Re: EC_POINT_get_affine_coordinates replacement in 3.0

On Tue, May 3, 2022 at 3:18 PM Chris Bare wrote: > > > On Tue, May 3, 2022 at 3:10 PM William Roberts > wrote: >> >> On Tue, May 3, 2022 at 1:14 PM Chris Bare wrote: >> > >> > I'm converting some openssl 1.0 code to 3.0 and I don't know how to g

Re: EC_POINT_get_affine_coordinates replacement in 3.0

On Tue, May 3, 2022 at 1:14 PM Chris Bare wrote: > > I'm converting some openssl 1.0 code to 3.0 and I don't know how to get the > coordinates > in a 3.0 way. > The old code is: > BN_CTX *ctx = BN_CTX_new (); > BIGNUM *X = NULL, *Y = NULL; > const EC_POINT *pubkey; > const EC_GROUP *group; >

Re: RSA test vectors, etc.

On Wed, Apr 27, 2022 at 11:46 AM Philip Prindeville wrote: > > Oh, forgot one other issue: > > I also need to pick apart the RSA keys into their constituent exponents, > modulus, etc. as BN's that I can then compare to bit-strings. > > With the old RSA_* routines this was trivial. How does one

Re: Cross-project request... looking for input on a rewrite of Asterisk's res_crypto.c module

On Tue, Mar 29, 2022 at 3:40 PM Philip Prindeville wrote: > > Hi, > > I'm trying to develop a newer replacement module for Asterisk's res_crypto > that is (for now) 1.1.x compatible but can be easily updated to 3.0 (and > maybe even easily add provider support for TPM escrowed secrets, etc).

Re: EVP_PKEY_fromdata_init returns unsupported.

On Mon, Feb 28, 2022 at 2:59 AM Matt Caswell wrote: > > > > On 25/02/2022 22:07, William Roberts wrote: > > Hello, > > > > In openssl 3.0.1 the following code hits the ctx->keymgt is null check > > and thus returns -2 > > in pmeth_gn.c: > &

Re: EVP_PKEY_fromdata_init returns unsupported.

On Fri, Feb 25, 2022 at 4:19 PM William Roberts wrote: > > Hi Kory, > > its the line: > genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL); > > There's a snippet in the first email or is there something else you're > asking me and I'm not groking it? >

Re: EVP_PKEY_fromdata_init returns unsupported.

; How are you creating the EVP_PKEY_CTX? > > Kory > > > > On Feb 25, 2022, at 2:07 PM, William Roberts > > wrote: > > > > Hello, > > > > In openssl 3.0.1 the following code hits the ctx->keymgt is null check > > and thus returns -2 &

EVP_PKEY_fromdata_init returns unsupported.

Hello, In openssl 3.0.1 the following code hits the ctx->keymgt is null check and thus returns -2 in pmeth_gn.c: static int fromdata_init(EVP_PKEY_CTX *ctx, int operation) { if (ctx == NULL || ctx->keytype == NULL) goto not_supported; evp_pkey_ctx_free_old_ops(ctx); if

Re: Congratulations! Missing 3.0.0 tag?

On Wed, Sep 8, 2021 at 5:15 PM Steffen Nurpmeso wrote: > > Hello. > > William Roberts wrote in > : > |It's there: > |https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 > | > |I checked it out this morning. > > Oh! I have > > fetch =

Re: Congratulations! Missing 3.0.0 tag?

It's there: https://github.com/openssl/openssl/releases/tag/openssl-3.0.0 I checked it out this morning. On Wed, Sep 8, 2021, 16:32 Steffen Nurpmeso wrote: > Yeah? > :) > > --steffen > | > |Der Kragenbaer,The moon bear, > |der holt sich munter he cheerfully and one by

What to replace low-level padding operations with in OSSL 3.0?

