009-05-29 Thread Michael S. Zick
On Thu May 28 2009, Bob Bell wrote:
 Folks -
 
 I have a basic question relative to the FIPS OpenSSL lib and US export
 control law. As I understand it, in order for the OpenSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library. If that is so, how do you get an export classification of
 less than RESTRICTED since the library contains strong crypto, and the lib
 could be used to encrypt user data at rates which exceed the positive list
 restrictions?
 

Because the source code is available.

 Bob Bell
 




Re: Basic Question

2009-05-29 Thread Dr. Stephen Henson
On Thu, May 28, 2009, Bob Bell wrote:

 
 I have a basic question relative to the FIPS OpenSSL lib and US export
 control law. As I understand it, in order for the OpenSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library.
 

No, that isn't correct. You can statically link an application, but you need to
modify the linking procedure to use fipsld or an equivalent.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Basic Question

2009-05-29 Thread tensy joseph
Until now I was believing that all applications should link to the
libcrypto library at compilation so that it can check the fipscanister.o
hash value in the library with the previously stored fips.

As the user guide says:


1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
and verified against the installed digest to ensure the integrity of the
FIPS Object Module.

*For doing this, the library libcrypto.a should be linked at compile time.
Without linking the application with libcrypto.a, will that make them FIPS
capable applications? Please correct me if I am wrong*

2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
be generated and embedded in the application executable object for use by the
FIPS_mode_set() function at runtime initialization.

In our application, we normally do not link with libcrypto.a at compile
time. We do dynamic loading. Is it possible to link dynamically and have
FIPS capability in the application? From my understanding, it is not
possible? Please correct me if I am wrong

Thanks

Rajan
On Fri, May 29, 2009 at 3:50 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Thu, May 28, 2009, Bob Bell wrote:

  
  I have a basic question relative to the FIPS OpenSSL lib and US export
  control law. As I understand it, in order for the OpenSSL lib to run as a
  FIPS certified module, it must be configured to be loaded as a dynamically
  linked library.
  

 No, that isn't correct. You can statically link an application, but you need
 to modify the linking procedure to use fipsld or an equivalent.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk



Re: Basic Question

2009-05-29 Thread Dr. Stephen Henson
On Fri, May 29, 2009, tensy joseph wrote:

 Until now I was believing that all applications should link to the
 libcrypto library at compilation so that it can check the fipscanister.o
 hash value in the library with the previously stored fips.
 
 As the user guide says:
 
 
 1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
 and verified against the installed digest to ensure the integrity of the
 FIPS Object Module.
 
 *For doing this, the library libcrypto.a should be linked at compile time.
 Without linking the application with libcrypto.a, will that make them FIPS
 capable applications? Please correct me if I am wrong*
 
 2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
 be generated and embedded in the application executable object for use by the
 FIPS_mode_set() function at runtime initialization.
 
 In our application, we normally do not link with libcrypto.a at compile
 time. We do dynamic loading. Is it possible to link dynamically and have
 FIPS capability in the application? From my understanding, it is not
 possible? Please correct me if I am wrong
 

That is true but the application can be the libcrypto shared library which
has already checked the hash at link time.

For the 1.1.2 module shared library builds weren't possible on most platforms;
with the 1.2 module they are, with a few exceptions.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Basic Question

2009-05-29 Thread tensy joseph
My libcrypto.a is a shared library and also fipscanister.o has been
incorporated in the shared library libcrypto.a. So to get fipscanister.o
at compile time, it needs to link with libcrypto.a at compile time in
order to check the HMAC-SHA1 integrity test of fipscanister.o embedded in
libcrypto.a with the previously stored fipscanister.sha value. Please
correct me if I am wrong

Thanks

Rajan

On Fri, May 29, 2009 at 4:46 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Fri, May 29, 2009, tensy joseph wrote:

  Until now I was believing that all applications should link to the
  libcrypto library at compilation so that it can check the fipscanister.o
  hash value in the library with the previously stored fips.
  
  As the user guide says:
  
  
  1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
  and verified against the installed digest to ensure the integrity of the
  FIPS Object Module.
  
  *For doing this, the library libcrypto.a should be linked at compile time.
  Without linking the application with libcrypto.a, will that make them FIPS
  capable applications? Please correct me if I am wrong*
  
  2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
  be generated and embedded in the application executable object for use by the
  FIPS_mode_set() function at runtime initialization.
  
  In our application, we normally do not link with libcrypto.a at compile
  time. We do dynamic loading. Is it possible to link dynamically and have
  FIPS capability in the application? From my understanding, it is not
  possible? Please correct me if I am wrong
  

 That is true but the application can be the libcrypto shared library
 which has already checked the hash at link time.

 For the 1.1.2 module shared library builds weren't possible on most
 platforms; with the 1.2 module they are, with a few exceptions.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk



Re: Basic Question

2009-05-29 Thread tensy joseph
I have gone through the user guide again; I am a little confused now. This
statement confuses me:

A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must be
generated and embedded in the application executable object for use by
the FIPS_mode_set() function at runtime initialization.

So if I do dlopen of the libcrypto library and load FIPS_mode_set
dynamically, in this case it will not embed the SHA digest
in the application executable. In this scenario, I cannot load the symbol
FIPS_mode_set dynamically and it needs to be available at compilation
time; I will need to link to libcrypto.a at compile time.

Please advise

Thanks
Rajan




On Fri, May 29, 2009 at 5:50 PM, tensy joseph rajanchit...@gmail.com wrote:

 My libcrypto.a is a shared library and also fipscanister.o has been
 incorporated in the shared library libcrypto.a. So to get fipscanister.o
 at compile time, it needs to link with libcrypto.a at compile time in
 order to check the HMAC-SHA1 integrity test of fipscanister.o embedded in
 libcrypto.a with the previously stored fipscanister.sha value. Please
 correct me if I am wrong

 Thanks

 Rajan

 On Fri, May 29, 2009 at 4:46 PM, Dr. Stephen Henson st...@openssl.org wrote:

  On Fri, May 29, 2009, tensy joseph wrote:

   Until now I was believing that all applications should link to the
   libcrypto library at compilation so that it can check the fipscanister.o
   hash value in the library with the previously stored fips.
   
   As the user guide says:
   
   
   1. The HMAC-SHA-1 digest of the FIPS Object Module file must be calculated
   and verified against the installed digest to ensure the integrity of the
   FIPS Object Module.
   
   *For doing this, the library libcrypto.a should be linked at compile time.
   Without linking the application with libcrypto.a, will that make them FIPS
   capable applications? Please correct me if I am wrong*
   
   2. A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
   be generated and embedded in the application executable object for use by the
   FIPS_mode_set() function at runtime initialization.
   
   In our application, we normally do not link with libcrypto.a at compile
   time. We do dynamic loading. Is it possible to link dynamically and have
   FIPS capability in the application? From my understanding, it is not
   possible? Please correct me if I am wrong
   

  That is true but the application can be the libcrypto shared library
  which has already checked the hash at link time.

  For the 1.1.2 module shared library builds weren't possible on most
  platforms; with the 1.2 module they are, with a few exceptions.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk





Re: Basic Question

2009-05-29 Thread Dr. Stephen Henson
On Fri, May 29, 2009, tensy joseph wrote:

 I have gone through the user guide again; I am a little confused now. This
 statement confuses me:
 
 A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must be
 generated and embedded in the application executable object for use by
 the FIPS_mode_set() function at runtime initialization.
 
 So if I do dlopen of the libcrypto library and load FIPS_mode_set
 dynamically, in this case it will not embed the SHA digest
 in the application executable. In this scenario, I cannot load the symbol
 FIPS_mode_set dynamically and it needs to be available at compilation
 time; I will need to link to libcrypto.a at compile time.
 

What platform is that? libcrypto.a is normally a static library, libcrypto.so
(or various other diverse extensions) is normally the shared library.

When you build a FIPS capable version of OpenSSL using a shared library build
the application is the shared library itself and the digest has already been
embedded by the build procedure. So you just have to link (dynamically if you
wish) against the shared library in the usual way. If the digest wasn't
embedded properly FIPS_mode_set(1) would fail.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Basic Question

2009-05-29 Thread tensy joseph
The platform is AIX. I have used fipsld to link the application and the
digest was properly embedded in the application executable.

I have written a small program to test this.

#include <stdio.h>
#include <dlfcn.h>

/* AIX needs RTLD_MEMBER to dlopen a member of an archive; other platforms
 * do not define the flag, so make it a no-op there. */
#ifndef RTLD_MEMBER
#define RTLD_MEMBER 0
#endif

int main(void)
{
    int (*dlsym_fips_mode_set)(int);
    void *handle = dlopen("/usr/lib/libcrypto.a(libcrypto.so.0.9.8)", RTLD_LAZY | RTLD_MEMBER);

    if (handle == NULL) {
        fprintf(stderr, "dlopen failed: %s\n", dlerror());
        return 1;
    }
    /* the entry point is FIPS_mode_set(); passing 1 requests FIPS mode */
    dlsym_fips_mode_set = (int (*)(int))dlsym(handle, "FIPS_mode_set");
    if (dlsym_fips_mode_set == NULL) {
        fprintf(stderr, "dlsym failed: %s\n", dlerror());
        return 1;
    }
    if (dlsym_fips_mode_set(1))
        printf("in fips mode\n");
    return 0;
}

I generated the above program's object file using cc and then used
fipsld to generate the executable.

It was successfully entering FIPS mode.

I have generated a shared library of FIPS capable openssl 9.8k and the
fipscanister object module was embedded in the shared library
of the openssl 9.8k shared library. So I think fipsld is mainly used to embed
the digest into the executable by calculating the SHA value of
fipscanister.o (which is stored on the user machine), which is compared with
fipscanister.o.sha1 (which is stored on the user machine).

I have another doubt: if the application is in FIPS mode, will the
cryptography operations be done by the fipscanister.o stored in
libcrypto.a?

Thanks in advance

Rajan

On Fri, May 29, 2009 at 7:10 PM, Dr. Stephen Henson st...@openssl.org wrote:

 On Fri, May 29, 2009, tensy joseph wrote:

  I have gone through the user guide again; I am a little confused now.
  This statement confuses me:
  
  A HMAC-SHA1 digest of the FIPS Object Module code and read-only data must
  be generated and embedded in the application executable object for use by
  the FIPS_mode_set() function at runtime initialization.
  
  So if I do dlopen of the libcrypto library and load FIPS_mode_set
  dynamically, in this case it will not embed the SHA digest
  in the application executable. In this scenario, I cannot load the
  symbol FIPS_mode_set dynamically and it needs to be available at compilation
  time; I will need to link to libcrypto.a at compile time.
  

 What platform is that? libcrypto.a is normally a static library,
 libcrypto.so (or various other diverse extensions) is normally the shared
 library.

 When you build a FIPS capable version of OpenSSL using a shared library
 build the application is the shared library itself and the digest has
 already been embedded by the build procedure. So you just have to link
 (dynamically if you wish) against the shared library in the usual way. If
 the digest wasn't embedded properly FIPS_mode_set(1) would fail.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk
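The integrity check the thread keeps returning to (step 1 of the quoted user guide: the HMAC-SHA-1 digest of the module file is recomputed and compared with the installed digest, which is what Rajan describes fipsld doing with fipscanister.o and fipscanister.o.sha1) can be modelled in a few lines. The following is an added example, not code from OpenSSL or from anyone in the thread. It assumes the fixed HMAC key published in the FIPS Object Module User Guide, constructs a fake module file and its .sha1 companion in a temporary directory, and models only the file-level digest comparison; it does not reproduce the second step, where FIPS_mode_set() checks a digest embedded in the executable or shared library.

```python
import hmac
import hashlib
import os
import tempfile

# Fixed HMAC-SHA-1 key the OpenSSL FIPS Object Module uses for its integrity
# test (published in the module's User Guide). Because the key is public, the
# check detects accidental or unauthorised modification of the module file; it
# is not proof of where the file came from.
FIPS_HMAC_KEY = b"etaonrisuhadlcmfpgwybvkxjqz"


def module_digest(data: bytes, key: bytes = FIPS_HMAC_KEY) -> str:
    """HMAC-SHA-1 over the module bytes, hex-encoded as stored in a .sha1 file."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def file_digest(path: str, key: bytes = FIPS_HMAC_KEY) -> str:
    """Same digest computed over a file, streamed so a large module need not be
    read into memory at once."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_module(data: bytes, installed_digest: str, key: bytes = FIPS_HMAC_KEY) -> bool:
    """Compare a freshly computed digest with the installed one. compare_digest
    avoids leaking, through timing, how many leading characters matched."""
    return hmac.compare_digest(module_digest(data, key), installed_digest.strip().lower())


def check_installed_module(module_path: str, digest_path: str) -> dict:
    """Model of the install-time check: recompute over the module file and compare
    with the digest stored beside it (fipscanister.o next to fipscanister.o.sha1)."""
    with open(digest_path, "r", encoding="ascii") as fh:
        installed = fh.read().strip().lower()
    computed = file_digest(module_path)
    return {"installed": installed, "computed": computed,
            "ok": hmac.compare_digest(computed, installed)}


def demo() -> dict:
    """Constructed scenario: write a fake module and its .sha1 file, check it, then
    flip one byte of the module and check again. Returns both verdicts."""
    fake_module = bytes(range(256)) * 16  # constructed stand-in for fipscanister.o
    with tempfile.TemporaryDirectory() as tmp:
        module_path = os.path.join(tmp, "fipscanister.o")
        digest_path = module_path + ".sha1"
        with open(module_path, "wb") as fh:
            fh.write(fake_module)
        with open(digest_path, "w", encoding="ascii") as fh:
            fh.write(module_digest(fake_module) + "\n")
        intact = check_installed_module(module_path, digest_path)

        tampered = bytearray(fake_module)
        tampered[100] ^= 0x01  # a single-bit change must be caught
        with open(module_path, "wb") as fh:
            fh.write(bytes(tampered))
        modified = check_installed_module(module_path, digest_path)
    return {"intact_ok": intact["ok"], "tampered_ok": modified["ok"]}


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'intact_ok': True, 'tampered_ok': False}`. The same comparison, done against a digest embedded in the executable or shared library rather than a file beside it, is what makes FIPS_mode_set(1) fail when the build did not embed the digest properly, as Steve describes above.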



RE: Basic question on version number..

2008-08-24 Thread Kenneth Goldman
 The decision in the case of OpenSSL was that 1.x would have a stable API,
 permitting shared libraries to be used interchangeably. OpenSSL does not
 have a stable API yet, officially.

If that's the rationale, I eagerly await 1.0.  The lack of a stable
API has hurt me far too many times.  I encourage the developers
to freeze the existing API.

 Shared library is currently an experimental feature.  The only reason to
  have them would be to conserve memory on systems where several program
  are using OpenSSL.  Binary backward compatibility can't be guaranteed
  before OpenSSL version 1.0.

I think this was the original idea.  For me, the more important reason
to use a shared library is the ability to upgrade the library when I
don't have access to the source/object code that uses the library.

Re: Basic question on version number..

2008-08-24 Thread Goetz Babin-Ebell

Kenneth Goldman wrote:
|   The decision in the case of OpenSSL was that 1.x would have a stable API,
|   permitting shared libraries to be used interchangeably. OpenSSL does not
|   have a stable API yet, officially.
|
| If that's the rationale, I eagerly await 1.0.

Be prepared to wait a long time...
I don't think we'll see an OpenSSL 1.0 anytime soon.

If you think that a 0.9.9 indicates a pending 1.0, you are wrong.
The OpenSSL version numbering allows something like a version
0.255.255 ...
So I expect that the release after 0.9.9 will be a 0.9.10...


Goetz

--
DMCA: The greed of the few outweighs the freedom of the many


Re: Basic question on version number..

2008-08-22 Thread A . L . M . Buxey
Hi,

 Why the latest version is still 0.9.x, why it hasn't bumped up to 1.x in
 last 8 years. Generally 1.x defines a stable version.

hmm, I personally would not get hung up on '1.x is stable' -
having used dozens of platforms and software versions
to run network delivery solutions I can tell you that NOTHING
means that stuff is 'stable' - certainly there are more
BETA releases with > 1.x numbers than there are sub
1.x releases  :-)

anyhow, the reasoning for OpenSSL never going above 1.0
right now has been given in another post - but rest assured,
they'll have a dilemma with defining what is 2.0 once
they have finally breached the 'over 1.x the libraries
are more flexible' mantra

alan


Re: Basic question on version number..

2008-08-22 Thread Joe Flowers
   We're thinking of using openssl in our company but wondering about the
version number.

Rach,

OpenSSL is a great product. It is very widely used and adopted throughout
the world. If you ripped it off the face of the planet right now, it would
be catastrophic because so many people and systems and programs and etc.
depend on it. Care none what version numbering scheme they use.

Joe
--


Basic question on version number..

2008-08-21 Thread R B
Hi,
  We're thinking of using openssl in our company but wondering about the
version number.
Why is the latest version still 0.9.x; why hasn't it bumped up to 1.x in the
last 8 years? Generally 1.x defines a stable version.

Any insight would be helpful in making a decision.

Thanks,
Rach


RE: Basic question on version number..

2008-08-21 Thread David Schwartz

 Hi,
  We're thinking of using openssl in our company but wondering
 about the version number.
 Why is the latest version still 0.9.x; why hasn't it bumped up
 to 1.x in the last 8 years? Generally 1.x defines a stable version.

 Any insight would be helpful in making a decision.

 Thanks,
 Rach

http://thedailywtf.com/Articles/One_Version_to_Rule_Them_All.aspx

The decision in the case of OpenSSL was that 1.x would have a stable API,
permitting shared libraries to be used interchangeably. OpenSSL does not
have a stable API yet, officially.

 Shared library is currently an experimental feature.  The only reason to
 have them would be to conserve memory on systems where several program
 are using OpenSSL.  Binary backward compatibility can't be guaranteed
 before OpenSSL version 1.0.

OpenSSL, however, is very solid and probably the best-tested SSL
implementation in existence. I, personally, would be much more concerned
about the risk of *security* problems. OpenSSL's software is openly
available and has stood the test of time.

DS

