Re: Setting a group to an existing EVP_PKEY in OpenSSL 3

I haven’t done exactly what you are trying, but something similar. See EVP_PKEY_set_params: https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_set_params.html The specific parm to set the group could be set like this:

PEM to EVP_PKEY

Hello, So I have a PEM formatted file that contains an EC certificate and a private key. I need to load that PEM file and converted to an EVP_PKEY. The goal of this exercise is so that I can do an ECDH pairwise consistency test (SP 800-56Ar3 Section 5.6.2.1.4) on the key pair by calling

Re: EC_POINT_get_affine_coordinates replacement in 3.0

You would have to use EVP_PKEY key type. You can use EVP_PKEY_get* to get key params. > On May 3, 2022, at 1:56 PM, Chris Bare wrote: > > Thanks, I'll check those out. > > On Tue, May 3, 2022 at 4:53 PM William Roberts > wrote: > On Tue, May 3, 2022 at

KDF_TLS1_PRF for TLS v1.0 and v1.1

Hi, I am using the TLS1_PRF KDF method to derive the master secret for TLS 1.0, 1.1, and 1.2. My code works with TLS 1.2, but for 1.0 and 1.1, the master secret is not correct. I have a snippet of the code below. From what I understand by reading RFC 2246 and RFC 5246, the input to the PRF

Re: EVP_KDF-SSHKDF man page error?

efined simply as > char, but it is essentially correct. > > > Pauli > > On 26/3/22 5:11 am, Kory Hamzeh wrote: >> Hi All, >> >> If you look at the example SSH KDF code here: >> >> https://www.openssl.org/docs/manmaster/man7/EVP_KDF-SSHKDF.html >>

EVP_KDF-SSHKDF man page error?

Hi All, If you look at the example SSH KDF code here: https://www.openssl.org/docs/manmaster/man7/EVP_KDF-SSHKDF.html Specifically, these lines: *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_SSHKDF_TYPE, , sizeof(type)); The variable ‘type’

Re: Source compilation of OpenSSL 3.0

On your build machine, create a staging directory, for example: mkdir /tmp/staging Then run make install like this: make DESTDIR=/tmp/staging install Then copy the files in /tmp/staging to your other machine. Note that you will have to copy the files relative to your —prefix and —openssldir

Re: EVP_PKEY_fromdata_init returns unsupported.

Hi Bill, How are you creating the EVP_PKEY_CTX? Kory > On Feb 25, 2022, at 2:07 PM, William Roberts wrote: > > Hello, > > In openssl 3.0.1 the following code hits the ctx->keymgt is null check > and thus returns -2 > in pmeth_gn.c: > static int fromdata_init(EVP_PKEY_CTX *ctx, int

Replacement fpr FIPS_Digest

Hi, I am working on converting this code to OpenSSL 3 for FIPS-140 KASVS ECDH testing: https://github.com/majek/openssl/blob/master/fips/ecdh/fips_ecdhvs.c The only consequential change I made to the code was replacing the

OpenSSL 3: FIPS DRBG Tests

I am writing the FIPS DRBG AVS per NIST SP800-90A. I have some questions. 1. Is the TEST-RAND ok for nist test? I am planning to basically follow the steps in test/acvp_test.c:drbg_test(), but the data is read in from a file rather than an in memory structure. 2. Some of the test vectors

Re: Openssl 3.0 fipsinstall fails in yocto linux environment

Hi Susan, How did you run Configure? Are you cross compiling? Be default, OpenSSL 3.0.0 builds for /usr/local. Your MUST install it there or use a Configure option if you want to install it somewhere else. Kory > On Nov 9, 2021, at 2:21 PM, Susan Tremel wrote: > > I’ve successfully built

Re: Refactring FIPS_escda_sign() for OpenSSL 3.0.0

params for R and S? Thanks, Kory > On Oct 27, 2021, at 11:04 AM, Kory Hamzeh wrote: > > > Hi, > > I am upgrading some 3RD party code which performs FIPS ECDSA AVS testing for > FIPS 140-2 certification. The code uses FIPS_escda_sign(), which in > Open

Refactring FIPS_escda_sign() for OpenSSL 3.0.0

Hi, I am upgrading some 3RD party code which performs FIPS ECDSA AVS testing for FIPS 140-2 certification. The code uses FIPS_escda_sign(), which in Openssl-fips-2.0.5 is define as: ECDSA_SIG * FIPS_ecdsa_sign(EC_KEY *key, const unsigned char *msg, size_t msglen ,

