[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add ability to load server certificate by ENGINE.

2011-03-02 Thread Andrey Kulikov via RT
Hello,

Please find file attached: server_cert_from_engine4.patch
This is a patch to allow loading server SSL certificate by ENGINE.

Currently OpenSSL allows loading a certificate only from a file.
Loading by a specific engine is required for hardware-based engines, which
use their own certificate storage, as well as any Microsoft CAPI-based
CSP.

Although there are no such engines implemented for OpenSSL yet, there soon
will be.

Affected files:

apps/apps.c
apps/s_server.c
crypto/engine/engine.h
crypto/engine/eng_int.h
crypto/engine/eng_pkey.c

Patch created using this command:
diff -rupN openssl-1.0.0d/ openssl-1.0.0d-engine-srv-cert/ > server_cert_from_engine4.patch



To apply the patch, use the following command in the current OpenSSL root dev. directory:

patch -p1 -l -u -b -i server_cert_from_engine4.patch


After applying this patch s_server will accept -certform ENGINE option.

This patch is supplied by Stonesoft Corporation, who gave me permission to
supply it to OpenSSL.

Feel free to contact me with any related questions.

Andrey.



server_cert_from_engine4.patch
Description: Binary data


[openssl.org #2464] [PATCH] Experimental TLS-RSA-PSK support for OpenSSL

2011-03-02 Thread Christian J. Dietrich via RT

Hey all,

I wrote a patch for openssl-1.0.0c to support TLS-RSA-PSK cipher suites
as defined in RFC 4279. Plain PSK support has been implemented in
openssl for quite some time, I believe. This patch now adds one of the
RSA-PSK variants, namely RSA-PSK-AES256-CBC-SHA (95). Adding ciphers
92-94 should be easy, but I am not too familiar with the definition data
structure in s3_lib.c.
I clearly have to state that this patch is EXPERIMENTAL.

PROCEDURE TO APPLY PATCH
========================

download openssl-1.0.0c.tar.gz
tar xzf openssl-1.0.0c.tar.gz
cd openssl-1.0.0c
patch -p1 -i ../openssl-1.0.0c.tls-rsa-psk.patch

TESTING TLS-RSA-PSK
===================
You can test locally whether your openssl with TLS-RSA-PSK works as
follows. Make sure that you actually call the currently generated
openssl binary (in the apps directory). Must have a server.pem and
privkey.pem in the current directory.

# launching the server
openssl s_server \
 -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
 -key privkey.pem \
 -cipher RSA-PSK-AES256-CBC-SHA \
 -debug -state

# launch the client
openssl s_client -connect localhost:4433 \
 -psk c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837 \
 -cipher RSA-PSK-AES256-CBC-SHA \
 -debug -state


AUTHOR
======
This patch is written by Christian J. Dietrich
dietr...@internet-sicherheit.de
I thankfully acknowledge the support and several interesting discussions
with Christian Rossow.

Some more info can be found in my blog
http://blog.cj2s.de/archives/21-TLS-RSA-PSK-Cipher-Suites-for-OpenSSL.html
or on our website http://www.if-is.net

-- 
Christian J. Dietrich
if(is) - Institute for Internet Security
University of Applied Sciences Gelsenkirchen, Germany
https://www.internet-sicherheit.de

diff -ur -x .svn openssl-1.0.0c-orig/include/openssl/ssl.h 
openssl-1.0.0c-tlsrsapsk/include/openssl/ssl.h
--- openssl-1.0.0c-orig/include/openssl/ssl.h   2010-01-06 18:37:38.0 
+0100
+++ openssl-1.0.0c-tlsrsapsk/include/openssl/ssl.h  2011-02-25 
19:57:20.467303448 +0100
@@ -250,7 +250,8 @@
 #define SSL_TXT_kECDHe kECDHe
 #define SSL_TXT_kECDH  kECDH
 #define SSL_TXT_kEECDH kEECDH
-#define SSL_TXT_kPSKkPSK
+#define SSL_TXT_kPSKkPSK
+#define SSL_TXT_kRSAPSK kRSAPSK
 #define SSL_TXT_kGOST  kGOST
 
 #defineSSL_TXT_aRSAaRSA
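Review bot: The SSL_TXT_kPSK line is removed and re-added with no visible difference, so this part of the hunk is whitespace-only churn next to the real change. Leave the existing define untouched and add only the SSL_TXT_kRSAPSK line, which keeps the patch minimal and avoids a spurious conflict when the surrounding lines change upstream.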
@@ -274,7 +275,8 @@
 #define SSL_TXT_AECDH  AECDH
 #define SSL_TXT_ECDSA  ECDSA
 #define SSL_TXT_KRB5   KRB5
-#define SSL_TXT_PSK PSK
+#define SSL_TXT_PSK PSK
+#define SSL_TXT_RSAPSK  RSAPSK
 
 #define SSL_TXT_DESDES
 #define SSL_TXT_3DES   3DES
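Review bot: SSL_TXT_PSK is likewise removed and re-added unchanged; only the SSL_TXT_RSAPSK line belongs in this hunk. Since RSAPSK and kRSAPSK become new user-visible cipher-string keywords, they should also be described wherever the existing PSK keywords are documented.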
diff -ur -x .svn openssl-1.0.0c-orig/include/openssl/tls1.h 
openssl-1.0.0c-tlsrsapsk/include/openssl/tls1.h
--- openssl-1.0.0c-orig/include/openssl/tls1.h  2009-11-11 15:51:29.0 
+0100
+++ openssl-1.0.0c-tlsrsapsk/include/openssl/tls1.h 2011-02-25 
19:57:20.472303472 +0100
@@ -292,6 +292,9 @@
 #define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA   0x038B
 #define TLS1_CK_PSK_WITH_AES_128_CBC_SHA0x038C
 #define TLS1_CK_PSK_WITH_AES_256_CBC_SHA0x038D
+/* RSA-PSK */
+// FIXME: add RSA-PSK ciphers 92-94 here, too
+#define TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA0x0395
 
 /* Additional TLS ciphersuites from expired Internet Draft
  * draft-ietf-tls-56-bit-ciphersuites-01.txt
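Review bot: The FIXME added above TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA is written as a `//` comment, while the rest of this header, including the new `/* RSA-PSK */` line directly above it, uses `/* ... */`. C++-style comments are not valid C89, and a public header should not depend on the including compiler accepting them. Write it as `/* FIXME: add RSA-PSK ciphers 92-94 here, too */`, or add the three missing IDs in this hunk and drop the FIXME.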
@@ -442,6 +445,8 @@
 #define TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
 #define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA  PSK-AES128-CBC-SHA
 #define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA  PSK-AES256-CBC-SHA
+// FIXME: add the 3 other RSA-PSK ciphers here, too
+#define TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA  RSA-PSK-AES256-CBC-SHA
 
 /* Camellia ciphersuites from RFC4132 */
 #define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128-SHA
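Review bot: The second FIXME, above TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA, leaves the other three RSA-PSK suites without a text name, so the name list and the ID list are incomplete in the same way and have to be kept in step by hand later. Add the three names together with their IDs in one change, or state in a comment that only RSA-PSK-AES256-CBC-SHA is supported; the `//` comment here also needs to become `/* ... */`.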
Only in openssl-1.0.0c-tlsrsapsk: Makefile.bak
diff -ur -x .svn openssl-1.0.0c-orig/ssl/s3_clnt.c 
openssl-1.0.0c-tlsrsapsk/ssl/s3_clnt.c
--- openssl-1.0.0c-orig/ssl/s3_clnt.c   2010-12-02 19:24:54.0 +0100
+++ openssl-1.0.0c-tlsrsapsk/ssl/s3_clnt.c  2011-02-25 19:57:20.472303472 
+0100
@@ -303,7 +303,7 @@
}
 #endif
/* Check if it is anon DH/ECDH */
-   /* or PSK */
+   /* or plain PSK */
if (!(s-s3-tmp.new_cipher-algorithm_auth  
SSL_aNULL) 
!(s-s3-tmp.new_cipher-algorithm_mkey  SSL_kPSK))
{
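Review bot: Only the comment changes here, to "or plain PSK", while the condition still tests SSL_kPSK alone, so the reader has to infer that a suite using the new kRSAPSK key exchange is deliberately not excluded by this check. Say so in the comment, for example `/* or plain PSK (RSA-PSK is not excluded here) */`, so that a later edit to the condition does not silently change RSA-PSK handling.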
@@ -1186,10 +1186,10 @@
if (s-s3-tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
{
 #ifndef OPENSSL_NO_PSK
-   /* In plain PSK ciphersuite, ServerKeyExchange can be
+   /* In PSK ciphersuites, ServerKeyExchange can be
   omitted if no identity hint is sent. Set
-  
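
How the -psk value from the test commands above enters the key exchange, as an added example that is not taken from the patch or from OpenSSL: RFC 4279, section 4 builds the RSA-PSK premaster secret from the 48-byte RSA-protected value and the PSK. The function names, the 256-byte PSK cap and the fixed 48-byte filler are assumptions made for the illustration; a real client fills 46 of those bytes with fresh randomness.

```c
#include <stddef.h>
#include <string.h>

#define PMS_RSA_LEN 48   /* 2-byte client version + 46 random bytes */
#define MAX_PSK_LEN 256  /* assumed cap for this sketch */

/* Decode a hex string (the form passed to -psk); returns byte count, 0 on error. */
size_t hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex), i;
    if (n == 0 || n % 2 != 0 || n / 2 > cap) return 0;
    for (i = 0; i < n; i++) {
        char c = hex[i];
        unsigned v;
        if (c >= '0' && c <= '9') v = (unsigned)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (unsigned)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = (unsigned)(c - 'A' + 10);
        else return 0;                      /* reject non-hex input */
        if (i % 2 == 0) out[i / 2] = (unsigned char)(v << 4);
        else out[i / 2] |= (unsigned char)v;
    }
    return n / 2;
}

/* RFC 4279 section 4 layout for RSA-PSK:
 *   uint16(48) || 48-byte RSA-protected value || uint16(psk_len) || psk
 * Returns bytes written, or 0 if the inputs do not fit. */
size_t rsa_psk_premaster(unsigned char *out, size_t cap,
                         const unsigned char *rsa_part,
                         const unsigned char *psk, size_t psk_len)
{
    size_t need = 2 + PMS_RSA_LEN + 2 + psk_len;
    unsigned char *p = out;
    if (psk_len == 0 || psk_len > MAX_PSK_LEN || need > cap) return 0;
    *p++ = 0; *p++ = PMS_RSA_LEN;
    memcpy(p, rsa_part, PMS_RSA_LEN); p += PMS_RSA_LEN;
    *p++ = (unsigned char)(psk_len >> 8);
    *p++ = (unsigned char)(psk_len & 0xff);
    memcpy(p, psk, psk_len);
    return need;
}

/* Demo: the PSK from the post plus a constructed (non-random) 48-byte value. */
size_t demo_premaster(unsigned char *out, size_t cap)
{
    unsigned char psk[MAX_PSK_LEN], rsa_part[PMS_RSA_LEN];
    size_t psk_len = hex_to_bytes("c033f52671c61c8128f7f8a40be88038bcf2b07a6eb3095c36e3759f0cf40837", psk, sizeof psk);
    memset(rsa_part, 0xAA, sizeof rsa_part);      /* constructed filler */
    rsa_part[0] = 0x03; rsa_part[1] = 0x01;       /* constructed version bytes */
    return psk_len ? rsa_psk_premaster(out, cap, rsa_part, psk, psk_len) : 0;
}
```

Both peers must arrive at the same byte string, so a PSK that differs by even one hex digit between the s_server and s_client command lines makes the handshake fail.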

Re: [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS

2011-03-02 Thread Steven M. Schweda
   http://antinode.info/ftp/openssl/1_0_0d/openssl-1_0_0d_s1.zip

   A revised, possibly better, replacement file kit (unzip -V) is now
available:

  http://antinode.info/ftp/openssl/1_0_0d/openssl-1_0_0d_s2.zip

   The builders should now be able to deal with both 32- and 64-bit
pointers in the same source kit directory tree.  That should include
install.com and VMS/mkshared.com.  The object libraries and shared
images should now have HP-like names (with $ - _):

  32-bit                     64-bit
  SSL_LIBCRYPTO32.OLB        SSL_LIBCRYPTO.OLB
  SSL_LIBSSL32.OLB           SSL_LIBSSL.OLB
  SSL_LIBCRYPTO_SHR32.EXE    SSL_LIBCRYPTO_SHR.EXE
  SSL_LIBSSL_SHR32.EXE       SSL_LIBSSL_SHR.EXE

Among other advantages, this allows one installation directory tree (or
SYS$LIBRARY) to accommodate all of them.  (When run twice (for 32- and
64-bit builds) with one destination directory, install.com will copy
the header files twice, but these may be purged, as suggested.)

   Other than comments in the changed files, I haven't updated any
documentation.  (And some of the comments could still use some work.)

   My VAX is currently saturated building perl, so I haven't tried the
latest stuff there.  (But what could go wrong?  (And who'd care if it
did?))  If it finishes the perl job before summer, then I should be able
to check that again.

   For the morbidly curious, my do-everything build procedures (with
zlib support) look like these:

IT $ type [-]btsi_z.com
$ pipe show time ; -
   @ makevms.com ALL  NODEBUG DECC TCPIP  -
   utility_root:[source.zlib.zlib-1_2_5l] ; -
   show time
$ pipe show time ; @ [.test]tests.com ; show time
$ pipe show time ; @ [.vms]mkshared.com -
   utility_root:[source.zlib.zlib-1_2_5l] ; -
   show time
$ pipe show time ; @ install.com 'p1' ; show time

IT $ type [-]btsi_64z.com
$ pipe show time ; -
   @ makevms.com ALL 64 NODEBUG DECC TCPIP  -
   utility_root:[source.zlib.zlib-1_2_5l]libz_64 ; -
   show time
$ pipe show time ; @ [.test]tests.com  64 ; show time
$ pipe show time ; @ [.vms]mkshared.com 64 -
   utility_root:[source.zlib.zlib-1_2_5l]libz_64 ; -
   show time
$ pipe show time ; @ install.com ''p1' 64 ; show time

Note the 64 arguments on all the procedures for the 64-bit build. 
Omit the libz path, if you don't have/want zlib support.

  As one might expect, I'm still awaiting some discussion of the pending
mysteries, so there's still work left to be done.

   Complaints are always welcome.



   Steven M. Schweda   sms@antinode-info
   382 South Warwick Street(+1) 651-699-9818
   Saint Paul  MN  55105-2547
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS

2011-03-02 Thread Steven M. Schweda
 IT $ type [-]btsi_z.com
 $ pipe show time ; -
@ makevms.com ALL  NODEBUG DECC TCPIP  -
utility_root:[source.zlib.zlib-1_2_5l] ; -
show time
 $ pipe show time ; @ [.test]tests.com ; show time
 $ pipe show time ; @ [.vms]mkshared.com -
utility_root:[source.zlib.zlib-1_2_5l] ; -
show time
 $ pipe show time ; @ install.com 'p1' ; show time

   Oops.  Lost a parameter () on mkshared.com:

$ pipe show time ; -
   @ makevms.com ALL  NODEBUG DECC TCPIP  -
   utility_root:[source.zlib.zlib-1_2_5l] ; -
   show time
$ pipe show time ; @ [.test]tests.com ; show time
$ pipe show time ; @ [.vms]mkshared.com  -
   utility_root:[source.zlib.zlib-1_2_5l] ; -
   show time
$ pipe show time ; @ install.com 'p1' ; show time

   I suppose that it could benefit from a 'That's not 64!' message. 
Perhaps in the next round.

   SMS.