Re: Adding cipher code

2002-04-28 Thread Lutz Jaenicke

On Fri, Apr 26, 2002 at 02:29:46PM +0700, Satria Bakti (13297096) wrote:
 I'm working on integrating new cipher suite in 0.9.7,
 and now I come to part where I have to put my block 
 algorithm code in crypto/ directory.
 
 Is there any guidelines/hints on how to put my cipher
 code there ? Code modification, header files, API, and
 things like that ?

I am not aware of any corresponding documentation.

You should probably have a look into the other implementations, like
des (openssl/des, openssl/evp/e_des.c), aes, idea...
It seems that the interface is not that large.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Lutz Jaenicke

On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
 `x509 -noout -text` prints inconsistent output.
 
 ... openssl x509 -noout -text -in old.pem | grep Issuer:
 Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
 ... openssl x509 -noout -text -in new.pem | grep Issuer:
 Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
 
 see the / that magically appears, instead of a , ?
 if found the place that does this magic and commented it out:
 
 ... openssl x509 -noout -text -in old.pem | grep Issuer:
 Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
 ... openssl x509 -noout -text -in new.pem | grep Issuer:
 Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
 
 it does it because the type emailAddress starts lower case!

Your analysis is technically correct. If the object name starts with
an uppercase letter, the '/' is replaced with ', '; otherwise it is
not.
However: the section you are essentially removing (by commenting out)
may be there for a reason. I have not used this functionality myself,
so I don't know why this distinction is made. Therefore I am reluctant
to touch it. Steve, could you kindly have a look into this?

 --- orig/openssl-SNAP-20020423/crypto/asn1/t_x509.c   Wed Feb 13 20:00:30 2002
 +++ openssl-SNAP-20020423/crypto/asn1/t_x509.cFri Apr 26 11:50:13 2002
 @@ -460,12 +461,12 @@
   for (;;)
   {
  #ifndef CHARSET_EBCDIC
 - if (((*s == '/') 
 + if (((*s == '/') /*
   ((s[1] = 'A')  (s[1] = 'Z')  (
   (s[2] == '=') ||
   ((s[2] = 'A')  (s[2] = 'Z') 
   (s[3] == '='))
 -  ))) ||
 +  ))*/) ||
   (*s == '\0'))
  #else
   if (((*s == '/') 
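
Review bot: the uppercase test is commented out only in the #ifndef CHARSET_EBCDIC branch; the #else branch, which starts at the last context line "if (((*s == '/')", is left unchanged, so EBCDIC builds would keep the old splitting and the two builds would print different strings for the same name. With the test disabled the condition reduces to (*s == '/') || (*s == '\0'), so a '/' that occurs inside an attribute value is also treated as a component boundary. If the output format is meant to change, remove the lines instead of wrapping them in a comment, make the same change in both branches, and document the new format for callers that read this string.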


Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



[STATUS] OpenSSL (Sun 28-Apr-2002)

2002-04-28 Thread OpenSSL Project


  OpenSSL STATUS   Last modified at
  __   $Date: 2002/04/26 08:28:28 $

  DEVELOPMENT STATE

o  OpenSSL 0.9.7:  Under development...
o  OpenSSL 0.9.6c: Released on December  21st, 2001
o  OpenSSL 0.9.6b: Released on July   9th, 2001
o  OpenSSL 0.9.6a: Released on April  5th, 2001
o  OpenSSL 0.9.6:  Released on September 24th, 2000
o  OpenSSL 0.9.5a: Released on April  1st, 2000
o  OpenSSL 0.9.5:  Released on February  28th, 2000
o  OpenSSL 0.9.4:  Released on August 09th, 1999
o  OpenSSL 0.9.3a: Released on May   29th, 1999
o  OpenSSL 0.9.3:  Released on May   25th, 1999
o  OpenSSL 0.9.2b: Released on March 22th, 1999
o  OpenSSL 0.9.1c: Released on December  23th, 1998

  RELEASE SHOWSTOPPERS

o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
  - BN_mod_mul verification (bc) fails for solaris64-sparcv9-cc
and other 64-bit platforms

Checked on                      Result
alpha-cc (Tru64 version 4.0)    works
linux-alpha+bwx-gcc             doesn't work. Reported by
                                Sean O'Riordain [EMAIL PROTECTED]
OpenBSD-sparc64                 doesn't work.  BN_mod_mul breaks.

Needs checked on
[add platforms here]

  - BN_mod_mul verification fails for mips3-sgi-irix
unless configured with no-asm

  AVAILABLE PATCHES

o 

  IN PROGRESS

o Steve is currently working on (in no particular order):
ASN1 code redesign, butchery, replacement.
OCSP
EVP cipher enhancement.
Enhanced certificate chain verification.
Private key, certificate and CRL API and implementation.
Developing and bugfixing PKCS#7 (S/MIME code).
Various X509 issues: character sets, certificate request extensions.
o Geoff and Richard are currently working on:
ENGINE (the new code that gives hardware support among others).
o Richard is currently working on:
UI (User Interface)
UTIL (a new set of library functions to support some higher level
  functionality that is currently missing).
Shared library support for VMS.
Kerberos 5 authentication
Constification
OCSP

  NEEDS PATCH

o  inappropriate AlgorithmIdentifier used in S/MIME signatures
   (key type instead of signature algorithm)

o  AES ciphersuites are not (yet) official and should not be enabled
   unless explicitly requested

o  apps/ca.c: Sign the certificate? - n creates empty certificate file

o  OpenSSL STATUS is never up-to-date.

  OPEN ISSUES

o  Do we want the EVP API changes in 0.9.7?
   Can compatibility be improved?

o  The Makefile hierarchy and build mechanism is still not a round thing:

   1. The config vs. Configure scripts
  It's the same nasty situation as for Apache with APACI vs.
  src/Configure. It confuses.
  Suggestion: Merge Configure and config into a single configure
  script with a Autoconf style interface ;-) and remove
  Configure and config. Or even let us use GNU Autoconf
  itself. Then we can avoid a lot of those platform checks
  which are currently in Configure.

o  Support for Shared Libraries has to be added at least
   for the major Unix platforms. The details we can rip from the stuff
   Ralf has done for the Apache src/Configure script. Ben wants the
   solution to be really simple.

   Status: Ralf will look how we can easily incorporate the
   compiler PIC and linker DSO flags from Apache
   into the OpenSSL Configure script.

   Ulf: +1 for using GNU autoconf and libtool (but not automake,
which apparently is not flexible enough to generate
libcrypto)

  WISHES

o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
   where the callback function can request that the function be aborted.
   [Gregory Stark [EMAIL PROTECTED], [EMAIL PROTECTED]]

o  SRP in TLS.
   [wished by:
Dj [EMAIL PROTECTED], Tom Wu [EMAIL PROTECTED],
Tom Holroyd [EMAIL PROTECTED]]

   See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
   as well as http://www-cs-students.stanford.edu/~tjw/srp/.

   Tom Holroyd tells us there is a SRP patch for OpenSSH at
   http://members.tripod.com/professor_tom/archives/, that could
   be useful.



Re: DH parameters from http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ike-modp-groups-04.txt return DH_NOT_SUITABLE_GENERATOR

2002-04-28 Thread Nils Larsch

Hi Ben,
[...]
 Note that RFC 2412 says: "Note that 2 is technically not a generator in
 the number theory sense, because it omits half of the possible residues
 mod P.  From a cryptographic viewpoint, this is a virtue.", which is
 precisely the type of generator I use for Lucre. To check for that, we
 check that: g^2 mod p != 1 and g^((p-1)/2) mod p == 1. We should perhaps
 revise the OpenSSL checks to do that. It should also be required that
 (p-1)/2 is prime, so that, too should be checked. Of course, this would
 break all existing satisfactory DH parameters. Hmmm.

I suggest DH_check() should only check whether p is a strong
prime ( p = 2 * q + 1, q prime ) and that g^2 != 1 mod p
( <=> g != -1,1 mod p ).

Nils
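
The check proposed in this message, next to the stricter subgroup test quoted from the earlier mail, as an added Python example (not part of the thread and not OpenSSL's DH_check()). The function names and problem codes are hypothetical, and the sample parameters are constructed toy values.

```python
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this witness proves n composite
    return True


def check_dh_params(p, g):
    """Return a list of problem codes; an empty list means the pair passes."""
    if p < 5 or not is_probable_prime(p):
        return ["p_not_prime"]
    problems = []
    if not is_probable_prime((p - 1) // 2):
        problems.append("p_not_safe_prime")  # p is not 2q + 1 with q prime
    gm = g % p
    # g^2 == 1 mod p exactly when g is 1 or -1 mod p. Rejecting 0 is an
    # extra sanity check added here, not part of the rule in the message.
    if gm == 0 or pow(gm, 2, p) == 1:
        problems.append("g_trivial")
    return problems


def generates_order_q_subgroup(p, g):
    """Stricter test from the quoted mail: g^2 != 1 and g^((p-1)/2) == 1."""
    return pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) == 1


# Constructed toy parameters, far too small for real use: 23 = 2*11 + 1.
if __name__ == "__main__":
    for p, g in [(23, 2), (23, 5), (23, 22), (29, 2)]:
        print(p, g, check_dh_params(p, g), generates_order_q_subgroup(p, g))
```

With p = 23, both g = 2 (order 11) and g = 5 (order 22) pass the relaxed rule, while only g = 2 passes the stricter subgroup test.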




Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Sun, 28 Apr 2002 19:59:33 +0200, Lutz Jaenicke [EMAIL PROTECTED] said:

Lutz.Jaenicke On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
Lutz.Jaenicke  `x509 -noout -text` prints inconsistent output.
Lutz.Jaenicke  
Lutz.Jaenicke  ... openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke  Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke  ... openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke  Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
Lutz.Jaenicke  
Lutz.Jaenicke  see the / that magically appears, instead of a , ?
Lutz.Jaenicke  if found the place that does this magic and commented it out:
Lutz.Jaenicke  
Lutz.Jaenicke  ... openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke  Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke  ... openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke  Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
Lutz.Jaenicke  
Lutz.Jaenicke  it does it because the type emailAddress starts lower case!
Lutz.Jaenicke 
Lutz.Jaenicke Your analysis is technically correct. If the object name is starting with
Lutz.Jaenicke an uppercase letter, the / is replaced with the , , otherwise it is
Lutz.Jaenicke not.

Note that with 0.9.7, 'openssl x509' comes with the new option
-nameopt, where you can choose from a number of formats.  They are
documented at http://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS

Lutz.Jaenicke However: the section you are essentially removing (by commenting out)
Lutz.Jaenicke may be there for a reason. I have not used this functionality myself,
Lutz.Jaenicke so I don't know why this distinction is made. Therefore I am reluctant
Lutz.Jaenicke to touch it. Steve, could you kindly have a look into this?

Yup, do not apply that patch.  That'll destroy compatibility for
applications that depend on this string format.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Dr S N Henson

Lutz Jaenicke wrote:
 
 On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
  `x509 -noout -text` prints inconsistent output.
 
  ... openssl x509 -noout -text -in old.pem | grep Issuer:
  Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
  ... openssl x509 -noout -text -in new.pem | grep Issuer:
  Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
 
  see the / that magically appears, instead of a , ?
  if found the place that does this magic and commented it out:
 
  ... openssl x509 -noout -text -in old.pem | grep Issuer:
  Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
  ... openssl x509 -noout -text -in new.pem | grep Issuer:
  Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
 
  it does it because the type emailAddress starts lower case!
 
 Your analysis is technically correct. If the object name is starting with
 an uppercase letter, the / is replaced with the , , otherwise it is
 not.
 However: the section you are essentially removing (by commenting out)
 may be there for a reason. I have not used this functionality myself,
 so I don't know why this distinction is made. Therefore I am reluctant
 to touch it. Steve, could you kindly have a look into this?
 

By default the code ultimately uses the old X509_NAME_print function to
display DNs. This results in the weirdness mentioned and all manner of
odd output if the DN contains things like BMPStrings.

X509_NAME_print is only retained for compatibility. Changing it might do
odd things if anyone parses or hashes its output for some reason: that
isn't advisable but something might.

If appropriate flags are passed to the X509_print_ex function then much
more sensible output is produced using the X509_NAME_print_ex function.
The -nameopt option can be used for this (see manual page): -nameopt
oneline is a good place to start.

I'd say that X509_NAME_print shouldn't be touched because new code
should call X509_NAME_print_ex().

However a new FAQ entry might be in order or possibly changing the
default display options so that the old behaviour is no longer the
default and adding a -nameopt old option is explicitly needed instead.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
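
The legacy separator rule discussed in this thread, re-implemented as an added Python example (not part of the thread and not OpenSSL's code), to show why output of the old printer is awkward to parse. Assumptions: the input is a "/type=value/..." one-line string, the comparisons in the quoted t_x509.c condition are >= 'A' and <= 'Z', and the function names, sample names and address are constructed.

```python
import re

# Legacy rule: a '/' is a separator only when it is followed by one or two
# uppercase ASCII letters and then '=' (assumed reading of the quoted hunk).
_LEGACY_SEP = re.compile(r"/(?=[A-Z]{1,2}=)")

# Constructed samples; the e-mail address is a placeholder.
SAMPLE = "/C=ES/O=Universidad de Cordoba/CN=AC UCO/emailAddress=ca@example.invalid"
SLASH_IN_VALUE = "/O=Example/OU=Dev/Ops/CN=host"


def _body(oneline):
    """Drop the leading slash, as the legacy printer does."""
    return oneline[1:] if oneline.startswith("/") else oneline


def legacy_print(oneline):
    """Render the name the way the legacy rule does."""
    return ", ".join(_LEGACY_SEP.split(_body(oneline)))


def patched_print(oneline):
    """Render with the uppercase test disabled: every '/' separates."""
    return ", ".join(_body(oneline).split("/"))


def ambiguous_components(oneline):
    """Components of the legacy rendering that still contain a '/'.

    A consumer cannot tell from the text alone whether such a '/' is part
    of a value or an unconverted separator before a lower-case type name.
    """
    return [c for c in _LEGACY_SEP.split(_body(oneline)) if "/" in c]


if __name__ == "__main__":
    for name in (SAMPLE, SLASH_IN_VALUE):
        print("legacy :", legacy_print(name))
        print("patched:", patched_print(name))
        print("unclear:", ambiguous_components(name))
```

The legacy rule leaves "/emailAddress=" unconverted, while splitting on every '/' breaks the value "Dev/Ops" into two components; neither string can be parsed back reliably, which is the case for the structured X509_NAME_print_ex() output recommended above.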



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Lutz Jaenicke

On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
 By default the code ultimately uses the old X509_NAME_print function to
 display DNs. This results in the weirdness mentioned and all manner of
 odd output if the DN contains things like BMPStrings.
 
 X509_NAME_print is only retained for compatibility. Changing it might do
 odd things if anyone parses or hashes its output for some reason: that
 isn't advisable but something might.
 
 If appropriate flags are passed to the X509_print_ex function then much
 more sensible output is produced using the X509_NAME_print_ex function.
 The -nameopt option can be used for this (see manual page): -nameopt
 oneline is a good place to start.
 
 I'd say that X509_NAME_print shouldn't be touched because new code
 should call X509_NAME_print_ex() 
 
 However a new FAQ entry might be in order or possibly changing the
 default display options so that the old behaviour is no longer the
 default and adding a -nameopt old option is explicitly needed instead.

-nameopt compat shall retain compatibility.
Hmm, make oneline the new default? Or rather leave it as is and just
add it to the FAQ. Robert Joop and Michael Bell, active in discussing
DN issues, are with the OpenCA project. It should be possible for them
to catch the problem by using an appropriate command line flag when
calling openssl x509.
With 0.9.7 we have traded compatibility in some cases. Applications linking
against OpenSSL can always check OPENSSL_VERSION. This is far more
difficult for applications externally calling OpenSSL's command line
tools...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



0.9.7 20020427 snapshot errors on Win32

2002-04-28 Thread Jeffrey Altman

cl /Fotmp32dll\s3_pkt.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5
/Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN
-DL_ENDIAN  -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll
-DOPENSSL_NO_IDEA -DZLIB -DOPENSSL_THREADS -DDSO_WIN32 -DKRB5_MIT -D_WINDLL -D_DLL
 -DOPENSSL_BUILD_SHLIBSSL -c .\ssl\s3_pkt.c
s3_pkt.c
.\ssl\s3_pkt.c(248) : error C2220: warning treated as error - no
object file generated
.\ssl\s3_pkt.c(248) : warning C4018: '!=' : signed/unsigned mismatch
.\ssl\s3_pkt.c(608) : warning C4018: '' : signed/unsigned mismatch

int vs unsigned int


--


cl /Fotmp32dll\ssl_cert.obj  -Iinc32 -Itmp32dll /MD /W3 /WX
/G5 /Ox /O2
/Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM 
-DRMD160_ASM /Fdout32dll
-DOPENSSL_NO_IDEA -DZLIB -DOPENSSL_THREADS -DDSO_WIN32 -DKRB5_MIT -D_WINDLL
-D_DLL  -DOPENSSL_BUILD_SHLIBSSL -c .\ssl\ssl_cert.c
ssl_cert.c
.\ssl\ssl_cert.c(828) : error C2065: 'd' : undeclared identifier
.\ssl\ssl_cert.c(828) : warning C4013: 'closedir' undefined; assuming
extern returning int

'd' does not exist in the Windows implementation

 
--

link /nologo /subsystem:console /machine:I386 /opt:ref
/out:out32dll\enginetest.exe @H:\DOCUME~1\jaltman\LOCALS~1\Temp\nmx03400.
cl /Fotmp32dll\ssltest.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5
/Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN
-DL_ENDIAN  -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll
-DOPENSSL_NO_IDEA -DZLIB -DOPENSSL_THREADS -DDSO_WIN32 -DKRB5_MIT  -c
.\ssl\ssltest.c
ssltest.c
.\ssl\ssltest.c(1058) : error C2220: warning treated as error - no
object file generated
.\ssl\ssltest.c(1058) : warning C4018: '' : signed/unsigned mismatch

 size_t != int

--

There is still an issue with 

  perl Configure VC-WIN32 no-idea --with-krb5-flavor=MIT zlib-dynamic

which produces in MINFO

 CFLAG=-DOPENSSL_SYSNAME_WIN32 -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS \
-DDSO_WIN32 -DKRB5_MIT -DOPENSSL_NO_IDEA

However, the CFLAG values are not imported into ms\nt*.mak when
ms\do_*.bat is executed.  The resulting .mak files need to be edited
by hand to include the flags

   -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -DDSO_WIN32 -DKRB5_MIT



 Jeffrey Altman * Sr.Software Designer  Kermit 95 1.1.21  available now!!!
 The Kermit Project @ Columbia University   SSH plus Telnet, FTP and HTTP
 http://www.kermit-project.org/ secured with Kerberos, SRP, and 
 [EMAIL PROTECTED]OpenSSL.



[no subject]

2002-04-28 Thread Dr. Najam Perwaiz



Please Remove my name from the list.