Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Dr. Stephen Henson
On Mon, Feb 22, 2016, Wall, Stephen wrote: > I wonder if I could get the thoughts of some of you developers on how > difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of > the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a > legitimate way to get

[openssl-dev] RT4265 no-srtp still broken

2016-02-22 Thread Short, Todd
Configuring the master branch with no-srtp is still broken. This PR: https://github.com/openssl/openssl/pull/582 fixes it. It's a bit out of date, but there shouldn’t be any conflicts. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Jaroslav Imrich
On 22 February 2016 at 20:18, Richard Levitte wrote: > > This is where I go dreamy eyed with a desire to make all our built in > algorithm into an engine, loadable like any other engine. I have never tried such setup but this sounds like SoftHSM2 [0] with OpenSSL crypto

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Richard Levitte
In message <20160222185829.ga19...@openssl.org> on Mon, 22 Feb 2016 18:58:29 +, "Dr. Stephen Henson" said: steve> On Mon, Feb 22, 2016, Wall, Stephen wrote: steve> steve> > I wonder if I could get the thoughts of some of you developers on how steve> > difficult it would

Re: [openssl-dev] [openssl.org #4335] ix 'assignment from incompatible type' warning in OBJ_NAME_new_index()

2016-02-22 Thread Kaduk, Ben via RT
On 02/22/2016 11:04 AM, David Woodhouse via RT wrote: > We are using OPENSSL_strcmp() as the cmp_func, where cmp_func takes > a pair of (void *) pointers, not (char *). Which is fine; we know we're > going to pass it strings in this case. So explicitly cast it to avoid > the resulting compiler

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Steve Marquess
On 02/22/2016 01:58 PM, Dr. Stephen Henson wrote: > On Mon, Feb 22, 2016, Wall, Stephen wrote: > >> I wonder if I could get the thoughts of some of you developers on how >> difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of >> the current (2.0.11?) fipscanister.o. Also,

Re: [openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

2016-02-22 Thread Roumen Petrov via RT
Hi Rich, Rich Salz via RT wrote: > fixed in commit 985c3146967633707f7c165df82bb0fd8f279758 thanks for the > report! From initial patch is missing line with header += 9. Please could you review parsing with ENCRYPTED Roumen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread David Woodhouse
On Fri, 2016-02-19 at 15:53 +0100, Nikos Mavrogiannopoulos wrote: > On Fri, 2016-02-19 at 13:12 +, Matt Caswell wrote: > > > As far as I know there are some customers using the Chil engine > > > with > > > RHEL (openssl-1.0.1).  > > > > How do you feel about the engine being spun out into a

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread David Woodhouse
On Sat, 2016-02-20 at 22:55 +0100, Richard Levitte wrote: > > sander> What I would like to see though is for such a PKCS#11 Engine > sander> to be part of OpenSSL proper, so that our customers and > sander> everyone else’s don’t have to go hunt hither and yon for bits > sander> and bobs of

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Nikos Mavrogiannopoulos
On Sat, 2016-02-20 at 23:34 +0100, Jaroslav Imrich wrote: > On 20 February 2016 at 21:40, Sander Temme wrote: > >  However, I’m intrigued by the notion of a PKCS#11 Engine in > > OpenSSL: it’s a standard (an OASIS standard now); it’s fairly fully > > featured; everyone in the

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Richard Levitte
In message <1456140741.4735.272.ca...@infradead.org> on Mon, 22 Feb 2016 11:32:21 +, David Woodhouse said: dwmw2> On Sat, 2016-02-20 at 22:55 +0100, Richard Levitte wrote: dwmw2> > dwmw2> > sander> What I would like to see though is for such a PKCS#11 Engine dwmw2> >

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread David Woodhouse
On Mon, 2016-02-22 at 12:52 +0100, Richard Levitte wrote: > > That takes me back to crypto/store, which is currently removed in > master but which I have a rework of in a branch, which is meant to > solve this exact problem, but without being exclusively tied to > PKCS#11.  The design is to have

[openssl-dev] [openssl.org #4330] Unsupported options: no-ssl2

2016-02-22 Thread Richard Levitte via RT
Issue fixed in commit e80381e1a3309f5d4a783bcaa508a90187a48882 -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4330 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Salz, Rich
> If we integrate the support natively into OpenSSL, then PKCS#11 URIs (see > RFC7512) can be first-class citizens throughout the crypto and SSL APIs. Any > function which takes a filename for a cert or key should also accept¹ a > PKCS#11 URI. It'd be great to see a crypto/pkcs11 directory with

[openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Richard Levitte via RT
Issue fixed in commit e80381e1a3309f5d4a783bcaa508a90187a48882 -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4326

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Jaroslav Imrich
On 22 February 2016 at 11:16, Nikos Mavrogiannopoulos wrote: > That's an implementation detail. As far as I know engine_pkcs11 does > not require re-authentication after fork. It handles the pkcs11 > peculiarities internally. > AFAIK this works by caching the PIN in

[openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Richard Levitte via RT
Sorry, wrong commit cited here, the correct one is 5c57fbb8ca991e8db7ce23174613898a27ca3fcb On Mon, 22 Feb 2016 at 14.46.52, levitte wrote: > Issue fixed in commit e80381e1a3309f5d4a783bcaa508a90187a48882 > > -- > Richard Levitte > levi...@openssl.org -- Richard Levitte levi...@openssl.org

Re: [openssl-dev] [openssl.org #4323] chacha-armv4.pl bugs

2016-02-22 Thread David Benjamin via RT
On Sun, Feb 21, 2016 at 3:27 PM Andy Polyakov via RT wrote: > Hi, > > > The partial-block tail code in chacha-armv4.pl also seems to have > problems. > > My colleague Steven and I made an attempt to debug it, but we're not > > familiar enough with ARM to fix it. > > > > From

[openssl-dev] openssl-1.1 started looking for engines using wrong names

2016-02-22 Thread Blumenthal, Uri - 0553 - MITLL
In short, after commits done in the last few days, openssl-1.1 stopped looking for lib.so, and started looking for .so. I think it’s an introduced bug that needs to be fixed: $ ~/src/openssl-1.1/bin/openssl engine pkcs11 -t 140735268914000:error:25066067:DSO support routines:dlfcn_load:could not

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Blumenthal, Uri - 0553 - MITLL
On 2/22/16, 6:12 , "openssl-dev on behalf of David Woodhouse" wrote: >>It may even be better, instead of pushing for different engines for >> different hardware, to make PKCS#11 the only API used to talk to >> hardware. There is a

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Lee, Ju (Converged Systems)
9e04edf2f309e7edc3f4c9a09d444b2fd23a1e46 fixed -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Lee, Ju via RT Sent: Monday, February 22, 2016 9:57 AM To: noloa...@gmail.com Cc: openssl-dev@openssl.org Subject: Re: [openssl-dev] [openssl.org

[openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

2016-02-22 Thread Rich Salz via RT
fixed in commit 985c3146967633707f7c165df82bb0fd8f279758 thanks for the report! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Lee, Ju via RT
9e04edf2f309e7edc3f4c9a09d444b2fd23a1e46 fixed -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Lee, Ju via RT Sent: Monday, February 22, 2016 9:57 AM To: noloa...@gmail.com Cc: openssl-dev@openssl.org Subject: Re: [openssl-dev] [openssl.org

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread John Foley
One of the challenges with this will be symbol collision (in a Linux environment). I would think that doing this as a static engine would not be possible. The reason is your new engine that's using the 2.0.11 canister would contain symbols that exist in OpenSSL. But maybe the fipssyms.h

Re: [openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Steve Marquess
On 02/22/2016 11:01 AM, Wall, Stephen wrote: > I wonder if I could get the thoughts of some of you developers on how > difficult it would be to build an engine for OpenSSL 1.1.0 that makes > use of the current (2.0.11?) fipscanister.o. Also, opinions on if > this would be a legitimate way to get

[openssl-dev] [openssl.org #4334] Check for UEFI before __STDC_VERSION__ for

2016-02-22 Thread David Woodhouse via RT
Adding -nostdinc to the EDK2 showed that we were including for some UEFI builds, because the check for __STDC_VERSION__ happens before the check for OPENSSL_SYS_UEFI. Fix that. ---  include/openssl/e_os2.h | 12 ++--  1 file changed, 6 insertions(+), 6 deletions(-) diff --git

[openssl-dev] [openssl.org #4309] [PATCH] Fix UEFI/EDK2 build error by defining PRIu64

2016-02-22 Thread Rich Salz via RT
pushed in commit d99d0d9 thanks! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4309

Re: [openssl-dev] [openssl.org #4290] HMAC_Init_ex() return bug

2016-02-22 Thread Blumenthal, Uri - 0553 - MITLL
If somebody (Mik, Felipe, you hear? :) cares to send me a *simple* *short* code that exposes this problem, I’ll be willing to test it on Linux and Mac OS X, with OpenSSL-1.0.2f, OpenSSL-1.0.2-stable, and 1.1-pre. -- Regards, Uri Blumenthal On 2/20/16, 9:10 , "openssl-dev on behalf of Salz,

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Lee, Ju (Converged Systems)
It failed to 'make test' at d784bcffa3dcd7ac4a0c77bfac4e686dcb771bd9 this morning. Test Summary Report --- ../../openssl/test/recipes/70-test_sslcertstatus.t (Wstat: 28416 Tests: 0 Failed: 0) Non-zero exit status: 111 Parse errors: Bad plan. You planned 1 tests but ran 0.

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Lee, Ju via RT
It failed to 'make test' at d784bcffa3dcd7ac4a0c77bfac4e686dcb771bd9 this morning. Test Summary Report --- ../../openssl/test/recipes/70-test_sslcertstatus.t (Wstat: 28416 Tests: 0 Failed: 0) Non-zero exit status: 111 Parse errors: Bad plan. You planned 1 tests but ran 0.

