Re: adding new encryption algorithm to OpenSSL

2011-01-19 Thread Andrey Kulikov
This explanation may help you to add new algorithms to OpenSSL:

http://www.mail-archive.com/openssl-users@openssl.org/msg59630.html

On 18 January 2011 08:59, M. V. bored_to_deat...@yahoo.com wrote:

 hi,

 For a project, I have to add my own encryption algorithm to racoon (part of
 ipsec-tools) in FreeBSD. I realized racoon uses OpenSSL libraries for
 encryption algorithms. So I wanted to know, does anyone have any
 experience in doing such a thing? Does anyone have any suggestions for me?

 1- What's the best and easiest way? Adding my algorithm to racoon, OpenSSL
 or else (as a dynamic library, etc)?
 2- Is there any example, code template or documentation which could help me
 doing this?

 thank you.




[openssl.org #2435] build fails when run inside tee

2011-01-19 Thread Tony Finch via RT
I am using FreeBSD 8.1-RELEASE amd64 and I am building OpenSSL 1.0.0c

When I run `make | tee t` I get output that ends with:

/usr/X11R6/bin/perl5 asm/sha1-x86_64.pl elf  sha1-x86_64.s
gcc -I.. -I../.. -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o sha1-x86_64.o sha1-x86_64.s
/usr/X11R6/bin/perl5 asm/sha512-x86_64.pl elf sha256-x86_64.s
.text

.globl  sha256_block_data_order
.type   sha256_block_data_order,@function
.align  16
sha256_block_data_order:
pushq   %rbx
... asm ...
.long   0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
gcc -I.. -I../.. -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC 
-DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM 
-DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM -c -o sha256-x86_64.o sha256-x86_64.s
gcc: sha256-x86_64.s: No such file or directory
gcc: No input files specified
*** Error code 1

This appears to be due to a bug in crypto/perlasm/x86_64-xlate.pl
which stats its stdout and its output file to see if it needs to
redirect its output. Or it could be due to a bug in the Makefile which
invokes the script inconsistently.

When it is running inside tee it gets 0,0 for the device and inode of
stdout, and undef,undef for the device and inode of the nonexistent output
file. These compare numerically equal so it thinks they are the same, and
spits its output to stdout instead of redirecting it to the output file.

One possibility is to fix the perl script like this:


--- crypto/perlasm/x86_64-xlate.pl~ 2010-10-10 22:14:17.0 +0100
+++ crypto/perlasm/x86_64-xlate.pl  2011-01-18 16:49:06.0 +
@@ -66,7 +66,7 @@
   my ($outdev,$outino,@junk)=stat($output);

 open STDOUT,$output || die can't open $output: $!
-   if ($stddev!=$outdev || $stdino!=$outino);
+   if (!defined($outdev) || $stddev!=$outdev || $stdino!=$outino);
 }

 my $gas=1; $gas=0 if ($output =~ /\.asm$/);
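
Review bot: in the `open STDOUT,$output || die ...` context line that this condition belongs to, `||` binds to the `$output` operand rather than to the result of `open`, so a failed open is never reported; since the statement is being touched anyway, change it to `or die`. The added `!defined($outdev)` test is sufficient on its own for the missing-file case, because a failed `stat` leaves `$outino` undefined as well.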


Alternatively it could be due to a bug in the Makefile which invokes the
perl asm scripts inconsistently.


--- crypto/sha/Makefile~2008-11-12 08:19:03.0 +
+++ crypto/sha/Makefile 2011-01-18 17:06:15.0 +
@@ -61,8 +61,8 @@

 # Solaris make has to be explicitly told
 sha1-x86_64.s: asm/sha1-x86_64.pl; $(PERL) asm/sha1-x86_64.pl 
$(PERLASM_SCHEME)  $@
-sha256-x86_64.s:asm/sha512-x86_64.pl;  $(PERL) asm/sha512-x86_64.pl 
$(PERLASM_SCHEME) $@
-sha512-x86_64.s:asm/sha512-x86_64.pl;  $(PERL) asm/sha512-x86_64.pl 
$(PERLASM_SCHEME) $@
+sha256-x86_64.s:asm/sha512-x86_64.pl;  $(PERL) asm/sha512-x86_64.pl 
$(PERLASM_SCHEME)  $@
+sha512-x86_64.s:asm/sha512-x86_64.pl;  $(PERL) asm/sha512-x86_64.pl 
$(PERLASM_SCHEME)  $@
 sha1-sparcv9.s:asm/sha1-sparcv9.pl;$(PERL) asm/sha1-sparcv9.pl $@ 
$(CFLAGS)
 sha256-sparcv9.s:asm/sha512-sparcv9.pl;$(PERL) asm/sha512-sparcv9.pl 
$@ $(CFLAGS)
 sha512-sparcv9.s:asm/sha512-sparcv9.pl;$(PERL) asm/sha512-sparcv9.pl 
$@ $(CFLAGS)
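
Review bot: changing only the sha256-x86_64.s and sha512-x86_64.s rules to match the sha1-x86_64.s rule works around the failure for these two targets, but it leaves the undefined-versus-0 comparison in crypto/perlasm/x86_64-xlate.pl in place for any other rule that still hands the script its output file name. Treat this as a consistency cleanup on top of the x86_64-xlate.pl fix rather than as an alternative to it, and say in the change description which invocation form the x86_64 rules are meant to use.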


Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
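
The comparison pitfall described in report #2435 above, as an added example that is not part of the original messages or of OpenSSL's code: an unguarded device/inode comparison beside a guarded one. The function names and the sample path are assumptions made for the illustration; the 0,0 stdout identity is the value quoted in the report.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Unguarded check, same shape as the condition discussed in the report:
# under numeric != an undefined value counts as 0.
sub same_file_unguarded {
    my ($dev_a, $ino_a, $dev_b, $ino_b) = @_;
    no warnings 'uninitialized';    # keep the demonstration output clean
    return ($dev_a != $dev_b || $ino_a != $ino_b) ? 0 : 1;
}

# Guarded check: a failed stat (any undefined field) is never "the same file".
sub same_file_guarded {
    my ($dev_a, $ino_a, $dev_b, $ino_b) = @_;
    return 0 if grep { !defined $_ } ($dev_a, $ino_a, $dev_b, $ino_b);
    return ($dev_a == $dev_b && $ino_a == $ino_b) ? 1 : 0;
}

# Constructed inputs: stdout identity as reported under tee (0,0), and an
# output file that does not exist yet, so stat() returns an empty list and
# both variables stay undefined.
my ($stddev, $stdino) = (0, 0);
my $missing = "/nonexistent-$$/sha256-x86_64.s";
my ($outdev, $outino) = stat($missing);

printf "missing output, unguarded says same file: %d\n",
    same_file_unguarded($stddev, $stdino, $outdev, $outino);
printf "missing output, guarded says same file:   %d\n",
    same_file_guarded($stddev, $stdino, $outdev, $outino);

# Control case: an existing path compared with itself must still match.
my ($dev, $ino) = stat("/");
printf "existing path vs itself, guarded:         %d\n",
    same_file_guarded($dev, $ino, $dev, $ino);
```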


[openssl.org #2436] pkcs12 enhancement and a correction to the doc of x509

2011-01-19 Thread Peter Sylvester via RT
When converting pkcs12 files with several (CA)-certificates, the
resulting pem files do not have a textual view of the certificates,
something which is often desirable.

The enclosed patch adds support for -text, -nameopt and -certopt
parameters to pkcs12 which behave as with the x509 command.

and a missing -certopt in synopsis for x509 doc

Peter Sylvester

diff -r -p openssl-SNAP-20110119/apps/pkcs12.c openssl-SNAP-20110119mod/apps/pkcs12.c
*** openssl-SNAP-20110119/apps/pkcs12.c	2010-05-15 03:00:07.0 +0200
--- openssl-SNAP-20110119mod/apps/pkcs12.c	2011-01-19 12:15:44.0 +0100
*** static int set_pbe(BIO *err, int *ppbe,
*** 92,97 
--- 92,100 
  
  int MAIN(int, char **);
  
+ unsigned long nmflag = 0, certflag = 0;
+ int text=0;
+ 
  int MAIN(int argc, char **argv)
  {
  ENGINE *e = NULL;
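
Review bot: `nmflag`, `certflag` and `text` are added at file scope without `static`, so they become external symbols with very generic names. Declare them `static`, as the `set_pbe` prototype in the hunk header already is, or pass them to `dump_certs_pkeys_bag` as parameters instead of using globals.
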
*** int MAIN(int argc, char **argv)
*** 130,135 
--- 133,139 
  
  apps_startup();
  
+ nmflag = 0, certflag = 0; text = 0;
  enc = EVP_des_ede3_cbc();
  if (bio_err == NULL ) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
  
*** int MAIN(int argc, char **argv)
*** 261,266 
--- 265,276 
  			args++;	
  			CAfile = *args;
  		} else badarg = 1;
+ 		} else if (!strcmp (*args, -text))
+ 	 text = 1;
+ 		else if (strcmp(*argv,-certopt) == 0) {
+ 		badarg = (--argc  1 || !set_cert_ex(certflag, *(++argv))) ; 
+ 		} else if (strcmp(*argv,-nameopt) == 0) {
+ 		badarg =  (--argc  1 || !set_name_ex(nmflag, *(++argv))) ;
  #ifndef OPENSSL_NO_ENGINE
  		} else if (!strcmp(*args,-engine)) {
  		if (args[1]) {
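
Review bot: the `-certopt` and `-nameopt` branches test `*argv` and step `argc`/`argv`, while the `-text` branch just above them and the `-engine` branch just below walk the argument list through `args`; unless `argv` is advanced in step somewhere else in the loop, these two comparisons never look at the current argument. Compare against `*args` and take the value with the same `if (args[1]) { args++; ... } else badarg = 1;` pattern the `-CAfile` branch uses. The `-text` branch is also the only one in this chain written without braces.
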
*** int MAIN(int argc, char **argv)
*** 333,338 
--- 343,352 
  	BIO_printf(bio_err,the random number generator\n);
  	BIO_printf(bio_err,  -CSP name Microsoft CSP name\n);
  	BIO_printf(bio_err,  -LMK  Add local machine keyset attribute to private key\n);
+ 	BIO_printf(bio_err,  -text print certificates in text form\n);
+ 	BIO_printf(bio_err,  -nameopt arg  various certificate name options\n);
+ 	BIO_printf(bio_err,  -certopt arg  various certificate text options\n);
+ 
  	goto end;
  }
  
*** int dump_certs_pkeys_bag (BIO *out, PKCS
*** 799,805 
  		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
   return 1;
  		if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
! 		dump_cert_text (out, x509);
  		PEM_write_bio_X509 (out, x509);
  		X509_free(x509);
  	break;
--- 813,822 
  		if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate )
   return 1;
  		if (!(x509 = PKCS12_certbag2x509(bag))) return 0;
! 		if (text) 
! 			X509_print_ex(out,x509,nmflag,certflag);
! 		else
! 			dump_cert_text (out, x509);
  		PEM_write_bio_X509 (out, x509);
  		X509_free(x509);
  	break;
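
Review bot: in the new `if (text)` branch the return value of `X509_print_ex` is discarded, unlike the `PKCS12_certbag2x509` call two lines earlier, which returns 0 on failure; check it the same way. `nmflag` and `certflag` are also only consulted on this branch, because `dump_cert_text (out, x509)` takes no flags, so `-nameopt` and `-certopt` do nothing unless `-text` is given as well; the `-nameopt` documentation should say so.
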
diff -r -p openssl-SNAP-20110119/doc/apps/pkcs12.pod openssl-SNAP-20110119mod/doc/apps/pkcs12.pod
*** openssl-SNAP-20110119/doc/apps/pkcs12.pod	2006-12-21 22:00:35.0 +0100
--- openssl-SNAP-20110119mod/doc/apps/pkcs12.pod	2011-01-19 14:30:19.0 +0100
*** Bopenssl Bpkcs12
*** 40,45 
--- 40,48 
  [B-CAfile file]
  [B-CApath dir]
  [B-CSP name]
+ [B-text]
+ [B-certopt option]
+ [B-nameopt option]
  
  =head1 DESCRIPTION
  
*** write Bname as a Microsoft CSP name.
*** 282,287 
--- 285,317 
  
  =back
  
+ =head2 DISPLAY OPTIONS
+ 
+ Note: Details of these options are defined 
+ 
+ =over 4
+ 
+ =item B-text
+ 
+ prints out any certificate in text form as with Lx509(1).
+ 
+ =item B-certopt option
+ 
+ customise the output format used with B-text. The Boption argument can be
+ a single option or multiple options separated by commas. The B-certopt switch
+ may be also be used more than once to set multiple options. See the (see 
+ Lx509(1) for details for the options.
+ 
+ =item B-nameopt option
+ 
+ option which determines how the subject or issuer names are displayed. The
+ Boption argument can be a single option or multiple options separated by
+ commas.  Alternatively the B-nameopt switch may be used more than once to
+ set multiple options. See the BNAME OPTIONS section of Lx509(1) for more
+ information.
+ 
+ =back
+ 
  =head1 NOTES
  
  Although there are a large number of options most of them are very rarely
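
Review bot: the new DISPLAY OPTIONS text needs a proofreading pass before it goes in. The sentence "Note: Details of these options are defined" is unfinished, and the -certopt item contains "may be also be used" and "See the (see Lx509(1) for details for the options."; complete the note or drop it, and reduce the last sentence to a single reference to x509(1).
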
*** file from the keys and certificates usin
*** 359,363 
  
  =head1 SEE ALSO
  
! Lpkcs8(1)|pkcs8(1)
  
--- 389,393 
  
  =head1 SEE ALSO
  
! Lpkcs8(1)|pkcs8(1)|x509(1)
  
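
Review bot: in the changed SEE ALSO line, x509(1) is appended to the existing pkcs8 link with `|` instead of being given a link of its own, so it will not render as a separate reference. Add it as a second `L` entry after a comma, in the same form as the pkcs8(1) one.
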
diff -r -p openssl-SNAP-20110119/doc/apps/x509.pod openssl-SNAP-20110119mod/doc/apps/x509.pod
*** openssl-SNAP-20110119/doc/apps/x509.pod	2010-01-12 19:00:15.0 +0100
--- openssl-SNAP-20110119mod/doc/apps/x509.pod	2011-01-19 14:30:43.0 +0100
*** Bopenssl Bx509
*** 48,53 
--- 48,54 
  [B-CAcreateserial]
  [B-CAserial filename]
  [B-text]
+ [B-certopt option]
  [B-C]
  [B-md2|-md5|-sha1|-mdc2]
  [B-clrext]