How to tell when no more progress can be made
Hi Here http://marc.info/?l=openssl-usersm=124386218929227 It states that ...This is why it is very important to understand that any possible forward progress on any port (and a write operation that returns WANT_READ may have made forward progress!) requires you to retry all pending operations on all ports So am I correct in understanding that an SSL_read() that returned WANT_READ may have made forward progress (even if it did not return any data)? I have an event driven single threaded app that has 3 non blocking ssl sockets. When each socket completes its connection, I have the sockets read until I get a WANT_READ. My understanding is that a WANT_READ means I may now invoke select() and wait until the socket is ready for reading again. When select() returns, a loop goes through the 3 sockets calling ssl_read() on each of them. Say a read on Socket 1 returned WANT_READ and no data. Is it possible that Socket 2 may return WANT_READ, returns some data, and has now made some progress such that a read on socket 1 may now return data? But as the loop has already done the read for socket 1, it will not happen. As the loop has run through the 3 sockets, it waits there and hangs. Could this situation happen? If this is the case, how do I tell no more progress can be made on all 3 sockets? For example, say the loop runs through; -socket 1 returns WANT_READ. -socket 2 returns some data, then WANT_READ (and makes progress such that socket 1 can now return data) -socket 3 returns WANT_READ. But based on the quote above (where any forward progress requires retrying all pending operations), I should retry all sockets again; so the second run through the loop; -socket 1 now returns data, then WANT_READ -socket 2 returns WANT_READ -socket 3 now returns data (because the read on socket 1 made enough progress for socket 3 to return data), then WANT_READ. But what if the last read made progress such that socket 2 now returns data again? So my question is (if my understanding is correct), how do I tell in this instance how many times I'd need to run through the loop? Thanks __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: X.509 certificates in OpenSSL FIPS 2.0
I see some function names for previous OpenSSL FIPS versions in FIPS 2.0. For example, d2i_X509(), X509_STORE_CTX_new(), X509_STORE_new(), . How do I use them so that my existing code still works with OpenSSL FIPS 2.0? Thanks, Rahul On Thu, Jan 17, 2013 at 12:47 PM, Rahul Godbole rahulmg1...@gmail.comwrote: Hi We are using X.509 certificates in our product and are newly moving to OpenSSL FIPS 2.0 from previous versions. I see issues in calling the previous X.509 APIs in this version. The directory crypto/x509 not there in OpenSSSL 2.0. Can someone please tell me how I could use x509 certificates with OpenSSL 2.0. Also, please note that I am a OpenSSL newbie. Hence, would be great if you can point me to some documentation. Thanks Rahul
Re: X.509 certificates in OpenSSL FIPS 2.0
These functions are in util/libeay.num.There is also a util/ssleay.num. What are these files here for? On Thu, Jan 17, 2013 at 5:45 PM, Rahul Godbole rahulmg1...@gmail.comwrote: I see some function names for previous OpenSSL FIPS versions in FIPS 2.0. For example, d2i_X509(), X509_STORE_CTX_new(), X509_STORE_new(), . How do I use them so that my existing code still works with OpenSSL FIPS 2.0? Thanks, Rahul On Thu, Jan 17, 2013 at 12:47 PM, Rahul Godbole rahulmg1...@gmail.comwrote: Hi We are using X.509 certificates in our product and are newly moving to OpenSSL FIPS 2.0 from previous versions. I see issues in calling the previous X.509 APIs in this version. The directory crypto/x509 not there in OpenSSSL 2.0. Can someone please tell me how I could use x509 certificates with OpenSSL 2.0. Also, please note that I am a OpenSSL newbie. Hence, would be great if you can point me to some documentation. Thanks Rahul
Re: How to tell when no more progress can be made
On 01/17/2013 12:10 PM, A G wrote: Hi Here http://marc.info/?l=openssl-usersm=124386218929227 It states that ...This is why it is very important to understand that any possible forward progress on any port (and a write operation that returns WANT_READ may have made forward progress!) requires you to retry all pending operations on all ports So am I correct in understanding that an SSL_read() that returned WANT_READ may have made forward progress (even if it did not return any data)? I have an event driven single threaded app that has 3 non blocking ssl sockets. When each socket completes its connection, I have the sockets read until I get a WANT_READ. My understanding is that a WANT_READ means I may now invoke select() and wait until the socket is ready for reading again. you may also receive WANT_WRITE or WANT_READ when you ssl_write. as long as you do not have interrupted ALL, you do not need to select, after a successful operation you can retry the others, or do a select to determine which are actually ready. a select call is only to avoid a cpu intensive loop on the ssl_read/write operations. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to tell when no more progress can be made
