Re: Own HW Supported RSA provider

Hi Selva, Thanks for your clear answer. Regards Tom Temat: Re: Own HW Supported RSA provider Data: 2024-07-20 19:08 Nadawca: "Selva Nair" <selva.n...@gmail.com> Adresat: DW: "openssl-users@openssl.org" <openssl-users@openssl.org>; > > On Fri, Jul 19,

RE: compile openssl for Arm A9 & VxWorks - evp_rand_******_locked() API

.org Subject: RE: compile openssl for Arm A9 & VxWorks [External email: Use caution with links and attachments] Hi, Thanks for your support. We are planning to use ECDH Algorithm(Group 19) with a minimal footprint in an Embedded System Product for the share

RE: compile openssl for Arm A9 & VxWorks

NFIG OPENSSL_NO_RDRAND OPENSSL_NO_PADLOCKENG OPENSSL_NO_AFALGENG OPENSSL_NO_STATIC_ENGINE Thanks & Regards, Damodhar. +91-7702191212 General From: Neil Horman Sent: Wednesday, July 24, 2024 11:04 PM To: Damodhar Boddukuri Cc: openssl-users@openssl.org Subject: Re: compile openssl for Arm A9 &

Re: openssl and DSA q size doubt

Howdy, But  my question is why q is not 160 bits but instead 224 bits was used by openssl since the FIPS 186 standard clearly says to use q size 160 bits for p size 1024 bits? Can someone familiar with the topic, clarify my doubt please? Maybe I missed some fine points in the standard. I'd

Re: compile openssl for Arm A9 & VxWorks

> *include/openssl/crypto.h:26:19: error: time.h: No such file or directory* > > *include/openssl/crypto.h:31:21: error: stdio.h: No such file or directory* > > *In file included from include/internal/e_os.h:17,* > > * from apps\include/apps.h:13,* > > *

RE: compile openssl for Arm A9 & VxWorks

\lib\app_libctx.c:10: include/openssl/crypto.h:88: error: expected ')' before '*' token include/openssl/crypto.h:90: error: expected ')' before '*' token include/openssl/crypto.h:434: warning: type defaults to 'int' in declaration of 'time_t

Re: compile openssl for Arm A9 & VxWorks

\src\dosfs2 > -I$(TGT_DIR)\src\drv -I$(TGT_DIR)\src\hwif\h -DCPU=_VX_ARMARCH7 > -DTOOL_FAMILY=gnu -DTOOL=gnu -D_WRS_KERNEL -DARMEL -DCPU_CORTEXA8 > -DARMMMU=ARMMMU_CORTEXA8 -DARMCACHE=ARMCACHE_CORTEXA8 -DIP_PORT_VXWORKS=69 > -DINET -D_WRS_VX_SMP -D_VSB_CONFIG_FILE=\"$(VSB_CONFIG_FILE)\

RE: compile openssl for Arm A9 & VxWorks

L$(WS_ROOT_DIR)\obj\vxworks-6.9\krnl\lib_smp\arm\ARMARCH7\common -L$(WIND_HOME)\components\obj\vxworks-6.9\krnl\lib_smp\arm\ARMARCH7\gnu -L$(WIND_HOME)\components\obj\vxworks-6.9\krnl\lib_smp\arm\ARMARCH7\common'), ex_libs => add("-Wl,--defsym,__wrs_rtp_base=0xe000"

Re: Own HW Supported RSA provider

On Fri, Jul 19, 2024 at 4:55 PM tomasz bartczak wrote: > If I use the crypto library I can provide desired properties like in > EVP_ASYM_CIPHER_fetch function. However when I use the ssl library, how to > make sure it calls the mentioned EVP_ASYM_CIPHER_fetch function with > properties required b

Re: Building x32 libraries on x64 windows machine

This error: fatal error LNK1112: module machine type 'x64' conflicts with target machine type 'x86' says that you're set up for using x64 native tools, despite indicating you have opened the x86 native tool command Try running vcvarsall.bat x32 Which should force your environment to build in 32

RE: Building x32 libraries on x64 windows machine

Sorry. Friday afternoon brain. Forgot to do a `nmake clean` Thom Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company From: BENTLEY Thom Sent: Friday, July 19, 2024 3:48 PM To: openssl-users@openssl.org Subject: Building x32 libraries on x64 windo

