openssl and PeopleSoft

2010-09-02 Thread Panikulam Vivek
Hi

I am trying to use openssl to generate RSA keys and use it in PeopleSoft. But 
PeopleSoft requires keys in hex notation with specific keysize of 168 which I 
am 
not able to generate with openSSL. Please let me know if anyone has experience 
working with OpenSSL for PeopleSoft.Any help is appreciated. Thanks

Regards
Vivek Panikulam


Use Entered Value Select this option to use key values that aren't in the 
PeopleSoft keystore. Enter a key value that's formatted appropriately for the 
algorithm that you're configuring. This value will be entered into the PET 
keyset table, not the PeopleSoft keystore. 

The value that you enter has a length that depends on the keysize of the 
cipher. 
For triple DES with keysize 112, this is 16 bytes. For a keysize of 168, this 
is 
24 bytes. This value should be represented in hex notation. 

You must generate the key value that you enter here. You can use any key 
generation utility capable of producing hex encoded keys of the required 
length. 
PeopleSoft delivers the core OpenSSL command line program precompiled and ready 
to use. You can use it to generate key values and perform other 
encryption-related tasks. The executable program is 
PS_HOME\bin\server\WINX86\openssl.exe on Windows, and PS_HOME/bin/openssl on 
Unix and Linux platforms.  



  

Re: multi thread, example on win32 is wrong?

2010-09-02 Thread Lu zhuiyue
I'm a *nix programmer too [?].

I just think there may be some error with the example on wind32.


On Thu, Sep 2, 2010 at 11:36 PM, Sam Jantz  wrote:

> Lu,
>
>  I'm not sure specifically about windows, but it seems that you have
> not created the id function.  Once you create the id function then you need
> to register it in the thread_setup with the function
> CRYPTO_set_id_callback();  The thread_id function
> is a very small function that just returns the thread id for calling thread.
>  In linux you implement it like this:
>
> static unsigned long id_function(void){
>
> }
>
> On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue  wrote:
>
>> the documentation (http://www.openssl.org/docs/crypto/threads.html) says
>>
>> to use openssl library in multi threds environments,  the user should set
>> thses tow callback functions
>> locking_function and threadid_func
>>
>> the example:
>> *crypto/threads/mttest.c*
>> on win32 platform:
>>
>> it does not set threadid_func. it is an error?
>>
>
>
>
> --
> Sam Jantz
> Software Engineer
>
>
<<330.gif>>

Question on applying GPROF to OpenSSL s_server

2010-09-02 Thread Joe Tsin
Hi, 

I'd like to use gprof to profile the OpenSSL application s_server on a Linux 
box. I had a  'CFLAG= -g -static -pg' in the 'openssl-0.9.8o/apps/Makefile', 
then configured the OpenSSL, made it and installed it. 

However, I didn't get the gprof output (gmon.out) after running the 'openssl 
s_server'. 

Did I miss anyting here? Can anyone give me some guidelines on how to use gprof 
to profile the OpenSSL s_server?

Thanks a lot!

Joe


  

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


problem https with class 3 cert CACert

2010-09-02 Thread fakessh

hi fols
hi all the people
hi openssl users
hi apache httpd users

t explain my problem
i use CentOS 5.5
use httpd.i386 2.2.3-43.el5.centos.3 rpm's centos
use mod_ssl.i386  1:2.2.3-43.el5.centos.3 rpms's centos

I sometimes against this kind of problem
with certificates of type class 3, it was the color in the address bar
with the firefox the color in the address bar disappear sometimes and 
a reload of web page was view again

The padlock disappears for the same occasion


...
many return and welcome
some ideas are welcome

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


problem https with class 3 cert CACert

2010-09-02 Thread fakessh

hi folks
hi all the people
hi openssl users
hi apache httpd users

t explain my problem
i use CentOS 5.5
use httpd.i386 2.2.3-43.el5.centos.3 rpm's centos
use mod_ssl.i386  1:2.2.3-43.el5.centos.3 rpms's centos

I sometimes against this kind of problem
with certificates of type class 3, it was the color in the address bar
with the firefox the color in the address bar disappear sometimes and 
a reload of web page was view again

The padlock disappears for the same occasion


...
many return and welcome
some ideas are welcome

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".