I have code that applies PCKS1.5 padding via RSA_padding_add_PKCS1_type_1 and strips it with RSA_padding_check_PKCS1_type_2 before sending it to the HSM for raw RSA operation to support a legacy PKCS11 interface. Is there any way to perform these tasks with OpenSSL 3.0? Thanks, Bill

Re: openssl 3.0.0 valgrind failure on OPENSSL_ia32_cpuid

On Fri, Aug 27, 2021 at 2:47 PM Ken Goldman wrote: > > I run valgrind on all my software to find memory leaks. This worked for > openssl 1.0.2 and 1.1.1, but fails with 3.0.0. Suggestions? > > vex amd64->IR: unhandled instruction bytes: 0xF3 0xF 0x1E 0xFA 0x49 0x89 0xD8 > 0x31 > vex amd64->IR:

Re: HMAC verification with EVP Interface

On Thu, Aug 26, 2021 at 3:01 AM Tomas Mraz wrote: > > On Wed, 2021-08-25 at 13:20 -0500, William Roberts wrote: > > Hello, > > > > I am trying to verify an HMAC signature with the code below and the > > EVP_DigestVerifyInit() > > routine is failing w

HMAC verification with EVP Interface

Hello, I am trying to verify an HMAC signature with the code below and the EVP_DigestVerifyInit() routine is failing with "error:0608F096:digital envelope routines:EVP_PKEY_verify_init:operation not supported for this keytype". Eventually it gets to EVP_PKEY_verify_init() and since the

Re: RSA_set0_key() equivalent for 3.0.0

On Wed, Jul 14, 2021, 09:27 Ken Goldman wrote: > On 7/13/2021 5:14 PM, William Roberts wrote: > > Outside of the migration guide others have pointed out, I think the > functions you need are: > > > > https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_set1_RSA.html <

Re: RSA_set0_key() equivalent for 3.0.0

I'd be nice to have a more detailed porting guide, I'd been poking into this a little bit, but did you see Matt's response? (Pasted below) Those functions are deprecated. Better would be EVP_PKEY_fromdata(): https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_fromdata.html On Wed, Jul 14,

Re: RSA_set0_key() equivalent for 3.0.0

Outside of the migration guide others have pointed out, I think the functions you need are: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_set1_RSA.html Use use EVP level now as pointed out in the guide. On Tue, Jul 13, 2021, 16:04 Ken Goldman wrote: > What is the 3.0.0 equivalent to

Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?

On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote: > > Hello all, > > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( > bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code > snippet of custom bn_mod_exp function: > -- > if(rr->d) > { >

RE: Can't link a static library with custom OpenSSL rsa engine

You might try changing this: 8. gcc -shared -o librsa_engine.so libdune/libdune.a -lcrypto rsa-engine.o rsa/rsa.o rsa/bignum.o rsa/aes.o rsa/x509parse.o rsa/pem.o to this: gcc –shared –o librsa_engine.so –L./libdune rsa_engine.o rsa/rsa.o rsa/bignum.o rsa/aes.o

Re: x509_store_ctx_st structure in openssl 1.1.1

On Mon, Jun 22, 2020 at 10:45 AM shiva kumar wrote: > > Hi, > I was using the structure > struct x509_store_ctx_st > provide by x509_vfy.h in openssl 1.0.2, but can you please help me on how to > use the same or alternative for the above structure on openssl 1.1.1 I think just use the accessor

Re: OpenSSL vs SPKI

On Mon, Apr 6, 2020, 11:59 PM Jason Proctor wrote: > On Mon, Apr 6, 2020 at 9:44 PM William Roberts > wrote: > > > > > > There's setter functions now. See: > > https://www.openssl.org/docs/man1.1.0/man3/RSA_set0_key.html > > Thanks, yes it does look li

Re: OpenSSL vs SPKI

On Mon, Apr 6, 2020, 9:16 PM Jason Proctor wrote: > Distinguished crypto community, > > I have the requirement to import RSA keypairs generated by the Amazon > Key Management System into my environment. These keypairs arrive in > the de facto standard of SPKI for the public component and PKCS8

Re: [RFC] TLS salt length auto detection, switch from DIGEST to AUTO

On Thu, Feb 27, 2020 at 1:01 PM Andersen, John S wrote: > > Hi All, > > The TPM 2.0 PKCS11 project has been attempting to get the TPM working with > EAP-TLS WiFi. > > We've run into an issue where the TPM spec specifies that for RSA PSS signing > keys, the random salt length will be the largest

Re: Add ECDSA signature R and S to X509 structure

This thread actually has some code on it for doing this: https://www.mail-archive.com/openssl-users@openssl.org/msg86672.html Bill On Mon, Aug 26, 2019 at 9:46 AM Ken Goldman wrote: > > On 8/17/2019 5:35 AM, Billy Brumley wrote: > > Hey Ken, > > > >> I have an ECDSA signature supplied to me as

