Re: Assertion failure (FIPS mode with wpa_supplicant)

2009-08-16 Thread Jouni Malinen
On Thu, Jul 23, 2009 at 12:27:56PM -0500, Michael Kurecka wrote: > I have no problem what I have so far. It is a stripped down version with > openssl FIPS. Where shall I send it? If you are willing to license the wpa_supplicant/hostapd changes under the license used in the project, please send a

Re: Assertion failure

2009-07-27 Thread Michael Kurecka
That seemed to work using export LD_LIBRARY_PATH=/usr/local/ssl/fips/lib I'm not getting the assertion failure but I am now getting a segmentation fault "in memcpy () from /lib/libc.so.6" which I need to look into. Back to my previous question of -- Is my script wrong or am I doing something wrong

Re: Assertion failure

2009-07-27 Thread Dr. Stephen Henson
On Mon, Jul 27, 2009, Michael Kurecka wrote: > I tried > > export LD_LIBRARY_PATH=/usr/local/ssl/fips > and > export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin > and > export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0 > You need to set that to a directory that contains libssl.so.0.9.8 that is FIPS ca

Re: Assertion failure

2009-07-27 Thread Michael Kurecka
I tried export LD_LIBRARY_PATH=/usr/local/ssl/fips and export LD_LIBRARY_PATH=/usr/local/ssl/fips/bin and export LD_LIBRARY_PATH=/usr/local/ssl/fips-1.0 and all three failed to avert the assertion failure. How can I be assured that the FIPS library is being run? Self-tests seem to run and pass wh

Re: Assertion failure

2009-07-24 Thread Dr. Stephen Henson
On Fri, Jul 24, 2009, Michael Kurecka wrote: > I did not see anything which I assume means I am using the standard > libssl. How do I correct this? Well it is part of the link process when you build the application. It needs to link and use the version of libssl in the 0.9.8k distribution and not

Re: Assertion failure

2009-07-24 Thread Michael Kurecka
I did not see anything which I assume means I am using the standard libssl. How do I correct this? __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users

Re: Assertion failure

2009-07-24 Thread Dr. Stephen Henson
On Fri, Jul 24, 2009, Michael Kurecka wrote: > I finally succeeded in adding debug to openssl, but it doesn't seem to > be working completely. I was able to set the breakpoint at the point > you mentioned Dr. Henson but I'm not sure how that will tell me what > is being called. I am not able to br

Re: Assertion failure

2009-07-24 Thread Michael Kurecka
I finally succeeded in adding debug to openssl, but it doesn't seem to be working completely. I was able to set the breakpoint at the point you mentioned Dr. Henson but I'm not sure how that will tell me what is being called. I am not able to break on ssl3_init_finished_mac, ssl3_connect or SSL_con

Re: Assertion failure

2009-07-24 Thread Dr. Stephen Henson
On Fri, Jul 24, 2009, Michael Kurecka wrote: > Failed again with a different error: > Erk, OK. I'd suggest starting with linux-generic32 and deleting -fomit-frame-pointer and -O3 from Makefile and adding -g Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support

Re: Assertion failure

2009-07-24 Thread Dr. Stephen Henson
On Fri, Jul 24, 2009, Michael Kurecka wrote: > Dr. Henson, > I tried the change for MD5 you mentioned of using the EVP interface, > but it isn't working as I am getting the forbidden algorithm error. Below > is the new code. The init is passing but it is failing on the update. I > noticed t

Re: Assertion failure

2009-07-24 Thread Michael Kurecka
Dr. Henson, I tried the change for MD5 you mentioned of using the EVP interface, but it isn't working as I am getting the forbidden algorithm error. Below is the new code. The init is passing but it is failing on the update. I noticed that the flag is cleared after the init so I set the EVP_

Re: Assertion failure

2009-07-24 Thread Michael Kurecka
Failed again with a different error: make[1]: Entering directory `/usr/src/openssl/crypto' ( echo "#ifndef MK1MF_BUILD"; \ echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \ echo ' #define CFLAGS "gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > > Dr. Henson: > > I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you > mentioned and that worked OK but I got the following error when I ran make. > Argh... don't have a debug configuration for that platform. Try deleting the

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Jouni, I have no problem what I have so far. It is a stripped down version with openssl FIPS. Where shall I send it? Dr. Henson: I did the ./Configure debug-linux-elf-noefence fipscanisterbuild as you mentioned and that worked OK but I got the following error when I ran make. #make if [ -n "l

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > Just to be clear > > my current config is: > ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory) > make > ./config fips (in the 0.9.8k directory) > make > > I attempted: > ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory) >

Re: Assertion failure

2009-07-23 Thread Jouni Malinen
On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote: > Yes in FIPS mode non-compliant ciphersuites are disabled and so should never > be seen. If there is some way to use them which is triggering this in > unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which >

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Just to be clear my current config is: ./config fipscanisterbuild no-asm (in the FIPS 1.2 directory) make ./config fips (in the 0.9.8k directory) make I attempted: ./config -d fipscanisterbuild no-asm (in the FIPS 1.2 directory) make ./config -d fips (in the 0.9.8k directory) make but it said th

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > > Dr. Steve: > > How do I enable debug? I want to make sure I have it set right as it takes a > while to rebuild. I'd recommend using OpenSSL 0.9.8k throughout for that you should be able to use: ./config -d fipscanisterbuild BLOODY BIG SODDING E

