Re: EVP DES, was: EVP_CipherInit() doesn't check for weak DES keys (0.9.6)
> Out of 2^56 DES keys, there are four weak keys and 12 semi-weak keys. The odds of getting a weak key are incredibly slight. Most people don't bother to check, and it isn't considered a security risk.

True, weak or semi-weak keys are improbable. I was thinking more about maintaining proper key parity. Does a client of EVP need to worry about making sure that if DES is the underlying cipher, that passed keys have the proper parity?

Thanks,
James

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
[PATCH] Undefined identifiers in objects.txt
Hello,

I was in for a surprise when I added some custom objects into objects.txt.

Since I wanted to use our private enterprises OIDs, I used the form:

enterprises 1527 1 : myobj : My Object

(same form as the dcObject already in there)

However, enterprises is undefined, so my object ended up at the root (i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.

I hacked a bit in objects.pl to catch this gotcha:

--- openssl-SNAP-20020402/crypto/objects/objects.pl Mon Dec 3 15:01:26 2001 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.pl Thu Apr 4 11:12:46 2002 @@ -210,6 +210,8 @@ if (!($a[0] =~ /^[0-9]+$/)) { $a[0] =~ s/-/_/g; + if (!defined($obj{$a[0]})) + { die $ARGV[0]:$o:Undefined identifier ,$a[0],\n; } $pref_oid = OBJ_ . $a[0]; $pref_sep = ,; shift @a;

As it turns out, both private and enterprises are undefined, so objects.txt needs to be fixed to make it compile at all. This patch seemed least intrusive:

-- openssl-SNAP-20020402/crypto/objects/objects.txt Tue Mar 26 19:01:01 2002 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.txtThu Apr 4 10:15:27 +2002 @@ -699,10 +699,10 @@ internet 6 : snmpv2: SNMPv2 internet 7 : mail : Mail -private 1 : enterprises : Enterprises +Private 1 : enterprises : Enterprises # RFC 2247 -enterprises 1466 344 : dcobject : dcObject +Enterprises 1466 344 : dcobject : dcObject # What the hell are these OIDs, really? !Cname rle-compression

So now dcObject ends up having the (presumably) intended OID 1.3.6.1.4.1.1466.344.

I'm also a bit suspicious about the OIDs of secp192r1 and secp256r1. In obj_dat.h they both end up having OID 0. Their corresponding OBJ_ macros in obj_mac.h get mapped to OBJ_X9_62_prime{192,256}v1 (of which I suppose they are aliases), though, so it may be OK. I'm not into all the gory details of this magic - it just looked a bit odd to me...

Regards,
Svenning
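Review bot: in the objects.pl hunk, the added `die` line reads `die $ARGV[0]:$o:Undefined identifier ,$a[0],\n;` with no quoting around the message text, which is not valid Perl as shown; the literal parts need to be quoted strings joined with the variables. The check also runs after `$a[0] =~ s/-/_/g;`, so the message reports the underscored form of the name rather than the spelling used in objects.txt; keeping the original token before the substitution and printing that would make the error easier to match against the input line.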
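Review bot: in the objects.txt hunk, the changed prefixes `Private` and `Enterprises` are capitalised while the unchanged context lines still use a lowercase prefix (`internet 6 : snmpv2: SNMPv2`), and nothing in the file says which spelling a prefix is resolved against. A comment next to `+Private 1 : enterprises : Enterprises` stating why the capitalised form is the defined identifier, or a lowercase alias for it, would keep the next custom entry from repeating the `enterprises 1527 1` mistake.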
Re: VxWorks and OPEN SSL questions -
Praveen> Hi I am building an openssl image on to the Vxworks platform.
[snip]
Praveen> My Priority is reduce the image size , as this is very
Praveen> critical in RTOS. My Questions are : Crypto directory is

This is more of an application question than development. The answer is quite simple. Add these compiler flags, for example,

-DVXWORKS=1 -DGETPID_IS_MEANINGLESS -DNO_CHMOD -DNO_BF=1 -DNO_MD4=1 \
-DNO_RC2=1 -DNO_RC5=1 -DNO_IDEA=1 -DNO_CAST=1 -DNORIPEMD=1 -DNO_HMAC=1 \
-DNO_MDC2=1 -DNO_ERR=1 -Wall

etc. Most defines are detailed in `evp.h'. I particularly like the NO_IDEA define. The NO_ERR can save a significant amount of space on an embedded platform. Also, if you build the source as a library, and your code doesn't make use of server, client, SSLv2, TLS, etc. code, the linker will exclude a lot.

hth,
Bill Pringlemeir.
Re: [PATCH] Undefined identifiers in objects.txt
On Thu, Apr 04, 2002 at 12:23:26PM +0200, Svenning Sorensen wrote:
> Since I wanted to use our private enterprises OIDs, I used the form:
>
> enterprises 1527 1: myobj : My Object
>
> (same form as the dcObject already in there)
> However, enterprises is undefined, so my object ended up at the root (i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.
>
> I hacked a bit in objects.pl to catch this gotcha:

--- openssl-SNAP-20020402/crypto/objects/objects.pl Mon Dec 3 15:01:26 2001 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.pl Thu Apr 4 11:12:46 2002 @@ -210,6 +210,8 @@ if (!($a[0] =~ /^[0-9]+$/)) { $a[0] =~ s/-/_/g; + if (!defined($obj{$a[0]})) + { die $ARGV[0]:$o:Undefined identifier ,$a[0],\n; } $pref_oid = OBJ_ . $a[0]; $pref_sep = ,; shift @a;

> As it turns out, both private and enterprises are undefined, so objects.txt needs to be fixed to make it compile at all. This patch seemed least intrusive:

-- openssl-SNAP-20020402/crypto/objects/objects.txt Tue Mar 26 19:01:01 2002 +++ openssl-SNAP-20020402-sss/crypto/objects/objects.txt Thu Apr 4 10:15:27 2002 @@ -699,10 +699,10 @@ internet 6 : snmpv2: SNMPv2 internet 7 : mail : Mail -private 1: enterprises : Enterprises +Private 1: enterprises : Enterprises # RFC 2247 -enterprises 1466 344 : dcobject : dcObject +Enterprises 1466 344 : dcobject : dcObject

This makes sense to me. I have applied the patch, so it should be fixed in the next snapshot.

> I'm also a bit suspicious about the OIDs of secp192r1 and secp256r1. In obj_dat.h they both end up having OID 0. Their corresponding OBJ_ macros in obj_mac.h get mapped to OBJ_X9_62_prime{192,256}v1 (of which I suppose they are aliases), though, so it may be OK. I'm not into all the gory details of this magic - it just looked a bit odd to me...

I am not sure about these ones. Bodo Moeller overviewed these changes, based on changes submitted by Nils Larsch. I have copied them through on this email to receive their comments.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [PATCH] Undefined identifiers in objects.txt
From: Svenning Sorensen [EMAIL PROTECTED]

sss> I was in for a surprise when I added some custom objects into objects.txt.
sss>
sss> Since I wanted to use our private enterprises OIDs, I used the form:
sss>
sss> enterprises 1527 1 : myobj : My Object
sss>
sss> (same form as the dcObject already in there)
sss> However, enterprises is undefined, so my object ended up at the root
sss> (i.e. 1527.1 instead of 1.3.6.1.4.1.1527.1) without a warning.

To be perfectly honest, I think you're doing this the wrong way. I assume you're using the openssl command to do stuff, and in that case, the right thing is to have the desired extra OIDs in openssl.cnf. Here's an example from my toy CA (this chunk is placed at the beginning of the file):

--8--
oid_section = new_oids

#...

[ new_oids ]
LP=1.3.6.1.4.1.5168
LPpolicies=${LP}.1
LPpolicies_noAssurance=${LPpolicies}.1
LPpolicies_rudimentaryAssurance=${LPpolicies}.2
LPpolicies_basicAssurance=${LPpolicies}.3
LPpolicies_mediumAssurance=${LPpolicies}.4
LPpolicies_highAssurance=${LPpolicies}.5
LPpolicies_testAssurance=${LPpolicies}.10
--8--

The names given in the new_oids section can then be used anywhere where I'd have a built-in OID.

If you're building an application of your own, you should probably program the OIDs in whatever way you like to be used by it.

In all cases, messing with objects.txt is something I do not recommend, if for nothing else than because of all the magic in it.

And before someone asks: no, I haven't written any document about this arc yet. Actually, if someone knows the best way to publish something like that, I'd like to know.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Limiting key size
Hi folks,

how can one limit and enforce the key size that can be generated and used by openSSL and related utilities. The enforcement has to happen on multiple levels,

1. At generation.
2. Loading keys into the context.

I am presuming that the ciphers can be limited to a lower or higher strength by using the cipher call in openSSL.

Thanks
Baber :)
Blocking and non-blocking IO
Folks,

where can I get more info on blocking and non-blocking IO modes that openSSL operates in?

Thanks
Baber :)
Re: Limiting key size
At 11:54 04.04.2002 -0700, you wrote:
> Hi folks, how can one limit and enforce the key size that can be generated and used by openSSL and related utilities. The enforcement has to happen on multiple levels,
> 1. At generation.

See http://www.openssl.org/docs/apps/openssl.html

> 2. Loading keys into the context.

See http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html#

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
[no subject]
Hello,

I am trying to install Openssl on my computer: a fatal error return happens :

making all in crypto/sha...
cc -I.. -I../../include -DTHREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -std1 -tune host -fast -readonly_strings -c sha_dgst.c
Fatal: Insufficient virtual memory to continue compilation.

My computer is dec alpha xp1000 OSF 4.0F

Please - can you help me

Best regards,
[EMAIL PROTECTED]
tel: 33 (0)1 6915 8223
NB
Re: [PATCH] Undefined identifiers in objects.txt
At 20:40 04-04-2002, Richard Levitte - VMS Whacker wrote:
> To be perfectly honest, I think you're doing this the wrong way. I assume you're using the openssl command to do stuff, and in that case, the right thing is to have the desired extra OIDs in openssl.cnf.
> [snip]
> If you're building an application of your own, you should probably program the OIDs in whatever way you like to be used by it. In all cases, messing with objects.txt is something I do not recommend, if for nothing else than because of all the magic in it.

Hello, Richard,

Thanks for the tips. Yes, I am going to build my own application (actually, several smaller apps). However, during development, it's convenient to use the openssl command to create and/or check test certs. So I think it does make some sense to use objects.txt, at least while I'm still experimenting with the stuff. In the long run, I'll move things out, so my code can be used with an off-the-shelf openssl library.

Regards,
Svenning
Name space collision
We've created in the openCryptoki project a software token which uses openSSL's crypto routines... When running under the iplanet regression test suite we get a core dump in the key generation code... Tracing it down, the crash occurs in the SHA1_Update... one of the community members as a test changed the calls in the openSSL code to SHA1_Update to be FOO_SHA1_Update.

Any of the more experienced openSSL developers out there have any suggestions of things we may try with regard to linker options or other ideas that we could do to address this collision (I doubt that I'm going to be able to get netscape to change their function names :)

thanks for your help...

--
Steven A. Bade
UNIX Network Security Cryptographic Strategy and Development Architecture
[EMAIL PROTECTED]
T/L 678-4799
(512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219

Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want

this mess is so big and so bad and so tall, we cannot clean it up, there is no way at all (Cat in the Hat)
Looking for a current SSLWSock.zip
I'm looking for an old SSLWSock.zip file as shown here. I've tried google and altavista but all the links are long dead. Can anyone help me locate a url to this file?

[ssl-users] SSL socket for Delphi 3
Jan Tomasek ([EMAIL PROTECTED])
Mon, 31 Aug 1998 20:28:17 +0200

> Hi,
>
> I put on http://www.feld.cvut.cz/~xtomasej/download/SSLWSock.zip my library - interface for SSL for Delphi, there is to good TSSLWSock - class for basic socket communication and TSSLTnCnx - telnet client class both with example,
>
> It's only draft of future library, anything can be changed! I think that it will be useful for somehere.
>
> You will need Eric Young SSL library and Francois Piette ICS, see readme in zip and begin of library files for more info.
>
> It's free with full source, you must that are you using my library.
>
> I welcome any comment, suggestion, help
>
> Bye Jan
>
> Jan Tomasek, student FEL-CVUT
Re: Looking for a current SSLWSock.zip
On Fri, 5 Apr 2002, David Lyon wrote:
> I'm looking for an old SSLWSock.zip file as shown here. I've tried google and altavista but all the links are long dead. Can anyone help me locate a url to this file?
>
> [ssl-users] SSL socket for Delphi 3
> Jan Tomasek ([EMAIL PROTECTED])

Did you try Jan Tomasek's web page? It has the updated version, called myssl. http://www.tomasek.cz/myssl/index.html

Doug
__
Doug Kaufman
Internet: [EMAIL PROTECTED]
Re: Looking for a current SSLWSock.zip
Thanks Doug,

----- Original Message -----
From: Doug Kaufman [EMAIL PROTECTED]
To: David Lyon [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 05, 2002 3:52 PM
Subject: Re: Looking for a current SSLWSock.zip

> On Fri, 5 Apr 2002, David Lyon wrote:
> > I'm looking for an old SSLWSock.zip file as shown here. I've tried google and altavista but all the links are long dead. Can anyone help me locate a url to this file?
> >
> > [ssl-users] SSL socket for Delphi 3
> > Jan Tomasek ([EMAIL PROTECTED])
>
> Did you try Jan Tomasek's web page? It has the updated version, called myssl. http://www.tomasek.cz/myssl/index.html
>
> Doug
> __
> Doug Kaufman
> Internet: [EMAIL PROTECTED]
Re: your mail
On Thu, 4 Apr 2002, yves daignaux wrote:
> a fatal error return happens :
> making all in crypto/sha...
> cc -I.. -I../../include -DTHREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -std1 -tune host -fast -readonly_strings -c sha_dgst.c
> Fatal: Insufficient virtual memory to continue compilation.

I don't think sending this message to openssl-bugs is a good idea. It's not a bug in the OpenSSL code. Just read carefully the error message, and try to determine the cause of the error, then try to find a solution.

Hint: my understanding is that you don't have enough memory left. I think a good solution would be to call the administrator.

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
BC> sorry, but I couldn't help myself.
We noticed, but really, you shouldn't have; we weren't missing you enough yet.
-+- RM in http://neuneu.mine.nu : In a period of withdrawal -+-
Re: EVP DES, was: EVP_CipherInit() doesn't check for weak DES keys (0.9.6)
On Thu, Apr 04, 2002 at 04:07:47AM -0700, James Yonan wrote:
> I was thinking more about maintaining proper key parity. Does a client of EVP need to worry about making sure that if DES is the underlying cipher, that passed keys have the proper parity?

Generally, people just ignore the parity bits, however you can strictly check. IIRC, the default in OpenSSL (ie, the EVP interface) is to ignore them.

John