d2i_RSAPrivateKey not working with compiler optimization 01

2021-11-08 Thread Jayalakshmi bhat
Hi All, We upgraded our device to use OpenSSL 1.1.1k from OpenSSL 1.0.2h. Device is on an ARM processor. Embedded web server comes to ready state with compiler optimization set to -O0. With value -O1 we are seeing issues in d2i_RSAPrivateKey. I wrote a sample test program as below. The test

Getting error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

2021-08-18 Thread Jayalakshmi bhat
Hi All, We are trying to integrate OpenSSL 1.1.1i on our device that runs on the ARM platform. Device boots to ready state with OpenSSL 1.1.1i. However when we try to access the device EWS, we are getting below error error:0B080074:x509 certificate routines:X509_check_private_key:key values

Compilation error using OpenSSL 1.1.1i

2021-06-30 Thread Jayalakshmi bhat
Hi All, We are trying to compile OpenSSL 1.1.1i on our system. It is a hybrid system. Compiler is arm -gcc for WinCE 6.0 and the module that compiles openssl is on Vxworks 5.0 abstraction. I am getting the below error. Does anyone have inputs. Any help would be appreciated.

Question on RSA engine and Key strength

2021-03-15 Thread Jayalakshmi bhat
Hi All, We are writing an RSA engine for OpenSSL library to handle certificates up to 4096 bytes strength. We do support certificates up to 8k. How do we make engine to handle certificates only up to 4K and others handled by OpenSSL itself. Any help, inputs are appreciated. Thanks and Regards,

Query on engine support in OpenSSL 1.0.2h

2021-03-08 Thread Jayalakshmi bhat
Hi All, We currently use OpenSSL 1.0.2h, we are in the process of upgrading to OpenSSL 1.1.1. To address some legacy functionalities we are planning to write engines for OpenSSL 1.0.2h offload crypto operation to external components. We have few queries regarding the same 1. Can we offload

Re: [openssl-users] Building FIP enabled OpenSSL fails in Yocto-ARM build

2018-05-03 Thread Jayalakshmi bhat
FIPS_signature Regards Jayalakshmi On Thu, May 3, 2018 at 7:39 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com > wrote: > Hi All, > > I am building FIPS supported OpenSSL in yocto for ARM architecture. I > tried using openssl-fips-2.0.13 and openssl-fips-2.0.4 > > > I

[openssl-users] Building FIP enabled OpenSSL fails in Yocto-ARM build

2018-05-03 Thread Jayalakshmi bhat
Hi All, I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried using openssl-fips-2.0.13 and openssl-fips-2.0.4 I am building FIPS externally with the below environmental settings

[openssl-users] How to make OpenSSL engine usage application specific?

2018-02-19 Thread Jayalakshmi bhat
Hello All, We have 2 RSA OpenSSL engines in our product. Both the engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming engines as 1. RSA smart card engine 2. RSA TPM engine Engine usage is application specific. There are couple of applications dependent on RSA

[openssl-users] AES-CTR-256 test suite for FIPS

2018-01-23 Thread Jayalakshmi bhat
Hi All, We are using DRBG using AES-CTR-256 in FIPS mode. I could find test suite/file that takes CAVP test request and generating the response for DRBG using AES-CTR-256. However I am not finding any test suite/file that validates AES-CTR 128/192/256 bits. Please can any one let me know while

Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-10 Thread Jayalakshmi bhat
Hi All, Thanks for the inputs, This gives me a good understanding on these ciphers usage. Thanks and Regards Jayalakshmi On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote: > On 07/12/2017 15:05, Michael Wojcik wrote: > >> From: openssl-users

Re: [openssl-users] [openssl-dev] A question DH parameter generation and usage

2017-12-06 Thread Jayalakshmi bhat
Hi Rich, Thanks for the reply. We are planning to use DHE_RSA based ciphers. Regards Jaya On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > You can re-use the keys, but then you get no forward secrecy, and sessions > generated with one

Re: [openssl-users] [openssl-dev] A question DH parameter generation and usage

2017-12-06 Thread Jayalakshmi bhat
Hi Michael, Thanks for very detailed answers. This will surely help me to investigate further. Regards Jaya On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik < michael.woj...@microfocus.com> wrote: > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf Of Salz, Rich via

