Re: [openssl-dev] Multithreading performance patches

Hi! > The reason is that so far it was > reserved for occasion like this, i.e. when somebody requests it and puts > effort into testing it in real-life application:-) Can we do that? I did it. Added to crypto/cryptlib.c: # ifndef OPENSSL_DISABLE_ATOMIC_ADD_INTERNAL int OPENSSL_atomic_add(int

Re: [openssl-dev] [openssl.org #4073] Segfault in engine processing

On 12 October 2015 at 12:08, Matt Caswell via RT wrote: > Are you using your new GOST > engine or the one currently in master? > Sorry to come in in the middle, but where to get that new GOST engine, that is not on master now? Is it on some other branch?

Re: [openssl-dev] [openssl.org #4073] Segfault in engine processing

On 12 October 2015 at 12:08, Matt Caswell via RT wrote: > Are you using your new GOST > engine or the one currently in master? > Sorry to come in in the middle, but where to get that new GOST engine, that is not on master now? Is it on some other branch?

Re: [openssl-dev] License compatibility: OpenSSL and Apache v2

This is something I would like to be contributed to OpenSSL. Sure, I'm talking about new engine and new files. And I agree that using the same license as OpenSSL itself would be the best solution. But, if for some reasons licensing of it will be possible under Apache v2 only - what issues could

[openssl-dev] License compatibility: OpenSSL and Apache v2

Hello, Let's imagine someone develop extension module to OpenSSL, and release it under Apache v2 license. Do you see any possible issues with using this extension module as a part of OpenSSL? ___ openssl-dev mailing list openssl-dev@openssl.org

[openssl.org #3613] Patch: Fix warning in Nginx logs on every connect when GOST TLS used.

Hello, As noted here: https://groups.google.com/forum/#!topic/mailing.openssl.dev/Ng3xI7-xZ0E all version of OpenSSL produce scary warning in nginx logs on every connect, if GOST TLS used: [alert] 25532#0: *28 ignoring stale global SSL error (SSL: error:140DD112:SSL

Re: [openssl.org #3533] [PATCH] Ensures that EVP encryption decryption operations check the encrypt flag on the context.

Patch visible. Thanks for contribution. As to actual content - it is up to OpenSSL team. But as to the style: comments of // type is not in OpenSSL code conventions. If you redo them to /**/ way - it could speed-up processing. On 13 November 2014 20:54, Alok Menghrajani via RT r...@openssl.org

Fwd: [openssl.org #3538] 1.0.1h make test fails on test_verify - Debian x64

Strange, but now on the same machine everything works fine. Seems it was fluctuations of world ether... On 21 September 2014 15:08, Andrey Kulikov via RT r...@openssl.org wrote: # uname -a Linux deb7 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux # gcc --version gcc-4.7.real

Re: [openssl.org #3538] 1.0.1h make test fails on test_verify - Debian x64

Strange, but now on the same machine everything works fine. Seems it was fluctuations of world ether... On 21 September 2014 15:08, Andrey Kulikov via RT r...@openssl.org wrote: # uname -a Linux deb7 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux # gcc --version gcc-4.7.real

[openssl.org #3538] 1.0.1h make test fails on test_verify - Debian x64

# uname -a Linux deb7 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux # gcc --version gcc-4.7.real (Debian 4.7.2-5) 4.7.2 ./config make make test fails with following: The following command should have some OK's and some failures There are definitly a few expired certificates

Re: [openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)

Indeed, Improved version of the patch are in: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up. On 9 September 2014 21:16, Rich Salz via RT r...@openssl.org wrote: From an internal review of the patch: Contexts are meant to be reused and (for example) reusing the same

Re: [openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)

Indeed, Improved version of the patch are in: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up. On 9 September 2014 21:16, Rich Salz via RT r...@openssl.org wrote: From an internal review of the patch: Contexts are meant to be reused and (for example) reusing the same

Re: [openssl.org #1372] default config should diable idea

The last patents for IDEA expired in 2012. Now it's free to use. On 3 July 2014 21:24, Rich Salz via RT r...@openssl.org wrote: As the changelog says for 0.9.8, (IDEA remains enabled despite being patented. This is because IDEA is frequently required for interoperability, and there is no

Re: [openssl.org #3430] ssltest fails when using -DTEMP_GOST_TLS

when I compile using the -DTEMP_GOST_TLS flag What the reason to do it? GOST TLS (at least that one what works) do not require this to be defined.