On 1/17/2013 12:10 PM, A G wrote: Hi Here http://marc.info/?l=openssl-usersm=124386218929227 It states that ...This is why it is very important to understand that any possible forward progress on any port (and a write operation that returns WANT_READ may have made forward progress!) requires you to retry all pending operations on all ports Please beware that this old post by Mr. Schwartz seems to use the word port in an unusual way. Wherever that post says port you should probably read API entrypoint, as in Each SSL_CTX may interact with the application and/or the socket using any of ? entrypoints, including SSL_read(), SSL_write() and at least 2 others. So if your code has provided more bytes for SSL to encrypt (and later send), or extracted some decrypted bytes from SSL (previously received) or provided some received (encrypted) bytes from the socket or sent some (encrypted) bytes from the socket, any of those 4 operations may now be ready for more. The error codes WANT_READ and WANT_WRITE help you determine which of those 4 is most likely ready, but as soon as all 4 API entrypoints say they can do no more until you provide them with more data/extract some data from them, then you know that to be true. Someone please correct me if I got this wrong. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL 1.0.1c vs OpenSSL 1.0.1c + FIPS 2.0.2 Module without puttingin FIPS mode
I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the FIPS module 2.0.2. From a practical perspective I'm trying to sort out in my mind the following: - What is functionally different between the standard OpenSSL and OpenSSL compiled with FIPS and _not_ in FIPS mode (i.e. FIPS_mode_set(1) _not_ called)? - Why isn't the FIPS module simply built right into OpenSSL and for those who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)? Thanks, LM __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.1c vs OpenSSL 1.0.1c + FIPS 2.0.2 Module without puttingin FIPS mode
On 1/17/13, Memmott, Lester lester.memm...@landesk.com wrote: I've gone through the FIPS User Guide and have built OpenSSL 1.0.1c with the FIPS module 2.0.2. From a practical perspective I'm trying to sort out in my mind the following: Be careful - its a bit dated and some information is not correct. I understand its going through a revision now. The revision includes a general cleanup of all material, expanded iOS instructions (Appendix E), and an iOS example program. - What is functionally different between the standard OpenSSL and OpenSSL compiled with FIPS and _not_ in FIPS mode (i.e. FIPS_mode_set(1) _not_ called)? There is no functional differences between vanilla OpenSSL and FIPS Capable OpenSSL when *not* oerating in FIPS Mode. When operating in FIPS Mode, you are using validated cryptography. Some (all?) non-approved algorithms are also disabled. - Why isn't the FIPS module simply built right into OpenSSL and for those who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)? It is if you configure the FIPS Capable Library (openssl-1.0.1c.tar.gz) with: `config fips config options` It also assumes you built and installed the FIPS Object Module (openssl-fips-2.0.2.tar.gz). If you did not build for FIPS, then you save on size since the code base is smaller. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.1c vs OpenSSL 1.0.1c + FIPS 2.0.2 Module without puttingin FIPS mode
On 01/17/2013 10:05 AM, Jeffrey Walton wrote: ... - Why isn't the FIPS module simply built right into OpenSSL and for those who don't want to run in FIPS mode they simply don't call FIPS_mode_set(1)? It is if you configure the FIPS Capable Library (openssl-1.0.1c.tar.gz) with: `config fips config options` It also assumes you built and installed the FIPS Object Module (openssl-fips-2.0.2.tar.gz). If you did not build for FIPS, then you save on size since the code base is smaller. The OpenSSL FIPS Object Module also comes with mandatory procedural baggage that precludes treating it like a normal open source software product. If you don't need the FIPS module as a matter of policy then you don't want it at all, as it has no technical advantages over plain OpenSSL. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Can AES-NI be disabled?
