Re: [CVS] OpenSSL: openssl/crypto/engine/ engine.h openssl/crypto/evp/c_a...
Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Sat, 1 Feb 2003 21:55:30 +0100 (CET), Ben Laurie [EMAIL PROTECTED] said: ben OpenSSL CVS Repository ben http://cvs.openssl.org/ ben ben ben Server: cvs.openssl.org Name: Ben Laurie ben Root: /e/openssl/cvs Email: [EMAIL PROTECTED] ben Module: openssl Date: 01-Feb-2003 21:55:30 ben Branch: HEAD Handle: 2003020120552900 ben ben Modified files: ben openssl/crypto/engine engine.h ben openssl/crypto/evp c_all.c ben ben Log: ben Fix warning. ben ben Summary: ben RevisionChanges Path ben 1.49+3 -0 openssl/crypto/engine/engine.h ben 1.13+1 -0 openssl/crypto/evp/c_all.c ben ben ben patch -p0 '@@ .' ben Index: openssl/crypto/engine/engine.h ben ben $ cvs diff -u -r1.48 -r1.49 engine.h ben --- openssl/crypto/engine/engine.h 30 Jan 2003 17:39:21 - 1.48 ben +++ openssl/crypto/engine/engine.h 1 Feb 2003 20:55:29 - 1.49 ben @@ -685,6 +685,9 @@ ben * values. */ benvoid *ENGINE_get_static_state(void); ben ben +#if defined(__OpenBSD__) || defined(__FreeBSD__) ben +void ENGINE_setup_bsd_cryptodev(void); ben +#endif ben ben/* BEGIN ERROR CODES */ ben/* The following lines are auto generated by the script mkerr.pl. Any changes Hmm? What warning do you get if something is declared but never defined? Huh? The warning is that it is called but not declared. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
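Review bot: The new ENGINE_setup_bsd_cryptodev() prototype in engine.h carries no comment saying what it does or when it should be called, while the ENGINE_get_static_state() declaration just above it closes a descriptive comment block. Please add a one-line comment, and since the prototype only exists when __OpenBSD__ or __FreeBSD__ is defined, confirm that every call site is under the same #if so other platforms do not get the same called-but-not-declared warning.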
patch to 0.9.7 -performacne
Hi, I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but never heard back. Is this the wrong forum? The patch is to rsa_eay.c (attached), which adds cacheing of the montgomery context for n (in addition to p and q). This patch improves efficiency...normally the verify at the end of CRT does not use a cached context. In 0.9.7 right now, R^{-1} (Ri) for n must be recomputed on every decryption, an expensive operation. -david --- rsa_eay.c.orig 2003-01-20 19:16:46.0 -0800 +++ rsa_eay.c 2003-01-20 19:17:54.0 -0800 @@ -533,6 +533,31 @@ if (bn_mont_ctx) BN_MONT_CTX_free(bn_mont_ctx); } + + if (rsa-_method_mod_n == NULL) + { + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa-n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa-_method_mod_n == NULL) /* other thread may have +finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa-_method_mod_n == NULL) + { + rsa-_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); + } + } if (!BN_mod(r1,I,rsa-q,ctx)) goto err; @@ -565,7 +590,7 @@ if (rsa-e rsa-n) { - if (!rsa-meth-bn_mod_exp(vrfy,r0,rsa-e,rsa-n,ctx,NULL)) goto err; + if +(!rsa-meth-bn_mod_exp(vrfy,r0,rsa-e,rsa-n,ctx,rsa-_method_mod_n)) goto err; /* If 'I' was greater than (or equal to) rsa-n, the operation * will be equivalent to using 'I mod n'. However, the result of * the verify will *always* be less than 'n' so we don't check
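Review bot: In the first hunk the new block hands rsa->n to BN_MONT_CTX_set() without checking it, while the verify code in the second hunk only runs when rsa->e and rsa->n are both set, so a key without n reaches the new setup before that guard does. Put the _method_mod_n setup under the same test, or move it into the verify branch next to its only use. The first test of rsa->_method_mod_n is also made outside CRYPTO_LOCK_RSA; the re-check under CRYPTO_w_lock covers the race, but the comment should say that a losing thread frees its own context. Because the new block sits inside the enclosing brace, the bn_mod_exp call in the second hunk can still receive NULL when that branch was skipped; a short comment there stating that NULL is an accepted fallback would help.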
RE: [openssl.org #463] PATCH
Maybe it will change when all legal issues are resolved, I hope. For now, I want to be sure that all possible combinations for aix shared build are tested (so far successfully) and when corresponding changes could be included into the next release? I hope everything is OK.

Vladimir

-----Original Message-----
From: Rich Salz via RT [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 11:15 AM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH

> 2)Perhaps I did not make it clear but our policy is not to include any cryptographic software directly into our applications.

You might want to reconsider this policy. Do you expect much revenue from the banned country list? Is it worth the development and support cost of keeping track with openssl versions? Are you sure that you are not in violation if you say install openssl on your own? (The answer to that last question *used* to be: yes, you are in violation. Now, I don't know.)

/r$
Re: [openssl.org #359] Calling SSL_read and SSL_write with non-empty error stack may cause an error
Arne Ansper [EMAIL PROTECTED]:

>> Like I say, they should only do this if there was an error reported, surely?

> No. Take a look at the SSL_CTX_use_certificate_chain_file:
>
>     ret=SSL_CTX_use_certificate(ctx,x);
>     if (ERR_peek_error() != 0)
>         ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */

Actually I think this is a bug in SSL_CTX_use_certificate() -- if it intentionally ignores an error returned by X509_check_private_key(), it should call ERR_clear_error().

The reason why I did not fix this when I looked at this some time ago is some rather weird code in ssl_set_cert(), the function used by SSL_CTX_use_certificate() from which X509_check_private_key() is called. (If you look at ssl_set_cert(), you'll see that it switches from SSL_PKEY_DH_RSA to SSL_PKEY_DH_DSA and the other way around, which does not appear to make much sense.) Investigating this has been on my to do list for a while.

Once this has been resolved, the lines

    if (ERR_peek_error() != 0)
        ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */

can be removed from SSL_CTX_use_certificate_chain_file().

-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
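The failure mode discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a toy error queue shows how an entry left behind by a setter that ignores a key/certificate mismatch makes a later would-block read look like an error, and how clearing where the error is ignored, or before the I/O call, avoids it. Every `toy_` name and error code is a hypothetical stand-in, and the caller is assumed to classify a failed I/O call by peeking at the queue.

```c
#include <stdio.h>

/* Toy stand-in for a per-thread error queue. Not OpenSSL's API: every
 * toy_ name and every code below is constructed for this example. */
#define TOY_Q_MAX 8
#define TOY_R_KEY_MISMATCH 0x1001UL

enum toy_io { TOY_IO_OK, TOY_IO_WANT_READ, TOY_IO_ERROR };

static unsigned long toy_q[TOY_Q_MAX];
static int toy_q_len;

static void toy_err_put(unsigned long code)
{
    if (toy_q_len < TOY_Q_MAX)
        toy_q[toy_q_len++] = code;
}
static unsigned long toy_err_peek(void) { return toy_q_len ? toy_q[0] : 0; }
static void toy_err_clear(void) { toy_q_len = 0; }

struct toy_ctx { int cert_id; int key_id; };   /* 0 means "not set" */

/* Reports a mismatch by return value AND by queueing an error. */
static int toy_check_private_key(int cert_id, int key_id)
{
    if (cert_id != key_id) {
        toy_err_put(TOY_R_KEY_MISMATCH);
        return 0;
    }
    return 1;
}

/* Installs a certificate. A mismatch with the key already in the context is
 * deliberately not fatal: the stale key is dropped and 1 is returned. With
 * clear_ignored == 0 the queued error is left behind (the behaviour the
 * thread calls a bug); with 1 it is cleared where the error is ignored. */
static int toy_use_certificate(struct toy_ctx *c, int cert_id, int clear_ignored)
{
    if (c->key_id != 0 && !toy_check_private_key(cert_id, c->key_id)) {
        c->key_id = 0;
        if (clear_ignored)
            toy_err_clear();
    }
    c->cert_id = cert_id;
    return 1;
}

/* A non-blocking read with no data ready: fails with -1, queues nothing. */
static int toy_read_would_block(void) { return -1; }

/* Classifies an I/O result the way a caller that consults the queue does:
 * on failure, any queued entry is taken as the cause. */
static enum toy_io toy_classify(int ret)
{
    if (ret > 0)
        return TOY_IO_OK;
    return toy_err_peek() != 0 ? TOY_IO_ERROR : TOY_IO_WANT_READ;
}

/* Setup with a mismatched key, then one would-block read. */
static enum toy_io scenario(int clear_in_setter, int clear_before_io)
{
    struct toy_ctx c = { 0, 7 };                  /* key 7 already loaded */
    toy_err_clear();
    toy_use_certificate(&c, 9, clear_in_setter);  /* cert 9: mismatch */
    if (clear_before_io)
        toy_err_clear();                          /* defensive caller */
    return toy_classify(toy_read_would_block());
}

int main(void)
{
    printf("leaky setter, no clear:      %s\n",
           scenario(0, 0) == TOY_IO_ERROR ? "spurious error" : "want read");
    printf("setter clears ignored error: %s\n",
           scenario(1, 0) == TOY_IO_ERROR ? "spurious error" : "want read");
    printf("caller clears before I/O:    %s\n",
           scenario(0, 1) == TOY_IO_ERROR ? "spurious error" : "want read");
    return 0;
}
```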
RE: [openssl.org #479] support version independent upgrade
Actually, I'd prefer that I wouldn't have to relink and redistribute my application every time a security patch comes out for OpenSSL. I haven't seen any issues in our application upgrading from 0.9.6 to 0.9.7 using this non version technique on our local development nodes.

The version technique doesn't just prevent backward compatibility but it prevents users from getting potential security upgrades that *may* work just fine. It's definitely not a desirable distribution scenario as it sits now. It forces developers to do relinks and redistribute whether they're needed or not.

-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 2:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Jim Sahaj
Subject: Re: [openssl.org #479] support version independent upgrade

In message [EMAIL PROTECTED] on Mon, 27 Jan 2003 22:40:24 +0100 (MET), via RT [EMAIL PROTECTED] said:

rt> Currently, on many Unix platforms I link my application against
rt> libssl.so and libcrypto.so. Typically, these are links set to resolve
rt> down to the versioned types of these files, like libssl.so.0.9.7 and
rt> libcrypto.so.0.9.7. The internal names of these shared objects
rt> include the major and minor version so even though I link against the
rt> shared objects without the version, such as libssl.so, my application
rt> becomes tied to the versioned shared objects at link time, for
rt> instance libssl.so.0.9.7.

There's a reason: until OpenSSL 1, we don't guarantee backward binary compatibility. There are technical reasons for this, like the need to make changes to published structures (it may be argued that it shouldn't be needed, but to achieve such flexibility, we either need to hide them (which would require huge changes for everyone) or redo them in such a way that they become rather generic) and other stuff.

Because of this, we're forced to do what we currently do with shared libraries.

Perhaps you'd prefer that your applications crash mysteriously and in an unrecoverable manner?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: [CVS] OpenSSL: openssl/crypto/engine/ engine.hopenssl/crypto/evp/ c_a...
In message [EMAIL PROTECTED] on Sun, 02 Feb 2003 12:34:54 +, Ben Laurie [EMAIL PROTECTED] said:

ben> Richard Levitte - VMS Whacker wrote:
ben> > Hmm? What warning do you get if something is declared but never
ben> > defined?
ben>
ben> Huh? The warning is that it is called but not declared.

Ah. Sorry, my brain was apparently out for lunch or something.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
[openssl.org #451] SX6 port
[[EMAIL PROTECTED] - Sat Feb 1 00:59:01 2003]:

> $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
> Generating a 1024 bit RSA private key
> ++
> ..++
> writing new private key to 'privkey.pem'
> -
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (eg, YOUR name) []:
> Email Address []:

OK so that seems to work. Maybe it's just when x509 does it. Can you try:

openssl req -new -nodes -out req.pem -rand /tmp/somefile

then

openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem

if that second command dumps core then a stack trace under a debugger would help a lot.

Thanks, Steve.
openssl req prompting behavior
The openssl req command, when set up to prompt for the Distinguished Name, uses fgets() to read the Distinguished Name fields. This means that if someone uses the backspace key, a 0x08 character is inserted wherever they typed the backspace key.

Would it be possible/easy to add support for the GNU readline library to avoid this problem, at least on Linux machines?

- Joel Daniels

P. S. I am not on the openssl-dev list, so please CC me in on any replies.
[PATCH] version independent link on solaris
The following allows for a version independent link on Solaris. Before, when I linked against libssl.so and libcrypto.so there would be a dependency between libssl.so and libcrypto.so.0.9.7 because the dynamic section name contained the major and minor versions. I removed the versions from the shared object's dynamic section names so that linking against the version independent shared objects will work without any version dependencies. - diff -e old new ed - Makefile.org '-*-END-*-' 363c -h lib$$i.so \
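Review bot: Replacing line 363 of Makefile.org with `-h lib$$i.so \` records an unversioned name in every shared object, so an application linked against one release will load whichever lib$$i.so is installed later. The developers state elsewhere in this thread that binary compatibility is not provided across releases, so this should at least be opt-in through a Configure option rather than the default. The change is also an ed script with no context lines; please resend it as a unified diff so it can be applied to a tree that has moved on.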
RE: [openssl.org #463] PATCH
1)I checked env OBJECT_MODE=64 make in openssl-0.9.7-snapshot... for 2 cases:
-automatically configured by ./Configure aix64-cc ... shared, using *.exp files
-when Makefile.org is modified to use -bautoexp instead of using *.exp files (the changes are the same which you asked for 32 bit) and then ./Configure aix64-cc ... shared is run

In both cases static and shared libraries were successfully built. As I said earlier, usual make can also work for aix64-cc, with *.exp (ld -b64 -r -o ..., nm -X 64 ...) as well as with -bautoexp (I have already sent you corresponding changes). Now, whether you want to build by usual make, env OBJECT_MODE=64 make, with *.exp or -bautoexp, is up to you. Does it finally cover all possible combinations you wanted to test?

***Mainly for US based developers**

2)Perhaps I did not make it clear but our policy is not to include any cryptographic software directly into our applications. The reason is that one of the latest US laws prohibits exporting cryptography to certain countries (especially those supporting terrorism). OpenSSL itself, as I understand, is legally OK for public availability because it is non-commercial and already posted on the Web. However, we are not in the position to export it (although using it is always OK). This, in fact, is said in references from openssl README files

http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html
http://w3.access.gpo.gov/bis/ear/pdf/740.pdf Section 740.13(e), p.25

Therefore, the acceptable legal solution for us is to build application which can use openssl but in such a way that the user himself would be responsible for installation of openssl, creating libssl.so libcrypto.so which would then be dynamically loaded by our application. Those who started before the mentioned law was adopted, didn't have to worry at that time.

Of course, you can say that openssl is accessible to everyone from the Web but that is another question because you are allowed to export your own, non-commercial product (although I am not a lawyer to give any legal conclusion). Maybe, we will add some additional measures which would not allow unauthorized users to use SSL in our software. Anyway, this is our policy based on the law and for now it remains in effect.

Do I understand that binary compatibility for shared libraries is expected since 1.0 release?

Vladimir

-----Original Message-----
From: Andy Polyakov via RT [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 21, 2003 3:14 PM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH

> 1)I just got aix64-cc shared build succeed with -bautoexp. It was possible to modify Makefile pretty similar to aix43-cc.
^^

But the challenge is to construct the rule which can be parametrized through configure line. But as already mentioned, I'd appreciate if you could verify if 'env OBJECT_MODE=64 make' works with snapshot configured with './Configure aix64-cc shared'.

> 2)You are right, the version openssl-0.9.7 did not contain 0.9.7 extension for aix but in my changes (which appear to be in snapshot version) I included these extensions to be consistent with other platforms where shared build contain these extension.

Right! Without access I'm bound to miss such things:-)

> I made experimental builds without extensions just for myself; I didn't send you such changes to Makefile. The reason I did that for myself is that if you link a module, say module.so with soname
^^

Does AIX support soname or similar option? There was nothing of that sort in ld manual page I've found on the web...

> libcrypto.so.0.9.6, you can not then dynamically load it with libcrypto.so.0.9.7.

And that is *intentional*! We don't want users to load 0.9.7 library into an application originally linked with 0.9.6.

> (we are not physically including libssl.so... libcrypto.so... into our software and SSL connection will work if the user installs openssl himself).

You should *not* rely on this and should consider providing copy of shared libs with your application. Yes, it might appear a bit meaningless, you could as well link it statically, but that's the way it is. Binary compatibility is *not* provided across OpenSSL releases and interchanging .so modules *might* result in unpredictable result and it will be hell to troubleshoot.

A.
RSA Methods based on cyptoAPI
Hi,

I'm trying to develop some RSA methods based on Microsoft CryptoAPI. I need to know if exists some open source code or example for the implementation of rsa_priv_enc and rsa_priv_dec using the private key on a smart card.

Thank you very much

Emanuele
[PATCH]shared objects for 64bit AIX
The patch below builds shared objects for 64bit AIX for openssl097. - diff -e old new: ed - Configure '-*-END-*-' 443c aix64-cc, cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::dlfcn:aix64-shared::-b64::ranlib -X64:-X 64,
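Review bot: The replacement aix64-cc entry names aix64-shared as its shared-library target, but the script only changes line 443 of Configure, so nothing here shows a matching aix64-shared rule in Makefile.org. Include that rule in the same patch or state which tree already provides it. As an ed script (`443c`) without context, this also applies cleanly only to the exact Configure revision it was made from; a unified diff would be easier to review and merge.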
[openssl.org #489] patch to 0.9.7 -performacne
Hi,

I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but never heard back. Is this the wrong forum?

The patch is to rsa_eay.c (attached), which adds caching of the Montgomery context for n (in addition to p and q). This patch improves efficiency...normally the verify at the end of CRT does not use a cached context. In 0.9.7 right now, R^{-1} (Ri) for n must be recomputed on every decryption, an expensive operation.

-david
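What caching the Montgomery context for n saves, as an added example that is not the patch's or OpenSSL's code: a 64-bit toy RSA-CRT private operation with the final verify step, counting how many contexts are built with and without a cached context for n. The key (two small well-known primes), all names, and the single-threaded caching without locks are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

__extension__ typedef unsigned __int128 u128;

/* Toy Montgomery context for an odd modulus n < 2^63, with R = 2^64. */
typedef struct { uint64_t n, ninv, rr; } mont_ctx; /* ninv = -n^-1 mod R, rr = R^2 mod n */
static long mont_setups;                           /* counts context builds */

static void mont_set(mont_ctx *m, uint64_t n)
{
    uint64_t inv = n, x = 1;      /* n*n == 1 (mod 8): 3 correct bits to start */
    int i;
    for (i = 0; i < 5; i++)       /* each Newton step doubles the correct bits */
        inv *= 2 - n * inv;
    for (i = 0; i < 128; i++)     /* x = 2^128 mod n by repeated doubling */
        x = (x >= n - x) ? x - (n - x) : x + x;
    m->n = n; m->ninv = 0 - inv; m->rr = x;
    mont_setups++;
}

/* Montgomery product a*b*R^-1 mod n, for a, b < n. */
static uint64_t mont_mul(const mont_ctx *m, uint64_t a, uint64_t b)
{
    u128 t = (u128)a * b;
    uint64_t q = (uint64_t)t * m->ninv;
    u128 u = (t + (u128)q * m->n) >> 64;
    return (uint64_t)(u >= m->n ? u - m->n : u);
}

static uint64_t mont_exp(const mont_ctx *m, uint64_t base, uint64_t e)
{
    uint64_t x = mont_mul(m, base % m->n, m->rr);  /* into Montgomery form */
    uint64_t acc = mont_mul(m, 1, m->rr);          /* R mod n, i.e. "1" */
    for (; e; e >>= 1) {
        if (e & 1) acc = mont_mul(m, acc, x);
        x = mont_mul(m, x, x);
    }
    return mont_mul(m, acc, 1);                    /* out of Montgomery form */
}

static uint64_t mod_inv(uint64_t a, uint64_t m)    /* assumes gcd(a, m) == 1 */
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m), q, tmp;
    while (nr) {
        q = r / nr;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct {
    uint64_t n, e, p, q, dmp1, dmq1, iqmp;
    mont_ctx mp, mq, mn;
    int have_p, have_q, have_n;                    /* lazily filled caches */
} toy_rsa;

static void toy_rsa_init(toy_rsa *k)               /* constructed toy key */
{
    k->p = 1000000007ULL; k->q = 998244353ULL; k->e = 65537;
    k->n = k->p * k->q;
    k->dmp1 = mod_inv(k->e, k->p - 1);
    k->dmq1 = mod_inv(k->e, k->q - 1);
    k->iqmp = mod_inv(k->q, k->p);
    k->have_p = k->have_q = k->have_n = 0;
}

static const mont_ctx *cached(mont_ctx *m, int *have, uint64_t mod)
{
    if (!*have) { mont_set(m, mod); *have = 1; }
    return m;
}

/* CRT private operation followed by the verify r^e == c (mod n). With
 * cache_n == 0 the context for n is rebuilt on every call. */
static int rsa_crt_private(toy_rsa *k, uint64_t c, int cache_n, uint64_t *out)
{
    const mont_ctx *mp = cached(&k->mp, &k->have_p, k->p);
    const mont_ctx *mq = cached(&k->mq, &k->have_q, k->q);
    const mont_ctx *mn;
    mont_ctx tmp;
    uint64_t m1, m2, h, r;
    if (cache_n) mn = cached(&k->mn, &k->have_n, k->n);
    else { mont_set(&tmp, k->n); mn = &tmp; }
    m1 = mont_exp(mp, c, k->dmp1);
    m2 = mont_exp(mq, c, k->dmq1);
    h = (uint64_t)(((u128)k->iqmp * ((m1 + k->p - m2 % k->p) % k->p)) % k->p);
    r = m2 + h * k->q;
    if (mont_exp(mn, r, k->e) != c % k->n) return 0;   /* verify failed */
    *out = r;
    return 1;
}

/* Returns the number of contexts built over `rounds` operations, -1 on error. */
static long run_rounds(int cache_n, int rounds)
{
    toy_rsa k; mont_ctx pub; uint64_t out; int i;
    toy_rsa_init(&k);
    mont_set(&pub, k.n);
    mont_setups = 0;
    for (i = 0; i < rounds; i++) {
        uint64_t msg = 123456789ULL + (uint64_t)i;
        if (!rsa_crt_private(&k, mont_exp(&pub, msg, k.e), cache_n, &out) || out != msg)
            return -1;
    }
    return mont_setups;
}

int main(void)
{
    printf("contexts built, n not cached: %ld\n", run_rounds(0, 100));
    printf("contexts built, n cached:     %ld\n", run_rounds(1, 100));
    return 0;
}
```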
Re: patch to 0.9.7 -performacne
In message [EMAIL PROTECTED] on 23 Jan 2003 11:53:09 -0800, David Brumley [EMAIL PROTECTED] said:

dbrumley> I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but
dbrumley> never heard back. Is this the wrong forum?

It's in our RT database, it just hasn't been dealt with yet...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: RSA Methods based on cyptoAPI
On Fri, Jan 24, 2003, Aonzo Emanuele wrote:

> Hi,
> I'm trying to develop some RSA methods based on Microsoft CryptoAPI. I need to know if exists some open source code or example for the implementation of rsa_priv_enc and rsa_priv_dec using the private key on a smart card.

I've some private code that does this but nothing released.

CryptoAPI does not have an equivalent of rsa_priv_enc. It does however have an equivalent to rsa_sign which you can get to in a roundabout way by creating appropriate message digest contexts and setting the digest value, then signing the context.

This will give you enough for general message digest signing (e.g. S/MIME, certificate signing) and SSL client authentication.

rsa_priv_dec in theory is provided by CryptDecrypt() and this does work for some CSPs: the enhanced CSP can handle this. However many smart card CSPs do not implement the necessary functionality. Workarounds exist if the CSP handles the conventional key exchange using CryptImportKey() provided you want a standard key size.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: [openssl.org #451] SX6 port
Stephen Henson via RT wrote:

> [[EMAIL PROTECTED] - Sat Feb 1 00:59:01 2003]:
>
>> $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
>> Generating a 1024 bit RSA private key
>> ++
>> ..++
>> writing new private key to 'privkey.pem'
>> -
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -
>> Country Name (2 letter code) [AU]:
>> State or Province Name (full name) [Some-State]:
>> Locality Name (eg, city) []:
>> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
>> Organizational Unit Name (eg, section) []:
>> Common Name (eg, YOUR name) []:
>> Email Address []:
>
> OK so that seems to work. Maybe it's just when x509 does it. Can you try:
>
> openssl req -new -nodes -out req.pem -rand /tmp/somefile

$ ./openssl req -new -nodes -out req.pem -rand /tmp/somefile
Generating a 1024 bit RSA private key
++
..++
writing new private key to 'privkey.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

> then
>
> openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem

$ ./openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Eric the Young
core dumping
Bus error (core dumped)

> if that second command dumps core then a stack trace under a debugger would help a lot.

will have to wait a bit. i've never done that before and it's hiding the #$%! core file. i'll forward another email when i have one for you.

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154
Re: [openssl.org #451] SX6 port
how's this?

* 0 getrn(lh = 0x000404092290, data = 0x00040409d930, rhash = 0x00801a40), line 430 in lhash.c
  1 lh_insert(lh = 0x000404092290, data = 0x00040409d930), line 189 in lhash.c
  2 OBJ_add_object(obj = 0x000404088a00), line 253 in obj_dat.c
  3 OBJ_create(oid = 0x40400c990 2.9.3, sn = 0x40400c9a0 SET.ex3, ln = 0x40400c9b0 SET x509v3 extension 3), line 660 in obj_dat.c
  4 x509_main(argc = 0, argv = 0x00800278), line 621 in x509.c
  5 do_cmd(prog = 0x00040408e120, argc = 8, argv = 0x00800238), line 379 in openssl.c
  6 main(Argc = 8, Argv = 0x00800238), line 298 in openssl.c
  7 _start(0x8, 0x800238, 0x800280) at 0x4057c

Stephen Henson via RT wrote:

> [[EMAIL PROTECTED] - Sat Feb 1 00:59:01 2003]:
>
>> $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
>> Generating a 1024 bit RSA private key
>> ++
>> ..++
>> writing new private key to 'privkey.pem'
>> -
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -
>> Country Name (2 letter code) [AU]:
>> State or Province Name (full name) [Some-State]:
>> Locality Name (eg, city) []:
>> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
>> Organizational Unit Name (eg, section) []:
>> Common Name (eg, YOUR name) []:
>> Email Address []:
>
> OK so that seems to work. Maybe it's just when x509 does it. Can you try:
>
> openssl req -new -nodes -out req.pem -rand /tmp/somefile
>
> then
>
> openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem
>
> if that second command dumps core then a stack trace under a debugger would help a lot.
>
> Thanks, Steve.

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154
Re: [openssl.org #451] SX6 port
i forgot to add- dbx's message says:

SIGSEGV (absentee space fault) in getrn at line 430 in file lhash.c
couldn't read lhash.c

Wendy Palm wrote:

> how's this?
>
> * 0 getrn(lh = 0x000404092290, data = 0x00040409d930, rhash = 0x00801a40), line 430 in lhash.c
>   1 lh_insert(lh = 0x000404092290, data = 0x00040409d930), line 189 in lhash.c
>   2 OBJ_add_object(obj = 0x000404088a00), line 253 in obj_dat.c
>   3 OBJ_create(oid = 0x40400c990 2.9.3, sn = 0x40400c9a0 SET.ex3, ln = 0x40400c9b0 SET x509v3 extension 3), line 660 in obj_dat.c
>   4 x509_main(argc = 0, argv = 0x00800278), line 621 in x509.c
>   5 do_cmd(prog = 0x00040408e120, argc = 8, argv = 0x00800238), line 379 in openssl.c
>   6 main(Argc = 8, Argv = 0x00800238), line 298 in openssl.c
>   7 _start(0x8, 0x800238, 0x800280) at 0x4057c
>
> Stephen Henson via RT wrote:
>
>> [[EMAIL PROTECTED] - Sat Feb 1 00:59:01 2003]:
>>
>>> $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
>>> Generating a 1024 bit RSA private key
>>> ++
>>> ..++
>>> writing new private key to 'privkey.pem'
>>> -
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -
>>> Country Name (2 letter code) [AU]:
>>> State or Province Name (full name) [Some-State]:
>>> Locality Name (eg, city) []:
>>> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
>>> Organizational Unit Name (eg, section) []:
>>> Common Name (eg, YOUR name) []:
>>> Email Address []:
>>
>> OK so that seems to work. Maybe it's just when x509 does it. Can you try:
>>
>> openssl req -new -nodes -out req.pem -rand /tmp/somefile
>>
>> then
>>
>> openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem
>>
>> if that second command dumps core then a stack trace under a debugger would help a lot.
>>
>> Thanks, Steve.

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154
RE: [openssl.org #474] Status Changed to: open
We found some serious build issues with the original submission (openssl-lunaca3-patch-0.9.7.tar.gz) and we are busy updating the patch. I expect the update will be necessary before this ticket is closed. Let me know when you have the chance to examine the update and/or if I should just post it.

Regards,
Steve Woloszyn
[openssl.org #475] [Fwd: patch to 0.9.7 -performacne]
As mentioned in ticket 489 (which is now closed), this ticket was not forgotten, it is waiting on the patch being submitted with a copy to the appropriate US agencies.

For the patch itself, I'm not sure about the location (or necessity) of _method_mod_n initialisation you've inserted - but I'll wait for the resubmission before analysing this properly (could just be me being obtuse and scanning the diff too quickly ...)

-- 
Geoff Thorpe, RT/openssl.org