Re: [openssl.org #3089] Building OpenSSL 1.0.1e with FIPS on Win64A
On 07/10/2013 03:46 PM, Graeme Perrow via RT wrote: I am trying to build the FIPS Object Module for Windows on an AMD64 machine. I started with the instructions in section 4.3 of the User Guide 2.0, and was able to build the FIPS module itself, but the instructions for building a FIPS-capable OpenSSL are specific to 32-bit Windows. I adjusted the build procedure as follows: ... Also (and more importantly), if I have to modify the build procedure for the FIPS-capable OpenSSL but not for the FIPS Object Module itself, does that mean my Module is not FIPS 140-2 validated? I think this is more of a user list question. OpenSSL proper (as opposed to the OpenSSL FIPS Object Module) is out of scope of the FIPS 140-2 validation procedure, so you can hack it to your hearts content. You need to embed the HMAC-SHA1 integrity check (incore) digest in the FIPS module embedded in the shared library executable file, but you aren't constrained to a specific command or process. Also note that you must verify the SHA1 digest of the FIPS module files (as is done automatically in the fipsld script). Sort of moot if you just generated those files, but a technical requirement nonetheless. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3074] On PA-RISC, OPENSSL_cleanse() causes crash when called from outside libcrypto, patch included
On 06/16/2013 05:33 AM, Mitch Blank via RT wrote: I got a strange bug report claiming that openssl md5 was dumping core on old parisc hardware. Sure enough, it was generating the correct result but then crashing... It turns out the problem is rather subtle. ... Not sure if this fix is appropriate for 32-bit parisc. I don't have an environment for testing that at the moment. ... Unfortunately it's been several years since any of the OpenSSL team have had access to any PA-RISC systems. I used to have such access to run tests for Andy but no more. So unless someone else can develop and thoroughly test a solution PA-RISC is effectively an unsupported platform. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3029] Misspellings in the openssl license document
On 04/04/2013 03:01 PM, Coe, Brian via RT wrote: I was reviewing the license doc and saw some errors. Corrected words in are in bold and are red. I tried to submit this through RT but had some problems. I have also attached an RTF in case the formatting fails to go through email. License ... I'll hazard the guess that you're a native American English speaker, as am I. The original SSLeay licence was written by Commonwealth English speakers, and they do tend to spell things a bit differently. In Americanese license is both a noun and a verb, whereas in the Queen's English licence is the noun and license is the verb. Some of my British colleagues have explained that it often doesn't matter if Americanized spelling is used, but in this case I think we should respect the original presentation. I find is useful to set my spellchecker to British English, as intuition can be misleading. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org