Help decrypting TLS

2009-06-29 Thread Harsha gowda 
Hi,
I am sniffing packets over wireless of 802.11i packets,
Which uses EAP-TLS,
So i have two way data and private key of CA.

Client-Hello--

Server-Hello

ClientKeyexchange

So now i can derive key-block,

But openssl utlity for SSL3/TLS methods are built for active sessions only,
I mean

1st create a socket

fd=create_sock()
then pass the socket descriptor to ssl_ctx

is there any hack or work arround,

Like i have sniffed packet so can store them in file and give file
descriptor as socket descriptor ?.

SSLDump changes the TLSV1 method and injects the certificate,Client and
server random number of capture file and try to generate Key-block
 decrypt the text,

But SSLDump does not support all the TLSV1 ciphers.


Can any one help me in this regard

Thanks
Harsha



-- 
ಇಂತಿ
ಹರ್ಷ ಕೃ ಗೌಡ

Re: Help decrypting TLS

2009-06-29 Thread krish 
Can You pass tell me the cipher suite it is using ?
if the Key Exchange algo is Diffie and Helman .. then there is no way You
can decrypt.


Regards,
krishna.


On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda harsha.k.go...@gmail.comwrote:

 Hi,
 I am sniffing packets over wireless of 802.11i packets,
 Which uses EAP-TLS,
 So i have two way data and private key of CA.

 Client-Hello--

 Server-Hello

 ClientKeyexchange

 So now i can derive key-block,

 But openssl utlity for SSL3/TLS methods are built for active sessions only,
 I mean

 1st create a socket

 fd=create_sock()
 then pass the socket descriptor to ssl_ctx

 is there any hack or work arround,

 Like i have sniffed packet so can store them in file and give file
 descriptor as socket descriptor ?.

 SSLDump changes the TLSV1 method and injects the certificate,Client and
 server random number of capture file and try to generate Key-block
  decrypt the text,

 But SSLDump does not support all the TLSV1 ciphers.


 Can any one help me in this regard

 Thanks
 Harsha



 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ

Re: Help decrypting TLS

2009-06-29 Thread krish 
its Diffie and Helman Key exchange algorith.
There is no way You decrypt this session.

for info on DIffie and Hellman see this url

http://en.wikipedia.org/wiki/Diffie-Hellman.

for public key and private key exchange algos You need private key file to
decrypt the sessions.




Regards,
krish.


On Mon, Jun 29, 2009 at 5:54 PM, Harsha gowda harsha.k.go...@gmail.comwrote:

 Hi,

 Its
 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

 Regards
 Harsha


 On Mon, Jun 29, 2009 at 5:31 PM, krish krishna.kumar.i...@gmail.comwrote:

 Can You pass tell me the cipher suite it is using ?
 if the Key Exchange algo is Diffie and Helman .. then there is no way You
 can decrypt.


 Regards,
 krishna.



 On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda 
 harsha.k.go...@gmail.comwrote:

 Hi,
 I am sniffing packets over wireless of 802.11i packets,
 Which uses EAP-TLS,
 So i have two way data and private key of CA.

 Client-Hello--

 Server-Hello

 ClientKeyexchange

 So now i can derive key-block,

 But openssl utlity for SSL3/TLS methods are built for active sessions
 only,
 I mean

 1st create a socket

 fd=create_sock()
 then pass the socket descriptor to ssl_ctx

 is there any hack or work arround,

 Like i have sniffed packet so can store them in file and give file
 descriptor as socket descriptor ?.

 SSLDump changes the TLSV1 method and injects the certificate,Client and
 server random number of capture file and try to generate Key-block
  decrypt the text,

 But SSLDump does not support all the TLSV1 ciphers.


 Can any one help me in this regard

 Thanks
 Harsha



 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ





 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ

Re: Help decrypting TLS

2009-06-29 Thread Harsha gowda 
Hi,
:)
Ya i have private key of server,

Regards
Harsha

On Mon, Jun 29, 2009 at 6:02 PM, krish krishna.kumar.i...@gmail.com wrote:

 its Diffie and Helman Key exchange algorith.
 There is no way You decrypt this session.

 for info on DIffie and Hellman see this url

 http://en.wikipedia.org/wiki/Diffie-Hellman.

 for public key and private key exchange algos You need private key file to
 decrypt the sessions.




 Regards,
 krish.



 On Mon, Jun 29, 2009 at 5:54 PM, Harsha gowda harsha.k.go...@gmail.comwrote:

 Hi,

 Its
 Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

 Regards
 Harsha


 On Mon, Jun 29, 2009 at 5:31 PM, krish krishna.kumar.i...@gmail.comwrote:

 Can You pass tell me the cipher suite it is using ?
 if the Key Exchange algo is Diffie and Helman .. then there is no way You
 can decrypt.


 Regards,
 krishna.



 On Mon, Jun 29, 2009 at 3:30 PM, Harsha gowda 
 harsha.k.go...@gmail.comwrote:

 Hi,
 I am sniffing packets over wireless of 802.11i packets,
 Which uses EAP-TLS,
 So i have two way data and private key of CA.

