Re: [openssl-users] Build OpenSSL on SUSE Linux Enterprise Server for z Systems

2017-05-12 Thread Tom Francis
On May 12, 2017, at 5:00 PM, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Thomas Francis, Jr. >> Sent: Friday, May 12, 2017 15:55 >> >>> On 5/10/17 3:55 AM, 共通基盤SSL[業務ID] / COMMONSSL,GYOUMU wrote: >>>

Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).

2015-09-10 Thread Tom Francis
> On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat > wrote: > > Hello all, > > I have a question on FIPS. We have OpenSSL FIPS module integrated with our > product. We have an option to enable/disable FIPS at run time. We are > executing the following openSSL API's

Re: [openssl-users] Call for FIPS 140-2 stakeholders

2015-06-26 Thread Tom Francis
I'm not currently interested in the given platforms, and while I really hope to never be interested again, I can't rule it out. It'd be nice to be able to follow the discussions, without necessarily contributing. But I also understand if those involved don't want to include those in my

Re: [openssl-users] Password based key derivation

2015-04-09 Thread Tom Francis
On Apr 9, 2015, at 3:13 PM, Deepak dpb795...@gmail.com wrote: Hi, Any help on following questions is appreciated. 1) Can the function PKCS5_PBKDF2_HMAC_SHA1() in 0.9.8zf be used to derive a key for AES-256-CBC encryption from user supplied passphrase? Yes. 2) Is

Re: [openssl-users] Is it mandatory to reverse windows signature while doing verification in OpenSSL?

2015-04-01 Thread Tom Francis
If you mean you’re using CryptSignHash(), and are reversing the bytes in the resulting signature, then yes, this is normal. You’ll need to reverse the bytes when verifying the signature with ANY other toolkit/library, including CNG. :) If it’s not too late, you should store the signature with

Re: [openssl-users] FIPS mode uses /dev/urandom ?

2015-03-11 Thread Tom Francis
On Mar 11, 2015, at 11:40 AM, Alberto Roman Linacero aro...@alienvault.com wrote: Dear all, I'm doing an strace to the FIPS validated version of openssl, and I'm seeing that it uses /dev/urandom. I thought that the FIPS validated module always uses /dev/random, isn't this the case, or am

Re: [openssl-users] Testing FIPS mode using 0 randomness

2015-03-02 Thread Tom Francis
On Mar 2, 2015, at 12:18 PM, jonetsu jone...@teksavvy.com wrote: Hello, I tried a simple test to see if FIPS mode would fail, using the example given in the FIPS user guide 2.0. The test consisted of replacing the /dev/random and /dev/urandom with /dev/zero. I would have expected

Re: [openssl-users] FIPSLD 2.0.5 (HP-UX AI64 11.23) fails to link with pthread error

2015-03-02 Thread Tom Francis
, if the error is not from invoking fips_premain_dso, then something else is wrong, and I’d suggest opening a support case with HP. TOM -Mrunal On Wed, Feb 25, 2015 at 8:31 AM, Tom Francis thomas.francis...@pobox.com wrote: Have you tried changing FIPSLD_CC and FIPSLD_LINK to include

Re: [openssl-users] FIPSLD 2.0.5 (HP-UX AI64 11.23) fails to link with pthread error

2015-02-24 Thread Tom Francis
Have you tried changing FIPSLD_CC and FIPSLD_LINK to include the necessary options (e.g. -mt)? Note: it might be simpler to modify fipsld instead, depending on how easy/hard it is to maintain spaces properly when setting FIPSLD_CC and FIPSLD_LINK. Since the fipsld script is just a

Re: [openssl-users] FIPS methods and symlinks

2015-02-24 Thread Tom Francis
On Feb 24, 2015, at 9:42 PM, jone...@teksavvy.com wrote: On Tue, 24 Feb 2015 16:16:17 + Dr. Stephen Henson st...@openssl.org wrote: On Tue, Feb 24, 2015, jonetsu wrote: Hello, To grasp how FIPS methods are called, and following one method as an example, HMAC_Update() in

Re: [openssl-users] The evolution of the 'master' branch

2015-02-10 Thread Tom Francis
I think Jakob’s real concern (as expressed to me off-list a month or so ago) is that OpenSSL’s libcrypto will become entirely hidden. I found several of his comments confusing until he mentioned that. So, I think the fair question to be asking is: Is there any plan to make libcrypto go

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Tom Francis
On Jan 28, 2015, at 8:47 AM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, Jan 28, 2015, jone...@teksavvy.com wrote: On Mon, 26 Jan 2015 22:35:12 -0500 Tom Francis thomas.francis...@pobox.com wrote: Thanks for the detailed comments. I understand the concerns, although there's

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-26 Thread Tom Francis
On Jan 26, 2015, at 6:21 PM, jone...@teksavvy.com wrote: On Fri, 16 Jan 2015 10:16:48 -0500 Steve Marquess marqu...@openssl.com wrote: On 01/15/2015 05:52 AM, Marcus Meissner wrote: On Linux usually triggered by /proc/sys/crypto/fips_enabled containing 1 or the environment variable

Re: [openssl-users] FIPS JCE cryptographic modules usage with Openssl-1.0.1j and openssl-fips-2.0.7

2015-01-21 Thread Tom Francis
On Jan 21, 2015, at 8:09 AM, Philip Bellino pbell...@mrv.com wrote: Hello, I apologize if this is not the correct forum for my questions, so here goes. 1. Are the RSA JSafeJCE and the IBM’ IBMJESFIPS cryptographic modules being used widely against Openssl in FIPS mode? In

Re: [openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

2015-01-20 Thread Tom Francis
On Jan 20, 2015, at 3:00 PM, Nou Dadoun ndad...@teradici.com wrote: Thanks for the clarification, a couple of short questions - We already have a shim to index into the function table that gets loaded after run-time selecting from the 0.9.8 FIPS vs non-FIPS dll to use. I imagined

Re: [openssl-users] EVP_DigestVerifyFinal return code?

