How to invoke Incore's cross compile aware routines?

2013-06-22 Thread Jeffrey Walton
Hi All,

I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
Android environment with cross compilation. Both the FIPS Object
Module and FIPS Capable library built and installed without much
effort.

I'm trying to build a simple command line application which statically
links to the OpenSSL library (libcrypto.a). The application builds
fine from the command line, and calls FIPS_mode() and FIPS_mode_set()
(with some printf's) to exercise the OpenSSL library:

$ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT
-I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe
/usr/local/ssl/android-14/lib/libcrypto.a

Unfortunately, using legacy Incore (i.e., $FIPS_SIG -exe my app)
results in nothing. An MD5 sum before and after shows the fingerprint
was not written. The non-write can be traced back to incore, around
line 440:

$fingerprint = FIPS_incore_fingerprint();
if ($legacy_mode) {
    print unpack("H*",$fingerprint);
} else {
    seek(FD,$FINGERPRINT_ascii_value->{st_offset},0) or die $!;
    print FD unpack("H*",$fingerprint) or die $!;
}

Trying to use the non-legacy support (by omitting -exe or -dso)
results in a Die on the lookup at line 385:

$FINGERPRINT_ascii_value
    = $exe->Lookup("FINGERPRINT_ascii_value") or die;

But I have the other required symbols (FIPS_text_endX and FIPS_text_startX):

$ arm-linux-androideabi-nm fips-test.exe | grep FIPS_text
00048844 T FIPS_text_end
0004883c t FIPS_text_endX
95e8 T FIPS_text_start
95e0 t FIPS_text_startX

How does one invoke the new support to ensure that incore writes the
fingerprint? What is the procedure to bring in the missing symbols (or
allocate storage for them)?

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: How to invoke Incore's cross compile aware routines?

2013-06-22 Thread Dr. Stephen Henson
On Sat, Jun 22, 2013, Jeffrey Walton wrote:

> Hi All,
>
> I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
> Android environment with cross compilation. Both the FIPS Object
> Module and FIPS Capable library built and installed without much
> effort.
>
> I'm trying to build a simple command line application which statically
> links to the OpenSSL library (libcrypto.a). The application builds
> fine from the command line, and calls FIPS_mode() and FIPS_mode_set()
> (with some printf's) to exercise the OpenSSL library:
>
> $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT
> -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe
> /usr/local/ssl/android-14/lib/libcrypto.a

You use the fipsld script to link the application. If you set FIPS_CC and
FIPS_SIG appropriately it should just work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: How to invoke Incore's cross compile aware routines?

2013-06-22 Thread Jeffrey Walton
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
> > Hi All,
> >
> > I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
> > Android environment with cross compilation. Both the FIPS Object
> > Module and FIPS Capable library built and installed without much
> > effort.
> >
> > ...
> > $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT
> > -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe
> > /usr/local/ssl/android-14/lib/libcrypto.a
>
> You use the fipsld script to link the application. If you set FIPS_CC and
> FIPS_SIG appropriately it should just work.

Thanks Doctor.

How do we make fipsld SYSROOT aware?

$ arm-linux-androideabi-gcc --sysroot=$ANDROID_SYSROOT
-I/usr/local/ssl/android-14/include -c fips-test.c
$
$ /usr/local/ssl/android-14/bin/fipsld fips-test.o
/usr/local/ssl/android-14/lib/libcrypto.a -o fips-test.exe
In file included from /usr/local/ssl/android-14/bin/../lib/fips_premain.c:7:0:
/opt/android-ndk-r8e/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/../lib/gcc/arm-linux-androideabi/4.6/include-fixed/stdio.h:50:23:
fatal error: sys/cdefs.h: No such file or directory
$

Or can we link directly against fips_premain.c and use `incore
program` to invoke the new cross compiler (i.e., not the legacy
`incore -exe program`).

Jeff


Re: How to invoke Incore's cross compile aware routines?

2013-06-22 Thread Dr. Stephen Henson
On Sat, Jun 22, 2013, Jeffrey Walton wrote:

> On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > On Sat, Jun 22, 2013, Jeffrey Walton wrote:
> >
> > > Hi All,
> > >
> > > I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
> > > Android environment with cross compilation. Both the FIPS Object
> > > Module and FIPS Capable library built and installed without much
> > > effort.
> > >
> > > ...
> > > $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT
> > > -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe
> > > /usr/local/ssl/android-14/lib/libcrypto.a
> >
> > You use the fipsld script to link the application. If you set FIPS_CC and
> > FIPS_SIG appropriately it should just work.
>
> Thanks Doctor.
>
> How do we make fipsld SYSROOT aware?

You just pass the appropriate command line options to fipsld and it should
pass them to the compiler. In fact if you replace arm-linux-androideabi-gcc
with fipsld in your example it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
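
A pre-flight check for the failure discussed in this thread, added here as an example; it is not from the posts or from the OpenSSL scripts. It reads `nm` output and reports which of the symbols named in the thread are absent, so a binary that was linked directly with gcc is caught before incore dies on the lookup. The function names, the sample data and the address given to FINGERPRINT_ascii_value are constructed, and it assumes that linking through fipsld is what supplies that symbol.

```shell
#!/bin/sh
# Symbols the thread names as looked up by incore in non-legacy mode.
INCORE_SYMBOLS="FIPS_text_startX FIPS_text_endX FINGERPRINT_ascii_value"

# Read `nm` output on stdin and print each required symbol that is absent.
# Exit status is 0 when every symbol is defined, 1 otherwise.
missing_incore_symbols() {
    awk -v want="$INCORE_SYMBOLS" '
        BEGIN { n = split(want, names, " ") }
        # Defined symbols have three fields: address, type, name.
        # Undefined ones ("U name") have two and do not count as present.
        NF == 3 { seen[$3] = 1 }
        END {
            rc = 0
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) { print names[i]; rc = 1 }
            exit rc
        }'
}

# Constructed sample: the nm lines quoted in the first message (direct gcc link).
NM_DIRECT_LINK='00048844 T FIPS_text_end
0004883c t FIPS_text_endX
95e8 T FIPS_text_start
95e0 t FIPS_text_startX'

# Constructed sample: the same listing plus the fingerprint symbol
# (assumed result of a fipsld link; the address is made up).
NM_FIPSLD_LINK="$NM_DIRECT_LINK
0005a000 R FINGERPRINT_ascii_value"

# $1 = nm output text; prints "ok" or the list of missing symbols.
preflight() {
    if missing=$(printf '%s\n' "$1" | missing_incore_symbols); then
        echo "ok"
    else
        echo "missing:" $missing
    fi
}

# Against a real build (toolchain and file name as used in the thread):
#   arm-linux-androideabi-nm fips-test.exe | missing_incore_symbols
```
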


Re: Installing openssl-devel-1.0.1e

2013-06-22 Thread mehroz
After wasting 9 hours, I tried

yum --enablerepo=axivo install openssl-devel

and that's all!



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Installing-openssl-devel-1-0-1e-tp45647p45671.html


Any issue in these instruction?

2013-06-22 Thread mehroz
openssl ecparam -name secp160r2 -out CA_CURVE.pem

openssl req -out cacert.pem -new -x509 -keyout cakey.pem -newkey
ec:CA_CURVE.pem -nodes -days 600 -sha1

openssl req -new -out TMPFILE.req -newkey ec:CA_CURVE.pem -keyout
TMPFILE.key -nodes -sha1

openssl x509 -req -CAkey cakey.pem -CA cacert.pem -CAcreateserial -in
TMPFILE.req -out TMPFILE.crt -days 600 -sha1

Any problem here?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Any-issue-in-these-instruction-tp45673.html


Re: How to invoke Incore's cross compile aware routines?

2013-06-22 Thread Jeffrey Walton
On Sat, Jun 22, 2013 at 4:24 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
> > On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > > On Sat, Jun 22, 2013, Jeffrey Walton wrote:
> > >
> > > > Hi All,
> > > >
> > > > I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an
> > > > Android environment with cross compilation. Both the FIPS Object
> > > > Module and FIPS Capable library built and installed without much
> > > > effort.
> > > >
> > > > ...
> > > > $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT
> > > > -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe
> > > > /usr/local/ssl/android-14/lib/libcrypto.a
> > >
> > > You use the fipsld script to link the application. If you set FIPS_CC and
> > > FIPS_SIG appropriately it should just work.
> >
> > Thanks Doctor.
> >
> > How do we make fipsld SYSROOT aware?
>
> You just pass the appropriate command line options to fipsld and it should
> pass them to the compiler.

Beautiful, thanks Doctor.

> In fact if you replace arm-linux-androideabi-gcc
> with fipsld in your example it should work.

Yeah, I think that showed up after the shell expanded FIPSLD_CC.

I need your opinion. When working from a script that sets the
environment, would you recommend setting FIPSLD=... for the user.
Then in the documentation:

$ $FIPSLD --sysroot=$ANDROID_SYSROOT ...

Setting FIPSLD is consistent with setting FIPS_SIG and FIPSLD_CC. (I'm
a big fan of consistency).

Jeff


Re: PKCS#1 key vs PKCS#8...

2013-06-22 Thread mike pilato
Remove

On Jun 5, 2013 9:08 AM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Tue, Jun 04, 2013, sanjaya joshi wrote:
>
> > Hello,
> > I am using strongswan(v_4.5.3) for ipsec, that uses my X509 certificate
> > and RSA private key.
> > If I use RSA private key(un-encrypted) that is PKCS#8 encoded, then
> > strongswan is not able to load the key. But it works, if I use a
> > traditional PKCS#1 encoded RSA key.
>
> That's strange. If it uses the standard PEM routines to read in a private
> key OpenSSL should transparently handle PKCS#8 format.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org