 Client-Hello--

 Server-Hello

 ClientKeyexchange

 So now i can derive key-block,

 But openssl utlity for SSL3/TLS methods are built for active sessions
 only,
 I mean

 1st create a socket

 fd=create_sock()
 then pass the socket descriptor to ssl_ctx

 is there any hack or work arround,

 Like i have sniffed packet so can store them in file and give file
 descriptor as socket descriptor ?.

 SSLDump changes the TLSV1 method and injects the certificate,Client and
 server random number of capture file and try to generate Key-block
  decrypt the text,

 But SSLDump does not support all the TLSV1 ciphers.


 Can any one help me in this regard

 Thanks
 Harsha



 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ





 --
 ಇಂತಿ
 ಹರ್ಷ ಕೃ ಗೌಡ





-- 
ಇಂತಿ
ಹರ್ಷ ಕೃ ಗೌಡ

Request from THALES to OPEN SSL

2009-06-29 Thread patrick doudement 

Hi,

Within the framework of our Export Control survey activity for 
components of THALES equipments, and in order to update our databases, 
and in order to comply with the export regulation, we need to know the 
applicable *Export Control Code* and *ECCN* (Export Control 
Classification Number) code for the following* *product :

*
** OPENSSL 0.9.8J

*Thank you in advance for your fast answer.

Regards.

P. Doudement

--
The information contained in this e-mail/fax and any attachments are the 
property of THALES and may be confidential.
If you are not the intended recipient, please notify us immediately, send this 
message back to us and destroy it.
You are hereby notified that any review, dissemination, distribution, copying 
or otherwise use of this e-mail/fax is strictly prohibited.

begin:vcard
fn:Patrick Doudement
n:Doudement;Patrick
org:THALES CORPORATE SERVICES ;TS / TLS / EPM
adr;quoted-printable:;;18, avenue du Mar=C3=A9chal Juin ;MEUDON la FORET CEDEX;;92366;FRANCE
email;internet:patrick.doudem...@thalesgroup.com
title;quoted-printable:Manager Donn=C3=A9es Export Control
tel;work:+33 (0)1 70 28 24 19
tel;fax:+33 (0)1 70 28 25 00
x-mozilla-html:TRUE
version:2.1
end:vcard

Query Regarding building wpa_suplicant wit OpenSSL support.

2009-06-29 Thread Gaurav Halwasia -X (ghalwasi - at Cisco) 
Hi Team,
 
I want to have OpenSSL support in wpa_suplicant in order to get the
support for the functionality needed for EAP-FAST in wpa_suplicant. For
this I have downloaded the openssl-0.9.8d.tar.tar file and I have
openssl-0.9.8d-tls-extensions.patch file with me.
 
But I am not sure what exactly needs to be done now to build
wpa_suplicant for EAP-FAST support. 
I am new to this. Can you please help me in this.
 
Thanks  Regards,
Gaurav

Re: Query Regarding building wpa_suplicant wit OpenSSL support.

2009-06-29 Thread Guenter 
Hi Gaurav,
Gaurav Halwasia -X (ghalwasi - at Cisco) schrieb:
 I want to have OpenSSL support in wpa_suplicant in order to get the
 support for the functionality needed for EAP-FAST in wpa_suplicant. For
 this I have downloaded the openssl-0.9.8d.tar.tar file and I have
 openssl-0.9.8d-tls-extensions.patch file with me.
there are no *.tar.tar files for download - that is a bug with your
browser; the release downloads are named tar.gz; also when you start
into something new why dont you use latest 0.9.8k which includes already
the tls extensions? 0.9.8d is nearly 3 years old, and there are reasons
as f.e. security fixes why new versions are released.

 But I am not sure what exactly needs to be done now to build
 wpa_suplicant for EAP-FAST support.
 I am new to this. Can you please help me in this.
first I'd suggest you download 0.9.8k (right-click--save-as should give
you the right name):
http://www.openssl.org/source/openssl-0.9.8k.tar.gz
then extract this with:
tar xvfz openssl-0.9.8k.tar.gz
and build it for your platform (read the docu related to your platform
for how to do that). Then read the docu of the wpa_suplicant package
which should explain how to plugin OpenSSL.

Günter.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #1823] Linux configuration options for OCF/HAVE_CRYPTODEV needed

2009-06-29 Thread Philip A. Prindeville via RT 
Philip A. Prindeville wrote:
 Stephen Henson via RT wrote:
   
 [philipp_s...@redfish-solutions.com - Mon Jan 26 12:04:34 2009]:

 The OCF code has been ported to Linux:

 http://sourceforge.net/project/showfiles.php?group_id=133575


 it would be very nice if this were supported in openssl without patching.

 For instance, crypto/engine/eng_all.c tests for:


 #if defined(__OpenBSD__) || defined(__FreeBSD__)


 but why not test for HAVE_CRYPTODEV instead, and allow this to be set by 
 the configuration environment?

   
 You should be able to set HAVE_CRYPTODEV in the configuration
 environment with the command line switch -DHAVE_CRYPTODEV . Is the above
 line the only case you need to patch?

 Steve.
 

 As far as I can tell, the files that conditionally expose cryptodev stuff 
 are:

 crypto/engine/eng_all.c
 crypto/engine/engine.h
 include/openssl/engine.h
 libssl/crypto/evp/c_all.c

 and that's it.