Re: [openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-06 Thread Jayalakshmi bhat
to:openssl-users-boun...@openssl.org] On > Behalf Of Jayalakshmi bhat > > Sent: Wednesday, December 06, 2017 01:07 > > > Does it mean to use ECC ciphers from OpenSSL does the end user needs to > get the license from Citricom? > > Consult a lawyer. Opinions on this topic

Re: [openssl-users] A question DH parameter generation and usage

2017-12-06 Thread Jayalakshmi bhat
2/2017 07:02, Jayalakshmi bhat wrote: > >> Hi, >> >> We are planning to use DHE_RSA TLS ciphers into our product. I have few >> questions on using DH parameter. We would like to use DH-2048. >> >> our product includes both TLS client and server applications. Th

[openssl-users] ECC ciphers in OpenSSL and Citricom Patent/License terms

2017-12-05 Thread Jayalakshmi bhat
Hi, I have a question on ECC ciphers implementation in OpenSSL. I do see README.ECC file in FIPS certified OpenSSL crypto library. That says The OpenSSL Software Foundation has executed a sublicense agreement entitled "Elliptic Curve Cryptography Patent License Agreement" with the National

[openssl-users] A question DH parameter generation and usage

2017-12-05 Thread Jayalakshmi bhat
Hi, We are planning to use DHE_RSA TLS ciphers into our product. I have few questions on using DH parameter. We would like to use DH-2048. Our product includes both TLS client and server applications. Thus any time there will be considerable number of active connections. I believe we can use

Re: [openssl-users] Wanted details on ./config or Configure options

2017-11-02 Thread Jayalakshmi bhat
hardware like aep, chill, cswift etc from compilation. Regards Jayalakshmi On Thu, Nov 2, 2017 at 4:38 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com > wrote: > Hi Matt, > > Thanks for the reply. We don't want to turn off the engine fully. We have > TPM chip, that is part of Op

Re: [openssl-users] Wanted details on ./config or Configure options

2017-11-02 Thread Jayalakshmi bhat
-sureware no-hw-ubsec no-hw-zencod. However as of now using the above values with ./Configure is not turning off the compilation of the other hardware components. Regards Jaya On Thu, Nov 2, 2017 at 3:56 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 02/11/17 07:07, Jayalak

Re: [openssl-users] Wanted details on ./config or Configure options

2017-11-02 Thread Jayalakshmi bhat
-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod) does not seem to work. Is there any way to do it? Regards Jayalakshmi On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 25/10/17 18:02, Jayalakshmi bha

[openssl-users] OpenSSL engine and TPM usage.

2017-10-25 Thread Jayalakshmi bhat
Hi All, Our device uses TPM to protect certificate private keys. We have written engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets loaded as an engine instance. Also we have mapped RSA operations to TPM APIs like encryption/decryption etc. Now we are into few

Re: [openssl-users] Wanted details on ./config or Configure options

2017-10-25 Thread Jayalakshmi bhat
org> wrote: > > > On 24/10/17 07:06, Jayalakshmi bhat wrote: > > Hi All, > > > > I am looking for details on options used to disable or remove unwanted > > ciphers, components while openssl building. This is for OpenSSL 1.0.2h. > > I am seeing many thin

[openssl-users] Wanted details on ./config or Configure options

2017-10-24 Thread Jayalakshmi bhat
Hi All, I am looking for details on options used to disable or remove unwanted ciphers, components while openssl building. This is for OpenSSL 1.0.2h. I am seeing many things on internet. But most of them have minimum explanation, please can you tell me is there any link that I can refer.

[openssl-users] how to compile out selected ciphers

2017-08-30 Thread Jayalakshmi bhat
Hi All, I am trying to build openssl. As part of that I want to remove some ciphers like md4, rc5 etc. I tried ./config no-md5, no-rc5 and ./Configure no-md5, no-rc5. In both cases MD4 and RC5 directories are still getting compiled. Please can you let me know what could be going wrong.

[openssl-users] OpenSSL FIPS CAVP tests throws an error iob_func while linking

2017-06-27 Thread Jayalakshmi bhat
Hi All, I am trying to build CAVP test executable for WinCE. Most of the executables are built except 1-2. I am facing iob_func unresolved error. Everything seems to be proper. Any idea or help is well appreciated. Regards Jaya

[openssl-users] FIPS CAVP tests for WinCE.