Re: Own HW Supported RSA provider

Hi Levitte,Thanks for your answer.  Just follow up question.If I use the crypto library I can provide desired properties like in EVP_ASYM_CIPHER_fetch function. However when I use the ssl library, how to make sure it calls the mentioned EVP_ASYM_CIPHER_fetch function with properties required by

Re: Own HW Supported RSA provider

You can give your implementation the property "provider=myname" and for fetching, you can use the conditional property query string "?provider=myname". That will ensure that, for whatever the app is fetching, it will pick what your provider offers first, and fall back to using stuff from any other

Re: sqlog partial

On 7/18/24 10:04 AM, Tomas Mraz wrote: You could try calling fcloseall() before the exit() call. That doesn't help. In fact I have changed ssl/quic/qlog.c: static void qlog_event_epilogue(QLOG *qlog) { +int ret; ossl_json_object_end(&qlog->json); ossl_json_key(&qlog->json, "tim

Re: sqlog partial

You could try calling fcloseall() before the exit() call. Tomas Mraz, OpenSSL On Wed, 2024-07-17 at 20:30 +0200, jean-frederic clere wrote: > Hi, > > I have built with enable-unstable-qlog, but when I exit (via exit(1)) > the sqlog files are truncated: > +++ > ^^{"name":"transport:packet_receive

Re: compile openssl for Arm A9 & VxWorks

There are already several targets defined for vxworks. First step I would think would be cloning one of those targets in Configurations/10-main.conf for your purposes and adjusting the settings accordingly: "vxworks-ppc60x" => {<= Change this to "vxworks-arm9' or some such inherit

Re: Application segfaults after upgrade from 3.0.11 to 3.0.13

Please update to 3.0.14. The change that most likely caused this regression for you was reverted in that release by the following pull request: https://github.com/openssl/openssl/pull/23063 Tomas Mraz, OpenSSL On Wed, 2024-07-17 at 08:47 +0300, Victor Wagner wrote: > On Tue, 16 Jul 2024 14:40:59

Re: Application segfaults after upgrade from 3.0.11 to 3.0.13

On Tue, 16 Jul 2024 14:40:59 -0400 Neil Horman wrote: > Can you post the stack trace of the segv here? Sure: Core was generated by `osslsigncode sign -pkcs11module /usr/lib/librtpkcs11ecp.so -pkcs11cert pkcs11:o'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x7fe9e87862

Re: Application segfaults after upgrade from 3.0.11 to 3.0.13

Can you post the stack trace of the segv here? On Tue, Jul 16, 2024 at 12:43 PM Victor Wagner wrote: > Hi! > > I'm using osslsigncode application on Debian 12 system (amd64) to sign > stuff with RSA key stored on hardware token with PKCS11 interface. > > osslsigncode (https://github.com/mtrojnar

Re: receiving fatal error from server

Server supports 1.3 If I do 127.0.1.1 in Firefox, I'm getting response. It's TLS 1.3 Regards. Lokesh. On Mon, Jul 15, 2024, 18:23 Alexandr Nedvedicky wrote: > Hello, > > I just took a look at the packet dump. The client hello > in packet dump is TLS 1.3 > > the alert sent by server is Alert Mes

Re: receiving fatal error from server

Hello, I just took a look at the packet dump. The client hello in packet dump is TLS 1.3 the alert sent by server is Alert Message TLS 1.2 could it be that server does not support TLS 1.3? better chance to better understand what's going on is to get hands on the server and get some logs. may b

Re: Non-Programmatic Deterministic Key Generation for ED25519 and ED448 Keys

Howdy, I notice that OpenSSL has the 'asn1parse' utility for reading PEM and DER formatted keys. Is there an analogue that allows to write back a new value for the secret integers in private keys? Or can I encode data with 'asn1parse' and then output it in PEM format to build a key? asn1parse

Re: Non-Programmatic Deterministic Key Generation for ED25519 and ED448 Keys

PEM and > DER formatted keys. Is there an analogue that allows to write back a new > value for the secret integers in private keys? Or can I encode data > with 'asn1parse' and then output it in PEM format to build a key? > > Trying to de-serialize and reconstruct keys outside

Re: Library and DLL names on Windows X64

On Fri, Jul 12, 2024 at 9:03 AM BENTLEY Thom via openssl-users < openssl-users@openssl.org> wrote: > Hi All, > > > > I had to change the names of the .lib files to: >"dcmtkcrypto_d.lib" - debug version > >"dcmtkcrypto_o.lib" - release version (optimized) > >"dcmtkssl_d.lib"

Re: Macro definitions

They are generated, using providers/common/der/oids_to_c.pm, and template files like providers/common/der/der_ec_gen.c.in, where you can see the .asn1 files that are used as sources. Cheers, Richard Damodhar Boddukuri via openssl-users writes: > Hi OpenSSL, > > > > I am compiling OpenSSL 3.1.

