[openssl-users] Need help understanding tradeoffs of "-dsaparam" in dhparam

2015-10-27 Thread Ethan Rahn
Hello, I'm trying to understand the tradeoffs of using "-dsaparam" in the openssl "dhparam" command. I know that it won't create a strong prime, but I'm not understanding the tradeoffs with that very well. The Wikipedia page says that primes with the

Re: [openssl-users] Openssl FIPS uses /dev/urandom by default?

2015-11-12 Thread Ethan Rahn
xxiao, Are you sure you can't modify that? My understanding of FIPS mode is that you cannot modify the FIPS code canister, which entropy sources are not a part of. Cheers, Ethan On Thu, Nov 12, 2015 at 8:08 AM, xxiao8 wrote: > in e_os.h I saw > == > #ifndef DEVRANDOM >

Re: [openssl-users] force to use /dev/random for openssl fips module

2015-12-10 Thread Ethan Rahn
xxiao, have you changed the code to also increase the timeout and not try to use other devices to get entropy? If /dev/random is blocking at the time, it may run into issues trying to look for other sources of entropy than giving up. On Tue, Dec 8, 2015 at 8:25 PM, xxiao8

Re: [openssl-users] Digest MD5 forbidden in FIPS mode

2016-01-18 Thread Ethan Rahn
MD5 is not considered a safe function to use hence it is forbidden in FIPS mode. Can you use a different hash function ( such as SHA-something ) for your use case? On Mon, Jan 18, 2016 at 4:43 PM, Marcos Bontempo wrote: > Hello, > > I wrote a C code which enter in

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Ethan Rahn
Is there a reason why you cannot build it from a controlled build environment and record the hash of the final .so? It seems that it would be pretty non-trivial if not impossible to pull a .o file from a .so in the exact same format that it went in, such that you could check the hash. Being able

Re: [openssl-users] Should openssl publish the commit #'s that fixed each CVE?

2017-01-26 Thread Ethan Rahn
s-boun...@openssl.org] *On > Behalf Of *Ethan Rahn > *Sent:* Thursday, January 26, 2017 10:40 AM > *To:* openssl-users@openssl.org > *Subject:* [openssl-users] Should openssl publish the commit #'s that > fixed each CVE? > > > > Hello, > > > > When looking

[openssl-users] Should openssl publish the commit #'s that fixed each CVE?

2017-01-26 Thread Ethan Rahn
Hello, When looking at the latest security announcement, something that I notice is that it's hard to find the actual commits that fixed an issue. If you search git.openssl.org you can find some of them if they are mentioned in the change message, but it still requires some active effort. Would

Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-07 Thread Ethan Rahn
Matt, What part of the selftest fails? Can you step through it with a debugger? Cheers, Ethan On Fri, Oct 7, 2016 at 10:56 AM, Matthew Heimlich wrote: > I'm on RHEL7. I've got a very simple encryption/decryption program that > works fine without FIPS support

[openssl-users] Seeking to understand difference in RSA key gen between X9.31 and FIPS 186-4

2016-10-12 Thread Ethan Rahn
Hey Openssl-User's, I'm trying to understand the difference between how primes are generated in RSA X9.31 ANSI standards ( which I don't have access to ) and FIPS 186-4 ( found here: http://csrc.nist.gov/groups/STM/cavp/documents/dss2/rsa2vs.pdf ) In the code at

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-11 Thread Ethan Rahn
Wow, That was quite the oversight of mine. That fixed the issue. Thanks so much, I appreciate your patience in dealing with my confusion over the APIs! Cheers, Ethan On Sat, Mar 11, 2017 at 12:28 PM, Matt Caswell <m...@openssl.org> wrote: > > > On 11/03/17 18:38, E

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-11 Thread Ethan Rahn
, "Failed to derive shared secret\n" ); ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); return 0; } else { fprintf( stderr, "FOUND IT!\n" ); } bin2hex( sharedSecret, sharedSecretHex, sharedSecretLen ); return 1; } On Fri, Mar 10

[openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-10 Thread Ethan Rahn
Hello Openssl-users, I'm trying to write some code that derives the shared secret for 2 elliptic curve keys ( i.e. does ECDH ) I am doing the following to load up both the local and remote EC key ( code shown for local side ): EC_KEY* localEC = EC_KEY_new_by_curve_name( curveName );

Re: Poll on manpages

2020-01-28 Thread Ethan Rahn
Rich, If no-one else tells you, keeping the docs up to date is amazing work and thank you for it. My general thought is that all docs should be consistent with one another for ease of cross referencing and skimming and the manpages should follow the same layout. Cheers, Ethan On Tue, Jan 28,

Re: Blog post

2021-06-17 Thread Ethan Rahn
Hello Matt, Love the blog post, and of course a hearty thanks to everyone who worked on the project to get it to this point. Is the plan still to continue with the FIPS 140-2 validation instead of 140-3? Apologies for the lack of a first party source but