Re: [openssl.org #3328] [PATCH] Support for GOST R 34.10-2012 digital signature algorithm

Дмитрий, а есть ли у вас планы по внедрению TLS, основанного на новых ГОСТах, в OpenSSL ? Сам собирался занятся этим в начале лета, после отпуска. С вашей помощью, теперь, это совсем тривиально должно получиться. Можно скооперироваться как-нибудь. Если вы, конечно, всё сами не сделаете до этого.

Re: [openssl.org #3322] [PATCH] ccgost to use configured params for 28147-89 in CNT and IMIT mode

Dmitriy, Thanks for noticing! I do not see it either - correcting myself. :-) You are right - according to http://tools.ietf.org/html/draft-chudov-cryptopro-cptls-04 CryptoProParamSetA is required in GOST TLS. But only for content encryption. Premaster secret encryption could use any other

[openssl.org #3322] [PATCH] ccgost to use configured params for 28147-89 in CNT and IMIT mode

Currently ccgost engine use configured params (s-boxes) when it works in CFB mode only. For CNT and IMITO parameters are hardcoded to Gost28147_CryptoProParamSetA Supplied patch allow ccgost engine to really use parameters, specified either in config file, or via engine API. When nothing is

Re: [openssl.org #3311] [PATCH] Introduce GOST R 34.11-2012 hash function

Hello Dmitry, Thanks a lot for your commitment! It would be good idea to add test cases for new functionality as well. On 14 April 2014 23:52, Dmitry Olshansky via RT r...@openssl.org wrote: It's been a bit over 2 years since the new Russian cryptography standard is out. RFCs 6986 and

Re: [openssl.org #3308] Re: Return missed NULL-check in CMS_add0_cert back

Well... With this check 'make test' fails with: CMS = PKCS#7 compatibility tests signed content DER format, RSA key: generation error make[1]: *** [test_cms] Error 1 Can't reproduce that here. Anyone else seeing this? I saw it on Debian 7 x64, gcc 4.7.2 But anyway, as *pcerts

Re: [openssl.org #3310] Can't execute make command

What platform you are using, and what is the config parameters? Can happens due to accidental editing of source file?

[openssl.org #3307] Return missed NULL-check in CMS_add0_cert back

In 1.0.1g duplicated check for (!pcerts) where removed. Had an impression that second appearance was check for (!*pcerts) (as in all other functions). Return it back. Patch applied. 0001-Check-pcerts-for-NULL.patch Description: Binary data

[openssl.org #3308] Re: Return missed NULL-check in CMS_add0_cert back

Well... With this check 'make test' fails with: CMS = PKCS#7 compatibility tests signed content DER format, RSA key: generation error make[1]: *** [test_cms] Error 1 On 14 April 2014 00:16, Andrey Kulikov amde...@gmail.com wrote: In 1.0.1g duplicated check for (!pcerts) where removed. Had

Re: [openssl.org #3235] Re: AES256-SHA256 test failed on OpenSSL-1.0.1f ARM64( compiled with -O3 optimization)

Got the same error on Linux, both x86 and x64, when tried to add following lines to ./ssl/t1_enc.c@tls1_change_cipher_state: ssl3_cleanup_key_block(s); OPENSSL_cleanse(s-s3-read_mac_secret, sizeof(s-s3-read_mac_secret)); OPENSSL_cleanse(s-s3-write_mac_secret,