RE: Can we provide --debug and --release on a single build?

Thanks for the confirmation. Thom Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company<http://www.mdsol.com/> From: Neil Horman Sent: Wednesday, July 10, 2024 1:56 PM To: BENTLEY Thom Cc: openssl-users@openssl.org Subject: Re: Can we provide --debug and --releas

Re: Can we provide --debug and --release on a single build?

- release version (optimized) > > > > It seems they expect those file names and use them when generating a build > system with CMake. > > > > > > *Thom Bentley *| Senior Software Engineer | Medidata, a Dassault Systèmes > company <http://www.mdsol.com/> >

RE: Can we provide --debug and --release on a single build?

l.com/> From: Neil Horman Sent: Wednesday, July 10, 2024 1:32 PM To: BENTLEY Thom Subject: Re: Can we provide --debug and --release on a single build? you can supply both, but they don't create separate libraries. The --debug and --release just set different optimization flags on the

RE: Missing header file ts_local.h in install location.

rts(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs); Thom Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company<http://www.mdsol.com/> From: Tomas Mraz Sent: Monday, July 1, 2024 4:12 AM To: BENTLEY Thom ; Matt Caswell ; openssl-users@openssl.org Subject: Re: Missing he

Re: ECDH Group 19 (256-bit Elliptic curve) key length

You should use some Key Derivation Function (KDF) to derive a key from this shared secret. For example TLS-1.3 uses HKDF for that. The best way would be to use TLS-1.3 (or some other standardized secure protocol) directly instead of inventing and implementing your own protocol though. Tomas Mraz,

RE: Maximum encryption key length supported by AES-128 CBC

That answers my questions. Thanks Viktor. General -Original Message- From: openssl-users On Behalf Of Viktor Dukhovni Sent: Friday, July 5, 2024 08:01 AM To: openssl-users@openssl.org Subject: Re: Maximum encryption key length supported by AES-128 CBC [External email: Use caution

Re: Maximum encryption key length supported by AES-128 CBC

On Thu, Jul 04, 2024 at 06:20:25PM +, Vishal Kevat via openssl-users wrote: > I want to know what length of encryption key does AES-128 CBC supports? Exactly 128 bits, no more, no less. > I believe that it supports key length max upto 128 bits that is 16 bytes. It makes little sense to spea

Re: Certificate verification with cross signed CAs (James)

ssl-users > wrote: > > From: James <mailto:openssl-us...@natsuki.co.uk> > To: mailto:openssl-users@openssl.org > Subject: Re: Certificate verification with cross signed CAs > Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk> > Content-Type: t

Re: Certificate verification with cross signed CAs (James)

From: James <mailto:openssl-us...@natsuki.co.uk> To: mailto:openssl-users@openssl.org Subject: Re: Certificate verification with cross signed CAs Message-ID: <mailto:c457519e-e386-4df8-84ec-9efb7a0f9...@natsuki.co.uk> Content-Type: text/plain; charset="utf-8" > The certif

Re: Certificate verification with cross signed CAs

The certificates are attached below.The use case is client A only has ta_primary_cert.pem and client B only has ta_secondary_cert.pemI’m trying to build a chain that the server can use (in the server hello) so that both client A and client B can successfully connect.Since openssl verify -trusted ta

Re: Certificate verification with cross signed CAs

On Mon, Jul 01, 2024 at 03:54:46PM +0100, James Chapman wrote: > I’ve been using openssl verify to check some certificate chains: > > server -> ca -> roota > server -> alt_ca-> rootb > > Certificates ca and alt_ca have the same subject and public key and different > issuers. > > openssl veri

Re: Missing header file ts_local.h in install location.

ntially cause issues if DCMTK 3.6.8 is not properly > configured to handle this change in OpenSSL 3.0.8. >   >   > > >   >   > Thom Bentley| Senior Software Engineer | > Medidata, a Dassault Systèmes company >   > > > From: Matt Caswell > Sent: Friday, June

RE: Missing header file ts_local.h in install location.

m Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company<http://www.mdsol.com/> From: Matt Caswell Sent: Friday, June 28, 2024 11:54 AM To: BENTLEY Thom ; Tomas Mraz ; openssl-users@openssl.org Subject: Re: Missing header file ts_local.h in install location. On 28/06/2024 16

Re: Missing header file ts_local.h in install location.