 I'm attaching a copy of the patch we use on Linux and uClibc if anyone is 
 interested.

 -Philip

   

Didn't hear back.  I responded on 03/09/2009.

Should I repost this patch?  I'm trying to figure out what you need from
me to get movement on issues 1821, 1822, and 1823.

Thanks,

-Philip


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #1821] Extensive use of @commands in Makefile makes troubleshooting challenging

2009-06-29 Thread Stephen Henson via RT 
 [philipp_s...@redfish-solutions.com - Mon Mar 09 18:21:52 2009]:
 
 Stephen Henson via RT wrote:
 
  There have been some concerns expressed in the mailing list about
 how
  portable this is to the many version of 'make' it has to work with.
 
  Steve.
 
 
 The '@' command for quiet has been standard in Make going back to (at
 least) 4.3BSD (circa 1983).
 
 It could always be bracketed by a test for non-compliant OSes...
 

It's not the @ command which might be non-portable IMHO but the
expansion of $(Q) into @.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #1822] Issues w/ fips Makefile

2009-06-29 Thread Stephen Henson via RT 
 [philipp_s...@redfish-solutions.com - Mon Jan 26 12:04:23 2009]:
 
 The target:
 
 fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
 $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@
 sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o
 
 is built, but the extension is dropped when it's actually invoked:
 
 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
   ...
 ./fips_standalone_sha1 fipscanister.o  fipscanister.o.sha1
 
 
 should be ./fips_standalone_sha1$(EXE_EXT) ... of course.
 

OK, I can fix the missing $(EXE_EXT) but this is part of the validated
tarball so wont be usable for FIPS. 

 Also, in a cross-compiling environment, CC tends to default to the
 target machine.
 
 If you're building intermediate binaries to be run as part of the
 build
 itself, these need to be indicated separately.
 
 A common practice is:
 
 HOSTCC?=$(CC)
 ...
 
 fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
   $(HOSTCC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c
 $(FIPSLIBDIR)fipscanister.o
 

The FIPS builds currently don't support cross compilation so this be of
much use in practice: they have to run a generate binary in order to
extract the signature during the linking process.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #1821] Extensive use of @commands in Makefile makes troubleshooting challenging

2009-06-29 Thread Philip Prindeville via RT 
Stephen Henson via RT wrote:
 [philipp_s...@redfish-solutions.com - Mon Mar 09 18:21:52 2009]:

 Stephen Henson via RT wrote:
 There have been some concerns expressed in the mailing list about
 how
 portable this is to the many version of 'make' it has to work with.

 Steve.

 The '@' command for quiet has been standard in Make going back to (at
 least) 4.3BSD (circa 1983).

 It could always be bracketed by a test for non-compliant OSes...

 
 It's not the @ command which might be non-portable IMHO but the
 expansion of $(Q) into @.

I guess I still don't understand the issue.  On the platforms that don't 
support this, it could be left undefined or set to the empty string...

-Philip



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: [openssl.org #1960] i2d_SSL_SESSION/d2i_SSL_SESSION does not persist session compress_meth

2009-06-29 Thread Sean Cunningham via RT 

Currently OpenSSL always uses the values in client hello and server
hello to negotiate compression even for a resumed session. So provided
the client includes the compression method from the original method in
client hello (as required by standards) the server should end up using
compression again.


Interesting; that's not what I'm seeing with the version of OpenSSL I'm testing 
with:  'OpenSSL 0.9.8h 28 May 2008'.  The system seems to be using the 
compression type that is provided by the session returned from the user defined 
session cache, not what was negotiated during client hello/server hello.

Not sure if the resumed session should be using the newly negotiated 
compression algorithm regardless.  RFC 3749 has the following clause:

 1.  The compression algorithm MUST be retained when resuming a
   session.

   2.  The compression state/history MUST be cleared when resuming a
   session.


So in the case where, for whatever reason, the cilent and server negotiate a 
different compression type, it appears that the connection should revert to the 
original comp type RE: RFC 3749.


Regards,
Sean



Sean Cunningham
MANDIANT
Software Engineer
675 North Washington Street
Suite 210
Alexandria, VA 22314
703.683.3141 t
703.683.2891 f
sean.cunning...@mandiant.com
www.mandiant.com

From: Stephen Henson via RT [...@openssl.org]
Sent: Sunday, June 28, 2009 6:31 PM
To: Sean Cunningham
Cc: openssl-dev@openssl.org
Subject: [openssl.org #1960] i2d_SSL_SESSION/d2i_SSL_SESSION does not persist 
session compress_meth

 [sean.cunning...@mandiant.com - Thu Jun 25 08:23:49 2009]:


 This bug is not platform specific.

 Some proxies, such as nginx, implement custom session caches via the
openssl callback API's.  This implementation makes use of the
i2d_SSL_SESSION API to copy the session into a contiguous block of
memory.  When the next session matches, the cache calls
d2i_SSL_SESSION to transform the block of memory back into a
session object, which it then returns to OpenSSL.  However, the
session's compress_meth is not persisted i2d_SSL_SESSION, so if the
compress_meth is non-zero, it is not properly restored.  The SSL
connection then fails with a 'error:1408F06B:SSL
routines:SSL3_GET_RECORD:bad decompression' on the client side.


