Re: [openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?
On Tue, Aug 02, 2016, jonetsu wrote:

> FIPS: Need to use FIPS versions of (EVP) methods ?
>
> In FIPS mode, is there a need to use the FIPS_* methods instead of the
> regular ones once FIPS_mode_set(1) was successfully executed ?  For
> instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1()
> ?  Wouldn't the FIPS version of EVP_sha1() be used automatically when
> in FIPS mode ?
>

The FIPS implementation of sha1 is automatically used in FIPS mode yes. You
shouldn't use FIPS_evp_sha1() etc.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS mode: Need to use FIPS versions of (EVP) methods ?
FIPS: Need to use FIPS versions of (EVP) methods ?

In FIPS mode, is there a need to use the FIPS_* methods instead of the
regular ones once FIPS_mode_set(1) was successfully executed ?  For
instance, is there a need to use FIPS_evp_sha1() instead of EVP_sha1() ?
Wouldn't the FIPS version of EVP_sha1() be used automatically when in
FIPS mode ?

Thanks.

Re: [openssl-users] linker input file unused/linking not done gcc warning
On 08/02/2016 10:38 AM, jonetsu wrote:
> Hello,
>
> Is it normal to get a 'linker input file unused because linking
> not done' warning when compiling C code that uses OpenSSL in FIPS
> mode, hence using fipsld ?
>
> The object file is actually generated, as well as the executable,
> and it does execute in a meaningful manner.
>
> The warning:
>
> [...]
>
> gcc: warning: /usr/include/openssl/: linker input file unused because linking not done
>
> FIPSLD_CC=gcc /usr/lib/ssl/fips-2.0/bin/fipsld -o fips_hmac-errCode fips_hmac-errCode.o /usr/lib/arm-linux-gnueabihf/libcrypto.a -ldl -lz
>
>
> The simple Makefile:
>
> OPENSSLDIR = /usr/lib/ssl
> LIBCRYPTO = /usr/lib/arm-linux-gnueabihf/libcrypto.a
> INCLUDES = /usr/include/openssl/

The later usage makes it seem like this should be -I/usr/include/openssl/ ,
including the "-I".

-Ben

> CMD = fips_hmac-errCode
> OBJS = $(CMD).o
> $(CMD): $(OBJS)
> 	FIPSLD_CC=$(CC) $(OPENSSLDIR)/fips-2.0/bin/fipsld -o $(CMD) $(OBJS) $(LIBCRYPTO) -ldl -lz
>
> $(OBJS): $(CMD).c
> 	$(CC) -c $(CMD).c $(INCLUDES)
> clean:
> 	rm $(OBJS)
>
>
> Thanks.

[openssl-users] FIPS: using libcrypto.so ?
The current FIPS User Guide mentions:

"3.3 Creation of Shared Libraries

The FIPS Object Module is not directly usable as a shared library, but
it can be linked into an application that is a shared library. A “FIPS
compatible” OpenSSL distribution will automatically incorporate an
available FIPS Object Module into the libcrypto shared library when
built using the fips option (see §4.2.3)."

Does the first sentence mean that there should be an intermediate, user
created, .so that itself uses libcrypto.a ?

What does the second part mean ?  The FOM will be included in the shared
library (assuming the libcrypto.so file) ?  If so, then why wouldn't it
be available directly ?

A clarification in perhaps simpler terms over what seems to be an
explanation in the User Guide would be much appreciated.

In practical terms, is it possible for an application to link against a
libcrypto.so that provides all needed FIPS symbols ?  If it's not, can
you give an example overview in which an application already using
OpenSSL (libcrypto.so) but now supporting FIPS, can still use
libcrypto.so with full FIPS support ?  Is the only answer to now have
the application linked against libcrypto.a ?

Thanks !

[openssl-users] linker input file unused/linking not done gcc warning
Hello,

Is it normal to get a 'linker input file unused because linking not
done' warning when compiling C code that uses OpenSSL in FIPS mode,
hence using fipsld ?

The object file is actually generated, as well as the executable, and it
does execute in a meaningful manner.

The warning:

[...]

gcc: warning: /usr/include/openssl/: linker input file unused because linking not done

FIPSLD_CC=gcc /usr/lib/ssl/fips-2.0/bin/fipsld -o fips_hmac-errCode fips_hmac-errCode.o /usr/lib/arm-linux-gnueabihf/libcrypto.a -ldl -lz

The simple Makefile:

OPENSSLDIR = /usr/lib/ssl
LIBCRYPTO = /usr/lib/arm-linux-gnueabihf/libcrypto.a
INCLUDES = /usr/include/openssl/
CMD = fips_hmac-errCode
OBJS = $(CMD).o
$(CMD): $(OBJS)
	FIPSLD_CC=$(CC) $(OPENSSLDIR)/fips-2.0/bin/fipsld -o $(CMD) $(OBJS) $(LIBCRYPTO) -ldl -lz

$(OBJS): $(CMD).c
	$(CC) -c $(CMD).c $(INCLUDES)
clean:
	rm $(OBJS)

Thanks.