Jeff,
The fipscanister's integrity test must be called before main(), and that's why fipsld does what it does. The process to load it and verify it is given (in source form) in the fips-1.2.0 package, and those bits can be located as well as the compiled bits of the canister itself.
I think that this discussion is good, because it will (hopefully) lead to a tool -- perhaps a script -- that can perform all of the tests that we can identify on an executable to determine if it's been statically linked with a correct fipscanister.
(additional comments inline)
-Kyle H
On Thu, Dec 23, 2010 at 3:48 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
On Thu, Dec 23, 2010 at 5:56 PM, <aerow...@gmail.com> wrote:
OPENSSL_FIPS=1 causes openssl to invoke FIPS_mode_set(1). Once that occurs, MD5 is a prohibited algorithm unless it's explicitly limited to the TLSv1 PRF (and that only because SHA is also used). If an MD5 operation completes successfully, it's not a FIPS canister that's running the cryptography. In other words: If it's FIPS, it will refuse to do it. If it doesn't refuse to do it, it's not FIPS.
Ok. Suppose you download or purchase a component from a company that claims to offer FIPS validated implementation using OpenSSL sources. I'm not clear how "OPENSSL_FIPS=1" verifies the claim of FIPS validation on the binaries.
It doesn't do it if you can't use bin/openssl itself. That makes my suggestion a bit less than useful in your scenario.
Looking at it pragmatically: as a client, one can either base the decision on declaration or on demonstrable, observable, and well-defined behavior.
A better perspective might be to look at it from a practical standpoint in the context of acceptance testing and quality assurance.
Perhaps the process should require presenting fipscanister.o and compiler/version statement in addition to the resulting binary.
as well as the signature of the person who performed the build, certifying that it was done in accordance with the security policy. Government is very big on personal responsibility.
If a company claims a FIPS validated module, I can always compile the canister using GCC X.Y.Z (or whatever compiler) and reproduce the object file, and then search for the bits in the resulting binary. The final test would simply be a breakpoint on FIPS_mode_set under GDB to ensure the function was called.
Or, you can accept the documentation provided (including said signature and certification), and use that as a legal defense if it ever comes up? (Yes, I agree that this option sucks -- but it's a paper trail and a valid CYA, if you don't have the time or the tools to run any verification of acceptability.)
Jeff
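An added sketch of the "search for the bits" check discussed in this message; it is not code from the thread or from the OpenSSL project. It cuts a reference blob (for example the code bytes of a rebuilt fipscanister.o) into fixed windows and reports how many appear in the target at one consistent offset, so bytes changed at link time cost only the windows they touch. Assumptions: the `coverage` and `constructed_sample` names, the 64-byte window, and the sample bytes are all constructed for illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Optional

WINDOW = 64  # assumed window size; smaller windows lose less to each patched site


@dataclass
class Coverage:
    windows: int          # windows cut from the reference blob
    found: int            # windows present anywhere in the target
    aligned: int          # windows present at one consistent offset
    base: Optional[int]   # target offset where the reference copy starts

    @property
    def ratio(self) -> float:
        return self.aligned / self.windows if self.windows else 0.0


def coverage(reference: bytes, target: bytes, window: int = WINDOW) -> Coverage:
    chunks = [(off, reference[off:off + window])
              for off in range(0, len(reference) - window + 1, window)]
    first = [(off, target.find(chunk)) for off, chunk in chunks]
    deltas = Counter(pos - off for off, pos in first if pos != -1)
    if not deltas:
        return Coverage(len(chunks), 0, 0, None)
    # A real embedded copy keeps one constant delta; stray matches do not.
    base = deltas.most_common(1)[0][0]
    aligned = sum(1 for off, chunk in chunks
                  if off + base >= 0
                  and target[off + base:off + base + window] == chunk)
    return Coverage(len(chunks), sum(deltas.values()), aligned, base)


def constructed_sample():
    """Constructed data: a 1024-byte 'object' and a 'binary' embedding it."""
    ref = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    body = bytearray(ref)
    for i in range(130, 134):      # flip 4 bytes, as a link-time fixup would
        body[i] ^= 0xFF
    return ref, b"\x7fELF" + bytes(252) + bytes(body) + b"trailer"


if __name__ == "__main__":
    ref, binary = constructed_sample()
    print(coverage(ref, binary))
```

A high aligned ratio shows the reference bytes are present in the file; it says nothing about whether FIPS_mode_set is ever called, which is the separate runtime check mentioned above.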