While I agree that OpenSSL doesn't include the compression method in
SSL_SESSION, I'm trying to see how this could happen in practice.

Currently OpenSSL always uses the values in client hello and server
hello to negotiate compression even for a resumed session. So provided
the client includes the compression method from the original method in
client hello (as required by standards) the server should end up using
compression again.



__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects

2009-06-29 Thread David McCullough 

Hi openssl-dev,

Here is a series of patches against the openssl-SNAP-20090628 release.
The patches fix a number of bugs and also add functionality from the
ocf-linux and uClinux-dist projects.

ocf-linux is a linux port of the OCF framework from BSD.  The project
has been running since 2004.

uClinux-dist is a full source distribution thats allows for easy cross
compilation for many different CPU/platform/vendor combinations,  including
both systems with and without MMUs.  It has been running since before 2002.

I have split the patches up into small unit changes so that they are easier
to review and apply.  Most if not all of the patches can be used in
isolation against a current openssl source tree.

Please let me know if there are any issues or if some other format is
preferred,

Thanks,
Davidm

ocf-linux:http://ocf-linux.sourceforge.net/
uClinux-dist: http://www.uclinux.org/pub/uClinux/dist/

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 01/14] Build should fail if makedepend is not present.

2009-06-29 Thread David McCullough 

If makedepend fails (for example, if it isn't in the path), then domd
should fail so the build can stop on the error.

---
 util/domd |8 ++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/util/domd b/util/domd
index 27c0211..bab48cb 100755
--- a/util/domd
+++ b/util/domd
@@ -22,13 +22,17 @@ if expr $MAKEDEPEND : '.*gcc$'  /dev/null; then
 done
 sed -e '/^# DO NOT DELETE.*/,$d'  Makefile  Makefile.tmp
 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'  
Makefile.tmp
-${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args  Makefile.tmp 
|| exit
+${MAKEDEPEND} -Werror -D OPENSSL_DOING_MAKEDEPEND -M $args  Makefile.tmp 
|| exit 1
 ${PERL} $TOP/util/clean-depend.pl  Makefile.tmp  Makefile.new
+RC=$?
 rm -f Makefile.tmp
 else
-${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@
+${MAKEDEPEND} -D OPENSSL_DOING_MAKEDEPEND $@  \
 ${PERL} $TOP/util/clean-depend.pl  Makefile  Makefile.new
+RC=$?
 fi
 mv Makefile.new Makefile
 # unfake the presence of Kerberos
 rm $TOP/krb5.h
+
+exit $RC

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 03/14] Make sure defines to remove SHA are correct.

2009-06-29 Thread David McCullough 

Some combinations of algorithm removal cause compilation errors.
Fix this case for SHA/SHA1.

---
 crypto/evp/c_alld.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/crypto/evp/c_alld.c b/crypto/evp/c_alld.c
index 5032e7c..aa565a6 100644
--- a/crypto/evp/c_alld.c
+++ b/crypto/evp/c_alld.c
@@ -81,7 +81,7 @@ void OpenSSL_add_all_digests(void)
EVP_add_digest(EVP_dss());
 #endif
 #endif
-#ifndef OPENSSL_NO_SHA
+#if !defined(OPENSSL_NO_SHA)  !defined(OPENSSL_NO_SHA1)
EVP_add_digest(EVP_sha1());
EVP_add_digest_alias(SN_sha1,ssl3-sha1);
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 04/14] Ensure OCSP can be disabled.

2009-06-29 Thread David McCullough 

Some support for OCSP was not ifdef'd and prevents its exclusion from
openssl via the config options.

---
 apps/progs.h |2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/apps/progs.h b/apps/progs.h
index d323a1c..79e479a 100644
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -142,7 +142,9 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_ENGINE
{FUNC_TYPE_GENERAL,engine,engine_main},
 #endif
+#ifndef OPENSSL_NO_OCSP
{FUNC_TYPE_GENERAL,ocsp,ocsp_main},
+#endif
{FUNC_TYPE_GENERAL,prime,prime_main},
{FUNC_TYPE_GENERAL,ts,ts_main},
 #ifndef OPENSSL_NO_MD2

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 05/14] Do not run off the end of the params array.

2009-06-29 Thread David McCullough 

Do not run off the end of the RSA params arrays freeing values
or we will crash (or worse, corrupt the heap).

---
 crypto/engine/eng_cryptodev.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index ab38cd5..4f2470b 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -681,7 +681,7 @@ zapparams(struct crypt_kop *kop)
 {
int i;
 
-   for (i = 0; i = kop-crk_iparams + kop-crk_oparams; i++) {
+   for (i = 0; i  kop-crk_iparams + kop-crk_oparams; i++) {
if (kop-crk_param[i].crp_p)
free(kop-crk_param[i].crp_p);
kop-crk_param[i].crp_p = NULL;

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 07/14] Use a stronger key when testing algs.

2009-06-29 Thread David McCullough 

Some implementations of DES (ie., linux kernel) will not tolerate
extremely weak keys, fix this by making it non-repetitive.