2015-01-15 Thread Tom Francis
On Jan 15, 2015, at 3:41 AM, Jeffrey Walton noloa...@gmail.com wrote: According to the man pages on EVP_DigestVerifyFinal (https://www.openssl.org/docs/crypto/EVP_DigestVerifyInit.html): EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate() return 1 for success and 0 or a negative

Re: EVP_verify APIs

2014-10-27 Thread Tom Francis
On Oct 27, 2014, at 4:33 AM, Gayathri Manoj gayathri.an...@gmail.com wrote: Hi All, How can I replace RSA_public_decrypt() with EVP_Verify*(). I wanted to replace the below api with EVP_verify*() RSA_public_decrypt(Len, SgnData, dBuffer, rsa_pub_key, RSA_PKCS1_PADDING); You’d

Re: Symmetrical encryption in FIPS mode?

2014-10-02 Thread Tom Francis
Your assumption is incorrect. Note that when you use the FIPS module, that you should not attempt to use the FIPS module directly — instead, you build a separate version of OpenSSL that uses the FIPS module (after building the FIPS module). You then link the new libcrypto (and libssl if you

Re: openssl-0.9.8za fips compliance

2014-08-08 Thread Tom Francis
Use of -no-ec when building the FIPS capable openssl doesn’t affect the FIPS module at all, and therefore doesn’t affect any statements you can make regarding FIPS 140 compliance. The -no-ec option will prevent elliptic curve cryptography from being used in OpenSSL when NOT using the FIPS

Re: Making Open SSH FIPS compliant

2014-07-16 Thread Tom Francis
You might want to start by reading the OpenSSL FIPS Users Guide. Then go read FIPS 140-2, and then read the user’s guide again. In this case “FIPS” is short for “Federal Information Processing Standard Publication 140-2”, and that standard is the controlling document (for now, 140-3 should be

Re: solaris-x86-cc or solaris-x86-gcc via MACHINE and SYSTEM exports

2014-07-11 Thread Tom Francis
You should be setting the KERNEL_BITS environment variable. That works for several platforms, including Solaris x86 (although others default to 32, and you need to set it to 64 to get a 64-bit build). As an alternative, (if you’re not building the FIPS module) if you know which build

Re: Reg. type of certificate - CA / EE based on X509_check_ca().

2014-07-07 Thread Tom Francis
On Jul 7, 2014, at 5:40 AM, Sanjaya Joshi joshi.sanj...@gmail.com wrote: Hello, My application uses openssl 1.0.0, and it uses X509_check_ca() to find out if an X509 certificate is a CA certificate, or an End-entity (EE) certificate. The below are the possible return codes.

Re: Where is PKCS7_free defined?

2014-05-26 Thread Tom Francis
On May 25, 2014, at 10:15 AM, Han Sooloo hansoo...@gmail.com wrote: Trying to understand how the crl2p7.c application allocates PKCS7 pointers. I see the PKCS7_new() function and it makes sense. However, I cannot find the definition of PKCS7_free(). The only place it shows up is in

Re: encrypt - salt

2014-05-16 Thread Tom Francis
On May 16, 2014, at 4:14 AM, Hooman Fazaeli hoomanfaza...@gmail.com wrote: On 5/16/2014 2:15 AM, Dave Thompson wrote: EVP_BytesToKey implements (a tweak on) the original PKCS#5, which derived a key and IV by iterated hashing of a (reusable but secret) password with random (i.e. unique)

Re: [1.0.1] Nested CMS structures

2014-05-05 Thread Tom Francis
On May 3, 2014, at 2:41 PM, Kevin Le Gouguec kevin.le-goug...@insa-lyon.fr wrote: Using asn1parse, I got this: 0:d=0 hl=4 l=3980 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT:pkcs7-envelopedData 15:d=1 hl=4 l=3965 cons: cont [ 0 ] 19:d=2 hl=4

Re: [1.0.1] Nested CMS structures

2014-05-03 Thread Tom Francis
On May 2, 2014, at 3:19 AM, Kevin Le Gouguec kevin.le-goug...@insa-lyon.fr wrote: (tl;dr : see questions at the end) I'm trying to build nested CMS structures, as in, having a file F, a signer S and a recipient R, I want to build a CMS-compliant message M which looks like: M =

Re: Java and C/OpenSSL

2014-04-26 Thread Tom Francis
On Apr 26, 2014, at 6:25 PM, Anant Rao a...@noknok.com wrote: Hi, I see the doc. But, I'm afraid to say my question is still unanswered. Is this function (PKCS5_PBKDF2_HMAC) supposed to generate same or diff output over multiple calls with the same input? I see the latter and I want

Re: How to include intermediate in pkcs12?

2014-04-24 Thread Tom Francis
On Apr 24, 2014, at 8:21 AM, Edward Ned Harvey (openssl) open...@nedharvey.com wrote: From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Dave Thompson - the truststore if -CAfile and/or -CApath specified IF NEEDED Thank you very much for your

Re: CRL generating server, not from command line

2014-03-19 Thread Tom Francis
On Mar 18, 2014, at 2:19 PM, Clesmon University www.clemson@gmail.com wrote: Hello: What I can find online or in book Network security with OpenSSL is using command line to generate a CRL. However, what I want to do is to let my server receive a serial number from outside interface