Feature #6946

FIPS support?

Added by Vit Ondruch over 1 year ago. Updated 3 months ago.

[ruby-core:47345]
Status:Assigned
Priority:Normal
Assignee:Martin Bosslet
Category:ext
Target version:next minor

Description

=begin
Hi, running the test suite on FIPS enabled system using

$ find test/ -type f -name test_*.rb -exec make test-all TESTS="-v '{}'" \;

command with patch from #6938 applied, it gives me a plenty of errors (see attached output.txt file). There are two kind of errors as far as I understand, some are more or less test suite errors (e.g. #6938), which should be easy to fix, while some others (e.g. #6943) would need bigger changes.

Is there any chance that Ruby will provide better support for FIPS and there errors get fixed?
=end

output.txt Magnifier (114 KB) Vit Ondruch, 08/28/2012 09:31 PM

output-r36887.txt Magnifier (48.6 KB) Vit Ondruch, 09/04/2012 04:29 PM

output-r38509.txt Magnifier (44.3 KB) Vit Ondruch, 12/22/2012 01:44 AM

output-200p353.txt Magnifier - Ruby 2.0.0-p353 (39.5 KB) Vit Ondruch, 01/30/2014 12:29 PM

output-210p0.txt Magnifier - Ruby 2.1.0-o0 (473 KB) Vit Ondruch, 01/30/2014 03:11 PM


Related issues

Related to ruby-trunk - Bug #6938: [PATCH] Increase DH key size to fix test suite in FIPS mode Closed 08/28/2012
Related to ruby-trunk - Feature #6943: pstore in FIPS mode Assigned 08/28/2012

Associated revisions

Revision 36884
Added by emboss over 1 year ago

  • ext/openssl/extconf.rb: Detect OpenSSLFIPS macro
    ext/openssl/ossl.c: Expose OpenSSL::OPENSSL
    FIPS constant to
    indicate whether OpenSSL runs in FIPS mode.
    test/openssl/testpkeydh.rb: Generate 256 bit keys for
    non-FIPS installations to improve test performance (e.g. for
    rubyci).
    test/openssl/utils.rb: Replace DSS1 as certificate signature
    digest with SHA1 for FIPS installations when using DSA by
    introducing TestUtils::DSASIGNATUREDIGEST.
    test/openssl/testx509cert.rb:
    test/openssl/test
    x509crl.rb:
    test/openssl/testx509req.rb: Use DSASIGNATUREDIGEST
    NEWS: Introduce OpenSSL::OPENSSL
    FIPS

    These changes allow running the OpenSSL tests in FIPS mode
    while keeping a high performance for non-FIPS installations.
    Introduction of OpenSSL::OPENSSL_FIPS allows for applications
    to react to special requirements when using OpenSSL in FIPS mode.
    [Feature #6946]

  • Diese und die folgenden Zeilen werden ignoriert --

M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/testx509crl.rb
M test/openssl/test
x509req.rb
M test/openssl/testx509cert.rb
M test/openssl/test
pkey_dh.rb

Revision 36893
Added by emboss over 1 year ago

  • Reference feature #6946 in Changelog entry.

Revision 38480
Added by emboss over 1 year ago

  • ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS mode manually.
  • test/openssl/utils.rb: turn off FIPS mode for tests. This prevents OpenSSL installations with FIPS mode enabled by default from raising FIPS-related errors during the tests.
  • test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL installations. [Feature #6946]

Revision 38491
Added by emboss over 1 year ago

  • ext/openssl/ossl.c: do not use FIPSmodeset if not available.
  • test/openssl/utils.rb: revise comment about setting FIPS mode to false.
  • test/openssl/test_fips.rb: remove tests that cause errors on ruby-ci. [Feature #6946]

History

#1 Updated by Martin Bosslet over 1 year ago

  • Category set to ext
  • Assignee set to Martin Bosslet
  • Target version set to 2.0.0

Sure, I'll look into it while applying your patch from #6938!

#2 Updated by Martin Bosslet over 1 year ago

  • Status changed from Open to Assigned

#3 Updated by Martin Bosslet over 1 year ago

I believe the proper way to handle differences in FIPS mode is to expose a handle that
allows to detect whether we are running in FIPS mode or not. That way we can configure
appropriate algorithms and key sizes in the tests. This should make it possible to run
tests quickly when not using FIPS (as needed by rubyci) while still offering better
support for running the tests in FIPS mode. Working on that now.

#4 Updated by Vit Ondruch over 1 year ago

Sounds reasonable. Thank you!

