On 14 June 2013 16:10, Bodo Moeller bmoel...@acm.org wrote:
Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared
libraries are updated to include the patch existing applications won't set
it:
they'd all need to be recompiled.
That's a valid point.
This is true,
On Wed Feb 01 14:02:51 2012, dominik.oe...@informatik.hu-berlin.de wrote:
Hi
BN_generate_prime_ex can generate prime numbers larger than the
specified bitsize. The problem can be reproduced using the following
commands:
[do@trinity tmp]$
On 27 March 2013 12:04, Matt Caswell fr...@baggins.org wrote:
On 27 March 2013 11:52, Michael Sierchio ku...@tenebras.com wrote:
Does Phil still teach at UC Davis? You could always ask him directly
for clarification or a waiver.
His contact details are on the web page describing the various
On 19 March 2013 18:53, Steve Marquess marqu...@opensslfoundation.com wrote:
On 03/19/2013 10:47 AM, Pierre DELAAGE wrote:
Dear Steve, I was wondering whether the wiki could be fed at the
beginning by all the Documents available at
http://www.openssl.org/docs/.
Very often people are able to
On 19 March 2013 23:27, Steve Marquess marqu...@opensslfoundation.com wrote:
On 03/19/2013 04:59 PM, Matt Caswell wrote:
On 19 March 2013 19:38, Steve Marquess marqu...@opensslfoundation.com
wrote:
I took a quick look to see what utilities might be available to convert
between pod and
On 6 March 2013 03:55, Nayna Jain naynj...@in.ibm.com wrote:
Hi all,
Are RAND_seed(), RAND_add() NIST SP 800-151A compliant ?
800-151 does not appear to exist, got a link?
__
OpenSSL Project
Hey - why not make this a test?
On 5 March 2013 18:31, Dr. Stephen Henson st...@openssl.org wrote:
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project OpenSSL source code.
The branch,
On 3 March 2013 04:36, Jonathan Buhacoff jonat...@buhacoff.net wrote:
Hi,
I have a school project to make use of a TPM to store the server's RSA
private key for use with openssl. Specifically, that private key would be
sealed to certain PCR values that are also encoded in the X509
On 11 February 2013 13:19, David Woodhouse dw...@infradead.org wrote:
On Mon, 2013-02-11 at 20:59 +, David Woodhouse wrote:
From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001
From: Dr. Stephen Henson st...@openssl.org
Date: Thu, 7 Feb 2013 21:06:37 +
Subject:
On 16 January 2013 13:55, Bruce Cran br...@cran.org.uk wrote:
We've been having regular build problems on Windows: sometimes nasm claims
there are unresolved symbols. For example:
set ASM=nasm -f win64 -DNEAR -Ox -g
perl crypto\x86_64cpuid.pl tmp32dll.dbg\x86_64cpuid.asm
nasm -f win64
Already fixed.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager
I believe this was fixed long ago.
Fixed in 1.0.1+
Given the age of this, I'm assuming it either got done, wasn't needed or no-one
cares about these protocols.
0.9.7 is no longer supported.
The sharp-eyed will have already noticed we're moving to git.
Well, it looks like that's actually happened now. We're also shifting
pretty much everything to new infrastructure.
So, there may be outages, unexpected changes and general weirdness for
a little while.
We'll let you know when we're
Why go via SSL_CTX_ctrl and SSL_ctrl? In fact, why do those exist at all?
On Wed, Dec 26, 2012 at 2:25 PM, Dr. Stephen Henson st...@openssl.org wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server:
On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher joepletc...@gmail.com wrote:
Hello all,
I hope this question is more appropriate for this list. I tried openssl-users
with no luck. If not, I apologize in advance.
I'm working on an OpenSSL project, and I could use some help. I am writing a
On Mon, Oct 8, 2012 at 5:13 PM, Tomas Hoger tho...@redhat.com wrote:
Hi!
Are there any plans to apply any changes to OpenSSL related to the
recent CRIME attack? Unlike other libraries (e.g. GnuTLS or NSS),
OpenSSL enables zlib by default. Is there a plan to change the default
in response
On Mon, Sep 17, 2012 at 6:24 PM, Bodo Moeller b...@openssl.org wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Bodo Moeller
Root: /v/openssl/cvs
On Tue, Sep 18, 2012 at 9:47 AM, Ben Laurie b...@links.org wrote:
On Mon, Sep 17, 2012 at 6:24 PM, Bodo Moeller b...@openssl.org wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server
On Sun, Jun 10, 2012 at 11:15 AM, Andy Polyakov ap...@openssl.org wrote:
The point of these changes is to reduce the skew between versions.
They are not random.
Consider my
http://cvs.openssl.org/filediff?f=openssl/crypto/x86cpuid.pl&v1=1.24&v2=1.25.
What is the criteria for two changes
The point of these changes is to reduce the skew between versions.
They are not random.
On Mon, Jun 4, 2012 at 11:12 PM, Andy Polyakov ap...@openssl.org wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
LOL!
On Thu, May 31, 2012 at 7:41 PM, David Anthony via RT r...@openssl.org wrote:
Hello all,
There has been a new security vulnerability we have reported over at
Bugtraq (http://seclists.org/bugtraq/2012/May/155) and we feel that it
should also be reported to the OpenSSL dev team. If there
On Tue, Apr 17, 2012 at 9:46 PM, Lubomír Sedlář lubomir.sed...@gmail.com wrote:
Hello,
I would like to ask if any static analysis tool was ever used to detect
possible problems in OpenSSL source code. Is some tool used regularly?
I tried running Clang Static Analyzer [1] on the source of
On Fri, Apr 20, 2012 at 4:53 PM, Jean-Marc Desperrier jmd...@free.fr wrote:
On Tue, 17 Apr 2012, Lubomír Sedlář wrote:
I would like to ask if any static analysis tool was ever used to detect
possible problems in OpenSSL source code. Is some tool used regularly?
I tried running Clang Static
On Sat, Feb 18, 2012 at 5:37 PM, Kurt Roeckx k...@roeckx.be wrote:
On Sat, Feb 18, 2012 at 05:28:41PM +0100, Stanislav Meduna wrote:
On 18.02.2012 17:02, Edward Ned Harvey wrote:
So these studies went out and scoured the internet, collecting public keys
from every service they could find,
On Mon, Dec 12, 2011 at 3:19 PM, Marshall Clow mclow.li...@gmail.com wrote:
I've been testing out the LLVM static analysis tool
http://clang-analyzer.llvm.org/ on various code bases, and it's lighting
up a particular construct used in OpenSSL.
Let me state my position right up front:
I have
I notice that the current version doesn't even compile under gcc 4.2.2
with our preferred flags.
gcc 4.6 is quite happy, though, interestingly.
On Fri, Dec 2, 2011 at 3:45 PM, Yann Droneaud via RT r...@openssl.org wrote:
The problem of the upper capability bytes is also affecting
I think we fixed this...
On Sat, Nov 19, 2011 at 2:28 PM, Ben Murphy benmmur...@gmail.com wrote:
I think there might be a bug with Next Protocol Negotiation and SSL
Renegotiation. My interpretation of the spec is that you shouldn't be
doing NPN negotiation during ssl renegotiation. Openssl
On Fri, Nov 25, 2011 at 8:36 AM, Ladar Levison la...@lavabit.com wrote:
On 11/17/11 3:08 PM, Ben Laurie wrote:
On Thu, Nov 17, 2011 at 1:01 PM, Ladar Levison la...@lavabit.com wrote:
On 11/17/11 10:51 AM, Ben Laurie wrote:
.\ssl\t1_enc.c(963): warning C4267: 'return' : conversion from
On Fri, Nov 18, 2011 at 10:08 AM, Andy Polyakov ap...@openssl.org wrote:
.\ssl\t1_enc.c(963): warning C4267: 'return' : conversion from
'size_t' to 'int', possible loss of data t1_lib.c
.\ssl\t1_lib.c(301): warning C4244: '=' : conversion from '__int64' to
'long', possible loss of data We
On Thu, Nov 17, 2011 at 1:01 PM, Ladar Levison la...@lavabit.com wrote:
On 11/17/11 10:51 AM, Ben Laurie wrote:
.\ssl\t1_enc.c(963): warning C4267: 'return' : conversion from 'size_t' to
'int', possible loss of data t1_lib.c .\ssl\t1_lib.c(301): warning C4244:
'=' : conversion from '__int64
On Thu, Nov 17, 2011 at 1:29 AM, Hans Camilleri hans.camill...@rs2.com wrote:
Dear Sir/Madam,
First of all I would like to thank you for the good work in developing
openSSL project.
We have recently downloaded openssl-1.0.0e and created a Visual Studio 2010
project which gives us loads
Why are you modifying OpenSSL for this? This is a Microsoft bug - have
you reported it to Microsoft?
On 30/06/2011 19:58, Andrey Kulikov via RT wrote:
Now it is not possible to disable sending renegotiation_info extension from
server.
The only way to do it - is to disable TLS extension
? :-)
Their programs work with other servers, but not with mine.
Their programs only work with insecure servers. They should fix their
programs (or get them fixed).
Is the question still valid?
:-)
On 1 July 2011 12:20, Ben Laurie via RT r...@openssl.org wrote:
Why are you modifying OpenSSL
Hmm. This looks like the start of a version fight between FIPS and
non-FIPS builds!
On 10/06/2011 18:17, Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org
On 09/06/2011 20:43, Andreas Probst wrote:
Hi community,
I found an email about VeraCode having found issues in OpenSSL (see
http://www.mail-archive.com/openssl-dev@openssl.org/msg25491.html).
Have there been follow-up activities? Did someone review or address
the VeraCode results?
On 15/04/2011 20:59, Eric Wong wrote:
Hello,
I'm not very knowledgeable about OpenSSL internals, but it appears
RAND_bytes() is seeded with the pid of each process, and since pids get
recycled, it's possible for two processes sharing a common parent to get
the same random sequence over time
On 06/04/2011 10:11, Laszlo Papp wrote:
Hi,
From the code:
http://cvs.openssl.org/fileview?f=openssl/crypto/conf/conf_api.c&v=1.18.2.1
I think 'vv' could also be eliminated from the last function
(_CONF_new_section) there and the assert could be called directly on
the method.
Please
On 01/04/2011 09:02, Robin Seggelmann via RT wrote:
Hi,
On Apr 1, 2011, at 9:28 AM, via RT wrote:
I’ve tested DTLS implementation and know that several fixes have
been applied for issues related to fragment.
Thanks for testing! There is a known issue with the bitmask, the
patch #2457
On 23/03/2011 21:56, Tim Jackson wrote:
I hit this, and a number of other issues related to turning off
particular ciphers, as well. I have patches (1.0.0-1.0.0d). If
there's enough interest, I'll submit them.
Please do.
From: via RT r...@openssl.orgmailto:r...@openssl.org Reply-To:
On 13/03/2011 18:21, Stephen Henson via RT wrote:
[j...@studt.net - Sun Mar 13 19:15:48 2011]:
Perhaps the bomb.p12 got corrupted in transit? That looks a lot like
feeding a non-ASN.1 file to openssl.
It's easy enough to recreate such a file with:
openssl pkcs12 -out foo.p12 -export
On Mar 13, 2011, at 12:18 PM, Ben Laurie via RT wrote:
If I run
openssl pkcs12 -nomacver -in bomb.p12 -info
on 1.0.0-stable, I get
1211807336:error:0D07209B:asn1 encoding
routines:ASN1_get_object:too long:asn1_lib.c:142
On 12/03/2011 17:27, Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs
On 12/03/2011 18:06, Dr. Stephen Henson wrote:
On Sat, Mar 12, 2011, Ben Laurie wrote:
On 12/03/2011 17:27, Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server
If I run
openssl pkcs12 -nomacver -in bomb.p12 -info
on 1.0.0-stable, I get
1211807336:error:0D07209B:asn1 encoding routines:ASN1_get_object:too
long:asn1_lib.c:142:
1211807336:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object
header:tasn_dec.c:1306:
On 13/03/2011 18:21, Stephen Henson via RT wrote:
[j...@studt.net - Sun Mar 13 19:15:48 2011]:
Perhaps the bomb.p12 got corrupted in transit? That looks a lot like
feeding a non-ASN.1 file to openssl.
It's easy enough to recreate such a file with:
openssl pkcs12 -out foo.p12 -export
Thanks for the patch!
If you want this to be applied it needs to be against 1.0.1 and HEAD.
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email:
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email:
Richard Levitte wrote:
In message 49fdecd0.6080...@links.org on Sun, 03 May 2009 20:13:20 +0100,
Ben Laurie b...@links.org said:
ben Richard Levitte wrote:
ben OpenSSL CVS Repository
ben http://cvs.openssl.org/
ben
[dw...@infradead.org - Sat Dec 20 14:00:34 2008]:
On Tue, 2008-10-07 at 10:12 +0100, David Woodhouse wrote:
This patch against the 0.9.8 branch adds an SSL option for compatibility
with the pre-RFC version of DTLS used by Cisco for their AnyConnect SSL
VPN. This is RT #1751.
With
Bodo Moeller wrote:
On Fri, Jan 9, 2009 at 1:42 PM, Brad House b...@mainstreetsoftworks.com
wrote:
BTW, I didn't see in the changelog the fact that tls extensions were
enabled by default between 0.9.8i and j...
It's there, 3rd entry:
*) Enable TLS extensions by default.
[Ben
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: [EMAIL
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: [EMAIL
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: [EMAIL
Bodo Moeller wrote:
On Mon, Jun 2, 2008 at 12:47 PM, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Sun, Jun 01, 2008, Ben Laurie wrote:
Stop const mismatch warning.
- else if (index_name_cmp(row,rrow))
+ else if (index_name_cmp((const CSTRING *)row,(const CSTRING *)rrow
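Review bot: the added index_name_cmp call silences the const mismatch by casting both row and rrow to const CSTRING *, which would also hide a genuine type mismatch if either variable's type changes later. Prefer declaring row and rrow with the type index_name_cmp expects, or adjusting its prototype, so the call compiles without a cast and the compiler keeps checking the arguments.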
Dr. Stephen Henson wrote:
- if (len == -1)
+ if ((len == -1) !(attrtype MBSTRING_FLAG))
I do wish you wouldn't use these extra brackets around comparison operators.
if (len == -1 && !(attrtype & MBSTRING_FLAG))
works just fine and is consistent with most of the rest of the
Dr. Stephen Henson wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Dr. Stephen Henson
Root: /v/openssl/cvs Email: [EMAIL PROTECTED]
Lutz Jaenicke wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Lutz Jaenicke
Root: /v/openssl/cvs Email: [EMAIL PROTECTED]
Module:
Lutz Jaenicke wrote:
Lutz Jaenicke wrote:
Peter Waltenberg wrote:
Yes, it's desirable that that data is unknown however there is a
compromise possible:
Complement the area. It'll mean valgrind will only complain at the correct
place, or possibly not at all, and it's still random. The
Victor B. Wagner wrote:
Recently, (08-Nov) #ifdef ENGINE_DYNAMIC_SUPPORT
was added around IMPLEMENT_DYNAMIC_BIND function
in engines/ccgost/gost_eng.c (in CVS HEAD)
By default, this macro is not enabled, even if shared option is passed
to configure. This renders compiled shared library
Victor B. Wagner wrote:
On 2006.11.14 at 10:59:41 +, Ben Laurie wrote:
cvs log doesn't tell anything but Fix various warnings
If you compile with -Wall -Wmissing-prototypes -Wstrict-prototypes
-Wmissing-declarations -Werror then you'll see the errors I'm fixing.
If people always did
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Wed, 8 Nov 2006 21:59:19 -0800, David
Schwartz [EMAIL PROTECTED] said:
davids You are correct, but that's not the issue. The issue is this
davids simple -- if you are going to call a function whose types you
davids don't
David Schwartz wrote:
x is still just a pointer to data - so it's the same
length in any case, all pointers to lvalues are the
same length in C. The only issue there is whether it's
aligned correctly - that's the programmer's problem.
Length is not the issue. There is no rule that says that
David Schwartz wrote:
On Tue, Nov 07, 2006, Bernhard Rosenkraenzer wrote:
gcc 4.2 no longer allows function casting - which is used
rather heavily by
openssl. (To make things worse, it compiles but inserts abort()
statements
resulting in app crashes).
Ugh, I would've thought that
Dr. Stephen Henson wrote:
On Wed, Nov 08, 2006, Ben Laurie wrote:
But it gets cast back to the correct type before it is called. These
casts are done the way they are to get type-safety. Removing that option
strikes me as a bad thing.
Yes and that happened to be a way that worked on all
Camp, TracyX E wrote:
I really didn't hear much back on this topic, but what I did hear seemed
to support the approach I have been taking thus far. Please see my
previous message in this thread for the details.
So in hopes of moving this topic along in a practical sense, I have
Camp, TracyX E wrote:
I'm very much in favour of this. One comment, though - if you're going
to make structure opaque, then why not make them truly opaque by
removing their definitions from the public headers?
In LSB they would be truly opaque. LSB works by producing a set of stub
[EMAIL PROTECTED] - Sun Mar 16 19:20:48 2003]:
We use the following gcc flags for our internal programs
--
-Wmissing-prototypes -Wcomment -Wformat -Wimplicit -Wmain -Wmultichar
-Wswitch -Wshadow -Wtrigraphs -Werror
[EMAIL PROTECTED] wrote:
Hello openssl-dev,
I need to secure the UDP traffic.
I've googled a product called ZeeBeeDee
(http://www.winton.org.uk/zebedee/index.html) but it looks kind of
stalled...
Is there any chance to use the OpenSSL (current or some future
version) for securing
Richard Levitte - VMS Whacker wrote:
Ben,
you committed four non-FIPS changes to 0.9.8-stable only. Are you
going to commit them to HEAD as well?
What did I say about branching being a PITA?
--
ApacheCon Europe http://www.apachecon.com/
http://www.apache-ssl.org/ben.html
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Tue, 28 Jun 2005 15:27:53 +0200 (CEST), Ben
Laurie [EMAIL PROTECTED] said:
ben Log:
ben Did you know it was wrong to use a char as an array index?
It isn't if you know what you're doing. However, when things like
Eduardo Pérez wrote:
On 2005-06-09 19:54:13 +0200, Richard Levitte - VMS Whacker wrote:
much whining snipped
For a comparison, I suggest you compare the RSA structures in
crypto/rsa/rsa.h between 0.9.7 and 0.9.8.
If those RSA structures were only accessible through public methods
there
Philip MacKenzie wrote:
Hi,
This is my first time posting to this list - please let me know if this
is not the right forum for this comment/question.
I noticed that BN_generate_prime() does not actually generate random
primes. For instance, it will never generate a prime p of the form
p=2*3*r +
Nils Larsch wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Nils Larsch
Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
Module: openssl
Nils Larsch wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Nils Larsch
Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
Module: openssl
Nils Larsch wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Nils Larsch
Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
Module: openssl
Scholars might like to note two bugs turned up by this change:
Index: openssl/crypto/asn1/a_set.c
$ cvs diff -u -r1.13 -r1.14 a_set.c
--- openssl/crypto/asn1/a_set.c 5 Dec 2004 01:03:06 - 1.13
+++
Nils Larsch wrote:
Hi,
what about changing the default digest algorithm in apps/x509.c,
apps/req.c and apps/openssl.cnf from md5 to something a bit more
secure like sha-1 ? MD5 shouldn't be used anymore, even by lazy
users who don't explicitly set the digest algorithm.
Definitely.
--
Victor B. Wagner wrote:
On 2005.01.19 at 15:26:25 +0100, Nils Larsch wrote:
Roger Boden wrote:
Hello,
are there any plans to support elliptic curve MQV key agreements in openssl?
afaik no, btw: have a look at [1]
Cheers,
Nils
[1] http://marc.theaimsgroup.com/?l=openssl-users&m=105308047218590&w=2
Jim Schneider wrote:
Sorry, I goofed - I thought we were talking about generating the prime for DH,
not the subsequent operations. In the case of the secret exponents, there's
no real justification for it (x just needs to be larger than C*ln(p)/ln(g),
where g is the DH generator, p is the DH
Jack Lloyd wrote:
On Wed, Nov 24, 2004 at 10:06:10PM +, Ben Laurie wrote:
victor sherbinin wrote:
I'm wondering whether generation of SSL session ID has to be based on
random numbers. In my system, it would be more comfortable for me to
generate a sequentially incrementing 64-bit or 128-bit
victor sherbinin wrote:
I'm wondering whether generation of SSL session ID has to be based on
random numbers. In my system, it would be more comfortable for me to
generate a sequentially incrementing 64-bit or 128-bit session ID,
with some constant padding. Does this violate the security of SSL in
Dr. Stephen Henson wrote:
On Thu, Jun 24, 2004, Ben Laurie wrote:
Dr. Stephen Henson wrote:
Well my personal preference would be to give a hard assertion error in
EVP_DigestInit_ex() and EVP_CipherInit_ex() because a non-FIPS algorithm
will
only appear in there due to an application source error
Dr. Stephen Henson wrote:
Then the EVP routines would just check to see if EVP_FIPS_MD or
EVP_FIPS_CIPHER is set in the flags field in FIPS mode.
Which EVP routines need to be visited? I could leave out the non-FIPS
algorithms in OpenSSL_add_all_{ciphers|digests} as you suggested in an
earlier
Troy Monaghen wrote:
2) I have a multi-threaded AIX application for which I needed to add a
couple of compiler flags in the OpenSSL Configure script in order to
support threading under AIX. After the FIPS code is validated would
making this change be allowed within the security policy?
Yes.
Would
Michael Sierchio wrote:
Ben Laurie wrote:
My understanding is that our security policy is that if you can show a
chain of SHA-1 HMAC signatures from the certified source to
whatever-it-is-you-are-running, then you are certified. We provide one
mechanism to do that. You can provide others.
Note
Jeffrey Altman wrote:
Steve:
Thank you for the answer.
Just fyi, I and Richard Levitte did spend time to get the code to
work on Windows to the extent that was possible without an
answer to the questions you have now answered.
One concern with your answer is that it appears to imply that
FIPS
Richard Levitte wrote:
OpenSSL CVS Repository
http://cvs.openssl.org/
Server: cvs.openssl.org Name: Richard Levitte
Root: /e/openssl/cvs Email: [EMAIL PROTECTED]
I have been told that the FIPS code doesn't work on Windows.
Unfortunately, I don't build OpenSSL on Windows, so that's not something
I can fix. But unless it is fixed, the FIPS certification will not apply
to builds made on Windows, because the certification requires the use of
unmodified
Richard Levitte wrote:
+
+#ifdef __OpenBSD__
+ /* given that all random loads just fail if the file can't be
+ * seen on a stat, we stat the file we're returning, if it
+ * fails, use /dev/arandom instead. this allows the user to
+ * use their own source for good random data, but
David Schwartz wrote:
One of the applications we are working on requires us
to generate RSA key pairs at a rate of about 20-25 key
pairs/second
is there any application out there which can do this??
is using /dev/random, /etc/entropy or accelerator card
with RNG any faster?? and can this achieve
Geoff Thorpe wrote:
There is a patch that illustrates how I've been going about the crypto/bn/
audit that can be browsed/downloaded at;
http://www.openssl.org/~geoff/bn_debug.diff
The comment in the bn.h header changes explains what the basic idea is and
of course the macro
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Sat, 13 Sep 2003 18:57:57 +0200 (CEST), Ben
Laurie [EMAIL PROTECTED] said:
ben OpenSSL CVS Repository
ben http://cvs.openssl.org/
ben
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon Walker
[EMAIL PROTECTED] said:
VWalker I have downloaded the latest FIPS snapshot (9/9) and I have a couple
VWalker more questions about it:
VWalker
VWalker 1) How do I build it?
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Wed, 10 Sep 2003 09:45:29 +0100, Ben Laurie
[EMAIL PROTECTED] said:
ben Richard Levitte - VMS Whacker wrote:
ben In message [EMAIL PROTECTED] on Tue, 09 Sep 2003 13:55:43 -0600, Verdon
Walker [EMAIL PROTECTED] said
101 - 200 of 636 matches