tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Tue, 18 Jun 2013 17:23:57 GMT

Steve,

On 6/18/13 12:58 PM, Steve Nickels wrote:
> Christopher Schultz wrote:
>>>> Do you think there are ways it could be improved? Better
>>>> error checking, etc.? I implemented it as simply as I
>>>> possibly could.
>>> 
>>> The biggest problem seems to be that something in Tomcat on
>>> Windows is interfering with OpenSSL's normal base address
>>> request (0xFB00000). Normally this doesn't matter, but with the
>>> FIPS build, if the base address of the library is moved from
>>> what it expects, the result is a fingerprint error when FIPS
>>> mode is enabled.
>> 
>> This could be a problem on *NIX as well -- any library may be
>> re-located by the loader for any reason.
> 
> It's possible this could be a problem on *NIX, but it's my 
> understanding that this error is pretty specific to Windows. The 
> documentation for OpenSSL FIPS says that the 
> FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED error code is a 
> "Microsoft Windows specific error".

Interesting. I'll have to read a bit more about that.

>>> I ran the openssl utility on the same system as Tomcat, and
>>> Process Explorer shows that its copy of libeay32.dll stays at
>>> the correct address. Additionally, I tested the FIPS-compatible
>>> libeay32.dll on a different server with Tomcat, and had the
>>> same problem. This seems to indicate that the memory address
>>> issue is specific to Tomcat, not the server.
>> 
>> Or running within a JVM which has a significant amount of native
>> code that gets loaded first, which may cause the loader to
>> re-locate the library when it finally gets loaded.
>> 
>> Any interest in trying some Java-based testing using
>> libtcnative?
> 
> I'm game, if you let me know what you'd like me to do. : )

All you should have to do is write a small Java program that calls
AprLifecycleListener.lifecycleEvent with an event of type
BEFORE_INIT_EVENT.

You'll of course have to call things like setFIPSMode(true), etc.

I wonder if you did that without the rest of Tomcat loaded if anything
would change. I would bet that it's more likely that the bulk of the
JVM is causing the re-location of the library than anything else.

Interesting thread:
http://comments.gmane.org/gmane.comp.encryption.openssl.devel/18309

Look at Andy Polyakov's comment from 18 Oct 2010 23:25 where he says:

"In order for this to work it is implied that compiler moves relocatable
data from .rdata segment. Unix compiler actually do that, but apparently
not Windows :-(."

It also looks like OpenSSL has updated their build scripts for Visual
Studio, but it's possible that the FIPS version predates that patch.

>>> I can't tell from Process Explorer why libeay32.dll is being
>>> rebased (I didn't see any other libraries under tomcat7.exe
>>> that were obviously taking up the same address space). I think
>>> it's going to take someone with more experience with both
>>> Windows and Tomcat than I to figure that one out. I suppose it
>>> might be worthy of a bug report, at least.
>> 
>> That would be good -- bug reports have more visibility than
>> mailing list posts, and it's a good place to collect information
>> all in one place.
> 
> I submitted bug 55113 for this.
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=55113)

I saw that, thanks.

>> I'm curious: what base address did you use when you changed it?
> 
> The one that worked for me was 0x6FB00000.

Did you just choose one randomly?

I wonder if you follow the suggestions from the aforementioned thread
for re-building everything with the /FIXED switch. That seems to have
fixed everyone's issues, but you have to be sure to build everything
very carefully or one component can still be relocatable. tcnative of
course does not care.

>> That's a good point. Could you log that in Bugzilla as well?
>> There are (brief) building instructions on
>> http://tomcat.apache.org/native-doc/ but they should probably
>> also be in the BUILDING file.
> 
> Submitted bug 55114 for this.
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=55114)

Cool. It's likely to be fixed in a different way (by including both
*NIX and Windows building instructions instead of including only the
Windows build instructions) but at least you won't have to go to the
web site when you have a perfectly good file already downloaded.

>>> If there's a good place to put a wiki page about this, let me
>>> know, and I can try to add something.
>> 
>> Really anywhere under http://wiki.apache.org/tomcat/FAQ would be
>> great. If I were looking for information about this, I'm not sure
>> where I'd look first. Perhaps under "Security"?
> 
> If I get a chance, I'll try and add something here.

Cool, thanks.

-chris
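The stand-alone test harness Chris describes above, written out as an added example (not code from the thread or from Tomcat itself). It assumes Tomcat 7's catalina.jar and tomcat-coyote.jar on the classpath and the tcnative library plus the FIPS-capable libeay32.dll reachable via -Djava.library.path; note that Tomcat 7's setter is setFIPSMode(String), so "on" is passed rather than a boolean.

```java
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.core.AprLifecycleListener;
import org.apache.catalina.core.StandardServer;

/**
 * Drives AprLifecycleListener exactly the way Tomcat's startup does, but
 * without the rest of Tomcat loaded, so the FIPS fingerprint check runs
 * with only the JVM's own native code mapped ahead of libeay32.dll.
 *
 * Run with: java -Djava.library.path=<dir with tcnative-1.dll and libeay32.dll> FipsProbe
 */
public class FipsProbe {
    public static void main(String[] args) {
        AprLifecycleListener listener = new AprLifecycleListener();
        // Request FIPS mode; "on" makes a failed FIPS_mode_set() fatal.
        listener.setFIPSMode("on");

        // The listener only reacts to BEFORE_INIT_EVENT. A StandardServer is
        // used purely as the event source; it is never initialised or started.
        LifecycleEvent event = new LifecycleEvent(new StandardServer(),
                Lifecycle.BEFORE_INIT_EVENT, null);
        try {
            listener.lifecycleEvent(event);
        } catch (Error e) {
            // Tomcat throws an Error when FIPS mode was requested but could
            // not be entered. A relocated libeay32.dll surfaces here as the
            // fingerprint error discussed in the thread.
            System.err.println("FIPS initialisation failed: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("APR/tcnative loaded: " + AprLifecycleListener.isAprAvailable());
        System.out.println("FIPS mode active:    " + AprLifecycleListener.isFIPSModeActive());
    }
}
```

Run it once with the stock libeay32.dll and once with the FIPS-capable one, and watch the library's load address in Process Explorer in each case to separate a JVM-caused rebase from a Tomcat-caused one.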
