Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
On Fri, Nov 12, 2010, Andrey Kulikov wrote: Hello, I'm trying to make s_server and s_client work with GOST encryption using ccgost engine and certificates with GOST algos. But it unable to work, complaining to bad mac computing. (If I use RSA-based certificates, everything works just fine.) Please try a recent 1.0.0 snapshot and see if you still have this problem. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Is it really possible to generate gost-mac using ccgost engine?
Hello, I've got a problem with calculating gost-mac using Openssl 1.0.0a May be problem with cmd options, but I was unable to find out how to get it work Trying to generate gost-mac. Example from documentation (engines/ccgost/README.gost) Calculation of GOST 28147 MAC openssl dgst -mac gost-mac -macopt key:32 bytes of key datafile Note absense of an option that specifies digest algorithm. gost-mac algorithm supports only one digest (which is actually part of implementation of this mac) and OpenSSL is clever enough to find out this. # ./apps/openssl dgst -mac gost-mac -macopt key:FF openssl.doxy Algorithm gost-mac not found Well, do it like this: # ./apps/openssl dgst -gost-mac -macopt key:ff openssl.doxy Read Error in openssl.doxy 3076327052:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: The reason is that key for this mac is not set. The only place where it can be set is control function gost_imit_ctrl engines/ccgost/gost_crypt.c:595 But this function int gost_imit_ctrl(EVP_MD_CTX, int, int, void *) never called. So length of key option is not a root cause. As I understand, control functions for dgst called only if parameter -mac is specified. See apps/dgst.c:228 else if (!strcmp(*argv,-mac)) and apps/dgst.c:362 if (mac_name) But since there is no such parameter it not supposed to work. But if we do specify it - openssl can't find an algorithms (see first command line example). So the question is: is it a bug or it is possible to specify some valid parameter for -mac option in this case? Or may be there is other way to get it work? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Source level debug config for 1.0.0a?
As a quick hack I added to root Makefile following lines: == debug: CFLAG+= -ggdb3 -O0 -DDEBUG debug: all == just before all: Makefile build_all openssl.pc libssl.pc libcrypto.pc Then # make clean # make debug After that NetBeans can walk through source using gdb. Linux i368. It consumes about 3G of disk space. And it's a good idea to exclude test from DIRS= crypto ssl engines apps test tools in Makefile if you do not need them, as it's require enormous time to build. Scott Cherf Fri, 15 Oct 2010 15:22:45 -0700 Hello - I'm trying to compile with source level debugging enabled using the 1.0.0a distribution and I'm not having any luck at all. I would appreciate a clue if there is one. ... I'm unable to build a version that gives me source level debug using gdb and I can't figure out why. Anyone? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Help with reading DER encoded RSA cert file
Hi, I am trying to read in a DER encoded RSA public key using d2i_X509_fp(); I have generated an RSA key using openssl with the following commands: 1. openssl genrsa -out privkey.pem 2048 2. openssl rsa -pubout -in privkey.pem -out pubkey.der -outform der In my C++ program, I coded the following: FILE *fp = fopen(pubkey.der, rb); X509 *x = d2i_X509_fp(fp, NULL); However, x returns NULL after this point. How do I get a valid X509 structure from a DER encoded cert? Thanks in advance, for any help. -- View this message in context: http://old.nabble.com/Help-with-reading-DER-encoded-RSA-cert-file-tp30186539p30186539.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Is it really possible to generate gost-mac using ccgost engine?
