Re: OpenSSL 0.9.8f Win32 Compile Error
Thomas J. Hruska wrote:

I am trying to compile version 0.9.8f for Windows, using VC++ 6.0, ActivePerl, and MASM 6.15.8803. I am following the instructions in INSTALL.W32, which works fine for the previous 0.9.8f build, but when I get to the point of running nmake -f ms\ntdll.mak I get the following errors in 0.9.8f:

    Building OpenSSL
    ml /Cp /coff /c /Cx /Focrypto\sha\asm\sha512-sse2.obj .\crypto\sha\asm\sha512-sse2.asm
    Assembling: .\crypto\sha\asm\sha512-sse2.asm
    .\crypto\sha\asm\sha512-sse2.asm(29) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(30) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(31) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(32) : error A2006: undefined symbol : XMMWORD

Actually I get 21 more of these same errors, each with a different line number. Did someone forget to add the equate for XMMWORD? Can anyone tell me how XMMWORD should be defined?

-Chris

Has this problem been solved yet? I've got lots of people asking for the pre-built binaries of 0.9.8f for Windows and haven't seen anything to the effect that this has been fixed. I can't build this even with VS.NET 2003. Due to the way I build the official binary releases, I can't modify the build process to force the compile to succeed. That is, there has to be an official release number from the OpenSSL dev. team. This probably means I'll have to wait for 0.9.8g.

Oops. Meant 0.9.8h. Neither 0.9.8f nor 0.9.8g compiles.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
Ask me about discounts on any Shining Light Productions product!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

Re: OpenSSL 0.9.8f Win32 Compile Error
On Mon, Oct 22, 2007, Thomas J. Hruska wrote:

Thomas J. Hruska wrote:

I am trying to compile version 0.9.8f for Windows, using VC++ 6.0, ActivePerl, and MASM 6.15.8803. I am following the instructions in INSTALL.W32, which works fine for the previous 0.9.8f build, but when I get to the point of running nmake -f ms\ntdll.mak I get the following errors in 0.9.8f:

    Building OpenSSL
    ml /Cp /coff /c /Cx /Focrypto\sha\asm\sha512-sse2.obj .\crypto\sha\asm\sha512-sse2.asm
    Assembling: .\crypto\sha\asm\sha512-sse2.asm
    .\crypto\sha\asm\sha512-sse2.asm(29) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(30) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(31) : error A2006: undefined symbol : XMMWORD
    .\crypto\sha\asm\sha512-sse2.asm(32) : error A2006: undefined symbol : XMMWORD

Actually I get 21 more of these same errors, each with a different line number. Did someone forget to add the equate for XMMWORD? Can anyone tell me how XMMWORD should be defined?

-Chris

Has this problem been solved yet? I've got lots of people asking for the pre-built binaries of 0.9.8f for Windows and haven't seen anything to the effect that this has been fixed. I can't build this even with VS.NET 2003. Due to the way I build the official binary releases, I can't modify the build process to force the compile to succeed. That is, there has to be an official release number from the OpenSSL dev. team. This probably means I'll have to wait for 0.9.8g.

Oops. Meant 0.9.8h. Neither 0.9.8f nor 0.9.8g compiles.

It's a problem with older versions of MASM. The following patch works around this issue:

http://cvs.openssl.org/chngview?cn=16708

However MASM is being phased out in OpenSSL (it won't be supported at all in 0.9.9) so you are advised to switch to the free NASM instead which doesn't have such problems.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: Changing the expiry date of a cert
Mark H. Wood wrote:

Further, it won't be a trust root until it's distributed and the recipients are satisfied that it is legitimate. And I think that's the real question: When my CA's certificate expires, can I update it without having to deliver copies securely to everyone who is supposed to trust my CA? The answer to *that* question had better be NO. It truly doesn't matter whether you made a new certificate or updated the old one, because in either case you must distribute it again in a trustworthy manner or nobody will trust it.

There should be a way to issue an updated root certificate signed by the original root (while it is still valid) such that browsers provide a very simple prompt that strongly encourages you to update the certificate. If a root is compromised inside its validity period, you're screwed anyway. Unfortunately, as far as I know, there is no such thing.

DS

Re: problems building the FIPS OpenSSL
My own Win32 build procedure using MinGW went like this:

    tar xvf openssl-fips-1.1.1.tar
    cd openssl-fips-1.1.1
    ./config fips
    make
    make test
    make install

THEN

    tar xvf openssl-0.9.7m.tar
    cd openssl-0.9.7m
    ./config fips --with-fipslibdir=/usr/local/ssl/lib
    make
    make test (do NOT skip the tests)
    make install

FIPS capable openssl binaries in /usr/local/ssl/bin (the default location). This is how I built OpenSSL-fips for windows.

Leonard

Paul Levin wrote:

I am trying to build FIPS OpenSSL 1.1.1 for Windows, as per the instructions in the UserGuide-1.1.1.pdf. For the most part it goes ok, but when I get to step 7, in section 4.3.2, there are several problems.

1. there is no directory called /usr/local/ssl/lib in MSYS.
2. in step 10 I can find most of the files, but fips_premain.c.sha1 is nowhere to be found

Then everything goes to h-ll when I try to build OpenSSL with the FIPS addon.

1. I'm using the OpenSSL that is in the FIPS tar. The User Guide implies that I need to download some other version
2. The user guide says to use a --with-fipslibdir argument to perl Configure. That gives an invalid parameter error.
3. Following the instructions in the INSTALL_W32 file, I ran perl Configure VC-WIN32 fips. Then ms\do_masm. This gave several errors that the FIPS files could not be found.
4. Looking at the perl script, I see it is looking in the top level directory of the tar tree (openssl-fips-1.1.1) for the FIPS generated files. The FIPS build did not put the files there.
   1. I moved the files there and I'm still getting an error because the fips_premain.c.sha1 file is not there.

What needs to be done to build this?

Thanks,
Paul

--
Leonard F. Elia III, CISSP
Sr. System Administrator
ConITS - NASA Langley Research Center
NCI Information Systems, Inc., Hampton VA

Re: ECDSA and ECICS with OpenSSL
Hello

As I mentioned before, I am using the openSSL directory for its support for the ECDSA. Which I need to implement the AACS standard. I am not sure you are familiar with it, but in short the problem I am encountering right now is that in the AACS Std the signatures are represented as 40 bytes number (2 BN of size 20). It has been working good, but I have encountered a case where the ecdsa_do_sign function returns a signature where the r and s (the 2 big numbers) are not of size 20 bytes, which as you can imagine can damage the AACS protocol. I was wondering why this could happen? should not this size be set according to the dgst len size? Is there a way to set this size to 20?

r and s in DSA or ECDSA are result of modular exponentiation or point addition in finite field (modulo 160 bit prime number in DSA and modulo n in ECDSA where n is elliptic curve base point order), not SHA1 calculation. Therefore there are some cases where big number length in bytes may be for example 19 bytes, not 20. The same situation you may observe in RSA signing.

For example when you generate many ECDSA signatures using secp224r1 with command:

    $ openssl dgst -sign ec-key.pem -ecdsa-with-SHA1 -out file.sig file.txt /dev/null

you will quickly find signature:

    $ openssl asn1parse -in file.sig1 -inform der
        0:d=0 hl=2 l= 60 cons: SEQUENCE
        2:d=1 hl=2 l= 29 prim: INTEGER :AB5D2B5B3152AE92C169CEF7967F5F194FA74A535AE93F8E9B9E783D
       33:d=1 hl=2 l= 27 prim: INTEGER :50D88DDACCA3FF8CF44CE82D5E2A6B5E9C885E609ABA3554D45667

which has r of 27 bytes length, but verifies ok:

    $ openssl dgst -verify ec-key-pub.pem -ecdsa-with-SHA1 -signature file.sig file.txt
    Verified OK

In ASN.1 notation there is no problem because INTEGERs are well defined but if you are going not to use ASN.1 you may pad with 0x00 binary representations of r and s (if they are too short). This method is used in RSA signatures, for example if you use 1024 bit key then signature (not in ASN.1 notation) should be 128 bytes length. If after modular exponentiation length of signature (big number) is for example 127 bytes then leading 0x00 is added. During the verification this 0x00 has no meaning of course.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

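The zero-padding described in the reply above, as an added example that is not part of the original thread: it converts a DER-encoded ECDSA signature to fixed-width r||s and back, using the r and s values from the asn1parse dump in the message. The function names are illustrative, only short-form DER lengths are handled, and `width` is the byte length of the curve order (28 for secp224r1, 20 for the 160-bit case in the question).

```python
# Added example: DER ECDSA signature <-> fixed-width r||s with 0x00 padding.
R_HEX = "AB5D2B5B3152AE92C169CEF7967F5F194FA74A535AE93F8E9B9E783D"  # 28 bytes
S_HEX = "50D88DDACCA3FF8CF44CE82D5E2A6B5E9C885E609ABA3554D45667"    # 27 bytes
# DER bytes rebuilt from the asn1parse dump in the message (SEQUENCE l=60).
SAMPLE_DER = bytes.fromhex("303C" + "021D00" + R_HEX + "021B" + S_HEX)

def _read_int(buf, pos):
    """Parse one DER INTEGER at pos; return (magnitude bytes, next pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    n = buf[pos + 1]
    end = pos + 2 + n
    if n == 0 or n & 0x80 or end > len(buf):
        raise ValueError("bad INTEGER length")
    body = buf[pos + 2:end]
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    return body.lstrip(b"\x00"), end   # drop the DER sign byte, if any

def der_to_fixed(sig, width):
    """Return r||s, each left-padded with 0x00 to exactly `width` bytes."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] & 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("expected short-form SEQUENCE")
    r, pos = _read_int(sig, 2)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing data")
    if not r or not s or max(len(r), len(s)) > width:
        raise ValueError("r or s is zero or wider than the field")
    return r.rjust(width, b"\x00") + s.rjust(width, b"\x00")

def _write_int(mag):
    """Encode a big-endian magnitude as a minimal positive DER INTEGER."""
    mag = mag.lstrip(b"\x00") or b"\x00"
    if mag[0] & 0x80:                  # high bit set: add a sign byte
        mag = b"\x00" + mag
    return bytes([0x02, len(mag)]) + mag

def fixed_to_der(raw, width):
    """Inverse conversion: the padding bytes disappear in the DER form."""
    if len(raw) != 2 * width:
        raise ValueError("raw signature must be 2*width bytes")
    body = _write_int(raw[:width]) + _write_int(raw[width:])
    if len(body) > 127:
        raise ValueError("long-form lengths not handled here")
    return bytes([0x30, len(body)]) + body
```

Calling `der_to_fixed(SAMPLE_DER, 28)` yields 56 bytes in which the second half starts with one 0x00 pad byte, and `fixed_to_der` on that result reproduces the original DER.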
Re: VeriSign certificate with openssl
Hello,

A follow-up question just for double check. The my_cert.pem file consists of two parts: [RSA private key] and [certificate (public key)]. Is this the correct sequence? I saw a certificate file that contains three parts: [certificate (?)], [RSA private key], [certificate (public key)]. We don't need anything from intermediate CA certificate in this my_cert file?

In PEM notification RSA private key and certificate may exist in one file but personally I never store this data in that way. I use one file for one purpose, for example rsa-key.pem for private key, cert.pem for certificate and cacert.pem for CA certs bundle. Now, when I want to send my certificate to my friend I will not send by accident my private key with my certificate.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

0.9.8g fips
Does anyone have an idea of when the 0.9.8x versions of OpenSSL will be fips compliant? The latest version of Apache (2.2.6) appears to require 0.9.8x of OpenSSL but it appears that these versions of OpenSSL do not have the hooks for building with fips enabled. Thanks in advance
Re: 0.9.8g fips
Blasdel, Jerry wrote:

Does anyone have an idea of when the 0.9.8x versions of OpenSSL will be fips compliant? The latest version of Apache (2.2.6) appears to require 0.9.8x of OpenSSL but it appears that these versions of OpenSSL do not have the hooks for building with fips enabled.

It's in process. We've had problems with the usual resource constraints and thus got off to a slow start. Best guess at this point is sometime in February or March of 2008.

-Steve M.

--
Steve Marquess
Open Source Software institute
[EMAIL PROTECTED]