Re: HMAC verification with EVP Interface

2021-08-26 Thread William Roberts
On Thu, Aug 26, 2021 at 3:01 AM Tomas Mraz  wrote:
>
> On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> > Hello,
> >
> > I am trying to verify an HMAC signature with the code below and the
> > EVP_DigestVerifyInit() routine is failing with "error:0608F096:digital
> > envelope routines:EVP_PKEY_verify_init:operation not supported for this
> > keytype". Eventually it gets to EVP_PKEY_verify_init() and since the
> > ctx->pmeth->verify pointer is null, it sets this error. It's unclear
> > to me why this function pointer is NULL; can someone elaborate on the
> > right way to do this via EVP interfaces?
>
> As HMAC is not a true signature algorithm there is no support for
> the EVP_DigestVerifyInit() operation with HMAC 'signatures'. You just
> have to use the EVP_DigestSign*() operation to create a new HMAC and
> compare it with the original value.
>

Ahh okay, thanks. This was in the wiki; I just scrolled too far and
ended up under asymmetric.
For anyone looking, it was on the wiki here:
  - https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying

But considering that Verifying could do this, since it has both the
message and HMAC "signature", wouldn't it be nice to add this support
since it's generated through the sign interface? In my mind a Sign
operation always has a verify operation.


Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Dear Dmitry,
Thank you very much for the help. Appreciate it.

Regards,
Shariful Alam

On Thu, Aug 26, 2021 at 12:01 PM Dmitry Belyavsky wrote:

> Dear Shariful,
>
> You can build your engine when it's feasible.
> You can install it to the engine folder and get rid of dynamic_path, but
> it's not necessary.
>
> I prefer explicitly loading the engine via the config file.
>
>
> On Thu, Aug 26, 2021 at 7:56 PM Shariful Alam  wrote:
>
>> Dear Dmitry,
>> Thank you very much. After moving the above section to the end of the
>> configuration file and adding the dynamic path to the shared library like the
>> following,
>> ==
>> [rsa_section]
>> engine_id = rsa-engine-new
>> dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
>> ==
>>
>> My engine loads without any error. Thanks.
>> One more question: do I need to compile and install my engine
>> with the OpenSSL source code in order for it to work with mod_ssl?
>>
>> Regards,
>> Shariful Alam
>>
>> On Thu, Aug 26, 2021 at 10:30 AM Dmitry Belyavsky wrote:
>>
>>> As I suspected, you have the remnants of the main openssl config just after
>>> your only directive in the [rsa_section].
>>>
>>> I'd suggest moving the following lines
>>>
>>> =
>>> [openssl_def]
>>> engines = engine_section
>>>
>>> [engine_section]
>>> rsa-engine-new = rsa_section
>>>
>>> [rsa_section]
>>> engine_id = rsa-engine-new
>>> ==
>>> to the end of your openssl.cnf
>>>
>>> On Thu, Aug 26, 2021 at 6:20 PM Shariful Alam wrote:
>>>
>>>> Dmitry,
>>>> Thank you for your response.
>>>>
>>>> As you have suggested, I have changed my engine name to match
>>>> the configuration file:
>>>>
>>>> /* Engine Id and Name */
>>>> static const char *engine_rsa_id = "rsa-engine-new";
>>>> static const char *engine_rsa_name = "Dummy RSA engine for testing";
>>>>
>>>> Here is my whole *openssl.cnf* file content


Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Dmitry Belyavsky
Dear Shariful,

You can build your engine when it's feasible.
You can install it to the engine folder and get rid of dynamic_path, but
it's not necessary.

I prefer explicitly loading the engine via the config file.


On Thu, Aug 26, 2021 at 7:56 PM Shariful Alam wrote:

> Dear Dmitry,
> Thank you very much. After moving the above section to the end of the
> configuration file and adding the dynamic path to the shared library like the
> following,
> ==
> [rsa_section]
> engine_id = rsa-engine-new
> dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
> ==
>
> My engine loads without any error. Thanks.
> One more question: do I need to compile and install my engine with the OpenSSL
> source code in order for it to work with mod_ssl?
>
> Regards,
> Shariful Alam
>
> On Thu, Aug 26, 2021 at 10:30 AM Dmitry Belyavsky wrote:
>
>> As I suspected, you have the remnants of the main openssl config just after
>> your only directive in the [rsa_section].
>>
>> I'd suggest moving the following lines
>>
>> =
>> [openssl_def]
>> engines = engine_section
>>
>> [engine_section]
>> rsa-engine-new = rsa_section
>>
>> [rsa_section]
>> engine_id = rsa-engine-new
>> ==
>> to the end of your openssl.cnf
>>
>> On Thu, Aug 26, 2021 at 6:20 PM Shariful Alam wrote:
>>
>>> Dmitry,
>>> Thank you for your response.
>>>
>>> As you have suggested, I have changed my engine name to match
>>> the configuration file:
>>>
>>> /* Engine Id and Name */
>>> static const char *engine_rsa_id = "rsa-engine-new";
>>> static const char *engine_rsa_name = "Dummy RSA engine for testing";
>>>
>>> Here is my whole *openssl.cnf* file content
>>>

Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Dear Dmitry,
Thank you very much. After moving the above section to the end of the
configuration file and adding the dynamic path to the shared library like the
following,
==
[rsa_section]
engine_id = rsa-engine-new
dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so
==

My engine loads without any error. Thanks.
One more question: do I need to compile and install my engine with the OpenSSL
source code in order for it to work with mod_ssl?

Regards,
Shariful Alam

On Thu, Aug 26, 2021 at 10:30 AM Dmitry Belyavsky wrote:

> As I suspected, you have the remnants of the main openssl config just after
> your only directive in the [rsa_section].
>
> I'd suggest moving the following lines
>
> =
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> rsa-engine-new = rsa_section
>
> [rsa_section]
> engine_id = rsa-engine-new
> ==
> to the end of your openssl.cnf
>
> On Thu, Aug 26, 2021 at 6:20 PM Shariful Alam wrote:
>
>> Dmitry,
>> Thank you for your response.
>>
>> As you have suggested, I have changed my engine name to match the
>> configuration file:
>>
>> /* Engine Id and Name */
>> static const char *engine_rsa_id = "rsa-engine-new";
>> static const char *engine_rsa_name = "Dummy RSA engine for testing";
>>
>> Here is my whole *openssl.cnf* file content
>>

RE: problems with too many ssl_read and ssl_write errors

2021-08-26 Thread Michael Wojcik
Please reply to the list rather than to me directly.

> From: Kamala Ayyar 
> Sent: Thursday, 26 August, 2021 08:57

> We call the WSAGetLastError immediately after SSL_ERROR_SYSCALL and we get
> the WSAETIMEDOUT

OK. This wasn't entirely clear to me from your previous message. So you are 
getting a network-stack timeout on a sockets operation; this isn't a TLS 
protocol issue or anything else at a level above the network stack.

> We also call the ERR_print_errors(bio); but it displays a blank line.  We call
> ERR_clear_error() before the SSL_read as mentioned in the manual.

I'm not sure why that might be happening. It may be that OpenSSL doesn't log 
any error messages in this case; I'd have to look at the OpenSSL source code to 
figure that out.

> The ERR_print_errors() does not print anything. Is the error getting cleared
> because we called the WSAGetLastError()?

That shouldn't affect the OpenSSL error list.

> Is there an order in which the Windows WSAGetLastError() should be called
> before SSL_get_error()?

I don't believe so. They should be independent. The OpenSSL error list is 
maintained by OpenSSL; WSAGetLastError retrieves the Winsock error code. The 
two don't share data.

> We will try changing some of the timeouts on either side and try.

Make sure that's stack timeouts you're changing: calls to setsockopt, or 
Registry settings if you're not overriding them on your sockets. 
Application-level timeouts aren't the issue here.

You may need to involve a network administrator to look at network interface 
statistics, check wire traces to see if receive windows are closed, and look 
for interference from middleboxes such as routers and firewall appliances or 
from application firewalls, IDSes, and so on. These sorts of issues are not 
uncommon when there are load balancers, traffic-inspecting firewalls, or the 
like interfering with network traffic.

--
Michael Wojcik


Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Dmitry Belyavsky
As I suspected, you have the remnants of the main openssl config just after
your only directive in the [rsa_section].

I'd suggest moving the following lines

=
[openssl_def]
engines = engine_section

[engine_section]
rsa-engine-new = rsa_section

[rsa_section]
engine_id = rsa-engine-new
==
to the end of your openssl.cnf

On Thu, Aug 26, 2021 at 6:20 PM Shariful Alam wrote:

> Dmitry,
> Thank you for your response.
>
> As you have suggested, I have changed my engine name to match the
> configuration file:
>
> /* Engine Id and Name */
> static const char *engine_rsa_id = "rsa-engine-new";
> static const char *engine_rsa_name = "Dummy RSA engine for testing";
>
> Here is my whole *openssl.cnf* file content
>

Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Dear Dmitry,
In case it helps, I have installed my OpenSSL from the source code and
my current version is OpenSSL 1.1.1c  28 May 2019.

Regards,
Shariful Alam

On Thu, Aug 26, 2021 at 10:20 AM Shariful Alam wrote:

> Dmitry,
> Thank you for your response.
>
> As you have suggested, I have changed my engine name to match the
> configuration file:
>
> /* Engine Id and Name */
> static const char *engine_rsa_id = "rsa-engine-new";
> static const char *engine_rsa_name = "Dummy RSA engine for testing";
>
> Here is my whole *openssl.cnf* file content
>

Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Dmitry,
Thank you for your response.

As you have suggested, I have changed my engine name to match the
configuration file:

/* Engine Id and Name */
static const char *engine_rsa_id = "rsa-engine-new";
static const char *engine_rsa_name = "Dummy RSA engine for testing";

Here is my whole *openssl.cnf* file content
=

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
rsa-engine-new = rsa_section

[rsa_section]
engine_id = rsa-engine-new

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7


[ ca ]
default_ca = CA_default # The default ca section


[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key

x509_extensions = usr_cert # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional


[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or 

An idiosyncratic port of OpenSSL 1.1.1l to OS/400 ILE

2021-08-26 Thread Dan Fulger


This port is for ILE (native OS/400), not PASE (PASE is almost like Unix, and
already comes with OpenSSL).

The idiosyncrasies are explained in the README.as400 file in AS400patch.tar.gz.

I had to rewrite the EBCDIC support in clienthellotest.c.

AS400patch.tar.gz (large patch for OpenSSL and other files):
https://drive.google.com/file/d/1fttbz2T9wtVUMyre0i7ExzXmVLg2spO8/view?usp=sharing

AS400_GNU.tar.gz (source for GNU/IBM tools required to build OpenSSL in an ILE
environment):
https://drive.google.com/open?id=1DeKIE32nmUpvk7fvrcSYlflUn_k1CBso



RE: Testing

2021-08-26 Thread Dr. Matthias St. Pierre
I’ll take care of it and ask the administrator to remove it manually if 
possible.

From: Kingsley O 
Sent: Thursday, August 26, 2021 3:41 PM
To: Dr. Matthias St. Pierre 
Cc: openssl-users@openssl.org
Subject: Re: Testing

Didn't work..:-(

Did not receive email to complete the unsubscribe process

On Thu, Aug 26, 2021 at 7:50 AM Dr. Matthias St. Pierre
<matthias.st.pie...@ncp-e.com> wrote:



To unsubscribe, visit https://mta.openssl.org/mailman/listinfo/openssl-users

Regards





Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Dmitry Belyavsky
Dear Shariful,

1. Don't hurry :)
2. It looks like there are some more configuration options in your
openssl.cnf [rsa_section]. I think they came from the standard configuration. So if I am wrong, please
provide the whole file.
3. I'd recommend you also update the lines
`
static const char *engine_dasync_id = "dasync";
static const char *engine_dasync_name = "Dummy Async engine support";
`
to be consistent with your engine name.

On Thu, Aug 26, 2021 at 3:24 PM Shariful Alam  wrote:

> Any help regarding this matter??
>
> Regards,
> Shariful
>

-- 
SY, Dmitry Belyavsky
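The error output in Shariful's post already locates the problem: the engine module reports section=rsa_section, name=oid_section, value=new_oids, which means the line `oid_section = new_oids` from the stock openssl.cnf was read as a key of [rsa_section]. The config parser assigns every key to the most recent section header above it, so sections pasted into the top of the file swallow whatever keys of the unnamed default section follow them. Inside an engine section OpenSSL itself understands only engine_id, dynamic_path, init, default_algorithms and soft_load; every other key is handed to the engine as a control command through ENGINE_ctrl_cmd_string(), which is where "invalid cmd name" comes from. The layout below is an added example of my own, not the poster's file: the engine sections sit at the end of the file, after the last default-section key, and the dynamic_path value and the .so name are placeholders.

```ini
# Default (unnamed) section: this one line is all that needs to be near the top.
openssl_conf = openssl_def

# ... the rest of the stock openssl.cnf follows here unchanged:
# oid_section = new_oids, [ new_oids ], [ ca ], [ req ], ... ...

# Engine sections go AFTER everything else, so no stock key can land in them.
[openssl_def]
engines = engine_section

[engine_section]
rsa-engine-new = rsa_section

[rsa_section]
# Must equal the id string the engine sets with ENGINE_set_id(); the dynamic
# loader passes it to the engine's bind function for checking.
engine_id = rsa-engine-new
# Placeholder path to the built engine. Omit this key if the .so is installed
# in the directory printed by "openssl version -e".
dynamic_path = /usr/local/lib/engines-1.1/rsa-engine-new.so
init = 1
default_algorithms = RSA
```

Any key other than the five named above that you put in [rsa_section] must be a control command the engine registers; a stub engine like the one in the post registers none, so the section should contain nothing else.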


Re: OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Any help regarding this matter??

Regards,
Shariful



Re: HMAC verification with EVP Interface

2021-08-26 Thread Ken Goldman

On 8/26/2021 5:35 AM, d0 wrote:
> Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
> ol' memcmp.

What's the rationale?  The HMAC result isn't secret.



Re: HMAC verification with EVP Interface

2021-08-26 Thread d0
Don't forget to use CRYPTO_memcmp for comparing the HMACs, not regular
ol' memcmp.

-Marian


Re: HMAC verification with EVP Interface

2021-08-26 Thread Tomas Mraz
On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote:
> Hello,
> 
> I am trying to verify an HMAC signature with the code below and the
> EVP_DigestVerifyInit()
> routine is failing with "error:0608F096:digital envelope
> routines:EVP_PKEY_verify_init:operation not supported for this
> keytype". Eventually it gets to EVP_PKEY_verify_init() and since the
> ctx->pmeth->verify pointer is null, it sets this error. It's unclear
> to me why this function pointer is NULL, can someone elaborate the
> right way to do this via EVP interfaces?

As HMAC is not a true signature algorithm there is no support for
the EVP_DigestVerifyInit() operation with HMAC 'signatures'. You just
have to use EVP_DigestSign*() operation to create a new HMAC and
compare with the original value.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




RE: Testing

2021-08-26 Thread Dr. Matthias St. Pierre


To unsubscribe, visit https://mta.openssl.org/mailman/listinfo/openssl-users

Regards

From: openssl-users  On Behalf Of Kingsley O
Sent: Wednesday, August 25, 2021 6:06 PM
To: Turritopsis Dohrnii Teo En Ming 
Cc: openssl-users@openssl.org
Subject: Re: Testing

Please remove my email from this group.

Thank you

On Wed, Aug 25, 2021 at 4:10 PM Turritopsis Dohrnii Teo En Ming
<ceo.teo.en.m...@gmail.com> wrote:
Testing


smime.p7s
Description: S/MIME cryptographic signature


OpenSSL dynamic engine loading shows error

2021-08-26 Thread Shariful Alam
Hello,

I have a simple RSA engine code (from engines/e_dasync.c). My code
compiles. The command "*$openssl engine -t -c*" shows the following,

 openssl engine -t -c
(rdrand) Intel RDRAND engine
     [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(dasync) Dummy Async engine support
     [RSA]
     [ available ]

I also modified the *openssl.cnf* configuration as follows to load this engine,

openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
rsa-engine-new = rsa_section

[rsa_section]
engine_id = rsa-engine-new

Then when I run the command "$*openssl engine*", I get the following error,

$openssl engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(dasync) Dummy Async engine support
139633213376256:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:255:
139633213376256:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=rsa_section, name=oid_section, value=new_oids
139633213376256:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:177:module=engines, value=engine_section, retcode=-1

Any help on why this is happening? How can I fix this?

My goal is to use my OpenSSL engine with Apache for mod_ssl. Do I have to
compile my engine with the OpenSSL source code to do that?


Here is the complete source code of my sample engine,

==

/* Headers this code uses (assumed: the include file names did not survive
 * in the archived post) */
#include <stdio.h>
#include <openssl/engine.h>
#include <openssl/rsa.h>

/* Engine Id and Name */
static const char *engine_dasync_id = "dasync";
static const char *engine_dasync_name = "Dummy Async engine support";

/* Stub RSA operations: they only log that they were called */
static int dasync_pub_enc(int flen, const unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding)
{
    printf("dasync_pub_enc\n");
    return 0;
}

static int dasync_pub_dec(int flen, const unsigned char *from,
                          unsigned char *to, RSA *rsa, int padding)
{
    printf("dasync_pub_dec\n");
    return 0;
}

static int dasync_rsa_priv_enc(int flen, const unsigned char *from,
                               unsigned char *to, RSA *rsa, int padding)
{
    printf("dasync_rsa_priv_enc\n");
    return 0;
}

static int dasync_rsa_priv_dec(int flen, const unsigned char *from,
                               unsigned char *to, RSA *rsa, int padding)
{
    printf("dasync_rsa_priv_dec\n");
    return 0;
}

static RSA_METHOD *dasync_rsa_method = NULL;

static int bind_dasync(ENGINE *e)
{
    /* Setup RSA_METHOD */
    if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
        || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0
        || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0
        || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0
        || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0) {
        return 0;
    }

    /* Ensure the dasync error handling is set up */

    if (!ENGINE_set_id(e, engine_dasync_id)
        || !ENGINE_set_name(e, engine_dasync_name)
        || !ENGINE_set_RSA(e, dasync_rsa_method)) {
        return 0;
    }
    return 1;
}

static int bind_helper(ENGINE *e, const char *id)
{
    if (!bind_dasync(e)) {
        printf("2_Error: Inside Bind helper\n");
        return 0;
    }
    return 1;
}

IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
IMPLEMENT_DYNAMIC_CHECK_FN()

=





Thanks,

Shariful