---
 crypto/engine/eng_cryptodev.c |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 4f2470b..2259916 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -264,7 +264,7 @@ get_cryptodev_ciphers(const int **cnids)
return (0);
}
memset(sess, 0, sizeof(sess));
-   sess.key = (caddr_t)123456781234567812345678;
+   sess.key = (caddr_t)123456789abcdefghijklmno;
 
for (i = 0; ciphers[i].id  count  CRYPTO_ALGORITHM_MAX; i++) {
if (ciphers[i].nid == NID_undef)

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 08/14] Fix unused variable words and uninited data b.

2009-06-29 Thread David McCullough 

words was unsed (compiler warning) remove it.

b was uninited memory causing us to generate bogus numbers to pass into
cryptodev.

---
 crypto/engine/eng_cryptodev.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 2259916..16afaf7 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -625,7 +625,7 @@ static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
int i, j, k;
-   ssize_t words, bytes, bits;
+   ssize_t bytes, bits;
u_char *b;
 
crp-crp_p = NULL;
@@ -637,6 +637,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
b = malloc(bytes);
if (b == NULL)
return (1);
+   memset(b, 0, bytes);
 
crp-crp_p = b;
crp-crp_nbits = bits;

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 09/14] Only test speeds up to 4K packets.

2009-06-29 Thread David McCullough 

Change the speed test to only test sizes up to 4096.  Most cryptodev
HW drivers fail with 8192 sized requests.  4K seems like a reasonable
limit to test up to.

---
 apps/speed.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index cd41252..52bc481 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -205,7 +205,7 @@ static int do_multi(int multi);
 #endif
 
 #define ALGOR_NUM  29
-#define SIZE_NUM   5
+#define SIZE_NUM   6
 #define RSA_NUM4
 #define DSA_NUM3
 
@@ -221,7 +221,7 @@ static const char *names[ALGOR_NUM]={
   evp,sha256,sha512,whirlpool,
   aes-128 ige,aes-192 ige,aes-256 ige};
 static double results[ALGOR_NUM][SIZE_NUM];
-static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
+static int lengths[SIZE_NUM]={16,64,256,1024,2*1024,4*1024};
 static double rsa_results[RSA_NUM][2];
 static double dsa_results[DSA_NUM][2];
 #ifndef OPENSSL_NO_ECDSA

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 11/14] Ensure 'make links' gets all headers correctly.

2009-06-29 Thread David McCullough 

Needed to include all the headers in the links target to get openssl
cross compiling nicely within the uClinux-dist.

---
 Makefile.org |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Makefile.org b/Makefile.org
index ba29744..57265c6 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -379,7 +379,7 @@ files:
 
 links:
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
-   @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
+   @$(PERL) $(TOP)/util/mklink.pl include/openssl $(HEADER) $(EXHEADER)
@set -e; target=links; $(RECURSIVE_BUILD_CMD)
 
 gentests:

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 12/14] Config option for cryptodev on other OS's (+ hash)

2009-06-29 Thread David McCullough 

Add --with-cryptodev option to config so that an OS like linux may enable
cryptodev support if it has been ported (ie., ocf-linux).

Add --with-cryptodev-digests to optionally include hash support via
cryptodev (disabled by default as it is usually too slow to be useful).

Add a working cryptodev hash implementation.

Fix up RSA API compliance for rsa_nocrt_mod_exp method while here.

---
 Configure |   22 +++
 INSTALL   |6 +
 crypto/engine/eng_all.c   |4 +-
 crypto/engine/eng_cryptodev.c |  403 ++---
 crypto/engine/engine.h|2 +-
 crypto/evp/c_all.c|2 +-
 6 files changed, 366 insertions(+), 73 deletions(-)

diff --git a/Configure b/Configure
index 5376ed3..a2681c3 100755
--- a/Configure
+++ b/Configure
@@ -34,6 +34,8 @@ my $usage=Usage: Configure [no-cipher ...] 
[enable-cipher ...] [experimenta
 #  (Default: KRB5_DIR/include)
 # --with-krb5-flavor  Declare what flavor of Kerberos 5 is used.  Currently
 #  supported values are MIT and Heimdal.  A value is required.
+# --with-cryptodev Force support for cryptodev (ie., ocf-linux)
+# --with-cryptodev-digests Force support for cryptodev digests (generally slow)
 #
 # --test-sanity Make a number of sanity checks on the data in this file.
 #   This is a debugging tool for OpenSSL developers.
@@ -628,6 +630,8 @@ my $no_rfc3779=1; # but no-rfc3779 is default
 my $no_asm=0;
 my $no_dso=0;
 my $no_gmp=0;
+my $have_cryptodev=0;
+my $use_cryptodev_digests=0;
 my @skip=();
 my $Makefile=Makefile;
 my $des_locl=crypto/des/des_locl.h;
@@ -771,6 +775,14 @@ PROCESS_ARGS:
{
exit(test_sanity());
}
+   elsif (/^--with-cryptodev$/)
+   {
+   $have_cryptodev = 1;
+   }
+   elsif (/^--with-cryptodev-digests$/)
+   {
+   $use_cryptodev_digests = 1;
+   }
elsif (/^reconfigure/ || /^reconf/)
{
if (open(IN,$Makefile))
@@ -1145,6 +1157,16 @@ if (!$no_krb5)
   $withargs{krb5-dir} ne ;
}
 
+# enable the linux cryptodev (ocf-linux) support
+if ($have_cryptodev)
+   {
+   if ($use_cryptodev_digests)
+   {
+   $cflags = -DUSE_CRYPTODEV_DIGESTS $cflags;
+   }
+   $cflags = -DHAVE_CRYPTODEV $cflags;
+   }
+
 # The DSO code currently always implements all functions so that no
 # applications will have to worry about that from a compilation point
 # of view. However, the methods may return zero unless that platform
diff --git a/INSTALL b/INSTALL
index 85e2660..4d98ac0 100644
--- a/INSTALL
+++ b/INSTALL
@@ -103,6 +103,12 @@
 define preprocessor symbols, specify additional libraries,
 library directories or other compiler options.
 
