Issue with continuous PRNG test with FIPS module of OpenSSL

Issue with continuous PRNG test with FIPS module of OpenSSL

alok sharma-2
Hi,
      I have my client/server on Windows. The server is concurrent, with one thread per connection. When the number of connections increases to 400-500, i.e. under high thread load, my server crashes. I debugged it and found that it gives the error ("random number generator:FIPS_RAND:prng error") when it tries to invoke SSL_accept(). My server is FIPS compliant. I looked further inside the OpenSSL code and found an issue with the fips_rand() method (fips/rand/fips_rand.c). Following is my observation.
     The error is generated at the following point:
      fips_rand()
       {
.............................
............................

        if (!ctx->test_mode)
            fips_get_dt(ctx);
        AES_encrypt(ctx->DT, I, &ctx->ks);
        for (i = 0; i < AES_BLOCK_LENGTH; i++)
            tmp[i] = I[i] ^ ctx->V[i];
        AES_encrypt(tmp, R, &ctx->ks);
        for (i = 0; i < AES_BLOCK_LENGTH; i++)
            tmp[i] = R[i] ^ I[i];
        AES_encrypt(tmp, ctx->V, &ctx->ks);
        /* Continuous PRNG test */
        if (ctx->second)
            {
            if (fips_prng_fail){
                memcpy(ctx->last, R, AES_BLOCK_LENGTH);
                RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
            }
            if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) /* <-- this check fails: the current encrypted block and the last one are the same */
                {
                RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
                ctx->error = 1;
                fips_set_selftest_fail();
                return 0;
                }
            }
        memcpy(ctx->last, R, AES_BLOCK_LENGTH);
.......................................................................
......................................................................

      }
     
I think that under heavy load the OpenSSL continuous PRNG test is failing. It might be generating the same values, as it applies AES encryption over the data taken from fips_get_dt(ctx). For the Windows platform this function uses GetSystemTimeAsFileTime(), like:
..........
.........
#ifdef OPENSSL_SYS_WIN32
    GetSystemTimeAsFileTime(&ft);
    buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
    buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
    buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
    buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
    buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
    buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
    buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
    buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
.........................
.........................

Please help in this regard. I am using openssl version 0.9.8o.
Regards,
Alok
Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Jakob Bohm-7
On 9/14/2011 6:33 PM, alok sharma wrote:

> Hi,
>        I have my client/server on Windows. The server is concurrent,
> with one thread per connection. When the number of connections
> increases to 400-500, i.e. under high thread load, my server crashes. I
> debugged it and found that it gives the error ("random number
> generator:FIPS_RAND:prng error") when it tries to invoke SSL_accept(). My
> server is FIPS compliant. I looked further inside the OpenSSL code and found
> an issue with the fips_rand() method (fips/rand/fips_rand.c). Following is my
> observation.
>       The error is generated at the following point:
>        fips_rand()
>         {
> .............................
> ............................
>
>         if (!ctx->test_mode)
>             fips_get_dt(ctx);
>         AES_encrypt(ctx->DT, I, &ctx->ks);
>         for (i = 0; i < AES_BLOCK_LENGTH; i++)
>             tmp[i] = I[i] ^ ctx->V[i];
>         AES_encrypt(tmp, R, &ctx->ks);
>         for (i = 0; i < AES_BLOCK_LENGTH; i++)
>             tmp[i] = R[i] ^ I[i];
>         AES_encrypt(tmp, ctx->V, &ctx->ks);
>         /* Continuous PRNG test */
>         if (ctx->second)
>             {
>             if (fips_prng_fail){
>                 memcpy(ctx->last, R, AES_BLOCK_LENGTH);
The above line may cause the next test to fail too if "fips_prng_fail"
was set by something else.

>                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
>             }
>             if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) /* <-- this check fails: the current encrypted block and the last one are the same */
>                 {
>                 RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
>                 ctx->error = 1;
>                 fips_set_selftest_fail();
>                 return 0;
>                 }
>             }
>         memcpy(ctx->last, R, AES_BLOCK_LENGTH);
> .......................................................................
> ......................................................................
>
>        }
>
> I think that under heavy load the OpenSSL continuous PRNG test is failing. It might be
> generating the same values, as it applies AES encryption over the data taken
> from fips_get_dt(ctx).
Yes, that is (technically) how the code tests if the RNG is failing badly.
This is a symptom, not a cause.
The chance of this happening if the RNG is good for anything is
1 in 2**128 per test run, thus very unlikely; the chance of this happening more
than once on the same (working) computer is astronomically small.

So the real problem is that this self-test seems to have found an actual
security problem.  Running this kind of test to discover such security
problems is a FIPS requirement.

What the error is apparently saying is that the PRNG as running on your
machine is *not* FIPS quality and must not be used for any government
work (and probably not for anything else either!).

>   For the Windows platform this function uses
> GetSystemTimeAsFileTime(), like:
> ..........
> .........
> #ifdef OPENSSL_SYS_WIN32
>      GetSystemTimeAsFileTime(&ft);
>      buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
>      buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
>      buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
>      buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
>      buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
>      buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
>      buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
>      buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
> .........................
> .........................
If this is the only PRNG seeding used on your machine, then your setup
is very insecure.  As a bare minimum you should make sure the code that
grabs entropy from the Windows CryptoAPI PRNG (which is also FIPS
certified) is also enabled.

This seeding source is not very random at all, and it is only a (short)
matter of time before it will produce something so predictable it should
not pass any quality tests, including FIPS tests.

>
> Please help in this regard. I am using openssl version 0.9.8o.
> Regards,
> Alok
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Issue with continuous PRNG test with FIPS module of OpenSSL

alok sharma-2
Hi Jakob,
    Thanks for such a detailed reply. But I have one concern: how can an application know whether it is secure or not? FIPS uses GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns, but my application is running at an even faster rate, so the same value is being generated for the current as well as for the last request. Is there any provision inside OpenSSL which ensures that unique random numbers will be generated, or does the application need to add some delay for each new connection request?
Regards,
Alok


Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Jakob Bohm-7
On 9/19/2011 8:49 AM, alok sharma wrote:

> Hi Jakob,
>     Thanks for such a detailed reply. But I have one concern: how can
> an application know whether it is secure or not? FIPS uses
> GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of
> 1 ns, but my application is running at an even faster rate, so the same value
> is being generated for the current as well as for the last request. Is there
> any provision inside OpenSSL which ensures that unique random numbers
> will be generated, or does the application need to add some delay for each new
> connection request?
> Regards,
> Alok
>
1. While GetSystemTimeAsFileTime() returns the calendar date and
time in units of 0.1 microsecond (100 ns), the value is NOT really that
precise, as it only increments a few hundred or thousand times per
second.  Besides, anyone with a clock of his own will know the
approximate value.  Someone more familiar with the OpenSSL version you
use should be able to tell you what other (and better!) sources of raw
entropy OpenSSL can be configured to use.

2. Random values are not necessarily unique.  Getting the same value as
before must have exactly the same probability as getting any other
specific value. (A random byte will be the same as the previous one 1
time out of 256 on average, a random 16-bit value 1 in 65536, etc.)  To
be secure, it must be completely unpredictable, with actual probabilities
equal for all values of a given length.

3. OpenSSL, like most such libraries, uses the raw entropy sources (such
as GetSystemTimeAsFileTime() and much better ones) as input to a
cryptographic random generation algorithm which produces a sequence of
almost-unpredictable values even if it does not get new entropy input
for some (short) amount of time.  This is standard procedure because
really good sources of entropy tend to operate quite slowly,
perhaps giving only a few bits of fresh entropy per second.


Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Dr. Stephen Henson
In reply to this post by alok sharma-2
On Mon, Sep 19, 2011, alok sharma wrote:

> Hi Jakob,
>     Thanks for such a detailed reply. But I have one concern: how can
> an application know whether it is secure or not? FIPS uses
> GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns,
> but my application is running at an even faster rate, so the same value is being
> generated for the current as well as for the last request. Is there any provision
> inside OpenSSL which ensures that unique random numbers will be generated, or
> does the application need to add some delay for each new connection request?
> Regards,
>

OpenSSL uses more than just GetSystemTimeAsFileTime; it also makes use of a
counter value which is incremented on each use. This is all done under a lock,
so the values should never repeat even if the time value does.

If you are getting continuous PRNG test failures then I suspect your locking
callbacks aren't functioning correctly and you are getting race conditions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Issue with continuous PRNG test with FIPS module of OpenSSL

alok sharma-2
Hi,
    So is there any method on Windows to generate non-predictable random numbers? I think mostly the FileSystem time is used to seed randomness, which is failing in my case.
Regards,
Alok


Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Jeffrey Walton-3
On Fri, Sep 23, 2011 at 4:59 AM, alok sharma <[hidden email]> wrote:
>     So is there any method on Windows to generate non-predictable
> random numbers? I think mostly the FileSystem time is used to seed randomness,
> which is failing in my case.
One typically uses CryptGenRandom.

Jeff

Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Dr. Stephen Henson
In reply to this post by alok sharma-2
On Fri, Sep 23, 2011, alok sharma wrote:

> Hi,
>     So is there any method on Windows to generate non-predictable
> random numbers? I think mostly the FileSystem time is used to seed randomness,
> which is failing in my case.
>

As I indicated this shouldn't be happening if you've set up locking callbacks
correctly. Have you set up any locking callbacks?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Issue with continuous PRNG test with FIPS module of OpenSSL

alok sharma-2
I am using the OpenSSL FIPS version for my application. So, I have not made any change in the OpenSSL or FIPS code, just enabling FIPS and using the SSL API exposed for the client/server model. But through the debugger I have found that my application is crashing, giving the error message inside fips_rand() at the following line.

fips_rand()
       {
.............................
............................

        if (!ctx->test_mode)
            fips_get_dt(ctx);
        AES_encrypt(ctx->DT, I, &ctx->ks);
        for (i = 0; i < AES_BLOCK_LENGTH; i++)
            tmp[i] = I[i] ^ ctx->V[i];
        AES_encrypt(tmp, R, &ctx->ks);
        for (i = 0; i < AES_BLOCK_LENGTH; i++)
            tmp[i] = R[i] ^ I[i];
        AES_encrypt(tmp, ctx->V, &ctx->ks);
        /* Continuous PRNG test */
        if (ctx->second)
            {
            if (fips_prng_fail){
                memcpy(ctx->last, R, AES_BLOCK_LENGTH);
                RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
            }
            if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH)) /* <-- this check fails: the current encrypted block and the last one are the same */
                {
                RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
                ctx->error = 1;
                fips_set_selftest_fail();
                return 0;
                }
            }
        memcpy(ctx->last, R, AES_BLOCK_LENGTH);

Regards,
Alok


Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote:

> I am using the OpenSSL FIPS version for my application. So, I have not made
> any change in the OpenSSL or FIPS code, just enabling FIPS and using the SSL API
> exposed for the client/server model. But through the debugger I have found that my
> application is crashing, giving the error message inside fips_rand() at the following
> line.
>

You do not need to change the OpenSSL or the FIPS code. If your application is
multithreaded you *MUST* set up a proper locking callback or OpenSSL will not
function properly. This applies to FIPS and non-FIPS applications.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Issue with continuous PRNG test with FIPS module of OpenSSL

alok sharma-2
Hi,
     The error message comes when we invoke the SSL_accept() API. But taking a lock on it will affect performance, as it performs network operations inside this API (like the client hello message and others). So if the network is overloaded then the mutex hold time will be too large. I have observed that in the worst case it holds the lock for around 5-6 mins.
Regards,
Alok

Re: Issue with continuous PRNG test with FIPS module of OpenSSL

Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote:

> Hi,
>      The error message comes when we invoke the SSL_accept() API. But taking
> a lock on it will affect performance, as it performs network operations inside
> this API (like the client hello message and others). So if the network is overloaded,
> then the mutex hold time will be too large. I have observed that in the worst case
> it holds the lock for around 5-6 mins.

You don't lock the SSL_accept API.

In a multithreaded application OpenSSL needs to use locks internally to avoid
race conditions. In order to do this an application needs to supply a set of
locking callbacks which OpenSSL makes use of internally. The locking times
should always be very short for these cases: they are typically used to ensure
reference counts are incremented and decremented properly. If you don't set
these up OpenSSL will be unstable in multithreaded applications: one symptom
of this is how the FIPS PRNG behaves.

For more details see the archives and documentation. For example: the
"threads" manual page.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Issue With continous PRNG test with Fips module of openssl

alok sharma-2
Hi,
     Ok, I got your point. I think it will be helpful. Do you have any link or procedure to set up these callbacks, or are these just function pointers which need to be initialized at SSL initialization time?
Regards,
Alok

On Fri, Sep 23, 2011 at 5:22 PM, Dr. Stephen Henson <[hidden email]> wrote:
On Fri, Sep 23, 2011, alok sharma wrote:

> Hi,
>      The error message comes when we invoke the SSL_accept() API. But taking
> a lock on it will affect performance, as it performs network operations inside
> this API (like the client hello message and others). So if the network is overloaded,
> then the mutex hold time will be too large. I have observed that in the worst case
> it holds the lock for around 5-6 mins.

You don't lock the SSL_accept API.

In a multithreaded application OpenSSL needs to use locks internally to avoid
race conditions. In order to do this an application needs to supply a set of
locking callbacks which OpenSSL makes use of internally. The locking times
should always be very short for these cases: they are typically used to ensure
reference counts are incremented and decremented properly. If you don't set
these up OpenSSL will be unstable in multithreaded applications: one symptom
of this is how the FIPS PRNG behaves.

For more details see the archives and documentation. For example: the
"threads" manual page.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Issue With continous PRNG test with Fips module of openssl

Dr. Stephen Henson
On Fri, Sep 23, 2011, alok sharma wrote:

> Hi,
>      Ok, I got your point. I think it will be helpful. Do you have any link or
> procedure to set up these callbacks, or are these just function pointers
> which need to be initialized at SSL initialization time?

See the FAQ:

http://www.openssl.org/support/faq.html#PROG1

The manual page here:

http://www.openssl.org/docs/crypto/threads.html

and a simple example in crypto\threads\mttest.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
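What the two replies above describe (an application-supplied locking callback and thread-id callback, held only for the duration of a reference-count update, and the FAQ / threads(3) / mttest.c pointers for setting them up) is shown here as an added example. It is not code from this thread, from the FAQ, or from OpenSSL's mttest.c. The function names `app_locking_callback`, `app_id_callback`, `app_threading_init`, `app_threading_cleanup` and `simulate_refcount_race`, the `USE_REAL_OPENSSL` build switch, the lock-table size 41 and slot index 0 used in the self-contained build, and the driver that stands in for the library's own lock calls are all assumptions of the example. The callback signatures and the `CRYPTO_LOCK` / `CRYPTO_UNLOCK` / `CRYPTO_WRITE` values match OpenSSL 1.0.x's `<openssl/crypto.h>`; with `-DUSE_REAL_OPENSSL` the same callbacks are registered with the real library.

```c
/* Added example (not from this thread or from OpenSSL): the two callbacks an
 * OpenSSL 1.0.x application must register before using the library from more
 * than one thread, backed by pthread mutexes, plus a small driver that calls
 * the locking callback the way the library does around a reference count.
 *
 * Self-contained build:  cc -pthread thread_locks.c
 * Against OpenSSL 1.0.x: cc -DUSE_REAL_OPENSSL -pthread thread_locks.c -lcrypto
 */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef USE_REAL_OPENSSL
#include <openssl/crypto.h>
#else
/* Same numeric values as OpenSSL 1.0.x's <openssl/crypto.h>. */
#define CRYPTO_LOCK   1
#define CRYPTO_UNLOCK 2
#define CRYPTO_WRITE  8
#endif

#define SIM_LOCK_SLOT 0               /* constructed slot index for the driver */

static pthread_mutex_t *lock_table;   /* one mutex per OpenSSL lock slot */
static int lock_count;

/* Signature required by CRYPTO_set_locking_callback(). It does nothing but
 * lock or unlock: every internal critical section in the library runs while
 * the mutex is held, so any extra work here is exactly the long hold time to avoid. */
void app_locking_callback(int mode, int type, const char *file, int line)
{
    (void)file; (void)line;           /* only useful when debugging a deadlock */
    if (type < 0 || type >= lock_count)
        abort();                      /* table smaller than CRYPTO_num_locks() */
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&lock_table[type]);
    else
        pthread_mutex_unlock(&lock_table[type]);
}

/* Signature required by CRYPTO_set_id_callback(): a stable per-thread id,
 * which OpenSSL 1.0.x uses to key its per-thread error queues. */
unsigned long app_id_callback(void)
{
    return (unsigned long)(uintptr_t)pthread_self();
}

/* Call once, before any other OpenSSL call. With the real library,
 * num_locks must be CRYPTO_num_locks(). */
int app_threading_init(int num_locks)
{
    int i;
    lock_table = calloc((size_t)num_locks, sizeof *lock_table);
    if (lock_table == NULL)
        return 0;
    for (i = 0; i < num_locks; i++)
        pthread_mutex_init(&lock_table[i], NULL);
    lock_count = num_locks;
#ifdef USE_REAL_OPENSSL
    CRYPTO_set_id_callback(app_id_callback);
    CRYPTO_set_locking_callback(app_locking_callback);
#endif
    return 1;
}

void app_threading_cleanup(void)
{
    int i;
#ifdef USE_REAL_OPENSSL
    CRYPTO_set_locking_callback(NULL);
    CRYPTO_set_id_callback(NULL);
#endif
    for (i = 0; i < lock_count; i++)
        pthread_mutex_destroy(&lock_table[i]);
    free(lock_table);
    lock_table = NULL;
    lock_count = 0;
}

/* Driver: stands in for the library's own lock/unlock pair around a refcount. */
static long shared_refcount;

static void *worker(void *arg)
{
    int iters = *(const int *)arg, i;
    for (i = 0; i < iters; i++) {
        app_locking_callback(CRYPTO_LOCK | CRYPTO_WRITE, SIM_LOCK_SLOT, __FILE__, __LINE__);
        shared_refcount++;            /* the kind of update the lock protects */
        app_locking_callback(CRYPTO_UNLOCK | CRYPTO_WRITE, SIM_LOCK_SLOT, __FILE__, __LINE__);
    }
    return NULL;
}

/* Returns the final count; it equals nthreads * iters only if locking works. */
long simulate_refcount_race(int nthreads, int iters)
{
    pthread_t *tids = calloc((size_t)nthreads, sizeof *tids);
    int i;
    shared_refcount = 0;
    for (i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &iters);
    for (i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    free(tids);
    return shared_refcount;
}

int main(void)
{
#ifdef USE_REAL_OPENSSL
    int n = CRYPTO_num_locks();
#else
    int n = 41;                       /* constructed; the real library reports its own */
#endif
    if (!app_threading_init(n))
        return 1;
    printf("refcount after 8 x 10000 locked increments: %ld\n",
           simulate_refcount_race(8, 10000));
    app_threading_cleanup();
    return 0;
}
```

The hold time of each lock here is one mutex acquire plus one increment, which is the "very short" locking the reply describes; nothing in `SSL_accept()` itself is serialized. On Windows the pthread mutexes would be replaced by `CRITICAL_SECTION`s, as the Windows build of mttest.c does. Note that from OpenSSL 1.1.0 onwards locking is handled inside the library and these two callbacks are accepted but ignored, so this setup applies to the 1.0.x line discussed in the thread.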

Re: Issue With continous PRNG test with Fips module of openssl

alok sharma-2
Hi,
   Thanks for the help, it resolved my problem.
Regards,
Alok


On Fri, Sep 23, 2011 at 5:59 PM, Dr. Stephen Henson <[hidden email]> wrote:
On Fri, Sep 23, 2011, alok sharma wrote:

> Hi,
>      Ok, I got your point. I think it will be helpful. Do you have any link or
> procedure to set up these callbacks, or are these just function pointers
> which need to be initialized at SSL initialization time?

See the FAQ:

http://www.openssl.org/support/faq.html#PROG1

The manual page here:

http://www.openssl.org/docs/crypto/threads.html

and a simple example in crypto\threads\mttest.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: Issue With continous PRNG test with Fips module of openssl

Steffen DETTMER
In reply to this post by alok sharma-2
* Alok wrote:
> * On Fri, Sep 23, 2011 at 5:22 PM, Dr. Stephen Henson wrote:
> > You don't lock the SSL_accept API.
> > [...]
> > For more details see the archives and documentation.
> > For example: the "threads" manual page.

> Hi,
>      Ok, I got your point. I think it will be helpful. Do you
> have any link or procedure to set up these callbacks

Yes, he does have a link and he *even already posted it*,
see above. It is the "threads" manual page.

http://tinyurl.com/42s2gmd

SCNR.

oki,

Steffen
