CPU usage and FPGA support
Hello everybody. We are two students doing a project about accelerating encryption on an embedded system. This system is built upon an ARM processor (180 MHz) and an FPGA. We have built and implemented OpenSSH into the system (running Linux), and tested the AES encryption in software. The task is now to come up with a hardware component implemented on the FPGA which will accelerate the encryption/decryption on the system. We are trying to use the OpenSSL padlock as a reference and help.

Currently the ARM CPU usage is 100% when we transfer a file over OpenSSH (SCP) in software encryption mode. We are wondering: if we implement an AES core on the FPGA and call this core from OpenSSL, what will happen with the CPU usage? How can we tell if it will drop or not? Where should we look in software? We have looked at the padlock.c file to get an overview of the implementation of this engine, and tried to figure out if there is a special kind of programming which makes the CPU usage fall when using this engine.

So we guess the main question is: if we design an AES cryptocore (FPGA), how do we ensure that the CPU utilization will drop? This is more important than getting a higher throughput.

PS: we are two electrical engineers so we are not that strong in software development :-)

Hope to hear from you soon.
Re: CPU usage and FPGA support
We are sorry for the duplicate message. Thank you all for the good answers.

First of all we have to take a decision of either to use dropbear (embedded ssh2 protocol, using libtomcrypt libraries) or OpenSSH (using OpenSSL libraries). We have looked at the two libraries and it looks like libtomcrypt might be a tad more friendly to use. Any experience of what's best and easiest to use of the two libraries?

Michael, we are not thinking of using a softprocessor on the FPGA, as it would complicate and slow matters more than necessary. We are thinking of a pure hardware solution.

Thank you all for your help!
Re: problem converting PKCS8 keystore private key to PEM
And that's all he wrote. Thanks for that Stephen, it worked... times like this you kind of go duh!... but still learning I suppose [it's my only excuse]. Excellent forum, loads of info and quick responses... not all are like that, appreciate it.

Regards
Eoin

Dr. Stephen Henson wrote:
> On Wed, Mar 10, 2010, eoinmoon wrote:
>
>> I then exported the private key [in java code], checked it was in PKCS8 form - see below
>>
>>     if (key instanceof PrivateKey && "PKCS#8".equals(key.getFormat())) {
>>         // Get certificate of public key
>>         keyOutput = new FileOutputStream("c:\\security\\priv.key");
>>
>> I then attempted to convert it using OpenSSL - see below
>>
>>     openssl pkcs8 -inform PEM -nocrypt -in c:\security\priv.key -out c:\security\pemkey.pem
>>
>> What I get is the following error [note I have used several keys in the openssl command, the one above is one of them]
>>
>>     Error decrypting key
>>     4120:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:647:Expecting: PRIVATE KEY
>>
>> I have searched for this error with no great results. I am no expert on Keystore but it is something I have to use - I need the private key and signed cert in PEM format, it is the key that is blocking me at the moment. Any ideas what I am doing wrong?
>
> Try the -inform DER argument to the pkcs8 command.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: CPU usage and FPGA support
Notice a few things:

o The OP asked about reducing CPU load, but the answers all talk about making encryption faster. These are not the same thing. Offloading encryption might *reduce* throughput of the encrypted streams, and yet free up CPU time to do other things. Encrypted communication might not be the highest priority task in the system, and there might not be much of it to do per unit time.

o This is a student project. The objective is to learn something specific about the design of digital systems, not (necessarily) to maximize throughput. The requirements don't have to make practical sense, so long as they make educational sense.

Anyway, when did anyone pass a law that says requirements have to be sensible? :-)

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Friends don't let friends publish revisable-form documents.
i2d_X509_REQ_INFO doesn't convert req_info structure properly
Hi all,

I'm trying to create an X509 certificate request signed inside a smart card using the PKCS11 interface. To perform this task I have to perform the following steps:

1. create certificate request (X509_new)
2. load public key (X509_REQ_set_pubkey)
3. set up subject name and extensions as required
4. export req_info structure (i2d_X509_REQ_INFO)
5. sign this structure using PKCS11
6. complete X509_REQ structure with proper signature and algorithm identifier
7. export certificate request (PEM_write_bio_X509_REQ)

Unfortunately the created request doesn't contain a valid signature. After a closer look at the openssl calls I've noticed that the buffer exported using the i2d_X509_REQ_INFO function doesn't contain a properly encoded structure. Can somebody help me, what am I doing wrong, or which parameter of the structure did I forget to initialize?

Relevant part of the code:

    ...
    X509_REQ *req;
    X509_NAME *subj;
    EVP_PKEY *pkey;          /* declaration elided in the original fragment */

    if (!(req = X509_REQ_new())) {
        printf("Unable to initialize X509_REQ structure\n");
        return -1;
    }

    /* public key components (e, n) read from the smart card */
    RSA *rsa;
    rsa = RSA_new();
    rsa->e = BN_bin2bn( (unsigned char *) pub_publicExponent, (int) 3, NULL );
    rsa->n = BN_bin2bn( (unsigned char *) modulus, (int) (pub_modulusbits/8), NULL );

    if( (pkey = EVP_PKEY_new()) == NULL ) {
        printf("Unable to initialize PKEY structure\n");
        return -1;
    }
    EVP_PKEY_assign_RSA( pkey, rsa );
    X509_REQ_set_pubkey(req, pkey);

    subj = X509_REQ_get_subject_name(req);
    X509_NAME_add_entry_by_txt(subj, "C",  MBSTRING_ASC, (unsigned char *)"SK",   -1, -1, 0);
    X509_NAME_add_entry_by_txt(subj, "CN", MBSTRING_ASC, (unsigned char *)"Test", -1, -1, 0);

    /* DER-encode the to-be-signed part so the card can sign it */
    int datasig_len;
    unsigned char *tobesigned;
    datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );
    tobesigned = (unsigned char *) malloc( datasig_len );
    if( !tobesigned ) {
        printf("Unable to alloc mem buffer\n");
        return -1;
    }
    int zzz = i2d_X509_REQ_INFO( req->req_info, &tobesigned );

After this part of the code I've got the following values inside the important variables:

    zzz = 0x00c5

tobesigned buffer contains: [hex dump omitted]

This buffer doesn't seem to be a correct ASN1-encoded structure. Do you have any idea what I'm doing wrong, or which library call I forgot to perform?

Many thanks,
Peter.
Re: i2d_X509_REQ_INFO doesn't convert req_info structure properly
On Thu, Mar 11, 2010, Peter Gubis wrote:

>     int datasig_len;
>     unsigned char *tobesigned;
>     datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );
>     tobesigned = (unsigned char *) malloc( datasig_len );
>     if( !tobesigned ) {
>         printf("Unable to alloc mem buffer\n");
>         return -1;
>     }
>     int zzz = i2d_X509_REQ_INFO( req->req_info, &tobesigned );

http://www.openssl.org/support/faq.html#PROG3

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
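Added example, not code from the thread or from OpenSSL: it reproduces the pointer behaviour that FAQ entry PROG3 is about, using a small stand-in encoder with the i2d_* calling convention (assumed; it only emits a DER INTEGER) so it builds without OpenSSL. Passing the buffer pointer itself, as the post's `&tobesigned` does, leaves that pointer past the end of the encoding; the FAQ's temporary pointer keeps the original pointing at the start.

```c
/* Models OpenSSL's i2d_* pointer convention without OpenSSL.  The encoder
 * below is a stand-in (assumption): it produces a DER INTEGER for an
 * unsigned 32-bit value, and behaves like i2d_X(obj, &p) with respect to
 * the output pointer: NULL -> return the length only; otherwise write the
 * bytes at *out and advance *out past them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int i2d_demo_integer(unsigned long v, unsigned char **out)
{
    unsigned char body[5];
    int n = 0, i, total;

    for (i = 3; i >= 0; i--) {               /* minimal big-endian content */
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xff);
        if (n == 0 && b == 0 && i > 0)
            continue;                        /* drop leading zero octets */
        body[n++] = b;
    }
    if (body[0] & 0x80) {                    /* keep the INTEGER positive */
        memmove(body + 1, body, (size_t)n);
        body[0] = 0;
        n++;
    }
    total = 2 + n;                           /* tag + length + content */
    if (out == NULL)
        return total;
    (*out)[0] = 0x02;                        /* INTEGER tag */
    (*out)[1] = (unsigned char)n;
    memcpy(*out + 2, body, (size_t)n);
    *out += total;                           /* the caller's pointer moves */
    return total;
}

/* Scratch buffer shared by the stand-alone run and the checks. */
unsigned char scratch[16];

/* The pattern from the post: the buffer pointer itself is handed to i2d.
 * The encoding does land in the buffer, but afterwards the caller's pointer
 * sits len bytes further on, so reading through it shows whatever follows
 * the encoding (heap filler here), not the 0x02 tag.  Returns that byte. */
int first_byte_after_wrong_call(unsigned long v)
{
    int len = i2d_demo_integer(v, NULL);
    unsigned char *buf = malloc((size_t)len + 8);  /* +8 keeps the read in bounds */
    unsigned char *start;
    int first;

    if (buf == NULL)
        return -1;
    memset(buf, 0xfe, (size_t)len + 8);          /* stand-in for uninitialised heap */
    start = buf;
    i2d_demo_integer(v, &buf);                   /* buf now points len bytes further */
    if (buf - start != len) {
        free(start);
        return -1;
    }
    first = buf[0];                              /* what the post's dump shows */
    free(start);                                 /* free the original pointer, not buf */
    return first;
}

/* The FAQ PROG3 pattern: encode through a temporary pointer so 'dst' still
 * points at the start of the encoding.  Returns the encoded length, or -1. */
int encode_right(unsigned long v, unsigned char *dst, size_t cap)
{
    int len = i2d_demo_integer(v, NULL);
    unsigned char *p = dst;                      /* temporary: this one gets moved */

    if (len < 0 || (size_t)len > cap)
        return -1;
    if (i2d_demo_integer(v, &p) != len || p - dst != len)
        return -1;
    return len;
}

int main(void)
{
    int len = encode_right(0x1234, scratch, sizeof scratch), i;
    printf("correct pattern, %d bytes:", len);
    for (i = 0; i < len; i++)
        printf(" %02x", scratch[i]);
    printf("\nwrong pattern, first byte seen through the moved pointer: %02x\n",
           first_byte_after_wrong_call(0x1234));
    return 0;
}
```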
Re: CPU usage and FPGA support
Mark H. Wood wrote:
> Notice a few things:
>
> o The OP asked about reducing CPU load, but the answers all talk about making encryption faster. These are not the same thing. Offloading encryption might *reduce* throughput of the encrypted streams, and yet free up CPU time to do other things. Encrypted communication might not be the highest priority task in the system, and there might not be much of it to do per unit time.

well, the OP's indicated they didn't want to use an embedded processor in their design, just hard wired logic. this means the device won't have much in the way of 'smarts', which pretty much means the CPU will have to spoon feed it, unless it uses the buffer design I previously suggested (but I'm hard pressed to see how to implement that without some sort of sequencer in the hardware).

If the CPU is going to have to spoon feed the data (by this, I mean, read and write every word to this hardware), then the simple act of writing and reading the data to the hardware will consume CPU time, and if the device can't process the encryption faster than the CPU could on its own, it's going to end up taking MORE CPU time.

note, I have something of a background in designing embedded IO hardware and programming low level device drivers back in the 80s/90s. If I was doing this, I think I'd want just enough of a microcoded sequencer in the FPGA to be able to run out of a buffer RAM chip that's 'dual ported' to the host (that, or use a bus mastering DMA engine and locate these buffers in the ARM's own RAM, but that's pretty complex too). This buffer memory could be split into 4 or 8 fixed sized buffers on power-of-two boundaries... 2 for writing data to be encrypted, and 2 for reading back the encrypted data. Perhaps 2 more for writing data to be decrypted, and 2 for reading back the decrypted data, if this thing is to operate in a full duplex manner and using an asymmetrical cypher.

it's possible you'd not need separate output buffers and could just write the output over the input... then you could reduce this to just a pair of buffers. Each buffer could have a few bytes at the beginning or end that contain things like the cypher keys, and data length and status/command (or this command/status/key stuff could be in a separate address space stored in on-chip static registers...). the bulk of the actual encryption/decryption could be a hard wired pipeline, the sequencer just manages the data flow. by building the engine this way, the driver software in the ARM host gets an interrupt that a work unit is done, and simply has to block-move the last message out of the buffer, and the next message into the buffer and signal to the chip that it's OK to proceed when it's finished with the other buffer.

> o This is a student project. The objective is to learn something specific about the design of digital systems, not (necessarily) to maximize throughput. The requirements don't have to make practical sense, so long as they make educational sense.

yup, you often learn more by failing than you do by succeeding.
RE: CPU usage and FPGA support
From my mind, when you use FPGA encryption hardware, the CPU needs to dump one block of data into the FPGA and read the result out. This is the time the CPU spends for the encryption of one block of data when the FPGA hardware is used. You need to compare this time with the time you spend doing the encryption work of one block of data on the CPU itself in software. This is highly dependent on the block size and on the way the CPU communicates with the FPGA to exchange the data.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mark H. Wood
Sent: Thursday, March 11, 2010 6:08 AM
To: openssl-users@openssl.org
Subject: Re: CPU usage and FPGA support
RE: BIO_do_connect() strange return
It is running on Linux with OpenSSL 0.9.8d.

Regards,
-binlu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, March 10, 2010 8:13 PM
To: openssl-users@openssl.org
Subject: Re: BIO_do_connect() strange return

On Wed, Mar 10, 2010, Bin Lu wrote:

> Thanks Steve. Why is the connection still invalid? The subsequent OCSP_sendreq_bio() receives no response (while in blocking mode it does) after the 2nd call to BIO_do_connect() in the loop, which always returns 1/success. It is failing in the OCSP connection after the 2nd successful BIO_do_connect() call as soon as the BIO is made non-blocking. It works fine in blocking mode, but then it does not time out if the server is unreachable.

What OS are you on?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
linking FIPS 1.2
hello,

I just built FIPS 1.2, and then built a FIPS capable OpenSSL 0.9.8l as a shared lib. I then took my application, added in FIPS_mode_set(1), and it passed. But then I realized I did not switch over in my make file to use CC=fipsld; it still used CC=gcc -fPIC. Is the reason why it worked perhaps that OpenSSL was compiled with fipsld, therefore I do not need to use it in my application? I just want to make sure I understand the role of fipsld in case I am getting a false positive...

thank you,
-=- adam grossman
Re: linking FIPS 1.2
On Thu, Mar 11, 2010, Adam Grossman wrote:

> hello,
>
> I just built FIPS 1.2, and then built a FIPS capable OpenSSL 0.9.8l as a shared lib. I then took my application, added in FIPS_mode_set(1), and it passed. But then I realized I did not switch over in my make file to use CC=fipsld; it still used CC=gcc -fPIC. Is the reason why it worked perhaps that OpenSSL was compiled with fipsld, therefore I do not need to use it in my application? I just want to make sure I understand the role of fipsld in case I am getting a false positive...

Yes, if you link to a FIPS capable shared library you don't need to use fipsld: the integrity signature is embedded in the shared library itself. If you linked a static application you would need fipsld.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: BIO_do_connect() strange return
On Thu, Mar 11, 2010, Bin Lu wrote:

> It is running on Linux with OpenSSL 0.9.8d.

Ah, that's pretty old. I'd suggest trying 0.9.8m. That includes proper non-blocking I/O support for OCSP with the new function OCSP_sendreq_nbio().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: sha-256 support in openssl 0.9.8g
Hi All,

Any answers to my question(s) below? Basically I have to make sure [IPSec link establishment, certificate verification, general TLS/SSL, HTTPS, SSH, SFTP] etc. can all support use of the SHA-2 (specifically sha-256) algorithms!

On my system I have openssl 0.9.8g, and I have openssh_5.0p1. According to Rafiq's response below, it looks like openssl 0.9.8g already has support for sha-256 for my needs mentioned above?

1. Do I need to make sure that openssh supports sha-256 for SSH and SFTP operations, or does openssh basically end up using openssl underneath?

2. I tried configuring /etc/ssh/sshd_config and /etc/ssh/ssh_config with the option "MACs sha-2" or "MACs sha-256", and tried to restart sshd. It didn't like that option! So I am guessing my openssh version doesn't support sha-256?

3. Any comments about this blurb I found online: "To implement the SHA256 support in OpenSSH, the platform must support libc SHA256 or OpenSSL EVP_sha256 SHA256 KEX."

Any help would be greatly appreciated. Thanks in advance.

From: Hasan Rezaul-CHR010
Sent: Wednesday, March 10, 2010 1:45 PM
To: 'openssl-users@openssl.org'
Cc: openssl-...@openssl.org; Berger Timothy-TBERGER1; Cheng Heilung-HCHENG1
Subject: sha-256 support in openssl 0.9.8g

Thanks Rafiq and Jason,

I did run the "openssl dgst -sha256 filename" command, and it didn't complain! So I know at least the simple sha-256 hashing operation is supported in openssl 0.9.8g. Just wasn't sure if it was also fully supported in the context of certificate verification, etc. Sounds like it is...

I also need to make sure SHA-256 will work with SSH and SFTP on my machine. So I was reading up some OpenSSH posts online, and came across this. Any thoughts? Thanks a lot.

"To implement the SHA256 support in OpenSSH, the platform must support libc SHA256 or OpenSSL EVP_sha256 SHA256 KEX."

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Rafiqul Ahsan
Sent: Tuesday, March 09, 2010 12:13 PM
To: openssl-users@openssl.org
Cc: openssl-...@openssl.org
Subject: Re: OpenSSL server problems

Yes, openssl 098g supports SHA256. I built Freeradius 1.1.7 with openssl 098g, and we have been using EAP-TLS with SHA256 signed certs for quite some time.

Thanks

On Tue, Mar 9, 2010 at 11:28 AM, Hasan Rezaul-CHR010 chr...@motorola.com wrote:

> Hi All,
>
> I am somewhat of a newbie to openssl, so I apologize in advance for my ignorance :-)
>
> I have openssl version 0.9.8g on my custom Linux 2.6.27 distro. I need to make sure that SHA-2 (specifically the SHA-256 algorithm) is supported with this version of openssl. The sha-256 algorithm will be used during IPSec link establishment, certificate verification, and for general TLS/SSL cipher suites.
>
> From the quick online reading, I am getting mixed messages of whether sha-2 algorithms (specifically sha-256) are truly supported or not?!? Supposedly things might still be hard-coded to sha-1 even when sha-2 algorithms are 'supported'?...
>
> 1. Would you kindly clarify if openssl version 0.9.8g does in fact meet my needs? That is, does it in fact support sha-256 to be used in IPSec, certificate verification, and general TLS/SSL?
>
> 2. If 0.9.8g is not adequate, what version of openssl does in fact support my needs described above?
>
> Thanks so much in advance.

--
Rafiqul Ahsan
RE: problem converting PKCS8 keystore private key to PEM
> From: owner-openssl-us...@openssl.org On Behalf Of eoinmoon
> Sent: Wednesday, 10 March, 2010 11:00
>
> my attempts have failed to convert a private key [generated in java keystore and exported via java code] to a PEM format which I need for my application. These are the steps I have done:
>
>     keytool -v -genkey -keyalg RSA -keysize 1024 -keystore c:\security\keystore -alias -dname "cn=servername.domain.com, ou=None, L=YYY, ST=, o=ExampleOrg, c=US"
>
> I then created CSR's, etc [assuming it uses the private key in the keystore], got it signed and imported it back into the keystore.

Nit: you created a CSR and used it to get a cert. The cert is signed, but it is not *just* a signed CSR (or .TBS); it has some differences.

> I then exported the certs and converted them into PEM format. - All ok it seems
>
> I then exported the private key [in java code], checked it was in PKCS8 form
<snip>

FYI, another approach that might be easier if you only need the OpenSSL/PEM results and not the PKCS8 itself: standard-JRE keytool can create a PKCS*12* that OpenSSL can read:

    keytool -importkeystore -srckeystore your.jks -destkeystore output.p12 -deststoretype pkcs12 [-alias item]
        # default all, more than 1 less convenient in OpenSSL
    openssl pkcs12 -in output.p12 [options to select key, cert(s), etc.]
RE: Crash in BIO_set_fp(): Windows esp SL VC9?
-dev added, I think this is actually a bug

> From: owner-openssl-us...@openssl.org On Behalf Of Michael Boman
> Sent: Monday, 01 March, 2010 11:40
>
> re: crash in BIO_set_fp, on Windows, could it be faq#PROG2?
>
> I am using OpenSSL 0.9.8l from http://www.slproweb.com/products/Win32OpenSSL.html
>
> I link to these libraries for debugging:
>     C:\OpenSSL\lib\VC\ssleay32MTd.lib
>     C:\OpenSSL\lib\VC\libeay32MTd.lib
>
> And these ones for release:
>     C:\OpenSSL\lib\VC\ssleay32MT.lib
>     C:\OpenSSL\lib\VC\libeay32MT.lib
>
> I compile the program using the /MT (Release) and /MTd (Debug) flag under C/C++ - Code Generation

Aside: all 4 pairs of .lib's in lib\VC (and one in lib) are export libs for the one pair of DLL's, which are actually /MD but use the applink mechanism, as mentioned in the FAQ, to get the right CRT -- assuming the EXE correctly compiles applink.c, and the code you referenced does. So this should work. And using the corresponding files from my (DLL) build of 0.9.8m it sort of does (see below), but using the SL distro I also get a crash.

Stepping in the debugger I see code in SL that is similar but not identical. It appears to be built with VC++08 or possibly later, in particular for MSVCR90, while I use (elderly but still functional) VC++6.0 and MSVCRT[d], and the exit 0xC417 occurs in MSVCR90 apparently below _setmode. You didn't say what version of VC++ (and CRT) you are using.

I believe this is a bug: the bss_file.c file_ctrl() case for SET_FILE_PTR uses UP_fsetmode not UP_fsetmod, so it doesn't uplink when it apparently should; instead it uses direct _fileno and _setmode, which faults in MSVCR90. On (old) VC++6.0/MSVCRT _fileno is inlined and works, and _setmode sets an error (EBADF) which is ignored, and the mode (bin/text) set by the app at fopen is apparently left intact (and works OK).

Also looking in the same area: bss_file.c BIO_new_file() calls *ctrl BIO_C_SET_FILE_PTR with flags not including BIO_FP_TEXT, which sets binary even if the call said e.g. "w" or "wt"; on Windows this gives poor results if the output actually is text and needs \n=CRLF translation. Similarly BIO_{read,rw,write,append}_filename do SET_FILENAME with flags not containing TEXT. Explicitly calling BIO_ctrl SET_FILENAME with e.g. BIO_FP_WRITE|BIO_FP_TEXT does work. And BIO_new_fp(), although prototyped as 'close_flag', actually honors TEXT as well, as documented.

Some other things I noticed in working on this app:

Personally I would do each formatting op once to a membio or string, and then duplicate the result to stdout and xmlOutput. That would also avoid this problem, since then the app wouldn't be using an fpbio for xmlOutput; everything else seems to work.

And I wouldn't indent SO deeply.

And I would handle long serials, as apps/x509.c does, since bigger than 32b are pretty common and (often spurious) negatives shouldn't be misleading.

And officially WSAStartup should be once per process, although since about W2k as I recall repeats are benign.

And unextended (insecure) client-initiated renegotiation is probably -- we hope! -- going to stop working soon.

Logically I think it should work to compile the app /MD with a new(er) compiler that uses MSVCR90 and thus doesn't need uplink, or any supported mode(s) and static link (lib\VC\STATIC\various.lib) against a new-enough library to be compatible (old MSVCRT is not, it apparently doesn't have some _cookie stuff the SL build wants). But I'm not in a position to try those out for now.
RE: Size of DH Params
> From: owner-openssl-us...@openssl.org On Behalf Of Dirk Menstermann
> Sent: Wednesday, 10 March, 2010 10:57
>
> when I generate DH parameters with:
>
>     int bits = 1024;
>     DH *params = DH_generate_parameters(bits, DH_GENERATOR_5, NULL, NULL);
>
> Can I then later read the value of the bits parameter from the DH struct?

DH_size() gives you the number of BYTES for the modulus (and thus group elements like priv/pub key values). If it was a multiple of 8 to start with, as it was in this example and usually is, bytes*8 = bits. If (possibly) not, BN_num_bits(dh->p) gives the exact bits.
Shorten the timeout for openssl s_client?
All,

Using the command

    openssl s_client -connect gmail.google.com:443

openssl gets the certificate information and stays connected until I enter QUIT, or the timeout is hit -- about 2 minutes later. I want to script certificate expiration date checks for our servers. Is there a command-line switch or some other advice that I can use to change this behavior?

Thanks in advance
Todd
Re: i2d_X509_REQ_INFO doesn't convert req_info structure properly
On 11. 3. 2010 17:54, Dr. Stephen Henson wrote:
> On Thu, Mar 11, 2010, Peter Gubis wrote:
>
>>     int datasig_len;
>>     unsigned char *tobesigned;
>>     datasig_len = i2d_X509_REQ_INFO( req->req_info, NULL );
>>     tobesigned = (unsigned char *) malloc( datasig_len );
>>     if( !tobesigned ) {
>>         printf("Unable to alloc mem buffer\n");
>>         return -1;
>>     }
>>     int zzz = i2d_X509_REQ_INFO( req->req_info, &tobesigned );
>
> http://www.openssl.org/support/faq.html#PROG3
>
> Steve.

Thank you. RTFM. I've spent many hours debugging and looking at the openssl sources and didn't realize this easy stupid thing :) Now it's working as expected...

Thanks a lot,
Peter.
Problems with SSL_shutdown() and non blocking socket
Hi,

I'm trying to fix a bug in Python which is specific to OpenSSL 0.9.8m. The problem is in an FTP test using a blocking socket (client) and a non blocking socket (server). There are different tests; some tests use a timeout of 2 seconds on the client socket.

Pseudo-code of Python's shutdown low-level function:

    err = SSL_shutdown(self->ssl);
    if (err == 0)
        err = SSL_shutdown(self->ssl);
    if (err < 0)
        raise an exception
    else
        ok

Using OpenSSL 0.9.8m, SSL_shutdown() sometimes returns -1 and SSL_get_error() gives SSL_ERROR_WANT_READ. If I understood correctly, I have to read some bytes from the socket using SSL_read() to make OpenSSL happy. But how many bytes? And can I read bytes directly, or should I ensure that bytes are available using select() (or anything else)?

I wrote a patch using a loop:

    while 1:
        try:
            self._sslobj.shutdown()
            break
        except SSLError as err:
            if err.args[0] == SSL_ERROR_WANT_READ:
                try:
                    self.read()
                except SSLError as read_err:
                    if read_err.args[0] == SSL_ERROR_ZERO_RETURN:
                        # connection closed: done
                        break
                    else:
                        # non blocking socket
                        raise err
                else:
                    continue
            else:
                raise
        except socket_error as err:
            if err.errno == EPIPE:
                # connection closed: done
                break
            else:
                raise

The code is written in Python; don't hesitate to ask me if you don't understand something. I don't understand why I'm getting SSL_ERROR_ZERO_RETURN or EPIPE errors.

---

I tried to call SSL_shutdown() in a loop, but if the first or the second call returns the SSL_ERROR_WANT_READ error, the next call will always return the same error (I tried to wait some seconds, but it doesn't change). Does it mean that SSL_shutdown() is not compatible between 0.9.8l and 0.9.8m for non blocking sockets?

--
Victor Stinner
http://www.haypocalc.com/
Can't Use Hashlib in Python
I have several programs that I am trying to compile and they compile due to openssl. As an example, in trying to compile gobject-introspection-0.6.8, after the configure, the make fails:

    File "/home/final-sources-lfs-6.6/blfs/gobject-introspection-0.6.8/giscanner/cachestore.py", line 23, in <module>
        import hashlib
    File "/usr/lib/python2.6/hashlib.py", line 136, in <module>
        md5 = __get_builtin_constructor('md5')
    File "/usr/lib/python2.6/hashlib.py", line 63, in __get_builtin_constructor
        import _md5

Can anyone supply a fix for this?