Dear Mr. Henson,
I noticed that for OpenSSL 1.0.2x and 1.0.1x on Windows the FIPS capable
libeay32.dll
does not export any of the FIPS_drbg_*() functions, although they are officially
documented by the OpenSSL FIPS 2.0 User Guide.
Is this an oversight or was this done on purpose? (IOW, is it a
To quote from several places:
Once you call FIPS_mode_set (and assuming it returns non-zero), you are using
the NIST approved DRBGs.
From OpenSSL's Random Numbers wiki page:
The default DRBG is 256-bit CTR AES using a derivation function ... To use the
FIPS random number generator, si
If you don't know or care what FIPS 140-2 is then heave a big sigh of
relief and move on.
Over a month ago[1] I noted that the four typographical errors from the
CMVP "execution" of the "hostage" platforms[2] had still not been corrected.
Ten weeks have now passed, and
On Tue, Jul 28, 2015, Randy Steck wrote:
> Thus, it appears that there is a function in the FIPS API that allows
> for the creation of RSA keys in a non-approved manner.
>
> Am I missing something? Is this by design, or is it a bug?
>
Yes you're right it uses the unappro
I posted this to openssl-dev, but didn't get a reply. Perhaps it's more
appropriate here.
In the FIPS Security Policy there are listed two functions for
generating RSA keys:
FIPS_rsa_generate_key_ex() (renamed from RSA_generate_key_ex())
and
FIPS_rsa_x931_generate_key_ex() (re
SSL client performing mutual
> > authentication. RSA certificate used is signed with SHA512 digest. When I
> > switch to FIPS mode and perform re-authentication, I am hitting an
> > error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA.
> >
> > Can
On Thu, Jul 16, 2015, Jayalakshmi bhat wrote:
> Hi All,
>
> I am using OpenSSL library for a SSL client performing mutual
> authentication. RSA certificate used is signed with SHA512 digest. When I
> switch to FIPS mode and perform re-authentication, I am hitting an
> error :04
Hi All,
I am using OpenSSL library for a SSL client performing mutual
authentication. RSA certificate used is signed with SHA512 digest. When I
switch to FIPS mode and perform re-authentication, I am hitting an
error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA.
Can any one
e appears on provable prime generation algorithms which OpenSSL
FIPS module doesn't support.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-users ma
On 07/15/2015 01:34 PM, Philip Bellino wrote:
> Hello,
>
> We are testing our FIPS implementation which is based on openssl-1.0.2a
> and openssl-fips-2.0.9.
>
> We are executing tests on the target machine (which doesn't support
> running perl scripts so we cannot run
One more item of note:
The code appears to be erroring out on the keyword SEED.
Looking at the source code there appears to be no provision to accept that
word, hence the parse error.
Hello,
We are testing our FIPS implementation which is based on openssl-1.0.2a and
openssl-fips-2.0.9.
We are executing tests on the target machine (which doesn't support running
perl scripts so we cannot run fipsalgtest.pl)
that are included in the openssl-fips-2.0.9/fips directory,
Hi Jacob,
I have used openssl-fips-1_2_4 with openssl 0.9.8zf and not found any
issue. For my environment, just I upgraded my openssl version from 0.9.8zf
to zg.
Thanks,
Gayathri
On Wed, Jul 15, 2015 at 12:36 AM, Jakob Bohm wrote:
> On 14/07/2015 12:35, Gayathri Manoj wrote:
>
>
On 14/07/2015 12:35, Gayathri Manoj wrote:
Hi All,
Please let me know what is the compatible openssl-fips package for the
0.9.8zg version.
As far as I know you need to use the file
http://www.openssl.org/source/openssl-fips-1.2.4.tar.gz
with the specific HMAC checksum specified in the
Hi All,
Please let me know what is the compatible openssl-fips package for the
0.9.8zg version.
When I try with openssl-1_2_4, I am getting the below error
bash 3.2:90>gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m32 -DL_END
Hi,
I am getting the below error while compiling openssl-0.9.8zg with fips
canister library.
make[2]: Entering directory `open_source/openssl/0_9_8zg_new1/fips'
../libcrypto.a(err_def.o): In function `ERR_get_state':
err_def.c:(.text+0x710): multiple definition of `ERR
Hello,
I currently have a FIPS module where I'm trying to add entropy to RSA key
generation pair. I've overwritten the callbacks within my application but
I'm not seeing them being executed when I generate an RSA key.
