Re: [CVS] OpenSSL: openssl/crypto/engine/ engine.h openssl/crypto/evp/c_a...

[Ben Laurie]

Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Sat,  1 Feb 2003 21:55:30 +0100 (CET), Ben Laurie [EMAIL PROTECTED] said:

ben   OpenSSL CVS Repository
ben   http://cvs.openssl.org/
ben   
ben 
ben   Server: cvs.openssl.org  Name:   Ben Laurie
ben   Root:   /e/openssl/cvs   Email:  [EMAIL PROTECTED]
ben   Module: openssl  Date:   01-Feb-2003 21:55:30
ben   Branch: HEAD Handle: 2003020120552900
ben 
ben   Modified files:
ben openssl/crypto/engine   engine.h
ben openssl/crypto/evp  c_all.c
ben 
ben   Log:
ben Fix warning.
ben 
ben   Summary:
ben RevisionChanges Path
ben 1.49+3  -0  openssl/crypto/engine/engine.h
ben 1.13+1  -0  openssl/crypto/evp/c_all.c
ben   
ben 
ben   patch -p0 '@@ .'
ben   Index: openssl/crypto/engine/engine.h
ben   
ben   $ cvs diff -u -r1.48 -r1.49 engine.h
ben   --- openssl/crypto/engine/engine.h	30 Jan 2003 17:39:21 -	1.48
ben   +++ openssl/crypto/engine/engine.h	1 Feb 2003 20:55:29 -	1.49
ben   @@ -685,6 +685,9 @@
ben * values. */
benvoid *ENGINE_get_static_state(void);
ben
ben   +#if defined(__OpenBSD__) || defined(__FreeBSD__)
ben   +void ENGINE_setup_bsd_cryptodev(void);
ben   +#endif
ben
ben/* BEGIN ERROR CODES */
ben/* The following lines are auto generated by the script mkerr.pl. Any changes

Hmm?  What warning do you get if something is declared but never
defined?

Huh? The warning is that it is called but not declared.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

patch to 0.9.7 -performacne

[David Brumley]

Hi,
I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but never heard
back.  Is this the wrong forum?

The patch is to rsa_eay.c (attached), which adds cacheing of the
montgomery context for n (in addition to p and q).  This patch improves
efficiency...normally the verify at the end of CRT does not use a cached
context.  In 0.9.7 right now, R^{-1} (Ri) for n must be recomputed on
every decryption, an expensive operation.

-david

--- rsa_eay.c.orig  2003-01-20 19:16:46.0 -0800
+++ rsa_eay.c   2003-01-20 19:17:54.0 -0800
@@ -533,6 +533,31 @@
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
+
+   if (rsa-_method_mod_n == NULL)
+   {
+   BN_MONT_CTX* bn_mont_ctx;
+   if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
+   goto err;
+   if (!BN_MONT_CTX_set(bn_mont_ctx,rsa-n,ctx))
+   {
+   BN_MONT_CTX_free(bn_mont_ctx);
+   goto err;
+   }
+   if (rsa-_method_mod_n == NULL) /* other thread may have 
+finished first */
+   {
+   CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+   if (rsa-_method_mod_n == NULL)
+   {
+   rsa-_method_mod_n = bn_mont_ctx;
+   bn_mont_ctx = NULL;
+   }
+   CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+   }
+   if (bn_mont_ctx)
+   BN_MONT_CTX_free(bn_mont_ctx);
+   }
+
}

if (!BN_mod(r1,I,rsa-q,ctx)) goto err;
@@ -565,7 +590,7 @@
 
if (rsa-e  rsa-n)
{
-   if (!rsa-meth-bn_mod_exp(vrfy,r0,rsa-e,rsa-n,ctx,NULL)) goto err;
+   if 
+(!rsa-meth-bn_mod_exp(vrfy,r0,rsa-e,rsa-n,ctx,rsa-_method_mod_n)) goto err;
/* If 'I' was greater than (or equal to) rsa-n, the operation
 * will be equivalent to using 'I mod n'. However, the result of
 * the verify will *always* be less than 'n' so we don't check

RE: [openssl.org #463] PATCH

[Shklover, Vladimir]

Maybe it will change when all legal issues are resolved, I hope.
For now, I want to be sure that all possible combinations for aix 
shared build are tested (so far successfully) and when corresponding
changes could be included into the next release? I hope everything is OK.