2017-06-18 Thread Jayalakshmi bhat
Hi All, I am using OpenSSL-FIPS-2.0.4 library on ARM7 + WinCE 6.0 with "user affirm" the validation for Y per I.G. G.5. We want to run latest CAVP test suites. We have built the *build_algvs and other executable* for the above product/build environment. However when we are trying to execute the

Re: [openssl-users] OpenSSL 1.1.1 release timeframe

2017-05-18 Thread Jayalakshmi bhat
Hi Matt, I do understand. Thanks a lot for the reply. Regards Jayalakshmi On Thu, May 18, 2017 at 2:47 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 18/05/17 06:32, Jayalakshmi bhat wrote: > > Please can any one let me know the release date or time line for OpenSSL

[openssl-users] OpenSSL 1.1.1 release timeframe

2017-05-17 Thread Jayalakshmi bhat
Hi All, Please can any one let me know the release date or time line for OpenSSL 1.1.1? Regards Jayalakshmi

[openssl-users] OpenSSL DRBG in FIPS mode confusion.

2017-03-15 Thread Jayalakshmi bhat
Hi All, OpenSSL uses 256 bit AES-CTR DRBG as default DRBG in FIPS mode. I have question associated with this. 1. OpenSSL wiki says : Default DRBG is 256-bit CTR AES *using a derivation function* 2. Where as the document http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf

[openssl-users] Certificates generated using 3k/4k CSR generated with OpenSSL fails on Windows 2008R2

2016-08-10 Thread Jayalakshmi bhat
Hi All, I am generating 1k/2k/3k/4k CSR's on our device using OpenSSL library. I am generating these CSR on our device. We have windows 2008 R2 servers and I am signing these CSR using certificate authority on windows server. I am setting only client and server authentication bits in the CSR

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-15 Thread Jayalakshmi bhat
. Thanks every one for the valuable time and fruitful discussion. Regards Jaya On Sun, Dec 13, 2015 at 11:13 AM, Jayalakshmi bhat < bhat.jayalaks...@gmail.com> wrote: > Hi All, > > > > Thanks for all the responses. As mentioned by Matt in the discussion > thread,co

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-13 Thread Jayalakshmi bhat
Hi All, Thanks for all the responses. As mentioned by Matt in the discussion thread, constant_time_msb performs the copy the msb of the input to all of the other bits so the return value should either be one of 0x or 0x. I found another interesting thing, constant_time_msb

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-10 Thread Jayalakshmi bhat
nssl.org> wrote: > > > On 09/12/15 23:13, Benjamin Kaduk wrote: > > On 12/09/2015 05:04 PM, Matt Caswell wrote: > >> > >> On 09/12/15 11:44, Jayalakshmi bhat wrote: > >>> Hi Matt, > >>> > >>> I could build and execute the constant_tim

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-06 Thread Jayalakshmi bhat
ble (named according to CPU) with no arguments. > > I ask because your proposed fix may be affected by compiler and/or CPU > quirks. > > On 04/12/2015 12:31, Jayalakshmi bhat wrote: > > Hi Matt, > > Thanks a lot for the response. > > Is your application a client or

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-06 Thread Jayalakshmi bhat
Hi All, Are there inputs or suggestions? Thanks and Regards Jaya On Fri, Dec 4, 2015 at 11:37 AM, Jayalakshmi bhat < bhat.jayalaks...@gmail.com> wrote: > Hi Matt, > > s3_cbc.c uses the function constant_time_eq_8. I pulled only this > function definition from OpenSSL 1.0.1e i

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-04 Thread Jayalakshmi bhat
there is something specific about your environment that is causing the > issue. Comments inserted below. > > On 04/12/15 06:53, Jayalakshmi bhat wrote: > > Hi All, > > > > > > > > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except >

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-04 Thread Jayalakshmi bhat
Hi Matt, I replaced constant_time_eq_8 usage in s3_cbc.c with the implementation available in OpenSSL 1.0.1e. Things worked fine. Regards Jaya On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 04/12/15 11:31, Jayalakshmi bhat wrote: > > Hi

