Re: Bug in EVP_PKEY_CTX function
You are right, sorry. The reference error is indirectly caused by my own changes.
Thank you for your help.

Valery Blazhnov

03.11.2010 15:20, Dr. Stephen Henson wrote:
> On Wed, Nov 03, 2010, Valery Blazhnov wrote:
>
>> Yes, but EVP_PKEY_CTX_new() may be called and is really called sometimes
>> in OpenSSL functions with NULL engine. In that case ENGINE_init(e) is not
>> called in int_ctx_new() but then we get engine with
>> e = ENGINE_get_pkey_meth_engine(id); and assign it to ret->engine without
>> ENGINE_init(e).
>
> Well ENGINE_get_pkey_meth_engine() calls engine_table_select() which itself
> should up the engine reference count.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
OpenSSL without Transport
I know that SSL requires a transport layer for reliability purposes. But if there is a reliable, pre-provisioned and lossless network, is it possible to transport an SSL packet without any transport layer protocol? Does OpenSSL support SSL without a transport layer?

Please help.

-Karthick
How to generate gost-mac using ccgost engine?
Hello,

I've got a problem with calculating gost-mac using OpenSSL 1.0.0a.
Maybe the problem is with the cmd options, but I was unable to find out how to get it to work.

Trying to generate gost-mac.

Example from documentation (engines/ccgost/README.gost):

    Calculation of GOST 28147 MAC

    openssl dgst -mac gost-mac -macopt key:<32 bytes of key> datafile

    Note absence of an option that specifies digest algorithm. gost-mac
    algorithm supports only one digest (which is actually part of
    implementation of this mac) and OpenSSL is clever enough to find out this.

    # ./apps/openssl dgst -mac gost-mac -macopt key:FF openssl.doxy
    Algorithm gost-mac not found

Well, do it like this:

    # ./apps/openssl dgst -gost-mac -macopt key:ff openssl.doxy
    Read Error in openssl.doxy
    3076327052:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:

The reason is that the key for this mac is not set.
The only place where it can be set is the control function gost_imit_ctrl at engines/ccgost/gost_crypt.c:595.
But this function, int gost_imit_ctrl(EVP_MD_CTX, int, int, void *), is never called. So the length of the key option is not the root cause.

As I understand it, control functions for dgst are called only if the -mac parameter is specified.
See apps/dgst.c:228

    else if (!strcmp(*argv,"-mac"))

and apps/dgst.c:362

    if (mac_name)

But since there is no such parameter, it is not supposed to work.
But if we do specify it, openssl can't find the algorithm (see the first command line example).

So the question is: is it a bug, or is it possible to specify some valid parameter for the -mac option in this case?
Or maybe there is another way to get it to work?
Re: Source level debug config for 1.0.0a?
As a quick hack I added the following lines to the root Makefile:

    debug: CFLAG+= -ggdb3 -O0 -DDEBUG
    debug: all

just before

    all: Makefile build_all openssl.pc libssl.pc libcrypto.pc

Then

    # make clean
    # make debug

After that NetBeans can walk through the source using gdb. Linux i386.
It consumes about 3G of disk space.

And it's a good idea to exclude test from

    DIRS= crypto ssl engines apps test tools

in the Makefile if you do not need them, as it requires enormous time to build.

Scott Cherf
Fri, 15 Oct 2010 15:22:45 -0700

> Hello - I'm trying to compile with source level debugging enabled using
> the 1.0.0a distribution and I'm not having any luck at all. I would
> appreciate a clue if there is one.
> ...
> I'm unable to build a version that gives me source level debug using gdb
> and I can't figure out why. Anyone?
Re: How to generate gost-mac using ccgost engine?
On Wed, Nov 10, 2010, Andrey Kulikov wrote:

> Hello,
>
> I've got a problem with calculating gost-mac using OpenSSL 1.0.0a.
> Maybe the problem is with the cmd options, but I was unable to find out
> how to get it to work.

Try:

    openssl dgst -engine gost -mac gost-mac -macopt key:mac README

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL without Transport
On 11/9/2010 4:06 PM, Karthick Ramu wrote:

> I know that SSL requires a transport layer for reliability purposes. But
> if there is a reliable, pre-provisioned and lossless network, is it
> possible to transport an SSL packet without any transport layer protocol?
> Does OpenSSL support SSL without a transport layer? Please help.

You can use BIO pairs. Just read from the SSL BIO, and when you get data, it's your job to get it to the other end by whatever mechanism you like. When you get encrypted data from the other end, by whatever mechanism, just write it to the SSL BIO.

There are two caveats with this approach:

1) You must manually check that the certificate received from the other end makes sense. Without a hostname from the TCP connection process, there is no way to automatically know whether the certificate received is correct or not. If you're trying to reach 'www.amazon.com' and get a certificate for 'www.evilsite.net', your code must reject the connection.

2) You must not make assumptions about when you should read from and write to the SSL BIO. Reading plaintext may require sending ciphertext. Sending plaintext may require receiving ciphertext. Do not think of SSL as an encryption on send or decryption on receive. Think of it as a magic box that maintains a connection by sending and receiving messages. Don't think "I just sent some plaintext so SSL will need to send some ciphertext". Think "I just sent some plaintext, maybe SSL will need to send some ciphertext, maybe it will need to receive some ciphertext, just as it might need at any time".

DS
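The two caveats above, as an added example that is not part of the original thread: the client half of a socket-less TLS session, written with Python's ssl module, whose MemoryBIO objects are OpenSSL memory BIOs (a close relative of the BIO pair suggested in the reply). The peer name www.example.com and the class and method names are assumptions made for illustration.

```python
import ssl

EXPECTED_PEER = "www.example.com"  # assumed name; nothing on the link supplies it


class TransportlessClient:
    """Client-side TLS engine with no socket: all bytes pass through memory BIOs."""

    def __init__(self, expected_peer):
        # create_default_context() turns on CERT_REQUIRED and check_hostname.
        ctx = ssl.create_default_context()
        self.incoming = ssl.MemoryBIO()   # ciphertext that arrived from the peer
        self.outgoing = ssl.MemoryBIO()   # ciphertext we still have to deliver
        # Caveat 1: with no TCP connect step, the expected peer name has to be
        # passed in explicitly so the certificate can be checked against it.
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_hostname=expected_peer)

    def attempt(self, operation, *args):
        """Run one TLS call; return (state, result, ciphertext_to_deliver)."""
        try:
            result, state = operation(*args), "done"
        except ssl.SSLWantReadError:
            result, state = None, "need_peer_bytes"
        # Caveat 2: whatever was asked for, the engine may have queued
        # ciphertext of its own, so always drain the outgoing BIO.
        return state, result, self.outgoing.read()

    def deliver(self, ciphertext):
        """Hand bytes received over the custom link to the TLS engine."""
        self.incoming.write(ciphertext)


def demo():
    client = TransportlessClient(EXPECTED_PEER)
    # Asking to send plaintext makes the engine emit a handshake record and
    # then wait for the peer; the plaintext itself has not gone anywhere yet.
    first = client.attempt(client.tls.write, b"hello")
    # Retrying before any peer bytes were delivered produces nothing new.
    second = client.attempt(client.tls.write, b"hello")
    return first, second


if __name__ == "__main__":
    (state, _, wire), _ = demo()
    print(state, "first record type: 0x%02x," % wire[0], len(wire), "bytes queued")
```

A complete endpoint keeps alternating attempt() and deliver() until the state is "done", and the other side runs the same loop with a server context.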