Vladimir

-Original Message-
From: Rich Salz via RT [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 22, 2003 11:15 AM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH



 2)Perhaps I did not make it clear but our policy is not to include 
 any cryptographic software directly into our applications.

You might want to reconsider this policy.  Do you expect much revenue 
from the banned country list?  Is it worth the development and support 
cost of keeping track with openssl versions?  Are you sure that you are 
not in violation if you say install openssl on your own?  (The answer 
to that last question *used* to be:  yes, you are in violation.  Now, I 
don't know.)

/r$
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #359] Calling SSL_read and SSL_write with non-empty error stack may cause an error

[Bodo Moeller]

Arne Ansper [EMAIL PROTECTED]:

 Like I say, they should only do this if there was an error reported, surely?

 No. Take a look at the SSL_CTX_use_certificate_chain_file:
 
 ret=SSL_CTX_use_certificate(ctx,x);
 if (ERR_peek_error() != 0)
 ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */

Actually I think this is a bug in SSL_CTX_use_certificate() -- if it
intentionally ignores an error returned by X509_check_private_key(),
it should call ERR_clear_error().

The reason why I did not fix this when I looked at this some time ago
is some rather weird code in ssl_set_cert(), the function used by
SSL_CTX_use_certificate() from which X509_check_private_key() is
called.  (If you look at ssl_set_cert(), you'll see that it switches
from SSL_PKEY_DH_RSA to SSKL_PKEY_DH_DSA and the other way around,
which does not appear to make much sense.)  Investigating this has
been on my to do list for a while.  Once this has been resolved,
the lines

 if (ERR_peek_error() != 0)
ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */

can be removed from SSL_CTX_use_certificate_chain_file().


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #479] support version independent upgrade

[Jim Sahaj]

Actually, I'd prefer that I wouldn't have to relink and redistribute my application 
every
time a security patch comes out for OpenSSL.  I haven't seen any issues in our 
application
upgrading from 0.9.6 to 0.9.7 using this non version technique on our local 
development nodes.

The version technique doesn't just prevent backward compatibility but it 
prevents users from getting potential security upgrades that *may* work
just fine.  It's definitely not a desirable distribution scenario as it sits now. 
It forces developers to do relinks and redistribute whether they're needed or not.

-Original Message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 2:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Jim Sahaj
Subject: Re: [openssl.org #479] support version independent upgrade 


In message [EMAIL PROTECTED] on Mon, 27 Jan 2003 22:40:24 
+0100 (MET),  via RT [EMAIL PROTECTED] said:

rt Currently, on many Unix platforms I link my application against 
rt libssl.so and libcrypto.so. Typically, these are links set to resolve 
rt down to the versioned types of these files, like libssl.so.0.9.7 and 
rt libcrypto.so.0.9.7.  The internal names of these shared objects 
rt include the major and minor version so even though I link against the 
rt shared objects without the version, such as libssl.so, my application 
rt becomes tied to the versioned shared objects at link time, for 
rt instance libssl.so.0.9.7.

There's a reason: until OpenSSL 1, we don't guarantee backward binary
compatibility.  There are technical reasons for this, like the need to
make changes to published structures (it may be argued that it
shouldn't be needed, but to achieve such flexibility, we either need
to hide them (which would require huge changes for everyone) or redo
them in such a way that they become rather generic) and other stuff.

Because of this, we're forced to do what we currently do with shared
libraries.  Perhaps you'd prefer that your applications crash
mysteriously and in an unrecoverable manner?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [CVS] OpenSSL: openssl/crypto/engine/ engine.hopenssl/crypto/evp/ c_a...

[Richard Levitte - VMS Whacker]

In message [EMAIL PROTECTED] on Sun, 02 Feb 2003 12:34:54 +, Ben 
Laurie [EMAIL PROTECTED] said:

ben Richard Levitte - VMS Whacker wrote:
ben  Hmm?  What warning do you get if something is declared but never
ben  defined?
ben 
ben Huh? The warning is that it is called but not declared.

Ah.  Sorry, my brain was apparently out for lunch or something.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #451] SX6 port

[Stephen Henson via RT]

[[EMAIL PROTECTED] - Sat Feb  1 00:59:01 2003]:

 $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
 Generating a 1024 bit RSA private key
 ++
 ..++
 writing new private key to 'privkey.pem'
 -
 You are about to be asked to enter information that will be
 incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or
 a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [AU]:
 State or Province Name (full name) [Some-State]:
 Locality Name (eg, city) []:
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:
 Email Address []:
 
 

OK so that seems to work. Maybe its just when x509 does it.