Re: i2d_ASN1_INTEGER zero pad

On Tue, Aug 6, 2019 at 11:18 AM William Roberts wrote: > > On Tue, Aug 6, 2019 at 11:16 AM Matt Caswell wrote: > > > > > > > > On 06/08/2019 17:00, William Roberts wrote: > > > On Tue, Aug 6, 2019 at 10:56 AM Matt Caswell wrote: > > >> > &

Re: i2d_ASN1_INTEGER zero pad

On Tue, Aug 6, 2019 at 11:16 AM Matt Caswell wrote: > > > > On 06/08/2019 17:00, William Roberts wrote: > > On Tue, Aug 6, 2019 at 10:56 AM Matt Caswell wrote: > >> > >> > >> > >> On 06/08/2019 16:34, William Roberts wrote: > >

Re: i2d_ASN1_INTEGER zero pad

On Tue, Aug 6, 2019 at 10:56 AM Matt Caswell wrote: > > > > On 06/08/2019 16:34, William Roberts wrote: > > Hi, > > I occasionally get spurious errors in my ECDSA signatures, and it > > appears that when the top byte is over 0x80 of either the R or S > >

i2d_ASN1_INTEGER zero pad

Hi, I occasionally get spurious errors in my ECDSA signatures, and it appears that when the top byte is over 0x80 of either the R or S component, that I get a zero pad. I noticed all this when reading through the source, their was some comments (see below). I noticed a d2i_ASN1_UINTEGER, but I

Re: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID

On Wed, Nov 28, 2018 at 1:22 AM Fuchs, Andreas wrote: > > Hi all, > > I'm currently implementing a TPM2 engine for OpenSSL over at > https://github.com/tpm2-software/tpm2-tss-engine > The problem I'm facing is that OpenSSL's TLS negotiation will request ECDSA > from my engine with any hash alg,

[openssl-users] public version of encode_pkcs1

I would like to use OpenSSL to compute the DigestInfo structure to pass to a TPM for a TPM side RSA_Decrypt() operation when the TPM doesn't support the digest algorithm. I see in crypt/rsa_sign.c the routine encode_pkcs1() seems to do what I want. Is their a public version of this or a better

Re: [openssl-users] Migrating to openssl 1.1.1 in real life linux server

On Tue, Sep 11, 2018, 13:10 Kurt Roeckx wrote: > On Tue, Sep 11, 2018 at 04:59:45PM +0200, Juan Isoza wrote: > > Hello, > > > > What is the better way, for anyone running, by example, Apache or nginx > on > > a popular Linux districution (Ubuntu, Debian, Suse) and want support TLS > > 1.3 ? > >

[openssl-users] How to encode R and S of an ECDSA signature to ASN1 sequence

I can successfully deconstruct an an ECDSA Signature Sequence, but now I need to construct it, and I am getting lost. The format I need to build is: sECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } I have r and s as buffers in the same format as returned from: d2i_ASN1_INTEGER() if one

Re: [openssl-users] Using a TPM to sign CSRs

On Sat, Jul 28, 2018, 09:13 Devang Kubavat wrote: > Hi Kaarhik, > > Please refer https://github.com/ThomasHabets/openssl-tpm-engine. It is > OpenSSL TPM Engine. It will help to offload all crypto operation to TPM. > Is this for tpm2.0? > Regards, > Devang. > > On Tue, Jul 24, 2018 at 4:48 PM,

Re: [openssl-users] conversion of RAND_bytes to rand in fips apporved way

On Wed, Jul 25, 2018 at 11:30 AM, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of >> Sudarshan Soma >> Sent: Wednesday, July 25, 2018 12:13 > >> But rand() returns max value of 32767 . Is there a recomended way to >> convert RAND_bytes to

Re: [openssl-users] Using a TPM to sign CSRs

On Tue, Jul 24, 2018 at 4:18 AM, Kaarthik Sivakumar wrote: > Hello > > I need to create a key pair using a TPM (proprietary) and build a CSR and What TPM Version? If it's TPM 2.0, a new Engine project has emerged here: https://github.com/tpm2-software/tpm2-tss-engine This might be able to