2010-09-02 Thread Victor Duchovni
On Thu, Sep 02, 2010 at 11:02:21PM +0200, Dr. Stephen Henson wrote:

> On Thu, Sep 02, 2010, Victor Duchovni wrote:
> 
> > 
> > It is my impression that enabling tls extensions breaks binary
> > compatibility, so I cannot replace a "no-tlsext" shared library with
> > one that support extensions without re-compiling all the clients. So,
> > some legacy systems still get "no-tlsext" libraries until we move
> > everyone to 1.0.0.
> > 
> 
> A few fields are appended to some structures to support TLS extensions which
> means that some structures increase in size. These structures are only ever
> allocated and freed by library calls so binary compatibility *should* be
> maintained. However there is a slight risk that a highly broken application
> will allocate the structures itself and poke around in internals to set them
> up.

So no existing fields change size or position?

And the ABI is only broken when applications allocate SSL, SSL_CTX,
... structures directly rather than via SSL_new() or SSL_CTX_new()?

If so, I may take the plunge with 0.9.8p, if it is likely that the most
common applications (Apache, stunnel, curl, wget, ...) and high-level
language run-times (Perl, Python, ... SSL support) do not break when
tls extensions are enabled in an updated shared library.

Is there anywhere either a list of applications known to work or known
to not work with recompiled libraries?

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".

2010-09-02 Thread Dr. Stephen Henson
On Thu, Sep 02, 2010, Victor Duchovni wrote:

> 
> It is my impression that enabling tls extensions breaks binary
> compatibility, so I cannot replace a "no-tlsext" shared library with
> one that support extensions without re-compiling all the clients. So,
> some legacy systems still get "no-tlsext" libraries until we move
> everyone to 1.0.0.
> 

A few fields are appended to some structures to support TLS extensions which
means that some structures increase in size. These structures are only ever
allocated and freed by library calls so binary compatibility *should* be
maintained. However there is a slight risk that a highly broken application
will allocate the structures itself and poke around in internals to set them
up.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Patch: 0.9.8[no] SSLv3 client broken with "no-tlsext".

2010-09-02 Thread Victor Duchovni

The 0.9.8[no] SSLv3 client code sends the SCSV cipher even when built
with "no-tlsext" and is then unable to process the server response if
the server returns tls extensions.

It is my impression that enabling tls extensions breaks binary
compatibility, so I cannot replace a "no-tlsext" shared library with
one that support extensions without re-compiling all the clients. So,
some legacy systems still get "no-tlsext" libraries until we move
everyone to 1.0.0.

The SSL client should not solicit server behaviour it does not support.
Patch below.

--- ssl/ssl_lib.c   2010-02-17 14:43:08.601690964 -0500
+++ ssl/ssl_lib.c   2010-09-02 13:19:18.401865197 -0400
@@ -1299,6 +1299,8 @@
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
+
+#ifndef OPENSSL_NO_TLSEXT
/* If p == q, no ciphers and caller indicates an error. Otherwise
 * add SCSV if not renegotiating.
 */
@@ -1310,10 +1312,11 @@
};
j = put_cb ? put_cb(&scsv,p) : 
ssl_put_cipher_by_char(s,&scsv,p);
p+=j;
-#ifdef OPENSSL_RI_DEBUG
+# ifdef OPENSSL_RI_DEBUG
fprintf(stderr, "SCSV sent by client\n");
-#endif
+# endif
}
+#endif /* OPENSSL_NO_TLSEXT */
 
return(p-q);
}

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: reading and writing into pem file

2010-09-02 Thread krishnamurthy santhanam
Hi,

Thanks for your input..it worked for me...i am writing encryption and
decryption using RSA...

