RE: Can't link a static library with custom OpenSSL rsa engine

2020-11-17 Thread Scott Neugroschl
You need to put the static library at the END of your link command.  A static 
library is searched when it is encountered in the link stream, and only the 
items needed will be used from it.

Because you have it first, there are no undefined symbols, and no items will be 
used from it.

From: openssl-users  On Behalf Of Shariful 
Alam
Sent: Tuesday, November 17, 2020 12:40 PM
To: openssl-users@openssl.org
Subject: Can't link a static library with custom OpenSSL rsa engine

Hello,
I have a custom rsa engine. It builds and works fine. Later, I have added a 
static library with my custom engine code. My code compiles. However, when I 
try to load the custom engine it shows invalid engine "rsa-engine-new".  The 
full error is given below,
x@x:~/Downloads/x/x/x/rsa_engine$ openssl rsautl -decrypt -inkey private.pem -in msg.enc -engine rsa-engine-new
invalid engine "rsa-engine-new"
140112744122112:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:119:filename(/opt/openssl/lib/engines-1.1/rsa-engine-new.so): /opt/openssl/lib/engines-1.1/rsa-engine-new.so: undefined symbol: dune_init
140112744122112:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
140112744122112:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:
140112744122112:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:334:id=rsa-engine-new
140112744122112:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:119:filename(librsa-engine-new.so): librsa-engine-new.so: cannot open shared object file: No such file or directory
140112744122112:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:162:
140112744122112:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414:

Now the error doesn't say much about the cause of invalid engine. However my 
guess is it is from the "undefined symbol: dune_init". "dune_init" is from the 
static library. Therefore I believe my linking is not working. I use the 
following Makefile to compile the engine,

rsa-engine: rsa/rsa.c rsa/bignum.c rsa/aes.c rsa/x509parse.c rsa/pem.c
	gcc -fPIC -o rsa/rsa.o -c rsa/rsa.c
	gcc -fPIC -o rsa/bignum.o -c rsa/bignum.c
	gcc -fPIC -o rsa/aes.o -c rsa/aes.c
	gcc -fPIC -o rsa/x509parse.o -c rsa/x509parse.c
	gcc -fPIC -o rsa/pem.o -c rsa/pem.c
	gcc -fPIC -c rsa-engine.c
	gcc -shared -o librsa_engine.so libdune/libdune.a -lcrypto rsa-engine.o rsa/rsa.o rsa/bignum.o rsa/aes.o rsa/x509parse.o rsa/pem.o
	mv librsa_engine.so rsa-engine-new.so
	sudo cp rsa-engine-new.so /opt/openssl/lib/engines-1.1/
clean:
	rm -f *.o rsa/*.o *.so rsa-engine

So, can anyone please tell me if my guess is correct or not? If my guess is 
correct, how can I fix my Makefile?

N.B: Static library

  *   libdune/libdune.a is in the same directory with the main rsa-engine.c
  *   libdune/libdune.a is compiled with -fPIC flag

Thanks,
Shariful
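
Added example (not part of the original thread): a shell script that reproduces the link-order effect described in the reply, using constructed stand-ins for rsa-engine.c and libdune.a. The names eng.c, dune.c and libeng_*.so are assumptions; only the symbol dune_init comes from the post. It also shows -Wl,--no-undefined, which turns the deferred load-time failure into a link-time error.

```shell
#!/bin/sh
# Constructed demo of static-archive link order. Needs cc, ar and nm (GNU ld assumed).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a one-function static library and an object that calls into it.
make_inputs() {
    cat > "$WORK/dune.c" <<'EOF'
int dune_init(void) { return 0; }
EOF
    cat > "$WORK/eng.c" <<'EOF'
int dune_init(void);
int bind_engine(void) { return dune_init(); }
EOF
    cc -fPIC -c "$WORK/dune.c" -o "$WORK/dune.o" &&
    cc -fPIC -c "$WORK/eng.c"  -o "$WORK/eng.o"  &&
    ar rcs "$WORK/libdune.a" "$WORK/dune.o"
}

# link_engine ORDER [extra cc flags...]
#   first: archive before the object that needs it (as in the posted Makefile)
#   last : archive after it (the ordering recommended in the reply)
link_engine() {
    order=$1; shift
    out="$WORK/libeng_$order.so"
    if [ "$order" = first ]; then
        cc -shared "$@" -o "$out" "$WORK/libdune.a" "$WORK/eng.o" 2>/dev/null
    else
        cc -shared "$@" -o "$out" "$WORK/eng.o" "$WORK/libdune.a" 2>/dev/null
    fi
}

# Succeeds if SYMBOL is still unresolved in the shared object's dynamic symbols.
is_undefined() {
    nm -D --undefined-only "$1" | grep -qw "$2"
}

if command -v cc >/dev/null 2>&1 && command -v ar >/dev/null 2>&1 &&
   command -v nm >/dev/null 2>&1 && make_inputs; then
    for o in first last; do
        link_engine "$o"
        if is_undefined "$WORK/libeng_$o.so" dune_init; then
            echo "archive $o: dune_init unresolved, loading the engine will fail"
        else
            echo "archive $o: dune_init resolved from libdune.a"
        fi
    done
    # With --no-undefined the bad ordering is rejected when the engine is built.
    link_engine first -Wl,--no-undefined ||
        echo "archive first + --no-undefined: rejected at link time"
fi
```

Running the same nm check on the built engine before copying it into the engines directory catches this class of error without having to load it.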


RE: Compiling for RISC-V

2020-03-09 Thread Scott Neugroschl

Is the “no-asm” configuration option still supported?

From: openssl-users  On Behalf Of Kristin 
Barber
Sent: Monday, March 9, 2020 12:03 PM
To: Richard Levitte 
Cc: openssl-users@openssl.org
Subject: Re: Compiling for RISC-V

Hi Richard, thanks for the reply. It was helpful.

You are correct, I was able to find a configuration that worked by passing the 
RISC-V compiler via "make variable" assignment, along with some relevant 
options.  Things start compiling, but the build fails on what seems to be 
architecture-specific assembly files which are selected based on which 
"platform" has been configured.  It did not seem to me that there were RISC-V 
assembly-specific files as an option here, and based on your reply, I think 
that is indeed the issue.  Am I understanding this correctly?

Thanks,

Kristin

On Mon, Mar 9, 2020 at 3:03 AM Richard Levitte <levi...@openssl.org> wrote:
On Mon, 09 Mar 2020 05:18:17 +0100,
Kristin Barber wrote:
> I've looked at the INSTALL docs, and it doesn't seem that RISC-V processors 
> are supported
> currently as a platform. Is this correct?

That is correct.  No one has implemented that support yet.

> Is there a branch which enables configuring for a RISC-V machine that hasn't 
> yet made it into a
> stable release?

Not that I know of.  Although, this same question has also been raised
on github (I forget the issue number).

> Any advice on where to look for information or changes to the build process 
> in order to compile
> for RISC-V?

The first thing to attempt is a generic build with no assembler.
There are some really simple config targets that could be a first
step, one of:

./Configure cc

./Configure gcc

A (pretty big) step up from that, at least if Linux is your target,
would be one of these:

./Configure linux-generic32

./Configure linux-generic64

Note that in either case, you may have to add C flags and ld flags,
which you can do in one of two ways:

1)  directly on the configuration command line, like this (Configure
makes an educated guess on what flags go where):

./Configure linux-generic64 -m64 -DWHATEVER=value -Wl,-something

2)  via "make variable" assignment:

./Configure linux-generic64 \
CPPFLAGS='-DWHATEVER=value' \
CFLAGS='-m64' \
LDFLAGS='-Wl,-something'

At some point, you might find a combination that works for you.  We
would definitely like to know what you figure out, and it may be that
the result makes it into our database of config targets (which, if
you're curious, are the files Configurations/*.conf).

Now, configuration is the easy bit when it comes to new CPUs,
relatively speaking.  I assume that part of your question is whether
there is assembler support.  This is the hard part in terms of
effort.  We currently have no such thing at all for RISC-V, and I
haven't seen any attempts to start such an effort...  PRs would
certainly be welcome, but anyone who tries this will have to be
prepared for it to take a while to get into the main source.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project 
http://www.openssl.org/~levitte/


RE: OpenSSL Security Advisory

2019-02-27 Thread Scott Neugroschl
Thanks.

-Original Message-
From: openssl-users  On Behalf Of Matt 
Caswell
Sent: Wednesday, February 27, 2019 11:18 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL Security Advisory



On 27/02/2019 18:43, Scott Neugroschl wrote:
> Is this a client-side or server-side vulnerability?  Or does it matter?

It can apply to either side.

Matt




RE: OpenSSL Security Advisory

2019-02-27 Thread Scott Neugroschl
Is this a client-side or server-side vulnerability?  Or does it matter?

Thanks,

ScottN

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |




-Original Message-
From: openssl-users  On Behalf Of OpenSSL
Sent: Tuesday, February 26, 2019 6:59 AM
To: openssl-proj...@openssl.org; OpenSSL User Support ML 
; OpenSSL Announce ML 
Subject: OpenSSL Security Advisory

OpenSSL Security Advisory [26 February 2019]
============================================

0-byte record padding oracle (CVE-2019-1559)
============================================

Severity: Moderate

If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) 
then OpenSSL can respond differently to the calling application if a 0 byte 
record is received with invalid padding compared to if a 0 byte record is 
received with an invalid MAC. If the application then behaves differently based 
on that in a way that is detectable to the remote peer, then this amounts to a 
padding oracle that could be used to decrypt data.

In order for this to be exploitable "non-stitched" ciphersuites must be in use.
Stitched ciphersuites are optimised implementations of certain commonly used 
ciphersuites. Also the application must call SSL_shutdown() twice even if a 
protocol error has occurred (applications should not do this but some do 
anyway).

This issue does not impact OpenSSL 1.1.1 or 1.1.0.

OpenSSL 1.0.2 users should upgrade to 1.0.2r.

This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, 
with additional investigation by Steven Collison and Andrew Hourselt. It was 
reported to OpenSSL on 10th December 2018.

Note
====

OpenSSL 1.0.2 and 1.1.0 are currently only receiving security updates. Support 
for 1.0.2 will end on 31st December 2019. Support for 1.1.0 will end on 11th 
September 2019. Users of these versions should upgrade to OpenSSL 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190226.txt

Note: the online version of the advisory may be updated with additional details 
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html


Re: [openssl-users] How to use a specific ip interface while testing TLS/SSL connectivity.

2019-02-11 Thread Scott Neugroschl
Hi Rajinder,

Have you tried the “socket_transport_name_set” call in your main program?

ScottN



From: openssl-users  On Behalf Of Rajinder 
Pal Singh
Sent: Friday, February 08, 2019 12:54 PM
To: m...@foocrypt.net
Cc: openssl-users 
Subject: Re: [openssl-users] How to use a specific ip interface while testing 
TLS/SSL connectivity.

Thanks Mark for the prompt reply. Absolutely makes sense. Actually, I am on 
Nonstop HPE servers. There are no internal routing tables or so to say static 
routes. Environment is different from unix/linux.

From Application perspective, we choose what ip interface to use.

Wondering if we can force the openssl to use specific interface?

Regards.


On Fri, Feb 8, 2019, 12:26 PM m...@foocrypt.net wrote:
Hi Rajinder

There shouldn’t be any issues depending on how your host OS is performing the 
routing to the network the SSL/TLS endpoint is on.

Try a traceroute to the IP to see where it goes, and a telnet IP 80 or 443 to 
make sure you can connect to the web server.

—

Regards,

Mark A. Lane




On 9 Feb 2019, at 04:20, Rajinder Pal Singh <rajin6...@gmail.com> wrote:

Hi,

I want to use a specific ip interface (out of several available ethernet 
interfaces available on my server) to test TLS/SSL connectivity to a remote 
server.

Wondering if it's possible?


Regards,
Rajinder.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



Re: [openssl-users] Certificate format question?

2018-09-25 Thread Scott Neugroschl
Steffen Nurpmeso, Tuesday, September 25, 2018 11:57 AM


> The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
>base64 characters" makes me wonder.  

The relevant clause is a few sentences up: "Data before the encapsulation 
boundaries are permitted, and parsers MUST NOT malfunction when processing 
such data."




Re: [openssl-users] Certificate format question?

2018-09-25 Thread Scott Neugroschl



>On Sept 24, 2018, at 3:55 PM, Viktor Dukhovni wrote:
>> On Sep 24, 2018, at 6:25 PM, Scott Neugroschl wrote:
>>
>> I tried googling, but couldn’t find an answer to this…
>>
>> I came across a certificate that had some text garbage before the BEGIN
>> CERTIFICATE line.
>>
>> I know that the cert is defined as the data between the delimiters.  Do the
>> specs say anything about data before the BEGIN
>> delimiter?  Would a certificate with such data be valid?  I know OpenSSL
>> accepts such a cert, but is this an extension, or is it
>> explicitly permitted by the standards/specifications?
>
>https://tools.ietf.org/html/rfc7468#section-2

Thanks, Viktor, appreciated.



[openssl-users] Certificate format question?

2018-09-24 Thread Scott Neugroschl
I tried googling, but couldn't find an answer to this...

I came across a certificate that had some text garbage before the  BEGIN 
CERTIFICATE  line.

I know that the cert is defined as the data between the delimiters.  Do the 
specs say anything about data before the BEGIN delimiter?  Would a certificate 
with such data be valid?  I know OpenSSL accepts such a cert, but is this an 
extension, or is it explicitly permitted by the standards/specifications?

Thanks



Re: [openssl-users] PRNG is not seeded

2018-05-30 Thread Scott Neugroschl


> Either way, trying to use OpenSSL's PRNGD to seed OpenSSL's PRNGD is an 
> exercise in futility.

Oh, I agree on that.  




Re: [openssl-users] PRNG is not seeded

2018-05-30 Thread Scott Neugroschl
>>> I’m using PRNGD to seed my random numbers (I’m on a system without
>>> /dev/random and /dev/urandom).   I occasionally get the dreaded “PRNG is
>>> not seeded” error.
>>
>> I don’t know your OS or environment, have you tried the ‘openssl rand’
>> functionality as a random source to seed your entropy issues ?
>
>Where would openssl rand be getting its entropy from, in this case? You have a 
>circular dependency: openssl needs entropy, so it tries to get it from PRNGD; 
>and you're asking openssl to put entropy into PRNGD.
>
>> perhaps rather than pseudo random, try a hardware device ?
>
>Now, this is a case where you might use openssl rand, in conjunction with 
>engine, to get entropy from another source. That could be a useful hack if you 
>can't easily change PRNGD or the application to read entropy from the device.
>
>For example, I think I successfully used openssl with the pkcs11 engine to get 
>entropy from a NitroKey device a couple of years back, when I was playing 
>around with cheap HSMs.
>
>Whether something like the NitroKey (which is an inexpensive USB-attached HSM 
>in a thumbdrive form factor) would be useful in this case is something Scott 
>would have to determine.
>
>If it is, it'd be cleaner if he could change the application to load the 
>pkcs11 engine and use its RNG directly, or at least get entropy from it to 
>seed OpenSSL's PRNG.
>
>>> I know this is caused by a lack of available entropy in the system; 
>>> but what can I do to address this?  Is it just a matter of waiting 
>>> until enough entropy has been collected?  Is there any kind of workaround?
>
>Depends on what sources PRNGD uses (I haven't looked), what the device is, 
>what the application is... If the device has sensors you can read, you might 
>be able to gather some entropy by reading noise from them (though this is 
>somewhat fraught - you don't want to overestimate the amount of entropy, and 
>both sensors and sensor APIs are often vulnerable to attack).
>
>Sometimes applications ask users to generate some entropy by asking them to  
>bang on the keyboard or wiggle the mouse, or that sort of thing. Again, it 
>really depends on what your device and application are.
>
>This topic is discussed at some length in the technical literature; see for 
>example section 3 of RFC 4086.
>

The platform in question is an HPE NonStop.




[openssl-users] PRNG is not seeded

2018-05-29 Thread Scott Neugroschl
Hi,

I'm using PRNGD to seed my random numbers (I'm on a system without /dev/random 
and /dev/urandom).   I occasionally get the dreaded "PRNG is not seeded" error.

I know this is caused by a lack of available entropy in the system; but what 
can I do to address this?  Is it just a matter of waiting until enough entropy 
has been collected?  Is there any kind of workaround?

Thanks

ScottN



Re: [openssl-users] CVE-201-0737

2018-04-16 Thread Scott Neugroschl

On 16/04/18 0935PDT, Matt Caswell wrote:
>On 16/04/18 16:59, Scott Neugroschl wrote:
>> Hi,
>> 
>> I'm trying to make sure I have grokked this advisory properly.
>> 
>> The advisory says this is a cache timing side channel attack on key 
>> generation.   So am I correct in assuming that a potential attacker must
>> 
>> 1) Already have access to the system
>> 2) Have sufficient privilege to be able to access cache info
>
>Correct.

Thanks, Matt!


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |





[openssl-users] CVE-201-0737

2018-04-16 Thread Scott Neugroschl
Hi,

I'm trying to make sure I have grokked this advisory properly.

The advisory says this is a cache timing side channel attack on key generation. 
  So am I correct in assuming that a potential attacker must

1) Already have access to the system
2) Have sufficient privilege to be able to access cache info

Or am I completely mistaken here?

Thanks,

ScottN

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |





Re: [openssl-users] Vanilla OpenSSL uses systems libs

2018-03-13 Thread Scott Neugroschl
Set LD_LIBRARY_PATH to use your compiled versions.

-Original Message-
From: openssl-users  On Behalf Of 
e...@coderhacks.com
Sent: Tuesday, March 13, 2018 3:46 PM
To: openssl-users@openssl.org
Subject: [openssl-users] Vanilla OpenSSL uses systems libs

Hi!

I put a vanilla OpenSSL in a local folder and compiled it.

./config no-shared
make

I will not do a "make install" because I will keep my distros installation.
But I will use the vanilla for tests. So I need the binary as well as the libs.

After a ldd I see that the apps/openssl as well as the libssl and libcrypto 
use the systems OpenSSL-libs instead of the one I just compiled.

Is there an option so the makefile will produce binaries out of its own libs 
instead of the systems?

Thanks!





Re: [openssl-users] Certificate Comparison

2017-09-19 Thread Scott Neugroschl
How about saving the received cert as a PEM file and comparing the two?

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Yan, Bob via openssl-users
Sent: Tuesday, September 19, 2017 10:53 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Certificate Comparison

Hi All,

I need to compare a received certificate object with a PEM-formatted 
certificate stored at local file system. Is there any openssl library functions 
or an easy way to compare these two certificates?

Thank you very much!
Bob
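
Added example (not part of the original threads): a shell sketch for the "save it as PEM and compare" suggestion above, written so that it tolerates the text before the BEGIN boundary that RFC 7468 permits, as discussed in the "Certificate format question?" thread. The function names pem_cert_b64 and same_cert, the file names and the base64 bodies are constructed for illustration; the bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Constructed demo: compare two PEM certificates by their encapsulated body,
# ignoring leading text, line wrapping and CR/LF differences.

# pem_cert_b64 FILE: print the base64 body of the first CERTIFICATE block as
# one line. Exit status 1 if no complete BEGIN/END pair (or no body) is found.
pem_cert_b64() {
    awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { if (!done) inside = 1; next }
        /^-----END CERTIFICATE-----[ \t\r]*$/   { if (inside) { inside = 0; done = 1 }; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }   # drop wrapping and CRs
        END    { if (!done || body == "") exit 1; print body }
    ' "$1"
}

# same_cert A B: 0 = same body, 1 = different, 2 = one file has no usable block.
same_cert() {
    a=$(pem_cert_b64 "$1") || return 2
    b=$(pem_cert_b64 "$2") || return 2
    [ "$a" = "$b" ]
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Placeholder bodies (constructed, base64 alphabet only).
B1A=Q09OU1RSVUNURUQtU0FNUExF
B1B=LUJPRFktTk9ULUEtUkVBTC1DRVJU
B2=QU5PVEhFUi1DT05TVFJVQ1RFRC1TQU1QTEUtQk9EWS0wMDAwMDAw

# Clean file: LF line endings, body wrapped over two lines.
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$B1A" "$B1B" \
    '-----END CERTIFICATE-----' > "$SAMPLES/clean.pem"
# Same body, but with text before the boundary, CRLF endings and no wrapping.
printf 'Bag Attributes\nsubject=CN = example.test (constructed)\n\n-----BEGIN CERTIFICATE-----\r\n%s\r\n-----END CERTIFICATE-----\r\n' \
    "$B1A$B1B" > "$SAMPLES/noisy.pem"
# Different body.
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$B2" \
    '-----END CERTIFICATE-----' > "$SAMPLES/other.pem"
# Truncated file: BEGIN without END must be rejected, not silently compared.
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$B1A" > "$SAMPLES/truncated.pem"

cmp -s "$SAMPLES/clean.pem" "$SAMPLES/noisy.pem" ||
    echo "byte compare: clean.pem and noisy.pem differ"
same_cert "$SAMPLES/clean.pem" "$SAMPLES/noisy.pem" &&
    echo "body compare: clean.pem and noisy.pem carry the same certificate body"
same_cert "$SAMPLES/clean.pem" "$SAMPLES/other.pem" ||
    echo "body compare: clean.pem and other.pem differ"
```

This compares the base64 text, which matches a DER comparison only for canonically encoded files; where the openssl tool is available, comparing the output of "openssl x509 -noout -fingerprint -sha256 -in FILE" for both files compares the decoded certificate instead.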



Re: [openssl-users] SMIME -sign subcommand

2017-09-07 Thread Scott Neugroschl
Run it in a debugger?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Carlos Caraccia
Sent: Thursday, September 07, 2017 5:02 AM
To: openssl-users@openssl.org
Subject: [openssl-users] SMIME -sign subcommand

Hello, is there a way to debug or watch line by line which functions are 
executed when I run this command:

openssl smime -sign -signer certificadoWSASS.cer -inkey MiClave -out ticket.xml.cms -in Ticket.xml -outform PEM -nodetach

I know I can see the smime.c here

/apps

I want to know how to compile if it is possible to compile it and to run it in 
Xcode and watch step by step the functions involved.

Thanks

Carlos


Re: [openssl-users] Dumb question about DES

2017-05-11 Thread Scott Neugroschl
So if I'm using 1.0.2, and want to deprecate 3DES, I need to do that as part of 
my build?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Scott Neugroschl
Sent: Thursday, May 11, 2017 11:13 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Dumb question about DES

OK.  Are the 3DES CBC ciphers still part of DEFAULT?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Benjamin Kaduk via openssl-users
Sent: Thursday, May 11, 2017 9:18 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Dumb question about DES

Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... 
well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the 
"40 and 56 bit cipher support removed from libssl" item in the release notes), 
though the raw crypto primitives remain in libcrypto.

-Ben
On 05/11/2017 11:07 AM, Scott Neugroschl wrote:
Has DES been deprecated in OpenSSL?  If so, what release?  In particular the 
following ciphers


  0.19 EDH-DSS-DES-CBC3-SHA

  0.22 EDH-RSA-DES-CBC3-SHA

192.13 ECDH-RSA-DES-CBC3-SHA

192.3  ECDH-ECDSA-DES-CBC3-SHA

192.18 ECDHE-RSA-DES-CBC3-SHA

192.8  ECDHE-ECDSA-DES-CBC3-SHA



---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |






Re: [openssl-users] Dumb question about DES

2017-05-11 Thread Scott Neugroschl
OK.  Are the 3DES CBC ciphers still part of DEFAULT?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Benjamin Kaduk via openssl-users
Sent: Thursday, May 11, 2017 9:18 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Dumb question about DES

Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... 
well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the 
"40 and 56 bit cipher support removed from libssl" item in the release notes), 
though the raw crypto primitives remain in libcrypto.

-Ben
On 05/11/2017 11:07 AM, Scott Neugroschl wrote:
Has DES been deprecated in OpenSSL?  If so, what release?  In particular the 
following ciphers


  0.19 EDH-DSS-DES-CBC3-SHA

  0.22 EDH-RSA-DES-CBC3-SHA

192.13 ECDH-RSA-DES-CBC3-SHA

192.3  ECDH-ECDSA-DES-CBC3-SHA

192.18 ECDHE-RSA-DES-CBC3-SHA

192.8  ECDHE-ECDSA-DES-CBC3-SHA



---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |







[openssl-users] Dumb question about DES

2017-05-11 Thread Scott Neugroschl
Has DES been deprecated in OpenSSL?  If so, what release?  In particular the 
following ciphers


  0.19 EDH-DSS-DES-CBC3-SHA

  0.22 EDH-RSA-DES-CBC3-SHA

192.13 ECDH-RSA-DES-CBC3-SHA

192.3  ECDH-ECDSA-DES-CBC3-SHA

192.18 ECDHE-RSA-DES-CBC3-SHA

192.8  ECDHE-ECDSA-DES-CBC3-SHA



---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |




Re: [openssl-users] Should openssl publish the commit #'s that fixed each CVE?

2017-01-26 Thread Scott Neugroschl
The CVE itself contains the commit info.  Find it at cve.mitre.org

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Ethan Rahn
Sent: Thursday, January 26, 2017 10:40 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Should openssl publish the commit #'s that fixed each 
CVE?

Hello,

When looking at the latest security announcement, something that I notice is 
that it's hard to find the actual commits that fixed an issue. If you search 
git.openssl.org you can find some of them if they are 
mentioned in the change message, but it still requires some active effort.

Would it be a good idea for openssl to publish the commit(s) that fixed each 
CVE? It would make it easier to see what changed, which is great for
a.) backporting.
b.) satisfying curiosity of armchair cryptographers.
c.) better assessing an issue.

Cheers,

Ethan


Re: [openssl-users] Enabling FIPS on an custom embedded system.

2016-10-26 Thread Scott Neugroschl
No.   You can check with the OpenSSH mailing list, but I’m pretty darned sure 
the answer is no.


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |





From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Eric Tremblay
Sent: Wednesday, October 26, 2016 3:06 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Enabling FIPS on an custom embedded system.

Hi Steve,

Thanks for the quick reply.

That is what I had understood from my reading but wasn't sure.

My next question is about OpenSSH.  There is no official support in OpenSSH for 
FIPS at the moment right ?

Thanks

Eric



On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <marqu...@openssl.com> wrote:
On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> Hi all,
>
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.
>
> We need FIPS to be enabled « Platform wide » not just for one
> application.
>
> I have read the documentation and search on the web for answer but it
> seem that I would have
> to modify a package or write a small application just to enable FIPS.
>
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?
>
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.
>
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.
>
> Thanks
>
> Eric
>


Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that
platform.

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[openssl-users] Disable a cipher suite in openssl.cnf?

2016-09-23 Thread Scott Neugroschl
Hi,

I'm afraid the man page on the conf file is not particularly clear.   I'm 
looking at mitigating CVE-2016-2183 (SWEET32), and am not sure how to disable 
the DES and 3DES suites in the conf file.
Can someone give me a hand?


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Building OpenSSL 1.0.1t without tls1.1 support?

2016-08-22 Thread Scott Neugroschl

I've done a custom build of OpenSSL where I ran Configure with "no-ssl2" and 
"no-ssl3".  I'd like to disable TLS1 and 1.1 if possible.  Will the no-tls1 
option disable just TLS1 or all TLS1.x protocols?

Thanks,

ScottN



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] CVE-2016-2177

2016-08-12 Thread Scott Neugroschl
CVE 2016-2177 notes that it applies to all versions up to 1.0.2h.   Does this 
mean that the fix is not applied to the 1.0.1 series (in particular 1.0.1t)?


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Error building 1.0.1t with no-srp

2016-07-06 Thread Scott Neugroschl
I'm building 1.0.1t with the no-srp option.  When I do, I get the following 
error

making all in ssl...
make[1]: Entering directory `/users/scottn/openssl-1.0.1t/ssl'
make[1]: *** No rule to make target `../include/openssl/srp.h', needed by 
`tls_srp.o'.  Stop.

Anyone else build without SRP?  Anyone have suggestions?
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Scott Neugroschl
I believe that's specific to the servers in question.  Often you can "restart" 
a server by giving it a SIGHUP.  I don't know if slapd and slurpd will respond 
in the way you want.


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jordan Brown
Sent: Wednesday, May 18, 2016 10:44 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Reload certificates?


We have OpenSSL consumers (primarily but not exclusively OpenLDAP).  Some of 
them are long-running processes.

We'd like to be able to update the list of trusted certificates and have the 
changes take effect, without needing to restart those long-running processes 
and preferably without needing to interact with them in any way.

It *looks* like the "file" style of certificate store is loaded once only, at 
the time it's specified, and never reloaded again for the life of a particular 
SSL context.  Similarly, it looks like in the "directory" style of certificate 
store once a particular certificate has been loaded, it's never unloaded, even 
if the underlying file is deleted.  It looks like the only way to see changes 
(and especially deletions) is to create a new SSL context.  In addition to the 
difficulty of getting middleware to do that, it seems like the middleware would 
need to either watch the files and directories on its own, or always create new 
SSL contexts for new connections, or something else similarly intrusive.

Is there something I'm missing?

Would it be reasonable to have OpenSSL watch the metadata on the file or 
directory and, on change, discard cached certificates and, for a file, reload 
the file?

--

Jordan Brown, Oracle Solaris


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Spam

2016-04-19 Thread Scott Neugroschl
Can the spam filters on the listserv be updated?   Got two today in Spanish and 
Portuguese for monetary scams.  Anyone else getting these?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] help on des_cblock

2016-03-19 Thread Scott Neugroschl
I suspect the use of std::string and c_str().  Use a std::vector instead.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jason Qian
Sent: Friday, March 18, 2016 1:19 PM
To: openssl-users@openssl.org
Subject: [openssl-users] help on des_cblock

I am new to OpenSSL and have run into an issue; I need some help.


In our application, the client and server perform a Diffie-Hellman key exchange 
and then encrypt the data. The client is written in C++ (using OpenSSL), and the 
server is in Java.

Most of the time, it is running correctly, but occasionally the server (Java) 
throws a "Given final block not properly padded" exception.

I added more logging on both sides. When the exception happens, the keys are 
offset by one (in the working case, they are the same).


Server -- java  get from getEncoded()

DES Key  size (8)(1,-83,-113,-74,-77,109,84,88)

Client -- openSSL  get from des_cblock struct

DES Key  size (8)   (-83,-113,-74,-77,109,84,88,8)

Thanks
Jason

Here is the C++ code

void DiffieHellmanCipher::init(const std::string &Y) {
    if (Y.length() == 0) {
        return;
    }
    if (m_DH == NULL) {
        return;
    }

    // convert the Y to BIGNUM
    BIGNUM *bnY = NULL;
    // Memory for bnY is allocated in BN_dec2bn call.
    if (!BN_dec2bn(&bnY, Y.c_str())) {
        if (bnY)
            BN_free(bnY);
        printf("Could not convert Diffie-Hellman Y value to BIGNUM");
        return;  // do not go on with an unusable peer value
    }

    // compute the secret key
    int dhSize = DH_size(m_DH);
    unsigned char *secretKey = (unsigned char*) new char[dhSize + 1];
    int secretKeyLen = DH_compute_key(secretKey, bnY, m_DH);
    BN_free(bnY);

    if (secretKeyLen < 8) {
        delete [] secretKey;
        printf("Error computing secret key: key length is too short");
        return;  // secretKey has been freed; stop here
    }

    // convert from raw form to odd parity DES key
    des_cblock desKey;
    memcpy(desKey, secretKey, 8);
    delete [] secretKey;
    DES_set_odd_parity(&desKey);

    // just print out des_cblock
    secretKeyString = "(";
    char ch[10] = "\0";
    for (int i = 0; i < 8; i++) {
        sprintf(ch, "%d", (char)desKey[i]);
        secretKeyString += ch;
        if (i != 7) {
            secretKeyString += ",";
        }
    }
    secretKeyString += ")";

    int skRet;
    if ((skRet = DES_set_key(&desKey, &m_DESKey)) != 0) {
        // secretKey was already freed above, so it is not deleted again here
        printf("Error computing secret key: generated key is weak");
        return;
    }

    m_bInited = true;
}
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] help on des_cblock

2016-03-18 Thread Scott Neugroschl
My mistake.  I was reading the calls backwards.  The use of c_str() there is 
fine.  Ignore my previous comment.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jason Qian
Sent: Friday, March 18, 2016 2:34 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] help on des_cblock

Thanks,
Jason

On Fri, Mar 18, 2016 at 4:23 PM, Scott Neugroschl 
<scot...@xypro.com> wrote:
I suspect the use of std::string and c_str().  Use a std::vector instead.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jason Qian
Sent: Friday, March 18, 2016 1:19 PM
To: openssl-users@openssl.org
Subject: [openssl-users] help on des_cblock

I am new to OpenSSL and have run into an issue; I need some help.


In our application, the client and server perform a Diffie-Hellman key exchange 
and then encrypt the data. The client is written in C++ (using OpenSSL), and the 
server is in Java.

Most of the time, it is running correctly, but occasionally the server (Java) 
throws a "Given final block not properly padded" exception.

I added more logging on both sides. When the exception happens, the keys are 
offset by one (in the working case, they are the same).


Server -- java  get from getEncoded()

DES Key  size (8)(1,-83,-113,-74,-77,109,84,88)

Client -- openSSL  get from des_cblock struct

DES Key  size (8)   (-83,-113,-74,-77,109,84,88,8)
Thanks
Jason

Here is the C++ code

void DiffieHellmanCipher::init(const std::string &Y) {
    if (Y.length() == 0) {
        return;
    }
    if (m_DH == NULL) {
        return;
    }

    // convert the Y to BIGNUM
    BIGNUM *bnY = NULL;
    // Memory for bnY is allocated in BN_dec2bn call.
    if (!BN_dec2bn(&bnY, Y.c_str())) {
        if (bnY)
            BN_free(bnY);
        printf("Could not convert Diffie-Hellman Y value to BIGNUM");
        return;  // do not go on with an unusable peer value
    }

    // compute the secret key
    int dhSize = DH_size(m_DH);
    unsigned char *secretKey = (unsigned char*) new char[dhSize + 1];
    int secretKeyLen = DH_compute_key(secretKey, bnY, m_DH);
    BN_free(bnY);

    if (secretKeyLen < 8) {
        delete [] secretKey;
        printf("Error computing secret key: key length is too short");
        return;  // secretKey has been freed; stop here
    }

    // convert from raw form to odd parity DES key
    des_cblock desKey;
    memcpy(desKey, secretKey, 8);
    delete [] secretKey;
    DES_set_odd_parity(&desKey);

    // just print out des_cblock
    secretKeyString = "(";
    char ch[10] = "\0";
    for (int i = 0; i < 8; i++) {
        sprintf(ch, "%d", (char)desKey[i]);
        secretKeyString += ch;
        if (i != 7) {
            secretKeyString += ",";
        }
    }
    secretKeyString += ")";

    int skRet;
    if ((skRet = DES_set_key(&desKey, &m_DESKey)) != 0) {
        // secretKey was already freed above, so it is not deleted again here
        printf("Error computing secret key: generated key is weak");
        return;
    }

    m_bInited = true;
}


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
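
The two key dumps in the thread above fit a leading-zero effect: DH_compute_key() returns the shared secret with leading zero bytes stripped, so when the top byte is 0x00 the first 8 bytes taken for the DES key shift by one relative to a peer that keeps the full-width value (the Java dump starts with 1, which is 0x00 with the parity bit set). The C program below is an added example, not code from the thread; it makes no OpenSSL calls, and FIELD_LEN, the function names and the 16-byte secret built around the logged bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16 /* constructed stand-in for DH_size(dh) */

/* Constructed shared secret whose top byte is zero. Bytes 1..8 are the
 * values from the client-side log in the thread, written as unsigned. */
static const unsigned char FULL_SECRET[FIELD_LEN] = {
    0x00, 0xAD, 0x8F, 0xB6, 0xB3, 0x6D, 0x54, 0x58,
    0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
};

/* Force odd parity on each byte via its low bit, as DES keys require. */
static void set_odd_parity(unsigned char key[8])
{
    for (int i = 0; i < 8; i++) {
        unsigned char b = key[i] & 0xFE;
        int ones = 0;
        for (int bit = 1; bit < 8; bit++)
            ones += (b >> bit) & 1;
        key[i] = (unsigned char)(b | ((ones % 2 == 0) ? 1 : 0));
    }
}

/* Copy `full` without its leading zero bytes, the way a stripped DH
 * result arrives. Returns the number of bytes written to `out`. */
static size_t strip_leading_zeros(const unsigned char *full, size_t len,
                                  unsigned char *out)
{
    size_t skip = 0;
    while (skip < len && full[skip] == 0)
        skip++;
    memcpy(out, full + skip, len - skip);
    return len - skip;
}

/* Left-pad a stripped secret with zeros to the fixed field width. */
static int left_pad(const unsigned char *raw, size_t raw_len,
                    unsigned char *out, size_t field_len)
{
    if (raw_len > field_len)
        return -1;
    memset(out, 0, field_len - raw_len);
    memcpy(out + (field_len - raw_len), raw, raw_len);
    return 0;
}

/* Take the first 8 bytes of `secret` as a DES key and fix the parity. */
static int des_key_from(const unsigned char *secret, size_t len,
                        unsigned char key[8])
{
    if (len < 8)
        return -1;
    memcpy(key, secret, 8);
    set_odd_parity(key);
    return 0;
}

/* What the posted client effectively does: key from the stripped secret. */
int client_key_unpadded(unsigned char key[8])
{
    unsigned char raw[FIELD_LEN];
    size_t raw_len = strip_leading_zeros(FULL_SECRET, FIELD_LEN, raw);
    return des_key_from(raw, raw_len, key);
}

/* Same secret, padded back to FIELD_LEN before the key bytes are taken. */
int client_key_padded(unsigned char key[8])
{
    unsigned char raw[FIELD_LEN], padded[FIELD_LEN];
    size_t raw_len = strip_leading_zeros(FULL_SECRET, FIELD_LEN, raw);
    if (left_pad(raw, raw_len, padded, FIELD_LEN) != 0)
        return -1;
    return des_key_from(padded, FIELD_LEN, key);
}

/* Print a key as signed bytes, matching the log format in the thread. */
static void print_key(const char *label, const unsigned char key[8])
{
    printf("%s (", label);
    for (int i = 0; i < 8; i++)
        printf("%d%s", (signed char)key[i], i == 7 ? ")\n" : ",");
}

int main(void)
{
    unsigned char k[8];
    if (client_key_unpadded(k) == 0)
        print_key("unpadded:", k);
    if (client_key_padded(k) == 0)
        print_key("padded:  ", k);
    return 0;
}
```

With OpenSSL 1.0.2 or later, DH_compute_key_padded() returns the fixed-width form directly, so no manual padding is needed.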


Re: [openssl-users] Trouble compiling in version 0.9.8h

2016-03-09 Thread Scott Neugroschl
0.9.8h…. REALLY The latest is 0.9.8zh.  And on top of that 0.9.8 got EOL’ed 
as of the beginning of the year.
Can you update to 1.0.1?  (Latest is 1.0.1q).

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Luiz Laranjeira
Sent: Sunday, December 27, 2015 7:02 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Trouble compiling in version 0.9.8h

I am getting the errors below. Anyone can help?

Line 282 of file pkcs7.h = DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)

1>-- Build started: Project: OpenSSL, Configuration: Debug Win32 --
1>  tls_srp.c
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2055: expected formal parameter list, not a type list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2085: 'PKCS7_ISSUER_AND_SERIAL_new' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2085: 'PKCS7_ISSUER_AND_SERIAL_free' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2085: 'd2i_PKCS7_ISSUER_AND_SERIAL' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2085: 'i2d_PKCS7_ISSUER_AND_SERIAL' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(282): 
error C2085: 'PKCS7_ISSUER_AND_SERIAL_it' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(286): 
error C2085: 'PKCS7_ISSUER_AND_SERIAL_digest' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(288): 
error C2085: 'd2i_PKCS7_fp' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\...\include\openssl\pkcs7.h(289): 
error C2085: 'i2d_PKCS7_fp' : not in formal parameter list

..

1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(291):
 error C2085: 'PKCS7_dup' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(292):
 error C2085: 'd2i_PKCS7_bio' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(293):
 error C2085: 'i2d_PKCS7_bio' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(296):
 error C2085: 'PKCS7_SIGNER_INFO_new' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(296):
 error C2085: 'PKCS7_SIGNER_INFO_free' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(296):
 error C2085: 'd2i_PKCS7_SIGNER_INFO' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(296):
 error C2085: 'i2d_PKCS7_SIGNER_INFO' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(296):
 error C2085: 'PKCS7_SIGNER_INFO_it' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(297):
 error C2085: 'PKCS7_RECIP_INFO_new' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(297):
 error C2085: 'PKCS7_RECIP_INFO_free' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(297):
 error C2085: 'd2i_PKCS7_RECIP_INFO' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(297):
 error C2085: 'i2d_PKCS7_RECIP_INFO' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(297):
 error C2085: 'PKCS7_RECIP_INFO_it' : not in formal parameter list
1>c:\users\luiz\dropbox\luiz\profissional\projetos\sadap3-assinaturadigital-iti\development\pdfsignature\openssl\include\openssl\pkcs7.h(298):
 error C2085: 'PKCS7_SIGNED_new' : not in formal parameter list

Re: [openssl-users] DROWN (CVE-2016-0800)

2016-03-02 Thread Scott Neugroschl
Thank you Michael and Victor for your explanation.

It's much appreciated.

ScottN

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |




-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] DROWN (CVE-2016-0800)

2016-03-02 Thread Scott Neugroschl
From the linked document:

"All client sessions are vulnerable if the target server still supports SSLv2 
today, irrespective of whether the client ever supported it"

I'm trying to understand this.  I am using a custom build of OpenSSL as a 
client, which was configured no-ssl2 and no-ssl3.  My code is
client-only.  So I am still vulnerable to this if my customer's server is not 
up to date?



-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich
Sent: Wednesday, March 02, 2016 10:22 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] DROWN (CVE-2016-0800)

Other implementations MAY be susceptible.  It's a protocol flaw.

The fix is to completely remove SSLv2.  See the blog post:  
https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] DROWN (CVE-2016-0800)

2016-03-02 Thread Scott Neugroschl
Hi,

I've got a question about DROWN.   Is the vulnerability due to a specific 
coding error in OpenSSL,
or is it something that other SSL implementations may be vulnerable to?  Which 
commit fixed this,
so that I can see the changes?

Thanks,

ScottN

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] no version information available error

2016-02-12 Thread Scott Neugroschl
OpenSSH does not work with the FIPS mode of OpenSSL.  This has been discussed 
both here and on the OpenSSH list.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
cloud force
Sent: Friday, February 12, 2016 11:44 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] no version information available error

Thanks Jakob for the detailed info.

On Thu, Feb 11, 2016 at 7:50 AM, Jakob Bohm wrote:
On 10/02/2016 22:46, cloud force wrote:
Hi Everyone,

I installed the FIPS capable openssl library (which was built by myself) on my 
Ubuntu linux box.

For some reason, I keep running into the following errors whenever I run ssh 
related command:


ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version
information available (required by ssh)


The same error happens when I ran openssl command such as the following:

linux-fips@ubuntu:/usr/local/ssl/lib$ openssl ciphers -v | wc -l
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information 
available (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information 
available (required by openssl)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information 
available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0)
openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information 
available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0)

The Debian-family (includes Ubuntu) standard OpenSSL shared
libraries are built in a special way to include "version tags"
in the resulting .so files, and all the openssl-needing
binaries in Debian/Ubuntu/etc. produce the error message
above if you install copies of those libraries without those
extra "version tags".

There are two alternative ways to solve this:

A) Build your FIPS-capable OpenSSL (not the FIPScanister)
  with all the extra steps and patches in the Ubuntu OpenSSL
  source package (.dsc etc.), just adding the FIPS canister.
   Note that some of the patches in the source package are
  backports of the security fixes included in the latest
  OpenSSL versions, you'll probably have to figure out the
  details yourself (unless Kurt Roeckz posts a recipe
  somewhere).

B) Patch your FIPS-capable OpenSSL makefile (not the
  FIPScanister makefile) to use a different .so-version, such
  as .so.1.0.2 .  Then your private openssl build will not be
  used by the prepackaged software while software explicitly
  compiled against your locally built OpenSSL will not
  accidentally pick up the standard non-FIPS OpenSSL.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 
10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
Thanks,
Rich

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Do you need EGD support?

2016-01-11 Thread Scott Neugroschl
Will you still support PRNGD?  I need PRNGD, as I'm on a platform without a 
built-in random device or cpu instructions.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich
Sent: Monday, January 11, 2016 7:06 AM
To: openssl-...@openssl.org; openssl-users@openssl.org
Subject: [openssl-users] Do you need EGD support?

We are considering removing EGD support in 1.1  If your platform still needs 
it, please reply soon.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How can i verify a signature without knowing the private key? not by openssl command but openssl function.

2015-09-25 Thread Scott Neugroschl
Ignore me.  I completely misread your email.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Scott Neugroschl
Sent: Friday, September 25, 2015 10:32 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How can i verify a signature without knowing the 
private key? not by openssl command but openssl function.

That's the whole point of private key encryption.  You don't NEED to know the 
private key.

What you do is write out the data (abcde1234).  Then hash it (SHA-256), and 
encrypt the *HASH* with the private key.
The recipient reads the data and encrypted hash.  He then decrypts the hash 
with the public key, compares it to the hash of the data.  If the two hashes 
match, the data is authentic.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Sent: Friday, September 25, 2015 3:52 AM
To: openssl-users
Subject: [openssl-users] How can i verify a signature without knowing the 
private key? not by openssl command but openssl function.

Hi guys
i want to write two programs to learn the details of ecdsa signature.
program A read the private key from private.pem, sign a string, like 
"abcde1234", save the signature as sig.pem.
program B read the public key from pub.pem, read the sig.pem, and verify 
the signature.
can anybody provide me a example code?

my implementation is as follow:
1, generate the ecc keys by "openssl ecparam -genkey -name secp256r1 -out 
private.pem" and extract the public key by "openssl ec -in private.pem -out 
public.pem -pubout"
2, read the private key by "PEM_read_PrivateKey()", and sign with 
"ECDSA_do_sign", there is no problem. program A works well.
3, the problem is how to read the public key from public.pem ? i find 
PEM_read_bio_PUBKEY from app/apps.c, but i can't find the source code.  how can 
i verify the signature without knowing the private key?


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] How can i verify a signature without knowing the private key? not by openssl command but openssl function.

2015-09-25 Thread Scott Neugroschl
That's the whole point of private key encryption.  You don't NEED to know the 
private key.

What you do is write out the data (abcde1234).  Then hash it (SHA-256), and 
encrypt the *HASH* with the private key.
The recipient reads the data and encrypted hash.  He then decrypts the hash 
with the public key, compares it to the hash of the data.  If the two hashes 
match, the data is authentic.

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Sent: Friday, September 25, 2015 3:52 AM
To: openssl-users
Subject: [openssl-users] How can i verify a signature without knowing the 
private key? not by openssl command but openssl function.

Hi guys
i want to write two programs to learn the details of ecdsa signature.
program A read the private key from private.pem, sign a string, like 
"abcde1234", save the signature as sig.pem.
program B read the public key from pub.pem, read the sig.pem, and verify 
the signature.
can anybody provide me a example code?

my implementation is as follow:
1, generate the ecc keys by "openssl ecparam -genkey -name secp256r1 -out 
private.pem" and extract the public key by "openssl ec -in private.pem -out 
public.pem -pubout"
2, read the private key by "PEM_read_PrivateKey()", and sign with 
"ECDSA_do_sign", there is no problem. program A works well.
3, the problem is how to read the public key from public.pem ? i find 
PEM_read_bio_PUBKEY from app/apps.c, but i can't find the source code.  how can 
i verify the signature without knowing the private key?


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Vulnerability logjam downgrades TLS connections to 512 Bit

2015-05-20 Thread Scott Neugroschl
Is OpenSSL vulnerable to Logjam?


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Vulnerability logjam downgrades TLS connections to 512 Bit

2015-05-20 Thread Scott Neugroschl
On Wednesday, May 20, 2015 10:18 AM, Kurt Roeckx wrote:
 On Wed, May 20, 2015 at 03:47:33PM +, Scott Neugroschl wrote:
 Is OpenSSL vulnerable to Logjam?

 See
 http://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

Thanks.

Scott

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Compiling for multiple platforms?

2015-04-21 Thread Scott Neugroschl
I'm cross-compiling for multiple platforms.   Any changes I make to platform A 
have to be reflected in platform B.

Currently, I have to have two full source trees, and ensure that they're in 
sync.

Is there a way to specify where objects and binaries go?  Or, alternatively, 
where the source lives (rather like OpenSSH's --srcdir option)?

I.e, what I'd like to see is

openssl
   |
   +- src
   |   |
   |   +- apps
   |   |
   |   +- crypto
   |   |
   |   ...
   |
   +- platformA
   |   |
   |   +- libcrypto.a
   |   |
   |   +- libssl.a
   |   |
   |   +- openssl
   |
   +- platformA
       |
       +- libcrypto.a
       |
       +- libssl.a
       |
       +- openssl


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] BIO_new_dgram() called in apps/s_server.c

2015-04-21 Thread Scott Neugroschl
Reposting because I sent it to the mta address:



I am building OpenSSL 1.0.2a with no-dgram and no-dtls1.  When I do so, I get a 
linker error that BIO_new_dgram() is undefined.



The following appears to fix the issue:



cut here

--- s_server.c.orig 2015-03-19 17:17:53 -0700

+++ s_server.c  2015-04-20 11:27:30 -0700

@@ -2183,6 +2183,7 @@

# endif

#endif



+#ifndef OPENSSL_NO_DGRAM

 if (stype == SOCK_DGRAM) {



 sbio = BIO_new_dgram(s, BIO_NOCLOSE); @@ -2220,6 +2221,9 @@

 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);

 } else

 sbio = BIO_new_socket(s, BIO_NOCLOSE);

+#else

+sbio = BIO_new_socket(s, BIO_NOCLOSE);

+#endif



 if (s_nbio_test) {

 BIO *test;
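
Review bot: this copy will not apply as posted. At `sbio = BIO_new_dgram(s, BIO_NOCLOSE); @@ -2220,6 +2221,9 @@` the second hunk header is fused onto a context line, the context lines `# endif` and `#endif` have lost their leading space, and a blank line follows every diff line. Resending the diff as an attachment would keep the mail client from rewrapping it.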

cut here



Does this fix make sense?




---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] BIO_new_dgram() called in apps/s_server.h

2015-04-20 Thread Scott Neugroschl

I am building OpenSSL 1.0.2a with no-dgram and no-dtls1.  When I do so, I get a 
linker error that BIO_new_dgram() is undefined.

The following appears to fix the issue:

cut here
--- s_server.c.orig 2015-03-19 17:17:53 -0700
+++ s_server.c  2015-04-20 11:27:30 -0700
@@ -2183,6 +2183,7 @@
 # endif
 #endif

+#ifndef OPENSSL_NO_DGRAM
 if (stype == SOCK_DGRAM) {

 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
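
Review bot: with the whole `if (stype == SOCK_DGRAM)` branch compiled out under OPENSSL_NO_DGRAM, nothing in this hunk stops stype from still being SOCK_DGRAM at run time. Please confirm that the code which sets stype is behind the same guard, or reject a datagram stype explicitly in the no-dgram build rather than letting it fall through to the stream path.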
@@ -2220,6 +2221,9 @@
 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
 } else
 sbio = BIO_new_socket(s, BIO_NOCLOSE);
+#else
+sbio = BIO_new_socket(s, BIO_NOCLOSE);
+#endif

 if (s_nbio_test) {
 BIO *test;
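
Review bot: the `#else` branch repeats the `sbio = BIO_new_socket(s, BIO_NOCLOSE);` line that already follows `} else`. Placing `#endif` directly after `} else` would let the single existing call serve both builds, so the two copies cannot drift apart. A short comment on the `#endif` naming OPENSSL_NO_DGRAM would also help, since the matching `#ifndef` sits in the previous hunk.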
cut here

Does this fix make sense?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] BIO_new_dgram() called in apps/s_server.c

2015-04-20 Thread Scott Neugroschl
Correction to subject, it's s_server.c  My typo.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Scott Neugroschl
Sent: Monday, April 20, 2015 11:32 AM
To: openssl-us...@mta.opensslfoundation.net
Subject: [openssl-users] BIO_new_dgram() called in apps/s_server.h


I am building OpenSSL 1.0.2a with no-dgram and no-dtls1.  When I do so, I get a 
linker error that BIO_new_dgram() is undefined.

The following appears to fix the issue:

cut here
--- s_server.c.orig 2015-03-19 17:17:53 -0700
+++ s_server.c  2015-04-20 11:27:30 -0700
@@ -2183,6 +2183,7 @@
 # endif
 #endif

+#ifndef OPENSSL_NO_DGRAM
 if (stype == SOCK_DGRAM) {

 sbio = BIO_new_dgram(s, BIO_NOCLOSE); @@ -2220,6 +2221,9 @@
 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
 } else
 sbio = BIO_new_socket(s, BIO_NOCLOSE);
+#else
+sbio = BIO_new_socket(s, BIO_NOCLOSE); #endif

 if (s_nbio_test) {
 BIO *test;
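
Review bot: in this quoted copy `#endif` has been folded onto the end of `+sbio = BIO_new_socket(s, BIO_NOCLOSE);`, where it is no longer a preprocessor directive, so the `#ifndef OPENSSL_NO_DGRAM` would be left unterminated. The second hunk header is likewise fused onto the `BIO_new_dgram` line. Apply the patch from an unwrapped copy rather than from this quote.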
cut here

Does this fix make sense?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] base64 decode in C

2015-03-18 Thread Scott Neugroschl
I believe the SSH pubkey is binary data, not ASCII, so strlen() will not work 
on it if it has embedded NUL chars.
As Dave Thompson suggested, instead of strlen(), use the length returned from 
BIO_read.


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Prashant Bapat
Sent: Wednesday, March 18, 2015 8:08 AM
To: openssl-users
Subject: Re: [openssl-users] base64 decode in C

Hi Dave and Walter,

Thanks for your reply.

I'm not doing anything different for the ssh pubkey. I'm able to decode it 
using the openssl enc -base64 -d -A command. But not using the C program.

Attaching my entire code here. After getting the base64 decoded I'm calculating 
the MD5 sum and printing it. This works for a regular string but not for SSH 
pubkey.

Thanks again.

--Prashant

On 18 March 2015 at 18:04, Walter H. <walte...@mathemainzel.info> wrote:
Hi,

before calling this function,
remove any whitespace;

Walter




___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
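
Why strlen() fails on the decoded key, as an added example that is not code from the thread: an SSH public key blob begins with a 4-byte length field, so its very first byte is 0x00 and strlen() stops immediately. The small decoder below stands in for the BIO-based one and its names are constructed; the sample input is a constructed string holding only the leading bytes of an ssh-rsa key.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: base64 of 00 00 00 07 's' 's' 'h' '-' 'r' 's' 'a'. */
static const char SAMPLE_B64[] = "AAAAB3NzaC1yc2E=";

/* Map one base64 character to its 6-bit value, or -1 if not in the alphabet. */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/*
 * Decode `in` into `out` (capacity `cap` bytes). Whitespace is skipped and
 * '=' ends the input. Returns the number of decoded bytes, or -1 on an
 * invalid character or when `out` is too small. The return value is the
 * only reliable length of the result.
 */
long b64_decode(const char *in, unsigned char *out, size_t cap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '='; in++) {
        if (*in == ' ' || *in == '\n' || *in == '\r' || *in == '\t')
            continue;
        int v = b64_value(*in);
        if (v < 0)
            return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap)
                return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1; /* keep only the unused low bits */
        }
    }
    return (long)n;
}

/* Length as reported by the decoder: correct for binary data. */
long sample_decoded_length(unsigned char *out, size_t cap)
{
    return b64_decode(SAMPLE_B64, out, cap);
}

/* Length as strlen() sees it: stops at the first 0x00 byte. */
size_t sample_strlen_length(void)
{
    unsigned char buf[32] = {0}; /* zero-filled so strlen() stays in bounds */
    if (b64_decode(SAMPLE_B64, buf, sizeof(buf) - 1) < 0)
        return (size_t)-1;
    return strlen((const char *)buf);
}

int main(void)
{
    unsigned char buf[32] = {0};
    long n = sample_decoded_length(buf, sizeof(buf));
    printf("decoder length: %ld, strlen length: %zu\n",
           n, sample_strlen_length());
    return 0;
}
```

Whatever hashes the decoded key has to be given the decoder's returned count, not the strlen() result.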


Re: [openssl-users] OpenSSL version 1.0.1k released

2015-01-08 Thread Scott Neugroschl
The C4047 is just a warning.  The C2065 is a known issue, per Matt.

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Kevin Layer
Sent: Thursday, January 08, 2015 1:13 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL version 1.0.1k released

With a more modern 64-bit MS compiler, I still get a failure.
I see that Cygwin released theirs, so I'm guessing this is a MS compiler issue.

cl /Fotmp32dll\cversion.obj  -Iinc32 -Itmp32dll /MD /Ox 
-DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE 
-D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM 
-DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 
-DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi 
/Fdtmp32dll/lib -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD 
-DMK1MF_PLATFORM_VC_WIN64A -c .\crypto\cversion.c cversion.c
crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in 
levels of indirection from 'int'
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.


Microsoft (R) C/C++ Optimizing Compiler Version 14.00.40310.41 for AMD64 and 
the same Microsoft Platform SDK for Windows Server 2003 R2.

Help?
Thanks.
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users


RE: Adding new cipher to openssl.

2014-11-26 Thread Scott Neugroschl
Maybe he thinks that  if he asks it often enough, the answer will magically 
change?

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Salz, Rich
Sent: Tuesday, November 25, 2014 10:23 PM
To: openssl-users@openssl.org
Subject: RE: Adding new cipher to openssl.

> I was trying to add a new cipher to openssl so as to use it with the
> digital certificate, is it possible ?

You asked this a week ago.  You also asked this three weeks ago.

The answer is yes it is possible but there is NO TOOL OR DOCUMENTATION.

Stephen Henson suggested looking at the gost engine.

Please stop.



RE: undefined reference errors, e.g. to `ERR_load_crypto_strings'

2014-11-25 Thread Scott Neugroschl
Reverse the order of the libraries.  Use -lssl -lcrypto.


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Alexander Raiola
Sent: Tuesday, November 25, 2014 8:34 AM
To: openssl-users@openssl.org
Subject: undefined reference errors, e.g. to `ERR_load_crypto_strings'

Dear Sirs or Madams,

I have the problem that I keep getting undefined reference errors whenever I 
try to access pretty much any OpenSSL-related command. I elaborated on my 
problem in the following thread:
http://stackoverflow.com/questions/27106580/undefined-reference-to-err-load-crypto-strings

Can anyone please help me?

Cheers
Alex
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: sign problem

2014-11-24 Thread Scott Neugroschl
Your problem is with signlen.   You’re accessing a null pointer in 
EVP_DigestSignFinal().

Declare signlen as  size_t, not a size_t*, and pass the *ADDRESS* of signlen.  
E.g.:

  EVP_DigestSignFinal(mdctx, NULL, &signlen);



From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Amir Reda
Sent: Monday, November 24, 2014 10:10 AM
To: openssl-users@openssl.org
Subject: sign problem

Dear all,
I have a problem with C++ code for signing some data. Here is the code:

    BIO *sgerr = NULL;
    const char szPath[MAX_FILE_NAME_SIZE] = "sgerr.pem";
    sgerr = BIO_new_file(szPath, "wb");

    cout << "i'm in sign digest" << endl;
    //create private key
    EVP_PKEY *priv_key = NULL;
    priv_key = EVP_PKEY_new();
    if (1 == EVP_PKEY_set1_RSA(priv_key, m_caKeyPairs))
    {
        cout << "Successful key private created" << endl;
    }
    else
    {
        cout << "private key is bad" << endl;
    }

    EVP_MD_CTX *mdctx = NULL;
    mdctx = EVP_MD_CTX_create();
    size_t *signlen = NULL;
    //Initialize the DigestSign operation
    if (1 == EVP_DigestSignInit(mdctx, NULL, EVP_sha1(), NULL, priv_key))
    {
        cout << "initialize correct" << endl;
    }
    else
    {
        cout << "something wrong" << endl;
    }
    //update with the message
    if (1 == EVP_DigestSignUpdate(mdctx, m_digestData, (DATA_SIZE + RSA_KEY_SIZE)))
    {
        cout << "digest created successfully" << endl;
        cout << "digest is " << endl;
        for (int i = 0; i < DIGEST_SIZE; i++)
        {
            printf("0x%.2x ", m_digest[i]);
        }
        cout << endl;
    }
    else
    {
        cout << "something wrong" << endl;
    }
    //Finalise the DigestSign operation determine the sign length
    if (1 == EVP_DigestSignFinal(mdctx, NULL, signlen))
    {
        cout << "sign length is " << (*signlen) << endl;
    }
    else
    {
        cout << "something wrong" << endl;
    }
    if (1 == EVP_DigestSignFinal(mdctx, m_signedDigest, signlen))
    {
        cout << "sign successfully created" << endl;
    }
    else
    {
        cout << "something wrong" << endl;
    }
the output of this code in terminal during debugging

i'm in sign digest
Successful key private created
initialize correct
digest created successfully
digest is 
0x99 0x2d 0x5c 0x5b 0x2f 0x7a 0x85 0x98 0x7c 0x69 0xca 0x33 0x17 0xab 0x87 0x7c 
0x79 0x73 0xd7 0x4a 
until I arrive at this point
    if (1 == EVP_DigestSignFinal(mdctx, NULL, signlen))
I got this error
No source available for EVP_PKEY_sign() at 0xb7ede098 
even though this function just returns the length of the sign 
Note: I'm using Eclipse Kepler and I don't know what I did wrong 




-- 
Warmest regards and best wishes for a good health,urs sincerely 
mero


RE: How to determine if a ssl object is using a DTLS method?

2014-11-24 Thread Scott Neugroschl
Use getsockopt(SO_TYPE) on the underlying socket?



-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of John Lane Schultz
Sent: Monday, November 24, 2014 1:05 PM
To: openssl-users@openssl.org
Subject: How to determine if a ssl object is using a DTLS method?

Hi all,

I wrote generic wrappers for handling both TLS + DTLS accept and connect logic 
in a non-blocking manner.

My problem is that with DTLS (but not TLS) ssl objects I need to set my own 
timers for implementing reliability of msgs by calling, for example, 
DTLSv1_get_timeout and DTLSv1_handle_timeout.  (TCP handles this for TLS 
automatically)

Therefore, I need to check if the ssl on which I’m operating is a DTLS or a TLS 
ssl object.  Is there an easy and good way to do this?

I can do a brute force method of calling SSL_get_ssl_method and then checking 
it against all the methods I know (e.g. - DTLSv1_method(), 
DTLSv1_client_method(), DTLSv1_server_method, etc.) but that seems ugly and 
fragile, especially as more methods are added in the future.

Can anyone suggest a better way to figure out if I need to do special DTLS 
handling on a ssl object or not?

Cheers!

-
John Lane Schultz
Spread Concepts LLC
Cell: 443 838 2200
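
Added example, not part of the thread: one way to apply the getsockopt(SO_TYPE) suggestion from the reply. It assumes the descriptor comes from SSL_get_fd(ssl), which returns -1 when the SSL object is not attached to a socket BIO; that case and non-socket descriptors are reported as "unknown" so the caller can fall back to another check. The function names are assumptions.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Decide whether the transport under an SSL object needs DTLS timer handling
 * (DTLSv1_get_timeout / DTLSv1_handle_timeout in the caller).
 * fd is assumed to be the value returned by SSL_get_fd(ssl).
 * Returns 1 for a datagram socket, 0 for a stream socket, and -1 when the
 * answer cannot be determined (no fd, not a socket, or another socket type). */
int needs_dtls_timers(int fd)
{
    int type = 0;
    socklen_t len = sizeof type;

    if (fd < 0)
        return -1;                      /* e.g. SSL object on a memory BIO */
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return -1;                      /* ENOTSOCK, EBADF, ... */
    if (type == SOCK_DGRAM)
        return 1;
    if (type == SOCK_STREAM)
        return 0;
    return -1;
}

/* Demo helper: create a socket of the given kind, classify it, close it. */
int classify_new_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);
    int result;

    if (fd < 0)
        return -1;
    result = needs_dtls_timers(fd);
    close(fd);
    return result;
}

int main(void)
{
    printf("UDP socket     -> %d\n", classify_new_socket(AF_INET, SOCK_DGRAM));
    printf("TCP socket     -> %d\n", classify_new_socket(AF_INET, SOCK_STREAM));
    printf("no descriptor  -> %d\n", needs_dtls_timers(-1));
    return 0;
}
```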



RE: version question

2014-11-20 Thread Scott Neugroschl
Should probably be asked on the OpenSSH mailing lists.  My guess is that you 
will need to install a newer version of OpenSSL.

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of David Flatley
Sent: Wednesday, November 19, 2014 12:35 PM
To: openssl-users@openssl.org
Subject: version question


  I am trying to build Openssh 6.7p1 on a Red Hat 5.6 x86_64 system with 
Red Hat openssl-0.9.8e-31, which is the latest Red Hat openssl version. The 
Openssh build checks openssl versions and requires 0.9.8f.
Is there a work around for this?
Thanks.

David Flatley



RE: Digital Certificates

2014-11-20 Thread Scott Neugroschl
Even assuming he figures out how to tie his algorithm into OpenSSL, how would 
he even begin to specify his custom algorithm in the cert?  Wouldn't he have to 
define his own OID for the algorithm?

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Salz, Rich
Sent: Thursday, November 20, 2014 7:32 AM
To: openssl-users@openssl.org
Subject: RE: Digital Certificates

> If, I want to use my own algorithm instead of rsa or sha1 in the
> digital certificates,  is it possible ? if yes then how ?

I thought I answered this.  It is hard work, it is not documented, you're on 
your own.



RE: sign problem

2014-11-18 Thread Scott Neugroschl
That looks like a debugger message, not an actual error from the code.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Amir Reda
Sent: Tuesday, November 18, 2014 10:29 AM
To: openssl-users@openssl.org
Subject: sign problem

Dear all, I made a client-server application: the client sends a certificate 
request and the server replies with the certificate, and it creates an encrypted 
shared key and some data and signs the digest of the shared key and data.
My problem is:
1- In SignDigest(), the EVP_DigestSignFinal(mdctx, NULL, signlen); function 
returns an error: No source available for EVP_PKEY_sign() at 0xb7ede098
I don't know the reason for this error; it should return the length of the sign 
only,
then I reserve a location in memory with this size.
Please help me.


--
Warmest regards and best wishes for a good health,urs sincerely
mero


RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-05 Thread Scott Neugroschl
VS6 essentially became obsolete in 2002, with the release of Visual Studio 7 
.NET.
IIRC, IPv6 was still in its infancy.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of neil carter
Sent: Wednesday, November 05, 2014 10:28 AM
To: Walter H.; openssl-users@openssl.org
Subject: Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 
'in6_addr'

Sorry, typo - s/b 'VCVARS32.bat'

So are you implying that MS Visual Studio 6.0 might be the issue in that it 
might not have built-in code with IPv6 headers?  Haven't the IPv6 pieces of the 
OpenSSL code been around for a while?  I know I saw posts regarding it from 
several years back in the list archive.

Thanks!



On 11/5/2014 12:13 PM, Walter H. wrote:
On 05.11.2014 18:47, neil carter wrote:
I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), 
with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3.
Steps involved include running the VCVARS21.BAT script, ' perl Configure 
VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f 
ms\ntdll.mak'.  Everything looks normal/good until the last step, which ends in 
the following:

VCVARS21.BAT = Visual C++ 2.1?
if yes, you should throw away the old ancient compiler of the early beginning 
of WinNT ... as of 1994;
and get the new actual Platform SDK from Microsoft ...

 .\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
 .\apps\s_cb.c(803) : see declaration of 'in6_addr'
 .\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
 .\apps\s_cb.c(836) : see declaration of 'in6_addr'
 .\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
 .\apps\s_cb.c(884) : see declaration of 'in6_addr'
 .\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
 .\apps\s_cb.c(917) : see declaration of 'in6_addr'
 NMAKE : fatal error U1077: 'cl' : return code '0x2'
 Stop.
this seems that you include ancient SDK headers not capable of IPv6 at all ...



RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-05 Thread Scott Neugroschl
RFC 790 defines IPv4, not IPv6.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Walter H.
Sent: Wednesday, November 05, 2014 10:49 AM
To: neil carter
Cc: openssl-users@openssl.org
Subject: Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 
'in6_addr'

On 05.11.2014 19:27, neil carter wrote:
Sorry, typo - s/b 'VCVARS32.bat'

So are you implying that MS Visual Studio 6.0 might be the issue in that it 
might not have built-in code with IPv6 headers?
yes, definitely

WINSOCK2.H contains this:

/*
 * Constants and structures defined by the internet system,
 * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
 */

by the way: Visual C++ is from 1998, also an old ancient compiler
we have 2014 ;-)


RE: compilation error

2014-09-19 Thread Scott Neugroschl
:44: undefined 
reference to `X509_gmtime_adj'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:45: undefined 
reference to `X509_gmtime_adj'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:46: undefined 
reference to `X509_set_pubkey'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:48: undefined 
reference to `X509_get_subject_name'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:49: undefined 
reference to `X509_set_issuer_name'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:50: undefined 
reference to `EVP_md5'
/home/amirale32/workspace/certificate/Debug/../src/server.cc:50: undefined 
reference to `X509_sign'
./src/server.o: In function `Server::GenerateMyKeyPairs()':
/home/amirale32/workspace/certificate/Debug/../src/server.cc:56: undefined 
reference to `RSA_generate_key'
./src/server.o: In function `Server::SetPublicKey()':
/home/amirale32/workspace/certificate/Debug/../src/server.cc:62: undefined 
reference to `EVP_PKEY_assign'
collect2: error: ld returned 1 exit status
make: *** [certificate] Error 1
Note:
I have followed the steps from these links:

http://amgadmadkour.blogspot.com/2011/09/compiling-open-ssl-programs-in-eclipse.html
http://askubuntu.com/questions/211038/cant-find-openssl
http://stackoverflow.com/questions/7860657/undefined-reference-to-eclipse-c
but I failed. Please help.

On Thu, Sep 18, 2014 at 11:46 PM, Scott Neugroschl <scot...@xypro.com> wrote:
It’s -lssl, not -lopenssl.


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Amir Reda
Sent: Thursday, September 18, 2014 1:33 PM
To: openssl-users@openssl.org
Subject: compilation error

/usr/bin/ld: cannot find -lopenssl
This is the error I get when I try to compile the code I attached below. I 
installed the OpenSSL lib in Ubuntu 12.10; I use Eclipse and added, at the linker 
setting, openssl usr/include/openssl.
I don't know how to solve this problem, please help.

--
Warmest regards and best wishes for a good health,urs sincerely
mero



--
Warmest regards and best wishes for a good health,urs sincerely
mero


RE: compilation error

2014-09-18 Thread Scott Neugroschl
It’s -lssl, not -lopenssl.


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Amir Reda
Sent: Thursday, September 18, 2014 1:33 PM
To: openssl-users@openssl.org
Subject: compilation error

/usr/bin/ld: cannot find -lopenssl
This is the error I get when I try to compile the code I attached below. I 
installed the OpenSSL lib in Ubuntu 12.10; I use Eclipse and added, at the linker 
setting, openssl usr/include/openssl.
I don't know how to solve this problem, please help.

--
Warmest regards and best wishes for a good health,urs sincerely
mero


Configure Error with no-ec?

2014-08-11 Thread Scott Neugroschl
When trying to configure 1.0.1h with no-ec, I am getting an error out of 
Configure.  When it's configuring the engines subdirectory:

make[1]: Leaving directory `/users/scottn/testssl/openssl-1.0.1h/ssl'
making links in engines...
make[1]: Entering directory `/users/scottn/testssl/openssl-1.0.1h/engines'
/bin/sh: syntax error at line 1 : `;' unexpected
make[1]: *** [links] Error 2
make[1]: Leaving directory `/users/scottn/testssl/openssl-1.0.1h/engines'
make: *** [links] Error 1

It looks like for some reason ENGDIRS is not set or passed properly.  Even 
though the test for -z is being passed, the for loop
in RECURSIVE_MAKE is generating a syntax error.

Has anyone else run into something like this?


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 
583-2874|Fax 805 583-0124 |



RE: Compile error on Tandem

2014-07-15 Thread Scott Neugroschl
Wayne, there's a Tandem port on ITUGLIB.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Johnson, Wayne
Sent: Monday, July 14, 2014 8:11 AM
To: 'openssl-users@openssl.org'
Subject: Compile error on Tandem

I'm trying to compile OpenSSL 1.0.1h on Tandem (aka NonStop).

I'm getting the following errors:
c89 -I.. -I../include  -Ww -D__TANDEM -D_XOPEN_SOURCE 
-D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN   -c -o heartbeat_test.o 
heartbeat_test.c
SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 276: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 294: error(114):
 identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 312: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 326: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 343: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(tls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 360: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(tls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 378: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(tls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 396: error(114):
  identifier __func__ is undefined


SETUP_HEARTBEAT_TEST_FIXTURE(tls);
^
/home/devbuild/openssl-1.0.1h/test/heartbeat_test.c, line 410: error(114):
  identifier __func__ is undefined


9 errors detected in the compilation of heartbeat_test.c.
c89: /usr/lib/cfe exited, returning 2.
make[1]: *** [heartbeat_test.o] Error 1

Any suggestions on where this is going wrong?  Looks like the macro is 
referencing the parameter __func__, but I don't see that being defined.



Wayne D. T. Johnson
Staff Specialist Product Developer
BMC Software

phone: 952.345.8628
BMC 5 digit: 58628
fax: 952.345.8721

1600 Tower, Suite 450
1600 Utica Av. So.
St. Louis Park, MN 55416









RE: Decrypting from memory bio vs file bio

2014-07-07 Thread Scott Neugroschl
Try using BIO_new_mem_buf() instead.

https://www.openssl.org/docs/crypto/BIO_s_mem.html



-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Ico
Sent: Monday, July 07, 2014 2:17 PM
To: openssl-users
Subject: Decrypting from memory bio vs file bio


Hi all,

I've got a small snippet of code to decode some aes-128-cbc data. 
The encrypted data is 16 bytes long, decoding to 7 bytes \x02\x00hallo.

Decoding using BIO's, works ok when the input BIO is a file BIO but fails when 
the input is a memory buffer BIO. In the latter case the BIO_read from the 
cipher bio returns -1.

See the snippet below or at http://pastebin.com/raw.php?i=1fxLQkFa

Change the 'if(1)' in 'if(0)' to switch between the two input bios.

I noticed that the decrypting works ok if I write some additional data in the 
input memory buffer using BIO_write(), but I believe this should not be 
necessary.

The data decodes properly using the openssl command line:

openssl aes-128-cbc -d \
-K 2b7e151628aed2a6abf7158809cf4f3c \
-iv a76d933653cb191de0b5ef789727fc64

Any insight in my problem much appreciated.

Ico



#include <stdio.h>
#include <assert.h>
#include <openssl/evp.h>
#include <openssl/bio.h>

unsigned char data[] = { 0xd7, 0x40, 0x9c, 0xe9, 0x81, 0xff, 0x41, 0xf1,
                         0xf8, 0x61, 0xf5, 0xa9, 0x36, 0x99, 0x5b, 0x07 };
unsigned char key[]  = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
                         0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
unsigned char iv[]   = { 0xa7, 0x6d, 0x93, 0x36, 0x53, 0xcb, 0x19, 0x1d,
                         0xe0, 0xb5, 0xef, 0x78, 0x97, 0x27, 0xfc, 0x64 };


int main(int argc, char **argv)
{
    int r;

    OpenSSL_add_all_digests();
    OpenSSL_add_all_ciphers();

    BIO *bio;

    if(1) {
        bio = BIO_new(BIO_s_mem());
        r = BIO_write(bio, data, sizeof(data));
        assert(r == sizeof(data));
    } else {
        FILE *f = fopen("/tmp/flop", "w");
        fwrite(data, 1, sizeof(data), f);
        fclose(f);
        bio = BIO_new_file("/tmp/flop", "r");
    }

    BIO *bio_dec = BIO_new(BIO_f_cipher());
    BIO_set_cipher(bio_dec, EVP_aes_128_cbc(), key, iv, 0);
    BIO_push(bio_dec, bio);

    char flop[2048];

    r = BIO_read(bio_dec, flop, sizeof flop-1);
    assert(r != -1);
    flop[r] = '\0';

    printf("r=%d '%s'\n", r, flop+2);

    return 0;
}

--
:wq
^X^Cy^K^X^C^C^C^C


RE: Advisory on CVE 2014-0195 not listed on main vulnerabilities page

2014-06-23 Thread Scott Neugroschl
CVE-2014-0198 is listed in the VULNERABILITIES page as fixed in 1.0.1h and 
1.0.0m , but is not listed on the Release Notes for either of these releases.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Geoffrey Thorpe
Sent: Monday, June 23, 2014 11:59 AM
To: jb-open...@wisemo.com
Cc: openssl-users@openssl.org
Subject: Re: Advisory on CVE 2014-0195 not listed on main vulnerabilities page

Hi Jakob,

Thanks - I think this has now been corrected, the website should sync within an 
hour or so. Please let me know if you see anything amiss.

Cheers,
Geoff


On Mon, Jun 23, 2014 at 8:15 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
Dear OpenSSL web page subteam,

CVE 2014-0195 is listed in

  https://www.openssl.org/news/secadv_20140605.txt

as fixed by the latest round of security fixes, however it is
missing from the primary cross reference at

  https://www.openssl.org/news/vulnerabilities.html

You may wish to update the page to reflect this part of the
advisory.

This was also mentioned by Mr. Nageswar in an unanswered message
14 days ago.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



CVE-2014-0224

2014-06-11 Thread Scott Neugroschl
Hi guys,

I know 0.9.7 is no longer under development, but for various reasons, I have an 
app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVE-2014-0224?

Thanks,

ScottN




RE: CVE-2014-0224

2014-06-11 Thread Scott Neugroschl

From Victor:
On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:

> I know 0.9.7 is no longer under development, but for various reasons,
> I have an app that is still using 0.9.7g.
> Is 0.9.7g subject to the vulnerability from CVE-2014-0224?

There are I expect many unresolved issues (even if not the particular one in 
question) in the long ago un-maintained 0.9.7 release.  So my advice is that 
if this application is communicating over the public Internet, it needs to be 
upgraded or retired.

We are aware of this, and are looking to upgrade.  Does anyone have a 
recommendation as to 0.9.8 vs 1.0.0 (1.0.1 is too bleeding edge)?  If you have 
a recommendation, may I ask what led you to choose that path?

Thanks,

ScottN



RE: REMOVE my address from your mailing list, please

2011-09-07 Thread Scott Neugroschl
unsubscribe here:  http://www.openssl.org/support/community.html
 



From: owner-openssl-us...@openssl.org on behalf of Anh Pham
Sent: Wed 9/7/2011 3:23 AM
To: openssl-users@openssl.org
Subject: REMOVE my address from your mailing list, please


Remove my address from the mailing list, please 


RE: where is the memory being held

2010-09-27 Thread Scott Neugroschl
As David said, yes.
 
On the other hand, you could re-implement malloc() and free() for your platform.



From: owner-openssl-us...@openssl.org on behalf of zhu qun-ying
Sent: Sun 9/26/2010 11:14 PM
To: openssl-users@openssl.org
Subject: Re: where is the memory being held



Does it mean that it is hard to change the behavior?
--
qun-ying


--- On Fri, 9/24/10, David Schwartz <dav...@webmaster.com> wrote:

> Sounds like OpenSSL wasn't what you wanted. OpenSSL is
> intended for use on general-purpose computers with virtual
> memory. It is not designed to return virtual memory to the
> system, which in your case means it won't return physical
> memory to the system. Ouch.
>
> DS








Building a custom ENGINE?

2009-12-02 Thread Scott Neugroschl
I'm trying to build a custom ENGINE, and the docs are fairly sketchy as to
how to do it.

It doesn't have to be dynamic -- my application will have the code to build
the ENGINE and register it.

 

Are there any good pointers on building an ENGINE?

 



Scott Neugroschl

XYPRO Technology Corporation

scot...@xypro.com

805-583-2874

 



RSA vs. RSA_METHOD

2009-12-02 Thread Scott Neugroschl
Am I correct in assuming that an RSA structure contains the encryption
context for a particular instance of RSA, whereas RSA_METHOD contains the
functions that the RSA instance will use?

 

ScottN

 

 

 



RE: Building a custom ENGINE?

2009-12-02 Thread Scott Neugroschl
Thank you very much!
 
> In message <001101ca72e0$8a6fbd60$9f4f38...@com> on Tue, 1 Dec 2009
> 15:46:43 -0800, Scott Neugroschl <redfl...@gmail.com> said:
>
> redfloyd> I'm trying to build a custom ENGINE, and the docs are fairly
> redfloyd> sketchy as to how to do it.
> redfloyd>
> redfloyd> It doesn't have to be dynamic -- my application will have the
> redfloyd> code to build the ENGINE and register it.
> redfloyd>
> redfloyd> Are there any good pointers on building an ENGINE?
>
> There's an example in demos/engines/rsaref/...  does that help?