When I call RSA_generate_key_ex shouldn't my entropy
If you don't know or care what FIPS 140-2 is then dance a little jig of
joy and move on.
The "hostage issue" has resulted in the forced removal[*] of a number of
platforms from the #1747 validation. That removal was done by editing
the "Big Blob o' Text" in the right
On 06/30/2015 07:15 AM, jonetsu wrote:
> The validation is on the ARM platform using Linux 2.4. I am one of those
> 'unlucky' having to deal with FIPS so please pardon any silly questions.
> Would this validation be limited to these two aspects ?
The validation is limite
The validation is on the ARM platform using Linux 2.4. I am one of those
'unlucky' having to deal with FIPS so please pardon any silly questions.
Would this validation be limited to these two aspects ? And, is there any
money-saving advantage at using an already validated OpenSSL when
Hi All,
I am trying to build fips compliant openssl 1.0.1m for SSE (nonSSE2)
architecture. The last time I did this, it was not fips compliant (just built
openssl for SSE) so it worked.
From the Developer Command Prompt for VS 2012:
1. Build fips-ecp 2.
include those in my position, since I can
just read your updates, and accept them without knowing all the reasons behind
it. :) I'm ok either way.
TOM
--
Preserve wildlife -- pickle a squirrel!
> On Jun 22, 2015, at 11:27 AM, Steve Marquess wrote:
>
> If you don't know or ca
If you don't know or care what FIPS 140-2 is, a hysterical giggle of
pure delight and whoop of relief before moving on is fully justified.
The "SE" (Salvage Edition) validation has been approved:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398
This ac
Ok, the API call was not correct RSA_generate_key_ex was not working same. I
have resolved all the issues now.
--
View this message in context:
http://openssl.6102.n7.nabble.com/Generating-FIPS-Compliant-libcrypto-so-tp58890p58904.html
Sent from the OpenSSL - User mailing list archive at
Ok, I will answer my own question here. The problem was that I did not have
the LD_LIBRARY_PATH set correctly for openssl.
Ok, I searched and there are a lot of topics around building the fip
compliant version of openssl. My problem is with the generation of the
libcrypto.so.
Environment
Debian 8
openssl fips 2.0.9
openssl 1.0.1o
I follow the security guide and build a valid fipscanister.o file. I test it
and it
If you don't know or care about FIPS 140-2 then count yourself very
lucky and move on.
In the same spirit of collaboration that underlies all of the open
source based OpenSSL FIPS Object Module validations, of which the #1747
validation is the latest, some of the stakeholders impacted b
On 06/22/2015 02:36 AM, Jeffrey Walton wrote:
> Hi Steve,
>
> Forgive my ignorance
>
> From the previous postings, I *thought* that the validation only
> applies to real iron, and [retroactively] was not conferred to the
> VMs. But it seems like this list includes real hardware, too:
>
>
015 at 11:17 AM, Steve Marquess wrote:
> If you don't know or care what FIPS 140-2 is then count yourself very
> lucky and move on.
>
> I've created a new web page to summarize the current status of the
> long-running hostage saga:
>
> http://openssl.com/fips/afterma
If you don't know or care what FIPS 140-2 is then count yourself very
lucky and move on.
I've created a new web page to summarize the current status of the
long-running hostage saga:
http://openssl.com/fips/aftermath.html
If you use the OpenSSL FIPS Object Module 2.0 (validation #
Ok, I finally figured out my issues. I was setting the environment variables
when I should not have been. The "make depend" set will setup all the fips
dependencies you need. So I was shooting myself in the foot so to speak.
Using the commands listed in the Security Policy for OpenSSL w
If you don't know or care what FIPS 140-2 is then count yourself very
lucky and move on.
There is a new development in the long running saga of the "hostage
issue"[*]; the hostages have been executed:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
Cr
.
> >
> > openssl rsa -in my_rsa_key -outform PEM -out my_res_newkey_pem
> >
> > The new key format is -BEGIN PRIVATE KEY-.
