On Thu, 28 Feb 2019 14:41:19 +0100,
Salz, Rich wrote:
>
> > There are two options. First, the application does the digest and
> > sign as two separate things.
>
> My memory is foggy surrounding that scenario, so I might be wrong,
> but I think it was argued that this was in
> There are two options. First, the application does the digest and
> sign as two separate things.
My memory is foggy surrounding that scenario, so I might be wrong,
but I think it was argued that this was invalid use from a FIPS
perspective. Now, we can't actually stop
>From https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
I got these lines
"OpenSSL provides mechanisms for interfacing with external cryptographic
devices, such as
accelerator cards, via “ENGINES.” This mechanism is not disabled in FIPS
mode. In general, if a
FIPS validated cryptographic de
On 27/02/2019 22:20, Richard Levitte wrote:
>> I believe Richard is wrong here. Or at least his text could be
>> misleading. If the EVP API does the digesting with one module and
>> then calls another module to do the RSA signing, that is okay.
>
> Huh? From the design document, section "Exa
On Thu, 28 Feb 2019 00:51:24 +0100,
Dr. Matthias St. Pierre wrote:
>
>
> > Uhm, I'm confused. I thought we were talking about 3.0?
>
> Well, the original post started at FIPS 2.0:
>
> > I am using openssl-fips-2.0.16 and openssl-1.0.2e.
> https://mta.openssl.org/pipermail/openssl-users/2019
On Thu, 28 Feb 2019 00:17:13 +0100,
Salz, Rich wrote:
>
> > Huh? From the design document, section "Example dynamic views of
> > algorithm selection", after the second diagram:
>
> An EVP_DigestSign* operation is more complicated because it
> involves two algorithms: a s
> Uhm, I'm confused. I thought we were talking about 3.0?
Well, the original post started at FIPS 2.0:
> I am using openssl-fips-2.0.16 and openssl-1.0.2e.
https://mta.openssl.org/pipermail/openssl-users/2019-February/009919.html
But it seems like the discussion in the thread has drifted a
> Huh? From the design document, section "Example dynamic views of
> algorithm selection", after the second diagram:
An EVP_DigestSign* operation is more complicated because it
involves two algorithms: a signing algorithm, and a digest
algorithm. In general those
Uhm, I'm confused. I thought we were talking about 3.0?
"Dr. Matthias St. Pierre" wrote: (27 February
2019 23:34:23 CET)
>
>> -Original Message-
>> > > I always understood "FIPS-capable OpenSSL" to refer
>> > > specifically to an
>> > > OpenSSL compiled with the options to incorpor
> -Original Message-
> > > I always understood "FIPS-capable OpenSSL" to refer specifically to an
> > OpenSSL compiled with the options to incorporate the FIPS canister
> > module, not just any OpenSSL build that might be used in FIPS compliant
> > applications (as t
On Wed, 27 Feb 2019 22:54:41 +0100,
Salz, Rich via openssl-users wrote:
>
> > I always understood "FIPS-capable OpenSSL" to refer specifically to an
> OpenSSL compiled with the options to incorporate the FIPS canister
> module, not just any OpenSSL build that might be used in FIPS compl
> I always understood "FIPS-capable OpenSSL" to refer specifically to an
> OpenSSL compiled with the options to incorporate the FIPS canister
> module, not just any OpenSSL build that might be used in FIPS compliant
> applications (as that would be any OpenSSL at all).
Yes, that is histor
On 27/02/2019 22:18, Richard Levitte wrote:
On Wed, 27 Feb 2019 21:55:29 +0100,
Jakob Bohm via openssl-users wrote:
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validat
On Wed, 27 Feb 2019 21:55:29 +0100,
Jakob Bohm via openssl-users wrote:
>
> On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
> > If you change a single line of code or do not build it EXACTLY as
> > documented, you cannot claim to use the OpenSSL validation.
> >
>
> I believe the cont
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:
- OpenSSL FIPS Mod
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
No.
The OpenSSL FIPS Module is not written that way. It should not be permitting
any non-FIPS implementations (see Rich's email regarding a bug).
You could write your own engine, get that FIPS certified, and run it with
plain, vanilla OpenSSL.
There's a design spec out for OpenSSL 3.0.0 that
The requirement here is to offload my "engine supported fips-compliant
methods" to the engine and other "fips-compliant" functions to openssl
dynamically. Here I need to use the openssl-fips module, I guess.
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
Thanks for the reply.
With non-fips openssl, it is possible to write my own fips-module. I
understood.
But is it possible for me to write a fips-compliant/fips validated "dynamic
engine" with openssl-fips, which allows me to offload "fips-compliant"
functions to my engine "dynamically"?
--
To clarify here, using the OpenSSL FIPS implementation does not allow you to
claim “FIPS Validated”, rather this would be “FIPS Compliant”. If you want to
claim “FIPS Validated”, you must get your own validation for your
implementation regardless of what you are using, OpenSSL FIPS module or
ot
* Which means in fips mode ciphers never get offloaded to the engine?
* For all other functions (digest, RSA, etc.), it first updates to the fips
function, and then the engine function. Why do only ciphers have this different
behaviour?
That seems like a bug. In FIPS mode you can only use the FIPS-validate
Hi,
I am unable to use AES-cipher offload to my engine even though it was
registered with the proper flag (EVP_CIPH_FLAG_FIPS). I was able to use
RSA, digests, and ECDSA to the engine with corresponding flags.
I am using openssl-fips-2.0.16 and openssl-1.0.2e.
OPENSSL_FIPS is set.
I come across