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-04 Thread Jayalakshmi bhat
n (unsigned char)(constant_time_eq(a, b)); } Regards Jaya On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 04/12/15 11:31, Jayalakshmi bhat wrote: > > Hi Matt, > > > > Thanks a lot for the response. > > > > Is your appl

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-04 Thread Jayalakshmi bhat
d by compiler and/or CPU > quirks. > > On 04/12/2015 12:31, Jayalakshmi bhat wrote: > > Hi Matt, > > Thanks a lot for the response. > > Is your application a client or a server? Are both ends using OpenSSL 1.0.2d? > If not, what is the other end using? > >>Our

[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-03 Thread Jayalakshmi bhat
Hi All, Recently we have ported OpenSSL 1.0.2d. Everything works perfect except the below explained issue. When we enable only TLS 1.0 protocol and select CBC ciphers, TLS handshake fails with the error "bad record mac". Error is in function static int ssl3_get_record(SSL *s). Error

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-16 Thread Jayalakshmi bhat
if I do not install intermediate CA-2 things works fine. Any help is well appreciated. Regards Jayalakshmi On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 16/11/15 06:52, Jayalakshmi bhat wrote: > > Hi Victor, > > > > Tha

[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi All, In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a check * if (params->trust >0)* before invoking check_trust function. This has been removed in OpenSSL 1.0.2d. Does it mean applications are expected to set the X509_VERIFY_PARAM properly? Our application works

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
wrote: > On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote: > > > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert > had a > > check * if (params->trust >0)* before invoking check_trust function. > > The OpenSSL source

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
or the applications to set X509_VERIFY_PARAM in X509_STORE_CTX Regards Jayalakshmi On Mon, Nov 16, 2015 at 11:40 AM, Viktor Dukhovni < openssl-us...@dukhovni.org> wrote: > > > On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat < > bhat.jayalaks...@gmail.com> wrote: > >

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
tream versions) is not working the way you expect. > > On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote: > > > Our device acts as TLS/SSL client. The device receives chain of > > certificates as part of SSL handshake, when it is trying to get connected >

[openssl-users] CBC mode is not working in OpenSSL 1.0.2d

2015-09-19 Thread Jayalakshmi bhat
Hi All, I have ported OpenSSL 1.0.2d on our product. After that CBC mode is not working. Handshakes are failing with bad mac alert failure. When I checked the code mac retrieved from ssl3_cbc_copy_mac does not match with the calculated mac. Any help on this is appreciated. Thanks and Regards

[openssl-users] CBC mode does not work on OpenSSL 1.0.2d

2015-09-17 Thread Jayalakshmi bhat
Hi All, I have ported OpenSSL 1.0.2d on our device. When I am using any cipher (AES,3DES) in CBC mode I am ending with the result SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC in SSL_F_SSL3_GET_RECORD function. TLS 1.2 is working fine with AES_GCM ciphers. Has anyone faced this issue? Any help

[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).

2015-09-10 Thread Jayalakshmi bhat
Hello all, I have a question on FIPS. We have OpenSSL FIPS module integrated with our product. We have an option to enable/disable FIPS at run time. We are executing the following OpenSSL APIs every time when FIPS status changes. { We have mapped OpenSSL crypto locks to mutex internally. Hence

Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).

2015-09-10 Thread Jayalakshmi bhat
Hi Tom, Thanks a lot for clarifying the doubt. Regards Jayalakshmi On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis...@pobox.com> wrote: > > > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat < > bhat.jayalaks...@gmail.com> wrote: > > > > Hello al

[openssl-users] question on Alternative chains certificate forgery (CVE-2015-1793)

2015-07-21 Thread Jayalakshmi bhat
Hi All, Does *alternative chains certificate forgery issue* affect the OpenSSL stacks earlier than 1.0.1n releases? Why I am asking this question is affected code seems to be available in earlier versions as well. Thanks and Regards Jayalakshmi

Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)

2015-07-17 Thread Jayalakshmi bhat
. API's changed are EVP_MD_flags from evp_lib.c and pkey_fips_check_ctx from rsa_pmeth.c Regards Jayalakshmi On Fri, Jul 17, 2015 at 4:20 AM, Dr. Stephen Henson st...@openssl.org wrote: On Thu, Jul 16, 2015, Jayalakshmi bhat wrote: Hi All, I am using OpenSSL library for a SSL client