> > But I am expecting -BEGIN RSA PRIVATE KEY-
> >
> > In nonFIPS mode I am getting -BEGIN RSA PRIVATE KEY- as ex
-.
> But I am expecting -BEGIN RSA PRIVATE KEY-
>
> In nonFIPS mode I am getting -BEGIN RSA PRIVATE KEY- as expected.
>
> My openssl version is OpenSSL 0.9.8zf-fips.
>
> Please let me know how can I generate the new key in BEGIN RSA PRIVATE KEY
> for
-BEGIN RSA PRIVATE KEY- as expected.
My openssl version is OpenSSL 0.9.8zf-fips.
Please let me know how can I generate the new key in BEGIN RSA PRIVATE KEY
format.
Thanks,
Gayathri
the "fips.h" file. I see it in the
/usr/local/ssl/fips-2.0/include directory and I have tried "export
FIPSDIR=/usr/local/ssl/fips-2.0" but it still does not pick it up. Is there
an environment variable that I am missing?
Thanks
> The problem is:
> ld: building for iOS Simulator, but linking against dylib built for MacOSX
> file '/usr/lib/libSystem.dylib' for architecture i386
> clang: error: linker command failed with exit code 1 (use -v to see
> invocation)
There's no reason to build
Hello,
I have problems with compiling Openssl FIPS library for iOS 7.1 (openssl-fips
2.0.9) on Yosemite (using Xcode 6.2).
After checking few build scripts available on net (mainly for older versions of
openssl-fips library) I came across the testing instructions (
http
Well, since you're using the fips-ecp tarball, you'll need to include
no-ec2m when configuring OpenSSL 1.0.2a. But this isn't why you're
seeing a fork error from fipsld.
I'm using Ubuntu 14.04 (Is there a 14.4?) and don't see any issue.
However, I'm not s
/workspace/libs/openssl-fips-ecp-2.0.9/fips/fipsld
FIPSLD_CC=/usr/bin/gcc
FIPSDIR=/usr/local/ssl/fips-2.0
for building fips canister
./config fipscanisterbuild no-asm
make
make install
using ./config fips no-asm
make
make install
This seemed to be pretty straightforward. I think I created
Hello,
Our product was FIPS-certified a few years ago. We are now about to start
the re-certification process.
The test for RSA X9.31 key generation have somewhat changed, or so it looks
like to me anyway.
A few years ago, we received test vectors with the following parameters:
modulus size
Hello,
We use OpenSSL-1.0.2a and FIPS 2.0.9 and have questions we need to answer in
conjunction with the FIPS validation
process.
One question is whether SHA1 accepts NULL (zero-length) messages? I couldn't
find anything on the OpenSSL
wiki so I thought I'd ask here.
Also, another qu
1 RSA key generation for FIPS validation (180-4)
To: openssl-users@openssl.org
Hello,
Our product was FIPS-certified a few years ago. We are now about to start
the re-certification process.
The test for RSA X9.31 key generation have somewhat changed, or so it looks
like to me anyway.
A few
Can anyone shed light on why these APIs are disabled in FIPS mode? They
involve operations that must be implemented within the boundary of the FIPS
crypto module? It seems like disabling them is intended to prevent mistakes
from developers trying to write their own AES mode implementations
forum where someone was building an app with FIPS 140-2 compliant
>> communications.
>
> Note there really is no such thing as "FIPS 140-2 compliant" (though you
> see that terms bandied around a lot and I'm guilty of doing so myself).
>
> The term of inter
On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
> Hi there,
>
> Total n00b question here. I recently ran across a question on an iOS
> forum where someone was building an app with FIPS 140-2 compliant
> communications.
Note there really is no such thing as "FIPS 140-2 compli
Hi,
I believe you can make an app that is FIPS compliant: since OpenSSL can be
made FIPS compliant on a non-validated OS, why not an app on iOS? But it
will be FIPS compliant, not FIPS validated app.
On Tue, Apr 28, 2015 at 21:45, Sec_Aficionado
wrote:
> Hi there,
>
> Total n00b ques
Hi there,
Total n00b question here. I recently ran across a question on an iOS forum
where someone was building an app with FIPS 140-2 compliant communications.
