new FIPS module

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

new FIPS module

Steve Marquess-4
As always, if you don't care about FIPS 140 then count yourself lucky
and move on.

Work on the new FIPS module has so far taken a backseat to higher
priority topics like the 1.1 release and security vulnerabilities, but
we should start to make some progress soon. I've put together a rough
wiki page outlining some goals for the new FIPS module:

  https://wiki.openssl.org/index.php/FIPS_module_3.0

Within the very tight constraints of schedule, resources, and what is
permitted by FIPS 140, we want this FIPS module to be as widely useful
as possible.

If we've omitted anything of vital importance please speak up.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: new FIPS module

Jakob Bohm-7
On 27/09/2016 15:41, Steve Marquess wrote:

> As always, if you don't care about FIPS 140 then count yourself lucky
> and move on.
>
> Work on the new FIPS module has so far taken a backseat to higher
> priority topics like the 1.1 release and security vulnerabilities, but
> we should start to make some progress soon. I've put together a rough
> wiki page outlining some goals for the new FIPS module:
>
>    https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful
> as possible.
>
> If we've omitted anything of vital importance please speak up.
Here's one practical thing (as a suggestion):

- To ensure compatibility with platform ASLR, build the FIPS cannister
  as completely position independent code with no relocations whenever
  platforms allow.  This probably requires that the FIPS cannister
  makes all calls to outside libraries as callbacks to function pointers
  supplied during module init, or at least via a function table that is
  outside the hashed FIPS cannister.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: new FIPS module

Zeke Evans-2
In reply to this post by Steve Marquess-4
> As always, if you don't care about FIPS 140 then count yourself lucky and
> move on.
>
> Work on the new FIPS module has so far taken a backseat to higher priority
> topics like the 1.1 release and security vulnerabilities, but we should start to
> make some progress soon. I've put together a rough wiki page outlining
> some goals for the new FIPS module:
>
>   https://wiki.openssl.org/index.php/FIPS_module_3.0
>
> Within the very tight constraints of schedule, resources, and what is
> permitted by FIPS 140, we want this FIPS module to be as widely useful as
> possible.
>
> If we've omitted anything of vital importance please speak up.

The fixed base address requirement causes problems for large Windows x86 applications and there isn't a great work around.  It isn't clear to me if item 2 " Support compilation in various forms" will address this or not.  An option to compile the fips module as a dll instead of a static lib would be nice or at least allow the fips capable module to be rebased.

Zeke Evans
Senior Software Engineer
Micro Focus
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: new FIPS module

Steve Marquess-4
On 09/27/2016 10:57 AM, Zeke Evans wrote:
>> ...
>
> The fixed base address requirement causes problems for large Windows
> x86 applications and there isn't a great work around.  It isn't clear
> to me if item 2 " Support compilation in various forms" will address
> this or not.  An option to compile the fips module as a dll instead
> of a static lib would be nice or at least allow the fips capable
> module to be rebased.

As I understand it (not being a Windows person), we don't have any
options good across the Windows ecosystem. Apparently PIC isn't possible
on Win32, for instance.

Hopefully Andy will weigh in. If there is a graceful way to accommodate
Windows we'd gladly do it.

As for DLLs, the fipscanister.o code can always be embedded within a DLL
or shared library. It's the rebasing that's the problem.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: new FIPS module

Troy Smoke
In reply to this post by Steve Marquess-4
I am in the position of evaluating products that have (or claim to have) implemented the OpenSSL FIPS module.

I would like to be able to be able to run a command or run the FIPS self-test on command, for the purpose of verifying if OpenSSL is operating in FIPS mode. 

This may not be important for most users, but I would consider it of vital importance from a testing perspective. This is also assuming that such a command/procedure would be allowed under the FIPS certification.

Thanks, zoddoz

>As always, if you don't care about FIPS 140 then count yourself lucky and move >on.
>
>Work on the new FIPS module has so far taken a backseat to higher priority >topics like the 1.1 release and security vulnerabilities, but we should start to >make some progress soon. I've put together a rough wiki page outlining some >goals for the new FIPS module:
>
>Caution-https://wiki.openssl.org/index.php/FIPS_module_3.0
>
>Within the very tight constraints of schedule, resources, and what is permitted >by FIPS 140, we want this FIPS module to be as widely useful as possible.
>
>If we've omitted anything of vital importance please speak up.
>
>-Steve M.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: new FIPS module

Steve Marquess-4
On 09/29/2016 12:40 PM, Troy Smoke wrote:
> I am in the position of evaluating products that have (or claim to have)
> implemented the OpenSSL FIPS module.
>
> I would like to be able to be able to run a command or run the FIPS
> self-test on command, for the purpose of verifying if OpenSSL is
> operating in FIPS mode.
>
> ...

Keep in mind that "OpenSSL" itself doesn't "operate in FIPS mode".
OpenSSL is a set of shared libraries which may be instantiated different
ways by different calling applications. Application A may enable FIPS
mode while application B referencing the same shared libraries doesn't.
"OpenSSL" itself is never "operating in FIPS mode" independently of any
applications; the term is meaningful only in the context of a specific
application/process.

A related question is "Does this OpenSSL install support use of the FIPS
module"? We call OpenSSL built that way a "FIPS capable" OpenSSL;
"capable" because calling applications can elect to enable FIPS mode (or
not).

To see if a specific install of OpenSSL 1.0.1/1.0.2 was built as FIPS
capable, you can run the command (application):

  OPENSSL_FIPS=1 openssl md5 < /dev/null

It will throw errors if the "openssl" command is from a FIPS capable
OpenSSL; either for a self test failure (unlikely) or because of the
disallowed algorithm. If not from a FIPS capable OpenSSL you just see
the message "FIPS mode not supported."

Note that tells you nothing about whether another application has
enabled FIPS mode, though. For that you need to look under the hood of
that application (i.e. ask the vendor).

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users