#include
#include
#include
#include
#include
#include
RSA * readPubKey(char *filename)
{
RSA *key;
BIO *bp;

ERR_load_crypto_strings();
bp=BIO_new(BIO_s_file());

if (BIO_read_filename(bp,filename) <= 0)
{
perror("ERROR: public.pem");
exit(0);
}

if ((key=(RSA *)PEM_read_bio_RSA_PUBKEY(bp,NULL,NULL,NULL)) == NULL)
{
ERR_print_errors_fp(stderr);
key = NULL;
}

BIO_free(bp);
return key;
}


rsaEncrypt()
{
RSA *pubkey;
unsigned char *message= "Hello !! can u hear me now !!";
unsigned char *encryptmess, *decryptmess;
int long_message;
char **key;
char buff[300];
pubkey = readPubKey("public.pem");
char test1,test2;
printf("\nsize of (in byte)s public:private :: %d:\n",RSA_size(pubkey));

/* Encrypt the message */
encryptmess = (unsigned char *) malloc (RSA_size(pubkey));
test1=sizeof(test2);
long_message= (strlen(message)&test1+1);
RSA_public_encrypt(long_message, message, encryptmess, pubkey,
RSA_PKCS1_OAEP_PADDING);
printf ("\n message %s\n", message);

printf("\nlenght=  %d\n",strlen(encryptmess));
int i;
i =strlen(encryptmess);
printf("length ==%d\n",i);
memmove(buff,encryptmess,i);
int j;
j=(strlen(buff)*sizeof(char)+1);
//printf ("\n message=== %s\n", encryptmess);
printf("j=%d\n",j);
free(encryptmess);
printf("%s",buff);
}

int main(void)
{
rsaEncrypt();
}

when i encrypt the message it works and printing the outpu..i need to write
the encrypted message to main function to decrypt the encrypted message...

i have tried the below program ..it is not giving as expected..please help
me out to write the this


#include
#include
#include
#include
#include


RSA * readPubKey(char *filename)
{
RSA *key;
BIO *bp;

ERR_load_crypto_strings();
bp=BIO_new(BIO_s_file());

if (BIO_read_filename(bp,filename) <= 0)
{
perror("ERROR: public.pem");
exit(0);
}

if ((key=(RSA *)PEM_read_bio_RSA_PUBKEY(bp,NULL,NULL,NULL)) == NULL)
{
ERR_print_errors_fp(stderr);
key = NULL;
}

BIO_free(bp);
return key;
}


int rsaEncrypt(unsigned char *message,unsigned char *decryptmess,int
long_message)
{
RSA *pubkey;
RSA *privkey;
unsigned char *encryptmess;
int long_message1,j;
char **key;
long_message1=long_message;
pubkey = readPubKey("public.pem");

/* Encrypt the message */
printf("hello encrypt");
encryptmess = (unsigned char *) malloc (RSA_size(pubkey));
RSA_public_encrypt(long_message1, message, encryptmess, pubkey,
RSA_PKCS1_OAEP_PADDING);
printf ("\n message %s\n", message);
j=strlen(encryptmess);
printf("\nj=%d",j);
decryptmess=encryptmess;
}

//main program===
main()
{

unsigned char *message= "Hello !! can u hear me now !!";
unsigned char* decryptmess;
int long_message,i;
long_message= (strlen(message)*sizeof(char)+1);
int rsaEncrypt(unsigned char *message,unsigned char *decryptmess,int
long_message);

i=strlen(decryptmess);
printf("\n%s\n",decryptmess);
printf("\nsize=%d",i);
}

Thanks
kris

On Wed, Sep 1, 2010 at 2:03 AM, Dave Thompson  wrote:

