Re: FIPS_mod_set() before/after SSL_library_init() ?

2008-09-14 Thread Steve Marquess
Robert Sicoie wrote:
> Hi,
>
> I'm building cURL with a FIPS-capable OpenSSL module. I'm calling the
> FIPS_mode_set function to enable FIPS somewhere after SSL_library_init()
> has already been called. The binary file is working fine, but is there a
> problem that the FIPS mode is turned on after SSL_library_init() but
> before connecting to the remote host?
>
> Must the FIPS_mode_set function be called before SSL_library_init()?
>
No, FIPS_mode_set() can be called afterwards.  It can even be called
long afterwards, after performing crypto operations in regular
(non-FIPS) mode.

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: FIPS_mod_set() before/after SSL_library_init() ?

2008-09-16 Thread Welling, Conrad Gerhart
Steve:
As I think you know, I've built FIPS-capable libcurl for Windows and curl for 
HP-UX.  I'm currently building FIPS-capable curl on Solaris 9 and, among other 
mods to curl, I inserted the call to FIPS_mode_set() after the call to 
Curl_pretransfer(data) in the function Curl_perform() in the file 
lib/transfer.c.  When I read this thread, I was curious, so I searched in *.c 
and *.h files in my 7.18.2 curl project for SSL_library_init() and failed to 
find it.  Then I searched for it in openssl-0.9.7m and failed to find it there 
either.  So, before I go any further, what am I missing here?



RE: FIPS_mod_set() before/after SSL_library_init() ?

2008-09-16 Thread Welling, Conrad Gerhart
Steve:
Never mind.  My search was erroneous and I found the aliases (i.e., #define 
OpenSSL_add_ssl_algorithms() SSL_library_init(), etc).



RE: FIPS_mod_set() before/after SSL_library_init() ?

2008-09-16 Thread Saju
Steve,

Maybe the answer to your question is in these two paragraphs from the
'OpenSSL FIPS 140-2 Security Policy' guide.

http://www.openssl.org/docs/fips/SecurityPolicy-1.1.2.pdf

2.5 Approved Mode of Operation

A single initialization call, FIPS_mode_set(), is required to initialize the
Module for operation in the FIPS 140-2 Approved mode, referred to herein as
"FIPS mode". When the Module is in FIPS mode all security functions and
cryptographic algorithms are performed in Approved mode, with the exception
of DES which is not allowed in the Approved FIPS mode of operation, and its
use will result in the module operating in a non-Approved state. Use of the
FIPS_mode_set() function call is described in the User Guide, Reference 14.
The Module is not in FIPS mode until FIPS mode is initialized.

The FIPS mode initialization is performed when the application invokes the
FIPS_mode_set() call. Prior to this invocation the Module is uninitialized
with the internal global flag FIPS_mode set to FALSE indicating non-FIPS
mode by default. The FIPS_mode_set() function verifies the integrity of the
runtime executable using a HMAC-SHA-1 digest computed at build time. If this
computed HMAC-SHA-1 digest matches the stored known digest then the power-up
self-test, consisting of the algorithm specific Pairwise Consistency and
Known Answer tests, is performed. If any component of the power-up self-test
fails the internal global error flag FIPS_selftest_fail is set to prevent
subsequent invocation of any cryptographic function calls. If all components
of the power-up self-test are successful then FIPS_mode_set() sets the
FIPS_mode flag to TRUE and the Module is in FIPS mode.

My interpretation of this was to call FIPS_mode_set() before
SSL_library_init().

Saju




RE: FIPS_mod_set() before/after SSL_library_init() ?

2008-09-16 Thread Welling, Conrad Gerhart
Steve, et al.:
After the first missive, I sent another which didn't get posted, to wit: I 
remembered that there are aliases for SSL_library_init() so, of course, please 
disregard my query.  Thanks.
 