Re: Blog post

2021-06-17 Thread Ethan Rahn
Hello Matt, Love the blog post, and of course a hearty thanks to everyone who worked on the project to get it to this point. Is the plan still to continue with the FIPS 140-2 validation instead of 140-3? Apologies for the lack of a first party source but https://www.leidos.com/insights/fips-140-a

Re: Poll on manpages

2020-01-28 Thread Ethan Rahn
Rich, If no-one else tells you, keeping the docs up to date is amazing work and thank you for it. My general thought is that all docs should be consistent with one another for ease of cross referencing and skimming and the manpages should follow the same layout. Cheers, Ethan On Tue, Jan 28, 20

Re: [openssl-users] openssl-users Digest, Vol 28, Issue 21

2017-03-22 Thread Ethan Rahn
Couldn't you just use EVP_PKEY_get1_EC_KEY? https://www.openssl.org/docs/man1.0.2/crypto/EVP_PKEY_get1_EC_KEY.html Cheers, Ethan On Wed, Mar 22, 2017 at 10:48 AM, Christian Adja via openssl-users < openssl-users@openssl.org> wrote: > Good evening everybody, > I need help about to transform pub

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-11 Thread Ethan Rahn
Wow, That was quite the oversight of mine. That fixed the issue. Thanks so much, I appreciate your patience in dealing with my confusion over the APIs! Cheers, Ethan On Sat, Mar 11, 2017 at 12:28 PM, Matt Caswell wrote: > > > On 11/03/17 18:38, Ethan Rahn wrote: > >size_t

Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-11 Thread Ethan Rahn
cretLen ); return 1; } On Fri, Mar 10, 2017 at 1:44 PM, Matt Caswell wrote: > > > On 10/03/17 20:58, Ethan Rahn wrote: > > Hello Openssl-users, > > > > I'm trying to write some code that derives the shared secret for 2 > > elliptic curve keys ( i.e. do

[openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs

2017-03-10 Thread Ethan Rahn
Hello Openssl-users, I'm trying to write some code that derives the shared secret for 2 elliptic curve keys ( i.e. does ECDH ) I am doing the following to load up both the local and remote EC key ( code shown for local side ): EC_KEY* localEC = EC_KEY_new_by_curve_name( curveName ); EC_KEY_set_p

Re: [openssl-users] Should openssl publish the commit #'s that fixed each CVE?

2017-01-26 Thread Ethan Rahn
third party site to find a commit #, when the third party chooses to release the information. On Thu, Jan 26, 2017 at 10:53 AM, Scott Neugroschl wrote: > The CVE itself contains the commit info. Find it at cve.mitre.org > > > > *From:* openssl-users [mailto:openssl-users-boun...@

[openssl-users] Should openssl publish the commit #'s that fixed each CVE?

2017-01-26 Thread Ethan Rahn
Hello, When looking at the latest security announcement, something that I notice is that it's hard to find the actual commits that fixed an issue. If you search git.openssl.org you can find some of them if they are mentioned in the change message, but it still requires some active effort. Would it

[openssl-users] Seeking to understand difference in RSA key gen between X9.31 and FIPS 186-4

2016-10-12 Thread Ethan Rahn
Hey Openssl-Users, I'm trying to understand the difference between how primes are generated in RSA X9.31 ANSI standards ( which I don't have access to ) and FIPS 186-4 ( found here: http://csrc.nist.gov/groups/STM/cavp/documents/dss2/rsa2vs.pdf ) In the code at crypto/bn/bn_x931p.c::BN_X931_gene

Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-07 Thread Ethan Rahn
Matt, What part of the selftest fails? Can you step through it with a debugger? Cheers, Ethan On Fri, Oct 7, 2016 at 10:56 AM, Matthew Heimlich wrote: > I'm on RHEL7. I've got a very simple encryption/decryption program that > works fine without FIPS support enabled, but fails when it is: > >

Re: [openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

2016-03-14 Thread Ethan Rahn
Is there a reason why you cannot build it from a controlled build environment and record the hash of the final .so? It seems that it would be pretty non-trivial if not impossible to pull a .o file from a .so in the exact same format that it went in, such that you could check the hash. Being able t

Re: [openssl-users] Digest MD5 forbidden in FIPS mode

2016-01-18 Thread Ethan Rahn
MD5 is not considered a safe function to use hence it is forbidden in FIPS mode. Can you use a different hash function ( such as SHA-something ) for your use case? On Mon, Jan 18, 2016 at 4:43 PM, Marcos Bontempo wrote: > Hello, > > I wrote a C code which enter in FIPS mode with fips_mod_set(1).

Re: [openssl-users] force to use /dev/random for openssl fips module

2015-12-10 Thread Ethan Rahn
xxiao, have you changed the code to also increase the timeout and not try to use other devices to get entropy? If /dev/random is blocking at the time, it may run into issues trying to look for other sources of entropy than giving up. On Tue, Dec 8, 2015 at 8:25 PM, xxiao8 wrote: > I don't know

Re: [openssl-users] Openssl FIPS uses /dev/urandom by default?

2015-11-12 Thread Ethan Rahn
xxiao, Are you sure you can't modify that? My understanding of FIPS mode is that you cannot modify the FIPS code canister, which entropy sources are not a part of. Cheers, Ethan On Thu, Nov 12, 2015 at 8:08 AM, xxiao8 wrote: > in e_os.h I saw > == > #ifndef DEVRANDOM > > /* set this to a

Re: [openssl-users] Need help understanding tradeoffs of "-dsaparam" in dhparam

2015-11-03 Thread Ethan Rahn
Hello, Pinging again to try and get a response. Thanks for your time, Ethan On Tue, Oct 27, 2015 at 3:35 PM, Ethan Rahn wrote: > Hello, > > I'm trying to understand the tradeoffs of using "-dsaparam" in the openssl > "dhparam" command. I know that it

[openssl-users] Need help understanding tradeoffs of "-dsaparam" in dhparam

2015-10-27 Thread Ethan Rahn
Hello, I'm trying to understand the tradeoffs of using "-dsaparam" in the openssl "dhparam" command. I know that it won't create a strong prime, but I'm not understanding the tradeoffs with that very well. The wikipedia page says that primes with the st