Re: [openssl-users] engine interface for genrsa

he CAPI engine) implement the genrsa hook. If you are > looking for wide compatibility you may wish to ask your clients to do key > generation using an external utility (as that's how almost everyone else > does it). I have only looked at the PKCS11 module, and it's quite limited in functiona

Re: [openssl-users] engine interface for genrsa

On Fri, Apr 13, 2018 at 2:55 PM, Richard Levitte <levi...@openssl.org> wrote: > In message > <CAFftDdqWPXq1+Mo9_6J0EzhZ4uwg5QC=R5fx8N1j=qycha8...@mail.gmail.com> on Fri, > 13 Apr 2018 09:17:28 -0700, William Roberts <bill.c.robe...@gmail.com> said: > > bill.

[openssl-users] engine interface for genrsa

I am currently working on writing an openssl engine to interface with a piece of hardware. I am trying to understand how to implement rsa key generation, where the private key bytes would not be available. I am currently invoking the command: openssl genrsa -engine foo Which is calling my

Re: [openssl-users] Static FIPS Library with Address Randomization

On Fri, Mar 17, 2017 at 12:06 PM, Michael Wojcik wrote: > >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Neptune >> Sent: Friday, March 17, 2017 09:26 >> To: openssl-users@openssl.org >> Subject: [openssl-users] Static FIPS Library

Re: [openssl-users] error making Private RSA

printf( RED " ERROR: Could not load Private KEY!\n" " PEM_read_bio_RSA_PUBKEY FAILED:\n %s\n" OFF, ERR_error_string( ERR_get_error(), NULL ) ) ; else Check_Key( RSA2, ";" ); -- William Estrada Mt Umunhum, CA, USA, Earth

Re: [openssl-users] error making Private RSA

B4559 2D2D2D2D 2D0A /* KEY-. */ End of block - 426 bytes --------- /* */ Method 1 ERROR: Could not load PUBLIC KEY! PEM_read_bio_RSA_PUBKEY FAILED: error:0906D06C:PEM routines:func(109):reason(108) Method 2 107 (Key) Make Key Failed! error:2007507E:BIO routines:func(117):reason(126) Method 3 116 (Key) Make Key Failed! error:0407B093:rsa routines:func(123):reason(147) BIO RC: 1 121 (Key) Make Key Failed! error:0407B093:rsa routines:func(123):reason(147) Method 4 EVP Error: (null) 142 (Key) Make Key Failed! error:0407B093:rsa routines:func(123):reason(147) No usable RSA structures, quiting Hope this clarifies what I am attempting to do? Appreciate any help, thanks for your time. -- William Estrada Mt Umunhum, CA, USA, Earth HTTP:// Mt-Umunhum-Wireless.net Skype: MrUmunhum -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] error making Private RSA

a static buffer? It points to a char string > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- William Estrada Mt Umunhum, CA, USA, Earth HTTP:// Mt-Umunhum-Wireless.net Skype: MrUmunhum -- openssl-users mailing lis

Re: [openssl-users] I'm not getting an Emails after posting

It's my SPAM filtering, somehow this list go on it. > How do I set up to receive Email notices for my post here? > > > -- > William Estrada > Mt Umunhum, CA, USA, Earth > HTTP:// Mt-Umunhum-Wireless.net > Skype: MrUmunhum > > -- > openssl-users mai

[openssl-users] I'm not getting an Emails after posting

How do I set up to receive Email notices for my post here? -- William Estrada Mt Umunhum, CA, USA, Earth HTTP:// Mt-Umunhum-Wireless.net Skype: MrUmunhum -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] error making Private RSA

Not sure this is the proper way to use this mailing system? My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c What version of openssl? I'm guessing 1.0.2. Put this line inyour code ERR_load_ERR_strings(); And youll get a more informative message. I'm using: openssl

[openssl-users] error making Private RSA

or:2007507E:lib(32):func(117):reason(126) Can anyone tell me what this error is and how to fix it? -- William Estrada Mt Umunhum, CA, USA, Earth HTTP:// Mt-Umunhum-Wireless.net Skype: MrUmunhum -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] BIO_seek() on bio_f_cipher with EVP_aes_256_ctr

"Matched\n"); } Does the BIO_seek() not handle incrementing or decrementing the IV counter? is there a callback that needs to be set to calculate what the IV counter value should be for a given file position for the cipher? William King Senior Engineer Quentus Technologies, INC 1037