[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)

2015-07-16 Thread Jayalakshmi bhat
Hi All, I am using OpenSSL library for a SSL client performing mutual authentication. RSA certificate used is signed with SHA512 digest. When I switch to FIPS mode and perform re-authentication, I am hitting an error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA. Can any one

[openssl-users] a question on SSL_MAX_BUF_FREELIST_LEN_DEFAULT

2015-05-10 Thread Jayalakshmi bhat
Hi All, We are using OpenSSL on a multihome device. Device has 4 interfaces. Each network interface creates one SSL context (SSL_CTX) and supports 16 connections. As per OpenSSL implementation Each SSL context can maintain a free buffer list of 32. And this retained till SSL context (SSL_CTX) is

Re: [openssl-users] Encryption and Decryption using ECC based certificate private/public key pair

2015-04-28 Thread Jayalakshmi bhat
wrote: On Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat bhat.jayalaks...@gmail.com wrote: Hello All, I am working on a project where there is need to encrypt and decrypt certain data using certificate public/private key pair. So far we were using RSA based certificates. OpenSSL

[openssl-users] Encryption and Decryption using ECC based certificate private/public key pair

2015-04-26 Thread Jayalakshmi bhat
Hello All, I am working on a project where there is need to encrypt and decrypt certain data using certificate public/private key pair. So far we were using RSA based certificates. OpenSSL provides good number of API's for RSA based encryption/decryption operation. Now we are planning to support

Re: OpenSSL engine support in OpenSSL FIPS Object Module

2014-07-06 Thread Jayalakshmi bhat
Hi Kyle, Thanks a lot for detailed explanation, it helped me lots. Regards Jayalakshmi On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton aerow...@gmail.com wrote: On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We have range of products that provides network

Re: OpenSSL engine support in OpenSSL FIPS Object Module

2014-07-06 Thread Jayalakshmi bhat
Hi Jakob, Thank you very much for detailed and helpful explanation. Regards Jayalakshmi On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm jb-open...@wisemo.com wrote: On 7/6/2014 10:44 AM, Kyle Hamilton wrote: On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We

OpenSSL engine support in OpenSSL FIPS Object Module

2014-07-05 Thread Jayalakshmi bhat
Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. I welcome all valuable inputs. Regards Jayalakshmi.

Re: OpenSSL engine support in OpenSSL FIPS Object Module

2014-07-05 Thread Jayalakshmi bhat
st...@openssl.org wrote: On Sat, Jul 05, 2014, Jayalakshmi bhat wrote: Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. If you

TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Jayalakshmi bhat
Hi All, We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our product. Recently we have added TPM support. TPM chip is not FIPS compliant. Hence in FIPS mode none of the SSL applications are working. I wanted inputs on the following questions. I would be grateful to receive

Re: TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Jayalakshmi bhat
:36 PM, Steve Marquess marqu...@opensslfoundation.com wrote: On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote: On Fri, Jul 04, 2014, Jayalakshmi bhat wrote: Hi All, We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our product. Recently we have added TPM support

Re: TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Jayalakshmi bhat
. Stephen Henson st...@openssl.org wrote: On Fri, Jul 04, 2014, Jayalakshmi bhat wrote: Hi All, We are using OpenSSL 1.0.1c along with OpenSSL FIPS object Module in our product. Recently we have added TPM support. TPM chip is not FIPS compliant. Hence in FIPS mode none of the SSL

Re: TPM support with OpenSSL FIPS Object Module

2014-07-04 Thread Jayalakshmi bhat
Thanks a lot Steve for the quick response. On Fri, Jul 4, 2014 at 10:21 PM, Steve Marquess marqu...@opensslfoundation.com wrote: On 07/04/2014 12:06 PM, Jayalakshmi bhat wrote: Hi Steve, Thank you very much for the response. I have one more question. In order use a FIPS 140-2

FIPS support on a multi-home device

2014-05-29 Thread Jayalakshmi bhat
Hi All, We have a product that has 2 network interfaces i.e. wired and wireless. Both interfaces use separate OpenSSL library. However FIPS validated OpenSSL crypto module is common for both interfaces as shown below. FIPS validated openSSL