Two things to consider with IPSec: key exchange mechanisms as provided by
packages like StrongSwan, and the actual encryption/authentication of
packets that is typically being done by the kernel stack and I believe is
based on the Kernel Crypto API. So I believe to do IPSec you do need both
crypto
In the Simple PKI example, step 5.4 "View PKCS#7 bundle", the "-in" option
points to "ca" directory, but the bundle was created in step 4.3 "Create
PKCS#7 bundle" in the "certs" directory. I.e.:
Step 4.3:
openssl crl2pkcs7 -nocrl \
-certfile ca/signing-ca.crt \
-certfile ca/root-ca.crt \
When the validation is obtained for FIPS Object Module v2.0, and that
version is officially released, will there also be an update to OpenSSL? Or
are those two now independent as long as v1.0.1 is used with the FIPS
module?
Thanks,
Kevin
On Tue, Feb 21, 2012 at 3:51 PM, Andy Polyakov wrote:
>> Another option (but shoot it down if its bogus :-): I noticed that if I
>> compile
>> fipscanister.o without "-fPIC", then the const variables do get placed in
>> the (really readonly) .rodata section as desired. I thought maybe if I did
>>
On Tue, Feb 21, 2012 at 1:11 PM, Andy Polyakov wrote:
>> Though in FIPS 2.0 there is new option that might work in this case.
>> Besides switching to another compiler that is. Introduced to rectify
>> situation with rodata segments not being position-independent on Win64,
>> defini
On Mon, Feb 20, 2012 at 5:18 AM, Andy Polyakov wrote:
>
> >>> Though in FIPS 2.0 there is new option that might work in this case.
> >>> Besides switching to another compiler that is. Introduced to rectify
> >>> situation with rodata segments not being position-independent on Win64,
> >>> defining
On Sun, Feb 19, 2012 at 3:50 PM, Kevin Fowler wrote:
>
>
> On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov wrote:
>
>> >>> After I had gotten the extra "-f" options from Harvey for this
>> platform
>> >>> (BSD-powerpc),
>> >
On Sun, Feb 19, 2012 at 11:52 AM, Andy Polyakov wrote:
> >>> After I had gotten the extra "-f" options from Harvey for this platform
> >>> (BSD-powerpc),
> >> Using -f[data|function]-sections options is inappropriate as they
> >> undermine the idea of "capturing" fipscanister code and rodata betw
On Sat, Feb 18, 2012 at 6:13 PM, Andy Polyakov wrote:
> > The key thing I realized is that the incore script that comes with the
> FIPS
> > Object Module v2.0 tarball
> > handles both native AND cross-compile scenarios.
>
> Even though FIPS 2.0 util/incore is capable of handling arbitrary ELF
>
On Fri, Feb 17, 2012 at 10:25 PM, Dr. Stephen Henson wrote:
> On Fri, Feb 17, 2012, Kevin Fowler wrote:
>
> > Thanks Harvey,
> > This seems to have worked as far as getting the .rodata section used.
> This
> > is what I see now:
> >
> > 001b5740 g O .r
Thanks Harvey,
This seems to have worked as far as getting the .rodata section used. This
is what I see now:
001b5740 g O .rodata 0010 FIPS_rodata_start
001b5750 l O .rodata 0011 FIPS_hmac_key
001b57bc g O .rodata 0036 FIPS_bn_version
001c1e08 g O .
Using FIPS module and FIPS capable OpenSSL (2.0/1.0.1) on a NetBSD platform.
I build FIPS module by hand to follow the build instructions, and copy it
into a fips sub-directory in openssl directory. I would like to build the
libcrypto.so library as part of the NetBSD cross-compile build (i.e.,
lau
I'm asking here about the header files with the same name in both
directories. I see that there are three fips-specific header files in the
fips-2.0 include directory - which I would guess is what is getting picked
up by the last "-I" in CFLAGS...
On Sun, Jan 29, 2012 at 2:19 P
When I build the FIPS module and install, it populates a
fips-2.0/include/openssl directory with a set of header files.
When I build the FIPS-capable OpenSSL library libcrypto, it has the
fips-2.0 include directory in its CFLAGS, but at the end. Since the FIPS
include directory has a subset of the
I noticed that for the FIPS Object module for "./config no-asm" the endian
flag is removed from CFLAGS.
But in openssl, this is not the case. So, e.g. for linux-ppc, openssl build
has -DB_ENDIAN flag, but fips build has no such flag.
I'm guessing that the powerpc gcc may default to big-endian, so
n question...
Kevin
On Wed, Nov 30, 2011 at 12:01 PM, Kevin Fowler wrote:
> I think I know the answer to this but I'm hoping I am wrong.
>
> I am building the FIPS Object Module v2.0 (a recent snapshot) on an
> x86-linux2 host for an embedded PowerPC target running NetBSD. Th
I think I know the answer to this but I'm hoping I am wrong.
I am building the FIPS Object Module v2.0 (a recent snapshot) on an
x86-linux2 host for an embedded PowerPC target running NetBSD. There is a
well-established and intricate build process already in place for the
product, and I am trying
Thanks Steve, I have a follow-up below - just checking I have it straight.
On Mon, Nov 21, 2011 at 10:11 AM, Dr. Stephen Henson wrote:
> On Fri, Nov 18, 2011, Kevin Fowler wrote:
>
>> Let me first say I have read the User Guide and Security Policy
>> repeatedly, as well as t
Let me first say I have read the User Guide and Security Policy
repeatedly, as well as the Incore Tutorial, looked through this users
group, and read anything else I could find - so I'm not being lazy,
although my questions may be pedestrian... Please correct any
misunderstandings along the way.
I
Thank you - that was my problem
On Tue, Nov 15, 2011 at 9:43 AM, Dr. Stephen Henson wrote:
> On Mon, Nov 14, 2011, Kevin Fowler wrote:
>
>> Hi,
>> I successfully built the FIPS 2.0 module (2010), its tests passed, and
>> it was installed correctly in /usr/local/ss
Hi,
I successfully built the FIPS 2.0 module (2010), its tests passed, and
it was installed correctly in /usr/local/ssl/fips-2.0.
I then build openssl 1.0.1 (2010):
./config fips shared
make
which all seems to go ok
Then I do:
make test
and eventually get this error:
...
Testing key g
23 matches