Re: [openssl-users] BIO_seek() on bio_f_cipher with EVP_aes_256_ctr

28); /* END CODE BLOCK */ What I'm finding is that using fread() of the unencrypted file and comparing that to the BIO_seek() then BIO_read(), the data is not properly decrypted. Comparing fread() of the unencrypted file, to just doing BIO_read()'s does decrypt the file correctly. William King Senio

[openssl-users] BIO_seek() on bio_f_cipher with EVP_aes_256_ctr

What is needed to be able to BIO_seek() on a bio_f_cipher() with a cipher of EVP_aes_256_ctr() without the counter, or IV or another internal state getting corrupted? It seems that doing a seek any direction results in corrupted output. -- William King Senior Engineer Quentus Technologies, INC

[openssl-users] openssl-1.0.1r fips anomaly

Hi, I'm trying to dig through a problem where building the FIPS capable version of OpenSSL-1.0.1r is not generating the correct code. I have done the following: Created the fips canister according to the instructions in the User Guide, and installed it. Then in the openssl source, I use

Re: [openssl-users] Removing some systems

Just FTR... http://www.osnews.com/story/28933/Blue_Lion_new_OS_2_distribution_due_2016 Not that I'd take that as a mandate to preserve support... We are having the same internal dialog at the ASF httpd project and coming to the same conclusions. On Mar 17, 2016 1:36 PM, "Salz, Rich"

Re: [openssl-users] Segfault in libcrypto.so

us to know how wanguard is structured (we can't track every product that uses openssl), they're more familiar with its error modes and how to work through them. -Kyle H On 12/17/2015 10:00 PM, Alex william wrote: > > Hello, > > > > > I have been trying to inst

[openssl-users] Segfault in libcrypto.so

Hello, I have been trying to install a product named wanguard and each time am starting a collector I receive this error message: segfault at efe000 ip 7ffb571e479c sp 7ffced00dcf0 error 4 in libcrypto.so.1.0.0[7ffb57166000+1cb000] And the collector stops immediately. Has anyone

[openssl-users] Question about using fipsld for shared objects

So, I am trying to create a shared object to implement some functionality in libpam. It has dependencies on a number of dynamic objects, but I am trying to include statically linked copies of libcrypto and libssl. These are coming from a FIPS capable version of OpenSSL (1.0.1)built and

Re: Possible bug in GCM/GMAC with (just) AAD of size unequal to block size

On Nov 19, 2014, at 5:03 PM, Maarten Bodewes maarten.bode...@gmail.com wrote: Hi all, I would be very grateful if somebody could explain why the following problem occurs: a test vector with an AAD of 20 bytes created an authentication tag that is not correct, this could for

Re: Possible bug in GCM/GMAC with (just) AAD of size unequal to block size

On Nov 19, 2014, at 6:09 PM, William McGovern w...@thaiglish.com wrote: On Nov 19, 2014, at 5:03 PM, Maarten Bodewes maarten.bode...@gmail.com mailto:maarten.bode...@gmail.com wrote: Hi all, I would be very grateful if somebody could explain why the following problem occurs

Re: Possible bug in GCM/GMAC with (just) AAD of size unequal to block size

On Nov 19, 2014, at 6:26 PM, William McGovern w...@thaiglish.com wrote: On Nov 19, 2014, at 6:09 PM, William McGovern w...@thaiglish.com mailto:w...@thaiglish.com wrote: On Nov 19, 2014, at 5:03 PM, Maarten Bodewes maarten.bode...@gmail.com mailto:maarten.bode...@gmail.com wrote

Re: Possible bug in GCM/GMAC with (just) AAD of size unequal to block size

On Nov 19, 2014, at 6:26 PM, William McGovern w...@thaiglish.com wrote: On Nov 19, 2014, at 6:09 PM, William McGovern w...@thaiglish.com mailto:w...@thaiglish.com wrote: On Nov 19, 2014, at 5:03 PM, Maarten Bodewes maarten.bode...@gmail.com mailto:maarten.bode...@gmail.com wrote

RE: Sha256

Hi Aya, I have not tried this with a self-signed certificate, but putting the -sha256 option in the signature command has worked for me before, i.e., x509 -req -in server.csr -signkey server.key -out server.crt -sha256 The can check the attribute with: x509 -text -in server.crt ... Signature

Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote: Hi, I have compiled openssl-fips and openssl in Windows CE 6. But when I run fips_premain_dso.exe libeay32.dll in target environment I get following error: =

Re: FIPS enabled OpenSSL fails to load libeay32.dll in Windows CE 6

On Tue, 21 May 2013 16:12:45 +0530 Abhijit Ray Chaudhury abhijit.ray.chaudh...@gmail.com wrote: Which means GetProcAddress is failing for symbol name FINGERPRINT_premain. But if I do dumpbin /exports libeay32.dll, I can see the symbol FINGERPRINT_premain exported. Quote that output line from

Re: SSL mode flags - verification of certificates: is it safe to use none?

Hi Dave, Thank you very much. You just answered all my questions. That helped a lot!! Regards, David William On Tue, Sep 25, 2012 at 9:15 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of David William Sent: Tuesday, 25 September, 2012 07:07

SSL mode flags - verification of certificates: is it safe to use none?

with a self signed certificate? Thanks, David William

RE: converting pem to der

Hi, Does the PEM file have any Bag Attributes at the head of the file before -BEGIN CERTIFICATE-? Not sure, but I have heard these can cause issues with conversions. Regards, Bill -Original Message- From: owner-openssl-us...@openssl.org

RE: converting pem to der

Hi, Does the PEM file have any Bag Attributes at the head of the file before -BEGIN CERTIFICATE-? Not sure, but I have heard these can cause issues with conversions. Regards, Bill -Original Message- From: owner-openssl-us...@openssl.org

Re: OpenSSL and AES-NI not there?

--- On Sun, 2/12/12, Ryan Brown mp3g...@gmail.com wrote: From: Ryan Brown mp3g...@gmail.com Subject: OpenSSL and AES-NI not there? To: openssl-users@openssl.org Date: Sunday, February 12, 2012, 7:39 PM Wanting to use AES-NI extension, but I'm not seeing it there.. Using Intel E3-1230 on a

Re: Can't start Apache when ssl is enabled on RHEL v5.7

/dev/random is your culprit... your config isn't 100% transportable between Solaris and linux. Sent from my Verizon Wireless 4G LTE Phone -Original message- From: Ruiyuan Jiang ruiyuan_ji...@liz.com To: openssl-users@openssl.org openssl-users@openssl.org Sent: Mon, Jan 23, 2012

Re: Failing to build OpenSSL 1.0.0f on obsolete Debian box (i386, kernel 2.0.36)

On 1/18/2012 9:57 AM, Brooke, Simon wrote: Sadly, removing -fomit-frame-pointer does not work. Isn't that the default behavior for -O3? __ OpenSSL Project http://www.openssl.org User Support

Re: FW: FIPS validation and TLS 1.2

On 11/1/2011 8:35 PM, Bin Lu wrote: Do you have an answer for my question below? Is the fips-2.0-test code branched off from a FIPS-capable version? Which version is it based on if yes? AIUI, fipscanister doesn't include TLS 1.2. Nor 1.0, nor SSLv3 or v2. That's the beauty of proper

Re: FIPS-capable OpenSSL that works on Windows NT

On 10/5/2011 10:08 AM, Dr. Stephen Henson wrote: On Tue, Oct 04, 2011, William A. Rowe Jr. wrote: On 10/4/2011 10:45 PM, Bill Durant wrote: But when I run it under Windows NT, I get the following run-time error: The procedure entry point Module32NextW could not be located

Re: FIPS-capable OpenSSL that works on Windows NT

On 10/4/2011 10:45 PM, Bill Durant wrote: Does anyone know how to produce a FIPS-capable OpenSSL that works on Windows NT? It's likely not possible... But when I run it under Windows NT, I get the following run-time error: The procedure entry point Module32NextW could not be

about OPENSSL_set_locking_callback

and How to correctly Call Pthread_destroy_mutex and OPENSSL_free? Or, NOT Need to Call these two functions? Thanks, Regards. William

Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

On 5/7/2011 7:16 AM, Justin Schoeman wrote: It does not matter which of these I try, openssl always binds to '::1:8008', which does not accept IPV4. I have tried various combinations of: BIO_new_accept(0.0.0.0:8008) This syntax should have bound to all IPv4 interfaces alone, so as

