Re: OCB Authenticated Encryption
On 03/28/2013 10:31 AM, Matt Caswell wrote: On 27 March 2013 21:03, Ben Laurie b...@links.org wrote: The OSF is not actually the one that would benefit from such a licence, so the whole idea that it (or we) should pay for one seems weird to me. Well, I wasn't actually suggesting that the OSF should pay for it itself, merely that the OSF could be the conduit for organising the licensing (in much the same way as it has been the conduit for organising the FIPS certification). The licensing only impacts US users of OpenSSL (as I understand it the patents under discussion here are only applicable within the US), and therefore the benefits would be largely felt by its customers -although in reality we all benefit by removing a blocker from integrating a mode into the code base with some significant advantages (OCB is supposedly significantly faster than GCM). If it comes to paying for it then I would hope that it may be possible to achieve sufficient corporate sponsorship to cover the costs (as I said in my original email). However, at this stage, all that is required is for someone to open a discussion with Phil Rogaway to see what can be achieved (maybe he will grant OpenSSL a waiver without any money changing hands at all). My suggestion is that that discussion could be initiated by the OSF (it seems a natural fit to me)...but really it could be anyone from the core dev team who can claim to speak for the project. I've sent Prof. Rogaway a note on this topic, but from his web site his intent seems pretty clear. It won't hurt to ask, though. As Ben noted we're not in a position to fund external costs for a product we give away for free. We have enough overhead expenses already for our modest budget. We can and do work with commercial or government sponsors that fund such expenses, but in this case I suspect money won't be the deciding factor. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Apache 2.2.24 doesnt come up with FIPS capable openssl 1.0.1c
Hi All, I installed openssl 1.0.1c with FIPS and it works fine. export OPENSSL_FIPS=1 [root@PC ~]# openssl SHA1 incore SHA1(incore)= b5acba7f6333aafdfe9804d2aebe373c39024bc3 [root@PC ~]# openssl md5 incore Error setting digest md5 139723413960360:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180: Also, ciphers option shows fewer ciphers. I compiled HTTPD 2.2.24 against this openssl. But HTTPD is not coming up with SSLFIPS on throwing following errors. [Mon Apr 01 19:07:46 2013] [emerg] FIPS mode failed [Mon Apr 01 19:07:46 2013] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match Here is the detail of build procedure i followed for httpd. 1)Set Env Variables export INCLUDES=-I/software/common/mod_ssl/mod_ssl-2.8.30-1.3.39/pkg.sslmod LIBS=-ldl export CPPFLAGS=-I/software/common/openssl/openssl-1.0.1c/include/openssl export LD_LIBRARY_PATH=/software/common/openssl/openssl-1.0.1c/ 2) ./configure --with-ssl=/software/common/openssl/openssl-1.0.1c --enable-so --enable-ssl --enable-shared=ssl 3) make Which resulted in libmod_ssl.a lib and httpd binary. Symbols in lib and binary are, [root@PC .libs]# nm -n -f 'sysv' libmod_ssl.a | grep FIPS ssl_cmd_SSLFIPS || U |NOTYPE| | |*UND* ssl_cmd_SSLFIPS |1130| T | FUNC|006d| |.text FIPS_mode || U |NOTYPE| | |*UND* FIPS_mode_set || U |NOTYPE| | |*UND* [root@PC httpd-2.2.24]# nm -n -f 'sysv' httpd | grep FIPS|grep .rodata FIPS_rodata_start |0062ecc0| R | OBJECT|0010| |.rodata FIPS_hmac_key |0062ecd0| r | OBJECT|0011| |.rodata FIPS_bn_version |0062eda0| R | OBJECT|0036| |.rodata FIPS_rodata_end |0063a040| R | OBJECT|0010| |.rodata Can someone help me with this? Thanks, Cipher -- View this message in context: http://openssl.6102.n7.nabble.com/Apache-2-2-24-doesnt-come-up-with-FIPS-capable-openssl-1-0-1c-tp44630.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3022] Binary curves broken in FIPS mode
Any thoughts on this issue? As things currently stand binary curves are pretty much unusable in a FIPS capable OpenSSL build. Thanks Matt On 22 March 2013 19:41, Matt Caswell via RT r...@openssl.org wrote: Hello When using OpenSSL-1.0.1e-fips a call to PEM_write_bio_PrivateKey silently fails and produces a corrupt pem file when using an EVP_PKEY_EC key and a binary curve. The same function works fine when not using a FIPS capable OpenSSL. I suspect the same problem will affect any ASN.1 routines that attempt to write the private key. Please see attached: * A test case c file that demonstrates the problem * Two example corrupt pem files * A patch to rectify the problem The patch has been tested against OpenSSL-1.0.1e and corrects the following: * Modifies eckey_param2type in ec_ameth.c to check for a 0 return from i2d_ECParameters to prevent a silent failure * Modifies the checks to see if the functions should have been called in EC_GROUP_get_trinomial_basis and EC_GROUP_get_pentanomial_basis within ec_asn1.c, so that they work in FIPS mode Please can someone apply this patch, as binary curves are currently broken in FIPS mode. Thanks Matt
[openssl.org #3022] Binary curves broken in FIPS mode
On Fri Mar 22 20:41:21 2013, fr...@baggins.org wrote: Hello When using OpenSSL-1.0.1e-fips a call to PEM_write_bio_PrivateKey silently fails and produces a corrupt pem file when using an EVP_PKEY_EC key and a binary curve. The same function works fine when not using a FIPS capable OpenSSL. I suspect the same problem will affect any ASN.1 routines that attempt to write the private key. Patch applied, many thanks for the report. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Apache 2.2.24 doesnt come up with FIPS capable openssl 1.0.1c
You have to statically link the openssl dynamic libraries -- View this message in context: http://openssl.6102.n7.nabble.com/Apache-2-2-24-doesnt-come-up-with-FIPS-capable-openssl-1-0-1c-tp44630p44634.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org