Re: SSL_new function definition
Yes, thank you very much.

-Riaz

On Apr 6, 2005 8:43 PM, yf-263 [EMAIL PROTECTED] wrote:

2005-04-06 18:02 +0530 Riaz Rahaman

Hi, Can anyone please point to me where I can find the definition for SSL_new function. I did a find and grep into all the files in the

openssl-0.9.7f/ssl/ssl_lib.c line 225
SSL *SSL_new(SSL_CTX *ctx)
is what you want ? (I got it via source navigator ;-) )

OpenSSL, didn't come across a definition anywhere.

--
Thank you,
Best Regards
Riaz Ur Rahaman

--
yf-263 [EMAIL PROTECTED]
Unix-driver.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

--
Thank you,
Best Regards
Riaz Ur Rahaman

Re: [Openvpn-users] Re: OpenSSL / OpenVPN / Padlock anomaly with small blocks of data.
Michal Ludvig wrote:

James Yonan wrote:

I have personally seen this behavior as well with the Padlock, though it was last year (June or July) and I don't have model/stepping info. In my case it was fixed by inserting sleep(0) calls immediately after OpenSSL EVP crypto calls. So it appeared to be timing-related.

openvpn --test-crypto --secret key --cipher AES-128-CBC --verb 0 --engine padlock --tun-mtu 1

Still no problems. What OpenSSL version do you use? There *could* be a problem with forcing key reload from memory.

Rolf - try adding call to padlock_reload_key() to the end of padlock_verify_context() in OpenSSL crypto/engine/hw_padlock.c file and tell us if it helped.

What I did yesterday - triggered by a suggestion from centtech - was this: I inserted a padlock_reload key at the end of both padlock_aes_cipher_omnivorous and padlock_aes_cipher. This solves the problem.

Some CPU stepping details:

[EMAIL PROTECTED] ~]# cat /proc/cpuinfo
processor : 0
vendor_id : CentaurHauls
cpu family : 6
model : 9
model name : VIA Nehemiah
stepping : 8
cpu MHz : 1002.482
cache size : 64 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 1
wp : yes
flags : fpu vme de pse tsc msr cx8 mtrr pge cmov pat mmx fxsr sse rng rng_en ace ace_en
bogomips : 1982.46

Re: RAND_seed()
Layla wrote:

In addition to RAND_screen(), you can use: RAND_event(...,...,...); but you must know that use of both functions is highly discouraged, in other words they should be your last resort.

As you can see from the construction I used, RAND_screen() was only called, if RAND_status() returned 0. And as I also stated, this I have never seen RAND_status() return 0 on Win XP. OpenSSL is doing a good job already seeding the PRNG and only if for some reason it is not seeded already, the RAND_screen is called. And I would say that RAND_screen is fairly much more random than time().

If you like, you could add an additional line to check if the PRNG was seeded after the RAND_screen and if not, seed it with time() or simply abort, which would probably be better than believe in something to be random, but really relies on time(). I wouldn't do much cryptography based on PRNG seeded with time().

PS On windows I use the prebuild package from http://www.slproweb.com/products/Win32OpenSSL.html
And I also use OpenSSL on Linux, but without this RAND_status/RAND_screen stuff ;-)

Best regards
Egon Andersen

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

Re: SSL Library Error
Hi (sorry for my English),

I got a similar problem. openssl-0.9.7d has problems with some kind of ciphers; for example, my client offers as first cipher AES256-SHA (Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1) and when transmission starts I get:

2005.03.07 12:54:08 LOG6[3764:1572]: SSL connected: new session negotiated
2005.03.07 12:54:08 LOG6[3764:1572]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2005.03.07 12:54:30 LOG7[3764:1572]: SSL alert (write): fatal: bad record mac
2005.03.07 12:54:30 LOG3[3764:1572]: SSL_read: 1408F455: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2005.03.07 12:54:30 LOG5[3764:1572]: Connection reset: 17 bytes sent to SSL, 189 bytes sent to socket
2005.03.07 12:54:30 LOG7[3764:1572]: telnet finished (0 left)

Try to use for example RC4-MD5. I also tried to ask if someone knows the changes to make on *.c and *.h from openssl-0.9.7d and the last version openssl-0.9.7f, but no one answered. So, if you know some good news, please write to me.

Regards
Maddalena Pulcini

Kai-Uwe Schmidt [EMAIL PROTECTED]@openssl.org on 06/04/2005 21.50.01

Please respond to openssl-users@openssl.org
Sent by: [EMAIL PROTECTED]
To: openssl-users@openssl.org
cc:
Subject: SSL Library Error

Hi List, can anyone point me to a solution for this ?

[Sat Apr 09 16:14:30 2005] [info] SSL library error 1 in handshake (server muc03306:443, client 149.235.163.228)
[Sat Apr 09 16:14:30 2005] [info] SSL Library Error: 336131157 error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Sat Apr 09 16:14:30 2005] [info] Connection to child 84 closed with abortive shutdown(server muc03306:443, client 149.235.163.228)

i am using apache2-2.0.49-27.8 with openssl-0.9.7d-15.10 on a linux box. This only happens under heavy load. Has anyone a clue about this ?

regards
Kai-Uwe

Re: [Openvpn-users] Re: OpenSSL / OpenVPN / Padlock anomaly with small blocks of data.
Michal Ludvig wrote:

Rolf - try adding call to padlock_reload_key() to the end of padlock_verify_context() in OpenSSL crypto/engine/hw_padlock.c file and tell us if it helped.

Seems to do the trick as well. Which is strange, isn't it? It only adds another pushfl; popfl... but padlock_verify_context already does its own pushfl; ...popfl..

Rolf

# For the curious:
# 0.9.5a soversion = 0
# 0.9.6 soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
%define soversion 4

# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x x86_64

# Arches for which we don't build subpackages.
%define optimize_arches i686

%define libicaversion 1.3.5-3

Summary: The OpenSSL toolkit.
Name: openssl
Version: 0.9.7a
Release: 40.fks3
Source: openssl-%{version}-usa.tar.bz2
Source1: hobble-openssl
Source2: Makefile.certificate
Source3: ca-bundle.crt
Source4: https://rhn.redhat.com/help/RHNS-CA-CERT
Source5: https://rhn.redhat.com/help/RHNS-CA-CERT.asc
Source6: make-dummy-cert
Source7: libica-%{libicaversion}.tar.gz
Source8: openssl-thread-test.c
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Patch0: openssl-0.9.7a-redhat.patch
Patch1: openssl-0.9.7-beta5-defaults.patch
Patch2: openssl-0.9.7-beta6-ia64.patch
Patch3: openssl-0.9.7a-soversion.patch
Patch4: openssl-0.9.6-x509.patch
Patch5: openssl-0.9.7-beta5-version-add-engines.patch
Patch6: openssl-0.9.7c-ICA_engine_apr292004.patch
Patch7: openssl-0.9.7-ppc64.patch
Patch8: openssl-sec3-blinding-0.9.7.patch
Patch9: openssl-0.9.7a-klima-pokorny-rosa.patch
Patch10: libica-1.2-struct.patch
Patch11: libica-1.2-cleanup.patch
Patch12: openssl-0.9.7a-libica-autoconf.patch
Patch13: openssl-0.9.7a-blinding-threads.patch
Patch14: openssl-0.9.7a-specific-engine.patch
Patch15: openssl-0.9.7a-blinding-rng.patch
Patch16: openssl-0.9.7a-ubsec-stomp.patch
Patch17: openssl-0.9.7a-krb5-leak.patch
Patch18: openssl-0.9.7a-krb5-1.3.patch
Patch19: niscc-097.txt
Patch20: openssl-0.9.6c-ccert.patch
Patch21: openssl-0.9.7a-utf8fix.patch
Patch40: libica-1.3.4-urandom.patch
Patch42: openssl-0.9.7a-krb5.patch
Patch43: openssl-0.9.7a-krb5-security.patch
Patch44: openssl-0.9.7a-dccs.patch
Patch50: openssl-0.9.7d-padlock-glue-fks.diff
Patch51: openssl-0.9.7d-padlock-engine.diff
Patch52: openssl-0.9.7a-fks.diff
Patch53: openssl-0.9.7-padlock-fix-fks3.diff
License: BSDish
Group: System Environment/Libraries
URL: http://www.openssl.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildPreReq: mktemp, krb5-devel, perl, sed, zlib-devel
Requires: mktemp

%define solibbase %(echo %version | sed 's/[[:alpha:]]//g')

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL.
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}, krb5-devel, zlib-devel

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains static libraries and include files needed to develop
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: Perl scripts provided with OpenSSL.
Group: Applications/Internet
Requires: perl
Requires: %{name} = %{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%setup -q -a 7

%{SOURCE1} > /dev/null
%patch0 -p1 -b .redhat
%patch1 -p1 -b .defaults
%patch2 -p1 -b .ia64
%patch3 -p1 -b .soversion
%patch4 -p1 -b .x509
%patch5 -p1 -b .version-add-engines
%patch6 -p1 -b .ibmca
%patch7 -p1 -b .ppc64
%patch8 -p0 -b .sec3-blinding
pushd ssl
%patch9 -p0 -b .klima-pokorny-rosa
popd

%ifarch s390 s390x
pushd libica-%{libicaversion}
%patch11 -p1 -b .cleanup
if [[ $RPM_BUILD_ROOT ]] ; then
        export INSROOT=$RPM_BUILD_ROOT
fi
aclocal
touch Makefile.macros
automake --gnu -acf
autoconf
libtoolize --copy --force
popd
%endif

%patch12 -p1 -b .libica-autoconf
%patch13 -p1 -b .blinding-threads
%patch14 -p1 -b .specific-engine
%patch15 -p1 -b .blinding-rng
%patch16 -p1 -b .ubsec-stomp
%patch17 -p1 -b .krb5-leak
%patch18 -p1 -b .krb5-1.3
%patch19 -p1 -b .niscc
%patch20 -p1 -b .ccert
%patch21 -p1 -b .utf8fix

# Patch for libica to use /dev/urandom instead of internal pseudo random number
# generator.
%patch40 -p1 -b .urandom

# Fix link line for libssl (bug #54).
%patch42 -p1 -b .krb5

# Security fixes
%patch43 -p1 -b .krb5-security
%patch44 -p1 -b .dccs

%patch50 -p0 -b .padlockglue
%patch51 -p0

RE: RAND_seed()
I don't know if /dev/random is available on all linux machines. But I think it is. But as for Windows, which does not have /dev/random, I believe OpenSSL seeds the PRNG on Windows automatically using a variety of clever ideas and sources of entropy. It is probably better than what you could come up with on your own (I would guess). For details, either dig into the OpenSSL src, or maybe one of the OpenSSL gurus can elaborate more on what is done on Win32.

BTW, I experimented with EGADS at one point...it's a total memory hog. And since I only need it once (when my app starts up) to seed the OpenSSL PRNG, I'd have to install the EGADS service, start it, seed the PRNG, then stop it (because it was hogging too much memory if I left it running). Too much work and not very elegant if you ask me. Then I found out that I didn't have to do anything on Win32 because OpenSSL did it for me.

I hope I'm correct in my statements. I'm also a relative newbie to OpenSSL.

Ed

-Original Message-
From: [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: 4/7/2005 12:08 AM
Subject: Re: RAND_seed()

Layla wrote:

In addition to RAND_screen(), you can use: RAND_event(...,...,...); but you must know that use of both functions is highly discouraged, in other words they should be your last resort.

As you can see from the construction I used, RAND_screen() was only called, if RAND_status() returned 0. And as I also stated, this I have never seen RAND_status() return 0 on Win XP. OpenSSL is doing a good job already seeding the PRNG and only if for some reason it is not seeded already, the RAND_screen is called. And I would say that RAND_screen is fairly much more random than time().

If you like, you could add an additional line to check if the PRNG was seeded after the RAND_screen and if not, seed it with time() or simply abort, which would probably be better than believe in something to be random, but really relies on time(). I wouldn't do much cryptography based on PRNG seeded with time().

PS On windows I use the prebuild package from http://www.slproweb.com/products/Win32OpenSSL.html
And I also use OpenSSL on Linux, but without this RAND_status/RAND_screen stuff ;-)

Best regards
Egon Andersen

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

RE: openssl smime ability to create a multi-attachment message?
Hey Steve,

When I create a mime message with mutt then pass it to openssl, the mime message created in mutt contains date, to, from, and subject...but isn't s/mime supposed to contain that? If I create a mime message with all the header information then sign that mime message with S/MIME with all the header information will this cause a problem on some systems? Or should it be ok?! Maybe there is an easier way to generate S/MIME messages with attachments?!

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 30, 2005 5:26 AM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

On Tue, Mar 29, 2005, Chevalier, Victor T. wrote:

I am using mpack to create the mime message, it looks like openssl is putting S/MIME around the entire MIME message as if it were text...used this command:

openssl smime -sign -inkey private/mykey.pem -signer mycert.pem -in mimemessage -out new.mail

maybe the syntax is wrong? Or is it supposed to be like:

MIME-Version: 1.0
Content-Type: ...

This is an S/MIME signed message

---4DF5902840938
MIME MESSAGE HERE
---4DF5902840938
Content-Type: application/x-pkcs7-signature...

The first part of a multipart/signed message is the data to be signed, the second the signature itself. So that's perfectly normal: if it appended text/plain content type in the first part that would be wrong.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

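The layout Steve describes in the message above (first part is the data that was signed, second part is the signature) can be checked mechanically. This is an added example, not code from the thread or from OpenSSL: the sample message, its boundary names and the `inspect_signed` helper are constructed for illustration, and the signature body is a placeholder that is not cryptographically verified.

```python
from email import message_from_string

SIG_TYPES = {"application/x-pkcs7-signature", "application/pkcs7-signature"}

# Constructed sample (not taken from the thread). The signed first part is a
# multipart/mixed entity with a text body and one attachment; the signature
# body is a placeholder, not a real PKCS#7 structure.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
 micalg=sha1; boundary="----OUTER"

This is an S/MIME signed message

------OUTER
Content-Type: multipart/mixed; boundary="INNER"

--INNER
Content-Type: text/plain

Report attached.
--INNER
Content-Type: application/octet-stream
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.bin"

AAECAwQF
--INNER--

------OUTER
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVI=
------OUTER--
"""


def inspect_signed(raw):
    """Check the two-part multipart/signed layout and describe each part."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("top level is not multipart/signed")
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        raise ValueError("multipart/signed must contain exactly two parts")
    content, signature = parts
    sig_type = signature.get_content_type()
    if sig_type not in SIG_TYPES:
        raise ValueError("second part is not a PKCS#7 signature: " + sig_type)
    if (msg.get_param("protocol") or "").lower() != sig_type:
        raise ValueError("protocol parameter does not match the signature part")
    return {
        "signed_type": content.get_content_type(),
        "attachments": [p.get_filename() for p in content.walk() if p.get_filename()],
        "signature_type": sig_type,
        "micalg": msg.get_param("micalg"),
    }
```

Run against the output of `openssl smime -sign`, the `signed_type` field shows whether the attachments survived as a MIME entity inside the first part or were wrapped as plain text.
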
RE: RAND_seed()
In my case, I'm trying to support various versions of Linux, AIX, Solaris, HP-UX, Windows, and something running on OS/360 when the details finally filter back to me. I had assumed up until a few days ago that all of the UNIX folks had one of the /dev/random variants or that OpenSSL would fully seed itself like my previous toolkit. Oh how wrong I was.

Fortunately, I've found enough inside rand_lib.c and rand_wind.c that I think what I've ended up with is good enough.

Christopher Bibbs

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Edward Chan
Sent: Thursday, April 07, 2005 11:36 AM
To: 'Egon Andersen '; 'openssl-users@openssl.org '
Subject: RE: RAND_seed()

I don't know if /dev/random is available on all linux machines. But I think it is. But as for Windows, which does not have /dev/random, I believe OpenSSL seeds the PRNG on Windows automatically using a variety of clever ideas and sources of entropy. It is probably better than what you could come up with on your own (I would guess). For details, either dig into the OpenSSL src, or maybe one of the OpenSSL gurus can elaborate more on what is done on Win32.

BTW, I experimented with EGADS at one point...it's a total memory hog. And since I only need it once (when my app starts up) to seed the OpenSSL PRNG, I'd have to install the EGADS service, start it, seed the PRNG, then stop it (because it was hogging too much memory if I left it running). Too much work and not very elegant if you ask me. Then I found out that I didn't have to do anything on Win32 because OpenSSL did it for me.

I hope I'm correct in my statements. I'm also a relative newbie to OpenSSL.

Ed

Use of Engines
Is it required to call ENGINE_init()? Or is this sufficient

ENGINE* e = ENGINE_by_id(id);
ENGINE_set_default(e, ENGINE_METHOD_ALL);

I have looked in various code, and I mostly see the latter. But in the stunnel code, I see them doing

ENGINE* e = ENGINE_by_id(id);
ENGINE_init(e);
ENGINE_set_default(e, ENGINE_METHOD_ALL);

Also, I tried using a card from nCipher. But when I specify ENGINE_METHOD_ALL, it seems to be failing in the call to ENGINE_set_default_RSA(). When I dig deeper, it looks like it is trying to load ubsec.dll which is missing. I've installed all the drivers that came with the card. Does that mean OpenSSL does not support that card? Or does it mean the card doesn't support RSA operations? What am I doing wrong?

Thanks,
Ed

Re: Use of Engines
Hi Edward,

I am guessing that you need to call ENGINE_ctrl() to set the right parameters. These are control commands and each engine has a set of these; to see what control commands are available for the ubsec engine:

$ openssl engine ubsec -

Or you could just look into the ubsec engine codes for the definitions.

-Tan Eng Ten

Edward Chan wrote:

Is it required to call ENGINE_init()? Or is this sufficient

ENGINE* e = ENGINE_by_id(id);
ENGINE_set_default(e, ENGINE_METHOD_ALL);

I have looked in various code, and I mostly see the latter. But in the stunnel code, I see them doing

ENGINE* e = ENGINE_by_id(id);
ENGINE_init(e);
ENGINE_set_default(e, ENGINE_METHOD_ALL);

Also, I tried using a card from nCipher. But when I specify ENGINE_METHOD_ALL, it seems to be failing in the call to ENGINE_set_default_RSA(). When I dig deeper, it looks like it is trying to load ubsec.dll which is missing. I've installed all the drivers that came with the card. Does that mean OpenSSL does not support that card? Or does it mean the card doesn't support RSA operations? What am I doing wrong?

Thanks,
Ed