Engineer |Medidata, a Dassault Systèmes company thom.bent...@3ds.com From: Matt Caswell Date: Friday, June 28, 2024 at 11:53 AM To: BENTLEY Thom , Tomas Mraz , "openssl-users@openssl.org" Subject: Re: Missing header file ts_local.h in install location. On 28/06/2024 16: 29, BENTLE

Re: Missing header file ts_local.h in install location.

gt;C:\repos\mmi-director-dcmtk-3.6.8\dcmtk-3.6.8\dcmtls\include\dcmtk\dcmtls\tlslayer.h(37,8): 16:35:16:392 26>see declaration of 'ssl_ctx_st' ** ** *Thom Bentley *| Senior Software Engineer |Medidata, a Dassault Systèmes company <http://www.mdsol.com/> *From:*Tomas Mraz

RE: Missing header file ts_local.h in install location.

s\include\dcmtk\dcmtls\tlslayer.h(37,8): 16:35:16:392 26>see declaration of 'ssl_ctx_st' Thom Bentley | Senior Software Engineer | Medidata, a Dassault Systèmes company<http://www.mdsol.com/> From: Tomas Mraz Sent: Friday, June 28, 2024 10:15 AM To: BENTLEY Thom ; opens

RE: Missing header file ts_local.h in install location.

ley | Senior Software Engineer | Medidata, a Dassault Systèmes company<http://www.mdsol.com/> From: Matt Caswell Sent: Friday, June 28, 2024 10:18 AM To: BENTLEY Thom ; openssl-users@openssl.org Subject: Re: Missing header file ts_local.h in install location. On 28/06/2024 15: 09, BENTLEY

Re: Missing header file ts_local.h in install location.

On 28/06/2024 15:09, BENTLEY Thom via openssl-users wrote: Hi All, I build and installed version 3.0.8 on Windows with Visual Studio using the instructions provided. I copied the bin, include, and lib directories to a location that would be found by the CMake for the DCMTK toolkit version

Re: Missing header file ts_local.h in install location.

TS_VERIFY_CTX is an opaque structure since version 1.1.0. You may not access its members directly. To set them you need to use the various TS_VERIFY_CTX_set* functions. If there are any particular accessors missing, please report that as a bug to https://github.com/openssl/openssl Tomas Mraz, Op

Re: Issue with install after using `perl Configure` to set --prefix and --openssldir

, "openssl-users@openssl.org" Subject: Re: Issue with install after using `perl Configure` to set --prefix and --openssldir You seem to have space instead of = between --openssldir and the path. And yeah, try to experiment with the doublequotes if that does not help. I do not know the e

Re: Issue with install after using `perl Configure` to set --prefix and --openssldir

ult > Systèmes company > thom.bent...@3ds.com >   >   > > > From:Tomas Mraz > Date: Thursday, June 27, 2024 at 1:29 PM > To: BENTLEY Thom , "openssl-users@openssl.org" > > Subject: Re: Issue with install after using `perl Configure` to set - > -prefix and --openssldir >

Re: Issue with install after using `perl Configure` to set --prefix and --openssldir

at 1:29 PM To: BENTLEY Thom , "openssl-users@openssl.org" Subject: Re: Issue with install after using `perl Configure` to set --prefix and --openssldir Hello, you have to use "--openssldir=C: \OpenSSLInstallDir\CommonFiles\SSL" Regards, Tomas Mraz, OpenSSL On Thu, 2024-0

Re: Issue with install after using `perl Configure` to set --prefix and --openssldir

Hello, you have to use "--openssldir=C:\OpenSSLInstallDir\CommonFiles\SSL" Regards, Tomas Mraz, OpenSSL On Thu, 2024-06-27 at 16:50 +, BENTLEY Thom via openssl-users wrote: > > > > Hi All, >   > I get an error running `perl Configure --openssldir > "C:\OpenSSLInstallDir\CommonFiles\SSL"

Re: Syntax of OID values

I believe the oid_file key in the config is used by the ca and req applets and is meant to be a value rather than a section (i.e. oid_file = /path/to/oid/file/name) To do what I believe you are trying to do above, you need to follow the directions here: https://www.openssl.org/docs/man1.1.1/man5/c