Best way to encode a LDAP human readable Distinguished Name string to DER format with openssl

Hi, I have read this thread: Best way to convert a DER-encoded DN? http://www.mail-archive.com/openssl-users@openssl.org/msg37207.html, and I wanted to ask if someone knows what is the best method to do the reverse operation, respectively the encoding of a LDAP human readable string

Re: FIPS compliance question regarding openssl distributions

On 3/6/2011 3:48 PM, Tim Hudson wrote: In the example of building the openssl FIPS *capable* distribution, it seems one should take the distribution from the official openssl.org/source website and validate it using PGP. However, FreeBSD ships openssl distribution within its source tree.

Re: OpenSSL with Managed C++

On 1/31/2011 1:07 PM, John R Pierce wrote: On 01/31/11 10:55 AM, Harshvir Sidhu wrote: Hi, Can we use OpenSSL lib with Managed C++? Thanks. can you call native C style DLL's from this 'Managed C++' (whatever that is) ? my initial google of 'Managed C++' indicates its a Microsoft .NET

Re: OpenSSL 0.9.7

On 1/6/2011 12:23 PM, Garry S Ditzler wrote: Can you tell me if OpenSSL 0.9.7 is still supported? Yes, the answer is no, it is not. __ OpenSSL Project http://www.openssl.org User Support Mailing

Re: OpenSSL 1.0.0b testssl fails

On 11/18/2010 10:36 AM, Dr. Stephen Henson wrote: A 1.0.0c release is planned in the next few days. We're just seeing if any other issues arise before the release: a couple have been fixed already. Have any observed issues affected 0.9.8p? If so, is there a planned .8q?

Re: OpenSSL 1.0.0b testssl fails

On 11/18/2010 12:05 PM, Victor Duchovni wrote: None that are publically visible. You can check for yourself: No commits to the 0.9.8 branch after the release of 0.9.8p. http://cvs.openssl.org/chngview?cn=19996 I was aware of this. It's why I raised the question, if any of these were

Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister. No tweaks, no exceptions to the security policy. Then it's possible but non-trivial to integrate these

Re: Building FIPS-capable OpenSSL as a universal binary on Mac OS X

On 10/13/2010 7:22 PM, Bill Durant wrote: On Oct 13, 2010, at 5:19 PM, William A. Rowe Jr. wrote: On 10/13/2010 3:31 PM, Bill Durant wrote: I am interested in building the static version of the FIPS-capable OpenSSL as an universal binary. Three builds, per spec, of the FIPS canister

what RNG implementations are available in 1.0.0 and above?

I noticed that there is an AES-based FIPS implementation distributed with validated FIPS version based upon 0.9.8. Does 1.0.0 have an X9.31 compliant RNG available? Thank you, Bill

Re: DLL issues with Windows

On 9/30/2010 11:42 AM, Jakob Bohm wrote: In Windows XP, Microsoft introduced their own badly designed idea of versioned so-names in the form of so-called Assemblies. Unless you are writing .NET code, you should really avoid that nonsense. I expect SxS packages for openssl (and several other

Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

On 8/3/2010 1:17 PM, William A. Rowe Jr. wrote: On 8/3/2010 10:05 AM, Bryan wrote: I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile? This is well documented in the FIPS user guide and security policy

Re: Differences between openssl-0.9.8o and openssl-fips-1.2.tar.gz

On 8/3/2010 10:05 AM, Bryan wrote: I see a fips directory in 0.9.8o. If I'm building OpenSSL with FIPS on cygwin, should I use the openssl-fips, or use the 0.9.8o tarfile? This is well documented in the FIPS user guide and security policy, and if you haven't read them in detail, what you are

Re: RPMBuild for FIPS OpenSSL

On 7/9/2010 9:05 AM, Steve Marquess wrote: Mark Parr wrote: Use of the FIPS OpenSSL is a mandated thing and not just something that we are looking to do for the fun of it. In fact, the base OpenSSL was working fine using the FIPS AES 256 encryption in a non FIPS Certified mode. ... Yes,

openssl 1.0.0.a OCSP responder problem

Hi, Is there a way to make the version 1.0.0a ocsp responder to sign responses using SHA256? The rsigner certificate is SHA256 and the requests are signed with SHA256 but responses are always SHA1. I saw a reference in a thread from 5/13/10 to draft-ietf-pkix-ocspagility that seems to imply

Re: error from generated code in ntdll.mak

On 6/24/2010 4:04 AM, Deckers, Rob wrote: Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp IF EXIST out32dll\libeay32.dll.manifest mt -nologo -manifest out32dll\libeay32.dll.manifest -outputresource:out32dll\libeay32.dll;2 mt: Unknown option -n Usage: mt

Re: How to attach source code in a debug build(Win32 Visual C++)?