#5 Updated by Anonymous over 1 year ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36884.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/extconf.rb: Detect OpenSSLFIPS macro
    ext/openssl/ossl.c: Expose OpenSSL::OPENSSL
    FIPS constant to
    indicate whether OpenSSL runs in FIPS mode.
    test/openssl/testpkeydh.rb: Generate 256 bit keys for
    non-FIPS installations to improve test performance (e.g. for
    rubyci).
    test/openssl/utils.rb: Replace DSS1 as certificate signature
    digest with SHA1 for FIPS installations when using DSA by
    introducing TestUtils::DSASIGNATUREDIGEST.
    test/openssl/testx509cert.rb:
    test/openssl/test
    x509crl.rb:
    test/openssl/testx509req.rb: Use DSASIGNATUREDIGEST
    NEWS: Introduce OpenSSL::OPENSSL
    FIPS

    These changes allow running the OpenSSL tests in FIPS mode
    while keeping a high performance for non-FIPS installations.
    Introduction of OpenSSL::OPENSSL_FIPS allows for applications
    to react to special requirements when using OpenSSL in FIPS mode.
    [Feature #6946]

  • Diese und die folgenden Zeilen werden ignoriert --

M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/testx509crl.rb
M test/openssl/test
x509req.rb
M test/openssl/testx509cert.rb
M test/openssl/test
pkey_dh.rb

#6 Updated by Martin Bosslet over 1 year ago

The applied changes now allow us to tweak algorithms/key lengths with respect to running in FIPS mode or not.

@Vit: Could you please confirm that this improves the situation with regard to OpenSSL tests? Could you provide me a list of the tests that still fail on your side? I'm using OpenSSL 1.0.1c and openssl-fips-2.0.1 on my side, but it let for example MD5 tests pass while it's not supposed to...

#7 Updated by Yui NARUSE over 1 year ago

  • Status changed from Closed to Assigned

#8 Updated by Anonymous over 1 year ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r36893.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • Reference feature #6946 in Changelog entry.

#9 Updated by Martin Bosslet over 1 year ago

What a mess. Versions prior to 1.0.0 (FIPS, too) require DSS1 as the digest to be used in conjunction with DSA. DSS1 is just SHA-1 under a different name. Now while non-FIPS >= 1.0.0 allows both DSS1 and SHA-1, the FIPS version suddenly forbids DSS1 and now requires SHA-1... o_O

#10 Updated by Vit Ondruch over 1 year ago

It is getting better, but there is still a lot of failing tests. Please see attached output-r36887.txt. Thank you.

#11 Updated by Martin Bosslet over 1 year ago

vo.x (Vit Ondruch) wrote:

It is getting better, but there is still a lot of failing tests. Please see attached output-r36887.txt. Thank you.

Thank you for the list! Something is totally wrong with the FIPS module I compiled. It happily accepts MD5. May I ask what combination (FIPS and regular OpenSSL) you used to get those results?

#12 Updated by Vit Ondruch over 1 year ago

This is my OpenSSL version:

rpm -q openssl-libs

openssl-libs-1.0.1c-1.el7.x86_64

However, I am unsure, what other information you need. There is no FIPS Kernel module to my knowledge (but my knowledge is limited :/ ).

#13 Updated by Martin Bosslet over 1 year ago

  • Status changed from Open to Assigned

vo.x (Vit Ondruch) wrote:

This is my OpenSSL version:

rpm -q openssl-libs

openssl-libs-1.0.1c-1.el7.x86_64

However, I am unsure, what other information you need. There is no FIPS Kernel module to my knowledge (but my knowledge is limited :/ ).

OK, I see. So at least you are using the same basic OpenSSL library version as I am. I need to investigate if something went wrong while building my FIPS module. Thanks!

#14 Updated by Koichi Sasada over 1 year ago

ping. status?

#15 Updated by Yusuke Endoh over 1 year ago

Martin Bosslet, what's the status?

Yusuke Endoh mame@tsg.ne.jp

#16 Updated by Yusuke Endoh over 1 year ago

  • Target version changed from 2.0.0 to next minor

#17 Updated by Martin Bosslet over 1 year ago

I'm sorry for not responding earlier. The problem is that I simply can't get a FIPS version of OpenSSL linked with Ruby OpenSSL to complete this task. I'm trying OpenSSL 1.0.1c and openssl-fips-2.0.2. I can compile my 1.0.1c using the FIPS canister, and I also verified that FIPS mode is working correctly.

