Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
Hi Ashok,

On Wed, Dec 5, 2012 at 12:29 AM, Ashok C <ash@gmail.com> wrote:
> Hi,
>
> Our current SSL server loads plain-text private keys using the
> SSL_CTX_use_PrivateKey_file() method. We are moving from this strategy to
> use custom encrypted private keys using the TPM concept. For this, we have
> an engine implemented. Now the question is this. Does my SSL server need to
> change from loading private keys using SSL_CTX_use_PrivateKey_file() method
> to use this method --
>
>     ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)
>
> Or can this be achieved by using the SSL_CTX_use_PrivateKey_file() method
> itself and the openssl takes care of loading my encrypted private key with
> the help of my implemented engine. Basically wanted to understand if the
> SSL_CTX method for loading private keys has the support for loading engine
> specific keys.

Last I knew there were two ways to get your TPM key loaded through an engine.
Directly in your app, using code like:

    ENGINE_by_id();
    ENGINE_init();
    ENGINE_set_default_RSA();
    ENGINE_load_private_key();
    ... (use key) ...

and indirectly by using an openssl-config enabled app, and the RSA_* APIs to
load the key. Basically in this case you have a system openssl config that
you've added something like:

--[cut]--
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
foo = tpm_section

[tpm_section]
dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
engine_id = tpm
default_algorithms = RAND,RSA
init = 1
--[cut]--

then your app needs to be compiled with -DOPENSSL_LOAD_CONF=1, which triggers
hooks in the RSA_* APIs which will read the config file and redirect key
loading to your engine.

Kent

> --
> Ashok

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: ecdsa_method missing?
Thanks Mounir,

I'd like to use ECDSA_METHOD to implement a dynamic engine for ecdsa. I want
to avoid copying the header files from the upstream source so that my engine
package can compile stand-alone. This should be in line with the way dynamic
engines have worked for other algorithms since 0.9.8, if I understand
correctly. Should I open an item in the issue tracker for this?

Thanks,
Kent

On Tue, Feb 22, 2011 at 8:04 PM, Mounir IDRASSI <mounir.idra...@idrix.net> wrote:
> Hi,
>
> In the case of RSA_METHOD, it is working because the underlying type
> rsa_meth_st is defined in rsa.h, whereas for ECDSA_METHOD, the underlying
> type ecdsa_method is not exported by the public headers: it is defined in
> the internal OpenSSL header ecs_locl.h found in the source distribution.
> That explains why you are getting the compile error. I don't know why it
> was done like this, but if you really need this structure then you'll have
> to copy its definition from the header I mentioned above.
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 2/22/2011 6:14 PM, Kent Yoder wrote:
>> Hi,
>>
>> The following RSA code compiles:
>>
>>     #include <openssl/rsa.h>
>>     main() { RSA_METHOD rsa = { "test" }; }
>>
>> but this ECDSA code doesn't:
>>
>>     #include <openssl/ecdsa.h>
>>     main() { ECDSA_METHOD ecdsa = { "test" }; }
>>
>> Am I missing a declaration, or is this perhaps a bug?
>>
>> Thanks,
>> Kent
ecdsa_method missing?
Hi,

The following RSA code compiles:

    #include <openssl/rsa.h>
    main() { RSA_METHOD rsa = { "test" }; }

but this ECDSA code doesn't:

    #include <openssl/ecdsa.h>
    main() { ECDSA_METHOD ecdsa = { "test" }; }

Am I missing a declaration, or is this perhaps a bug?

Thanks,
Kent
Config option for -keyform?
Hi,

I'm looking for a config file option that will force openssl to use an
engine's load key functions when accessing key files, like the
-keyform engine option offered by the openssl command. Does such an option
exist?

Thanks,
Kent
--
Kent Yoder
IBM LTC Security Dev.
Re: TPM support !!!
Hi,

yesterday I released an initial version of an engine [1] that supports the
TPM, right now for 0.9.8 only. Check out the readme, let me know if you have
any questions.

Thanks,
Kent

[1] http://sourceforge.net/project/showfiles.php?group_id=126012&package_id=165637&release_id=361437

On 10/6/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello
>
> Came to know that OpenSSL 0.9.8 supports Trusted Platform Modules (TPM)
> security chip. Could any one please provide more information on this?
> Any pointers at this stage are very much appreciated.
>
> Many thanks,
> Dinesh

--
Kent Yoder
IBM LTC Security Dev.
Re: 0.9.8: simple engine call causes loop
One concern here... The solution as it is in the latest snapshot will require
apps to always call ENGINE_load_builtin_engines() before a call to
ENGINE_by_id(ID), even if ID is a shared object engine. Is this the desired
behavior? It may not be obvious to app writers that the builtin dynamic
engine is used to load .so engines...

Thanks for the help,
Kent

On 9/27/05, Kent Yoder <[EMAIL PROTECTED]> wrote:
> Thanks, it's fixed in the latest snapshot.
>
> Kent
>
> On 9/27/05, Nils Larsch <[EMAIL PROTECTED]> wrote:
>> Kent Yoder wrote:
>>> Hi,
>>>
>>> Calling ENGINE_by_id(anything) before making any other calls to OpenSSL
>>> seems to cause infinite recursion in trying to load the dynamic engine.
>>> I believe adding a call to ENGINE_load_dynamic() before attempting to
>>> load the dynamic engine inside ENGINE_by_id() will fix the problem.
>>
>> sounds similar to [1]. Could you try a recent snapshot.
>>
>> Cheers,
>> Nils
>>
>> [1] http://marc.theaimsgroup.com/?t=11229562032&r=1&w=2
0.9.8: simple engine call causes loop
Hi,

Calling ENGINE_by_id(anything) before making any other calls to OpenSSL seems
to cause infinite recursion in trying to load the dynamic engine. I believe
adding a call to ENGINE_load_dynamic() before attempting to load the dynamic
engine inside ENGINE_by_id() will fix the problem.

Thanks,
Kent
Re: 0.9.8: simple engine call causes loop
Thanks, it's fixed in the latest snapshot.

Kent

On 9/27/05, Nils Larsch <[EMAIL PROTECTED]> wrote:
> Kent Yoder wrote:
>> Hi,
>>
>> Calling ENGINE_by_id(anything) before making any other calls to OpenSSL
>> seems to cause infinite recursion in trying to load the dynamic engine.
>> I believe adding a call to ENGINE_load_dynamic() before attempting to
>> load the dynamic engine inside ENGINE_by_id() will fix the problem.
>
> sounds similar to [1]. Could you try a recent snapshot.
>
> Cheers,
> Nils
>
> [1] http://marc.theaimsgroup.com/?t=11229562032&r=1&w=2
ppc64 build
Hi,

on RHEL4 ppc64 I am getting the same message while building both 0.9.7g and
0.9.8:

[EMAIL PROTECTED] openssl-0.9.7g]# ./Configure linux-ppc64 shared
...
Configured for linux-ppc64.
[EMAIL PROTECTED] openssl-0.9.7g]# make
making all in crypto...
make[1]: Entering directory `/root/openssl-0.9.7g/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
echo '  #define CFLAGS "gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall"'; \
echo '  #define PLATFORM "linux-ppc64"'; \
echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
echo '#endif' ) >buildinf.h
gcc -I. -I.. -I../include -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -c -o cryptlib.o cryptlib.c
gcc: `-b' must come at the start of the command line
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/root/openssl-0.9.7g/crypto'
make: *** [sub_all] Error 1

Any ideas? After doing a ./config, it advised me to use ./Configure for a
64bit build...

Thanks,
Kent
Re: ppc64 build
One thing that seems to work after running Configure is to swap
-bpowerpc64-linux with -m64 in the toplevel Makefile.

Kent

On 7/14/05, Kent Yoder <[EMAIL PROTECTED]> wrote:
> Hi,
>
> on RHEL4 ppc64 I am getting the same message while building both 0.9.7g
> and 0.9.8:
>
> [EMAIL PROTECTED] openssl-0.9.7g]# ./Configure linux-ppc64 shared
> ...
> Configured for linux-ppc64.
> [EMAIL PROTECTED] openssl-0.9.7g]# make
> making all in crypto...
> make[1]: Entering directory `/root/openssl-0.9.7g/crypto'
> ( echo "#ifndef MK1MF_BUILD"; \
> echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
> echo '  #define CFLAGS "gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall"'; \
> echo '  #define PLATFORM "linux-ppc64"'; \
> echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
> echo '#endif' ) >buildinf.h
> gcc -I. -I.. -I../include -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -c -o cryptlib.o cryptlib.c
> gcc: `-b' must come at the start of the command line
> make[1]: *** [cryptlib.o] Error 1
> make[1]: Leaving directory `/root/openssl-0.9.7g/crypto'
> make: *** [sub_all] Error 1
>
> Any ideas? After doing a ./config, it advised me to use ./Configure for a
> 64bit build...
>
> Thanks,
> Kent
Using config to load a shared object engine
Hi,

I've been playing with 0.9.8 and have gotten my engine to load as a .so from
the engines directory, which is excellent. Now I'm trying to use the config
feature to find and load this engine and I'm not having much luck. Here's my
config file:

openssl.cnf

    openssl_init = init_section

    [ init_section ]
    engines = engines_section

    [ engines_section ]
    tpm = tpm_engine_section

    [ tpm_engine_section ]
    engine_id = tpm
    dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
    default_algorithms = ALL
    init = 1

and test program:

test.c

    #define OPENSSL_LOAD_CONF 1
    #include <stdio.h>
    #include <openssl/engine.h>
    #include <openssl/conf.h>

    int main(void)
    {
        RSA *rsa = NULL;

        /* with OPENSSL_LOAD_CONF defined this also reads the config file */
        OpenSSL_add_all_algorithms();
        rsa = RSA_new();
        RSA_free(rsa);

        return 0;
    }

In tracing through, I can see that the engine pointer isn't getting assigned
in the new RSA object. Is there anything I'm missing here?

Thanks,
Kent
Re: Using config to load a shared object engine
BINGO... thanks Nils... Looks like dynamic_path and engine_id are somewhat
interchangeable; having either finds my .so.

Kent

On 6/3/05, Nils Larsch <[EMAIL PROTECTED]> wrote:
> Kent Yoder wrote:
>> Hi,
>>
>> I've been playing with 0.9.8 and have gotten my engine to load as a .so
>> from the engines directory, which is excellent. Now I'm trying to use the
>> config feature to find and load this engine and I'm not having much luck.
>> Here's my config file:
>>
>> openssl.cnf
>>
>>     openssl_init = init_section
>>
>>     [ init_section ]
>>     engines = engines_section
>>
>>     [ engines_section ]
>>     tpm = tpm_engine_section
>>
>>     [ tpm_engine_section ]
>>     engine_id = tpm
>>     dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
>>     default_algorithms = ALL
>>     init = 1
>
> try something like this (mutatis mutandis of course), note: the
> openssl_conf value is the important one.
>
>     openssl_conf = openssl_def
>
>     [openssl_def]
>     engines = engine_section
>
>     [engine_section]
>     foo = pkcs11_section
>
>     [pkcs11_section]
>     dynamic_path = /home/nils/lib/opensc/engine_pkcs11.so
>     engine_id = pkcs11
>
> Nils
openssl config file location
Hi,

the page http://www.openssl.org/docs/crypto/OPENSSL_config.html claims that
OPENSSL_CONFIG should be the environment variable to set for an alternate
config file, however it appears that the code wants OPENSSL_CONF. Also, the
OPENSSL_config.3 man page shows OPENSSL_CONFIG.. Other manpages such as ca.1
show OPENSSL_CONF...

Kent
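The configs in the two previous threads and in the SSL_CTX_use_PrivateKey_file() reply at the top of this page differ in the one top-level key the library actually looks for, and the message above is about which environment variable names the file. The following Python is an added example, not code from any of these posts or from OpenSSL: it parses the subset of openssl.cnf syntax used in the threads, follows the chain openssl_conf -> engines -> engine section the way the config-loading hooks do, and reports why Kent's openssl_init version resolves to no engine at all while Nils' openssl_conf version resolves to the pkcs11 engine; config_path() reads OPENSSL_CONF (not OPENSSL_CONFIG). The two sample configs are copied from the threads; restricting the parser to `[section]` headers and `key = value` lines (no $var expansion or .include) and the wording of the problem messages are my own assumptions.

```python
"""Which engines would an openssl.cnf load?  Follows the chain
openssl_conf -> engines -> <engine section>.  Added example, not OpenSSL code."""
import re

# Kent's config from "Using config to load a shared object engine":
# the top-level key is openssl_init, which the library never looks for.
BROKEN_CONF = """\
openssl_init = init_section
[ init_section ]
engines = engines_section
[ engines_section ]
tpm = tpm_engine_section
[ tpm_engine_section ]
engine_id = tpm
dynamic_path = /usr/local/ssl/lib/engines/libtpm.so
default_algorithms = ALL
init = 1
"""

# Nils' working fragment from the reply in that thread.
PKCS11_CONF = """\
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
foo = pkcs11_section
[pkcs11_section]
dynamic_path = /home/nils/lib/opensc/engine_pkcs11.so
engine_id = pkcs11
"""

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")


def parse_conf(text):
    """Parse the subset of openssl.cnf syntax used in the threads: '[ name ]'
    headers, 'key = value' lines, '#' comments.  Keys before the first header
    go to the 'default' section, as in OpenSSL.  Assumption: no $var
    expansion, .include or line continuations."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def resolve_engines(sections, app_name="openssl_conf"):
    """Follow default.<app_name> -> engines -> one section per alias.
    Returns (engines, problems): engines maps alias -> its settings, problems
    lists why the library would load nothing (or less than expected)."""
    problems = []
    top_name = sections["default"].get(app_name)
    if top_name is None:
        problems.append("no '%s' key in the default section; nothing is loaded" % app_name)
        return {}, problems
    top = sections.get(top_name, {})
    engines_name = top.get("engines")
    if engines_name not in sections:
        problems.append("[%s] has no usable 'engines' key" % top_name)
        return {}, problems
    engines = {}
    for alias, sect_name in sections[engines_name].items():
        sect = sections.get(sect_name)
        if sect is None:
            problems.append("engine '%s': section [%s] is missing" % (alias, sect_name))
        # Per the thread, either key is enough to find the .so: engine_id goes
        # through the engines directory, dynamic_path names the file directly.
        elif "engine_id" not in sect and "dynamic_path" not in sect:
            problems.append("engine '%s': neither engine_id nor dynamic_path" % alias)
        else:
            engines[alias] = dict(sect)
    return engines, problems


def config_path(environ):
    """File the library would read: OPENSSL_CONF (not OPENSSL_CONFIG, as the
    old man page said).  None means the compiled-in default path."""
    return environ.get("OPENSSL_CONF")


if __name__ == "__main__":
    import os
    for label, text in (("kent", BROKEN_CONF), ("nils", PKCS11_CONF)):
        print(label, resolve_engines(parse_conf(text)))
    print("config file:", config_path(os.environ) or "(compiled-in default)")
```

resolve_engines() reports rather than raises, so it can be pointed at a system openssl.cnf before an app compiled with -DOPENSSL_LOAD_CONF is. Because dynamic_path names a shared object that every config-enabled process in the system will load, the file it points to deserves the same ownership and permission review as the config file itself.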
New IBMCA engine ... was Re: ssl3 write pending - bad write retry
Arne and Geoff,

Sorry for the long delay in this reply, but thanks for your help. This turned
out to be barking up the wrong tree in the beginning, an error in the way our
homebrewed server app was reporting SSL errors, and not load based at all...
The real problem was that the engine implementation I was working on was not
correctly handling the DES-CBC chaining that it needed to, as well as not
accounting for decrypts in place.

This new engine is available at:
http://www-124.ibm.com/developerworks/projects/libica under openssl-patches.
It now accelerates DES/TDES, SHA, RSA and RNG.

Kent

On Thursday 04 September 2003 02:12 pm, Geoff Thorpe wrote:
> Hi there,
>
> On September 4, 2003 02:10 pm, Arne Ansper wrote:
>> Of course the correct fix is to remove this code (the if sentences above)
>> completely, because it is not needed. The rationale why it is not needed
>> is written down in this thread:
>> http://www.mail-archive.com/[EMAIL PROTECTED]/msg00053.html
>
> Flicking over that thread, it appears you and Ben were sorting this out
> but clearly one part of it slipped through the cracks. Do you want to open
> a RT ticket and put the details in there? (Eg. you could also assign it to
> Ben seeing as he's the one who's already been fishing around in this).
>
> BTW: A normal problem on the openssl lists is that people post -users
> stuff to the -dev list, but this appears to be one of those rare instances
> where perhaps it's the other way round ...
>
> Cheers,
> Geoff
Re: ssl3 write pending - bad write retry
Thanks for the tip, but unfortunately that didn't fix the problem. I'm still
seeing the same behavior...

Kent

On Thursday 04 September 2003 05:11 am, Arne Ansper wrote:
> On Wed, 3 Sep 2003, Kent Yoder wrote:
>> Hi,
>>
>> Under heavy load (> 95%) on s390 (SLES8, openssl-0.9.7b), I've been
>> seeing these bad write retries. We're using 12 PCICA cards with IBMCA
>> engine enabled and home-brew openssl client/server apps, and the errors
>> only happen when doing hardware DES. I discovered the following bug for a
>> similar problem, which claims to have a patch. Was this patch included in
>> openssl-0.9.7b? If not, where can I find it?
>>
>> Bug: http://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=598
>>
>> (The post mentions requests over 250k, but all our client requests are
>> 2k.)
>>
>> We're also seeing SSL_F_SSL3_SETUP_KEY_BLOCK:SSL_R_BAD_WRITE_RETRY on
>> s390x at the same high CPU utilization, same configuration. Below 95% CPU
>> on both platforms runs error free.
>
> You should do:
>
>     SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
>
> For your SSL_CTX before creating SSL structures out of it. This will fix
> the problem. In my opinion this option should be default.
>
> Arne
ssl3 write pending - bad write retry
Hi,

Under heavy load (> 95%) on s390 (SLES8, openssl-0.9.7b), I've been seeing
these bad write retries. We're using 12 PCICA cards with IBMCA engine enabled
and home-brew openssl client/server apps, and the errors only happen when
doing hardware DES. I discovered the following bug for a similar problem,
which claims to have a patch. Was this patch included in openssl-0.9.7b? If
not, where can I find it?

Bug: http://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=598

(The post mentions requests over 250k, but all our client requests are 2k.)

We're also seeing SSL_F_SSL3_SETUP_KEY_BLOCK:SSL_R_BAD_WRITE_RETRY on s390x
at the same high CPU utilization, same configuration. Below 95% CPU on both
platforms runs error free.

Thanks for any help in advance,
Kent