Thanks a lot, David !!!!!
This mail will definitely throw me miles ahead.
Thanks
Ramaniganth V.S.
Nortel : 6-877-8976
Wipro : +91-80-28520408 Xtn: 81109
Mobile: +91-9972227096
Loc.: T8-1F-A-079, EC-3, Wipro Tech., #72, Keonics Electronics City,
Hosur Main Rd, Bangalore - 560 100.
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David McKinley
Sent: Saturday, July 21, 2007 10:02 PM
To: openssl-users@openssl.org
Subject: RE: OpenSSL FIPS Query
Ramaniganth,
I worked on enhancing net-snmp to work with OpenSSL in FIPS mode
a few months ago. After seeming to get it to work, the project was
shelved, so the code never got published. But, I can tell you the
approach I took.
First, I would echo the advice from David Schwartz to carefully
read and understand the OpenSSL FIPS security policy and user's guide -
this is a very important first step if you are going to attempt this.
There are two things that net-snmp needs to do in order to work
in FIPS mode. At startup, it needs to call FIPS_mode_set(1) to put the
OpenSSL library in FIPS mode, and then it needs to avoid calling
non-FIPS algorithms - in particular MD5 and DES. Actually, I'm a little
confused about whether DES has to be avoided or not, but we made the
decision that when in FIPS mode we would only allow AES to be used for
encryption.
To call FIPS_mode_set, I added a function in snmplib/scapi.c
named "sc_fips()". This function uses a static variable to tell whether
or not it has been previously called, and simply returns immediately on
all calls after the first one, with a value indicating whether or not
FIPS mode is enabled. On the first call, it checks an environment
variable, "NETSNMP_FIPS" to see whether or not FIPS mode is being
requested; if not, it just returns, indicating that FIPS mode is not
enabled. This is similar to the way the openssl utility works (using an
environment variable to request that it operate in FIPS mode). If the
environment variable is set, then FIPS_mode_set() is called, and if
successful, a return is made indicating that FIPS mode is now enabled.
If FIPS_mode_set() returns an error, the program aborts with an error.
I then inserted calls to this function prior to each place in
the code where calls to OpenSSL functions were made. This insures that
if FIPS mode is requested, then FIPS_mode_set() will be called prior to
calling any other OpenSSL function, but it will only be called once. Of
course, when there are a series of calls to OpenSSL functions within a
single function, it is sufficient to call sc_fips() just once in that
function before any of the OpenSSL calls are made. The places where
OpenSSL function calls are made can be found pretty easily by scanning
for the "USE_OPENSSL" compile flag. There seem to be just two modules:
snmplib/keytools.c and snmplib/scapi.c. By doing the initialization
this way, it works for all application code that links with the library
- not just snmpd, but also snmpget, snmpwalk, etc.
The next problem is to make sure that non-FIPS algorithms are
avoided when in FIPS mode. There are already compile-time flags that
can be set to disable calling MD5 and DES - "DISABLE_MD5" and
"DISABLE_DES". So, one way to create a FIPS net-snmp would be to build
it with those flags set. That is, run configure with --disable-md5 and
--disable-des options. We wanted to be able to select FIPS mode at run
time, though, through the environment variable described above, so I
couldn't compile MD5 and DES support out, but rather needed to add logic
to make sure these calls were avoided whenever - but only when - running
in FIPS mode.
To do that conveniently, I added these macro definitions to
/include/net-snmp/library/scapi.h:
#define NOT_FIPS_AND !sc_fips() &&
#define FIPS_OR sc_fips() ||
#define FIPS_ENABLE sc_fips()
Then, searching through the source for all instances of
DISABLE_MD5 or DISABLE_DES, I added logic to make the same disable
decision at run time using one of those macros. For example, in
snmplib/scapi.c, you'll find this function:
int
sc_get_properlength(const oid * hashtype, u_int
hashtype_len)
{
DEBUGTRACE;
/*
* Determine transform type hash length.
*/
#ifndef DISABLE_MD5
if (ISTRANSFORM(hashtype, HMACMD5Auth)) {
return BYTESIZE(SNMP_TRANS_AUTHLEN_HMACMD5);
} else
#endif
if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
return BYTESIZE(SNMP_TRANS_AUTHLEN_HMACSHA1);
}
return SNMPERR_GENERR;
}
This was changed to:
int
sc_get_properlength(const oid * hashtype, u_int
hashtype_len)
{
DEBUGTRACE;
/*
* Determine transform type hash length.
*/
#ifndef DISABLE_MD5
if (NOT_FIPS_AND ISTRANSFORM(hashtype, HMACMD5Auth))
{
return BYTESIZE(SNMP_TRANS_AUTHLEN_HMACMD5);
} else
#endif
if (ISTRANSFORM(hashtype, HMACSHA1Auth)) {
return BYTESIZE(SNMP_TRANS_AUTHLEN_HMACSHA1);
}
return SNMPERR_GENERR;
}
As a result, the MD5 HMAC function is only used if FIPS mode is
not selected. If FIPS mode is selected, it acts the same as if the code
was built with the DISABLE_MD5 flag set. Similar changes were made
everywhere the DISABLE_MD5 or DISABLE_DES compile flags were found.
Finally, note that each reference to "NOT_FIPS_AND", "FIPS_OR",
or "FIPS_ENABLE" results in a call to sc_fips(). Thus, these tests can
double as the required calls to enable fips mode in the first place.
Hope this helps with your project. As noted at the top, we
didn't actually get to final release on this, so it never went through
formal testing or customer acceptance. But, it did seem to work in
preliminary testing.
Good Luck!
David McKinley
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, July 21, 2007 7:02 AM
To: openssl-users@openssl.org
Subject: OpenSSL FIPS Query
Hi,
NetSNMP is the open source SNMP management Kit which
uses OpenSSL Libcrypto.
I would like to know what changes I have to make in the
NetSnmp to access the FIPS compatible OpenSSL Libraries.
Thanks
Ramaniganth V.S.
Nortel : 6-877-8976
Wipro : +91-80-28520408 Xtn: 81109
Mobile: +91-9972227096
Loc.: T8-1F-A-079, EC-3, Wipro Tech., #72, Keonics
Electronics City, Hosur Main Rd, Bangalore - 560 100.
The information contained in this electronic message and any attachments
to this message are intended for the exclusive use of the addressee(s)
and may contain proprietary, confidential or privileged information. If
you are not the intended recipient, you should not disseminate,
distribute or copy this e-mail. Please notify the sender immediately and
destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient
should check this email and any attachments for the presence of viruses.
The company accepts no liability for any damage caused by any virus
transmitted by this email.
www.wipro.com
The information contained in this electronic message and any attachments to
this message are intended for the exclusive use of the addressee(s) and may
contain proprietary, confidential or privileged information. If you are not the
intended recipient, you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately and destroy all copies of this message and
any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should
check this email and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted by this
email.
www.wipro.com
