Re: [openssl-users] Changing malloc/debug stuff

2015-12-18 Thread Nico Williams
On Thu, Dec 17, 2015 at 09:28:28AM +, Salz, Rich wrote:
> I want to change the memory alloc/debug things.
> 
> Right now there are several undocumented functions to allow you to
> swap-out the malloc/realloc/free routines, wrappers that call those
> routines, debug versions of those wrappers, and functions to set the
> set-options versions of those functions.  Yes, really :)  Is anyone
> using that stuff?

This is another one of those things that isn't easy to deal with sanely
the way OpenSSL is actually used (i.e., by other libraries as well as by
apps).

> I want to change the model so that there are three wrappers around
> malloc/realloc/free, and that the only thing you can do is change that
> wrapper.  This is vastly simpler and easier to understand.  I also
> documented it.  A version can be found at
> https://github.com/openssl/openssl/pull/450

This seems much more sane.

Nico
-- 
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Segfault in libcrypto.so

2015-12-18 Thread Ken Goldman

On 12/18/2015 1:00 AM, Alex william wrote:
> I receive this error message:
> segfault at efe000 ip 7ffb571e479c sp 7ffced00dcf0 error 4 in
> libcrypto.so.1.0.0[7ffb57166000+1cb000]
> And the collector stops immediately.
>
> Has anyone encountered this error or can someone help please?


In my experience, when a working program begins to segfault, it's 
usually that it was built with one version of openssl but is linking 
with a different version.


You may even have two versions of openssl installed.

Try cleaning up your openssl install as needed, and then rebuilding the 
program.
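
When checking for the kind of library mismatch described above, it helps to know what the kernel's segfault line actually says. The following is an added example, not part of the original message: it parses the line quoted in this thread, decodes the x86 page-fault error code, and computes where the faulting instruction sits inside the reported libcrypto mapping. The function names are hypothetical.

```python
import re

# Kernel segfault line as quoted in the thread, joined onto one line.
SAMPLE = ("segfault at efe000 ip 7ffb571e479c sp 7ffced00dcf0 error 4 in "
          "libcrypto.so.1.0.0[7ffb57166000+1cb000]")

# All numeric fields, including the error code, are printed in hex.
LINE_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) in "
    r"(?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }


def parse_segfault(line):
    """Return the faulting object, fault address, offset and fault type."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line")
    f = {k: int(m[k], 16) for k in ("addr", "ip", "sp", "err", "base", "size")}
    # Offset of the faulting instruction from the start of the mapping
    # the kernel reported (base is the mapping start, size its length).
    offset = f["ip"] - f["base"]
    if not 0 <= offset < f["size"]:
        raise ValueError("ip lies outside the reported mapping")
    return {
        "object": m["obj"],
        "fault_addr": f["addr"],
        "offset": offset,
        **decode_error(f["err"]),
    }


if __name__ == "__main__":
    info = parse_segfault(SAMPLE)
    print({k: hex(v) if isinstance(v, int) else v for k, v in info.items()})
```

The resulting offset can be compared against the symbols of each installed libcrypto to see which copy the process had loaded when it faulted.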




Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Is there any current solution to have RSA 186-4 in OpenSSL FIPS (now, even if
this means an upgrade ?)

Thanks.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/RSA-and-FIPS-186-4-in-OpenSSL-1-0-1e-fips-2-0-9-tp61753p61769.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Salz, Rich
> What would then be the permitting conditions to pursue a new validation ?
> If you don't mind me asking.  I have read several notes you have on the
> subject and I agree that the whole thing is of Dedalus proportions.  In a
> nutshell what would be these conditions ?

In a nutshell: someone willing to spend the money (low six figures) without 
adding requirements that violate the spirit of our open source philosophy, and 
while knowing that the project might fail for non-technical reasons.





Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Sorry, I forgot: What about the code itself, if we do not mind the validation
?  Is the 185-4 RSA compatible code present in any OpenSSL/FIPS module ?






Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
What would then be the permitting conditions to pursue a new validation ?  If
you don't mind me asking.  I have read several notes you have on the subject
and I agree that the whole thing is of Dedalus proportions.  In a nutshell
what would be these conditions ?

Thanks, much appreciated.





Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
On 12/18/2015 11:03 AM, jonetsu wrote:
> Is there any current solution to have RSA 186-4 in OpenSSL FIPS (now, even if
> this means an upgrade ?)

We aren't allowed to update existing validations to include that type of
"cryptographically significant" change, just like we aren't allowed to
fix vulnerabilities (e.g. Lucky 13).

So no.

We will address all new FIPS 140-2 requirements, and known
vulnerabilities, and support of OpenSSL 1.1, if and when we're in a
position to pursue a new open source based validation to succeed the
current #1747/#2398/#2473.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-users] OpenSSL FIPS Object Module 2.011 approved

2015-12-18 Thread Steve Marquess
The 2.0.11 revision of the OpenSSL FIPS Object Module v2.0 has been
approved:

  http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398

Note that this is the same module as for the #1747 and #2374
validations; the proliferation of validation numbers is due to the
"hostage" situation[1].

The 2.0.11 revision introduces support for eleven new platforms. It will
build and execute correctly for any platforms supported by the 2.0.10 or
earlier revisions of that module, for either the #1747 or #2473
validations, but a module built from the 2.0.11 tarball will not be
righteous for any platform not listed in the #2398 validation. Even
though that module will be functionally identical; yes that's confusing
as we now have multiple flavors of magical pixie dust.

So the rule of thumb is use the 2.0.11 tarball only for the platforms
listed with the #2398 validation, even though it will work for any of
the platforms included with any of the validations. Use the 2.0.10
tarball for everything else.

Note this latest validation update does not address the "X9.31 RNG
transition"; that paperwork is pending at the test lab for the OpenSSL
FIPS module and its three validations (#1747, #2398, #2473).

-Steve M.

[1] For masochists only: http://openssl.com/fips/aftermath.html



Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
On 12/18/2015 01:10 PM, Salz, Rich wrote:
>> What would then be the permitting conditions to pursue a new
>> validation ? If you don't mind me asking.  I have read several
>> notes you have on the subject and I agree that the whole thing is
>> of Dedalus proportions.  In a nutshell what would be these
>> conditions ?
> 
> In a nutshell: someone willing to spend the money (low six figures)
> without adding requirements that violate the spirit of our open
> source philosophy, and while knowing that the project might fail for
> non-technical reasons.

I'll also note that each of the previous five open source based
validations had one or more U.S. government sponsors with an interest in
a successful outcome. I believe that interest, expressed and exercised
in ways I was not fully privy to, was the key element in those
successful outcomes.

We will undertake another tilt at the windmill with the prerequisites
Rich noted above, but I think a successful outcome for the sixth
such validation will also require the engagement of politically adept
stakeholders.

-Steve M.



Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread jonetsu
Fair enough (in this context).  But what about the code itself, is it ready
to be RSA 186-4 compliant ?

And, if we go through a validation, can OpenSSL benefit from it ?







Re: [openssl-users] RSA and FIPS 186-4 in OpenSSL 1.0.1e/fips-2.0.9

2015-12-18 Thread Steve Marquess
On 12/18/2015 12:58 PM, jonetsu wrote:
> Fair enough (in this context).  But what about the code itself, is it ready
> to be RSA 186-4 compliant ?

We think we know how to write the code that would be necessary, for FIPS
186-4 and all the other new requirements, though you can never be sure
until *your* specific module has been formally validated. Given the
capriciousness of the FIPS 140-2 validation process, which I've
commented on frequently, the fact that someone else did something in
*their* validation doesn't necessarily mean a lot for *your* validation.

But, without an open source based validation in which such code would
have any general utility, we see no point in writing FIPS specific code.
We're not in the business of doing speculative software development.

> 
> And, if we go through a validation, can OpenSSL benefit from it ?

By "we" do you mean some sort of proprietary commercial validation?
Those don't contribute at all to the availability of a no-cost open
source validated module; code is worthless (even "open source" code) for
the purposes of satisfying the USG/DoD FIPS 140-2 procurement
requirements if it hasn't been sprinkled with the magical pixie dust of
FIPS 140-2 validation.

Writing the code isn't trivial, but that has never been the hard part...

-Steve M.



Re: [openssl-users] Segfault in libcrypto.so

2015-12-18 Thread Kyle Hamilton
I think you would probably do better to contact support for wanguard
than for openssl.  Possible issues could involve ABI incompatibility or
library selection incompatibility; since there's no way for us to know
how wanguard is structured (we can't track every product that uses
openssl), they're more familiar with its error modes and how to work
through them.

-Kyle H

On 12/17/2015 10:00 PM, Alex william wrote:
> Hello,
>
> I have been trying to install a product named wanguard and each time
> I am starting a collector I receive this error message:
> segfault at efe000 ip 7ffb571e479c sp 7ffced00dcf0 error 4 in
> libcrypto.so.1.0.0[7ffb57166000+1cb000]
> And the collector stops immediately.
>
> Has anyone encountered this error or can someone help please?
>
> Thanks.
>
> Regards,
> Alex
