How to invoke Incore's cross compile aware routines?
Hi All,

I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an Android environment with cross compilation. Both the FIPS Object Module and FIPS Capable library built and installed without much effort.

I'm trying to build a simple command line application which statically links to the OpenSSL library (libcrypto.a). The application builds fine from the command line, and calls FIPS_mode() and FIPS_mode_set() (with some printf's) to exercise the OpenSSL library:

    $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe /usr/local/ssl/android-14/lib/libcrypto.a

Unfortunately, using legacy Incore (i.e., $FIPS_SIG -exe my app) results in nothing. An MD5 sum before and after shows the fingerprint was not written. The non-write can be traced back to incore, around line 440:

    $fingerprint = FIPS_incore_fingerprint();
    if ($legacy_mode) {
        print unpack("H*",$fingerprint);
    } else {
        seek(FD,$FINGERPRINT_ascii_value->{st_offset},0) or die $!;
        print FD unpack("H*",$fingerprint) or die $!;
    }

Trying to use the non-legacy support (by omitting -exe or -dso) results in a Die on the lookup at line 385:

    $FINGERPRINT_ascii_value = $exe->Lookup("FINGERPRINT_ascii_value") or die;

But I have the other required symbols (FIPS_text_endX and FIPS_text_startX):

    $ arm-linux-androideabi-nm fips-test.exe | grep FIPS_text
    00048844 T FIPS_text_end
    0004883c t FIPS_text_endX
    95e8 T FIPS_text_start
    95e0 t FIPS_text_startX

How does one invoke the new support to ensure that incore writes the fingerprint? What is the procedure to bring in the missing symbols (or allocate storage for them)?

Jeff

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: How to invoke Incore's cross compile aware routines?
On Sat, Jun 22, 2013, Jeffrey Walton wrote:

> Hi All, I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an Android environment with cross compilation. Both the FIPS Object Module and FIPS Capable library built and installed without much effort.
>
> I'm trying to build a simple command line application which statically links to the OpenSSL library (libcrypto.a). The application builds fine from the command line, and calls FIPS_mode() and FIPS_mode_set() (with some printf's) to exercise the OpenSSL library:
>
> $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe /usr/local/ssl/android-14/lib/libcrypto.a

You use the fipsld script to link the application. If you set FIPS_CC and FIPS_SIG appropriately it should just work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: How to invoke Incore's cross compile aware routines?
On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson st...@openssl.org wrote:

> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> Hi All, I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an Android environment with cross compilation. Both the FIPS Object Module and FIPS Capable library built and installed without much effort.
>> ...
>> $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe /usr/local/ssl/android-14/lib/libcrypto.a
>
> You use the fipsld script to link the application. If you set FIPS_CC and FIPS_SIG appropriately it should just work.

Thanks Doctor. How do we make fipsld SYSROOT aware?

    $ arm-linux-androideabi-gcc --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include -c fips-test.c
    $
    $ /usr/local/ssl/android-14/bin/fipsld fips-test.o /usr/local/ssl/android-14/lib/libcrypto.a -o fips-test.exe
    In file included from /usr/local/ssl/android-14/bin/../lib/fips_premain.c:7:0:
    /opt/android-ndk-r8e/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/../lib/gcc/arm-linux-androideabi/4.6/include-fixed/stdio.h:50:23: fatal error: sys/cdefs.h: No such file or directory
    $

Or can we link directly against fips_premain.c and use `incore program` to invoke the new cross compiler (i.e., not the legacy `incore -exe program`)?

Jeff
Re: How to invoke Incore's cross compile aware routines?
On Sat, Jun 22, 2013, Jeffrey Walton wrote:

> On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson st...@openssl.org wrote:
>
>> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>>
>>> Hi All, I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an Android environment with cross compilation. Both the FIPS Object Module and FIPS Capable library built and installed without much effort.
>>> ...
>>> $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe /usr/local/ssl/android-14/lib/libcrypto.a
>>
>> You use the fipsld script to link the application. If you set FIPS_CC and FIPS_SIG appropriately it should just work.
>
> Thanks Doctor. How do we make fipsld SYSROOT aware?

You just pass the appropriate command line options to fipsld and it should pass them to the compiler.

In fact if you replace arm-linux-androideabi-gcc with fipsld in your example it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Installing openssl-devel-1.0.1e
After wasting 9 hours, I tried

    yum --enablerepo=axivo install openssl-devel

and that's all!

--
View this message in context: http://openssl.6102.n7.nabble.com/Installing-openssl-devel-1-0-1e-tp45647p45671.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Any issue in these instruction?
    openssl ecparam -name secp160r2 -out CA_CURVE.pem
    openssl req -out cacert.pem -new -x509 -keyout cakey.pem -newkey ec:CA_CURVE.pem -nodes -days 600 -sha1
    openssl req -new -out TMPFILE.req -newkey ec:CA_CURVE.pem -keyout TMPFILE.key -nodes -sha1
    openssl x509 -req -CAkey cakey.pem -CA cacert.pem -CAcreateserial -in TMPFILE.req -out TMPFILE.crt -days 600 -sha1

Any problem here?

--
View this message in context: http://openssl.6102.n7.nabble.com/Any-issue-in-these-instruction-tp45673.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: How to invoke Incore's cross compile aware routines?
On Sat, Jun 22, 2013 at 4:24 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>
>> On Sat, Jun 22, 2013 at 6:57 AM, Dr. Stephen Henson st...@openssl.org wrote:
>>
>>> On Sat, Jun 22, 2013, Jeffrey Walton wrote:
>>>
>>>> Hi All, I'm using openssl-fips-2.0.4 and openssl-1.0.1e. I'm working in an Android environment with cross compilation. Both the FIPS Object Module and FIPS Capable library built and installed without much effort.
>>>> ...
>>>> $ arm-linux-androideabi-gcc -Os -g2 --sysroot=$ANDROID_SYSROOT -I/usr/local/ssl/android-14/include fips-test.c -o fips-test.exe /usr/local/ssl/android-14/lib/libcrypto.a
>>>
>>> You use the fipsld script to link the application. If you set FIPS_CC and FIPS_SIG appropriately it should just work.
>>
>> Thanks Doctor. How do we make fipsld SYSROOT aware?
>
> You just pass the appropriate command line options to fipsld and it should pass them to the compiler.

Beautiful, thanks Doctor.

> In fact if you replace arm-linux-androideabi-gcc with fipsld in your example it should work.

Yeah, I think that showed up after the shell expanded FIPSLD_CC.

I need your opinion. When working from a script that sets the environment, would you recommend setting FIPSLD=... for the user? Then in the documentation:

    $ $FIPSLD --sysroot=$ANDROID_SYSROOT ...

Setting FIPSLD is consistent with setting FIPS_SIG and FIPSLD_CC. (I'm a big fan of consistency).

Jeff
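The link step discussed in this thread, as an added example that is not part of any poster's message or of the OpenSSL scripts: a wrapper that refuses to run unless FIPSLD_CC, FIPS_SIG and the sysroot are set, passes --sysroot through fipsld, and then confirms the output defines the FINGERPRINT_ascii_value symbol that incore looks up. The names fips_link, has_fingerprint_symbol and NM are hypothetical, FIPSLD follows the variable proposed above, and the nm check assumes an unstripped binary.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSL's scripts).
# Assumed names: NM (cross nm), fips_link, has_fingerprint_symbol.
# FIPSLD_CC and FIPS_SIG must also be exported so fipsld can read them.

# Succeeds only if the binary defines the symbol incore looks up.
has_fingerprint_symbol() {
    "${NM:-arm-linux-androideabi-nm}" "$1" 2>/dev/null |
        grep -q ' FINGERPRINT_ascii_value$'
}

# Usage: fips_link OUTPUT OBJECTS_AND_LIBS...
# Returns 2 on a bad environment, 1 if the link fails,
# 3 if the linked file has no fingerprint storage.
fips_link() {
    out=$1; shift
    for v in FIPSLD FIPSLD_CC FIPS_SIG ANDROID_SYSROOT; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "fips_link: $v is not set" >&2; return 2; }
    done
    [ -d "$ANDROID_SYSROOT" ] || {
        echo "fips_link: no sysroot at $ANDROID_SYSROOT" >&2
        return 2
    }
    # fipsld forwards its options to $FIPSLD_CC, so --sysroot is given here;
    # without it fips_premain.c cannot find the target headers.
    "$FIPSLD" --sysroot="$ANDROID_SYSROOT" "$@" -o "$out" || return 1
    has_fingerprint_symbol "$out" || {
        echo "fips_link: $out lacks FINGERPRINT_ascii_value" >&2
        return 3
    }
}
```

A return code of 3 corresponds to the situation in the first message, where the binary was linked with the compiler directly and incore had nowhere to write the fingerprint.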
Re: PKCS#1 key vs PKCS#8...
Remove

On Jun 5, 2013 9:08 AM, Dr. Stephen Henson st...@openssl.org wrote:

> On Tue, Jun 04, 2013, sanjaya joshi wrote:
>
>> Hello, I am using strongswan(v_4.5.3) for ipsec, that uses my X509 certificate and RSA private key. If I use RSA private key(un-encrypted) that is PKCS#8 encoded, then strongswan is not able to load the key. But it works, if I use a traditional PKCS#1 encoded RSA key.
>
> That's strange. If it uses the standard PEM routines to read in a private key OpenSSL should transparently handle PKCS#8 format.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org