> >   From: owner-openssl-us...@openssl.org On Behalf Of krishnamurthy
> santhanam
> >   Sent: Tuesday, 31 August, 2010 13:33
>
> >   #include
>
> >   writekey(RSA *key2)
>
> You're obviously using a C89 (or earlier) compiler or mode.
>
> Snipped most non-I/O steps:
>
> >   {
> >   EVP_PKEY *pkey;
> >   FILE *fp;
> >   //BIO *file;
> >   OpenSSL_add_all_ciphers();
> >   OpenSSL_add_all_algorithms();
>
> Aside: add_all_algorithms *includes* add_all_ciphers
>
> >   if(!(fp = fopen("private1.pem", "w"))) {
>
> >   if(!PEM_write_PrivateKey(fp, pkey,NULL,NULL,0,NULL,NULL)){
>
> >   close(fp);
>
> >   if(!(fp = fopen("public1.pem", "w"))) {
>
> >   if(!PEM_write_PUBKEY(fp, pkey)){
>
> >close(fp);
>
> close() is not the correct routine to close a stdio FILE*.
> It doesn't even take the correct type of argument, but
> your compiler wasn't required to warn you because you
> didn't include its header (e.g. unistd.h) and in C<=89
> undeclared functions default to int(/*unspecified*/).
>
> Since you didn't close the files, no data actually got written
> to them, so there was nothing there for the PEM_read's to read.
>
> Use fclose. And see if you can use a C99 compiler, or at least
> a C89 compiler with better warnings (like gcc -Wimplicit).
>
>
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: Problem verifying a chain...

2010-09-02 Thread aerowolf

Use the '-issuer_checks' parameter to show exactly what it's looking for and 
where it's looking for it.

At 'depth 1' (i.e., one step above the end-entity certificate), it's looking 
for the issuer (which means it's looking for the USERTRUST root certificate).

-Kyle H

On Thu, Sep 2, 2010 at 9:39 AM, John Doe  wrote:

Hi,

I have some issues with chained certificates.
I am trying to verify my certificate with the intermediate certificate of my
registrar...

my.crt:
Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com

gandi.crt:
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA

# openssl verify -CAfile gandi.crt my.crt
my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
error 2 at 1 depth lookup:unable to get issuer certificate

Is it the right command to test...?
Is the error about gandi or usertrust?

Thx,
JD



__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-us...@openssl.org
Automated List Manager                           majord...@openssl.org





smime.p7s
Description: S/MIME Cryptographic Signature


Re: [openssl-users] **Spam** Problem verifying a chain...

2010-09-02 Thread Erwann ABALEA
Bonjour,

Hodie post. Kal. Sep. MMX, John Doe scripsit:
> I have some issues with chained certificates.
> I am trying to verify my certificate with the intermediate certificate of my 
> registrar...
> 
> my.crt:
> Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
> Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com
> 
> gandi.crt:
> Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, 
> OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
> Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
> 
> # openssl verify -CAfile gandi.crt my.crt 
> my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
> error 2 at 1 depth lookup:unable to get issuer certificate

It wants to check the issuer's certificate of Gandi. You can find it
in your browser, or maybe in a decently installed Ubuntu/Debian, in
/etc/ssl/certs directory (UTN_USERFirst_Hardware_Root_CA.pem on my
machine).

-- 
Erwann ABALEA 
Département R&D
KEYNECTIS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: Problem verifying a chain...

2010-09-02 Thread Erik Tkal
Hi John,

Your CAfile must contain the chain that issued your cert (i.e. the 
intermediate(s) and the root).  The error is indicating that it is unable to 
locate the issuer of the intermediate.

  Erik Tkal


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of John Doe
Sent: Thursday, September 02, 2010 12:39 PM
To: openssl-users@openssl.org
Subject: Problem verifying a chain...

Hi,

I have some issues with chained certificates.
I am trying to verify my certificate with the intermediate certificate of my 
registrar...

my.crt:
Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com

gandi.crt:
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, 
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA

# openssl verify -CAfile gandi.crt my.crt 
my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
error 2 at 1 depth lookup:unable to get issuer certificate

Is it the right command to test...?
Is the error about gandi or usertrust?