Can you try: 

openssl req -new -nodes -out req.pem -rand /tmp/somefile

then 

openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem

if that second command dumps core then a stack trace under a debugger
would help a lot.

Thanks, Steve.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

openssl req prompting behavior

[Joel Daniels]

The openssl req command, when set up to prompt for the Distinguished Name,
uses fgets() to read the Distinguished Name fields.  This means that if
someone uses the backspace key, a 0x08 character is inserted wherever they
typed the backspace key.  Would it be possible/easy to add support for the
GNU readline library to avoid this problem, at least on Linux machines?

   - Joel Daniels

P. S.  I am not on the openssl-dev list, so please CC me in on any replies.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[PATCH] version independent link on solaris

[Jim Sahaj]

The following allows for a version independent link on Solaris. Before, when I linked 
against libssl.so and libcrypto.so
there would be a dependency between libssl.so and libcrypto.so.0.9.7 because the 
dynamic section name contained 
the major and minor versions.
I removed the versions from the shared object's dynamic section names so that linking 
against the version independent
shared objects will work without any version dependencies.
-
diff -e old new
ed - Makefile.org  '-*-END-*-'
363c
-h lib$$i.so \
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #463] PATCH

[Shklover, Vladimir]

1)I checked env OBJECT_MODE=64 make in openssl-0.9.7-snapshot... for 2 cases:
  -automatically configured by  ./Configure aix64-cc ... shared,
   using *.exp files
  -when Makefile.org is modified to use -bautoexp instead of using
   *.exp files (the changes are the same which you asked for 32 bit)
   and then ./Configure aix64-cc ... shared is run 
In both cases static and shared libraries were successfully built.
As I said earlier, usual make can also work for aix64-cc, with *.exp
(ld -b64 -r -o ..., nm -X 64 ...) as well as with -bautoexp (I have already 
sent you corresponding changes). Now, whether you want to build by usual 
make, env OBJECT_MODE=64 make, with *.exp or -bautoexp, is up to you. 
Does it finally cover all possible combinations you wanted to test?

***Mainly for US based developers**

2)Perhaps I did not make it clear but our policy is not to include 
any cryptographic software directly into our applications. The reason 
is that one of the latest US laws prohibits exporting cryptography
to certain countries (especially those supporting terrorism). OpenSSL 
itself, as I understand, is legally OK for public availability because 
it is non-commersial and already posted on the Web. However, we are not
in the position to export it (although using it is always OK). This, 
in fact, is said in references from openssl README files

http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html 
http://w3.access.gpo.gov/bis/ear/pdf/740.pdf Section 740.13(e), p.25

Therefore, the acceptable legal solution for us is to build application 
which can use openssl but in such a way that the user himself would be 
responsible for installation of openssl, creating libssl.so  libcrypto.so 
which would then be dynamically loaded by our application. Those who started 
before the mentioned law was adopted, didn't have to worry at that time. 
Of course, you can say that openssl is accessible to everyone from the Web 
but that is another question because you are allowed to export your own, 
non-commersial product (although I am not a lawyer to give any legal 
conclusion). Maybe, we will add some addiditional measures which would not 
allow unauthorized users to use SSL in our software. Anyway, this our
policy based on the law and for now it remains in effect. Do I understand
that binary compatibility for shared libraries is expected since 1.0 release?

Vladimir

-Original Message-
From: Andy Polyakov via RT [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 21, 2003 3:14 PM
To: Shklover, Vladimir
Cc: [EMAIL PROTECTED]
Subject: Re: [openssl.org #463] PATCH



 1)I just got aix64-cc shared build succeed with -bautoexp. It was possible to
 modify Makefile pretty similar to aix43-cc.
  ^^ But the challenge is to construct the rule which can be
parametrized through configure line. But as already mentioned, I'd
appreciate if you could verify if 'env OBJECT_MODE=64 make' works with
snapshot configured with './Configure aix64-cc shared'.

 2)You are right, the version openssl-0.9.7 did not contain 0.9.7
 extention for aix but in my changes (which appear to be in snapshot
 version) I included these extentions to be consistent with other
 platforms where shared build contain these extention.

Right! Without access I'm bound to miss such things:-)

 I made experimental builds without extentions just for myself;
 I didn't send you such changes to Makefile. The reason I did that for
 myself is that if you link a module, say module.so with soname
  ^^ Does
AIX support soname or similar option? There was nothing of that sort in
ld manual page I've found on the web...

 libcrypto.so.0.9.6, you can not then dynamically load it with
 libcrypto.so.0.9.7.