The problem is now linking the Ruby OpenSSL extension against it. I'm supposed to include /usr/local/ssl/fips-2.0/bin/ in $PATH and then to compile using

make CC=fipsld FIPSLD_CC=gcc

On my 32 bit Linux machine this gives me a segfault during the linking phase and on my 64 bit machine I get:

linking shared-object openssl.so
/usr/bin/ld: /tmp/cc1Oph68.o: relocation RX8664_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/tmp/cc1Oph68.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [openssl.so] Error 1

I checked, both the FIPS canister as well as OpenSSL were compiled using -fPIC, and -fPIC is also part of the CFLAGS in the Makefile generated for the OpenSSL extension. Ruby itself was compiled using -fPIC, too. The OpenSSL C library was linked statically (libcrypto.a & libssl.a). gcc version is

gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

I'd appreciate any help, I'm really stuck here. Has anyone got an idea what I do wrong or has anyone had success in linking Ruby OpenSSL to a FIPS version of native OpenSSL?

#18 Updated by Anonymous over 1 year ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r38480.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS mode manually.
  • test/openssl/utils.rb: turn off FIPS mode for tests. This prevents OpenSSL installations with FIPS mode enabled by default from raising FIPS-related errors during the tests.
  • test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL installations. [Feature #6946]

#19 Updated by Martin Bosslet over 1 year ago

OK, finally got it working. I added OpenSSL.fipsmode= to enable/disable FIPS mode manually. The test suite now automatically disables FIPS mode when running the tests. This worked for my FIPS-enabled version of OpenSSL. I have also added a few tests that specifically assert some things that would be expected to fail in FIPS mode (testfips.rb).

@Vit: Could you please confirm that this works for you, too?

@mame: Sorry that I committed this to 2.0.0 even if you already assigned it for next minor. But I felt the approach to adding FIPS support so far was flawed (my mistake) and I wouldn't want a half-assed implementation see to make its way into 2.0.0 - I hope this is OK?

#20 Updated by Koichi Sasada over 1 year ago

Some CI servers fail with this modification.
http://rubyci.org/

and also on my development environment (Debian Squeeze) :)

$ make test-all
./ruby: symbol lookup error:
/mnt/sdb1/ruby/build/.ext/x8664-linux/openssl.so: undefined symbol:
FIPS
mode_set

Could you check it?

FYI:

$ LANG=C aptitude show openssl
Package: openssl
State: installed
Automatically installed: no
Version: 0.9.8o-4squeeze13
Priority: optional
Section: utils
Maintainer: Debian OpenSSL Team pkg-openssl-devel@lists.alioth.debian.org
Uncompressed Size: 2355 k
Depends: libc6 (>= 2.7), libssl0.9.8 (>= 0.9.8m-1), zlib1g (>= 1:1.1.4)
Suggests: ca-certificates
Conflicts: ssleay (< 0.9.2b)
Description: Secure Socket Layer (SSL) binary and related cryptographic tools
This package contains the openssl binary and related tools.

It is part of the OpenSSL implementation of SSL.

You need it to perform certain cryptographic actions like:
* Creation of RSA, DH and DSA key parameters;
* Creation of X.509 certificates, CSRs and CRLs;
* Calculation of message digests;
* Encryption and decryption with ciphers;
* SSL/TLS client and server tests;
* Handling of S/MIME signed or encrypted mail.

(2012/12/20 9:37), MartinBosslet (Martin Bosslet) wrote:

Issue #6946 has been updated by MartinBosslet (Martin Bosslet).

OK, finally got it working. I added OpenSSL.fipsmode= to enable/disable FIPS mode manually. The test suite now automatically disables FIPS mode when running the tests. This worked for my FIPS-enabled version of OpenSSL. I have also added a few tests that specifically assert some things that would be expected to fail in FIPS mode (testfips.rb).

@Vit: Could you please confirm that this works for you, too?

@mame: Sorry that I committed this to 2.0.0 even if you already assigned it for next minor. But I felt the approach to adding FIPS support so far was flawed (my mistake) and I wouldn't want a half-assed implementation see to make its way into 2.0.0 - I hope this is OK?

Feature #6946: FIPS support?
https://bugs.ruby-lang.org/issues/6946#change-34880

Author: vo.x (Vit Ondruch)
Status: Closed
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: next minor

=begin
Hi, running the test suite on FIPS enabled system using

$ find test/ -type f -name test_*.rb -exec make test-all TESTS="-v '{}'" \;

command with patch from #6938 applied, it gives me a plenty of errors (see attached output.txt file). There are two kind of errors as far as I understand, some are more or less test suite errors (e.g. #6938), which should be easy to fix, while some others (e.g. #6943) would need bigger changes.