This command works with ccgost engine: openssl dgst -mac gost-mac -binary -macopt hexkey:3132333435363738393031323334353637383930313233343536373839303132 -out mac.bin data.bin 10.11.2010 2:07, Andrey Kulikov пишет: Hello, I've got a problem with calculating gost-mac using Openssl 1.0.0a May be problem with cmd options, but I was unable to find out how to get it work Trying to generate gost-mac. Example from documentation (engines/ccgost/README.gost) Calculation of GOST 28147 MAC openssl dgst -mac gost-mac -macopt key:32 bytes of key datafile Note absense of an option that specifies digest algorithm. gost-mac algorithm supports only one digest (which is actually part of implementation of this mac) and OpenSSL is clever enough to find out this. # ./apps/openssl dgst -mac gost-mac -macopt key:FF openssl.doxy Algorithm gost-mac not found Well, do it like this: # ./apps/openssl dgst -gost-mac -macopt key:ff openssl.doxy Read Error in openssl.doxy 3076327052:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: The reason is that key for this mac is not set. The only place where it can be set is control function gost_imit_ctrl engines/ccgost/gost_crypt.c:595 But this function int gost_imit_ctrl(EVP_MD_CTX, int, int, void *) never called. So length of key option is not a root cause. As I understand, control functions for dgst called only if parameter -mac is specified. See apps/dgst.c:228 else if (!strcmp(*argv,-mac)) and apps/dgst.c:362 if (mac_name) But since there is no such parameter it not supposed to work. But if we do specify it - openssl can't find an algorithms (see first command line example). So the question is: is it a bug or it is possible to specify some valid parameter for -mac option in this case? Or may be there is other way to get it work? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -- Валерий Блажнов Ведущий научный сотрудник ООО ЛИССИ тел. +7(495) 513-33-18 доб.108 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Help with reading DER encoded RSA cert file
Here's a hint: You are creating a DER encoded RSA public Key - you are trying to read a DER encoded X.509 certificate. These are not the same thing. Have fun. Patrick. On 2010-11-10, at 9:06 PM, furrbie wrote: Hi, I am trying to read in a DER encoded RSA public key using d2i_X509_fp(); I have generated an RSA key using openssl with the following commands: 1. openssl genrsa -out privkey.pem 2048 2. openssl rsa -pubout -in privkey.pem -out pubkey.der -outform der In my C++ program, I coded the following: FILE *fp = fopen(pubkey.der, rb); X509 *x = d2i_X509_fp(fp, NULL); However, x returns NULL after this point. How do I get a valid X509 structure from a DER encoded cert? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
creating an openssl (as such) browser plugin
Hi, Several people are creating browser plugins that rely on openssl. Would it be a good idea to create a browser plugin that implements just the openssl library? Now, in php i can call openssl_sign() serverside. Then, client-side, things would be equally fantastic: my javascript could execute openssl.verify(), referring to an application/x-openssl object which would prompt the end user to see 'you need the OpenSSL plugin, published by OpenSSL.org, to view this webpage'. i could attempt the initial development of this plugin (with firebreath it's easy to create browser plugins, and it would only be a one-to-one 'binding' of the existing v1.0 library interface, really). i can however not (at this point) commit to long-term ownership of it. also, it would be publicly seen as something related to openssl as a trustworthy brand. alternatively, everybody who wants to do e2ee can publish an almost identical browser plugin, under their own brand. Or, more likely, people wanting to do e2ee will give up when they find out it would involve writing a browser plugin (i saw this happen recently to a project that would have been extremely promising, would they not have dropped e2ee). has this possibility been considered? (i searched the logs of this list but couldn't find any references) many thanks, Michiel de Jong twitter.com/unhosted
Re: Is it really possible to generate gost-mac using ccgost engine?
On 12 November 2010 19:26, Valery Blazhnov vblazh...@lissi.ru wrote: This command works with ccgost engine: openssl dgst -mac gost-mac -binary -macopt hexkey:3132333435363738393031323334353637383930313233343536373839303132 -out mac.bin data.bin What openssl version do you use? I use 1.0.0a, and this command output is just Algorithm gost-mac not found. But this command works: openssl dgst -engine gost -mac gost-mac -macopt key: openssl.doxy __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