Re: [openssl.org #3201] EVP_DigestUpdate crashes because of a NULL pointer

EVP_MD_CTX_copy() also can fail due to external engine usage (including HW engine). In this case underlying work can be more complicated that memory allocation. Descriptors shortage, amount of simultaneous contexts constraints, etc. Or just bugs in engine code. On 27 December 2013 21:39,

Re: [openssl.org #3117] [PATCH] A fast vectorized implementation of binary elliptic curves on x86-64 processors

Dear Manuel, Exciting news! While your paper still unpublished, could you please advice, it there anything even nearly similar possible for curves over primary fields? (e.g. curves secp* ) Best regards, Andrey On 28 August 2013 09:06, Manuel Bluhm via RT r...@openssl.org wrote: Hello all,

[openssl.org #2953] s_server to show connection duration and transfer speed

Please find attached patch, introducing two new options for s_server: one specify maximum number of connections s_server will accept. It will exit clearly after completing last connection the other tells s_server to show each completed connection duration and data transfer rate. These options

Re: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

On 11 December 2012 04:00, Stephen Henson via RT r...@openssl.org wrote: I also notice that even the original HMAC version initialises two HMAC contexts with the same key. That could be improved by initialising one and copying the context across. This kind of optimization can be also

Re: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

Please find attached two patches, together implementing proper HMAC context re-initialization instead of full re-creation. In comparison to openssl-1.0.1c it gives ~10% handshake performance improvements when some engine-specific MAC are used. In order to apply patches use command patch -p1 -i

Re: ssl3_get_cert_verify performance

I'm affraid flamegraphs for two different servers with two different OpenSSL libraries without information about type of load it was collected with and without any information other than smth. started spending much more time than it was can not give much information about root cause for the issue.

Re: [openssl.org #2951] [PATCH] Fix speed.c to fork N threads

- for(n=0 ; n multi ; ++n) + for(n=0 ; n = multi ; ++n) Isn't |[0..n)| = n and |[0..n]| = n +1 ? I.e this patch will do one more iteration than expected? Assume multi = 1, for example.

Re: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

In my case, handshake rate drops down to 5-6% on the same hardware in 1.0.1c in comparison to 1.0.0i. I was wrong. Handshake performance degradation is about 10%. First guilty function is EVP_DigestSignFinal what is perform copying of supplied context. When I replaces in tls1_P_hash()

[openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

In comparison to 1.0.0, in 1.0.1 the implementation of PRF have been changed. In order to supporf TLS 1.1/1.2 features, in file ssl/t1_enc.c, in function tls_P_hash() calls to HMAC_Init/HMAC_Update/HMAC_Final where replaced by EVP_DigestSignInit/EVP_DigestSignUpdate/EVP_DigestSignFinal. As a

[openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)

issues in supplied patch - please let me know. Best wishes, Andrey Kulikov. Hello,In v1.0.1 tls_P_hash() has been changed in comparison to early OpenSSL versions.Used hash objects is re-initializing during P_hash calculation.It looks harmless, but only until we come to hash objects, holding

[openssl.org #2939] Re: [FIX] 1.0.0d: All platforms: GOST server MUST check correctness of shared UKM

Just noticing the wrong goto label in case of EVP_PKEY_CTX_ctrl() failue. Please find attached corrected patch (gost_server_to_check_ukm_v2.patch) On 17 April 2011 17:54, Andrey Kulikov amde...@gmail.com wrote: According to this document: http://tools.ietf.org/html/draft-chudov-cryptopro

Re: Multithreading performance patches

Hi Fedor, Thanks for valuable contribution! About your second patch: could you please advice, what the intended way to use BIO_TYPE_NO_EX_DATA in real-life applications? For example TSL-server. Do you have any numbers on performance gain when using this approach?

Re: OpenSSL and CRIME

Hi, OpenSSL enables zlib by default. Could you please advice for what version and platform this is true? openssl-1.0.1c for linux-elf has no-zlib configured by default.

Re: Why x509 displays ECDSA pub. key size two times less than actual?