And that is *intentional*! We don't want users to load 0.9.7 library
into an application originally linked with 0.9.6.

 (we are not physically including libssl.so...  libcrypto.so... into
 our software and SSL connection will work if the user installs openssl
 himself).

You should *not* rely on this and should consider providing copy of
shared libs with your application. Yes, it might appear a bit
meaningless, you could as well link it statically, but that's the way
it. Binary compatibility is *not* provided across OpenSSL releases and
interchanging .so modules *might* result in unpredictable result and it
will be hell to troubleshoot. A.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RSA Methods based on cyptoAPI

[Aonzo Emanuele]

Hi,
I'm trying to develop some RSA methods based on Microsoft CryptoAPI.
I need to know if exists some open source code or example for the
implementation of rsa_priv_enc and rsa_priv_dec unsing the private key on a
smart card.

Thank you very much
Emanuele
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[PATCH]shared objects for 64bit AIX

[Jim Sahaj]

The patch below builds shared objects for 64bit AIX for openssl097.
-
diff -e old new:
ed - Configure  '-*-END-*-'
443c
aix64-cc,   cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 
-q64::(unknown):::SIXTY_FOUR_BIT_LONG 
RC4_CHAR::dlfcn:aix64-shared::-b64::ranlib -X64:-X 64,
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #489] patch to 0.9.7 -performacne

[David Brumley via RT]

Hi,
I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but never heard
back.  Is this the wrong forum?

The patch is to rsa_eay.c (attached), which adds cacheing of the
montgomery context for n (in addition to p and q).  This patch improves
efficiency...normally the verify at the end of CRT does not use a cached
context.  In 0.9.7 right now, R^{-1} (Ri) for n must be recomputed on
every decryption, an expensive operation.

-david
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: patch to 0.9.7 -performacne

[Richard Levitte - VMS Whacker]

In message [EMAIL PROTECTED] on 23 Jan 2003 11:53:09 
-0800, David Brumley [EMAIL PROTECTED] said:

dbrumley I wrote awhile back about a patch to 0.9.7 in rsa_eay.c, but
dbrumley never heard back.  Is this the wrong forum?

It's in our RT database, it just hasn't been dealt with yet...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: RSA Methods based on cyptoAPI

[Dr. Stephen Henson]

On Fri, Jan 24, 2003, Aonzo Emanuele wrote:

 Hi,
 I'm trying to develop some RSA methods based on Microsoft CryptoAPI.
 I need to know if exists some open source code or example for the
 implementation of rsa_priv_enc and rsa_priv_dec unsing the private key on a
 smart card.
 

I've some private code that does this but nothing released.

CryptoAPI does not have an equivalent of rsa_priv_enc. It does however have an
equivalent to rsa_sign which you can get to in a roundabout way by creating
appopriate messages digest contexts and setting the digest value, then signing
the context. This will give you enough for general message digest signing
(e.g. S/MIME, certificate signing) and SSL client authentication.

rsa_priv_dec in theory is provided by CryptDecrypt() and this does work for
some CSPs: the enhanced CSP can handle this. However many smart card
CSPs do not implement the necessary functionality. Workarounds exist if
the CSP handles the conventional key exchange using CryptImportKey() provided
you want a standard key size.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #451] SX6 port

[Wendy Palm via RT]

Stephen Henson via RT wrote:

 [[EMAIL PROTECTED] - Sat Feb  1 00:59:01 2003]:
 
 
$ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
Generating a 1024 bit RSA private key
++
..++
writing new private key to 'privkey.pem'
-
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:



 
 OK so that seems to work. Maybe its just when x509 does it.
 
 Can you try: 
 
 openssl req -new -nodes -out req.pem -rand /tmp/somefile


$ ./openssl req -new -nodes -out req.pem -rand /tmp/somefile

Generating a 1024 bit RSA private key
++
..++
writing new private key to 'privkey.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


 
 then 
 
 openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem


$ ./openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem

Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Eric the Young
core dumping
Bus error (core dumped)


 if that second command dumps core then a stack trace under a debugger
 would help a lot.


will have to wait a bit.  i've never done that before and it's hiding the #$%!
core file.  i'll forward another email when i have one for you.




-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #451] SX6 port

[Wendy Palm via RT]

how's this?

