linux - How to check FIPS 140-2 support in OpenSSL? -


we have client asking openssl fips (federal information processing standard) 140-2 compliant support validated cryptography use. how check whether openssl has fips complains providing fips validated cryptography or not?

os: redhat 5 linux

how check whether openssl has providing fips validated cryptography or not?

it depends on how , when want check. depends on application.

fips available not used. application must enable validated cryptography via fips_mode_set, , call must succeed.

if want check if fips capable library, such openssl 1.0.1e, configured use fips object module, can:

$ cat /usr/local/ssl/include/openssl/opensslconf.h  | grep -a 2 -i fips #ifndef openssl_fips # define openssl_fips #endif

openssl_fips tells fips capable library configured use fips object module. fips validated cryptography available.

openssl_fips not mean application using fips validated cryptography, though. application must call fips_mode_set, , function must return success.

at runtime, can print string associated following (its taken code use this):

ostringstream oss; oss << openssl_version_text; logversion(oss.str().c_str());

the code produce log entry similar following:

version: openssl 1.0.1f-fips 6 jan 2014

you can audit module few tricks. example, following test symbols must present if executable fips.

in case, i'm testing openssl fips capable shared object. if application links libcrypto.a, can audit program rather openssl shared object.

$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_* 00000000000c7f60 t err_load_fips_strings 00000000000c2250 t fips_add_error_data 00000000000c3900 t fips_add_lock 0000000000082820 t fips_bn_bin2bn 0000000000082980 t fips_bn_bn2bin 0000000000082760 t fips_bn_clear 0000000000082350 t fips_bn_clear_free 00000000000823d0 t fips_bn_free 0000000000087c90 t fips_bn_generate_prime_ex 0000000000082790 t fips_bn_get_word 0000000000082d20 t fips_bn_is_bit_set 0000000000087c80 t fips_bn_is_prime_ex 0000000000087750 t fips_bn_is_prime_fasttest_ex ...

you have symbols fips_premain.c:

$ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_text_* 00000000000c4520 t fips_text_end 000000000007b340 t fips_text_start $ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_rodata* 00000000001e1e20 r fips_rodata_end 00000000001d8ce0 r fips_rodata_start $ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_signature* 00000000004696c0 b fips_signature $ nm /usr/local/ssl/lib/libcrypto.so | grep -i fips_incore* 000000000007b5a0 t fips_incore_fingerprint

now, sneaky. can check module includes self tests. example, fips_drbg_selftest.h include following bytes self tests:

0x2e,0xbf,0x98,0xf9,0x85,0x27,0x8b,0xff,0x36,0xb9,0x40,0x0b, 0xc0,0xa1,0xa0,0x13,0x20,0x06,0xcc,0xe6,0x2a,0x03,0x77,0x7d, 0xee,0xde,0xcc,0x34,0xe3,0xcd,0x77,0xea,0xd0,0x3e,0xbe,0xdd, 0xf6,0x15,0xfb,0xa7,0xd7,0x8e,0xd0,0x2e,0x2f,0x82,0x4c,0xc7, 0x87,0xb1,0x6f,0xc5,0xf8,0x5c,0x78,0xde,0x77,0x9b,0x15,0x9a, 0xb9,0x3c,0x38

and can verify developer ran incore or macho_incore on executable embed fips fingerprint dumping 20 bytes of symbol fips_signature. if 20 bytes of 0's (the default fips_premain.c), fingerprint not embedded , fips_mode_set fail. not possible use fips validated cryptography in case.

update: uploaded slide deck have on subject openssl wiki. called building applications using openssl validated cryptography: notes field developers , auditors. want review material starting around slide 18.

i built slide deck owasp there's no interest in receiving it. know stack overflow frowns upon links 1 on openssl wiki, don't know how provide 35+ slide deck here.


Comments

Post a Comment

Popular posts from this blog

html - How to style widget with post count different than without post count -

i have border below li elements in wordpress widget types appropriate. element inside set block gives them nice easy click full width. the problem, when choose option "show post count" when adding widget such categories or archives displays post count plain text after tag , because tag block pushes post number text line below. whether choose show post count or not show post count still gives exact same element identifyer example "widget_categories". how style post count not on next line still keep links non post count list items full width? here's example on sidebar www.bbmthemes.com/themes/modular/blog-standard/ in order solve problem need remove display:block; for ul.widgets ul a , add in it's place line-height: 33px; what going achieve have same visual effect. what going lose doing links going work on text , not on "box". the other way out of find post count coming , make changes this. example change text count i...
Read more

How to remove text and logo OR add Overflow on Android ActionBar using AppCompat on API 8? -

have researched death , cannot find answer. i have actionbar using appcompat. supporting api v7 (api v8 do). actionbar works api v11. api < v11 has problem of removing icon (and feature) actionbar without supplying overflow. big picture have app logo, app title, , 3 icons squidging same actionbar on low end phone. trying make room! i happy 1 of 2 solutions. either: a method of getting overflow functionality can retrieved pull down. (preferred) method of removing icon , text actionbar below current xml api 11+: <resources> <!-- base application theme api 11+. theme replaces appbasetheme res/values/styles.xml on api 11+ devices. --> <style name="appbasetheme" parent="theme.appcompat.light.darkactionbar"> <item name="android:actionbarstyle">@style/liteactionbarstyle</item> <item name="actionbarstyle">@style/liteactionbarstyle</item> </st...
Read more

IIS->Tomcat Redirect: multiple worker with default -

i trying configure multiple instances of tomcat (7) behind single domain in iis. tomcat instances both run on separate ports. have installed tomcat isapi_rediect.dll , configured iis. everything works redirector, except (you knew coming) being told "all other traffic must mapped 1 of 2 instances (they different applications). more accurate requests except specific pattern need mapped 1 worker , specific pattern (/rpt) needs go other worker. i have 2 workers defined in workers.properties: worker.list=ajp13_1,ajp13_2 worker.ajp13_1.port=8009 worker.ajp13_2.port=8010 and following in uriworkermap.properties: /wxx|/*=ajp13_1 /rpt|/*=ajp13_2 with this, seems fine. except (considerable) number of request not include wxx scope. need map rpt , sub content ajp3_2 , other requests ajp3_1. if add /|*=ajp13_1 then ajp3_2 becomes unreachable , wildchar match maps /rpt/* uri ajp3_1. is there way trying do? appreciate help- have spent time reading same references ...
Read more