[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.
Hello, Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE. Currently OpenSSL allows loading certificate only from a file. Loading by specific engine is required for hardware-based engines, which used their own certificate storages, as well as any Microsoft CAPI-based CSP. Although there is no such engines implemented for OpenSSL yet, sooner it will. Affected files: apps/apps.c apps/s_server.c crypto/engine/engine.h crypto/engine/eng_int.h crypto/engine/eng_pkey.c Patch created using this command: diff -rupN openssl-1.0.0d/ openssl-1.0.0d-engine-srv-cert/ server_cert_from_engine4.patch To apply pach use follwing command in current OpenSSL root dev. directory: patch -p1 -l -u -b -i server_cert_from_engine4.patch After applying this patch s_server will accept -certform ENGINE option. This patch supplied by Stonesoft Corporation, who give me permission to supply it to OpenSSL. Feel free to contact with me with any related questions. Andrey. Hello,Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE.Currently OpenSSL allows loading certificate only from a file.Loading by specific engine is required for hardware-based engines, which used their own certificate storages, as well as any Microsoft CAPI-based CSP. Although there is no such engines implemented for OpenSSL yet, sooner it will.Affected files:apps/apps.capps/s_server.ccrypto/engine/engine.hcrypto/engine/eng_int.hcrypto/engine/eng_pkey.c Patch created using this command:diff -rupN openssl-1.0.0d/ openssl-1.0.0d-engine-srv-cert/ server_cert_from_engine4.patchTo apply pach use follwing command in current OpenSSL root dev. directory: patch -p1 -l -u -b -i server_cert_from_engine4.patchAfter applying this patch s_server will accept -certform ENGINE option.This patch supplied by Stonesoft Corporation, who give me permission to supply it to OpenSSL. Feel free to contact with me with any related questions.Andrey. server_cert_from_engine4.patch Description: Binary data
[openssl.org #2464] [PATCH] Experimental TLS-RSA-PSK support for OpenSSL
Hey all, I wrote a patch for openssl-1.0.0c to support TLS-RSA-PSK cipher suites as defined in RFC 4279. Plain PSK support has been implemented in openssl for quite some time, I believe. This patch now adds one of the RSA-PSK variants, namely RSA-PSK-AES256-CBC-SHA (95). Adding ciphers 92-94 should be easy, but I am not too familiar with the definition data structure in s3_lib.c. I clearly have to state that this patch is EXPERIMENTAL. PROCEDURE TO APPLY PATCH download openssl-1.0.0c.tar.gz tar xzf openssl-1.0.0c.tar.gz cd openssl-1.0.0c patch -p1 -i ../openssl-1.0.0c.tls-rsa-psk.patch TESTING TLS-RSA-PSK === You can test locally whether your openssl with TLS-RSA-PSK works as follows. Make sure that you actually call the currently generated openssl binary (in the apps directory). Must have a server.pem and privkey.pem in the current directory. # launching the server openssl s_server \ -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \ -key privkey.pem \ -cipher RSA-PSK-AES256-CBC-SHA \ -debug -state # launch the client openssl s_client -connect localhost:4433 \ -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \ -cipher RSA-PSK-AES256-CBC-SHA \ -debug -state AUTHOR == This patch is written by Christian J. Dietrich dietr...@internet-sicherheit.de I thankfully acknowledge the support and several interesting discussions with Christian Rossow. Some more info can be found in my blog http://blog.cj2s.de/archives/21-TLS-RSA-PSK-Cipher-Suites-for-OpenSSL.html or on our website http://www.if-is.net -- Christian J. Dietrich if(is) - Institute for Internet Security University of Applied Sciences Gelsenkirchen, Germany https://www.internet-sicherheit.de diff -ur -x .svn openssl-1.0.0c-orig/include/openssl/ssl.h openssl-1.0.0c-tlsrsapsk/include/openssl/ssl.h --- openssl-1.0.0c-orig/include/openssl/ssl.h 2010-01-06 18:37:38.0 +0100 +++ openssl-1.0.0c-tlsrsapsk/include/openssl/ssl.h 2011-02-25 19:57:20.467303448 +0100 @@ -250,7 +250,8 @@ #define SSL_TXT_kECDHe kECDHe #define SSL_TXT_kECDH kECDH #define SSL_TXT_kEECDH kEECDH -#define SSL_TXT_kPSKkPSK +#define SSL_TXT_kPSKkPSK +#define SSL_TXT_kRSAPSK kRSAPSK #define SSL_TXT_kGOST kGOST #defineSSL_TXT_aRSAaRSA @@ -274,7 +275,8 @@ #define SSL_TXT_AECDH AECDH #define SSL_TXT_ECDSA ECDSA #define SSL_TXT_KRB5 KRB5 -#define SSL_TXT_PSK PSK +#define SSL_TXT_PSK PSK +#define SSL_TXT_RSAPSK RSAPSK #define SSL_TXT_DESDES #define SSL_TXT_3DES 3DES diff -ur -x .svn openssl-1.0.0c-orig/include/openssl/tls1.h openssl-1.0.0c-tlsrsapsk/include/openssl/tls1.h --- openssl-1.0.0c-orig/include/openssl/tls1.h 2009-11-11 15:51:29.0 +0100 +++ openssl-1.0.0c-tlsrsapsk/include/openssl/tls1.h 2011-02-25 19:57:20.472303472 +0100 @@ -292,6 +292,9 @@ #define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x038B #define TLS1_CK_PSK_WITH_AES_128_CBC_SHA0x038C #define TLS1_CK_PSK_WITH_AES_256_CBC_SHA0x038D +/* RSA-PSK */ +// FIXME: add RSA-PSK ciphers 92-94 here, too +#define TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA0x0395 /* Additional TLS ciphersuites from expired Internet Draft * draft-ietf-tls-56-bit-ciphersuites-01.txt @@ -442,6 +445,8 @@ #define TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA #define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA #define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA +// FIXME: add the 3 other RSA-PSK ciphers here, too +#define TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA RSA-PSK-AES256-CBC-SHA /* Camellia ciphersuites from RFC4132 */ #define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA Only in openssl-1.0.0c-tlsrsapsk: Makefile.bak diff -ur -x .svn openssl-1.0.0c-orig/ssl/s3_clnt.c openssl-1.0.0c-tlsrsapsk/ssl/s3_clnt.c --- openssl-1.0.0c-orig/ssl/s3_clnt.c 2010-12-02 19:24:54.0 +0100 +++ openssl-1.0.0c-tlsrsapsk/ssl/s3_clnt.c 2011-02-25 19:57:20.472303472 +0100 @@ -303,7 +303,7 @@ } #endif /* Check if it is anon DH/ECDH */ - /* or PSK */ + /* or plain PSK */ if (!(s-s3-tmp.new_cipher-algorithm_auth SSL_aNULL) !(s-s3-tmp.new_cipher-algorithm_mkey SSL_kPSK)) { @@ -1186,10 +1186,10 @@ if (s-s3-tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { #ifndef OPENSSL_NO_PSK - /* In plain PSK ciphersuite, ServerKeyExchange can be + /* In PSK ciphersuites, ServerKeyExchange can be omitted if no identity hint is sent. Set -
Re: [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS
http://antinode.info/ftp/openssl/1_0_0d/openssl-1_0_0d_s1.zip A revised, possibly better, replacement file kit (unzip -V) is now available: http://antinode.info/ftp/openssl/1_0_0d/openssl-1_0_0d_s2.zip The builders should now be able to deal with both 32- and 64-bit pointers in the same source kit directory tree. That should include install.com and VMS/mkshared.com. The object libraries and shared images should now have HP-like names (with $ - _): 32-bit 64-bit SSL_LIBCRYPTO32.OLBSSL_LIBCRYPTO.OLB SSL_LIBSSL32.OLB SSL_LIBSSL.OLB SSL_LIBCRYPTO_SHR32.EXESSL_LIBCRYPTO_SHR.EXE SSL_LIBSSL_SHR32.EXE SSL_LIBSSL_SHR.EXE Among other advantages, this allows one installation directory tree (or SYS$LIBRARY) to accomodate all of them. (When run twice (for 32- and 64-bit builds) with one destination directory, install.com will copy the header files twice, but these may be purged, as suggested.) Other than comments in the changed files, I haven't updated any documentation. (And some of the comments could still use some work.) My VAX is currently saturated building perl, so I haven't tried the latest stuff there. (But what could go wrong? (And who'd care if it did?)) If it finishes the perl job before summer, then I should be able to check that again. For the morbidly curious, my do-everything build procedures (with zlib support) look like these: IT $ type [-]btsi_z.com $ pipe show time ; - @ makevms.com ALL NODEBUG DECC TCPIP - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ [.test]tests.com ; show time $ pipe show time ; @ [.vms]mkshared.com - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ install.com 'p1' ; show time IT $ type [-]btsi_64z.com $ pipe show time ; - @ makevms.com ALL 64 NODEBUG DECC TCPIP - utility_root:[source.zlib.zlib-1_2_5l]libz_64 ; - show time $ pipe show time ; @ [.test]tests.com 64 ; show time $ pipe show time ; @ [.vms]mkshared.com 64 - utility_root:[source.zlib.zlib-1_2_5l]libz_64 ; - show time $ pipe show time ; @ install.com ''p1' 64 ; show time Note the 64 arguments on all the procedures for the 64-bit build. Omit the libz path, if you don't have/want zlib support. As one might expect, I'm still awaiting some discussion of the pending mysteries, so there's still work left to be done. Complaints are always welcome. Steven M. Schweda sms@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS
IT $ type [-]btsi_z.com $ pipe show time ; - @ makevms.com ALL NODEBUG DECC TCPIP - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ [.test]tests.com ; show time $ pipe show time ; @ [.vms]mkshared.com - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ install.com 'p1' ; show time Oops. Lost a parameter () on mkshared.com: $ pipe show time ; - @ makevms.com ALL NODEBUG DECC TCPIP - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ [.test]tests.com ; show time $ pipe show time ; @ [.vms]mkshared.com - utility_root:[source.zlib.zlib-1_2_5l] ; - show time $ pipe show time ; @ install.com 'p1' ; show time I suppose that it could benefit from a 'That's not 64!' message. Perhaps in the next round. SMS. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org