RE: Issue building after configuring for VC-WIN64A (version 3.0.8)

:29 PM To: BENTLEY Thom Cc: openssl-users@openssl.org Subject: Re: Issue building after configuring for VC-WIN64A (version 3.0.8) You will almost certainly need to preform an nmake distclean (or just run git clean on your tree) prior to reconfiguring. nmake is really bad about getting l

Re: Issue building after configuring for VC-WIN64A (version 3.0.8)

/debug /dll /nologo > /debug @C:\Users\tbentley\AppData\Local\Temp\1\nm96.tmp > /implib:libcrypto.lib || (DEL /Q libcrypto-3-x64.* libcrypto.lib & EXIT > 1)"' : return code '0x1' > > Stop. > > NMAKE : fatal error U1077: '"C:\Program Files\

RE: Issue building after configuring for VC-WIN64A (version 3.0.8)

Did you do an "nmake clean" after switching to the correct compiler? You need to get rid of those 32-bit objects, or you'll continue to have a machine-type mismatch. -- Michael Wojcik Rocket Software Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Walt

Re: secp256r1 65 byte key size in packet capture

Is there a way to have all those man pages installed in my system. I'm using Ubuntu 24. On Wed, Jun 19, 2024, 17:49 Matt Caswell wrote: > > > On 19/06/2024 12:14, Lokesh Chakka wrote: > > Now I need to explore C APIs for getting those keys as hex array. > > Could you please suggest any good refe

Re: 20240619 snapshots

The Doctor via openssl-users writes: > On Wed, Jun 19, 2024 at 09:53:19AM +0200, Tomas Mraz wrote: >> They are there. Maybe you've looked too soon before the CDN caches were >> synchronized. >> >> >> On Tue, 2024-06-18 at 21:12 -0600, The Doctor via openssl-users wrote: >> > Where are they? >>

Re: secp256r1 65 byte key size in packet capture

On 19/06/2024 12:14, Lokesh Chakka wrote: Now I need to explore C APIs for getting those keys as hex array. Could you please suggest any good references for beginners. You would need to first load the key from the file to create an EVP_PKEY object. For example you could use the PEM_read_PUB

Re: 20240619 snapshots

On Wed, Jun 19, 2024 at 09:53:19AM +0200, Tomas Mraz wrote: > They are there. Maybe you've looked too soon before the CDN caches were > synchronized. > > > On Tue, 2024-06-18 at 21:12 -0600, The Doctor via openssl-users wrote: > > Where are they? > > -- > Tom Mr??z, OpenSSL > I use lynx -

Re: secp256r1 65 byte key size in packet capture

Hi Matt, I'm trying to craft a client hello packet using a C program. I'm learning about these keys, openssl, TLS etc. So openssl ecparam -name secp256r1 -genkey -out pvtkey.pem openssl ec -in pvtkey.pem -pubout -out pubkey.pem openssl pkey -in pubkey.pem -pubin -noout -text will give me the 65

Re: secp256r1 65 byte key size in packet capture

On 19/06/2024 09:15, Lokesh Chakka wrote: hello, I'm trying to generate public/private keys with following commands: openssl ecparam -name secp256r1 -genkey -out pvtkey.pem openssl ec -in pvtkey.pem -pubout I'm seeing the sizeof private key as 164 bytes and public key as 124 bytes. In a wi

Re: secp256r1 65 byte key size in packet capture

Understood. Thanks alot. But I'm still Not able to understand why it is 65 bytes in the key value. Thanks & Regards -- Lokesh Chakka. On Wed, Jun 19, 2024 at 3:03 PM Tomas Mraz wrote: > You need to do base64 decoding to find out the real size of the ASN.1 > encoded data. > > Tomas Mraz, OpenS

Re: secp256r1 65 byte key size in packet capture

You need to do base64 decoding to find out the real size of the ASN.1 encoded data. Tomas Mraz, OpenSSL On Wed, 2024-06-19 at 14:58 +0530, Lokesh Chakka wrote: > hi, > > please check the following : > > = >

Re: secp256r1 65 byte key size in packet capture

hi, please check the following : == $ openssl ecparam -name secp256r1 -genkey -out pvtkey.pem using curve name prime256v1 instead of secp256r1 $ cat pvtkey.pem -BEGIN EC PARAMETERS- BggqhkjOPQMBBw== --

