Thanks for the pointer - I should have found that myself!
I was thinking 2012 pre-dated the 2.0 FIPS module validation so the change
might have been picked up, but 2.0 started in 2011 so I understand your
point.
Kevin
On Tue, Nov 4, 2014 at 3:22 AM, Andy Polyakov via RT r...@openssl.org wrote:
Building openssl-fips-2.0.6 for linux-x86_64, using gcc 4.8.2 and I am
seeing these same warnings on three files:
cbc128.c
ccm128.c
gcm128.c
This is first time I've built the FIPS module for this target. For other
targets I've built (using much older gcc cross-compilers, admittedly), I
have not
Roger,
The FIPS_mode_set() call normally calls OpenSSL_init(), which calls
RAND_init_fips(), which initializes/instantiates the FIPS DRBG (including
seeding with good entropy from call to the default DRBG bytes() method).
This all happens if built with OPENSSL_FIPS defined. So check that is
Using FIPS-capable OpenSSL on an embedded system with low entropy
collection rates. Several processes startup during system startup, each
loading libcrypto. Per latest IGs, modified to run self-tests on library
load, requiring OPENSSL_init() call and, hence, DRBG instantiation. It is
possible that
Actually, I realized that a call to FIPS_drbg_reseed() is pointless if
FIPS_drbg_instantiate() had failed. Instead, the call would need to redo
FIPS_drbg_instantiate() after ensuring the default DRBG is properly seeded.
On Fri, May 30, 2014 at 12:02 PM, Kevin Fowler kevpfow...@gmail.com wrote
Not to stand in the way of progress at all, but just to note we
cross-compile OpenSSL libraries for an embedded linux target that is still
using libc_r, not libpthread. That will not change anytime soon for us, at
least on legacy systems.
Besides that, it seems much of this discussion is about
Thanks Andy, very helpful.
The multi/dmulti was because I did not understand the PERLASM_SCHEME
options differed for mips from what I had previously done for intel cpus.
So I changed the elf to n32 in the (new) config line and now dmulti
(and other d calls are used).
The config line i added is
I have been building latest openssl1.0.1c without AES. This has been fine
for libcrypto, and for the application using it. However, if I build libssl
the same way I get errors linking it into an application because there are
unguarded calls to AES functions that I do not build in libcrypto. These
Thanks Andy,
the linker option for libcrypto resolved the issue nicely.
Kevin
On Wed, Aug 22, 2012 at 3:56 PM, Andy Polyakov ap...@openssl.org wrote:
Using openssl-1.0.1c, cross-compiling for x86 netbsd target.
When libcrypto.so is linked up, I get warnings due to the
OPENSSL_cpuid_setup
Using openssl-1.0.1c, cross-compiling for x86 netbsd target.
When libcrypto.so is linked up, I get warnings due to the
OPENSSL_cpuid_setup call in x86cpuid.S:
../lib/gcc/i386--netbsdelf/4.1.3/../../../../i386--netbsdelf/bin/ld: warning:
dynamic relocation in readonly section
Thanks Andy,
Yes, there is a discrepancy between the standard cross-compiler we use and
the fact that we currently still use libc_r, in that -pthreads resolves
to -lpthread. For our builds the -pthread option is not used so it never
came up, but to use the cross-compiler to build FIPS module and
: Kevin Fowler kevpfow...@gmail.com
À: openssl-dev@openssl.org
Envoyé: Mercredi 27 Juin 2012 17:39:08
Objet: Re: help with thread lib - x86/BSD
From what I can tell, the specs file is built-in to gcc. Yes I can
look at it with -dumpspecs, and I can override it with, e.g.,
-specs=myspecs
Hi,
both the FIPS module and OpenSSL use the -pthreads option for gcc when
building a *BSD/x86 target. With our cross-compiler, -pthreads results in
-lpthread, although on our target we actually use libc_r for thread
support. While sorting out how I can resolve this in the config/Configure
A couple of questions on Thor's proposed patch:
1. There has been no discussion - does that imply a passive acceptance or
passive rejection?
2. I am using OpenSSL/FIPS on a system with /dev/urandom. Although the
rand_unix.c RAND_poll() function is called only once with the released
code, after
Understood. I asked in part because I want to minimize the
number/scope of modifications so that the change letter validation is
viable and straightforward; and, I asked out of curiosity.
