Re: Openssl Fips Shared Library
Is this openssl fips 1.1.2 module generate position independent code ? If so then i can inappropriate it in shared library generated by openssl 0.9.7m

Thanks
Joshi

On Thu, Sep 18, 2008 at 11:18 PM, joshi chandra <[EMAIL PROTECTED]> wrote:

> when i have used shared option in the ./Configure , i was able to compile the
> openssl 0.9.7m successfully
> but when i tested the fips function in the test folder ,that time it was
> producing the error message and when i removed shared option by no-shared
> option in the ./Configure command in the openssl 0.9.7m,
> all the fips function in the test folder was successfully executed , is this
> because of the linking problem
>
> The error message was
>
> ./fips_test_suite
> >> FIPS-mode test application
> >>
> >> 1. Non-Approved cryptographic operation test...
> >> a. Included algorithm (D-H)...successful
> >> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
> >> 2. Automatic power-up self test...FAILED!
>
> Can you please tell me is the shared library is possible for openssl 0.9.7m
> which is using the openssl fips 1.1.2 module
>
> can u please explain this statement 'If it does consist of position independent
> code then you can incorporate it into a shared library just like any
> other object module, subject of course to the "fipsld" linking to set
> the in-core hash.'
>
> How to link fipsld to in-core hash
>
> Thanks in Advance
> Joshi Chandran
>
> Steve Marquess wrote:
> >
> > Carlo Milono wrote:
> >> How curious that this topic would come up today as I had a discussion on
> >> it just two days earlier.
> >> The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
> >>
> >> "The FIPS Object Module is not a static library. It may be incorporated
> >> into shared library files or runtime executable application files, but
> >> in any event can only be incorporated intact and in its entirety."
> >>
> >> This was leading me to believe that we could use this in a shared
> >> library mode; perhaps we need to understand the boundaries of what may
> >> be included in a shared library?
> >>
> >> How can we interpret the above quote?
> >
> > The FIPS Object Module is just that, an object module (fipscanister.o).
> > For v1.1.x it may or may not consist of position independent code,
> > depending on the platform. If it does consist of position independent
> > code then you can incorporate it into a shared library just like any
> > other object module, subject of course to the "fipsld" linking to set
> > the in-core hash.
> >
> > If it isn't position independent, then you're out of luck as the
> > Security Policy rules don't allow you to modify the build-time parameters.
> >
> > For v1.2 the FIPS Object Module is always generated as position
> > independent code. The corresponding "FIPS capable" OpenSSL
> > distributions ("fips" option) will automatically include it in the
> > libcrypto shared library.
> >
> > -Steve M.
> >
> > --
> > Steve Marquess
> > Open Source Software Institute
> > [EMAIL PROTECTED]
> >
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
>
> --
> View this message in context:
> http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19558250.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: Openssl Fips Shared Library
How to find out whether openssl fips1.1.2 generate position independent code or not

Please help me out

Thanks
Joshi

> On Thu, Sep 18, 2008 at 11:18 PM, joshi chandra <[EMAIL PROTECTED]> wrote:
>
>> when i have used shared option in the ./Configure , i was able to compile the
>> openssl 0.9.7m successfully
>> but when i tested the fips function in the test folder ,that time it was
>> producing the error message and when i removed shared option by no-shared
>> option in the ./Configure command in the openssl 0.9.7m,
>> all the fips function in the test folder was successfully executed , is this
>> because of the linking problem
>>
>> The error message was
>>
>> ./fips_test_suite
>> >> FIPS-mode test application
>> >>
>> >> 1. Non-Approved cryptographic operation test...
>> >> a. Included algorithm (D-H)...successful
>> >> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
>> >> 2. Automatic power-up self test...FAILED!
>>
>> Can you please tell me is the shared library is possible for openssl 0.9.7m
>> which is using the openssl fips 1.1.2 module
>>
>> can u please explain this statement 'If it does consist of position independent
>> code then you can incorporate it into a shared library just like any
>> other object module, subject of course to the "fipsld" linking to set
>> the in-core hash.'
>>
>> How to link fipsld to in-core hash
>>
>> Thanks in Advance
>> Joshi Chandran
>>
>> Steve Marquess wrote:
>> >
>> > Carlo Milono wrote:
>> >> How curious that this topic would come up today as I had a discussion on
>> >> it just two days earlier.
>> >> The OpenSSL FIPS 140-2 Security Policy Version 1.1.2 states:
>> >>
>> >> "The FIPS Object Module is not a static library. It may be incorporated
>> >> into shared library files or runtime executable application files, but
>> >> in any event can only be incorporated intact and in its entirety."
>> >>
>> >> This was leading me to believe that we could use this in a shared
>> >> library mode; perhaps we need to understand the boundaries of what may
>> >> be included in a shared library?
>> >>
>> >> How can we interpret the above quote?
>> >
>> > The FIPS Object Module is just that, an object module (fipscanister.o).
>> > For v1.1.x it may or may not consist of position independent code,
>> > depending on the platform. If it does consist of position independent
>> > code then you can incorporate it into a shared library just like any
>> > other object module, subject of course to the "fipsld" linking to set
>> > the in-core hash.
>> >
>> > If it isn't position independent, then you're out of luck as the
>> > Security Policy rules don't allow you to modify the build-time parameters.
>> >
>> > For v1.2 the FIPS Object Module is always generated as position
>> > independent code. The corresponding "FIPS capable" OpenSSL
>> > distributions ("fips" option) will automatically include it in the
>> > libcrypto shared library.
>> >
>> > -Steve M.
>> >
>> > --
>> > Steve Marquess
>> > Open Source Software Institute
>> > [EMAIL PROTECTED]
>> >
>> > ______
>> > OpenSSL Project http://www.openssl.org
>> > User Support Mailing List openssl-users@openssl.org
>> > Automated List Manager [EMAIL PROTECTED]
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19558250.html
>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>>
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager [EMAIL PROTECTED]
>
> --
> Regards
> Joshi Chandran

--
Regards
Joshi Chandran
Re: Openssl Fips Shared Library
How to link "fipsld" linking to set the in-core hash.

can u please tell me how to link fipsld to the fips module.

when i am using fipsld it is showing no -o specified

$ sh fipsld
no -o specified

can u please tell me what does -o indicate here and please give the list of other options and their purpose

Thanks in Advance
Joshi Chandran

On Thu, Sep 18, 2008 at 10:44 PM, Steve Marquess <[EMAIL PROTECTED]> wrote:

> Carlo Milono wrote:
>
>> How curious that this topic would come up today as I had a discussion on
>> it just two days earlier. The OpenSSL FIPS 140-2 Security Policy Version
>> 1.1.2 states:
>> "The FIPS Object Module is not a static library. It may be incorporated
>> into shared library files or runtime executable application files, but
>> in any event can only be incorporated intact and in its entirety."
>>
>> This was leading me to believe that we could use this in a shared
>> library mode; perhaps we need to understand the boundaries of what may
>> be included in a shared library?
>>
>> How can we interpret the above quote?
>>
>
> The FIPS Object Module is just that, an object module (fipscanister.o).
> For v1.1.x it may or may not consist of position independent code,
> depending on the platform. If it does consist of position independent code
> then you can incorporate it into a shared library just like any other object
> module, subject of course to the "fipsld" linking to set the in-core hash.
>
> If it isn't position independent, then you're out of luck as the Security
> Policy rules don't allow you to modify the build-time parameters.
>
> For v1.2 the FIPS Object Module is always generated as position independent
> code. The corresponding "FIPS capable" OpenSSL distributions ("fips"
> option) will automatically include it in the libcrypto shared library.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: Openssl Fips Shared Library
Can u please tell me what FIPS_set_mode() returns

when i am using it will the FIPS_set_mode(1), returns 1 and also when using FIPS_set_mode(1), returns 1

So how can i come out of fips mode once it is entered, how can i come out of fips mode .

can u please explain it will sample program.

Thanks in Advance
Joshi

On Sat, Sep 20, 2008 at 12:12 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

> use 'fipsld' the same way you would use your system-provided ld. It
> requires a list of input files and a -o to set the name of the output
> file.
>
> -Kyle H
>
> On Fri, Sep 19, 2008 at 7:53 AM, joshi chandran
> <[EMAIL PROTECTED]> wrote:
> >
> > How to link "fipsld" linking to set the in-core hash.
> >
> > can u please tell me how to link fipsld to the fips module.
> >
> > when i am using fipsld it is showing no -o specified
> >
> > $ sh fipsld
> > no -o specified
> >
> > can u please tell me what does -o indicate here and please give the list of
> > other options and their purpose
> >
> > Thanks in Advance
> >
> > Joshi Chandran
> >
> > On Thu, Sep 18, 2008 at 10:44 PM, Steve Marquess
> > <[EMAIL PROTECTED]> wrote:
> >>
> >> Carlo Milono wrote:
> >>>
> >>> How curious that this topic would come up today as I had a discussion on
> >>> it just two days earlier. The OpenSSL FIPS 140-2 Security Policy Version
> >>> 1.1.2 states:
> >>> "The FIPS Object Module is not a static library. It may be incorporated
> >>> into shared library files or runtime executable application files, but
> >>> in any event can only be incorporated intact and in its entirety."
> >>>
> >>> This was leading me to believe that we could use this in a shared
> >>> library mode; perhaps we need to understand the boundaries of what may
> >>> be included in a shared library?
> >>>
> >>> How can we interpret the above quote?
> >>
> >> The FIPS Object Module is just that, an object module (fipscanister.o).
> >> For v1.1.x it may or may not consist of position independent code,
> >> depending on the platform. If it does consist of position independent code
> >> then you can incorporate it into a shared library just like any other object
> >> module, subject of course to the "fipsld" linking to set the in-core hash.
> >>
> >> If it isn't position independent, then you're out of luck as the Security
> >> Policy rules don't allow you to modify the build-time parameters.
> >>
> >> For v1.2 the FIPS Object Module is always generated as position
> >> independent code. The corresponding "FIPS capable" OpenSSL distributions
> >> ("fips" option) will automatically include it in the libcrypto shared
> >> library.
> >>
> >> -Steve M.
> >>
> >> --
> >> Steve Marquess
> >> Open Source Software Institute
> >> [EMAIL PROTECTED]
> >>
> >> ______
> >> OpenSSL Project http://www.openssl.org
> >> User Support Mailing List openssl-users@openssl.org
> >> Automated List Manager [EMAIL PROTECTED]
> >
> > --
> > Regards
> > Joshi Chandran
> >
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
how to link fipsld with the application .Can u please explain

On Mon, Sep 22, 2008 at 4:14 PM, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:

> On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote:
>
> > Back to square 2 out of 3:
> >
> > Platform:
> > SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
> > gcc (GCC) 3.4.6
> > GNU ld version 2.17
> > GNU ar 2.17
> >
> > 1. Built fips-1.1.2 successfully
> >
> > 2. Built openssl-0.9.7m successfully with ...
> > ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/
> >
> > (also tried with -shared, but no successful build)
> >
> > 3. Built modded curl executable, adding a --fips-mode option, using ...
> > ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap
> >
> > When curl executable is run from command-line with --fips-mode, get ...
> > SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match
> >
> > I've read all "fips solaris" forum messages + others ... I thought I had this down, but ...
> > a little guidance would be appreciated.
> >
>
> You need to link the application using the "fipsld" script. That will
> correctly obtain and embed the correct signature in the target.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
when i am using make CC=fipsld FIPSLD_CC=gcc , i am getting error message

if test ! -z ""; then /.../ austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/ode_tools/power/usr/bin/perl./fixprogs ssh_prng_cmds ; fi
(cd openbsd-compat && make)
/gsa/ausgsa/projects/o/openssh/fipsssl/lib/fipsld -g -qnostdinc -qnolm -I. -I.. -I. -I./.. -I/gsa/ausgsa/projects/o/openssh/fipsssl/include -I/gsa/ausgsa/projects/o/openssh/zlib-1.2.3 -I /gsa/ausgsa/projects/k/kerberos/build/krb514/current/export/rios_aix_4/usr/include -I/.../ austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/export/power/usr/include/-I/.../ austin.ibm.com/fs/projects/aix/aix53L/53L_SERVICE/export/power/usr/include/sys-I/gsa/ausgsa/projects/o/openssh/include -DHAVE_CONFIG_H -c bsd-arc4random.c
gcc: unrecognized option `-qnostdinc'
gcc: unrecognized option `-qnolm'
(E) Message system initialization, unable to open catalogs: xlCfe.cat, /usr/ccs/lib/exe/default_msg/xlCfe.cat.
1506-005: (E) Error in message set 12, unable to retrieve message 173.
1506-005: (E) Error in message set 12, unable to retrieve message 155.
1506-005: (E) Error in message set 12, unable to retrieve message 173.
1506-005: (E) Error in message set 12, unable to retrieve message 297.
1506-005: (E) Error in message set 12, unable to retrieve message 312.
make: The error code from the last command is 1.

Can u please help me

Thanks
Joshi

On Tue, Sep 23, 2008 at 5:31 AM, Welling, Conrad Gerhart <[EMAIL PROTECTED]> wrote:

> Dr. Henson:
>
> Thanks for your quick response and your patience. Sometimes I have a way
> of trying to make things so much harder than they need to be. I reread page
> 33 of the OFOM User Guide ...
>
> "The fipsld command requires that the CC and/or FIPSLD_CC environment
> variables be set, with the latter taking precedence. These variables allow a
> typical Makefile to be used without modification by specifying a command of
> the form
>
>     make CC=fipsld FIPSLD_CC=gcc
>
> where fipsld is invoked by make in lieu of the original compiler and linker
> (gcc in this example), and in turn invokes that compiler where appropriate."
>
> So, I stopped trying to edit the curl Makefiles and, instead, actually
> tried doing exactly what Steve Marquess says to do in the OFOM User Guide
> (along with copying fipsld into the necessary curl source directories and
> telling make where to find openssl). Of course, my FIPS-capable curl built
> successfully.
>
> Thanks again.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
> Sent: Monday, September 22, 2008 3:44 AM
> To: openssl-users@openssl.org
> Subject: Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
>
> On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote:
>
> > Back to square 2 out of 3:
> >
> > Platform:
> > SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
> > gcc (GCC) 3.4.6
> > GNU ld version 2.17
> > GNU ar 2.17
> >
> > 1. Built fips-1.1.2 successfully
> >
> > 2. Built openssl-0.9.7m successfully with ...
> > ./Configure solaris-sparcv9-gcc27 fips --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/
> >
> > (also tried with -shared, but no successful build)
> >
> > 3. Built modded curl executable, adding a --fips-mode option, using ...
> > ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet --with-ca-path=../x.dcerts --disable-ldap
> >
> > When curl executable is run from command-line with --fips-mode, get ...
> > SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not match
> >
> > I've read all "fips solaris" forum messages + others ... I thought I had this down, but ...
> > a little guidance would be appreciated.
> >
>
> You need to link the application using the "fipsld" script. That will
> correctly obtain and embed the correct signature in the target.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
when i have done FIPS_mod_set(1),it goes into the fips mode and when i am doing FIPS_mod_set(0), it come out of fips mode but when i again apply FIPS_mod_set(1) ,it does not goes to fips mode

can u please help me out

Thanks
Joshi

On Wed, Sep 24, 2008 at 3:55 AM, Tim Hudson <[EMAIL PROTECTED]> wrote:

> joshi chandran wrote:
>
>> when i am using make CC=fipsld FIPSLD_CC=gcc , i am getting error message
>>
> > gcc: unrecognized option `-qnostdinc'
> > gcc: unrecognized option `-qnolm'
>
> Those are xlc options - i.e. the IBM compiler.
> Perhaps
>     make CC=fipsld FIPSLD_CC=xlc
> might be a better option. Look at the settings for CC in the top-level
> Makefile and that is the value to use for FIPSLD_CC
>
> Tim.

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
Is it possible to create FIPS enabled openssl shared library(openssl 0.9.7m) ?

I am not able to build shared library .I am using AIX unix system

Thanks
Joshi

On Wed, Sep 24, 2008 at 6:47 PM, joshi chandran <[EMAIL PROTECTED]> wrote:

> when i have done FIPS_mod_set(1),it goes into the fips mode and when i am
> doing FIPS_mod_set(0), it come out of fips mode but when i again apply
> FIPS_mod_set(1) ,it does not goes to fips mode
>
> can u please help me out
>
> Thanks
> Joshi
>
> On Wed, Sep 24, 2008 at 3:55 AM, Tim Hudson <[EMAIL PROTECTED]> wrote:
>
>> joshi chandran wrote:
>>
>>> when i am using make CC=fipsld FIPSLD_CC=gcc , i am getting error message
>>>
>> > gcc: unrecognized option `-qnostdinc'
>> > gcc: unrecognized option `-qnolm'
>>
>> Those are xlc options - i.e. the IBM compiler.
>> Perhaps
>>     make CC=fipsld FIPSLD_CC=xlc
>> might be a better option. Look at the settings for CC in the top-level
>> Makefile and that is the value to use for FIPSLD_CC
>>
>> Tim.
>>
>
> --
> Regards
> Joshi Chandran

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
I am trying to test the Fips capable openssl and when i am testing it i am getting some error

openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM

Generating a 2048 bit RSA private key
+++
..+++
writing new private key to '//exampleca/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-
digest.c(150): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
IOT/Abort trap(coredump)

There is another error also when i am issuing the smime command

Data Base Updated
openssl smime -encrypt -in /server_req/mail.txt -des3 -out /server_req/mail.enc /exampleca/certs/01.pem
in smime command
Enter pass phrase for /server_req/server_priv_key.pem:
unable to load signing key file
704646:error:0608008D:digital envelope routines:EVP_DigestInit:disabled for fips:digest.c:237:
704646:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509:
704646:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:

Does this means that this function (EVP_DigestInit) is not supported by fips mode

Please help me

Thanks
Joshi

On Thu, Sep 25, 2008 at 5:55 AM, Steve Marquess <[EMAIL PROTECTED]> wrote:

> David Schwartz wrote:
> > In many cases, FIPS actually results in (you might reasonably think, at least) reduced security. ...
> >
> > C) Quasi-FIPS. All FIPS rules are followed, except where it is genuinely believed that these rules reduce security or are unreasonably impractical. For example, obvious bugfixes might be allowed, even if the code hadn't been re-FIPS checked. In the case of OpenSSL, you might allow changes to optimization or code generation flags. An "obviously correct" optimized SHA1 algorithm might be used, even if it hasn't been approved yet. (Or if it wasn't selected for the platform due to a detection bug.)
> >
>
> IMHO it's hard to argue that FIPS *validated* software isn't clearly
> less secure in a real world sense, simply due to the fact that the
> validation process by its very nature provides heavy disincentives to
> the aggressive and proactive pursuit of suspected security vulnerabilities.
>
> Frankly you shouldn't use FIPS validated software unless specifically
> required to for formal policy compliance reasons.
>
> Use of FIPS *compliant* cryptography (strong crypto and FIPS approved
> algorithms) is another matter, but then you're not artificially
> constraining your options for identifying and correcting implementation
> vulnerabilities.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software institute
> [EMAIL PROTECTED]
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: FIPS-capable curl: Solaris 9 - fingerprint does not match
I am using openssl 0.9.7m .

Yes,I have the used the OPENSSL_FIPS=1 when calling the command .

i am attaching the testscript which i am using. please help me

Thanks
Joshi

On Thu, Sep 25, 2008 at 10:02 PM, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:

> On Thu, Sep 25, 2008, joshi chandran wrote:
>
> > I am trying to test the Fips capable openssl and when i am testing it i am
> > getting some error
> >
> > openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM
> >
> > Generating a 2048 bit RSA private key
> > +++
> > ..+++
> > writing new private key to '//exampleca/private/cakey.pem'
> > Enter PEM pass phrase:
> > Verifying - Enter PEM pass phrase:
> > -
> > digest.c(150): OpenSSL internal error, assertion failed: Digest update
> > previous FIPS forbidden algorithm error ignored
> > IOT/Abort trap(coredump)
> >
>
> What version of OpenSSL are you using to produce that error?
>
> Do you have the environment variable OPENSSL_FIPS=1 when you call that
> command?
>
> Does your config file openssl.cnf use MD5 as a signing algorithm? If so you
> need to change it to SHA1.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran

#! /bin/ksh
integer final_count=30
integer err_count=0
integer pass_count=0

report() {
    if [ $? -ne 0 ]; then
        (( err_count = err_count + 1 ));
        echo "*Failed*"
    fi
}

# Creating the CA's environment
echo "***Creating the CA's environment***"
rm -r $HOME/exampleca >/dev/null 2>&1
rm -r $HOME/server_req >/dev/null 2>&1
rm mail* >/dev/null 2>&1
mkdir -p $HOME/exampleca
cd $HOME/exampleca
mkdir certs private
chmod g-rwx,o-rwx private
echo '01' > serial
touch index.txt
dir=$HOME"/exampleca"
cd ~

# Creating the configuration file for CA
echo "***Creating the configuration file for CA"
cat >> $HOME/exampleca/openssl.cnf << EOF
[ ca ]
default_ca = exampleca

[ exampleca ]
dir = $HOME/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = md5
policy = exampleca_policy
x509_extensions = certificate_extensions

[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = $HOME/exampleca/private/cakey.pem
default_md = md5
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = Example CA
stateOrProvinceName = Virginia
countryName = US
emailAddress = [EMAIL PROTECTED]
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:true
EOF
report

# Telling OpenSSL where to find our configuration file
OPENSSL_CONF=$HOME/exampleca/openssl.cnf
export OPENSSL_CONF

# Generating our self-signed root certificate
echo "*Generating our self-signed root certificate"
openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM
report
echo "*Displaying self-signed root certificate"
openssl x509 -in $HOME/exampleca/cacert.pem -text -noout
report
echo "*End of Display*"

# Generating a certificate request
echo "*Generating a certificate request"
mkdir -p $HOME/server_req
cat >> $HOME/server_req/openssl.cnf << EOF
[ ca ]
default_ca = exampleca

[ exampleca ]
dir = $HOME/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
de
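
The reply quoted in the message above asks whether openssl.cnf uses MD5 as a signing algorithm and says to change it to SHA1. The following is an added example, not part of the original thread or the attached test script: it reports each default_md setting outside an approved list and emits a corrected config. The function names, the approved-digest list and the sample config are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an openssl.cnf for default_md values that FIPS mode rejects.
# APPROVED_MD is an assumption of this example (SHA-1/SHA-2 names as OpenSSL spells them).
APPROVED_MD="sha1 sha224 sha256 sha384 sha512"

# Print "lineno:section:value" for every default_md whose value is not approved.
audit_default_md() {
    awk -v ok="$APPROVED_MD" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        { line = $0; sub(/#.*/, "", line) }              # ignore trailing comments
        line ~ /^[ \t]*\[.*\][ \t]*$/ {                  # section header, e.g. [ req ]
            gsub(/\[|\]|[ \t]/, "", line); section = line; next
        }
        line ~ /^[ \t]*default_md[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            v = tolower(line)
            if (!(v in good)) printf "%d:%s:%s\n", NR, section, v
        }
    ' "$1"
}

# Write the config to stdout with each non-approved default_md replaced by $2
# (default sha1, the value named in the quoted reply). Other lines pass through.
fix_default_md() {
    awk -v ok="$APPROVED_MD" -v repl="${2:-sha1}" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        /^[ \t]*default_md[ \t]*=/ {
            v = $0; sub(/#.*/, "", v); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (!(tolower(v) in good)) sub(/=.*/, "= " repl)
        }
        { print }
    ' "$1"
}

# Constructed sample, modelled on the [ exampleca ] and [ req ] sections of the
# test script in the message above; [ server_req ] is a made-up compliant section.
sample_cnf() {
    cat <<'EOF'
[ ca ]
default_ca = exampleca

[ exampleca ]
default_days = 365
default_md = md5

[ req ]
default_bits = 2048
default_md = MD5   # digest used to sign the self-signed root
prompt = no

[ server_req ]
default_md = sha1
EOF
}

# Demo, run with: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_cnf > "$tmp"
    echo "non-approved digests (line:section:value):"
    audit_default_md "$tmp"
    echo "after fix:"
    fix_default_md "$tmp" | grep default_md
    rm -f "$tmp"
fi
```

Run the audit against the file named by OPENSSL_CONF before setting OPENSSL_FIPS=1; an empty result means no default_md in the file selects a digest outside the approved list.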
Re: How to convert .der file to .pem
Is there any way to convert .PEM to pkcs12

Please help me

Thanks
Joshi

On Mon, Sep 22, 2008 at 6:10 PM, vinni rathore <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Try to use this
>
> openssl x509 -in input.crt -inform DER -out output.crt -outform PEM
>
> If u still get the error then tell the exact error u r getting during
> conversion.
>
> On Mon, Sep 22, 2008 at 5:54 PM, Ajeet kumar.S
> <[EMAIL PROTECTED]> wrote:
> > Hi all;
> > Thank you Luciano Quartarone for your help. I tried to convert .der file
> > to .pem using your given idea but I did not get success.I am using open ssl
> > command line tool. Any thing more I need to do?
> >
> > Regards,
> >
> > --Ajeet Kumar Singh
> >
> > May all be happy, may all be free from illness, may all see what is good,
> > may no one suffer sorrow
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Luciano Quartarone
> > Sent: Monday, September 22, 2008 5:14 PM
> > To: openssl-users@openssl.org
> > Subject: Re: How to convert .der file to .pem
> >
> > try with:
> > openssl x509 -inform DER -in -outform PEM -out
> >
> > or look at www.openssl.org
> >
> > LQ
> >
> > Ajeet kumar.S wrote:
> >> Hi all;
> >>
> >> Thanks all of you for your support. I have cert.der file and I want to
> >> convert it cert.pem file using open ssl. How I can convert it. Please
> >> Tell me.
> >>
> >> Thank you.
> >>
> >> Regards,
> >>
> >> --Ajeet Kumar Singh
> >>
> >
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
> >
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager [EMAIL PROTECTED]
> >
>
> --
> regards,
> Vineeta Kumari
> Software engg
> Mobera Systems
> Chandigarh
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: FIPS fail
Is this means windows can generate shared library of openssl 9.7m with openssl fips 1.1.2 but i was not able to make the shared library of openssl 9.7m when i am compiled with openssl fips 1.1.2 object module in Unix(AIX) system .

Does it means the coming fips version 1.2 will allow shared library generation of openssl 9.8 version

Thanks
Joshi

On Fri, Oct 3, 2008 at 6:45 PM, Thomas J. Hruska <[EMAIL PROTECTED]> wrote:

> Dr. Stephen Henson wrote:
>
>> On Thu, Oct 02, 2008, Thomas J. Hruska wrote:
>>
>> Thomas J. Hruska wrote:
>>>
>>> Needless to say, given the lack of response and further web searching
>>> reveals issues with older VC++ linkers core dumping(?) against the latest
>>> MinGW and I've already put forth 30+ hours (not counting the preparation
>>> time of several months!), two CD-Rs, and who knows how much money into an
>>> attempted production of a default OpenSSL FIPS 140-2 compliant binary build
>>> for Windows (complete with fancy installer), I'm going to simply hold off
>>> until 1.2.0 becomes available and then try again at that time. Mixing
>>> together binaries from two totally different compilers is not only a bad
>>> idea, it is a horrifically terrible idea. The fact that this supposedly
>>> works at all for some people is a miracle.
>>>
>>
>> The 1.1.2 module (which I only became involved with towards the end) was
>> designed round a Unix build system.
>>
>> For the 1.1.2 module it was a choice of mixing compilers or not having any
>> Windows build at all. It was decided that was better than nothing.
>>
>> What version of gcc do you have with MSYS? There are issues with some versions
>> of gcc.
>>
>
> $ gcc --version
> gcc.exe (GCC) 3.4.5 (mingw-vista special r3)
> Copyright (C) 2004 Free Software Foundation, Inc.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> Not that it really matters...
>
>>> Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers.
>>> That should significantly clean things up. Assuming, of course, "not
>>> mixing compilers" allows the use of VC++. If I have to use MinGW, I will be
>>> very annoyed. I'm also hoping I can compile against 0.9.8x instead of
>>> 0.9.7m.
>>>
>>
>> The 1.2 module (which I was involved with from the start) has Windows as a
>> standard platform. It can be built using VC++ only.
>>
>> Steve.
>>
>
> Excellent. I'll just wait for the 1.2 module then. I know that it could
> be a long wait of many months since FIPS validation takes a while.
>
> BTW, during the FIPS creation process that I used (a set of steps that I
> plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 'PGP
> sign' links next to the source code download links at:
>
> https://www.openssl.org/source/
>
> Are broken (not really 'broken' per se, but blank). I had to go out to the
> FTP site to get the signatures.
>
> --
> Thomas Hruska
> Shining Light Productions
>
> Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
> http://www.slproweb.com/
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
Regards
Joshi Chandran
Re: how to enable debug mode of openssl
Hi All,

I am trying to make openssh compatible with the fips enabled openssl. Can anybody tell me what changes I have to make in openssh?

Please help

Thanks
Joshi

problem was solved by updating openssl to the latest release 0.9.8i (the one I used was 0.9.8a.) But I still don't know the root cause of that aborting. Anyway, it works now.

Thanks,
Elven

> Date: Wed, 8 Oct 2008 01:21:08 -0700
> Subject: Re: how to enable debug mode of openssl
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Hi Elven,
>
> I suggest try using ERR_print_errors
> (http://openssl.org/docs/crypto/ERR_print_errors.html#) to get an idea of
> what error you are getting.
> You can call it right after your call to PEM_read_bio_X509. It is most
> likely to be a problem with the certificate data that you are feeding
> to OpenSSL. Have you tried verifying that the data is valid?
>
> --- Kah
>
> On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote:
> > I am using openssl in arm embedded platform. I want to support https, so
> > it will use openssl. But I have encountered some problem. The application
> > aborted for some unknown reason. I tried to trace the problem and found the
> > it aborted on call "PEM_read_bio_X509" (ssl_rsa.c). And I can't trace deep
> > more.
> >
> > > So is there any way to enable debug mode of openssl so that I can trace
> > > more deeply to find out the problem?
> > >
> > > Thanks.
> > > Elven
>

--
Regards
Joshi Chandran
Re: FIPS fail
Hi All,

Can anybody give me a small program which sets fips mode and uses a non-fips algorithm, and hence fails while running?

Thanks
Joshi

On Thu, Oct 9, 2008 at 5:13 PM, Steve Marquess <[EMAIL PROTECTED]> wrote:

> Kyle Hamilton wrote:
>
>> Okay. Let's see if I can piece together everything I've learned about
>> the FIPS experience so far...
>>
>> FIPS-1.1.2 only generates a static fipscanister, which can only be
>> used to generate a static library. (except on Windows, where it can
>> be built into a shared library.)
>>
>
> The fipscanister.o for v1.1.2 is generated with position independent code
> or not depending on the default build options borrowed from the 0.9.7
> baseline at the time. On Windows it happens that position independent code
> is generated automatically, hence that object module can be incorporated in
> shared code. On Linux and some other platforms that isn't the case.
>
> Note we were originally going to test both shared and non-shared builds,
> but ran out of money for the test lab fees (each such "platform" variation
> drives up the price).
>
> For v1.2 we decided to just force position independent code generation
> universally.
>
> ...
>>
>> FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is
>> currently submitted for review, but there is no timeframe (other than
>> 'it could take until the end of the next ice age') for its validation.
>>
>
> The latest info I've heard is that there is a new reviewer (new hire) who
> has decided to revisit the entire history of the original validation from
> the beginning, i.e. effectively second guessing the CMVP reviewers of those
> prior validations. That first validation took five years, an Internet ice
> age indeed.
>
> If you want to test the functionality of FIPS-1.2.0, you need to
>> download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
>> the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
>> from the same location.
>>
>> If you want a currently-validated solution, you need
>> openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.
>>
>> Anyone got any comments on whether I've gotten this right?
>>
>
> You did.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
>

--
Regards
Joshi Chandran
Re: FIPS fail
Is there any patch which I can apply to openssh to make it compatible with fips enabled openssl?

Thanks
Joshi

On Thu, Oct 9, 2008 at 5:13 PM, Steve Marquess <[EMAIL PROTECTED]> wrote:

> Kyle Hamilton wrote:
>
>> Okay. Let's see if I can piece together everything I've learned about
>> the FIPS experience so far...
>>
>> FIPS-1.1.2 only generates a static fipscanister, which can only be
>> used to generate a static library. (except on Windows, where it can
>> be built into a shared library.)
>>
>
> The fipscanister.o for v1.1.2 is generated with position independent code
> or not depending on the default build options borrowed from the 0.9.7
> baseline at the time. On Windows it happens that position independent code
> is generated automatically, hence that object module can be incorporated in
> shared code. On Linux and some other platforms that isn't the case.
>
> Note we were originally going to test both shared and non-shared builds,
> but ran out of money for the test lab fees (each such "platform" variation
> drives up the price).
>
> For v1.2 we decided to just force position independent code generation
> universally.
>
> ...
>>
>> FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is
>> currently submitted for review, but there is no timeframe (other than
>> 'it could take until the end of the next ice age') for its validation.
>>
>
> The latest info I've heard is that there is a new reviewer (new hire) who
> has decided to revisit the entire history of the original validation from
> the beginning, i.e. effectively second guessing the CMVP reviewers of those
> prior validations. That first validation took five years, an Internet ice
> age indeed.
>
> If you want to test the functionality of FIPS-1.2.0, you need to
>> download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from
>> the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz
>> from the same location.
>>
>> If you want a currently-validated solution, you need
>> openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.
>>
>> Anyone got any comments on whether I've gotten this right?
>>
>
> You did.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]
>

--
Regards
Joshi Chandran
Re: trouble with Aix
I have also faced the same problem. Did you get any solution for it?

Thanks
Joshi

On Sun, Sep 28, 2008 at 2:22 AM, eric larrouy <[EMAIL PROTECTED]> wrote:

> Hello
>
> I have a trouble with openssl to encrypt (in aes128) files ( > 80Mb). My
> encrypt file have just 192 octets. Have you this problem ?
>
> Have you an idea?
>
> It is very urgent
>
> Best regards
>
> Eric Larrouy
>

--
Regards
Joshi Chandran
Re: how to enable debug mode of openssl
Is the bug "memory leak with mod_ssl and zlib compression (CVE-2008-1678)" resolved in openssl 0.9.8h?

Please help

Thanks
Joshi

On Thu, Oct 9, 2008 at 4:09 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

> You would probably need a FIPS_mode_set(1) somewhere after the openssl
> library initialization, and it would be a good thing to never keep any
> keys in the clear. As well, it would need to statically link to
> openssl 0.9.7m built with the fipscanister module. (If it uses
> features specific to openssl 0.9.8, you cannot create a FIPS-validated
> version at this time.)
>
> This is not an openssh support list, and I have not looked at the
> openssh sources to see what else would need to be changed.
>
> You must ALWAYS follow the FIPS security policy when dealing with
> anything FIPS. If the security policy says that some constraint must
> be met, that constraint must be met -- no matter how it impacts the
> function or even possibility of doing what you want.
>
> -Kyle H
>
> 2008/10/9 joshi chandran <[EMAIL PROTECTED]>:
> > Hi All,
> >
> > I am trying to make openssh compatible with the fips enabled openssl . can
> > anybody tell me what all changes i have make in openssh
> >
> > Please help
> >
> > Thanks
> >
> > Joshi
> >
> > problem was solved by updating openssl to the latest release 0.9.8i
> > (the one I used was 0.9.8a.) But I still don't know the root cause of
> > that aborting. Anyway, it works now.
> >
> > Thanks,
> > Elven
> >
> >> Date: Wed, 8 Oct 2008 01:21:08 -0700
> >> Subject: Re: how to enable debug mode of openssl
> >> From: [EMAIL PROTECTED]
> >> To: [EMAIL PROTECTED]
> >>
> >> Hi Elven,
> >>
> >> I suggest try using ERR_print_errors
> >> (http://openssl.org/docs/crypto/ERR_print_errors.html#) to get an idea
> >> of what error you are getting.
> >> You can call it right after your call to PEM_read_bio_X509. It is most
> >> likely to be a problem with the certificate data that you are feeding
> >> to OpenSSL. Have you tried verifying that the data is valid?
> >>
> >> --- Kah
> >>
> >> On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote:
> >> > I am using openssl in arm embedded platform. I want to support https, so
> >> > it will use openssl. But I have encountered some problem. The application
> >> > aborted for some unknown reason. I tried to trace the problem and found the
> >> > it aborted on call "PEM_read_bio_X509" (ssl_rsa.c). And I can't trace deep
> >> > more.
> >> >
> >> > > So is there any way to enable debug mode of openssl so that I can
> >> > > trace more deeply to find out the problem?
> >> > >
> >> > > Thanks.
> >> > > Elven
> >
> > --
> > Regards
> > Joshi Chandran
>

--
Regards
Joshi Chandran
Re: how to enable debug mode of openssl
Is there any patches to resolve the bug "memory leak with mod_ssl and zlib compression (CVE-2008-1678) ". Please help Thanks Joshi 2008/10/13 joshi chandran <[EMAIL PROTECTED]> > Is this bug "memory leak with mod_ssl and zlib compression (CVE-2008-1678) > " is resolved in openssl 0.9.8h > > Please help > > Thanks > > Joshi > > > On Thu, Oct 9, 2008 at 4:09 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote: > >> You would probably need a FIPS_mode_set(1) somewhere after the openssl >> library initialization, and it would be a good thing to never keep any >> keys in the clear. As well, it would need to statically link to >> openssl 0.9.7m built with the fipscanister module. (If it uses >> features specific to openssl 0.9.8, you cannot create a FIPS-validated >> version at this time.) >> >> This is not an openssh support list, and I have not looked at the >> openssh sources to see what else would need to be changed. >> >> You must ALWAYS follow the FIPS security policy when dealing with >> anything FIPS. If the security policy says that some constraint must >> be met, that constraint must be met -- no matter how it impacts the >> function or even possibility of doing what you want. >> >> -Kyle H >> >> 2008/10/9 joshi chandran <[EMAIL PROTECTED]>: >> > Hi All, >> > >> > I am trying to make openssh compatible with the fips enabled openssl . >> can >> > anybody tell me what all changes i have make in openssh >> > >> > Please help >> > >> > Thanks >> > >> > Joshi >> > >> > >> > >> > >> > >> > problem was solved by updating openssl to the latest release 0.9.8i >> > (the one I used was 0.9.8a.) But I still don't know the root cause of >> > that aborting. Anyway, it works now. 
>> > >> > Thanks, >> > Elven >> > >> >> Date: Wed, 8 Oct 2008 01:21:08 -0700 >> >> Subject: Re: how to enable debug mode of openssl >> >> From: [EMAIL PROTECTED] >> >> To: [EMAIL PROTECTED] >> >> >> >> Hi Elven, >> >> >> >> I suggest try using ERR_print_errors (http://openssl.org/docs/crypto/ >> >> ERR_print_errors.html#) to get an idea of what error you are getting. >> >> You can call it right after your call to PEM_read_bio_X509. It is most >> >> likely to be a problem with the certificate data that you are feeding >> >> to OpenSSL. Have you tried verifying that the data is valid? >> >> >> >> --- Kah >> >> >> >> On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote: >> >> > I am using openssl in arm embedded platform. I want to support https, >> so >> >> > it will use openssl. But I have encouterd some problem. The >> application >> >> > aborted for some unknown reason. I tried to trace the problem and >> found the >> >> > it aborted on call "PEM_read_bio_X509" (ssl_rsa.c). And I can't t >> race deep >> >> > more. >> >> >> >> > > >> >> > > So is there any way to enable debug mode of openssl so that I can >> >> > > trace more deeply to find out the problem? >> >> > > >> >> > > Thanks. >> >> > > Elven >> >> > > _ >> >> > > 一点即聊,MSN推出新功能"点我!"http://im.live.cn/click/ >> >> > >> >> >> >> >> >> >> >> MSN上小游戏,工作休闲两不误! 马上就开始玩! >> > >> > >> > -- >> > Regards >> > Joshi Chandran >> > >> > > > > -- > Regards > Joshi Chandran > -- Regards Joshi Chandran
Re: Hello
Yes, this is the right place to ask questions regarding openssl.

On Tue, Oct 14, 2008 at 8:51 PM, So Gerald <[EMAIL PROTECTED]> wrote:

> Yes
>
> 2008/8/23 Nguyen, Harris <[EMAIL PROTECTED]>
>
>> Hello,
>> Is this the right place to ask Openssl programming issues?
>> Thanks
>>
>> Harris Nguyen
>

--
Regards
Joshi Chandran
Re: What would cause a seg fault?
I have used the openssl 9.8h version. There is a mistake in the previous mail:

"I have recompiled the shared object file SSLeay.so to link to the version of libssl.a provided by openssl.base (openssl 9.8h). Previously, this shared object linked to the libssl.a provided by the RPM on the Linux Toolbox for AIX. Now that the shared object is linked against the newer library",

The rest is the same.

Please help

Thanks
Joshi

On Wed, Oct 22, 2008 at 4:29 PM, joshi chandra <[EMAIL PROTECTED]> wrote:

>
> Hi All,
>
> I have recompiled the shared object file SSLeay.so to link to the version of
> libssl.a provided by openssl.base. Previously, this
> shared object linked to the libssl.a (openssl 9.8h) provided by the RPM on
> the Linux Toolbox for AIX. Now that the shared object is linked against the
> newer library,
> it seg faults in a call to the function SSL_CTX_ctrl().
>
>
> Code Dump
>
> Segmentation fault in SSL_CTX_ctrl at 0xd1f6bb80 ($t1)
> 0xd1f6bb80 (SSL_CTX_ctrl+0xfc) 900300a4 stw r0,0xa4(r3)
> (dbx) where
> SSL_CTX_ctrl() at 0xd1f6bb80
> XS_Crypt__SSLeay__CTX_new() at 0xd1f64318
> Perl_pp_entersub() at 0xd31100d8
> Perl_runops_standard() at 0xd3163ad4
> S_call_body() at 0xd3075950
> Perl_call_sv() at 0xd3079dac
> S_call_list_body() at 0xd30758bc
> Perl_call_list() at 0xd307c4f0
> Perl_newATTRSUB() at 0xd30d3318
> Perl_utilize() at 0xd30d3af8
> Perl_yyparse() at 0xd310a494
> S_parse_body() at 0xd30765e0
> perl_parse() at 0xd307ccc0
> main() at 0x1460
>
> Here is the full ld command,
> ld -bhalt:4 -bM:SRE
> -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp
> -bnoentry -lpthreads -lc_r SSLeay.o -o
> blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto
>
> Also, here is the output of 'dump -Tv SSLeay.so' for the symbol in the stack
> trace:
> ***Loader Symbol Table Information***
> [Index] Value Scn IMEX Sclass Type IMPid Name
> [71]0xundef IMP DS EXTref libssl.a(libssl.so.0.9.8) SSL_CTX_ctrl
>
> Is this because i have to specify the header file also when i am doing
> linking.
>
> Can u please help me
>
> Thanks
>
> Joshi Chandran
>
>
> --
> View this message in context:
> http://www.nabble.com/What-would-cause-a-seg-fault--tp20108404p20108404.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>

--
Regards
Joshi Chandran
Re: What would cause a seg fault?
This is how I am compiling:

# cc_r -c -I/usr/include/openssl -D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT -q32 -D_LARGE_FILES -qlonglong -O-DVERSION=\"0.51\" -DXS_VERSION=\"0.51\" "-I/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE" SSLeay.c
# chmod 644 SSLeay.bs
# rm -f blib/arch/auto/Crypt/SSLeay/SSLeay.so
# LD_RUN_PATH="" ld -bhalt:4 -bM:SRE -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp -bnoentry -lpthreads -lc_r SSLeay.o -o blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto
# chmod 755 blib/arch/auto/Crypt/SSLeay/SSLeay.so
# cp SSLeay.bs blib/arch/auto/Crypt/SSLeay/SSLeay.bs
# chmod 644 blib/arch/auto/Crypt/SSLeay/SSLeay.bs

Please help, it is urgent

Thanks
Joshi

On Wed, Oct 22, 2008 at 4:35 PM, joshi chandran <[EMAIL PROTECTED]> wrote:

> I have used openssl 9.8h version
> There is mistake in previous mail
>
> "I have recompiled the shared object file SSLeay.so to link to the version of
> libssl.a provided by openssl.base(openssl 9.8h). Previously, this
> shared object linked to the libssl.a provided by the RPM on
> the Linux Toolbox for AIX.Now that the shared object is linked against the
> newer library",
>
> Rest are same .
>
> Please help
>
> Thanks
> Joshi
>
>
> On Wed, Oct 22, 2008 at 4:29 PM, joshi chandra <[EMAIL PROTECTED]> wrote:
>
>>
>> Hi All,
>>
>> I have recompiled the shared object file SSLeay.so to link to the version of
>> libssl.a provided by openssl.base. Previously, this
>> shared object linked to the libssl.a (openssl 9.8h) provided by the RPM on
>> the Linux Toolbox for AIX.Now that the shared object is linked against the
>> newer library,
>> it seg faults in a call to the function SSL_CTX_ctrl().
>>
>>
>> Code Dump
>>
>> Segmentation fault in SSL_CTX_ctrl at 0xd1f6bb80 ($t1)
>> 0xd1f6bb80 (SSL_CTX_ctrl+0xfc) 900300a4 stw r0,0xa4(r3)
>> (dbx) where
>> SSL_CTX_ctrl() at 0xd1f6bb80
>> XS_Crypt__SSLeay__CTX_new() at 0xd1f64318
>> Perl_pp_entersub() at 0xd31100d8
>> Perl_runops_standard() at 0xd3163ad4
>> S_call_body() at 0xd3075950
>> Perl_call_sv() at 0xd3079dac
>> S_call_list_body() at 0xd30758bc
>> Perl_call_list() at 0xd307c4f0
>> Perl_newATTRSUB() at 0xd30d3318
>> Perl_utilize() at 0xd30d3af8
>> Perl_yyparse() at 0xd310a494
>> S_parse_body() at 0xd30765e0
>> perl_parse() at 0xd307ccc0
>> main() at 0x1460
>>
>> Here is the full ld command,
>> ld -bhalt:4 -bM:SRE
>> -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp
>> -bnoentry -lpthreads -lc_r SSLeay.o -o
>> blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto
>>
>> Also, here is the output of 'dump -Tv SSLeay.so' for the symbol in the stack
>> trace:
>> ***Loader Symbol Table Information***
>> [Index] Value Scn IMEX Sclass Type IMPid Name
>> [71]0xundef IMP DS EXTref libssl.a(libssl.so.0.9.8) SSL_CTX_ctrl
>>
>> Is this because i have to specify the header file also when i am doing
>> linking.
>>
>> Can u please help me
>>
>> Thanks
>>
>> Joshi Chandran
>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/What-would-cause-a-seg-fault--tp20108404p20108404.html
>> Sent from the OpenSSL - User mailing list archive at Nabble.com.
>>
>
> --
> Regards
> Joshi Chandran
>

--
Regards
Joshi Chandran
Re: What would cause a seg fault?
This is how i am compiling # cc_r -c -I/usr/include/l -D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT -q32 -D_LARGE_FILES -qlonglong -O-DVERSION=\"0.51\" -DXS_VERSION=\"0.51\" "-I/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE" SSLeay.c # chmod 644 SSLeay.bs # rm -f blib/arch/auto/Crypt/SSLeay/SSLeay.so # LD_RUN_PATH="" ld -bhalt:4 -bM:SRE -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp -bnoentry -lpthreads -lc_r SSLeay.o -o blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto # chmod 755 blib/arch/auto/Crypt/SSLeay/SSLeay.so # cp SSLeay.bs blib/arch/auto/Crypt/SSLeay/SSLeay.bs # chmod 644 blib/arch/auto/Crypt/SSLeay/SSLeay.bs Please Help ,it is urgent Thanks Joshi On Wed, Oct 22, 2008 at 10:17 PM, joshi chandran <[EMAIL PROTECTED] > wrote: > This is how i am compiling > > # cc_r -c -I/usr/include/l -D_ALL_SOURCE -D_ANSI_C_SOURCE -D_POSIX_SOURCE > -qmaxmem=16384 -qnoansialias -DUSE_NATIVE_DLOPEN -DNEED_PTHREAD_INIT -q32 > -D_LARGE_FILES -qlonglong -O-DVERSION=\"0.51\" -DXS_VERSION=\"0.51\" > "-I/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE" SSLeay.c > # chmod 644 SSLeay.bs > # rm -f blib/arch/auto/Crypt/SSLeay/SSLeay.so > # LD_RUN_PATH="" ld -bhalt:4 -bM:SRE > -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp -bE:SSLeay.exp > -bnoentry -lpthreads -lc_r SSLeay.o -o > blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto > # chmod 755 blib/arch/auto/Crypt/SSLeay/SSLeay.so > # cp SSLeay.bs blib/arch/auto/Crypt/SSLeay/SSLeay.bs > # chmod 644 blib/arch/auto/Crypt/SSLeay/SSLeay.bs > Please Help ,it is urgent > > Thanks > > Joshi > > On Wed, Oct 22, 2008 at 4:35 PM, joshi chandran < > [EMAIL PROTECTED]> wrote: > >> I have used openssl 9.8h version >> There is mistake in previous mail >> >> "I have recompiled the shared object file SSLeay.so to link to the version >> of >> libssl.a provided by openssl.base(openssl 9.8h). 
Previously, this >> shared object linked to the libssl.a provided by the RPM on >> the Linux Toolbox for AIX.Now that the shared object is linked against the >> newer library", >> >> Rest are same . >> >> Please help >> >> Thanks >> Joshi >> >> >> On Wed, Oct 22, 2008 at 4:29 PM, joshi chandra < >> [EMAIL PROTECTED]> wrote: >> >>> >>> Hi All, >>> >>> I have recompiled the shared object file SSLeay.so to link to the version >>> of >>> libssl.a provided by openssl.base. Previously, this >>> shared object linked to the libssl.a (openssl 9.8h) provided by the RPM >>> on >>> the Linux Toolbox for AIX.Now that the shared object is linked against >>> the >>> newer library, >>> it seg faults in a call to the function SSL_CTX_ctrl(). >>> >>> >>> Code Dump >>> >>> Segmentation fault in SSL_CTX_ctrl at 0xd1f6bb80 ($t1) >>> 0xd1f6bb80 (SSL_CTX_ctrl+0xfc) 900300a4 stw r0,0xa4(r3) >>> (dbx) where >>> SSL_CTX_ctrl() at 0xd1f6bb80 >>> XS_Crypt__SSLeay__CTX_new() at 0xd1f64318 >>> Perl_pp_entersub() at 0xd31100d8 >>> Perl_runops_standard() at 0xd3163ad4 >>> S_call_body() at 0xd3075950 >>> Perl_call_sv() at 0xd3079dac >>> S_call_list_body() at 0xd30758bc >>> Perl_call_list() at 0xd307c4f0 >>> Perl_newATTRSUB() at 0xd30d3318 >>> Perl_utilize() at 0xd30d3af8 >>> Perl_yyparse() at 0xd310a494 >>> S_parse_body() at 0xd30765e0 >>> perl_parse() at 0xd307ccc0 >>> main() at 0x1460 >>> >>> Here is the full ld command, >>> ld -bhalt:4 -bM:SRE >>> -bI:/usr/opt/perl5/lib/5.8.2/aix-thread-multi/CORE/perl.exp >>> -bE:SSLeay.exp >>> -bnoentry -lpthreads -lc_r SSLeay.o -o >>> blib/arch/auto/Crypt/SSLeay/SSLeay.so -L/usr/lib -lssl -lcrypto >>> >>> Also, here is the output of 'dump -Tv SSLeay.so' for the symbol in the >>> stack >>> trace: >>>***Loader Symbol Table Information*** >>> [Index] Value Scn IMEX Sclass Type IMPid Name >>> [71]0xundef IMP DS EXTref >>> libssl.a(libssl.so.0.9.8) >>> SSL_CTX_ctrl >>> >>> Is this beacuse i have to specify the header file also when i am doing >>> linking. 
>>> >>> Can u please help me >>> >>> Thanks >>> >>> Joshi Chandran >>> >>> >>> -- >>> View this message in context: >>> http://www.nabble.com/What-would-cause-a-seg-fault--tp20108404p20108404.html >>> Sent from the OpenSSL - User mailing list archive at Nabble.com. >>> >>> __ >>> OpenSSL Project http://www.openssl.org >>> User Support Mailing Listopenssl-users@openssl.org >>> Automated List Manager [EMAIL PROTECTED] >>> >> >> >> >> -- >> Regards >> Joshi Chandran >> > > > > -- > Regards > Joshi Chandran > -- Regards Joshi Chandran
Re: Client verify failing - continued
Hi

I am new to openssl and I now face the problem "SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate error". While searching in Google, I found that you too had the same problem and that you were able to rectify it. Can you please help me to solve this problem?

Thanks
Joshi Chandran

On Mon, Nov 24, 2008 at 3:57 AM, Michael Simms <[EMAIL PROTECTED]> wrote:

> Well, thanks to Dave Thompson, this silly bug was fixed, his hint to
> examine the certificate lead me to the path that ended up with me
> finding that actually the CA in the clients side was being set AFTER
> its test to see if it had a CA and setting the values if it did, so it
> never ran the SSL_CTX_load_verify_locations, believing it had no CTX
>
> The logic was all fine, just one line setting the CA done at the wrong
> place.
>
> So, hooray, all of the SSL functionality now works!
>
> Thanks
> --
> Michael Simms
>

--
Regards
Joshi Chandran
Re: which algorithms are enabled by default with fips?
Hi All,

Will the OpenSSL community release all versions of openssl with fips support, i.e. will the next release of openssl support fips capability?

Thanks
Joshi Chandran

On Mon, Jan 12, 2009 at 7:23 PM, Steve Marquess wrote:

> PGNet wrote:
>
>> On Sun, Jan 11, 2009 at 3:42 PM, Steve Marquess <marqu...@oss-institute.org> wrote:
>>
>>> Long story short, OpenSSH really needs some source mods to
>>> gracefully invoke and run in FIPS mode.
>>>
>>
>> Hrm ... I'd have thought that openssh would be among the 1st/best @
>> compliance.
>>
>
> Me too. I embarked on this FIPS validation adventure some six years ago
> because my DoD client at the time wanted a FIPS validated OpenSSH. I
> wrote a patch several years ago but didn't push it at the time because
> the first OpenSSL FIPS Object Module validation was still pending, and
> encountering some significant opposition that took all my attention.
> Now the OpenSSH patch is not a priority for any of my clients and I
> don't have the spare time to pursue it. I'd love to see someone else
> follow it through.
>
> To my knowledge Stunnel is the first application to formally support the
> FIPS object Module. I've been told ProFTP has baselined support as
> well. I've heard privately from many people who have done local mods of
> various applications, but have been disappointed in how slowly this
> support is appearing publicly.
>
> Several people, myself included, have created patches to that end.
>>>
>>
>> Are those specific patches sourced in the openssl trees, the openssh
>> trees, or somewhere else? I'll google, but if you have URLs ...
>>
>
> I could point you to my original very dated patch but I know there are
> some more recent updates. Check the OpenSSH mail archives.
>
> Of course, if you don't plan to actually run in FIPS mode and just
>>> need buzzword compliance (often the case) then what you plan should
>>> work.
>>>
>>
>> We've gotten a heads-up that a gov't client will require in the next
>> (soon, tho hasn't occurred just yet ...) contract that SSH/VPN/IPSec/etc
>> comms will be required. Of course, detailed spec, verification, etc is not
>> yet available.
>>
>> $10 says it's for _their_ buzzword compliance
>>
>
> Very typical for DoD. The mandates for *procurement* of validated
> software are (increasingly) enforced, but there doesn't seem to be any
> effective push to actually *use* a runtime FIPS mode. That lack of
> pressure plus the interoperability issues that FIPS mode can cause means
> program managers have zero incentive to actually run anything in FIPS
> mode. It's a paper chase.
>
> My goal is to get an all-ssh-in-fips-mode setup demo'd locally, then hand
>> it off to our tech folks so that we can then respond & document when the
>> demand occurs.
>>
>
> Please consider posting your patches to the OpenSSH lists...
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> marqu...@oss-institute.org
>

--
Regards
Joshi Chandran
Re: Make test fails for openssl fips 1.2 for 64 bit
This problem will exist for the fips package, so I can ignore this error, use the fips module with openssl 9.8j, and test (make test in openssl 9.8J) in openssl 9.8J. Please correct me if I am wrong.

Thanks
Joshi

On Tue, Jan 20, 2009 at 5:07 PM, Dr. Stephen Henson wrote:

> On Tue, Jan 20, 2009, joshi chandra wrote:
>
> >
> > Hi All,
> >
> > I have came across the error when i build openssl fips 1.2 for 64 bit .
> >
> > ./Configure fipscanisterbuild aix64-cc
> >
> > make was successful
> >
>
> Well other than that command line violating the security policy...
>
> You may well have problems attempting to use the version of OpenSSL in the
> FIPS 1.2 distribution due to its use of function pointers in a way gcc doesn't
> like. The validated module doesn't use such pointers so that is OK. At the
> time the tarball was submitted this wasn't an issue.
>
> If you use the validated module with OpenSSL 0.9.8j this shouldn't happen.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
>

--
Regards
Joshi Chandran
Re: Make test failed for Fips Capable openssl 9.8J
I have used the same security policy steps.

openssl fips 1.2

1. ./Configure fipscansiterbuild aix-cc
2. make
3. make install

openssl 9.8j

1. ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl --with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared threads aix-xlc_r
2. make
3. make test

Can you please tell me where I have gone wrong?

Thanks
Rajan

On Wed, Jan 21, 2009 at 10:50 PM, Dr. Stephen Henson wrote:

> On Wed, Jan 21, 2009, rajanchittil wrote:
>
> >
> > Hi All,
> >
> > I am new to openssl and i am first time building openssl source code .
> >
> > I have build openssl fips 1.2
> >
> > ./Configure fipscansiterbuild aix-cc
> > make
> >
> > It generated the fips module
> >
>
> That build procedure violates the security policy so the result is not
> validated.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
>

--
Regards
Joshi Chandran
Re: openssl-fips 1.2 questions
I have a doubt regarding fips. If I have an application which enters fips mode, will that put the crypto lib into fips mode, and will the rest of the applications also be in fips mode? In other words, is fips mode at the system level or the application level?

Thanks
Joshi

On Fri, Jan 23, 2009 at 7:24 PM, Michal Trojnara <michal.trojn...@mobi-com.net> wrote:

>
> Steve Marquess wrote:
> > Stunnel has official FIPS mode support.
>
> I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2.
> Unfortunately it looks like fipsld is no longer installed during the
> openssl-fips installation process. Can you confirm it? Is there a
> recommended way to find fipsld in ./configure script?
>
> TIA,
>    Michal Trojnara
>

--
Regards
Joshi Chandran
Re: Make test failed for Fips Capable openssl 9.8J
fter overwriting:
>> > >
>> 5171b0a563d968222705431c1abf13bef9780e38a28817d7a36c953d18179e2330ee87d363b8154e2d268eb5aed447bd6419da455d390ce70891bf0512360721e0be0e44c32489e1c975436fa752460397a8e921a0ad64eee7200abe57c2807925edc105a5233da59dd7b4a26a675a2683d5cbee2d87f02fefbfaab5c355e264
>> > > char buffer key before overwriting:
>> > > 4850f0a33aedd3af6e477f8302b10968
>> > > char buffer key after overwriting:
>> > > 96a916306b46b3d4189fa6d1b04a4ed9
>> > > successful as expected
>> > >
>> > > All tests completed with 0 errors
>> > >
>> > > $ ./fips_test_suite aes
>> > > FIPS-mode test application
>> > >
>> > > AES encryption/decryption with corrupted KAT...
>> > >
>> ERROR:2d06e065:lib=45,func=110,reason=101:file=fips_aes_selftest.c:line=98:
>> > > Power-up self test failed
>> > > $ ./fips_test_suite sha1
>> > > FIPS-mode test application
>> > >
>> > > SHA-1 hash with corrupted KAT...
>> > >
>> ERROR:2d073065:lib=45,func=115,reason=101:file=fips_sha1_selftest.c:line=90:
>> > > Power-up self test failed
>> > >
>> > > These things work fine.
>> > >
>> > > Can you please tell me where I am going wrong?
>> > >
>> >
>> > Try building without the "shared" option and see if that works. Also make sure
>> > the system type is consistent between the two builds... in the FIPS directory
>> > do:
>> >
>> > ./config -t
>> >
>> > and ensure you use that type for the 0.9.8j build.
>> >
>> > Steve.
>> > --
>> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> > OpenSSL project core developer and freelance consultant.
>> > Homepage: http://www.drh-consultancy.demon.co.uk
>>
>> HOWDY COWBOYS & COWGIRLS
>>
>> i get all your e-mail all the time every day, i develo web ages, excuse my
>> daughters com uter it doesnt have the letter thats missing, anyway
>>
>> i must get at least 12 mails a day about your develo ing secure info and
>> netsca e develo ment. sssi etc. dont send them
>>
>> anymore, i know you use lists, take my address off. thanx from bob in the
>> usa! and GOD bless all!
>>

--
Regards
Joshi Chandran
Re: Not able to find Definition of MD5_Init, MD5_Update and MD5_Final?
, I want to find the definition of this function. The prototype of this function is there in the md5.h file, but when I tried to find the code for this function, I was not able to find any code related to this function.

Thanks in advance
Rajan

On Wed, Jul 29, 2009 at 1:06 PM, Neil Dugan wrote:
> rajanchittil wrote:
>>
>> Hi All,
>>
>> I was trying to figure out the definition for these functions
>>
>> 1. MD5_Init
>> 2. MD5_Update
>> 3. MD5_Final
>>
>> I went through the openssl source code but was not able to find the
>> definition of it.
>>
>> Can anyone please help me regarding the same?
>>
>> Thanks in advance
>>
>> Rajan
>
> did you include the openssl/md5.h file

--
Regards
Joshi Chandran
Re: Not able to find Definition of MD5_Init, MD5_Update and MD5_Final?
Thanks Martin.

I can find the definition of MD5_Update() and MD5_Final(), but was not able to find the definition for MD5_Init() in crypto/md5/md5_dgst.c

On Wed, Jul 29, 2009 at 1:38 PM, Martin Kaiser wrote:
> Hello Joshi,
>
> On Wed, Jul 29, 2009 at 01:13:27PM +0530, joshi chandran wrote:
>
>> , I want to find the definition of this function. The prototype of
>> this function is there in the md5.h file, but when I tried to find the code
>> for this function, I was not able to find any code related to this
>> function.
>
> MD5_Init() is in crypto/md5/md5_dgst.c
>
> MD5_Update() and MD5_Final() are mapped to HASH_UPDATE() and
> HASH_FINAL(), respectively. This is defined in crypto/md5/md5_locl.h
>
> HASH_UPDATE() and HASH_FINAL() are implemented in crypto/md32_common.h
>
> Best regards,
>
>    Martin

--
Regards
Joshi Chandran
Re: Not able to find Definition of MD5_Init, MD5_Update and MD5_Final?
I am using openssl 9.8k ...

This is the content of md5_dgst.c

#include <stdio.h>
#include "md5_locl.h"
#include <openssl/opensslv.h>
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#endif

const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;

/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
 */

#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L

FIPS_NON_FIPS_MD_Init(MD5)
    {
    c->A=INIT_DATA_A;
    c->B=INIT_DATA_B;
    c->C=INIT_DATA_C;
    c->D=INIT_DATA_D;
    c->Nl=0;
    c->Nh=0;
    c->num=0;
    return 1;
    }

#ifndef md5_block_data_order
#ifdef X
#undef X
#endif
void md5_block_data_order (MD5_CTX *c, const void *data_, size_t num)
    {
    const unsigned char *data=data_;
    register unsigned MD32_REG_T A,B,C,D,l;
#ifndef MD32_XARRAY
    /* See comment in crypto/sha/sha_locl.h for details. */
    unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7,
                        XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15;
# define X(i) XX##i
#else
    MD5_LONG XX[MD5_LBLOCK];
# define X(i) XX[i]
#endif

    A=c->A;
    B=c->B;
    C=c->C;
    D=c->D;

    for (;num--;)
        {
    HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l;
    /* Round 0 */
    R0(A,B,C,D,X( 0), 7,0xd76aa478L); HOST_c2l(data,l); X( 2)=l;
    R0(D,A,B,C,X( 1),12,0xe8c7b756L); HOST_c2l(data,l); X( 3)=l;
    R0(C,D,A,B,X( 2),17,0x242070dbL); HOST_c2l(data,l); X( 4)=l;
    R0(B,C,D,A,X( 3),22,0xc1bdceeeL); HOST_c2l(data,l); X( 5)=l;
    R0(A,B,C,D,X( 4), 7,0xf57c0fafL); HOST_c2l(data,l); X( 6)=l;
    R0(D,A,B,C,X( 5),12,0x4787c62aL); HOST_c2l(data,l); X( 7)=l;
    R0(C,D,A,B,X( 6),17,0xa8304613L); HOST_c2l(data,l); X( 8)=l;
    R0(B,C,D,A,X( 7),22,0xfd469501L); HOST_c2l(data,l); X( 9)=l;
    R0(A,B,C,D,X( 8), 7,0x698098d8L); HOST_c2l(data,l); X(10)=l;
    R0(D,A,B,C,X( 9),12,0x8b44f7afL); HOST_c2l(data,l); X(11)=l;
    R0(C,D,A,B,X(10),17,0xffff5bb1L); HOST_c2l(data,l); X(12)=l;
    R0(B,C,D,A,X(11),22,0x895cd7beL); HOST_c2l(data,l); X(13)=l;
    R0(A,B,C,D,X(12), 7,0x6b901122L); HOST_c2l(data,l); X(14)=l;
    R0(D,A,B,C,X(13),12,0xfd987193L); HOST_c2l(data,l); X(15)=l;
    R0(C,D,A,B,X(14),17,0xa679438eL);
    R0(B,C,D,A,X(15),22,0x49b40821L);
    /* Round 1 */
    R1(A,B,C,D,X( 1), 5,0xf61e2562L);
    R1(D,A,B,C,X( 6), 9,0xc040b340L);
    R1(C,D,A,B,X(11),14,0x265e5a51L);
    R1(B,C,D,A,X( 0),20,0xe9b6c7aaL);
    R1(A,B,C,D,X( 5), 5,0xd62f105dL);
    R1(D,A,B,C,X(10), 9,0x02441453L);
    R1(C,D,A,B,X(15),14,0xd8a1e681L);
    R1(B,C,D,A,X( 4),20,0xe7d3fbc8L);
    R1(A,B,C,D,X( 9), 5,0x21e1cde6L);
    R1(D,A,B,C,X(14), 9,0xc33707d6L);
    R1(C,D,A,B,X( 3),14,0xf4d50d87L);
    R1(B,C,D,A,X( 8),20,0x455a14edL);
    R1(A,B,C,D,X(13), 5,0xa9e3e905L);
    R1(D,A,B,C,X( 2), 9,0xfcefa3f8L);
    R1(C,D,A,B,X( 7),14,0x676f02d9L);
    R1(B,C,D,A,X(12),20,0x8d2a4c8aL);
    /* Round 2 */
    R2(A,B,C,D,X( 5), 4,0xfffa3942L);
    R2(D,A,B,C,X( 8),11,0x8771f681L);
    R2(C,D,A,B,X(11),16,0x6d9d6122L);
    R2(B,C,D,A,X(14),23,0xfde5380cL);
    R2(A,B,C,D,X( 1), 4,0xa4beea44L);
    R2(D,A,B,C,X( 4),11,0x4bdecfa9L);
    R2(C,D,A,B,X( 7),16,0xf6bb4b60L);
    R2(B,C,D,A,X(10),23,0xbebfbc70L);
    R2(A,B,C,D,X(13), 4,0x289b7ec6L);
    R2(D,A,B,C,X( 0),11,0xeaa127faL);
    R2(C,D,A,B,X( 3),16,0xd4ef3085L);
    R2(B,C,D,A,X( 6),23,0x04881d05L);
    R2(A,B,C,D,X( 9), 4,0xd9d4d039L);
    R2(D,A,B,C,X(12),11,0xe6db99e5L);
    R2(C,D,A,B,X(15),16,0x1fa27cf8L);
    R2(B,C,D,A,X( 2),23,0xc4ac5665L);
    /* Round 3 */
    R3(A,B,C,D,X( 0), 6,0xf4292244L);
    R3(D,A,B,C,X( 7),10,0x432aff97L);
    R3(C,D,A,B,X(14),15,0xab9423a7L);
    R3(B,C,D,A,X( 5),21,0xfc93a039L);
    R3(A,B,C,D,X(12), 6,0x655b59c3L);
    R3(D,A,B,C,X( 3),10,0x8f0ccc92L);
    R3(C,D,A,B,X(10),15,0xffeff47dL);
    R3(B,C,D,A,X( 1),21,0x85845dd1L);
    R3(A,B,C,D,X( 8), 6,0x6fa87e4fL);
    R3(D,A,B,C,X(15),10,0xfe2ce6e0L);
    R3(C,D,A,B,X( 6),15,0xa3014314L);
    R3(B,C,D,A,X(13),21,0x4e0811a1L);
    R3(A,B,C,D,X( 4), 6,0xf7537e82L);
    R3(D,A,B,C,X(11),10,0xbd3af235L);
    R3(C,D,A,B,X( 2),15,0x2ad7d2bbL);
    R3(B,C,D,A,X( 9),21,0xeb86d391L);

    A = c->A += A;
    B = c->B += B;
    C = c->C += C;
    D = c->D += D;
        }
    }
#endif

On Wed, Jul 29, 2009 at 4:52 PM, Martin Kaiser wrote:
>
> On Wed, Jul 29, 2009 at 03:03:27PM +0530, joshi chandran wrote:
>>
>> I can fi
Re: Not able to find Definition of MD5_Init, MD5_Update and MD5_Final?
I got the definition for MD5_Update and MD5_Final, but was not able to figure out the code for MD5_Init.

Thanks in advance

On Wed, Jul 29, 2009 at 6:15 PM, PMHager wrote:
>
> In crypto\md5\md5_locl.h:
>
> #define HASH_UPDATE MD5_Update
> #define HASH_FINAL MD5_Final
> #include "md32_common.h"
>
> now in crypto\md32_common.h:
>
> int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
> {...}
> int HASH_FINAL (unsigned char *md, HASH_CTX *c)
> {...}
>
> Please note that #define is not an assignment. It is a replacement definition.
>
> Peter
Re: Not able to find Definition of MD5_Init, MD5_Update and MD5_Final?
But in OpenSSL 9.8k, this function is changed to

#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L

FIPS_NON_FIPS_MD_Init(MD5)
    {
    c->A=INIT_DATA_A;
    c->B=INIT_DATA_B;
    c->C=INIT_DATA_C;
    c->D=INIT_DATA_D;
    c->Nl=0;
    c->Nh=0;
    c->num=0;
    return 1;
    }

I cannot see any MD_Init function there. So how is the MD_Init function generated?

Thanks

On Wed, Jul 29, 2009 at 6:41 PM, PMHager wrote:
> It is in crypto\md5\md5_dgst.c:
>
> int MD5_Init(MD5_CTX *c)
> {
>     memset (c,0,sizeof(*c));
>     c->A=INIT_DATA_A; // see #define INIT_DATA_A (unsigned long)0x67452301L
>     c->B=INIT_DATA_B; // see #define INIT_DATA_B (unsigned long)0xefcdab89L
>     c->C=INIT_DATA_C; // see #define INIT_DATA_C (unsigned long)0x98badcfeL
>     c->D=INIT_DATA_D; // see #define INIT_DATA_D (unsigned long)0x10325476L
>     return 1;
> }
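Added example, not part of the thread and not OpenSSL's source: a sketch of how a line such as `FIPS_NON_FIPS_MD_Init(MD5)` followed by a brace block can define an `_Init` function whose name never appears in the file. It assumes the macro builds the name by token pasting (`##`); the names `HASHA`, `HASHB`, `MD_INIT_PLAIN`, `MD_INIT_GATED` and `demo_fips_mode` are hypothetical, and the gated variant shows how a FIPS-capable build can put a mode check in front of a non-approved digest.

```c
#include <string.h>

/* Constructed demo names (HASHA, HASHB, MD_INIT_*): hypothetical, not OpenSSL's. */
typedef struct { unsigned long A, B, C, D; unsigned int Nl, Nh, num; } HASHA_CTX;
typedef HASHA_CTX HASHB_CTX;

static int demo_fips_mode = 0;  /* stand-in for a library-wide FIPS flag */

/* Plain variant: the macro is only the function header, so the braces
 * written after the macro call become the body of alg_Init(). */
#define MD_INIT_PLAIN(alg) int alg##_Init(alg##_CTX *c)

/* Gated variant: emits a complete public alg_Init() that refuses to run
 * while the FIPS flag is set, then opens private_alg_Init(); the braces
 * after the macro call become the body of the private function. */
#define MD_INIT_GATED(alg)                      \
    int private_##alg##_Init(alg##_CTX *c);     \
    int alg##_Init(alg##_CTX *c)                \
    {                                           \
        if (demo_fips_mode)                     \
            return 0;                           \
        return private_##alg##_Init(c);         \
    }                                           \
    int private_##alg##_Init(alg##_CTX *c)

/* Shared body: zero the context and load the RFC 1321 initial state. */
static int load_initial_state(HASHA_CTX *c)
{
    memset(c, 0, sizeof(*c));
    c->A = 0x67452301UL;
    c->B = 0xefcdab89UL;
    c->C = 0x98badcfeUL;
    c->D = 0x10325476UL;
    return 1;
}

/* After preprocessing: int HASHA_Init(HASHA_CTX *c) { ... } */
MD_INIT_PLAIN(HASHA)
{
    return load_initial_state(c);
}

/* After preprocessing: HASHB_Init() (the gate) and private_HASHB_Init(). */
MD_INIT_GATED(HASHB)
{
    return load_initial_state(c);
}
```

A text search for `HASHA_Init(` in this file finds nothing, which is the situation described in the thread; the preprocessor output (`cc -E`) or the object file's symbol table (`nm`) shows the generated names.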