Re: secp256r1 65 byte key size in packet capture

Hi Lokesh, I am not sure how do you count the sizes of 164 bytes and 124 bytes for the pem files. If I use -outform DER (and use -noout with the ecparam to avoid outputting the params because the private key already contains info about the params used) I see the following sizes for the DER encode

Re: 20240619 snapshots

They are there. Maybe you've looked too soon before the CDN caches were synchronized. On Tue, 2024-06-18 at 21:12 -0600, The Doctor via openssl-users wrote: > Where are they? -- Tomáš Mráz, OpenSSL

RE: [EXTERNAL] - 32-bit OpenSSL binary found in Suprema BioStar 2 door access system

On Wednesday, April 17th, 2024 at 6:57 AM, Michael Wojcik via openssl-users wrote: > > From: Turritopsis Dohrnii Teo En Ming teo.en.m...@protonmail.com > > Sent: Monday, 15 April, 2024 07:36 > > > > > > From: openssl-users openssl-users-boun...@openssl.org On Behalf Of > > > > Turritopsis Dohrn

Re: New OpenSSL Releases

On 09/06/2024 19:59, Dennis Clarke via openssl-users wrote: On 5/30/24 11:15, Michael Wojcik via openssl-users wrote: From: openssl-users On Behalf Of Dennis Clarke via openssl-users Sent: Thursday, 30 May, 2024 07:29 OKay, thank you. I guess today is a good day to test on a few oddball sy

Re: [External] : Why do I get the following error `wrong signature length` when I try to validate a signed file using the c++ OpenSSL 3.1 library?

Hi Thomas, Thank you very much, Understood. I created a new branch with the change I created two versions: 1. one more c++ style ( https://github.com/christiangda/LicenseValidator/blob/c988c226e3e998aebe840386525a364273f41807/src/License.cpp#L80 ) 2. with the change you proposed ( https://github

Re: [External] : Why do I get the following error `wrong signature length` when I try to validate a signed file using the c++ OpenSSL 3.1 library?

|if (EVP_PKEY_verify(ctx, licenseSignature, sizeof(licenseSignature), licenseContent, sizeof(licenseContent)) <= 0)| The sizeof operator is not doing what you think it's doing. It's computing the sizes of the pointers (typically 4 or 8 bytes depending on your architecture) and not the sizes of

Re: openssl hmac and key on the command line

On Sat, Jun 08, 2024 at 08:12:57AM -0400, Neil Horman wrote: > > I see someone at > > https://github.com/openssl/openssl/issues/13382#issuecomment-1181577183 > > with a similar concern suggested -macopt keyfile:file The requested feature (explicit keyfile option) makes sense to me. Is there a mo

Re: New OpenSSL Releases

On 5/30/24 11:15, Michael Wojcik via openssl-users wrote: From: openssl-users On Behalf Of Dennis Clarke via openssl-users Sent: Thursday, 30 May, 2024 07:29 OKay, thank you. I guess today is a good day to test on a few oddball system architectures. I suspect there are very very few people out

Re: openssl hmac and key on the command line

On 6/8/2024 5:12 AM, Neil Horman wrote: printf '%s' "hello" | LD_LIBRARY_PATH=$PWD ./apps/openssl dgst -sha1 -hmac $(cat key.txt) SHA1(stdin)= c3b424548c3dbd02161a9541d89287e689f076d7 That will expose the key in the process args, so is NOT secure. -- Carson

Re: openssl hmac and key on the command line

the openssl-mac utility already contains such a option (though it doesn't circumvent the issue as the option for the key is also passed on the command line) It seems some bash magic solves this problem though. By putting your key in a file, you can use command substitution to solve this: nhorman

Re: openssl hmac and key on the command line

2024-06-08 08:43:26 +0100, Stephane Chazelas: [...] > Would it be possible to have a: -macopt keyenv:varname and > -macopt keyexenv:varname for instance to be able to pass the > secret via environment variables instead (which on most systems > are a lot less public than command arguments)? [...] I

Re: openssl hmac and key on the command line

2022-08-07 18:20:56 +0200, Francois: [...] > I am reading some doc instructing me to run > > printf '%s' "${challenge}" | openssl dgst -sha1 -hmac ${APP_TOKEN} > > Doing so would leak the APP_TOKEN on the command line arguments (so a > user running a "ps" at the right time would see the APP_T

RE: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

ards, Vishal General -Original Message- From: openssl-users On Behalf Of Viktor Dukhovni Sent: Friday, May 31, 2024 06:14 PM To: openssl-users@openssl.org Subject: Re: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0 [External email: Use caution with links and attachm

Re: Blocking on a non-blocking socket?