By convention the key size for ECC is given as the number of bits in the order. E.g. see table 3 in SEC 1. Could you please provide a reference to document, defining this convention? Unfortunatelly table 3 in section B.2.1 of SEC 1 (both v1 and v2) shows only comparison of security level of

Re: Why x509 displays ECDSA pub. key size two times less than actual?

For ECC the key size is stated to be size of n in bits (where n is the order). 'n' is an order of base point 'G' on EC - i.e. size of private key (what should be in range [1; n-1]), not public. Thus, I understand that it is a size of EC private key 'd', what shown in table 3 in SEC 1.

Re: Why x509 displays ECDSA pub. key size two times less than actual?

Talking about the bit-length of the public key data is not particularly helpful because it depends on whether it is in compressed format or not. Sorry, but size of public key does not depends on size of it's representation. It can be compressed, Base64 encoded, etc., but it does not change size

Re: Why x509 displays ECDSA pub. key size two times less than actual?

As I said before it is convention when talking about a _key size_ to mean the number of bits in the order (i.e. the size of the private key). If we talking about just 'key size', then yes, we assume private key size. But I've never heard of convention to assume that for ECC public key size is

Why x509 displays ECDSA pub. key size two times less than actual?

Hello, Let's generate certificate with ECDSA key over 256 bit field: openssl ecparam -out key.pem -name prime256v1 -genkey openssl req -newkey ec:key.pem -x509 -nodes -days 365 -keyout pkey.pem -out cert.pem Then part of output of openssl x509 -text -in cert.pem will be: Subject

Re: [Q] OpenSSL memory usage per connection

Using SSL_MODE_RELEASE_BUFFERS option can drop memory footprint from 50K to around 5K per connection. It is useful when we'll have big number of connections. Also it may prevent excessive swapping. On 7 April 2012 08:22, eric wang eric_x_w...@yahoo.com wrote: Dear OpenSSL developers We got a

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

On 16 December 2011 02:47, Andy Polyakov via RT r...@openssl.org wrote: Attached patch fix the problem on cygwin. Does it mean that you can in fact confirm that modified speed.c runs without hanging? Yes, modified speed.c, being compiled in the same Cygwin environment as before, runs without

[openssl.org #2657] Win32: fail to compile - 1.0.1 snapshot 20111211

VisualStudio 2010 perl Configure VC-WIN32 ms\do_ms.bat nmake -f ms\nt.mak .. ml /nologo /Cp /coff /c /Cx /Zi /Fotmp32\vpaes-x86.obj tmp32\vpaes-x86.asm Assembling: tmp32\vpaes-x86.asm tmp32\vpaes-x86.asm(491) : error A2070:invalid instruction operands tmp32\vpaes-x86.asm(527) :

Re: [openssl.org #2657] Win32: fail to compile - 1.0.1 snapshot 20111211

The same for SNAP-20111213 On 14 December 2011 19:54, Andrey Kulikov via RT r...@openssl.org wrote:        ml /nologo /Cp /coff /c /Cx /Zi /Fotmp32\vpaes-x86.obj tmp32\vpaes-x86.asm  Assembling: tmp32\vpaes-x86.asm tmp32\vpaes-x86.asm(491) : error A2070:invalid instruction operands tmp32

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

. As in addition, even if speed' do not hangs up, each group of block calkulation MAY take significantly more than 3 sec... On 14 December 2011 01:45, Andrey Kulikov via RT r...@openssl.org wrote: Tested on two computers. Both native (i.e. non-VM) Windows7 x64 Professional (without SP1). One has E8600 CPU

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

downloaded 8G file via s_server from 1.0.1 snapshot 20111213 - works fine. Using RC4-SHA chipthersuite. __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

Checked with 1.0.0e - the same problem. speed hangs up with md4 md5 mdc2 and sha1, but works well with sha256 sha512 and whirlpool. I downloaded 8G file via s_server from 1.0.1 snapshot 20111213 - works fine. (using RC4-SHA chiphersuite) Seems problem in speed' itself, or, as Andy mentioned -