Kevin
On Sat, Mar 17, 2012 at 12:26 PM, Andy Polyakov ap...@openssl.org wrote:
Is incore part of the
Thanks Andy, helpful as always.
Is incore part of the validation, or is it like fipsld - allowed to be
modified as needed without invalidating FIPS certification?
Kevin
On Sat, Mar 10, 2012 at 3:44 AM, Andy Polyakov ap...@openssl.org wrote:
While investigating this I realized I did not really
I have successfully cross-compiled a FIPS_capable libcrypto.a for my
target (NetBSD on PowerPC), and successfully built the FIPS tests and
run them on the target - all pass/fail as expected. I also built a
simple app and built that with the library, and ran that successfully.
I have (see other
On Tue, Feb 21, 2012 at 1:11 PM, Andy Polyakov ap...@openssl.org wrote:
Though in FIPS 2.0 there is new option that might work in this case.
Besides switching to another compiler that is. Introduced to rectify
situation with rodata segments not being position-independent on Win64,
defining
On Tue, Feb 21, 2012 at 3:51 PM, Andy Polyakov ap...@openssl.org wrote:
Another option (but shoot it down if its bogus :-): I noticed that if I
compile
fipscanister.o without -fPIC, then the const variables do get placed in
the (really readonly) .rodata section as desired. I thought maybe if
On Mon, Feb 20, 2012 at 5:18 AM, Andy Polyakov ap...@openssl.org wrote:
Though in FIPS 2.0 there is new option that might work in this case.
Besides switching to another compiler that is. Introduced to rectify
situation with rodata segments not being position-independent on Win64,
On Sat, Feb 18, 2012 at 6:13 PM, Andy Polyakov ap...@openssl.org wrote:
The key thing I realized is that the incore script that comes with the
FIPS
Object Module v2.0 tarball
handles both native AND cross-compile scenarios.
Even though FIPS 2.0 util/incore is capable of handling
On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:
After I had gotten the extra -f options from Harvey for this platform
(BSD-powerpc),
Using -f[data|function]-sections options is inappropriate as they
undermine the idea of capturing fipscanister code and rodata
On Sun, Feb 19, 2012 at 3:50 PM, Kevin Fowler kevpfow...@gmail.com wrote:
On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov ap...@openssl.org wrote:
After I had gotten the extra -f options from Harvey for this
platform
(BSD-powerpc),
Using -f[data|function]-sections options
On Fri, Feb 17, 2012 at 10:25 PM, Dr. Stephen Henson st...@openssl.orgwrote:
On Fri, Feb 17, 2012, Kevin Fowler wrote:
Thanks Harvey,
This seems to have worked as far as getting the .rodata section used.
This
is what I see now:
001b5740 g O .rodata0010
Thanks Harvey,
This seems to have worked as far as getting the .rodata section used. This
is what I see now:
001b5740 g O .rodata0010 FIPS_rodata_start
001b5750 l O .rodata0011 FIPS_hmac_key
001b57bc g O .rodata0036 FIPS_bn_version
001c1e08 g O
issues. One
thing I found helpful was to
get the 'MACHINE', 'SYSTEM', 'BUILD', and 'RELEASE' settings by running
the variants of uname
on my target.
Regards;
== Rick Davis
--
*From: *Kevin Fowler kevpfow...@gmail.com
*To: *openssl-dev@openssl.org
*Sent
I am building and testing the FIPS module for a PowerPC/NetBSD1.6.2 target
on a x86/linux(CentOS) host.
The Configure script does not have NetBSD options, so I am setting my
environment variables such that it selects the ppc-linux target. The
fipscanister.o builds fine.
When I go to build the
that is indicating I need to correct.
Any pointers on that?
Thanks,
Kevin
On Thu, Dec 8, 2011 at 3:42 PM, Kevin Fowler kevpfow...@gmail.com wrote:
I am building and testing the FIPS module for a PowerPC/NetBSD1.6.2 target
on a x86/linux(CentOS) host.
The Configure script does not have NetBSD options
I am building and testing the FIPS module for a PowerPC/NetBSD1.6.2 target
on a x86/linux(CentOS) host.
The Configure script does not have NetBSD options, so I am setting my
environment variables such that it selects the ppc-linux target. The
fipscanister.o builds fine.
When I go to build the
29 matches
Mail list logo