On 6/17/2010 10:10 PM, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of JC Yang Sent: Wednesday, 16 June, 2010 23:53 Hi, I'm new to openssl. I've just compiled openssl with Visual C++ 2008, I've read the installation guide and added the debug

Re: Up-to-date Tutorial

On 6/16/2010 12:10 PM, Dr. Stephen Henson wrote: Those for the bleeding egde development version are also available online too, see: http://www.openssl.org/docs/ the API doesn't change that much so those will be largely accurate for older versions of OpenSSL. The examples at the bottom of

Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 11:08 AM, Alona Rossen wrote: Building dynamic library on HP-UX fails despite I explicitly specify ‘shared’ as Configure argument: ./Configure hpux64-ia64-cc -D_REENTRANT shared Why are you adding -D for _REENTRANT? I did a very similar build last week, no such problems, would

Re: unable to build dynamic library on HP-UX RISC and Itanium

On 6/2/2010 4:04 PM, Alona Rossen wrote: This is a suggested configuration. -D stands for preprocessor define. The reason I ask is that the entries in Configure should provide the necessary defines, and if not, that is a bug. As it was 'suggested', we'll just presume things are fine w/w-o it.

Re: server side renegotiation

On 4/15/2010 12:42 PM, Adam Grossman wrote: hello, i had my code running on 0.9.8e without any issues. i upgraded to 0.9.8n, and now when my server initiates a renegotiation with the client (which is either IE or Firefox), SSL_renegotiation returns a 0. i understand from the CHANGELOG the

Re: ERROR LINK2019

On 4/13/2010 4:49 PM, 芦翔 wrote: Dear all, I am trying to add the security flavor to an application. To achieve this objective, I wrote the codes to establish a security tunnel between the server and the client with VC2008. When I build the whole project, there are tens of similar errors.

Re: does bio_get_mem_data handle unicode?

On 4/7/2010 12:33 PM, Ryan Pfeifle wrote: While we are on the subject of Unicode, there are other areas of OpenSSL that need Unicode support added, in particular handling of paths and filenames on UTF16-based filesystems that require wchar_t* parameters. For instance, on Windows, OpenSSL

Re: OpenSSL 1.0.0 and FIPS

On 3/30/2010 10:58 AM, Gatewood (Woody) Green wrote: I assume the 2010 limit on new validations is the impending finalization of 140-3. What you are thinking of won't be designated 140-3, it's not sequential, there is such a FIPS level already. Probably FIPS-{new}-2 or FIPS-140-2 2010 or

Re: OpenSSL 1.0.0 and FIPS

On 3/31/2010 4:21 PM, Gatewood (Woody) Green wrote: Actually, no 140-3 will be successor to 140-2 which is successor to 140-1. The hyphenated number is a release version. Woody, thanks for this clarification... You are trying to talk about FIPS 140-2, Level 3 certification in your

Re: FIPS linked as a shared library

On 1/18/2010 2:42 PM, Kyle Hamilton wrote: The way that the FIPS module verifies its signature is that it forces itself to load (via a pre-main() section) and then calculate the checksum of the image in-core. Probably the reason why you're running into issues is because of the fixup step of

Re: CryptoAPI calls failing in rand_win on Windows 7

James Baker wrote: The problem does occur with full admin privileges. To be 100% clear, this is full admin with no UAC? UAC will drop privilege of an app seemingly running as 'administrator'. __ OpenSSL Project

dmake vista 64 sp2

greetings: i'm trying to build openssl-0.9.8l according to these instructions. perl Configure VC-WIN64A ms\do_win64a nmake -f ms\ntdll.mak cd out32dll ..\ms\test i'm using dmake due to the incompatibility of nmake15 with vista 64. this is the error i am getting.

  1   2   >