Re: Can RSA PSS-R be done simply with OpenSSL?
There is example code for doing RSA PSS with OpenSSL at https://www.idrix.fr/Root/Samples/openssl_pss_signature.c On Tue, May 12, 2020 at 11:59 AM John McCabe wrote: > Hi, > I've searched around, but found nothing that appears to help. > > I'm developing some software where I may be given a file that's been > created (signed) by using the Crypto++ library's implementation of RSA > PSS-R, with a SHA1 hash. As I understand it, the complete file contents > then effectively becomes the signature, and the receiving end needs to > recover the original file contents and verify its signature. > > Is the receiving end something I can do with OpenSSL? I have a need to use > OpenSSL features in the software I'm developing so, if possible, I'd rather > avoid having to include Crypto++ in it! > > Any pointers would be gratefully appreciated. For what it's worth, this is > something I'm fairly new to so, if what I'm asking isn't clear, or if it > sounds like I have some concepts wrong, please let me know gently ;-) > > Many thanks > John >
Re: Usage of Secure C (memcpy_s, strcpy_s etc) functions on OpenSSL
Unless buffer is a char* instead of a char[] in which case its completely wrong. A very common case among buggy C code. On Wed, Nov 27, 2019 at 7:09 AM Phillip Susi wrote: > > Michael Wojcik writes: > > > Some C experts have argued that the length-checking versions of the > library functions, either the C90 ones such as strncat or the Appendix K > ones, are essentially pointless anyway; that the caller needs to handle > truncation and so ought to know whether truncation (or overflow) would > occur before attempting the operation. > > Isn't this normally/easilly handled simply by passing sizeof( buffer ) - > 1? Then the last byte is always \0 whether or not the copy was truncated. >
Re: Trying to use a ((constructor)) to force libcrypto.so into FIPS mode
Assuming your OpenSSL library is already FIPS capable you need to build and
link with the FIPS container library enable the integrity check in your app.
Details are in section C.1 of the FIPS user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
On Thu, Jun 6, 2019 at 2:34 PM Larry Jordan via openssl-users <
openssl-users@openssl.org> wrote:
> Re: openssl-1.0.2r
>
> Re: openssl-fips-2.0.16
>
> OS: Linux Mint 19.1 (Ubuntu)
>
>
>
> I have added a shared library initializer function to cryptlib.c to force
> OpenSSL into FIPS mode, without requiring a “module operator” to directly
> initiate (i.e. call FIPS_mode_set(1)).
>
>
>
> void __attribute__((constructor)) ForceFIPSModeOn()
>
> {
>
>FIPS_mode_set(1);
>
>FIPS_selftest_check();
>
> }
>
>
>
> The build fails shortly after creating the executable ‘fips_premain_dso’.
>
>
>
> fips.c(140): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST
> FAILURE
>
> Aborted (core dumped)
>
>
>
> I traced the problem to a failed FIPS_check_incore_fingerprint call. The
> embedded signature appears uninitialized:
>
>
>
> Starting FIPS_selftest
> fips: 00 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> imem: 33 53 e6 29 f6 eb df f3 d0 23 e9 7c 39 84 91 e0 3f 32 83 b2
> failed FIPS_check_incore_fingerprint
>
>
>
> I am at a loss to explain what is happening. Is my initializer running
> before the embedded sig is loaded? Or is there another issue.
>
>
>
> If I remove the call to FIPS_selftest_check(), the link completes, but the
> selftest still fails, when it is initiated from the initializer. A “module
> operator” can still use the libcrypto.so services, because all subsequent
> selftests pass.
>
>
>
> How can I get my module initializer to pass the selftest?
>
>
>
> Sent from Mail for
> Windows 10
>
>
>