Is there any chance that Ruby will provide better support for FIPS and there errors get fixed?
=end

--
// SASADA Koichi at atdot dot net

#21 Updated by Martin Bosslet over 1 year ago

@ko1: It should work with OpenSSL versions that have no "FIPSmodeset" now, too. I removed the FIPS-related tests that caused errors on ruby-ci as well!

#22 Updated by Koichi Sasada over 1 year ago

After that, I got the following error.

make[2]: Entering directory `/mnt/sdb1/ruby/build/ext/openssl'
compiling ../../../trunk/ext/openssl/osslx509attr.c
compiling ../../../trunk/ext/openssl/ossl.c
compiling ../../../trunk/ext/openssl/ossl
pkeydh.c
compiling ../../../trunk/ext/openssl/ossl
x509req.c
compiling ../../../trunk/ext/openssl/osslcipher.c
../../../trunk/ext/openssl/ossl
cipher.c: In function 'osslgetgcmauthtag':
../../../trunk/ext/openssl/osslcipher.c:536: error: 'EVPCTRLGCMGETTAG' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c:536: error: (Each undeclared identifier is reported only once
../../../trunk/ext/openssl/osslcipher.c:536: error: for each function it appears in.)
../../../trunk/ext/openssl/ossl
cipher.c: In function 'osslciphergetauthtag':
../../../trunk/ext/openssl/osslcipher.c:574: error: 'NIDaes128gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/osslcipher.c:574: error: 'NIDaes192gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/osslcipher.c:574: error: 'NIDaes256gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/osslcipher.c: In function 'osslsetgcmauthtag':
../../../trunk/ext/openssl/ossl
cipher.c:585: error: 'EVPCTRLGCMSETTAG' undeclared (first use in this function)
../../../trunk/ext/openssl/osslcipher.c: In function 'osslciphersetauthtag':
../../../trunk/ext/openssl/ossl
cipher.c:616: error: 'NIDaes128gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c:616: error: 'NIDaes192gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c:616: error: 'NIDaes256gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c: In function 'osslcipherisauthenticated':
../../../trunk/ext/openssl/ossl
cipher.c:641: error: 'NIDaes128gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c:641: error: 'NIDaes192gcm' undeclared (first use in this function)
../../../trunk/ext/openssl/ossl
cipher.c:641: error: 'NIDaes256gcm' undeclared (first use in this function)
make[2]: *** [ossl
cipher.o] Error 1

Do you need other information?

(2012/12/20 16:03), MartinBosslet (Martin Bosslet) wrote:

Issue #6946 has been updated by MartinBosslet (Martin Bosslet).

@ko1: It should work with OpenSSL versions that have no "FIPSmodeset" now, too. I removed the FIPS-related tests that caused errors on ruby-ci as well!

Feature #6946: FIPS support?
https://bugs.ruby-lang.org/issues/6946#change-34888

Author: vo.x (Vit Ondruch)
Status: Closed
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext
Target version: next minor

=begin
Hi, running the test suite on FIPS enabled system using

$ find test/ -type f -name test_*.rb -exec make test-all TESTS="-v '{}'" \;

command with patch from #6938 applied, it gives me a plenty of errors (see attached output.txt file). There are two kind of errors as far as I understand, some are more or less test suite errors (e.g. #6938), which should be easy to fix, while some others (e.g. #6943) would need bigger changes.

Is there any chance that Ruby will provide better support for FIPS and there errors get fixed?
=end

--
// SASADA Koichi at atdot dot net

#23 Updated by Koichi Sasada over 1 year ago

(2012/12/20 16:14), SASADA Koichi wrote:

After that, I got the following error.

This issue was introduced at r38488 ?

--
// SASADA Koichi at atdot dot net

#24 Updated by Martin Bosslet over 1 year ago

2012/12/20 SASADA Koichi ko1@atdot.net

After that, I got the following error.

...

make[2]: *** [ossl_cipher.o] Error 1

Do you need other information?

No, I forgot to #ifdef... sorry! Fixing...

-Martin

#25 Updated by Usaku NAKAMURA over 1 year ago

Hello,

In message " Re: [ruby-trunk - Feature #6946] FIPS support?"
on Dec.20,2012 16:32:23, martin.bosslet@gmail.com wrote:

No, I forgot to #ifdef... sorry! Fixing...

here is a patch.