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

Compiler might be complaining about some small things, use your judgment to ignore warnings or to make it compile. It does complain! :-) Attached patch fix the problem on cygwin. Back-ported to 1.0.0e was not break native Win32 (32 bit, VS10) compilation. spped_cygwin.patch Description:

Re: [openssl.org #2657] Win32: fail to compile - 1.0.1 snapshot 20111211

Verify http://cvs.openssl.org/chngview?cn=21845. This patch helps! Thanks a lot! ml Microsoft (R) Macro Assembler Version 10.00.30319.01 Copyright (C) Microsoft Corporation.  All rights reserved. Microsoft Assembler gets *very* limited testing and the official standpoint is to favor nasm.

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

It does complain! :-) Attached patch fix the problem on cygwin. Does it mean that you can in fact confirm that modified speed.c runs without hanging? Yes, modified speed.c, being compiled in the same Cygwin environment as before, runs without hanging for all hashes. Interesting, why we do

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

Tested on two computers. Both native (i.e. non-VM) Windows7 x64 Professional (without SP1). One has E8600 CPU, the other is laptop with i5 mobile CPU. Both has 8G RAM. Both working stable for a monthes. No abnormalities, no BSODs. gcc version 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)

[openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

OpenSSL 1.0.1 snaphot 20111211, compiled on Cygwin, no special config options. gcc version 3.4.4 (cygming special, gdc 0.12, using dmd 0.125) CPU Code2 Duo E8600 make tests shows: ../util/shlib_wrap.sh ./shatest test 1 ok test 2 ok test 3 ok ../util/shlib_wrap.sh ./sha1test test 1 ok test 2 ok

[openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

The same behaviour is for other hashes: md4 md5 mdc2 and sha. But not for sha256, sha512 and whirlpool - everything is ok with these hashes: $ ./apps/openssl speed sha512 sha256 whirlpool OpenSSL 1.0.1-dev xx XXX built on: Tue Dec 13 08:14:31 RST 2011 options:bn(64,32) rc4(8x,mmx)

[openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

Can you reproduce it under cygwin gdb? I.e. 'gdb apps/openssl' and then at gdb prompt 'run speed sha1'. If yes, ctrl-C and 'info threads'. Then 'cont', ctrl-C and 'info threads' few more times. Look at thread #1 at all occasions. Where is it caught? Does program counter varies? If  it's

Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin

Where is it caught? Addentum: programm caught in different functions: I saw OPENSSL_Cleanse(), EVP_DigestUpdate(), sha1_something and others. I provided 'thread apply 1 info reg' only if it get caugth in sha1_block_data_order_ssse3 (). openssl was compiled with ./config -g (gdb) info

Re: [openssl.org #2650] major ssl read/ write performance improvement - updated

Hello Michael, I have tested youe patch. It is working stable at least with ccgost engine (and without any engine too, of cource). Thanks for contribution! Could you please describe, what was your test environmnet and test methodology? How did you measure that doubling read/write speed? What

[openssl.org #2365] Limitations of ENGINE interface hamper performance on modern hardware

3) An accellerator device directly supports TLS/SSL record encryption/decryption and the handshake operation itself. We do many bus transactions to the accellerator (and possibly system calls into the OS kernel) where we could do one, doing every single basic cryptographic operation

Re: major ssl read/ write performance improvement

Hello, Thanks for interesting contribution! Unfortunately when I apply the patch s_server failed with SEGFAULT, when using ccgost engine (and possibly others) here: EVP_DigestSignFinal if (sctx) r = md_ctx_ptr-pctx-pmeth-signctx(md_ctx_ptr-pctx,

Re: [openssl.org #2551] [PATCH] All platforms: Option to disable sending renegotiation_info extension.

First of all - it is not a Microsoft bug. This is bug in some products, who act as a TLS clients. Second: what should I describe to customers? :-) Their programms works with other server, by not with mine. Is the question still valid? :-) On 1 July 2011 12:20, Ben Laurie via RT r...@openssl.org

What the resons to use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION may be?