Hello, I'm using OpenSSL 1.0.1c on Linux and Windows to implement encryption feature of my software. I need to compare performance of cases where AES-NI is enabled and where it is disabled on the same computer. If possible, I want to avoid rebooting the computer for some reasons. Is it possible to turn on and off AES-NI of OpenSSL with any configuration? I appreciate it if it is possible to switch AES-NI without re-building OpenSSL. Regards MauMau __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Can AES-NI be disabled?
On Thu, Jan 17, 2013 at 4:21 PM, MauMau maumau...@gmail.com wrote: Hello, I'm using OpenSSL 1.0.1c on Linux and Windows to implement encryption feature of my software. I need to compare performance of cases where AES-NI is enabled and where it is disabled on the same computer. If possible, I want to avoid rebooting the computer for some reasons. Is it possible to turn on and off AES-NI of OpenSSL with any configuration? I appreciate it if it is possible to switch AES-NI without re-building OpenSSL. That's actually covered in the FIPS User Guide. 3.2.3 Assembler Optimizations The only option for processor architectures other than x86/x86-64 and ARM is to use the pure C language implementation and not any of the hand-coded performance optimized assembler as each assembler implementation requires separate FIPS testing. For example, an Itanium or PowerPC system can only build and use the pure C language module. For the x86/x86-64 and ARM processors several levels of optimization are support by the code. Note that most such optimizations, if compiled into executable code, are selectively enabled at runtime depending on the capabilities of the target processor. If the Module is built and executed on the same platform (the build-time and run-time systems are the same) then the appropriate optimization will be utilized (assuming that the build+target system corresponds to a formally tested platform). For x86-64 there are three possible optimization levels: 1. No optimization (plain C) 2. SSE2 optimization 3. AES-NI+PCLMULQDQ+SSSE3 optimization Note that other theoretically possible combinations (e.g. AES-NI only, or SSE3 only) are not addressed individually, so that a processor which does not support all three of AES-NI, PCLMULQDQ, and SSSE3 will fall back to only SSE2 optimization. The runtime environment variable OPENSSL_ia32cap=~0x202 disables use of AES-NI, PCLMULQDQ, and SSSE3 optimizations for x86-64. For ARM there are two possible optimization levels: 1. Without NEON 2. With NEON (ARM7 only) The runtime variable OPENSSL_armcap=0 disables use of NEON optimizations for ARM. In the case where the build and runtime systems are different care must be taken to verify that the optimizations enabled at run-time on the target system correspond to a formally test platform. For instance, if Windows on x86 32bit was formally tested but Windows on x86 with AES-NI 32 bit was not then a Module built on an AES-NI capable built system would be validated when executed on a non-AES-NI capable target processor, but would notbe validated when executed on an AES-NI capable system (such as the build system itself). When the target platforms are not known to have capabilities corresponding to tested platforms then the risk of inadvertently utilizing the unvalidated optimizations at run-time can can be avoided by setting the appropriate environment variables at run-time Disabling run-time selectable optimizations Platform Environment Variable Value x86/x86-64 OPENSSL_ia32cap ~0x202 ARM OPENSSL_armcap 0 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
BIO_read/write thread safe?
Is BIO_read and BIO_write functions thread safe? Thanks in advavnce A
print result of SSL_get_verify_result
How can I print out result string from return code of SSL_get_verify_result? For example, for my test, I got 18, ERR_error_string( return_code) does not yield any thing? A
Re: print result of SSL_get_verify_result
On Thu, Jan 17, 2013 at 9:17 PM, ask as...@yahoo.com wrote: How can I print out result string from return code of SSL_get_verify_result? For example, for my test, I got 18, ERR_error_string( return_code) does not yield any thing? http://www.openssl.org/docs/ssl/SSL_get_verify_result.html __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org