Re: EVP DES, was: EVP_CipherInit() doesn't check for weak DES keys (0.9.6)

2002-04-04 Thread James Yonan

> Out of 2^56 DES keys, there are four weak keys and 12 semi-weak keys.
> The odds of getting a weak key are incredibly slight.  Most people
> don't bother to check, and it isn't considered a security risk.

True, weak or semi-weak keys are improbable.

I was thinking more about maintaining proper key parity.  Does a client of
EVP need to worry about making sure that if DES is the underlying cipher,
that passed keys have the proper parity?

Thanks,

James


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[PATCH] Undefined identifiers in objects.txt

2002-04-04 Thread Svenning Sorensen

Hello,

I was in for a surprise when I added some custom objects into objects.txt.

Since I wanted to use our private enterprises OIDs, I used the form:

enterprises 1527 1  : myobj : My Object

(same form as the dcObject already in there)
However, enterprises is undefined, so my object ended up at the root
(i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.

I hacked a bit in objects.pl to catch this gotcha:

--- openssl-SNAP-20020402/crypto/objects/objects.pl Mon Dec  3 15:01:26 2001
+++ openssl-SNAP-20020402-sss/crypto/objects/objects.pl Thu Apr  4 11:12:46 2002
@@ -210,6 +210,8 @@
if (!($a[0] =~ /^[0-9]+$/))
{
$a[0] =~ s/-/_/g;
+   if (!defined($obj{$a[0]}))
+   { die $ARGV[0]:$o:Undefined identifier ,$a[0],\n; }
$pref_oid = OBJ_ . $a[0];
$pref_sep = ,;
shift @a;
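Review bot: the new `defined($obj{$a[0]})` test sits after `$a[0] =~ s/-/_/g`, so the die message reports the normalized name rather than the token as it was written in objects.txt; for an identifier containing a hyphen that makes the offending entry harder to grep for. Consider saving the original token before the substitution and printing that. A one-line comment saying that an undefined prefix used to be accepted silently, leaving the object at the root, would also explain why this is now fatal.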
=

As it turns out, both private and enterprises are undefined, so objects.txt needs
to be fixed to make it compile at all. This patch seemed least intrusive:

-- openssl-SNAP-20020402/crypto/objects/objects.txt Tue Mar 26 19:01:01 2002
+++ openssl-SNAP-20020402-sss/crypto/objects/objects.txtThu Apr  4 10:15:27 
+2002
@@ -699,10 +699,10 @@
 internet 6 : snmpv2: SNMPv2
 internet 7 : mail  : Mail
 
-private 1  : enterprises   : Enterprises
+Private 1  : enterprises   : Enterprises
 
 # RFC 2247
-enterprises 1466 344   : dcobject  : dcObject
+Enterprises 1466 344   : dcobject  : dcObject
 
 # What the hell are these OIDs, really?
 !Cname rle-compression
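Review bot: the two `+` lines switch the parent reference from `private`/`enterprises` to `Private`/`Enterprises`, which going by the context lines (`mail  : Mail`) appears to be the long-name column, but nothing in the hunk states that a parent must be referenced in that exact, case-sensitive form. Add a comment above these entries saying so, and check the rest of objects.txt for other lower-case parent references, since with the objects.pl check they become fatal rather than silently misplaced.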
=

So now dcObject ends up having the (presumably) intended OID 1.3.6.1.4.1.1466.344 .


I'm also a bit suspicious about the OIDs of secp192r1 and secp256r1.
In obj_dat.h they both end up having OID 0. Their corresponding OBJ_ macros
in obj_mac.h get mapped to OBJ_X9_62_prime{192,256}v1 (of which I suppose
they are aliases), though, so it may be OK.
I'm not into all the gory details of this magic - it just looked a bit odd to me...


Regards,
Svenning
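
The failure described in this message, as an added example that is not part of the original post and is not objects.pl: a small C model of how an entry's left-hand side is resolved, with the permissive behaviour next to a strict mode that rejects an undefined prefix. `resolve_oid`, `lookup` and the three-row `DEFINED` table are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed symbol table: names assumed to be defined earlier in the file. */
static const struct { const char *name, *oid; } DEFINED[] = {
    {"internet",    "1.3.6.1"},
    {"Private",     "1.3.6.1.4"},
    {"Enterprises", "1.3.6.1.4.1"},
};

static const char *lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof DEFINED / sizeof DEFINED[0]; i++)
        if (strlen(DEFINED[i].name) == len &&
            memcmp(DEFINED[i].name, name, len) == 0)
            return DEFINED[i].oid;
    return NULL;                      /* lookup is case-sensitive */
}

/* Resolve the left-hand side of an entry ("Enterprises 1527 1") to a dotted
 * OID. strict=0 models the behaviour reported in the thread: an unknown
 * prefix is dropped and the arcs land at the root. strict=1 rejects it.
 * Returns 0 on success, -1 on an undefined identifier, bad arc or overflow. */
int resolve_oid(const char *lhs, int strict, char *out, size_t outlen) {
    size_t used = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*lhs == ' ') lhs++;
    if (*lhs && !isdigit((unsigned char)*lhs)) {       /* symbolic prefix */
        size_t len = strcspn(lhs, " ");
        const char *base = lookup(lhs, len);
        if (!base && strict) return -1;                /* fail closed */
        if (base) used = (size_t)snprintf(out, outlen, "%s", base);
        if (used >= outlen) return -1;
        lhs += len;
    }
    for (;;) {                                         /* numeric arcs */
        while (*lhs == ' ') lhs++;
        if (!*lhs) break;
        size_t len = strspn(lhs, "0123456789");
        if (len == 0) return -1;
        int n = snprintf(out + used, outlen - used, "%s%.*s",
                         used ? "." : "", (int)len, lhs);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
        lhs += len;
    }
    return 0;
}
```

In permissive mode `enterprises 1527 1` resolves to `1527.1`, the misplaced OID from the report; in strict mode the same input is rejected, while `Enterprises 1527 1` resolves under 1.3.6.1.4.1.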




Re: VxWorks and OPEN SSL questions -

2002-04-04 Thread Bill Pringlemeir


Praveen> Hi I am building an openssl image on to the VxWorks platform.

[snip]

Praveen> My Priority is reduce the image size , as this is very
Praveen> critical in RTOS.  My Questions are : Crypto directory is

This is more of an application question than development.  The answer is
quite simple. Add these compiler flags, for example,

-DVXWORKS=1 -DGETPID_IS_MEANINGLESS -DNO_CHMOD -DNO_BF=1 -DNO_MD4=1 \
-DNO_RC2=1 -DNO_RC5=1 -DNO_IDEA=1 -DNO_CAST=1 -DNORIPEMD=1 -DNO_HMAC=1 \
-DNO_MDC2=1 -DNO_ERR=1 -Wall

etc.  Most defines are detailed in `evp.h'.  I particularly like the
NO_IDEA define.  The NO_ERR can save a significant amount of space
on an embedded platform.  Also, if you build the source as a library,
and your code doesn't make use of server, client, SSLv2, TLS,
etc. code, the linker will exclude a lot.

hth,
Bill Pringlemeir.




Re: [PATCH] Undefined identifiers in objects.txt

2002-04-04 Thread Lutz Jaenicke

On Thu, Apr 04, 2002 at 12:23:26PM +0200, Svenning Sorensen wrote:
> Since I wanted to use our private enterprises OIDs, I used the form:
>
> enterprises 1527 1: myobj : My Object
>
> (same form as the dcObject already in there)
> However, enterprises is undefined, so my object ended up at the root
> (i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.
>
> I hacked a bit in objects.pl to catch this gotcha:
>
 --- openssl-SNAP-20020402/crypto/objects/objects.pl   Mon Dec  3 15:01:26 2001
 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.pl   Thu Apr  4 11:12:46 
2002
 @@ -210,6 +210,8 @@
   if (!($a[0] =~ /^[0-9]+$/))
   {
   $a[0] =~ s/-/_/g;
 + if (!defined($obj{$a[0]}))
 + { die $ARGV[0]:$o:Undefined identifier ,$a[0],\n; }
   $pref_oid = OBJ_ . $a[0];
   $pref_sep = ,;
   shift @a;
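
Review bot: `die` inside the `if (!defined($obj{$a[0]}))` block stops at the first undefined identifier, so someone adding several custom objects has to fix and rerun once per bad entry. Consider recording each undefined identifier together with `$ARGV[0]` and `$o`, continuing the parse, and exiting non-zero at the end with the full list.
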
 =
 
> As it turns out, both private and enterprises are undefined, so objects.txt needs
> to be fixed to make it compile at all. This patch seemed least intrusive:
>
 -- openssl-SNAP-20020402/crypto/objects/objects.txt   Tue Mar 26 19:01:01 2002
 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.txt  Thu Apr  4 10:15:27 
2002
 @@ -699,10 +699,10 @@
  internet 6   : snmpv2: SNMPv2
  internet 7   : mail  : Mail
  
 -private 1: enterprises   : Enterprises
 +Private 1: enterprises   : Enterprises
  
  # RFC 2247
 -enterprises 1466 344 : dcobject  : dcObject
 +Enterprises 1466 344 : dcobject  : dcObject
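
Review bot: after the `+Enterprises 1466 344` change, the lower-case form used in the report (`enterprises 1527 1 : myobj : My Object`) is still undefined, so with the objects.pl check applied that entry aborts the run instead of resolving under 1.3.6.1.4.1. A comment next to the `Private 1 : enterprises : Enterprises` line showing the prefix that private-enterprise entries are expected to use would save the next person the same surprise.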

This makes sense to me. I have applied the patch, so it should be fixed in
the next snapshot.

> I'm also a bit suspicious about the OIDs of secp192r1 and secp256r1.
> In obj_dat.h they both end up having OID 0. Their corresponding OBJ_ macros
> in obj_mac.h get mapped to OBJ_X9_62_prime{192,256}v1 (of which I suppose
> they are aliases), though, so it may be OK.
> I'm not into all the gory details of this magic - it just looked a bit odd to me...

I am not sure about these ones. Bodo Moeller overviewed these changes, based
on changes submitted by Nils Larsch.
I have copied them through on this email to receive their comments.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: [PATCH] Undefined identifiers in objects.txt

2002-04-04 Thread Richard Levitte - VMS Whacker

From: Svenning Sorensen [EMAIL PROTECTED]

sss> I was in for a surprise when I added some custom objects into objects.txt.
sss>
sss> Since I wanted to use our private enterprises OIDs, I used the form:
sss>
sss> enterprises 1527 1 : myobj : My Object
sss>
sss> (same form as the dcObject already in there)
sss> However, enterprises is undefined, so my object ended up at the root
sss> (i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.

To be perfectly honest, I think you're doing this the wrong way.  I
assume you're using the openssl command to do stuff, and in that case,
the right thing is to have the desired extra OIDs in openssl.cnf.
Here's an example from my toy CA (this chunk is placed at the
beginning of the file):

--8--
oid_section = new_oids

#...

[ new_oids ]

LP=1.3.6.1.4.1.5168
LPpolicies=${LP}.1
LPpolicies_noAssurance=${LPpolicies}.1
LPpolicies_rudimentaryAssurance=${LPpolicies}.2
LPpolicies_basicAssurance=${LPpolicies}.3
LPpolicies_mediumAssurance=${LPpolicies}.4
LPpolicies_highAssurance=${LPpolicies}.5
LPpolicies_testAssurance=${LPpolicies}.10
--8--

The names given in the new_oids section can then be used anywhere
where I'd have a built-in OID.

If you're building an application of your own, you should probably
program the OIDs in whatever way you like to be used by it.  In all
cases, messing with objects.txt is something I do not recommend, if
for nothing else than because of all the magic in it.


And before someone asks: no, I haven't written any document about this
arc yet.  Actually, if someone knows the best way to publish something
like that, I'd like to know.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Limiting key size

2002-04-04 Thread Baber Amin

Hi folks, how can one limit and enforce the key size that can be
generated and used by openSSL and related utilities?  The enforcement
has to happen on multiple levels,

1.  At generation.
2.  Loading keys into the context.

I am presuming that the ciphers can be limited to a lower or higher
strength by using the cipher call in openSSL.

Thanks
Baber 
:)



Blocking and non-blocking IO

2002-04-04 Thread Baber Amin

Folks, where can I get more info on blocking and non-blocking IO modes
that openSSL operates in?

Thanks
Baber
:)



Re: Limiting key size

2002-04-04 Thread Richard Koenning

At 11:54 04.04.2002 -0700, you wrote:
> Hi folks, how can one limit and enforce the key size that can be
> generated and used by openSSL and related utilities?  The enforcement
> has to happen on multiple levels,
>
> 1.  At generation.

See http://www.openssl.org/docs/apps/openssl.html

> 2.  Loading keys into the context.

See http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html#

Ciao,
Richard
-- 
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH



[no subject]

2002-04-04 Thread yves daignaux


Hello,

I am trying to install Openssl on my computer:

a fatal error return happens :


making all in crypto/sha...
cc -I.. -I../../include -DTHREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -std1 -tune host 
-fast -readonly_strings -c sha_dgst.c
Fatal:  Insufficient virtual memory to continue compilation.


My computer is a DEC Alpha XP1000 running OSF 4.0F.


Please, can you help me?

Best regards,

 [EMAIL PROTECTED]
 tel: 33 (0)1 6915 8223

NB



Re: [PATCH] Undefined identifiers in objects.txt

2002-04-04 Thread Svenning Sorensen

At 20:40 04-04-2002, Richard Levitte - VMS Whacker wrote:

> To be perfectly honest, I think you're doing this the wrong way.  I
> assume you're using the openssl command to do stuff, and in that case,
> the right thing is to have the desired extra OIDs in openssl.cnf.

[snip]

> If you're building an application of your own, you should probably
> program the OIDs in whatever way you like to be used by it.  In all
> cases, messing with objects.txt is something I do not recommend, if
> for nothing else than because of all the magic in it.

Hello, Richard,

Thanks for the tips.

Yes, I am going to build my own application (actually, several smaller apps).

However, during development, it's convenient to use the openssl command
to create and/or check test certs. So I think it does make some sense
to use objects.txt, at least while I'm still experimenting with the stuff.
In the long run, I'll move things out, so my code can be used with an
off-the-shelf openssl library.

Regards,
Svenning




Name space collision

2002-04-04 Thread Steven Bade

We've created in the openCryptoki project a software token  which uses 
openSSL's crypto routines...   When running under the iplanet regression 
test suite we get a core dump in the key generation code... Tracing it 
down, the crash occurs in the SHA1_Update... one of the community 
members as a test changed the calls in the openSSL code to SHA1_Update 
to be FOO_SHA1_Update.

Any of the more experienced openSSL developers out there have any
suggestions of things we may try with regard to linker options or other
ideas that we could do to address this collision (I doubt that I'm
going to be able to get netscape to change their function names :)

thanks for your help...
-- 
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799

--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get where
we want

this mess is so big and so bad and so tall,
we cannot clean it up, there is no way at all
(Cat in the Hat)






Looking for a current SSLWSock.zip

2002-04-04 Thread David Lyon


I'm looking for an old SSLWSock.zip file as shown here. I've tried google
and altavista but all the links are long dead. Can anyone help me locate a
url to this file?
[ssl-users] SSL socket for Delphi 3
Jan Tomasek ([EMAIL PROTECTED])
Mon, 31 Aug 1998 20:28:17 +0200

Hi,
I put on
http://www.feld.cvut.cz/~xtomasej/download/SSLWSock.zip

my library - interface for SSL for Delphi, there is to
good TSSLWSock - class for basic socket communication
and TSSLTnCnx - telnet client class both with example,

It's only draft of future library, anything can be changed!
I think that it will be useful for someone.

You will need Eric Young SSL library and Francois Piette ICS,
see readme in zip and begin of library files for more info.

It's free with full source, you must that are you using my library.

I welcome any comment, suggestion, help



Bye Jan


Jan Tomasek, student FEL-CVUT






Re: Looking for a current SSLWSock.zip

2002-04-04 Thread Doug Kaufman

On Fri, 5 Apr 2002, David Lyon wrote:

> I'm looking for an old SSLWSock.zip file as shown here. I've tried google
> and altavista but all the links are long dead. Can anyone help me locate a
> url to this file?
> [ssl-users] SSL socket for Delphi 3
> Jan Tomasek ([EMAIL PROTECTED])

Did you try Jan Tomasek's web page? It has the updated version, called
myssl.
http://www.tomasek.cz/myssl/index.html
  Doug

__ 
Doug Kaufman
Internet: [EMAIL PROTECTED]




Re: Looking for a current SSLWSock.zip

2002-04-04 Thread David Lyon

Thanks Doug,

- Original Message -
From: Doug Kaufman [EMAIL PROTECTED]
To: David Lyon [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 05, 2002 3:52 PM
Subject: Re: Looking for a current SSLWSock.zip


> On Fri, 5 Apr 2002, David Lyon wrote:
>
> > I'm looking for an old SSLWSock.zip file as shown here. I've tried google
> > and altavista but all the links are long dead. Can anyone help me locate a
> > url to this file?
> > [ssl-users] SSL socket for Delphi 3
> > Jan Tomasek ([EMAIL PROTECTED])
>
> Did you try Jan Tomasek's web page? It has the updated version, called
> myssl.
> http://www.tomasek.cz/myssl/index.html
>   Doug
>
> __
> Doug Kaufman
> Internet: [EMAIL PROTECTED]




Re: your mail

2002-04-04 Thread Erwann ABALEA

On Thu, 4 Apr 2002, yves daignaux wrote:

> a fatal error return happens :
>
>
> making all in crypto/sha...
> cc -I.. -I../../include -DTHREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -std1 -tune host -fast -readonly_strings -c sha_dgst.c
> Fatal:  Insufficient virtual memory to continue compilation.

I don't think sending this message to openssl-bugs is a good idea. It's
not a bug in the OpenSSL code.

Just read carefully the error message, and try to determine the cause of
the error, then try to find a solution.

Hint: my understanding is that you don't have enough memory left.
I think a good solution would be to call the administrator.

-- 
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
BC> Sorry, but I couldn't help myself.
We noticed, but really, you shouldn't have; we weren't missing you
enough yet.
-+- RM in http://neuneu.mine.nu : In withdrawal -+-




Re: EVP DES, was: EVP_CipherInit() doesn't check for weak DES keys (0.9.6)

2002-04-04 Thread John Viega

On Thu, Apr 04, 2002 at 04:07:47AM -0700, James Yonan wrote:
 
> I was thinking more about maintaining proper key parity.  Does a client of
> EVP need to worry about making sure that if DES is the underlying cipher,
> that passed keys have the proper parity?

Generally, people just ignore the parity bits, however you can
strictly check.  IIRC, the default in OpenSSL (ie, the EVP interface)
is to ignore them.

John