Now, from reading here (mailing lists) about FIPS certification, it involves
both the bits and the platform. So it would not be
> If they have counterparts in TLS that could be used, why wouldn't
> the TLS version show up instead ?
Because they are *the same* TLS did not take old ciphers and renumber or
rename them.
ically understood. What was lacking then in my
understanding, is that :
% OPENSSL_FIPS=1 openssl ciphers -v
Will not output strictly according to FIPS. Maybe there's no easy way to do
that when the definition of a cipher states otherwise.
Thanks.
On 28/04/15 13:31, jonetsu wrote:
>> That refers to the minimum version of the ciphersuite: it
>> doesn't imply that it will only be used in SSLv3 (which is
>> disabled in FIPS mode).
>
> Hmmm... I'm sorry but I do not really understand this. Since openss
> That refers to the minimum version of the ciphersuite: it
> doesn't imply that it will only be used in SSLv3 (which is
> disabled in FIPS mode).
Hmmm... I'm sorry but I do not really understand this. Since openssl is
run in FIPS mode, and since SSLv3 is disabled, then
Hi,
Our win32 applications will sometimes fail to start due to a
fingerprint mismatch in the fips module. It appears this is caused by
the fixed baseaddr used to verify the checksum. We are building with
the /FIXED and /DYNAMICBASE:NO options.
The User Guide states:
"The standard OpenSSL
On Fri, Apr 24, 2015, jonetsu wrote:
> Hello,
>
> > In FIPS mode SSL 3.0 is not allowed: that has always been the
> > case.
>
> % openssl version
> OpenSSL 1.0.1f 6 Jan 2014
>
> % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
>
> ECDHE-RSA-AES256-SHA
Hello,
> In FIPS mode SSL 3.0 is not allowed: that has always been the
> case.
% openssl version
OpenSSL 1.0.1f 6 Jan 2014
% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
ECDHE-RSA-AES256-SHA SSLv3
ECDHE-ECDSA-AES256-SHA SSLv3
DHE-RSA-AES256-SHA SSLv3
DHE-DSS-AES256-SHA
On Fri, Apr 24, 2015, jonetsu wrote:
>
> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
>
> https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
>
> Specifically:
>
> "FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
>
Hi,
... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
Specifically:
"FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
1.0, SSL
2.0, SSL 3.0, TLS 1.0"
"FCS_TLSS_EXT.2.2 The TSF shall d
>> One point is that if this is a delivery for someone
>> subject to the FIPS-only procurement requirement
>> imposed on various US Government related entities,
>> then whatever OS they use, MUST (by that requirement)
>> have already passed this for its password hand
"libraries" to be FIPS-validated, perhaps as separate crypto
modules.
Kevin
On Tue, Apr 14, 2015 at 8:51 AM, jonetsu wrote:
> Salz, Rich wrote
> > As the old joke goes, "if you have to ask, you can't afford it."
>
> Well, exploration can be free.
On 04/14/2015 09:42 AM, jonetsu wrote:
>
>
>> From: "Steve Marquess" Date: 04/14/15 09:31
>>
>
>> and note that of the 101 platforms ("OEs") appearing there, most
>> of those operating systems are neither CC certified nor have any
>>
On 04/13/2015 01:30 PM, Jakob Bohm wrote:
> ..
>>
>> With the very unique exception of the OpenSSL FIPS Object Module, there
>> are no FIPS 140-2 validated cryptographic modules that can be obtained
>> in source form and compiled by the end user. The fact that Red Hat
> From: "Steve Marquess"
> Date: 04/14/15 09:31
> and note that of the 101 platforms ("OEs") appearing there, most of
> those operating systems are neither CC certified nor have any other FIPS
> 140-2 validated crypto. Keep in mind that at Leve
Salz, Rich wrote
> As the old joke goes, "if you have to ask, you can't afford it."
Well, exploration can be free. I noticed that Strongswan uses a plug-in
architecture for crypto that seemingly allows the use of OpenSSL instead of
the kernel for crypto operations, for use
> If I may, I'd like to ask about including the Linux kernel in the validation.
As the old joke goes, "if you have to ask, you can't afford it."