+  --with-cryptodev Enabled the BSD cryptodev engine even if we are not using
+   BSD.  Useful if you are running ocf-linux or something
+   similar.  Once enabled you can also enable the use of
+   cryptodev digests,  with is usually slower unless you have
+   large amounts data.  Use --with-cryptodev-digests to force
+   it.
 
  Installation in Detail
  --
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 623485d..3165b98 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -68,7 +68,7 @@ void ENGINE_load_builtin_engines(void)
 * *no* builtin implementations). */
ENGINE_load_openssl();
 #endif
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if !defined(OPENSSL_NO_HW)  (defined(__OpenBSD__) || defined(__FreeBSD__) 
|| defined(HAVE_CRYPTODEV))
ENGINE_load_cryptodev();
 #endif
 #if !defined(OPENSSL_NO_HW)  !defined(OPENSSL_NO_HW_AESNI)
@@ -117,7 +117,7 @@ void ENGINE_load_builtin_engines(void)
 #endif
}
 
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
 void ENGINE_setup_bsd_cryptodev(void) {
static int bsd_cryptodev_default_loaded = 0;
if (!bsd_cryptodev_default_loaded) {
diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 16afaf7..186eb36 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -68,6 +68,16 @@ ENGINE_load_cryptodev(void)
 struct dev_crypto_state {
struct session_op d_sess;
int d_fd;
+
+#ifdef USE_CRYPTODEV_DIGESTS
+   char dummy_mac_key[20];
+
+   unsigned char digest_res[20];
+   char *mac_data;
+   int mac_len;
+
+   int copy;
+#endif
 };
 
 static u_int32_t cryptodev_asymfeat = 0;
@@ -75,9 +85,6 @@ static u_int32_t cryptodev_asymfeat = 0;
 static int

[PATCH 13/14] Add support for CPU usage reporting.

2009-06-29 Thread David McCullough 

Add support for calculating the CPU usage while doing crypto.
This is useful for showing the gains through HW acceleration
other than just speed.  It is best used with the '-elapsed' option
to get real-world values.

Currently only linux supports cpu calculations,  but it should be easy
to add get_cpu/calc_cpu functions for other OS's.

Also includes a few compile time warning fixes.

---
 apps/speed.c |  215 ++
 1 files changed, 172 insertions(+), 43 deletions(-)

diff --git a/apps/speed.c b/apps/speed.c
index 52bc481..a4bef32 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -257,6 +257,80 @@ static SIGRETTYPE sig_done(int sig)
 #define START  0
 #define STOP   1
 
+#ifdef __linux__
+
+#define HAVE_CPU_USAGE 1
+
+/*
+ * record CPU usage as well
+ */
+
+struct cpu_stat {
+   unsigned intuser;
+   unsigned intnice;
+   unsigned intsystem;
+   unsigned intidle;
+   unsigned inttotal;
+};
+
+static unsigned int cpu_usage[ALGOR_NUM][SIZE_NUM];
+static unsigned int rsa_cpu_usage[RSA_NUM][2];
+static unsigned int dsa_cpu_usage[DSA_NUM][2];
+static struct cpu_stat cpu_start, cpu_finish;
+
+static void
+get_cpu(int s)
+{
+   FILE *fp = NULL;
+   unsigned char   buf[80];
+   struct cpu_stat *st = s == START ? cpu_start : cpu_finish;
+
+   memset(st, 0, sizeof(*st));
+
+   if (fp == NULL)
+   fp = fopen(/proc/stat, r);
+   if (!fp)
+   return;
+   if (fseek(fp, 0, SEEK_SET) == -1) {
+   fclose(fp);
+   return;
+   }
+   if (fscanf(fp, %s %d %d %d %d, buf[0], st-user, st-nice,
+   st-system, st-idle) == 5)
+   st-total = st-user + st-nice + st-system + st-idle;
+   fclose(fp);
+}
+
+static unsigned int
+calc_cpu()
+{
+   unsigned int total, res;
+
+   total  = cpu_finish.total - cpu_start.total;
+   if (total = 0)
+   return 0;
+#if 1 // busy
+   res   = ((cpu_finish.system + cpu_finish.user + cpu_finish.nice) -
+(cpu_start.system + cpu_start.user + cpu_start.nice)) *
+100 / total;
+#endif
+#if 0 // system
+   res   = (cpu_finish.system - cpu_start.system) * 100 / total;
+#endif
+#if 0 // user
+   res   = (cpu_finish.user   - cpu_start.user)   * 100 / total;
+#endif
+#if 0 // nice
+   res   = (cpu_finish.nice   - cpu_start.nice)   * 100 / total;
+#endif
+#if 0 // idle
+   res   = (cpu_finish.idle   - cpu_start.idle)   * 100 / total;
+#endif
+   return(res);
+}
+
+#endif
+
 #if defined(_WIN32)
 