Hello, There is an option available: SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION Descroption laconicaly states: When performing renegotiation as a server, always start a new session (i.e., session resumption requests are only accepted in the initial handshake). This option is not needed for

Re: What the resons to use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION may be?

. Would be really appreciated for any comments. Best wishes, Andrey On 18 June 2011 15:58, Andrey Kulikov amde...@gmail.com wrote: Hello, There is an option available: SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION Descroption laconicaly states: When performing renegotiation as a server

Re: s_client -reconnect with DTLS

Hello, I'm sure you'll get help faster, if you describe: 1. What are you doing exactly. 2. What do you see. 3. What do you expect to see. This is absolutelly necessary steps, as all telepathist is on vacation now. On 22 April 2011 15:50, N. J. nadh...@yahoo.com wrote: Hi again, I am not

Re: [openssl.org #2496] [PATCH] Fix compile problems when various ciphers are disabled

Tim, Seems that you miss to attach a file with actual patch... On 12 April 2011 11:13, Tim Jackson via RT r...@openssl.org wrote: When turning off various ciphers, OpenSSL doesn't always compile. The attached patches fix various issues with OpenSSL when ciphers (particularly RSA or DSA) are

[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

I prefer more generic method similar to ENGINE_load_ssl_client_cert, i.e. I need EVP keys, corresponding certificates and the certificate chain. Additional methods has server in it's names for the same reason why ENGINE_load_ssl_client_cert has client in it. ENGINE_load_server_certificate()

[openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

Hello, Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE. Currently OpenSSL allows loading certificate only from a file. Loading by specific engine is required for hardware-based engines, which used their own certificate

HowTo: Engine-specific TLS master secret generation?

Hello, Now OpenSSL generates master secret and read/write keys inside the library, left only premaster secret decryption to the engine. In case of hardware-based TLS engine it could be not an option, as there may be no possibility to set read/write keys from outside (or it may be restricted

Re: adding new encryption algorithm to OpenSSL

This explanation may help you to add new algorithms to OpenSSL: http://www.mail-archive.com/openssl-users@openssl.org/msg59630.html On 18 January 2011 08:59, M. V. bored_to_deat...@yahoo.com wrote: hi, for a project, i have to add my own encryption algorithm to racoon (part of ipsec-tools)

What the purpose of EVP_PKEY_derive() function?

Hello, I'm exploring how to implement custom engine, and can't undestand the purpose of EVP_PKEY_derive() function. It is possible to set pointer to it's implementation using EVP_PKEY_meth_set_derive() call. But it used only in *pkeyutl* command. It is not used in SSL handshake. The only engine

Re: What is the REALLY proper way to use an ENGINE?

On 4 January 2011 16:54, Dr. Stephen Henson st...@openssl.org wrote: I can't see how that would happen: I find a way to reproduce it: just call ENGINE_load_builtin_engines() twice. Or call ENGINE_load_builtin_engines() after OPENSSL_config() which calls it too. It happens because internal

What is the REALLY proper way to use an ENGINE?

If we take a look at any ENGINE_load_XXX function, we find that they all has similar structure: ENGINE *toadd = engine_XXX(); if(!toadd) return; ENGINE_add(toadd); ENGINE_free(toadd); ERR_clear_error(); My question is: why we need call ENGINE_free(toadd) ?? Somewhere inside

Re: What is the REALLY proper way to use an ENGINE?

Update: adding ENGINE_init(e) after e = ENGINE_by_id(XXX); doesn't make any difference, as in my case functional reference count is 8(???) at the moment of ENGINE_init(e) call, so engine is not re-initialised. :( On 4 January 2011 04:12, Andrey Kulikov amde...@gmail.com wrote: If we take

Re: What is the REALLY proper way to use an ENGINE?