Thx,
JD


  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Symmetric Key Encryption

2010-09-02 Thread Sam Jantz
Hello,

 Where is the symmetric key stored during an SSL transaction?  There is
a place for it (deep) inside of the ssl structure at
  ssl->s3->tmp.key_block
with length of
  ssl->s3->tmp.key_block_length
However these are never populated on any connection that I make.  It seems
odd to me that encryption/decryption can happen without a symmetric key, but
at surface value that seems to be what is happening.  I have done quite a
bit of digging on this and found a function (or 4) that is supposed to
generate the key block (tls1_generate_key_block() and all the functions it
calls), and then I can partition it out the keys  according to the TLSv1 RFC
(http://www.ietf.org/rfc/rfc2246.txt page 14) but it seems that whenever I
do this I cannot use this key to decrypt the data from the transaction
(using the IV from the key block as well).  So either my Key, or IV, or both
are incorrect.  The "label" I am using (as per TLSv1 spec) is "key
expansion" however I have no idea if that is the correct value.  I've
attached the code I am currently using to generate the key block.  It's a
lot to digest, but it's better to be more verbose, than lacking in detail.
 Long story short, if there is a better way to access the the session key I
would like to know about it.  Thank you for any input or feedback you can
provide.


-Sam

-- 
Sam Jantz
Software Engineer
/* Copyright (C) 1995-1998 Eric Young (e...@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (e...@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (t...@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *notice, this list of conditions and the following disclaimer in the
 *documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *must display the following acknowledgement:
 *"This product includes cryptographic software written by
 * Eric Young (e...@cryptsoft.com)"
 *The word 'cryptographic' can be left out if the rouines from the library
 *being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *the apps directory (application code) you must include an acknowledgement:
 *"This product includes software written by Tim Hudson (t...@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
/* 
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *notice, this list of conditions and the following disclaimer. 
 *
 *

Problem verifying a chain...

2010-09-02 Thread John Doe
Hi,

I have some issues with chained certificates.
I am trying to verify my certificate with the intermediate certificate of my 
registrar...

my.crt:
Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com

gandi.crt:
Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, 
OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA

# openssl verify -CAfile gandi.crt my.crt 
my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
error 2 at 1 depth lookup:unable to get issuer certificate

Is it the right command to test...?
Is the error about gandi or usertrust?

Thx,
JD


  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: multi thread, example on win32 is wrong?

2010-09-02 Thread Sam Jantz
Sorry accidentally sent that:

return pthread_self()

}

Then you register it, and your library should be thread safe.

Again sorry about sending that too soon.  Best of luck!


 -Sam

On Thu, Sep 2, 2010 at 10:36 AM, Sam Jantz  wrote:

> Lu,
>
>  I'm not sure specifically about windows, but it seems that you have
> not created the id function.  Once you create the id function then you need
> to register it in the thread_setup with the function
> CRYPTO_set_id_callback();  The thread_id function
> is a very small function that just returns the thread id for calling thread.
>  In linux you implement it like this:
>
> static unsigned long id_function(void){
>
> }
>
> On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue  wrote:
>
>> the documentation (http://www.openssl.org/docs/crypto/threads.html) says
>>
>> to use openssl library in multi threds environments,  the user should set
>> thses tow callback functions
>> locking_function and threadid_func
>>
>> the example:
>> *crypto/threads/mttest.c*
>> on win32 platform:
>>
>> it does not set threadid_func. it is an error?
>>
>
>
>
> --
> Sam Jantz
> Software Engineer
>
>


-- 
Sam Jantz
Software Engineer


Re: multi thread, example on win32 is wrong?

2010-09-02 Thread Sam Jantz
Lu,

 I'm not sure specifically about windows, but it seems that you have not
created the id function.  Once you create the id function then you need to
register it in the thread_setup with the function
CRYPTO_set_id_callback();  The thread_id function
is a very small function that just returns the thread id for calling thread.
 In linux you implement it like this:

static unsigned long id_function(void){

}

On Thu, Sep 2, 2010 at 3:34 AM, Lu zhuiyue  wrote:

> the documentation (http://www.openssl.org/docs/crypto/threads.html) says
> to use openssl library in multi threds environments,  the user should set
> thses tow callback functions
> locking_function and threadid_func
>
> the example:
> *crypto/threads/mttest.c*
> on win32 platform:
>
> it does not set threadid_func. it is an error?
>



-- 
Sam Jantz
Software Engineer


RE: RE: AES in counter mode no support in openssl

2010-09-02 Thread Erik Tkal
Hi Sagar,

No, I do not see any engine support.  That code appears to use AES_encrypt 
directly, and evp.h has hints but nothing enabled:

#if 0
const EVP_CIPHER *EVP_aes_128_ctr(void);
#endif

Also, if the hardware you have (you didn't say what it was) is not supported by 
OpenSSL then the hardware vendor (or yourself) would have to implement engine 
code to perform the operations.