 #define SIGALRM
@@ -273,6 +347,9 @@ static DWORD WINAPI sleepy(VOID *arg)
 
 static double Time_F(int s)
{
+   if (do_cpu)
+   get_cpu(s);
+
if (s == START)
{
HANDLE  thr;
@@ -294,6 +371,8 @@ static double Time_F(int s)
 
 static double Time_F(int s)
{
+   if (do_cpu)
+   get_cpu(s);
return app_tminterval(s,usertime);
}
 #endif
@@ -316,6 +395,14 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void 
*out, size_t *outlen)
 #endif /* OPENSSL_NO_ECDH */
 
 
+static int do_cpu = 0;
+#ifndef HAVE_CPU_USAGE
+/* stub out the cpu functions if we do not support it */
+static void get_cpu(int s) {}
+static unsigned int calc_cpu() { return 0; }
+#endif
+
+
 int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
@@ -670,6 +757,14 @@ int MAIN(int argc, char **argv)
j--;/* Otherwise, -elapsed gets confused with
   an algorithm. */
}
+#ifdef HAVE_CPU_USAGE
+   else if ((argc  0)  (strcmp(*argv,-cpu) == 0))
+   {
+   do_cpu = 1;
+   j--;/* Otherwise, -cpu gets confused with
+  an algorithm. */
+   }
+#endif
else if ((argc  0)  (strcmp(*argv,-evp) == 0))
{
argc--;
@@ -1106,6 +1201,9 @@ int MAIN(int argc, char **argv)
 #ifdef HAVE_FORK
BIO_printf(bio_err,-multi nrun n benchmarks in 
parallel.\n);
 #endif
+#ifdef HAVE_CPU_USAGE
+   BIO_printf(bio_err,-cpucalculate cpu 
utilisation.\n);
+#endif
goto end;
}
argc--;
@@ -1113,11 +1211,6 @@ int MAIN(int argc, char **argv)
j++;
}
 
-#ifdef HAVE_FORK
-   if(multi  do_multi(multi))
-   goto show_res;
-#endif
-
if (j == 0)
{
for (i=0; iALGOR_NUM; i++)
@@ -1457,6 +1550,11 @@ int MAIN(int argc, char **argv)
 #endif
 #endif /* SIGALRM */
 
+#ifdef HAVE_FORK /* Do this as late as possible to give better CPU readings */
+   if(multi  do_multi(multi))
+   goto show_res;
+#endif
+
 #ifndef

[PATCH 14/14] Cleanup some compile time warnings/magic numbers.

2009-06-29 Thread David McCullough 

Cleanup some compile time warnings/magic numbers.

---
 crypto/engine/eng_cryptodev.c |   18 +-
 1 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 186eb36..1e5d3a3 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -70,9 +70,9 @@ struct dev_crypto_state {
int d_fd;
 
 #ifdef USE_CRYPTODEV_DIGESTS
-   char dummy_mac_key[20];
+   char dummy_mac_key[HASH_MAX_LEN];
 
-   unsigned char digest_res[20];
+   unsigned char digest_res[HASH_MAX_LEN];
char *mac_data;
int mac_len;
 
@@ -90,7 +90,7 @@ static int get_cryptodev_digests(const int **cnids);
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-const unsigned char *in, unsigned int inl);
+const unsigned char *in, size_t inl);
 static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 const unsigned char *iv, int enc);
 static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
@@ -350,7 +350,7 @@ cryptodev_usable_digests(const int **nids)
 
 static int
 cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-const unsigned char *in, unsigned int inl)
+const unsigned char *in, size_t inl)
 {
struct crypt_op cryp;
struct dev_crypto_state *state = ctx-cipher_data;
@@ -428,7 +428,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char 
*key,
if ((state-d_fd = get_dev_crypto())  0)
return (0);
 
-   sess-key = (unsigned char *)key;
+   sess-key = (caddr_t)key;
sess-keylen = ctx-key_len;
sess-cipher = cipher;
 
@@ -730,7 +730,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const 
void *data,
cryp.len = count;
cryp.src = (caddr_t) data;
cryp.dst = NULL;
-   cryp.mac = state-digest_res;
+   cryp.mac = (caddr_t) state-digest_res;
if (ioctl(state-d_fd, CIOCCRYPT, cryp)  0) {
printf(cryptodev_digest_update: digest failed\n);
return (0);
@@ -761,7 +761,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned 
char *md)
cryp.len = state-mac_len;
cryp.src = state-mac_data;
cryp.dst = NULL;
-   cryp.mac = md;
+   cryp.mac = (caddr_t)md;
 
if (ioctl(state-d_fd, CIOCCRYPT, cryp)  0) {
printf(cryptodev_digest_final: digest failed\n);
@@ -906,7 +906,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
return (1);
memset(b, 0, bytes);
 
-   crp-crp_p = b;
+   crp-crp_p = (caddr_t) b;
crp-crp_nbits = bits;
 
for (i = 0, j = 0; i  a-top; i++) {
@@ -1260,7 +1260,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM 
*pub_key, DH *dh)
goto err;
kop.crk_iparams = 3;
 
-   kop.crk_param[3].crp_p = key;
+   kop.crk_param[3].crp_p = (caddr_t) key;
kop.crk_param[3].crp_nbits = keylen * 8;
kop.crk_oparams = 1;
 
-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects

2009-06-29 Thread Kyle Hamilton 
Please mail these each as attachments to r...@openssl.org.  This will
ensure that each gets entered into a trackable state, and also ensures
that the formatting for the patch files stays consistent.