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Thu, Jul 23, 2009, Michael Kurecka wrote: > Dr Henson wrote: > > >No that won't bypass the MD5 check. You can use EVP and set the flag > >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that... > > I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I > can't find the EVP_

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
Dr Henson wrote: >No that won't bypass the MD5 check. You can use EVP and set the flag >EVP_MD_CTX_NON_FIPS_ALLOW if you really want to do that... I do need to bypass MD5 because MD5 for RADIUS is FIPS compliant, but I can't find the EVP_MD_CTX_NON_FIPS_ALLOW flag anywhere. Where is the flag and h

RE: Assertion failure

2009-07-23 Thread Will Bickford
If you look at the Configure script you will see different debug options that the developers have set up. Search the Configure file for lines with 'debug-' in them. You can adjust the Configure script to set up your own as well, just follow the pattern. There are quite a few different configs avai

RE: Assertion failure

2009-07-23 Thread Will Bickford
Dr. Steve: How do I enable debug? I want to make sure I have it set right as it takes a while to rebuild.

Re: Assertion failure

2009-07-23 Thread Michael Kurecka
David Schwartz wrote: >Most likely, you're getting a connection from a non-FIPS endpoint that's >forcing you to use a protocol that's not FIPS compliant. I'm not sure why >you're seeing what you're seeing though -- it should just have reported that >it was unable to negotiate compatible protocols

Re: Assertion failure

2009-07-23 Thread Dr. Stephen Henson
On Wed, Jul 22, 2009, David Schwartz wrote: > > Michael Kurecka wrote: > > > Thank you for your help that is definitely a point in the right > > direction; however, it leaves me more baffled. I found the only > > SSL_CTX_new function that is in the code and it is being passed > > the TLSv1_metho

RE: Assertion failure

2009-07-22 Thread David Schwartz
Michael Kurecka wrote: > Thank you for your help that is definitely a point in the right > direction; however, it leaves me more baffled. I found the only > SSL_CTX_new function that is in the code and it is being passed > the TLSv1_method not an SSLv*_method which is what it should be > accordin

Re: Assertion failure

2009-07-22 Thread Dr. Stephen Henson
On Fri, Jul 17, 2009, Michael Kurecka wrote: > I am trying to run wpa_supplicant in FIPS mode. The stack trace of the > failure is below. I'm assuming that an algorithm not supported by FIPS > is being used but I'm not sure which one since I thought I removed > them all. I replaced SHA-1 with > >

Re: Assertion failure

2009-07-22 Thread Michael Kurecka
> > > What determines which SSL version is used? Is it the CTX object, > > a configuration setting, etc.? I've tried tracing the code on > > the OpenSSL side but it has me baffled even with a stack trace > > I'm having trouble understanding its path. I would appreciate > > any help you can give on

RE: Assertion failure

2009-07-21 Thread David Schwartz
Michael Kurecka wrote: > Thank you David for your bluntness. Trust me, I'm aware of how > significant making wpa_supplicant FIPSable is. I've been working > on it for several months. Over the past few months I've been in > the process of removing non-compliant code, updating MD5 to SHA-1, > etc.

Re: Re: Assertion failure

2009-07-21 Thread Dr. Stephen Henson
On Tue, Jul 21, 2009, carlyo...@keycomm.co.uk wrote: > > TLS 1.0 DOES use MD5 and SHA-1 in combination, and - despite MD5 not being > allowed by the FIPS 140-2 standard - it is allowed in this case because the > combined 'strength' of the two, when used in unison, is not less than SHA-1 > itself.

Re: Re: Assertion failure

2009-07-21 Thread carlyoung
I'm not going to comment on David's assertions or anything about wpa_supplicants, but let's take a step back: SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS 140-2 when using FIPS-approved security functions (see the FIPS 140-2 implementation guide). TLS 1.0 is som

Re: Assertion failure

2009-07-21 Thread Michael Kurecka
Thank you David for your bluntness. Trust me, I'm aware of how significant making wpa_supplicant FIPSable is. I've been working on it for several months. Over the past few months I've been in the process of removing non-compliant code, updating MD5 to SHA-1, etc. I'm close for the AP side with host

RE: Assertion failure

2009-07-20 Thread David Schwartz
Michael Kurecka: > How do I disable SSLv3 so that I can use FIPS? Sorry to be blunt, but you don't. A FIPS wpa_supplicant is a significant task, you can't just flip a few switches and make one appear. DS

Re: Assertion failure

2009-07-20 Thread Michael Kurecka
How do I disable SSLv3 so that I can use FIPS? On Fri, Jul 17, 2009 at 4:22 PM, David Schwartz wrote: > > Michael Kurecka: > > > I am trying to run wpa_supplicant in FIPS mode. > > Why? > > > I don't think the MD5 function is even called > > MD5 is part of SSLv3. > > #6 0x4003e6b8 in ssl3_connec

RE: Assertion failure

2009-07-17 Thread David Schwartz
Michael Kurecka: > I am trying to run wpa_supplicant in FIPS mode. Why? > I don't think the MD5 function is even called MD5 is part of SSLv3. #6 0x4003e6b8 in ssl3_connect () from /usr/lib/libssl.so.0.9.8 #7 0x4004ebf4 in SSL_connect () from /usr/lib/libssl.so.0.9.8 #8 0x000526c0 in tls_conne