  Erik


From: sagar gupta 
Subject: Re: RE: AES in counter mode no support in openssl

can that aes_ctr.c be used to connect to hardware driver. I have a hardware 
driver which can implement the encryption method for more performance.

Thanks

On Thu, 02 Sep 2010 03:30:20 +0530 wrote
>

OpenSSL 1.0.0a has aes_ctr.c in the crypto/aes directory.
 
Erik Tkal



Subject: AES in counter mode
no support in openssl

hi all,

I was working on the Openssl1.0.0 version for AES cryptographic support in
counter mode i.e; AES-CTR mode. I did not find any support added to the
openssl1.0.0 version. I wanted to ask that is there support for AES counter
mode in openssl?? if Yes which version of Openssl support AES counter mode?? if
no I wanted to know why the support for AES counter mode is not added into the
openssl?? 

Any help or answers in this regard will be really useful for me. Thanks for all
in Advance. please do give me some answers for my questions.


:��I"Ϯ��r�m
(Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���

Re: Confusion about subject alternative names

2010-09-02 Thread Peter Sylvester

Since webmail, imap, smtp(s) all operate on different ports, and
you have different listeners, the correct way to me seems to
use three certificates with the desired hostnames etc.

Having the same IP address doesn't matter in this particular case.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


multi thread, example on win32 is wrong?

2010-09-02 Thread Lu zhuiyue
the documentation (http://www.openssl.org/docs/crypto/threads.html) says
to use openssl library in multi threds environments,  the user should set
thses tow callback functions
locking_function and threadid_func

the example:
*crypto/threads/mttest.c*
on win32 platform:

it does not set threadid_func. it is an error?
static HANDLE *lock_cs;

void thread_setup(void)
	{
	int i;

	lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
	for (i=0; i end.wDayOfWeek) end.wDayOfWeek+=7;
	ret=(end.wDayOfWeek-start.wDayOfWeek)*24;

	ret=(ret+end.wHour-start.wHour)*60;
	ret=(ret+end.wMinute-start.wMinute)*60;
	ret=(ret+end.wSecond-start.wSecond);
	ret+=(end.wMilliseconds-start.wMilliseconds)/1000.0;

	printf("win32 threads done - %.3f seconds\n",ret);
	}


RE: Confusion about subject alternative names

2010-09-02 Thread Eisenacher, Patrick
Hi Gaiseric,

-Original Message-
> From: Gaiseric Vandal
>
>I am using various version of openssl-0.9.x (including 
>openssl-0.9.8k-1.fc11.i686 on
> my linux machine altho the cusotmized openssl.cnf file is probably inherited 
> from a
> slightly earlier version.)

> When I create a certificate signing request with openssl, I have an option to 
> specify an
> Subject Alternative Name (SAN.)  The request file (csr) as well as the 
> resulting
> certificate includes the SAN as a value in the in the subject field.
>
> Subject: C=US, ST=x, L=x, O=x, OU=IT,
> CN=server1.company.com/subjectAltName=server2.company.com/emailaddress=xx...@company.com

I've never seen a subjectAlternativeName construction like this. This is not 
what openssl does by default. So this behaviour is related to the changes you 
did in your openssl.conf file. Looks like you defined your own private RDN 
subjectAltName. This is not standard. And nobody else will understand this!

I recommend you read up about using the openssl req and ca commands, or 
alternatively the x509 command if you are using this to issue your certicates, 
and the format of the configuration file:

man req
man ca
man x509
man config
man x509v3_config


HTH,
Patrick Eisenacher
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org