January 2011 06:23, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Jan 04, 2011, Andrey Kulikov wrote: If we take a look at any ENGINE_load_XXX function, we find that they all has similar structure: ENGINE *toadd = engine_XXX(); if(!toadd) return; ENGINE_add(toadd

Re: s_client - debug arg make the difference

I had the same behaviour (different results in debug/not debug). In my case answer was obvious: in debug environment I had different value for OPENSSL_CONF env. variable, and that why in debug nothing works. On 22 December 2010 16:58, Benjamin benja...@gentilkiwi.net wrote: Hello, Maybe a

Re: [openssl.org #2398] [PATCH] gost code cleanup

On 16 December 2010 16:31, Mark Andrews via RT r...@openssl.org wrote: encountered a NULL pointer dereference in the gost code due to a undetected EVP_PKEY_assign() failure in pkey_gost01_paramgen(). Thnaks for report! Could you please share a secret knowelege: why EVP_PKEY_assign() fails in

Is it really possible to generate gost-mac using ccgost engine?

Hello, I've got a problem with calculating gost-mac using Openssl 1.0.0a May be problem with cmd options, but I was unable to find out how to get it work Trying to generate gost-mac. Example from documentation (engines/ccgost/README.gost) Calculation of GOST 28147 MAC

Re: Source level debug config for 1.0.0a?

As a quick hack I added to root Makefile following lines: == debug: CFLAG+= -ggdb3 -O0 -DDEBUG debug: all == just before all: Makefile build_all openssl.pc libssl.pc libcrypto.pc Then # make clean # make debug After that NetBeans can walk through source using gdb. Linux i368. It

Re: Is it really possible to generate gost-mac using ccgost engine?

On 12 November 2010 19:26, Valery Blazhnov vblazh...@lissi.ru wrote:  This command works with ccgost engine: openssl dgst -mac gost-mac -binary -macopt hexkey:3132333435363738393031323334353637383930313233343536373839303132 -out mac.bin data.bin What openssl version do you use? I use 1.0.0a,

Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???

On 12 November 2010 15:20, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Nov 12, 2010, Andrey Kulikov wrote: Hello, I'm trying to make s_server and s_client work with GOST encryption using ccgost engine and certificates with GOST algos. But it unable to work, complaining to bad mac

Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???

Sorry, previous email is about 1.0.1 latest snapshot. I just checked with 1.0.1 ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz Results exactly the same. If you'll need any details - please let me know. Andrey On 13 November 2010 00:43, Andrey Kulikov amde...@gmail.com

Re: 1.0.0a s_server with GOST certificate can't compute sha1 digest???

Hello, On 13 November 2010 03:33, Dr. Stephen Henson st...@openssl.org wrote: I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1 which is the default for OpenSSL 1.0.1. If you include -no_tls1_1 in the command line it should work or if you try a recent 1.0.0 snapshot

1.0.0a s_server with GOST certificate can't compute sha1 digest???

Hello, I'm trying to make s_server and s_client work with GOST encryption using ccgost engine and certificates with GOST algos. But it unable to work, complaining to bad mac computing. (If I use RSA-based certificates, everything works just fine.) Openssl 1.0.0a, Linux i386 I have ccgost

Re: Source level debug config for 1.0.0a?

Thanks for pointing to this feature! In context of original question ./Configure debug-rse looks better than others, as it add -ggdb3 switch, while just -g (like in all others debugging targets) was not work well (for me). On 10 November 2010 16:33, Martin Kaiser li...@kaiser.cx wrote: Hello,

How to generate gost-mac using ccgost engine?

Hello, I've got a problem with calculating gost-mac using Openssl 1.0.0a May be problem with cmd options, but I was unable to find out how to get it work Trying to generate gost-mac. Example from documentation (engines/ccgost/README.gost)  Calculation of GOST 28147 MAC  

Re: Source level debug config for 1.0.0a?

As a quick hack I added to root Makefile following lines: == debug: CFLAG+= -ggdb3 -O0 -DDEBUG debug: all == just before all: Makefile build_all openssl.pc libssl.pc libcrypto.pc Then # make clean # make debug After that NetBeans can walk through source using gdb. Linux i368. It