[openssl.org #2483] X509 conversions
Hi,

I am running an old computer with Debian/GNU 2.2. Please don't tell me to upgrade my computer or my compiler. I can't right now.

I would like to run lynx 2.8.7 with openssl support. It fails to compile with openssl because it calls X509_get_ext_d2i and my presently installed version of openssl (0.9.4-5) seems to be lacking this function. It compiles OK without openssl.

I downloaded the new openssl library and it seems to compile OK with ./config no-asm and a change of the compiler option from -O3 to -O0 (i.e. no optimization); however, on make test, although it passes a lot of the tests, it fails testing X509 conversions.

If you could figure out a fix for me, that would be great. Either with this new openssl library, or maybe an older one that has X509_get_ext_d2i and will work with Lynx 2.8.7.

Attached is the test report.

Thank you,

--
Gordon Talge WB6YKK        e-mail: gtalge AT silcon Dot com
Debian / GNU / Linux - The Choice of the GNU Generation
- Un Honnête Homme - N'Abandonne Pas Son Chien -

OpenSSL self-test report:

OpenSSL version:  1.0.0d
Last change:      Fix parsing of OCSP stapling ClientHello extension. CVE...
Options:          -march=pentium no-asm no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-shared no-store no-zlib no-zlib-dynamic static-engine
OS (uname):       Linux pupper 2.2.19 #1 SMP Wed Aug 21 14:58:25 PDT 2002 i686 unknown
OS (config):      i686-whatever-linux2
Target (default): linux-elf
Target:           linux-elf
Compiler:         gcc version 2.95.2 2220 (Debian GNU/Linux)

Failure!
-
make[1]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d'
making all in crypto...
make[2]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto'
making all in crypto/objects...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/objects'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/objects'
making all in crypto/md4...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/md4'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/md4'
making all in crypto/md5...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/md5'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/md5'
making all in crypto/sha...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/sha'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/sha'
making all in crypto/mdc2...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/mdc2'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/mdc2'
making all in crypto/hmac...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/hmac'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/hmac'
making all in crypto/ripemd...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/ripemd'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/ripemd'
making all in crypto/whrlpool...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/whrlpool'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/whrlpool'
making all in crypto/des...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/des'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/des'
making all in crypto/aes...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/aes'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/aes'
making all in crypto/rc2...
make[3]: Entering directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/rc2'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/home/gtalge/work/openssl/openssl-1.0.0d/crypto/rc2'
making all in crypto/rc4...
make[3]: Entering directory
FIPS and AES NI engine
Hi All,

I need to create a FIPS validated version based on 0.9.8r. This library also needs to utilize the Intel AES instructions. My current plan is to patch in the AESNI engine and then move pertinent logic over into the FIPS Canister.

Is this a reasonable approach to achieve this? Or, is there some issue that I'm not aware of, such as built in engines and FIPS being mutually exclusive?

Thanks in advance,
Pete Beal

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: FIPS and AES NI engine
Peter Beal wrote:
> Hi All,
>
> I need to create a FIPS validated version based on 0.9.8r. This library also needs to utilize the Intel AES instructions. My current plan is to patch in the AESNI engine and then move pertinent logic over into the FIPS Canister.
>
> Is this a reasonable approach to achieve this? Or, is there some issue that I'm not aware of, such as built in engines and FIPS being mutually exclusive?

Since you're obtaining a validation of your own that is really a question for your CMVP accredited test lab. The answer will depend on their interpretation of hybrid in the FIPS 140-2 context (I have a definite opinion but that is irrelevant if your test lab feels differently).

You can't of course make changes to the validated code -- any changes at all -- and still call it validated.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: FIPS and AES NI engine
Hi Steve,

Thanks for the fast reply. So it sounds like I should discuss this with the test lab with which we're working to see what they say.

My time working in OpenSSL can still be counted in weeks, so I'd be very interested in your opinion on this. Either way, it'll help me in proceeding with this technically, help me in discussing this with the test lab, or both.

A few weeks ago, when I first joined this team, I sat in on a gap analysis meeting with the test lab and I do recall something about a hybrid solution being discussed. I'm going to read 140-2 again now, specifically looking for discussion of hybrid solutions.

From a technical perspective, is moving the cipher logic of the AESNI engine over into fipscanister.o even feasible? I'm still a bit confused on the difference between dynamic engines, static engines, and builtin engines and have not yet come across documentation explaining this.

Thanks again,
Pete

On 3/31/11 2:08 PM, Steve Marquess wrote:
> Peter Beal wrote:
>> Hi All,
>>
>> I need to create a FIPS validated version based on 0.9.8r. This library also needs to utilize the Intel AES instructions. My current plan is to patch in the AESNI engine and then move pertinent logic over into the FIPS Canister.
>>
>> Is this a reasonable approach to achieve this? Or, is there some issue that I'm not aware of, such as built in engines and FIPS being mutually exclusive?
>
> Since you're obtaining a validation of your own that is really a question for your CMVP accredited test lab. The answer will depend on their interpretation of hybrid in the FIPS 140-2 context (I have a definite opinion but that is irrelevant if your test lab feels differently).
>
> You can't of course make changes to the validated code -- any changes at all -- and still call it validated.
>
> -Steve M.
RE: [openssl.org #2483] X509 conversions
Some basic ideas in case you haven't already tried them:

> From: owner-openssl-...@openssl.org On Behalf Of Gordon Talge via RT
> Sent: Thursday, 31 March, 2011 03:22
>
> [stuck on] Debian/GNU 2.2 [want] lynx 2.8.7 [needs] X509_get_ext_d2i
>
> I downloaded the new openssl library and it seems to compile OK

new is 1.0.0d? (Best to be exact.)

FWIW the oldest versions I have at hand, namely 0.9.7*, have X509_get_ext_d2i in x509.h, so you might try 8r or even 7m. Of course that isn't the newest code, and if current lynx depends (even at runtime) on more recent capabilities (like unspoofed renegotiation vs 7*) you'll have a problem.

> with ./config no-asm and a change of the compiler option from -O3 to -O0.
> (ie. no optimization), however, on make test,

I'm surprised any -O caused a problem, even on old gcc. But it's not important, -O0 should be correct just slower.

> although it passes a lot of the tests, it fails testing X509 conversions.

Try doing the tested operation(s) 'by hand' to see if you get more (helpful) error information, e.g.:

  $ cd opensslbuild/test
  $ cp testx509.pem fff.p
  $ export LD_LIBRARY_PATH=(as needed if using shlib)
  $ ../apps/openssl x509 -in fff.p -inform p -outform d -out fff.d

See if there's a 'core' file (and make sure you don't have ulimit set to prevent coring)
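The by-hand check suggested in the reply above, packaged as a script so the whole PEM -> DER -> PEM round trip that the "X509 conversions" self-test exercises can be repeated against any build. This is an added example, not code from the thread or from OpenSSL's own test suite. It assumes an openssl binary on PATH, or the build under test selected via the hypothetical OPENSSL environment variable (e.g. OPENSSL=../apps/openssl, with LD_LIBRARY_PATH set for a shared build); the certificate it converts is a throwaway self-signed one generated on the fly, standing in for test/testx509.pem.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL's test suite): repeat
# the "X509 conversions" self-test by hand, PEM -> DER -> PEM, so a failing
# build prints the tool's own error text instead of make's bare "Failure!".
# Assumes an openssl binary on PATH, or OPENSSL=../apps/openssl (assumed
# variable name) pointing at the build under test.
set -u

OPENSSL="${OPENSSL:-openssl}"

# Constructed test input: a throwaway self-signed certificate that stands in
# for test/testx509.pem from the source tree. Prints the path of the PEM file.
make_test_cert() {
    dir="$1"
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=x509-conversion-test \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    echo "$dir/cert.pem"
}

# Round-trip a PEM certificate through DER and back. Returns 0 when the
# re-encoded PEM is byte-identical to openssl's own re-emission of the input,
# 1 on a conversion error or a mismatch. A core file left behind by a crashing
# openssl is reported on stderr (as the reply suggests checking for).
x509_roundtrip() {
    pem="$1"
    work="$(mktemp -d)" || return 1
    cp "$pem" "$work/in.pem" || return 1
    (
        cd "$work" || exit 1
        ulimit -c unlimited 2>/dev/null   # let a crash leave a core file here
        "$OPENSSL" x509 -in in.pem   -inform PEM -outform PEM -out orig.pem &&
        "$OPENSSL" x509 -in in.pem   -inform PEM -outform DER -out cert.der &&
        "$OPENSSL" x509 -in cert.der -inform DER -outform PEM -out back.pem
    )
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "conversion failed (exit $rc); see openssl's errors above" >&2
    elif cmp -s "$work/orig.pem" "$work/back.pem"; then
        rc=0
    else
        echo "PEM -> DER -> PEM round trip changed the certificate" >&2
        rc=1
    fi
    # Core naming depends on the kernel's core_pattern; this covers the default.
    for core in "$work"/core "$work"/core.*; do
        [ -f "$core" ] && echo "core dumped: $core" >&2
    done
    rm -rf "$work"
    return "$rc"
}

# Stand-alone use: sh x509check.sh run
if [ "${1:-}" = run ]; then
    tmp="$(mktemp -d)"
    cert="$(make_test_cert "$tmp")" && x509_roundtrip "$cert" && echo "X509 conversions OK"
    rm -rf "$tmp"
fi
```

Point OPENSSL at the freshly built binary rather than the system one; otherwise the script only tells you whether the distribution's openssl works, which is not the question. A non-zero exit from the x509 commands is the diagnostic the self-test hides, and a mismatch with no error would point at the DER encoder or decoder rather than the parser.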