Re: OpenSSL 3.0 FIPS questions

Actually, if you are running on the same machine that you built OpenSSL, you are fine. I cross-compile and have to do a fipsinstall each time. My apologies. > On Oct 26, 2021, at 12:17 PM, Jason Schultz wrote: > > Thanks for all of the help so far. Unfortunately, I'm still struggling with >

Re: OpenSSL 3.0 FIPS questions

Did you follow the steps in README-FIPS.md and do the “fipsinstall”? > On Oct 26, 2021, at 12:17 PM, Jason Schultz wrote: > > Thanks for all of the help so far. Unfortunately, I'm still struggling with > this. There could be a number of issues, starting with the installation of > OpenSSL. I

Re: OpenSSL 3.0 FIPS questions

One way to do what you want is with two config file, and and in the first line of your main() function, add: putenv(“OPENSSL_CONF=/path/to/your/conf”) depending on whether you want to run in FIPS mode or not. Of course, this only works if FIPS is needed application wide, not on a per

Re: OpenSSL 3.0.0 enabling SSLv3 support

Fair enough. We are not using SSLv3, the code just made reference to the method. I will compile it out. Thanks! > On Oct 5, 2021, at 5:09 PM, Viktor Dukhovni > wrote: > > On Tue, Oct 05, 2021 at 03:49:48PM -0700, Kory Hamzeh wrote: > >> It looks like SSLv3 is

OpenSSL 3.0.0 enabling SSLv3 support

Hi, It looks like SSLv3 is not built by default in OpenSSL 3.0.0. At least SSLv3_method() is not define, and looking at the conditional compilation of that function, it makes sense. What command line option do I pass the Configure script to enable it? I tried enable-sslv3 and enable-SSLv3.

Re: FIPS_selftest_drbg_all()

? > On Sep 28, 2021, at 10:17 AM, Kory Hamzeh wrote: > > Hello, > > For our FIPS 140-2 POST KAT sequence, I use FIPS_selftest_drbg() and > FIPS_selftest_drbg_all() from openssl-fips-2.0.5. I was wondering what would > be the best way to perform the same functionality with OpenS

FIPS_selftest_drbg_all()

Hello, For our FIPS 140-2 POST KAT sequence, I use FIPS_selftest_drbg() and FIPS_selftest_drbg_all() from openssl-fips-2.0.5. I was wondering what would be the best way to perform the same functionality with OpenSSL 3.0.0. Thanks, Kory

Re: OpenSSL 3.0.0 custom entropy source

t;> call RAND_set_seed_source_type() early in your startup sequence. >> >> >> Pauli >> >> On 14/9/21 8:19 am, Kory Hamzeh wrote: >>> Hi, >>> >>> We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I >

OpenSSL 3.0.0 FIPS compatible ECDH-KAS

I have an OpenSSL app which performs ECDH-KAS using openssl-1.0.1g + openssl-fips-2.0.5. It needs to be FIPS compatible. The app was written using the low level ECDH functions similar to what is documented here:

Re: openssl 3.0.0 legacy provider won't lload via config file

; openssl-3.0 with incorrect (default) OPENSSLDIR lying on the system > somewhere? > > Please open an GitHub issue so we can investigate this further. > > Tomas Mraz > > > On Fri, 2021-09-17 at 11:55 -0700, Kory Hamzeh wrote: >> >> >>> On Sep 14, 2021

Re: openssl 3.0.0 legacy provider won't lload via config file

> On Sep 14, 2021, at 12:03 AM, Tomas Mraz wrote: > > On Mon, 2021-09-13 at 16:13 -0700, Kory Hamzeh wrote: >> I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything >> seems to be working fine, except for the fact that I cannot get >> OpenSSL to lo

OpenSSl 3 statically linking a provider

I have written a custom provider which I need to include (link) with my Application at link time rather than load it at run-time. The init function is defined like this: OSSL_provider_init_fn sck_provider_init; int sck_provider_init(const OSSL_CORE_HANDLE *handle, const

openssl 3.0.0 legacy provider won't lload via config file

I have cross-compiled OpenSSL 3.0.0 for the ARMv7. So far, everything seems to be working fine, except for the fact that I cannot get OpenSSL to load the legacy module when I configure /ssl/openssl.cnf as such. I can, however, load the module explicitly at run time. This is a diff of my config

OpenSSL 3.0.0 custom entropy source

Hi, We are upgrading from OpenSSL 1.0.1g+OpenSSL-FIPS-2.0.5 to 3.0.0. Yes, I know, big jump. We have our own entropy source we use to seed the OpenSSL DRBG. This is a basic code snippet of how we set it up: DRBG_CTX *dctx = FIPS_get_default_drbg(); FIPS_drbg_init(dctx,