On 12 November 2010 15:20, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Nov 12, 2010, Andrey Kulikov wrote: Hello, I'm trying to make s_server and s_client work with GOST encryption using ccgost engine and certificates with GOST algos. But it unable to work, complaining to bad mac computing. (If I use RSA-based certificates, everything works just fine.) Please try a recent 1.0.0 snapshot and see if you still have this problem. Steve. I check with ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz Visible behaviour is the same. Commands output is the same. Test procedure the same as described in original message: Modify openssl.cnf export OPENSSL_CONF=path to /openssl.cnf ./apps/openssl genpkey -engine gost -algorithm gost2001 -pkeyopt paramset:A -out botkey.p8 ./apps/openssl req -config ./apps/openssl.cnf -x509 -days 1095 -subj '/C=RU/CN=csp_srv/o=lapu...@mail.ru' -engine gost -new -key botkey.p8 -out botcert.pem ./apps/openssl s_server -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8 ./apps/openssl s_client -engine gost -ssl3 -connect localhost:4333 s_client output (truncated): == ~/comt_area/openssl-1.0.1-stable-SNAP-20101112# ./apps/openssl s_client -engine gost -ssl3 -connect localhost:4333 engine gost set. CONNECTED(0003) depth=0 C = RU, CN = csp_srv, O = lapu...@mail.ru verify error:num=18:self signed certificate verify return:1 depth=0 C = RU, CN = csp_srv, O = lapu...@mail.ru verify return:1 3076486796:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: 3076486796:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: 3076486796:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1212:SSL alert number 20 3076486796:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591: --- Certificate chain 0 s:/C=RU/CN=csp_srv/o=lapu...@mail.ru i:/C=RU/CN=csp_srv/o=lapu...@mail.ru --- == s_server output (truncated) == :~/comt_area/openssl-1.0.1-stable-SNAP-20101112# ./apps/openssl s_server -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8 engine gost set. Using default temp DH parameters Using default temp ECDH parameters ACCEPT SSL_accept:before/accept initialization SSL_accept:SSLv3 read client hello A SSL_accept:SSLv3 write server hello A SSL_accept:SSLv3 write certificate A SSL_accept:SSLv3 write server done A SSL_accept:SSLv3 flush data SSL_accept:SSLv3 read client key exchange A SSL3 alert write:fatal:bad record mac SSL_accept:error in SSLv3 read certificate verify A SSL_accept:error in SSLv3 read certificate verify A 3076945548:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: 3076945548:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:8808C074:lib(136):GOST_IMIT_FINAL:mac key not set:gost_crypt.c:564: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527: 3076945548:error:8808C074:lib(136):GOST_IMIT_FINAL:mac key not set:gost_crypt.c:564: 3076945548:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:479: __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
Sorry, previous email is about 1.0.1 latest snapshot. I just checked with 1.0.1 ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz Results exactly the same. If you'll need any details - please let me know. Andrey On 13 November 2010 00:43, Andrey Kulikov amde...@gmail.com wrote: On 12 November 2010 15:20, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Nov 12, 2010, Andrey Kulikov wrote: Hello, I'm trying to make s_server and s_client work with GOST encryption using ccgost engine and certificates with GOST algos. But it unable to work, complaining to bad mac computing. (If I use RSA-based certificates, everything works just fine.) Please try a recent 1.0.0 snapshot and see if you still have this problem. Steve. I check with ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz Visible behaviour is the same. Commands output is the same. Test procedure the same as described in original message: __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
On Sat, Nov 13, 2010, Andrey Kulikov wrote: Sorry, previous email is about 1.0.1 latest snapshot. I just checked with 1.0.1 ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz Results exactly the same. If you'll need any details - please let me know. Did you install the GOST ENGINE from that version? The 1.0.0 version has a known issue with macs. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
On Sat, Nov 13, 2010, Andrey Kulikov wrote: Sorry, previous email is about 1.0.1 latest snapshot. I just checked with 1.0.1 ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz Results exactly the same. If you'll need any details - please let me know. I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1 which is the default for OpenSSL 1.0.1. If you include -no_tls1_1 in the command line it should work or if you try a recent 1.0.0 snapshot (OpenSSL 1.0.0 doesn't support TLS v1.1). I'll look into the TLS v1.1 issue. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???
Hello, On 13 November 2010 03:33, Dr. Stephen Henson st...@openssl.org wrote: I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1 which is the default for OpenSSL 1.0.1. If you include -no_tls1_1 in the command line it should work or if you try a recent 1.0.0 snapshot (OpenSSL 1.0.0 doesn't support TLS v1.1). I'll look into the TLS v1.1 issue. Steve. Sorry to confuse you - I've mixed up versions and snapshot filenames. I just re-check these snapshots of 1.0.0 ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz and 1.0.1 ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz I disable TSL in there: ./config no-tls I add -ssl3 parameter to s_server and s_client commands. ./apps/openssl s_server -ssl3 -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8 ./apps/openssl s_client -ssl3 -engine gost -connect localhost:4333 And both of these versions are not working in the same way. s_server = SSL3 alert write:fatal:bad record mac SSL_accept:error in SSLv3 read certificate verify A 3076736652:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: = s_client = verify return:1 3076413068:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668: = So, the problem not in TLS1.1 BTW: 1.0.1 s_server doesn't accept -no_tls1_1 option, while have it in help option list. s_client does accept this option. WBR, Andrey __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org