- Original Message - > From: "Wiebe Cazemier" > To: openssl-users@openssl.org > Sent: Thursday, 23 May, 2024 12:22:31 > Subject: Blocking on a non-blocking socket? > > Hi List, > > I have a very obscure problem with an application using O_NONBLOCK still > blocking. Over the course of a ye

Re: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

On Fri, May 31, 2024 at 07:47:40AM +, Vishal Kevat via openssl-users wrote: > Hi OpenSSL users, > > I am using OpenSSL source version 3.3.0 and facing an issue in key generation > part of Diffie Hellman (DH) Algorithm. Below are the APIs I am using for > generating Public and Private Keys: >

Re: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

On Fri, May 31, 2024 at 12:39:12PM +, Vishal Kevat via openssl-users wrote: > Is there any way to make this prime number work by doing some > modifications in the openssl source code. It ISN'T a *prime* number. > Like bypassing the OpenSSL DH prime check? Why do you want to use a broken DH

RE: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

PM To: openssl-users@openssl.org Subject: Re: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0 [External email: Use caution with links and attachments] On Fri, May 31, 2024 at 07:47:40AM +, Vishal Kevat via openssl-users wrote: > I am using Open

Re: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

On Fri, May 31, 2024 at 07:47:40AM +, Vishal Kevat via openssl-users wrote: > I am using OpenSSL source version 3.3.0 and facing an issue in key > generation part of Diffie Hellman (DH) Algorithm. Below are the APIs I > am using for generating Public and Private Keys: > > static unsigned char

Re: Need help on self test post failure - programmatically load FIPS provider

On 24/05/2024 16:57, murugesh pitchaiah wrote: Thanks Matt for looking into this. Here is the output:  # openssl list --providers -provider fips -provider base Providers:   base     name: OpenSSL Base Provider     version: 3.0.9     status: active   fi

RE: Issue in DH Algorithm Keys Generation in OpenSSL 3.3.0

Hi OpenSSL users, I am using OpenSSL source version 3.3.0 and facing an issue in key generation part of Diffie Hellman (DH) Algorithm. Below are the APIs I am using for generating Public and Private Keys: static unsigned char DH_PRIME_128[] = { /* 128 bit prime */ 0xff, 0xff, 0xff, 0xff,

Re: Need help on self test post failure - programmatically load FIPS provider

Hi Matt, Could you please share any insights on why these errors seen on programmatically loading fips provider : *80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid state:../openssl-3.0.9/providers/fips/self_test.c:262:* *80D1CD65667F:error:1C8000D8:Provider routines:OS

RE: New OpenSSL Releases

> From: openssl-users On Behalf Of Dennis > Clarke via openssl-users > Sent: Thursday, 30 May, 2024 07:29 > > OKay, thank you. I guess today is a good day to test on a few oddball > system architectures. I suspect there are very very few people out there > running actual HPE Itanium hardware or bi

Re: New OpenSSL Releases

On 5/30/24 03:03, Tomas Mraz wrote: You can just test the HEAD commits in the respective branches (openssl- 3.0, openssl-3.1, openssl-3.2 and openssl-3.3) in git. The repository will be frozen today afternoon so there should be no further changes apart from eventual regression fixes and the relea

Re: New OpenSSL Releases

You can just test the HEAD commits in the respective branches (openssl- 3.0, openssl-3.1, openssl-3.2 and openssl-3.3) in git. The repository will be frozen today afternoon so there should be no further changes apart from eventual regression fixes and the release commits. Regards, Tomas Mraz, Open

Re: New OpenSSL Releases

On 5/28/24 08:51, Tomas Mraz wrote: The OpenSSL project team would like to announce the upcoming release of OpenSSL versions 3.3.1, 3.2.2, 3.1.6 and 3.0.14. Will there be any release candidate tarballs for testing on various systems? Perhaps there already exists some commit or "tag" ( wha

Re: Need help on self test post failure - programmatically load FIPS provider

Thanks Matt for looking into this. Here is the output: # openssl list --providers -provider fips -provider base Providers: base name: OpenSSL Base Provider version: 3.0.9 status: active fips name: OpenSSL FIPS Provider version: 3.0.9 status: active Also ple