*  0 getrn(lh = 0x000404092290, data = 0x00040409d930, rhash = 
0x00801a40), line 430 in lhash.c
1 lh_insert(lh = 0x000404092290, data = 0x00040409d930), line 189 in 
lhash.c
2 OBJ_add_object(obj = 0x000404088a00), line 253 in obj_dat.c
3 OBJ_create(oid = 0x40400c990 2.9.3, sn = 0x40400c9a0 SET.ex3, ln = 
0x40400c9b0 SET x509v3 extension 3), line 660 in obj_dat.c
4 x509_main(argc = 0, argv = 0x00800278), line 621 in x509.c
5 do_cmd(prog = 0x00040408e120, argc = 8, argv = 0x00800238), line 379 
in openssl.c
6 main(Argc = 8, Argv = 0x00800238), line 298 in openssl.c
7 _start(0x8, 0x800238, 0x800280) at 0x4057c


Stephen Henson via RT wrote:

 [[EMAIL PROTECTED] - Sat Feb  1 00:59:01 2003]:
 
 
$ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
Generating a 1024 bit RSA private key
++
..++
writing new private key to 'privkey.pem'
-
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:



 
 OK so that seems to work. Maybe its just when x509 does it.
 
 Can you try: 
 
 openssl req -new -nodes -out req.pem -rand /tmp/somefile
 
 then 
 
 openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem
 
 if that second command dumps core then a stack trace under a debugger
 would help a lot.
 
 Thanks, Steve.
 
 


-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #451] SX6 port

[Wendy Palm via RT]

i forgot to add-

dbx's message says:

SIGSEGV (absentee space fault) in getrn at line 430 in file lhash.c
couldn't read lhash.c

Wendy Palm wrote:

 how's this?
 
 *  0 getrn(lh = 0x000404092290, data = 0x00040409d930, rhash = 
 0x00801a40), line 430 in lhash.c
1 lh_insert(lh = 0x000404092290, data = 0x00040409d930), line 
 189 in lhash.c
2 OBJ_add_object(obj = 0x000404088a00), line 253 in obj_dat.c
3 OBJ_create(oid = 0x40400c990 2.9.3, sn = 0x40400c9a0 
 SET.ex3, ln = 0x40400c9b0 SET x509v3 extension 3), line 660 in 
 obj_dat.c
4 x509_main(argc = 0, argv = 0x00800278), line 621 in x509.c
5 do_cmd(prog = 0x00040408e120, argc = 8, argv = 
 0x00800238), line 379 in openssl.c
6 main(Argc = 8, Argv = 0x00800238), line 298 in openssl.c
7 _start(0x8, 0x800238, 0x800280) at 0x4057c
 
 
 Stephen Henson via RT wrote:
 
 [[EMAIL PROTECTED] - Sat Feb  1 00:59:01 2003]:


 $ ./openssl req -x509 -new -nodes -out sscert.pem -rand /tmp/somefile
 Generating a 1024 bit RSA private key
 ++
 ..++
 writing new private key to 'privkey.pem'
 -
 You are about to be asked to enter information that will be
 incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or
 a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [AU]:
 State or Province Name (full name) [Some-State]:
 Locality Name (eg, city) []:
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (eg, YOUR name) []:
 Email Address []:




 OK so that seems to work. Maybe its just when x509 does it.

 Can you try:
 openssl req -new -nodes -out req.pem -rand /tmp/somefile

 then
 openssl x509 -req -in req.pem -out sscert.pem -signkey privkey.pem

 if that second command dumps core then a stack trace under a debugger
 would help a lot.

 Thanks, Steve.


 
 


-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
[EMAIL PROTECTED], 651-605-9154

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [openssl.org #474] Status Changed to: open

[[EMAIL PROTECTED] via RT]

We found some serious build issues with the original submission
(openssl-lunaca3-patch-0.9.7.tar.gz) and we are busy updating the patch.  I
expect the update will be necessary before this ticket is closed.

Let me know when you have the chance to examine the update and/or if I
should just post it.


Regards,

Steve Woloszyn 

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #475] [Fwd: patch to 0.9.7 -performacne]

[Geoff Thorpe via RT]

As mentioned in ticket 489 (which is now closed), this ticket was not
forgotten, it is waiting on the patch being submitted with a copy to the
appropriate US agencies.

For the patch itself, I'm not sure about the location (or necessity) of
_method_mod_n initialisation you've inserted - but I'll wait for the
resubmission before analysing this properly (could just be me being
obtuse and scanning the diff too quickly ...)

-- 
Geoff Thorpe, RT/openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]