FIPS object module

2012-02-17 Thread Alex Chen
From what I saw on the OpenSSL site and in the user guide, the FIPS object module is 
only compatible with OpenSSL 0.9.8, not 1.0.  Is that still valid?  Does that 
mean I cannot use that module with OpenSSL 1.0?
The FIPS 140 certification number 1051 is for a source code module and from what 
I understand it has to be built without any changes.  If we need to build it in 
64-bit mode, does the build script support that?
How about building it on Windows?  Does it also have a batch file to build on 
Windows, and for 64-bit, too?

Any help is appreciated.

Alex



Is it a bug in the 'openssl verify' command?

2011-04-30 Thread Alex Chen
I was using the 'openssl verify' command on a corrupted pem file.  
Although I got the correct response from the console saying it could not 
load the certificate, the process terminated with exit code 0, i.e. 
regardless of whether the 'openssl verify' command succeeds or not, it 
always exits 0.
Further debugging into the source code of 'verify.c', I found the 
following code:


int MAIN(int argc, char **argv)
{
    ENGINE *e = NULL;
    int i,ret=1, badarg = 0;
    .
    .

    if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
    else
        for (i=0; i<argc; i++)
            check(cert_ctx, argv[i], untrusted, trusted, crls, e);
    .
    .
    if (i > 0)
    {
        fprintf(stdout,"OK\n");
        ret=1;
    }
    .
}

The 'MAIN' function does not check the return value of check(), 
therefore it always returns 0.

Is this a bug?

People can use the 'openssl' command in a script and rely on the correct 
return value to proceed.  This problem can lead to incorrect script 
execution.



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
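
An added example, not part of the original post and not OpenSSL's own code: a fail-closed shell wrapper for scripts that cannot rely on the exit status described above. `OPENSSL_BIN`, `strict_verify`, `strict_verify_all` and the stub `fake_openssl_exit0` are names assumed for this example, and the stub's output is constructed.

```shell
#!/bin/sh
# Added example. OPENSSL_BIN, strict_verify and strict_verify_all are names
# chosen here; they are not part of OpenSSL.
OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# strict_verify CERT [verify options...]
# Succeeds only if the command exits 0 AND its complete output (stdout and
# stderr together) is exactly "<CERT>: OK". Anything else fails closed.
strict_verify() {
    cert=$1
    shift
    out=$("$OPENSSL_BIN" verify "$@" "$cert" 2>&1) || return 1
    [ "$out" = "$cert: OK" ]
}

# strict_verify_all CERT...
# Checks every file and reports failure if any single one failed, which is
# the per-file result the loop quoted in the post throws away.
strict_verify_all() {
    failed=0
    for c in "$@"; do
        if ! strict_verify "$c"; then
            printf 'verification failed: %s\n' "$c" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Constructed stand-in for the behaviour reported in the post: it prints a
# load failure for corrupted.pem but still exits 0.
fake_openssl_exit0() {
    shift                                   # drop the "verify" subcommand
    for f in "$@"; do :; done               # last argument is the file
    case $f in
        corrupted.pem) echo "unable to load certificate" >&2 ;;
        *)             echo "$f: OK" ;;
    esac
    return 0
}
```

Setting `OPENSSL_BIN=fake_openssl_exit0` exercises the wrapper without an OpenSSL install; left unset, it calls the real `openssl` binary.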