[openssl-dev] OpenSSL 1.1.0 and FIPS

2016-02-22 Thread Wall, Stephen
I wonder if I could get the thoughts of some of you developers on how difficult it would be to build an engine for OpenSSL 1.1.0 that makes use of the current (2.0.11?) fipscanister.o. Also, opinions on if this would be a legitimate way to get FIPS in 1.1.0. Thanks, spw

Re: [openssl-dev] Ubsec and Chil engines

2016-02-22 Thread Richard Levitte
In message <347004c001fd430aadadceac908e6...@ustx2ex-dag1mb1.msg.corp.akamai.com> on Mon, 22 Feb 2016 14:46:28 +, "Salz, Rich" said: rsalz> > If we integrate the support natively into OpenSSL, then PKCS#11 URIs (see rsalz> > RFC7512) can be first-class citizens

[openssl-dev] MSVC 2015 internal compiler error

2016-02-22 Thread Bill Bierman
Hello. I'm sorry I cannot reply to the thread. I only just now have subscribed to the list. I can confirm that this problem exists with Visual Studio 2015 on HEAD. I spoke to a friend of mine who works at MS who relayed this to the compiler team. A senior dev there is aware of the issue and

Re: [openssl-dev] MSVC 2015 internal compiler error

2016-02-22 Thread Bill Bierman
The Microsoft compiler team has suggested removing the include of ssl.h from srtp.h as it creates a circular reference which is likely confusing the compiler. On Mon, Feb 22, 2016 at 2:19 PM, Bill Bierman wrote: > Hello. I'm sorry I cannot reply to the thread. I only

Re: [openssl-dev] MSVC 2015 internal compiler error

2016-02-22 Thread Viktor Dukhovni
On Mon, Feb 22, 2016 at 03:55:12PM -1000, Bill Bierman wrote: > The Microsoft compiler team has suggested removing the include of ssl.h > from srtp.h as it creates a circular reference which is likely confusing > the compiler. Could you test the patch below? It tries to avoid incompatible loss

[openssl-dev] [openssl.org #4334] Check for UEFI before __STDC_VERSION__ for

2016-02-22 Thread Rich Salz via RT
fixed in commit a2d0baa thanks! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4334

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Corinna Vinschen
On Feb 21 06:27, Richard Levitte via RT wrote: > I believe that the auto-detecting script, ./config, is lacking detection of > architecture for Cygwin. Does one preferably recognise a x86_64 Cygwin from > `uname -m` or is there something in `uname -s` that should be used as an > indicator? Uh oh,

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Richard Levitte
In message <20160222173404.gb11...@calimero.vinschen.de> on Mon, 22 Feb 2016 18:34:04 +0100, Corinna Vinschen said: vinschen> On Feb 21 06:27, Richard Levitte via RT wrote: vinschen> > I believe that the auto-detecting script, ./config, is lacking detection of vinschen> >

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Corinna Vinschen
On Feb 22 18:43, Richard Levitte wrote: > In message <20160222173404.gb11...@calimero.vinschen.de> on Mon, 22 Feb 2016 > 18:34:04 +0100, Corinna Vinschen said: > > vinschen> On Feb 21 06:27, Richard Levitte via RT wrote: > vinschen> > I believe that the auto-detecting

Re: [openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Richard Levitte
In message <20160222180008.ga31...@calimero.vinschen.de> on Mon, 22 Feb 2016 19:00:08 +0100, Corinna Vinschen said: vinschen> OTOH, is it much of a problem to apply the patches used for the Cygwin vinschen> distro into the 1.0.2 branch so we can get rid of them entirely?

Re: [openssl-dev] [openssl.org #4323] chacha-armv4.pl bugs

2016-02-22 Thread Andy Polyakov via RT
> The fix seems to work. On a related note, a problem was reported with the poly1305-armv4 module, which was traced down to the assembler (different versions disagree about how to treat #-1 as an argument to vmov.i64). If you run into a problem, don't panic, a fix is upcoming... -- Ticket here:

[openssl-dev] [openssl.org #4330] Unsupported options: no-ssl2

2016-02-22 Thread Richard Levitte via RT
Does the attached patch work for you? On Sun, 21 Feb 2016 at 17.06.58, noloa...@gmail.com wrote: > I think it's great that SSLv2 is disabled by default or removed. > However, this might cause some UI pain: > > $ ./config shared no-ssl2 no-ssl3 > Operating system: x86_64-whatever-linux2 >

[openssl-dev] [openssl.org #4326] Failed to configure for Cygwin-x64

2016-02-22 Thread Richard Levitte via RT
Actually, master already had a patch, which is even better. I'll apply one reminding of that. On Sun, 21 Feb 2016 at 08.22.02, noloa...@gmail.com wrote: > On Sun, Feb 21, 2016 at 2:50 AM, Richard Levitte via RT > wrote: > > Would you try the attached patch, please? > > > >