Thanks for all the comments, they're much appreciated. It is a Debian
system, so there is no Red Hat FIPS validation (or SuSE which also has one I
think) or validated components that can be used.
If I may, I'd like to ask about including the Linux kernel in the
validation. Now, includ
anything you can imagine.
Yes, the only thing easier would be if someone (maybe Red Hat)
already has a FIPS validated open source implementation of
crypt().
And even if Red Hat does, you would be limited to using the specific
commercial versions of RHEL that included that specific validated binary
so much easier than anything you can imagine.
> Yes, the only thing easier would be if someone (maybe Red Hat)
> already has a FIPS validated open source implementation of
> crypt().
And even if Red Hat does, you would be limited to using the specific
commercial versions of RHEL that included
)
already has a FIPS validated open source implementation of
crypt().
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote
> In other words, is the only
> practical and viable option regarding this to re-implement crypt() using EVP
> methods ? - thanks.
Yes. That would be so much easier than anything you can imagine.
Thanks for the comments - much appreciated.
The following question might be on the naive side of things, but then I'm
all new to this. Since crypt() in glibc2 supports SHA-256 and SHA-512 for
password, and assuming that these two are FIPS compatible, what would be the
(financial) overhe
or which we must pay them.
Also FYI for change letters the (unique/creative component of the)
documentation is trivial. As with most FIPS 140-2 documentation such
paperwork is very low in nutritional value and of essentially no value
to the end user. In particular it isn't going to help anyone "
users-boun...@openssl.org] On Behalf Of
Philip Bellino
Sent: Monday, April 06, 2015 8:03 AM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS wrapper to lock low level AES calls in FIPS mode
Hello,
We are using Openssl-1.0.2a with FIPS 2.0.9 on Linux PPC environment. We have
code that we a
available? Maybe
>> someone can pick it up and work from there.
>
> It doesn't work that way. With FIPS 140-2 the software itself is never
> the problem, it's everything else.
>
> The OpenSSL FIPS Object Module is entirely open source, but having the
> source code does y
On 04/06/2015 10:09 AM, Nicolae Rosia wrote:
> Is the documentation for the current validation available? Maybe
> someone can pick it up and work from there.
It doesn't work that way. With FIPS 140-2 the software itself is never
the problem, it's everything else.
The OpenSSL FI
cts are using OpenSSL
>> with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but
>> our products need OpenSSL FIPS as well.
>>
>> My question is when OpenSSL FIPS will be supported on Linux-aarch64?
>
> When we have a sponsor to cover the non-trivial co
On 04/05/2015 09:13 PM, Aaron wrote:
> Hello,
>
> We are porting our products to Linux-aarch64. Our products are using OpenSSL
> with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but
> our products need OpenSSL FIPS as well.
>
> My question is when
Hello,
We are using Openssl-1.0.2a with FIPS 2.0.9 on Linux PPC environment. We have
code that we assume needs updating,
to avoid using low level routines in FIPS. For example, our snmp v3
implementation currently decrypts/encrypts using
AES_set_encrypt_key() and AES_cfb128_encrypt().
The old
Hello,
We are porting our products to Linux-aarch64. Our products are using OpenSSL
with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but
our products need OpenSSL FIPS as well.
My question is when OpenSSL FIPS will be supported on Linux-aarch64?
