RFC 4279 support

2007-04-10 Thread mahendra

Hi All,

I am looking for RFC 4279 support in OpenSSL. Can you please let me know
what version will have this support? And any idea when it is going to be
released? I am specifically looking for the ciphers
TLS_DHE_PSK_WITH_AES_256_CBC_SHA and
TLS_RSA_PSK_WITH_AES_256_CBC_SHA

Thanks
Mahendra


Re: RFC 4279 support

2007-04-10 Thread jimmy
mahendra wrote:
> Hi All,
>
> I am looking for RFC 4279 support in OpenSSL. Can you please let me
> know what version will have this support? And any idea when it is going
> to be released? I am specifically looking for the ciphers
> TLS_DHE_PSK_WITH_AES_256_CBC_SHA and
> TLS_RSA_PSK_WITH_AES_256_CBC_SHA

The latest snapshots support PSK. Have you checked them?


-jb
-- 
The biggest problem with communication is the illusion that it has occurred.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: RFC 4279 support

2007-04-10 Thread mahendra

Hi Jimmy,

Thanks for the quick reply. I checked the latest snapshot and it says only
a minimal support for RFC 4279.  I am specifically looking for DHE_PSK and
RSA_PSK as mentioned in RFC 4279.

Given here the contents of the RFC for quick reference:

TLS_PSK_WITH_RC4_128_SHA   PSK
TLS_PSK_WITH_3DES_EDE_CBC_SHA  PSK
TLS_PSK_WITH_AES_128_CBC_SHA   PSK
TLS_PSK_WITH_AES_256_CBC_SHA   PSK
TLS_DHE_PSK_WITH_RC4_128_SHA   DHE_PSK
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA  DHE_PSK
TLS_DHE_PSK_WITH_AES_128_CBC_SHA   DHE_PSK
TLS_DHE_PSK_WITH_AES_256_CBC_SHA   DHE_PSK
TLS_RSA_PSK_WITH_RC4_128_SHA   RSA_PSK
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA  RSA_PSK
TLS_RSA_PSK_WITH_AES_128_CBC_SHA   RSA_PSK
TLS_RSA_PSK_WITH_AES_256_CBC_SHA   RSA_PSK


Snapshot openssl-SNAP-20070302 mentions only PSK-RC4-SHA,
PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, PSK-AES256-CBC-SHA.

Am I missing something here ?

Thanks
Mahendra


On 4/10/07, jimmy [EMAIL PROTECTED] wrote:

> mahendra wrote:
> > Hi All,
> >
> > I am looking for RFC 4279 support in OpenSSL. Can you please let me
> > know what version will have this support? And any idea when it is going
> > to be released? I am specifically looking for the ciphers
> > TLS_DHE_PSK_WITH_AES_256_CBC_SHA and
> > TLS_RSA_PSK_WITH_AES_256_CBC_SHA
>
> The latest snapshots support PSK. Have you checked them?
>
> -jb
> --
> The biggest problem with communication is the illusion that it has
> occurred.




Re: RSA Key Block

2007-04-10 Thread Marek Marcola
Hello,

> I have a general question about RSA Key Block.
Maybe key_material is more precise.

> The output of the PRF with the master_secret gives us many keys. It
> includes: client_write_MAC_secret, server_write_MAC_secret,
> client_write_key, server_write_key, client_write_IV, server_write_IV.
> Could you please verify what I think about how four of these keys
> are being used correctly:
>
> 1) SSL record format: Length + Data + MAC (in general): client -> server
>
> client_write_MAC_secret is used to encrypt the MAC portion of the
> message from client -> server
> client_write_key is used to encrypt the Data portion of the message
> from client -> server
SSL data record is built from ssl_record_header, application_data
and MAC, where application_data and MAC are encrypted.
When writing a packet from client to server the first thing is to calculate
the MAC data, but in TLS1 this is not simple SHA1() or MD5() but HMAC_SHA1()
or HMAC_MD5(). These functions require some key (client_write_MAC_secret
in this case) and data to calculate the MAC.
In this case data is:
   data = write_seq_num + proto + version + application_data_len +
application_data

and then, the MAC is calculated as (for SHA1):
   MAC = HMAC_SHA1(client_write_MAC_secret, data)

This MAC is concatenated to application_data, some padding is added too
and all this is encrypted using client_write_key (with IV for CBC).

> 2) SSL record format: Length + Data + MAC (in general): server -> client
>
> server_write_MAC_secret is used to encrypt the MAC portion of the
> message from server -> client
> client_write_key is used to encrypt the Data portion of the message
> from server -> client
Like above but with different keys.

> 3) Data from Server to Client is encrypted with different key from
> Client to Server ???.
Yes.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

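The key_block split and the record MAC computation described above, as an added example (not code from the thread or from OpenSSL). It uses only the Python standard library; the key_block bytes and the record are constructed samples, and the field order and MAC input follow RFC 2246 (TLS 1.0) sections 6.3 and 6.2.3.1.

```python
import hmac
import struct

CONTENT_TYPE_APPLICATION_DATA = 23
TLS1_0_VERSION = (3, 1)


def split_key_block(key_block: bytes, mac_len: int, key_len: int, iv_len: int) -> dict:
    """Slice the PRF output into the six secrets, in the order TLS 1.0 defines."""
    need = 2 * (mac_len + key_len + iv_len)
    if len(key_block) < need:
        raise ValueError(f"key_block too short: {len(key_block)} < {need}")
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    out, pos = {}, 0
    for name, size in zip(names, sizes):
        out[name] = key_block[pos:pos + size]
        pos += size
    return out


def record_mac(mac_secret: bytes, seq_num: int, content_type: int,
               version: tuple, fragment: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC over seq_num || type || version || length || fragment.

    seq_num is the 64-bit record counter each side keeps per direction; it is
    never sent on the wire but is part of the MAC input, which is what lets
    the receiver reject replayed or reordered records.
    """
    if not 0 <= seq_num < 2 ** 64:
        raise ValueError("sequence number must fit in 64 bits")
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def verify_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                      version: tuple, fragment: bytes, received_mac: bytes,
                      hash_name: str = "sha1") -> bool:
    expected = record_mac(mac_secret, seq_num, content_type, version,
                          fragment, hash_name)
    # constant-time comparison so a forged MAC cannot be probed byte by byte
    return hmac.compare_digest(expected, received_mac)


def demo() -> dict:
    """Client MACs one application record; the server checks it with the
    client's write secret, then shows that its own write secret (the other
    direction) and a replayed sequence number both fail."""
    # constructed stand-in for PRF output: SHA-1 MAC (20), AES-128 key (16), CBC IV (16)
    key_block = bytes(range(104))
    keys = split_key_block(key_block, mac_len=20, key_len=16, iv_len=16)
    fragment = b"GET / HTTP/1.0\r\n\r\n"
    seq = 0  # first record after ChangeCipherSpec, client -> server direction
    mac = record_mac(keys["client_write_MAC_secret"], seq,
                     CONTENT_TYPE_APPLICATION_DATA, TLS1_0_VERSION, fragment)

    def check(secret_name: str, seq_num: int) -> bool:
        return verify_record_mac(keys[secret_name], seq_num,
                                 CONTENT_TYPE_APPLICATION_DATA, TLS1_0_VERSION,
                                 fragment, mac)

    return {
        "mac_len": len(mac),
        "server_accepts": check("client_write_MAC_secret", 0),
        "wrong_direction_key": check("server_write_MAC_secret", 0),
        "replayed_record": check("client_write_MAC_secret", 1),
    }


if __name__ == "__main__":
    print(demo())
```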


Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
I need to build OpenSSL on Intel Linux (Fedora Core 4, if it matters)
for PowerPC and  ARM targets.  Someone before me did this for us with
0.9.7 and a bunch of patches to Makefiles but it's not portable or
flexible and as I'm revising our build environment somewhat, I'd rather
do it the right way than patch his patches.  

I note in the FAQ that autoconf, et al may come but are too UNIX-y for
OpenSSL and I see that point.  What I seem to be missing is autoconf's
distinction between prefix and exec-prefix; I can't figure out how to
(easily) modify OpenSSL's Configure, Makefiles, etc. to put includes in
../target/include but libraries in ../target/arch/lib, apps in
../target/arch/sbin, etc.

I saw a tantalizing thread from 2006 in the mailing list archives that
talked about adding a mingw target to Configure and I wonder if that's
not the way to go.  Should I add powerpc-linux and arm-linux target
lines to Configure to do what I want?  If so, I don't see how; the
existing targets are inscrutable to me.  Can someone point me to
documentation on their format?  Or advise me on a better way to do this?

 Chris


SSL_write and SSL_read

2007-04-10 Thread Soji VP
Hi Friends,

I've an application which supports TLS communication in which socket
descriptors are handled in threads.

Let's take an arbitrary socket descriptor fd and here we go:

Can I send data through fd using SSL_write() if I'm in the middle of
reading the data from the same fd?

Or, to put it another way, if SSL_read() returns SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE (from SSL_get_error()) on the socket fd, can I then
send data on the same socket using SSL_write()? (Provided both read and
write operations on the fd are always handled by the same thread.)

Any suggestions would be greatly appreciated :-)

Thanks in Advance,

Soji.



Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread Steven Beeckman

On 4/10/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I need to build OpenSSL on Intel Linux (Fedora Core 4, if it matters)
> for PowerPC and  ARM targets.  Someone before me did this for us with
> 0.9.7 and a bunch of patches to Makefiles but it's not portable or
> flexible and as I'm revising our build environment somewhat, I'd rather
> do it the right way than patch his patches.
>
> I note in the FAQ that autoconf, et al may come but are too UNIX-y for
> OpenSSL and I see that point.  What I seem to be missing is autoconf's
> distinction between prefix and exec-prefix; I can't figure out how to
> (easily) modify OpenSSL's Configure, Makefiles, etc. to put includes in
> ../target/include but libraries in ../target/arch/lib, apps in
> ../target/arch/sbin, etc.
>
> I saw a tantalizing thread from 2006 in the mailing list archives that
> talked about adding a mingw target to Configure and I wonder if that's
> not the way to go.  Should I add powerpc-linux and arm-linux target
> lines to Configure to do what I want?  If so, I don't see how; the
> existing targets are inscrutable to me.  Can someone point me to
> documentation on their format?  Or advise me on a better way to do this?
>
>  Chris



Hi,

for ARM you can try Scratchbox (http://www.scratchbox.org), it's a complete
environment that runs in Linux and it enables you to build ARM executables
with the regular gnu tools (gcc, make, ...). You can also run ARM
executables in it. If you have the possibility, try to do it on a
Debian-based system, it's only a matter of adding the correct deb-sources
and doing 'apt-get install'.

FWIW, I got OpenSSL compiled in Scratchbox!

I don't have any experience with PowerPC, so can't help you there.

Regards,

Steven


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
> On 4/10/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
> > I need to build OpenSSL on Intel Linux (Fedora Core 4, if it
> > matters) for PowerPC and  ARM targets.  ...
>
> for ARM you can try Scratchbox (http://www.scratchbox.org), it's a
> complete environment that runs in Linux and it enables you to build
> ARM executables with the regular gnu tools (gcc, make, ...). ...

Thanks but I have ARM and PowerPC tool chains on my Intel system; what
I'm looking for is a way to invoke them sanely in the existing OpenSSL
build framework.


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread Christophe Devine
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> I saw a tantalizing thread from 2006 in the mailing list archives that
> talked about adding a mingw target to Configure and I wonder if that's
> not the way to go.  Should I add powerpc-linux and arm-linux target
> lines to Configure to do what I want?  If so, I don't see how; the
> existing targets are inscrutable to me.  Can someone point me to
> documentation on their format?  Or advise me on a better way to do this?

I cross-compiled OpenSSL on ARM and MIPS a couple months ago, to perform
some RSA benchmarking. I remember hacking the linux-generic target to
use arm-linux-gcc instead of gcc, and also adding -static to the CFLAGS. There
is probably a more elegant way to do it, but at least it got the job done.

Christophe



Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
> [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
> > I saw a tantalizing thread from 2006 in the mailing list archives
> > that talked about adding a mingw target to Configure and I wonder
> > if that's not the way to go.  Should I add powerpc-linux and
> > arm-linux target lines to Configure to do what I want?  If so,
> > I don't see how; the existing targets are inscrutable to me.
> > Can someone point me to documentation on their format?  Or
> > advise me on a better way to do this?
>
> I cross-compiled OpenSSL on ARM and MIPS a couple months ago, to
> perform some RSA benchmarking. I remember hacking the linux-generic
> target to use arm-linux-gcc instead of gcc, and also adding -static to
> the CFLAGS. There is probably a more elegant way to do it, but at
> least it got the job done.

That sounds great but I can't read the targets in Configure well enough
to hack them.


Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Maximo Migliari

Dear users,

I'm having problems installing openssl-0.9.8b on RedHat Enterprise, kernel
2.6.9-11.ELsmp

When I type: ./config I get the following output:

--
# ./config
Operating system: i686-whatever-linux2
Configuring for linux-elf
Configuring for linux-elf
   no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
   no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
   no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
   no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
   no-shared   [default]
   no-zlib [default]
   no-zlib-dynamic [default]
IsMK1MF=0
CC=gcc
CFLAG =-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DL_ENDIAN -DTERMIO -O3 -fomSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-DAES_ASM
EX_LIBS   =-ldl
CPUID_OBJ =x86cpuid-elf.o
BN_ASM=bn86-elf.o co86-elf.o
DES_ENC   =dx86-elf.o yx86-elf.o
AES_ASM_OBJ   =ax86-elf.o
BF_ENC=bx86-elf.o
CAST_ENC  =cx86-elf.o
RC4_ENC   =rx86-elf.o
RC5_ENC   =r586-elf.o
MD5_OBJ_ASM   =mx86-elf.o
SHA1_OBJ_ASM  =sx86-elf.o s512sse2-elf.o
RMD160_OBJ_ASM=rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
ARFLAGS   =
PERL  =/usr/local/bin/perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Undefined subroutine main::getcwd called at ./util/mklink.pl line 24.
make: *** [links] Error 255


This is very strange, I tried looking in Google and Yahoo but could find
absolutely nothing.

Please help!


Re: Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Ricardo Stella


Maximo Migliari wrote:
> Dear users,
>
> I'm having problems installing openssl-0.9.8b on RedHat Enterprise,
> kernel 2.6.9-11.ELsmp
>
> When I type: ./config I get the following output:
>
> --
> # ./config
> Operating system: i686-whatever-linux2
> Configuring for linux-elf
> Configuring for linux-elf
> no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
> no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
> no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
> no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
> no-shared   [default]
> no-zlib [default]
> no-zlib-dynamic [default]
> IsMK1MF=0
> CC=gcc
> CFLAG =-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomSSL_IA32_SSE2 -DSHA1_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM
> EX_LIBS   =-ldl
> CPUID_OBJ =x86cpuid-elf.o
> BN_ASM=bn86-elf.o co86-elf.o
> DES_ENC   =dx86-elf.o yx86-elf.o
> AES_ASM_OBJ   =ax86-elf.o
> BF_ENC=bx86-elf.o
> CAST_ENC  =cx86-elf.o
> RC4_ENC   =rx86-elf.o
> RC5_ENC   =r586-elf.o
> MD5_OBJ_ASM   =mx86-elf.o
> SHA1_OBJ_ASM  =sx86-elf.o s512sse2-elf.o
> RMD160_OBJ_ASM=rm86-elf.o
> PROCESSOR =
> RANLIB=/usr/bin/ranlib
> ARFLAGS   =
> PERL  =/usr/local/bin/perl
> THIRTY_TWO_BIT mode
> DES_PTR used
> DES_RISC1 used
> DES_UNROLL used
> BN_LLONG mode
> RC4_INDEX mode
> RC4_CHUNK is undefined
> Undefined subroutine main::getcwd called at ./util/mklink.pl line 24.
> make: *** [links] Error 255
>
> This is very strange, I tried looking in Google and Yahoo but could
> find absolutely nothing.
>
> Please help!

No errors at all with these options under RHEL4-AS-U4 32bit or 64bit, for
at least versions 0.9.8c and 0.9.8e

./config -fPIC shared no-idea threads
make depend
make
make test
make install

Hope this helps...




Re: Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Maximo Migliari

My perl was broken.  I recompiled it and now everything works.  Thanks for
the help.

On 4/10/07, Ricardo Stella [EMAIL PROTECTED] wrote:




> No errors at all with these options under RHEL4-AS-U4 32bit or 64bit, for
> at least versions 0.9.8c and 0.9.8e
>
> ./config -fPIC shared no-idea threads
> make depend
> make
> make test
> make install
>
> Hope this helps...



retrieve policy constraints

2007-04-10 Thread Bin Lu

Hi,

I need to retrieve the requireExplicitPolicy value from a policy
constraints extension. The version of openssl that I am using is old
and does not seem to support policy constraints. What is the right way
to retrieve the value of that attribute from the ASN1_OCTET_STRING* within
the X509_EXTENSION object?

Thanks a lot,
Wenwu Lu
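One way to decode that octet string by hand, as an added example that is not from the thread or from OpenSSL: a small DER walker over the PolicyConstraints structure defined in RFC 5280 section 4.2.1.11, written in Python with the standard library only. The input is the content of the extension's OCTET STRING (in the OpenSSL API, the data of the ASN1_OCTET_STRING returned by X509_EXTENSION_get_data()); the sample encodings are constructed, not taken from a real certificate.

```python
# PolicyConstraints ::= SEQUENCE {
#      requireExplicitPolicy  [0] SkipCerts OPTIONAL,
#      inhibitPolicyMapping   [1] SkipCerts OPTIONAL }
# SkipCerts ::= INTEGER (0..MAX)
# The module uses IMPLICIT tags, so the fields show up as context tags 0x80 / 0x81.
TAG_SEQUENCE = 0x30
TAG_REQUIRE_EXPLICIT_POLICY = 0x80   # [0] IMPLICIT SkipCerts
TAG_INHIBIT_POLICY_MAPPING = 0x81    # [1] IMPLICIT SkipCerts


def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def _skip_certs(value: bytes) -> int:
    """SkipCerts ::= INTEGER (0..MAX); reject empty and negative contents."""
    if not value or value[0] & 0x80:
        raise ValueError("SkipCerts must be a non-negative INTEGER")
    return int.from_bytes(value, "big")


def parse_policy_constraints(ext_value: bytes) -> dict:
    """Decode the extnValue octets of a policyConstraints extension."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != TAG_SEQUENCE or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    if not body:
        # RFC 5280 4.2.1.11: conforming CAs MUST NOT issue an empty sequence
        raise ValueError("empty PolicyConstraints")
    names = {TAG_REQUIRE_EXPLICIT_POLICY: "requireExplicitPolicy",
             TAG_INHIBIT_POLICY_MAPPING: "inhibitPolicyMapping"}
    out = {"requireExplicitPolicy": None, "inhibitPolicyMapping": None}
    pos, last_tag = 0, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        # DER: fields appear in definition order and at most once each
        if tag not in names or tag <= last_tag:
            raise ValueError(f"unexpected or repeated tag 0x{tag:02x}")
        out[names[tag]] = _skip_certs(value)
        last_tag = tag
    return out


# Constructed sample encodings (not from any real certificate):
SAMPLE_BOTH = bytes.fromhex("3006800100810103")     # requireExplicitPolicy=0, inhibitPolicyMapping=3
SAMPLE_REQ_ONLY = bytes.fromhex("3003800102")       # requireExplicitPolicy=2
SAMPLE_INHIBIT_128 = bytes.fromhex("300481020080")  # INTEGER 128 needs a leading 0x00

if __name__ == "__main__":
    for sample in (SAMPLE_BOTH, SAMPLE_REQ_ONLY, SAMPLE_INHIBIT_128):
        print(sample.hex(), "->", parse_policy_constraints(sample))
```

RFC 5280 also requires the extension itself to be marked critical, so an older OpenSSL that cannot interpret it will reject the certificate unless the application handles the extension explicitly.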


SSL error (138): cipher or hash unavailable

2007-04-10 Thread Johans Taboada

Hi list, I ask for help please.

I have an apache server (2.0.59) built with OpenSSL 0.9.8b, it hosts a
python (2.4.4) based application (Edgewall's trac) which accesses a PostgreSQL
SSL-secured server (8.2.3) through DBI libraries (pyPgSQL/Psycopg2).

When I use trac directly (it has a lightweight server, tracd), it works with
no problems.

But when I use it through apache2+mod_python, apache shows HTTP 500:

{{{
# error_log, using pyPgSQL
[Thu Apr 05 19:25:43 2007] [error] [client 192.168.2.52]
DatabaseError: SSL error: cipher or hash unavailable\n
[Thu Apr 05 19:25:43 2007] [debug] ssl_engine_kernel.c(1787): OpenSSL:
Write: SSL negotiation finished successfully
[Thu Apr 05 19:25:43 2007] [info] Connection to child 4 closed with
standard shutdown(server PCDCOM:443, client 192.168.2.52)
}}}

{{{
# error_log, using Psycopg2
[Mon Apr 09 22:03:32 2007] [error] [client 192.168.2.52]
OperationalError: SSL error: cipher or hash unavailable\n
[Mon Apr 09 22:03:33 2007] [debug] ssl_engine_kernel.c(1787): OpenSSL:
Write: SSL negotiation finished successfully
[Mon Apr 09 22:03:33 2007] [info] Connection to child 1 closed with
standard shutdown(server PCDCOM:443, client 192.168.2.52)
}}}

What does 'cipher or hash unavailable' really mean? (SSL Error
#138, SSL_R_CIPHER_OR_HASH_UNAVAILABLE).
The only thing I can guess is that apache2+mod_python (client-app role)
fails to access PostgreSQL+SSL (server role). It must be a misconfiguration in
apache2.

How do I configure Apache2 properly to act as an SSL client? I have no
problem with it acting in the SSL server role.

For a more detailed info, visit:
http://groups.google.com/group/trac-users/browse_thread/thread/901ef327b448b496?hl=en

Thanks,
Johans Marvin Taboada Villca


howto generate RSA key from components?

2007-04-10 Thread Iain Pople

Hi,

I am trying to replace a legacy system with openssl. The legacy system 
used RSA keys but stored them in its own format. I can extract the RSA 
components but I'm not sure how to generate a PEM formatted RSA key. 
What is the easiest way to do this? Can the command line tools do it, or 
do I need to use the API?


thanks, Iain.

--
Iain Pople
Systems Interface Technical Lead
University of Melbourne
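One way to produce the PEM without the OpenSSL API, as an added example that is not from the thread or from OpenSSL: assemble the PKCS#1 RSAPrivateKey structure (RFC 3447 appendix A.1.2) from the components and wrap it in PEM, in Python with the standard library only. The toy primes below are constructed solely to show the encoding; in practice n, e, d, p and q would be the values pulled out of the legacy key store.

```python
import base64
import math

# RSAPrivateKey ::= SEQUENCE {
#     version INTEGER (0), modulus n, publicExponent e, privateExponent d,
#     prime1 p, prime2 q, exponent1 d mod (p-1), exponent2 d mod (q-1),
#     coefficient q^-1 mod p }


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps values with the top bit set positive."""
    if value < 0:
        raise ValueError("RSA components are non-negative")
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    content = b"".join(items)
    return b"\x30" + der_length(len(content)) + content


def rsa_private_key_der(n: int, e: int, d: int, p: int, q: int) -> bytes:
    """Check the components agree, derive the CRT values, emit the nine fields."""
    if p * q != n:
        raise ValueError("p * q != n")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    if (e * d) % lam != 1:                               # holds for phi- and lambda-derived d
        raise ValueError("d is not the inverse of e modulo lcm(p-1, q-1)")
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return der_sequence(der_integer(0), der_integer(n), der_integer(e),
                        der_integer(d), der_integer(p), der_integer(q),
                        der_integer(dp), der_integer(dq), der_integer(qinv))


def to_pem(der: bytes, label: str = "RSA PRIVATE KEY") -> str:
    """Base64 in 64-column lines between the BEGIN/END markers openssl expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed toy key (p=61, q=53), far too small for real use; it only
# exercises the encoding.  A real key needs at least 2048-bit n.
TOY_P, TOY_Q, TOY_E = 61, 53, 17
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

if __name__ == "__main__":
    print(to_pem(rsa_private_key_der(TOY_N, TOY_E, TOY_D, TOY_P, TOY_Q)))
```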


0.9.8e changes BF cfb encryption

2007-04-10 Thread Valient Gough

My previous mail doesn't seem to have appeared on the list, so sending
again:


Hello,

As the maintainer of a package which uses OpenSSL, I've received some reports
of 0.9.8e failing to decrypt data which was encrypted by previous versions of
OpenSSL.

Attached is a small bit of C++ code which demonstrates the problem.  It uses
the EVP interface with EVP_bf_cfb as the cipher and a 256 bit key (the
reports all point to Blowfish with key length > 128 bits).  What it does is
set a key, an IV, and run an encryption pass, then a decryption and compute
checksums of the three arrays (original, encrypted, decrypted).

When built against 0.9.8c, I get:
ort:tmp> g++ -Wall -g -o ssltest ssltest.cpp -lssl -lcrypto -lz
ort:tmp> ./ssltest
src chksum = 698614540
stage2 chksum = 2266501868
final chksum = 698614540

Another machine with 0.9.7a gives an identical result.  On a machine I
upgraded to 0.9.8e, I get the following output:

src chksum = 698614540
stage2 chksum = 2108297998
final chksum = 698614540

stage2 is the encrypted data, and it differs on 0.9.8e.  What this means in
practice is that the program I'm using can encrypt/decrypt data just fine
when run in either version of OpenSSL, but if data is encrypted in an earlier
version and then OpenSSL is upgraded to 0.9.8e, then decryption fails.

The nearest I've narrowed down is to something changing between 0.9.8c and
0.9.8e, but I've received reports that 0.9.8d -> 0.9.8e also fails.  I've
been looking at the diffs between 0.9.8d -> 0.9.8e, but I'm not seeing any
obvious problem.  Reports are that only Blowfish with key > 128 bits has a
problem, and AES users are not affected.

Any ideas what's wrong, and if there's a way to get 0.9.8e output to match
earlier versions?

regards,
Valient

/*
Build using:

g++ -g -o ssltest ssltest.cpp -lssl -lcrypto -lz

*/

#include <openssl/evp.h>
#include <zlib.h>
#include <assert.h>
#include <string.h>
#include <stdio.h>


int main()
{
    const int keySize = 32; // 256 bit key
    unsigned char keyBytes[keySize];

    const EVP_CIPHER *cipher = EVP_bf_cfb();
    EVP_CIPHER_CTX stream_enc;   // 0.9.x API: contexts are plain stack objects
    EVP_CIPHER_CTX stream_dec;

    // init key to known value
    for(int i=0; i<keySize; ++i)
        keyBytes[i] = (unsigned char)i;

    // setup IV
    int ivLen = EVP_CIPHER_iv_length( cipher );
    assert(ivLen == 8);

    unsigned char ivec[8];
    for(int i=0; i<8; ++i)
        ivec[i] = (unsigned char)i;

    // setup cipher and a context for encryption and decryption
    EVP_CIPHER_CTX_init( &stream_enc );
    EVP_CIPHER_CTX_init( &stream_dec );

    EVP_EncryptInit_ex( &stream_enc, cipher, NULL, NULL, NULL );
    EVP_DecryptInit_ex( &stream_dec, cipher, NULL, NULL, NULL );

    // Blowfish takes a variable-length key; ask for the full 256 bits
    EVP_CIPHER_CTX_set_key_length( &stream_enc, keySize );
    EVP_CIPHER_CTX_set_key_length( &stream_dec, keySize );

    EVP_CIPHER_CTX_set_padding( &stream_enc, 0 );
    EVP_CIPHER_CTX_set_padding( &stream_dec, 0 );

    // initialize key
    EVP_EncryptInit_ex( &stream_enc, NULL, NULL, keyBytes, NULL );
    EVP_DecryptInit_ex( &stream_dec, NULL, NULL, keyBytes, NULL );

    // Encode src -> stage2, then decode stage2 -> final
    const int size = 40;
    unsigned char src[size];
    unsigned char stage2[size];
    unsigned char final[size];

    for(int i=0; i<size; ++i)
        src[i] = (unsigned char)i;
    memset(stage2, 0, sizeof(stage2));
    memset(final, 0, sizeof(final));

    int dstLen;
    int tmpLen;

    uLong chksum1 = adler32(0L, src, size);
    printf("src chksum = %lu\n", chksum1);

    /* encrypt some data */
    EVP_EncryptInit_ex( &stream_enc, NULL, NULL, NULL, ivec );
    EVP_EncryptUpdate( &stream_enc, stage2, &dstLen, src, size );
    EVP_EncryptFinal_ex( &stream_enc, stage2+dstLen, &tmpLen );
    assert(dstLen == size);
    assert(tmpLen == 0);

    uLong chksum2 = adler32(0L, stage2, size);
    printf("stage2 chksum = %lu\n", chksum2);

    /* decrypt */
    EVP_DecryptInit_ex( &stream_dec, NULL, NULL, NULL, ivec );
    EVP_DecryptUpdate( &stream_dec, final, &dstLen, stage2, size );
    EVP_DecryptFinal_ex( &stream_dec, final+dstLen, &tmpLen );
    assert(dstLen == size);
    assert(tmpLen == 0);

    uLong chksum3 = adler32(0L, final, size);
    printf("final chksum = %lu\n", chksum3);

    /* compare */
    int res = memcmp(src, final, size);
    assert(res == 0);

    EVP_CIPHER_CTX_cleanup( &stream_enc );
    EVP_CIPHER_CTX_cleanup( &stream_dec );

    return res;
}



a problem while port openssl to mips64 platform

2007-04-10 Thread shuang chen

Hi Maillist

I met a problem while porting openssl from a Linux PC to a mips64 platform; the
openssl version is 0.9.7i.

I use openssl to verify a signature (x509), and openssl prints the error
"unhandled critical extension" on the mips64 platform.

But this operation was OK on the Linux PC. I think this may be caused by
some compile problem, but I haven't any clue.

Is there any patch I need to add, any special compile option, or flag?

Can anyone give some suggestion about this problem? Thanks a lot.

The detailed info is below.

I use the xmlsec lib's cmd-line application in the following way. I'm not clear
what "unhandled critical extension" means; can you give me some info about this?


# ./xmlsec1 --verify --id-attr:Id LicenceData --store-signatures
--enable-visa3d-hack --trusted-pem root.crt --X509-skip-strict-checks
D0185601.XML
func=xmlSecOpenSSLX509StoreVerify:file=
x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:cryptolibrary
function failed:subj=/C=FI/O=Nokia/CN=Nokia NET Licence Generator
ILG;err=34;msg=*unhandled critical extension*
func=xmlSecOpenSSLX509StoreVerify:file=
x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificateverification
failed:err=34;msg=unhandled critical extension
func=xmlSecKeysMngrGetKey:file=
keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlseclibrary
function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=
xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=
xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlseclibrary
function failed:
func=xmlSecDSigCtxVerify:file=
xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlseclibrary
function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x0018
== flags2: 0x
== Id: licRAN1001LK-pkisig-1
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x4000
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: rsa
 keyType: 0x0001
 keyUsage: 0x0002
 keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: NULL
 keyType: 0x0001
 keyUsage: 0x
 keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n-with-comments (href=
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
=== Transform: membuf-transform (href=NULL)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: #licRAN1001LK
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x0001
== flags2: 0x
== enabled transforms: all
=== uri:
=== uri xpointer expr: #licRAN1001LK
=== Transform: Visa3DHackTransform (href=NULL)
=== Transform: c14n-with-comments (href=
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to verify file D0185601.XML