Re: Need help on self test post failure - programmatically load FIPS provider

What do you get by loading the provider via the "openssl list" command, i.e. what is the output from: $ openssl list --providers -provider fips -provider base Matt On 24/05/2024 15:48, murugesh pitchaiah wrote: Thanks Neil for your response. Please find more details below. Yes we run fipsin

Re: Need help on self test post failure - programmatically load FIPS provider

Thanks Neil for your response. Please find more details below. Yes we run fipsinstall and then edit the fipsmodule.conf file to remove the 'activate=1' line. Then try to programmatically load FIPS provider. Here are the details steps. Once the device boots up , The device has fipsmoudle.cnf presen

Re: Need help on self test post failure - programmatically load FIPS provider

I assume that, after building the openssl library you ran openssl fipsinstall? i.e. you're not just using a previously generated fipsmodule.cnf file? The above errors initially seem like self tests failed on the fips provider load, suggesting that the module-mac or install-mac is incorrect in you

Re: Blocking on a non-blocking socket?

On 24/05/2024 02:30, Wiebe Cazemier wrote: Can you show me in the code where that is? It's here: https://github.com/openssl/openssl/blob/b9e084f139c53ce133e66aba2f523c680141c0e6/ssl/record/rec_layer_s3.c#L1038-L1054 The "retry" codepath occurs where we hit the "goto start". My main conc

Re: Blocking on a non-blocking socket?

Hi Detlef, - Original Message - > From: "Detlef Vollmann" > To: openssl-users@openssl.org > Sent: Friday, 24 May, 2024 12:02:37 > Subject: Re: Blocking on a non-blocking socket? > > That's correct, but if I understand Matt correctly, t

Re: Blocking on a non-blocking socket?

On 5/24/24 03:30, Wiebe Cazemier via openssl-users wrote: Hi Matt, - Original Message - From: "Matt Caswell" To: openssl-users@openssl.org Sent: Friday, 24 May, 2024 00:26:28 Subject: Re: Blocking on a non-blocking socket? Not quite. When you call SSL_read() it is becau

Re: Blocking on a non-blocking socket?

Hi Matt, - Original Message - > From: "Matt Caswell" > To: openssl-users@openssl.org > Sent: Friday, 24 May, 2024 00:26:28 > Subject: Re: Blocking on a non-blocking socket? > Not quite. > > When you call SSL_read() it is because you are hoping to read &

RE: Blocking on a non-blocking socket?

g/docs/man1.0.2/man3/SSL_CTX_set_mode.html | >>>> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html ] >>> >>>> SSL_MODE_AUTO_RETRY in non-blocking mode should cause >>>> SSL_reaa/SSL_write to return -1 with an error code of >>>> WANT_R

Re: Blocking on a non-blocking socket?

_mode.html ] SSL_MODE_AUTO_RETRY in non-blocking mode should cause SSL_reaa/SSL_write to return -1 with an error code of WANT_READ/WANT_WRITE until such time as the re-negotiation has completed. I need to confirm thats the case in the code, but it seems to be. If the underlying socket is in non-blocking mode, there sh

RE: Blocking on a non-blocking socket?

UTO_RETRY in non-blocking mode should cause >> SSL_reaa/SSL_write to return -1 with an error code of >> WANT_READ/WANT_WRITE until such time as the re-negotiation has >> completed. I need to confirm thats the case in the code, but it seems >> to be. If the underlying socket is in

Re: Blocking on a non-blocking socket?

Hi Neil, - Original Message - > From: "Neil Horman" > To: "Wiebe Cazemier" > Cc: "udhayakumar" , openssl-users@openssl.org > Sent: Thursday, 23 May, 2024 23:42:18 > Subject: Re: Blocking on a non-blocking socket? > from

Re: Blocking on a non-blocking socket?

from: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_mode.html SSL_MODE_AUTO_RETRY in non-blocking mode should cause SSL_reaa/SSL_write to return -1 with an error code of WANT_READ/WANT_WRITE until such time as the re-negotiation has completed. I need to confirm thats the case in the

Re: Blocking on a non-blocking socket?

- Original Message - > From: "Neil Horman" > To: "udhayakumar" > Cc: "Wiebe Cazemier" , openssl-users@openssl.org > Sent: Thursday, 23 May, 2024 22:05:22 > Subject: Re: Blocking on a non-blocking socket? > do you have a stack trace of t

  1   2   3   4   5   6   7   8   9   10   >