Thanks in advance
wrote:
> Ok, with few modifications to fipsld++ I can now link to libcrypto.so
> and libcrypto.a and applications are working correctly, but my problem
> still persists because if I would like to dlopen my shared library
> compiled with static libcrypto.a and I'll try to run fi
Ok, with few modifications to fipsld++ I can now link to libcrypto.so
and libcrypto.a and applications are working correctly, but my problem
still persists because if I would like to dlopen my shared library
compiled with static libcrypto.a and I'll try to run fips mode from that
library
Yeah I have tried with it and modified it. But my problem is that I am
cross-compiling. I have used incore to generate digest and it works with
qcc and i386-pc-nto-qnx6.4.0-gcc. But with i386-pc-nto-qnx6.4.0-g++ and
QCC which is for c++ it does not work it generates bad digest. What is a
problem
12:41 +0200, Piotr Łobacz wrote:
> Ok I have finally managed to cross-compile openssl with fips for QNX
> platform. What I did was modifying the fipsld script not to input this
> magical number[ $? -ne 42 ] && exit $? and the returned output of
> "${FIPS_SIG}" -ex
On Wed, Apr 01, 2015, jonetsu wrote:
> Hello,
>
> As part of development, still using the fips_hmac test code, this time on a
> target unit using 1.0.1e, the following errors are shown at the console:
>
> 3069614096:error:2D088086:FIPS
> routines:FIPS_s
Hello,
As part of development, still using the fips_hmac test code, this time on a
target unit using 1.0.1e, the following errors are shown at the console:
3069614096:error:2D088086:FIPS
routines:FIPS_selftest_x931:selftest
failed:fips_rand_selftest.c:171:
3069614096:error:2D082086:FIPS
Ok I have finally managed to cross-compile openssl with fips for QNX
platform. What I did was modifying the fipsld script not to input this
magical number[ $? -ne 42 ] && exit $? and the returned output of
"${FIPS_SIG}" -exe "${TARGET}" was saved in SIG variable, beca
Steve Marquess
writes:
>> Are you certain? For a user-space component like OpenSSL, this is
>> obviously true, but I think you could argue that a kernel module's
>> "Operational Environment" has no relation to the Linux distro, only to
>> the kernel it's loaded by and the hardware architecture (
On 03/27/2015 04:45 AM, Henrik Grindal Bakken wrote:
> Steve Marquess
> writes:
>
>>> If the CMVP bureaucracy insists on a specific kernel version
>>> for the platform number, this should be one of the "Long Term
>>> Support" kernel releases to maximize longevity (assuming that
>>> regular OS pat
Another problem is that compiled cross-compiled OpenSSL with fips should
start in its own prompt but it only spews the expected signature and
exits. I have modified fipsld scripts as shown in the manual and this
does not help. Incore was used from the tarball but maybe I have to use
some special
Steve Marquess
writes:
>> If the CMVP bureaucracy insists on a specific kernel version
>> for the platform number, this should be one of the "Long Term
>> Support" kernel releases to maximize longevity (assuming that
>> regular OS patching within a version number is still accepted
>> as "same pla
kernel module (a.k.a.
device driver). The idea would be to have a kernel module that provides
crypto support. This kernel module would be the FIPS object module,
with the FIPS boundary drawn around the kernel module. This would be
loaded at run time like any other device driver when FIPS mode needed
e (a.k.a.
>>> device driver). The idea would be to have a kernel module that provides
>>> crypto support. This kernel module would be the FIPS object module,
>>> with the FIPS boundary drawn around the kernel module. This would be
>>> loaded at run time like
> From: jonetsu
> Date: 03/26/15 11:11
> Is FIPS_mode_set(1) taking care of setting up a default DRBG ?
Yes. It does. When using post_cb() from fips_test_suite.c in for instance the
fips_hmac.c demo, with only but a FIPS_mode_set(1) call, it is reported that
the four DRBGs are tested:
provides
crypto support. This kernel module would be the FIPS object module,
with the FIPS boundary drawn around the kernel module. This would be
loaded at run time like any other device driver when FIPS mode needed to
be enabled.
There is likely some kernel work required to allow the ciphers in the
On 03/26/2015 01:00 PM, Marcus Meissner wrote:
> ...
>>
>> Unfortunately FIPS 140-2 validation conflicts rather violently with open
>> source software (and with software engineering best practice in general,
>> for that matter). Even if some benevolent benefactor ponied
On Thu, Mar 26, 2015 at 10:57:28AM -0400, Steve Marquess wrote:
> On 03/25/2015 06:26 PM, jone...@teksavvy.com wrote:
> > On Wed, 25 Mar 2015 17:03:04 -0400
> > Steve Marquess wrote:
> >
> >> I wasn't aware the Linux kernel (the real one, not proprietary
>
This kernel module would be the FIPS object module,
> with the FIPS boundary drawn around the kernel module. This would be
> loaded at run time like any other device driver when FIPS mode needed to
> be enabled.
>
> There is likely some kernel work required to allow the ciphers i
701 - 800 of 2862 matches