Index: ext/openssl/osslcipher.c
===================================================================
--- ext/openssl/ossl
cipher.c (revision 38491)
+++ ext/openssl/osslcipher.c (working copy)
@@ -482,6 +482,7 @@ ossl
ciphersetiv(VALUE self, VALUE iv)
return iv;
}

+#ifdef EVPCTRLGCMGETTAG
/*
* call-seq:
* cipher.authdata = string -> string
@@ -644,6 +645,12 @@ ossl
cipherisauthenticated(VALUE self)
return Qfalse;
}
}
+#else /* EVPCTRLGCMGETTAG /
+# define osslciphersetauthdata rbfnotimplement
+# define osslciphersetauthtag rbfnotimplement
+# define osslciphergetauthtag rbfnotimplement
+# define osslcipherisauthenticated rbf_notimplement
+#endif /
EVPCTRLGCMGETTAG */

/*
* call-seq:

Regards,
--
U.Nakamura usa@garbagecollect.jp

#26 Updated by Martin Bosslet over 1 year ago

Thanks, I fixed it already - I used roughly the same approach as usa :)

2012/12/20 U.Nakamura usa@garbagecollect.jp

Hello,

In message " Re: [ruby-trunk - Feature #6946] FIPS
support?"
on Dec.20,2012 16:32:23, martin.bosslet@gmail.com wrote:

No, I forgot to #ifdef... sorry! Fixing...

here is a patch.

Index: ext/openssl/ossl_cipher.c

--- ext/openssl/osslcipher.c (revision 38491)
+++ ext/openssl/ossl
cipher.c (working copy)
@@ -482,6 +482,7 @@ osslcipherset_iv(VALUE self, VALUE iv)
return iv;
}

+#ifdef EVPCTRLGCMGETTAG
/*
* call-seq:
* cipher.authdata = string -> string
@@ -644,6 +645,12 @@ ossl
cipherisauthenticated(VALUE self)
return Qfalse;
}
}
+#else /* EVPCTRLGCMGETTAG /
+# define osslciphersetauthdata rbfnotimplement
+# define osslciphersetauthtag rbfnotimplement
+# define osslciphergetauthtag rbfnotimplement
+# define osslcipherisauthenticated rbf_notimplement
+#endif /
EVPCTRLGCMGETTAG */

/*
* call-seq:

Regards,

U.Nakamura usa@garbagecollect.jp

#27 Updated by Koichi Sasada over 1 year ago

(2012/12/20 16:45), Martin Boßlet wrote:

Thanks, I fixed it already - I used roughly the same approach as usa :)

Thank you! Now, it works!

--
// SASADA Koichi at atdot dot net

#28 Updated by Vit Ondruch over 1 year ago

MartinBosslet (Martin Bosslet) wrote:

@Vit: Could you please confirm that this works for you, too?

Marting, thank you for your effort. I'll look into it ASAP. Unfortunately I am not sure if I will be able to check it before the end of the year, but I'll try to do my best.

#29 Updated by Martin Bosslet over 1 year ago

vo.x (Vit Ondruch) wrote:

Marting, thank you for your effort. I'll look into it ASAP. Unfortunately I am not sure if I will be able to check it before the end of the year, but I'll try to do my best.

You're welcome! And - no problem. It would be nice if you can confirm that disabling FIPS mode manually does the trick, but no hurry! Happy Holidays!

#30 Updated by Martin Bosslet over 1 year ago

@ko1, @usa: Sorry guys, for breaking the build! But rubyci seems to be free of OpenSSL-related pain again ;)

#31 Updated by Vit Ondruch over 1 year ago

MartinBosslet (Martin Bosslet) wrote:

@Vit: Could you please confirm that this works for you, too?

Martin, there are good news and bad news. The good news is that there is no core dump anymore! That is definitely major improvement. However, there is still plenty of test suite errors, some of them newly introduced. Do you think it is possible to eliminate them?

There is plenty plenty of "Failed to generate key: key size too small" and "key too short" errors for example, which should be pretty easy to solve IMO.

Anyway, I appreciate your effort.

#32 Updated by Vit Ondruch 3 months ago

I am back with FIPS tests. I am testing "ruby 2.0.0p353 (2013-11-22) [x86_64-linux]" on RHEL7 and there are still some issue. However the overall state is now much better then my initial report. Thank you, especially Martin, for the effort.

I'll try to test Ruby 2.1 as well, when I get chance.

#33 Updated by Vit Ondruch 3 months ago

Seems that Ruby 2.1.0 has some regression. Especially RubyGems throws for each test case "/lib/rubygems/test_case.rb:1329:in `initialize': Neither PUB key nor PRIV key: nested asn1 error (OpenSSL::PKey::RSAError)" error.

Also available in: Atom PDF