-Kyle H

On Mon, Jun 29, 2009 at 7:54 PM, David
McCulloughdavid_mccullo...@securecomputing.com wrote:

 Hi openssl-dev,

 Here is a series of patches against the openssl-SNAP-20090628 release.
 The patches fix a number of bugs and also add functionality from the
 ocf-linux and uClinux-dist projects.

 ocf-linux is a linux port of the OCF framework from BSD.  The project
 has been running since 2004.

 uClinux-dist is a full source distribution thats allows for easy cross
 compilation for many different CPU/platform/vendor combinations,  including
 both systems with and without MMUs.  It has been running since before 2002.

 I have split the patches up into small unit changes so that they are easier
 to review and apply.  Most if not all of the patches can be used in
 isolation against a current openssl source tree.

 Please let me know if there are any issues or if some other format is
 preferred,

 Thanks,
 Davidm

 ocf-linux:    http://ocf-linux.sourceforge.net/
 uClinux-dist: http://www.uclinux.org/pub/uClinux/dist/

 --
 David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
 McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
 __
 OpenSSL Project                                 http://www.openssl.org
 Development Mailing List                       openssl-dev@openssl.org
 Automated List Manager                           majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [PATCH 00/14] Patches from the ocf-linux and uClinux-dist projects

2009-06-29 Thread David McCullough 

Jivin Kyle Hamilton lays it down ...
 Please mail these each as attachments to r...@openssl.org.  This will
 ensure that each gets entered into a trackable state, and also ensures
 that the formatting for the patch files stays consistent.

No problems,  I wasn't sure if I should do that or not, so I opted to
not spam two lists ;-)

It seems the mailing list ate 3 of the patches  (#2 #6 and #10),
hopefully RT will deal with them,

Thanks,
Davidm

 On Mon, Jun 29, 2009 at 7:54 PM, David
 McCulloughdavid_mccullo...@securecomputing.com wrote:
 
  Hi openssl-dev,
 
  Here is a series of patches against the openssl-SNAP-20090628 release.
  The patches fix a number of bugs and also add functionality from the
  ocf-linux and uClinux-dist projects.
 
  ocf-linux is a linux port of the OCF framework from BSD.  The project
  has been running since 2004.
 
  uClinux-dist is a full source distribution thats allows for easy cross
  compilation for many different CPU/platform/vendor combinations,  including
  both systems with and without MMUs.  It has been running since before 2002.
 
  I have split the patches up into small unit changes so that they are easier
  to review and apply.  Most if not all of the patches can be used in
  isolation against a current openssl source tree.
 
  Please let me know if there are any issues or if some other format is
  preferred,
 
  Thanks,
  Davidm
 
  ocf-linux:    http://ocf-linux.sourceforge.net/
  uClinux-dist: http://www.uclinux.org/pub/uClinux/dist/
 
  --
  David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
  McAfee - SnapGear  http://www.snapgear.com                
  http://www.uCdot.org
  __
  OpenSSL Project                                 http://www.openssl.org
  Development Mailing List                       openssl-dev@openssl.org
  Automated List Manager                           majord...@openssl.org
 
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   majord...@openssl.org
 

-- 
David McCullough,  david_mccullo...@securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.comhttp://www.uCdot.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Request from THALES to OPEN SSL

2009-06-29 Thread Kyle Hamilton 
OpenSSL is distributed under a clause in US law which allows
openly-available cryptographic software to be exempt from ECCN filing,
under exemption TSU (EAR, section 740.13(e)).

It is very possible that what you are doing with it falls under ECCN
5D002 or another in the 5Dnnn series.

I am not a lawyer, I'm simply going by what the exemption says.

-Kyle H

On Mon, Jun 29, 2009 at 5:30 AM, patrick
doudementpatrick.doudem...@thalesgroup.com wrote:
 Hi,

 Within the framework of our Export Control survey activity for components of
 THALES equipments, and in order to update our databases, and in order to
 comply with the export regulation, we need to know the applicable Export
 Control Code and ECCN (Export Control Classification Number) code for the
 following product :

 OPENSSL 0.9.8J

 Thank you in advance for your fast answer.

 Regards.

 P. Doudement

 --
 The information contained in this e-mail/fax and any attachments are the
 property of THALES and may be confidential.
 If you are not the intended recipient, please notify us immediately, send
 this message back to us and destroy it.
 You are hereby notified that any review, dissemination, distribution,
 copying or otherwise use of this e-mail/fax is strictly prohibited.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org