[PATCH] `s_client -starttls smtp' fails if not using EHLO

2005-12-27 Thread Pavel Gorshkov
Some SMTP servers require a HELO/EHLO command before a STARTTLS,
e.g.:

$ telnet mail.sourceforge.net 25
220 mail.sourceforge.net ESMTP Exim 4.44 ...
STARTTLS
503 STARTTLS command used when not advertised

for instance, when I try to retrieve the server certificate for
mail.sourceforge.net:25 using `-starttls smtp -showcerts':

$ openssl s_client -connect mail.sourceforge.net:25 \
-starttls smtp -CApath /etc/ssl/certs -showcerts

it fails with an error message like:

CONNECTED(0003)
9829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:


The attached patch (against openssl-0.9.8a) adds the `-ehlo'
option to s_client:

 -ehlo hostname - use the EHLO smtp command before issuing STARTTLS
 (to be used in conjunction with -starttls smtp)

with this patch, s_client successfully connects and shows the
certificate:

$ openssl s_client -connect mail.sourceforge.net:25 -showcerts
-starttls smtp -ehlo host.domain -CApath /etc/ssl/certs
...
Verify return code: 0 (ok)
---
220 mail.sourceforge.net ESMTP Exim 4.44 Tue, 27 Dec 2005 10:58:18 -0800 sc8-sf-mx1.sourceforge.net
250-mail.sourceforge.net Hello ppp85-140-15-108.pppoe.mtu-net.ru [85.140.15.108]
250-SIZE 1048576
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP


--
Pavel Gorshkov
--- openssl-0.9.8a.orig/apps/s_client.c Sat Oct  1 03:38:19 2005
+++ openssl-0.9.8a/apps/s_client.c  Tue Dec 27 18:43:52 2005
@@ -227,6 +227,8 @@
BIO_printf(bio_err," for those protocols that support 
it, where\n");
BIO_printf(bio_err," 'prot' defines which one to 
assume.  Currently,\n");
BIO_printf(bio_err," only \"smtp\" and \"pop3\" are 
supported.\n");
+   BIO_printf(bio_err," -ehlo hostname - use the EHLO smtp command before 
issuing STARTTLS\n");
+   BIO_printf(bio_err," (to be used in conjunction with 
-starttls smtp)\n");
 #ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine id- Initialise and use the specified 
engine\n");
 #endif
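Review bot: the new usage lines in this hunk have no counterpart in doc/apps/s_client.pod, where -starttls and the other options are documented; add a matching `-ehlo hostname` entry there (next to -starttls, stating that it only applies to `-starttls smtp`) so the option is discoverable outside the usage banner.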
@@ -245,6 +247,7 @@
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int cbuf_len,cbuf_off;
int sbuf_len,sbuf_off;
+   int mbuf_off;
fd_set readfds,writefds;
short port=PORT;
int full_log=1;
@@ -261,6 +264,7 @@
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
int starttls_proto = 0;
+   char *ehlo_hostname=NULL;
int prexit = 0, vflags = 0;
SSL_METHOD *meth=NULL;
 #ifdef sock_type
@@ -472,6 +476,11 @@
else
goto bad;
}
+   else if (strcmp(*argv,"-ehlo") == 0)
+   {
+   if (--argc < 1) goto bad;
+   ehlo_hostname = *++argv;
+   }
 #ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv,"-engine") == 0)
{
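Review bot: `-ehlo` is accepted independently of `-starttls` in this hunk, so a user who passes `-ehlo host` without `-starttls smtp` (or together with `-starttls pop3`) gets no EHLO and no diagnostic, since ehlo_hostname is only consulted inside the `starttls_proto == 1` branch. Suggest validating after argument parsing that `ehlo_hostname` is only set when `starttls_proto == 1` and treating the combination as `bad` (or at least printing a warning to bio_err) rather than silently ignoring it.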
@@ -717,11 +726,17 @@
cbuf_off=0;
sbuf_len=0;
sbuf_off=0;
+   mbuf_off=0;
 
/* This is an ugly hack that does a lot of assumptions */
if (starttls_proto == 1)
{
-   BIO_read(sbio,mbuf,BUFSIZZ);
+   mbuf_off = BIO_read(sbio,mbuf,BUFSIZZ);
+   if (ehlo_hostname)
+   {
+   BIO_printf(sbio,"EHLO %s\r\n",ehlo_hostname);
+   BIO_read(sbio,mbuf+mbuf_off,BUFSIZZ-mbuf_off);
+   }
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
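Review bot: `mbuf_off = BIO_read(sbio,mbuf,BUFSIZZ);` is used as a buffer offset without a check: BIO_read returns -1 or 0 on failure, after which `mbuf+mbuf_off` points before the buffer, and a greeting that fills the buffer leaves `BUFSIZZ-mbuf_off` at zero. The EHLO reply is also consumed with a single BIO_read whose return value is discarded, so a multi-line 250 reply that arrives in more than one segment is left partly unread (and misread as the STARTTLS reply on the next BIO_read), and nothing verifies that the reply was 250 or that STARTTLS was advertised before `BIO_printf(sbio,"STARTTLS\r\n");` is sent. Suggest checking that mbuf_off is positive before using it as an offset, and looping on BIO_read until a line starting `250 ` (rather than `250-`) has been seen, bailing out if the code is not 250, before issuing STARTTLS.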

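The exchange the patch automates (220 greeting, EHLO, multi-line 250 reply, STARTTLS, 220, then the TLS handshake) can be checked at every step rather than assumed. The following is an added example written for this thread; it is not code from the original post nor from OpenSSL's s_client, and it uses Python's socket and ssl modules in place of s_client. The host names, the sample replies (modelled on the Exim output quoted above), the `ehlo_name` default and the function names `read_reply`, `parse_reply`, `starttls_advertised`, `fetch_server_cert` and `demo` are all assumptions of this example. A server that answers "503 STARTTLS command used when not advertised" is reported as such instead of being fed a ClientHello, which is what produced the "unknown protocol" error in the post.

```python
"""SMTP STARTTLS pre-negotiation with each reply parsed and checked.

Added example for this thread (not code from the original post or from
OpenSSL's s_client).  Host names, sample replies and defaults are constructed.
"""
import io
import socket
import ssl

# Constructed sample replies, modelled on the Exim output quoted in the post.
SAMPLE_GREETING = b"220 mail.example.test ESMTP Exim 4.44 ...\r\n"
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.test Hello client.example [192.0.2.10]\r\n"
    b"250-SIZE 1048576\r\n"
    b"250-EXPN\r\n"
    b"250-PIPELINING\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
)
SAMPLE_NOT_ADVERTISED = b"503 STARTTLS command used when not advertised\r\n"
SAMPLE_HELO_ONLY = b"250 mail.example.test Hello client.example [192.0.2.10]\r\n"


def read_reply(rfile):
    """Read one complete SMTP reply (one or more lines) from a binary,
    line-oriented file and return (code, lines).  Per RFC 5321 a line of the
    form "250-..." continues the reply and "250 ..." (or a bare "250") ends it,
    so a multi-line reply split across several TCP segments is still read
    whole, which a single fixed-size read cannot guarantee."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply line: %r" % line)
        lines.append(line)
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def parse_reply(data):
    """Parse an already-captured reply (bytes) with the same logic."""
    return read_reply(io.BytesIO(data))


def starttls_advertised(code, lines):
    """True only for a successful EHLO reply whose extension list names STARTTLS.
    A HELO reply (single line, no extensions) therefore yields False."""
    if code != 250:
        return False
    keywords = []
    for line in lines[1:]:               # lines[0] is the "Hello ..." banner
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return "STARTTLS" in keywords


def fetch_server_cert(host, port=25, ehlo_name="client.example", timeout=10):
    """Connect, negotiate STARTTLS and return the server's leaf certificate in
    DER form, verified against the default CA store plus a hostname check.
    Raises RuntimeError carrying the server's own reply whenever STARTTLS
    cannot be used, instead of attempting a TLS handshake blindly."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        code, greeting = read_reply(rfile)
        if code != 220:
            raise RuntimeError("unexpected greeting: %s" % greeting)
        sock.sendall(("EHLO %s\r\n" % ehlo_name).encode("ascii"))
        code, ehlo = read_reply(rfile)
        if not starttls_advertised(code, ehlo):
            raise RuntimeError("STARTTLS not advertised by server: %s" % ehlo)
        sock.sendall(b"STARTTLS\r\n")
        code, reply = read_reply(rfile)
        if code != 220:
            raise RuntimeError("STARTTLS refused: %s" % reply)
        # The server sends nothing after its 220 until it sees our ClientHello,
        # so the buffered reader cannot have swallowed any TLS bytes here.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo():
    """Offline walk-through over the constructed replies."""
    results = {}
    code, lines = parse_reply(SAMPLE_EHLO_REPLY)
    results["ehlo_ok"] = starttls_advertised(code, lines)          # True
    code, lines = parse_reply(SAMPLE_HELO_ONLY)
    results["helo_only"] = starttls_advertised(code, lines)        # False
    code, lines = parse_reply(SAMPLE_NOT_ADVERTISED)
    results["refused"] = (code, starttls_advertised(code, lines))  # (503, False)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script only exercises the parser on the constructed replies; `fetch_server_cert("mail.example.test")` would perform the live exchange against a real server, and the `ehlo_name` argument plays the role of the patch's `-ehlo hostname`.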

[openssl.org #1146] test BN_sqr Error 139 reproducible on Redhat Linux 7.2

2005-12-27 Thread via RT

"test BN_sqr
make[2]: *** [test_bn] Error 139"

occurs for rule linux-elf, but not linux-generic32 (tests OK).


cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)

uname -a
Linux _hostname_censored_ 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

rpm -q binutils gcc gcc3 glibc
binutils-2.11.90.0.8-12
gcc-2.96-112.7.2
gcc3-3.0.4-1
glibc-2.2.4-33


./config -t
Operating system: i686-whatever-linux2
Configuring for linux-elf
/usr/bin/perl ./Configure linux-elf -mcpu=pentium


BREAKS:
./config && make clean all test

BREAKS:
./config
vi Makefile, change CC= gcc to CC= gcc3
make clean all test

TESTS OK:
./Configure linux-generic32 && make clean all test
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Encrypt + Auth in one pass

2005-12-27 Thread Ronen Shitrit
Hi

I have HW security acceleration, which supports both encryption and
digest in one "HW operation".
I looked into the engine implementation and I have some questions:

-) The engine can support only encryption or digest in one operation
(please correct me if I'm missing something). Is there any work done
that allows using the engine for both encryption and digest in one "HW
operation"?
(I understand that it will also require some changes to the
applications using the EVP interface, in order for them to exploit this
feature.)

-) Currently I'm using the OCF cryptodev in order to use my HW
encryption, since the driver I'm using is in kernel space.
I'm thinking about moving the driver to user space; has anyone ported a
driver from kernel space to user space for the OpenSSL engine? What was
the performance improvement, if any? Any tips, thoughts?

Thanks 4 your help

Ronen Shitrit

Marvell Semiconductor Israel Ltd (www.marvell.com)
[EMAIL PROTECTED]
