RE : Patch: cswift engine openssl-0.9.7c
Hello,

I see that you were able to solve the problem! ;) I hope our engine was able to help you. Nice analysis on your part in any case! ;)

However, this restriction comes from a 32-bit alignment problem in the chip and therefore in the driver, etc ... and I am not sure that your patch remains valid on 64-bit platforms (in particular with the little- and big-endian formats).

Regards,
Donnat Frederic
NetSecureOne
http://www.netsecureone.com

-Original Message-
From: Frédéric Giudicelli [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 11, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: Patch: cswift engine openssl-0.9.7c

Hi,

There is a problem with the cswift engine:
- in cswift_mod_exp_crt, it expects the length of dmp1 and dmq1 to be a multiple of 32, which is not always the case; the patch complements the data with '\0' until the length is a multiple of 32.
- in cswift_rand_bytes, it expects num to be a multiple of 32, which is not always the case; the patch makes sure the length passed to p_CSwift_SimpleRequest is always a multiple of 32, by optionally using an intermediate buffer.

These problems have been notified to Rainbow, which has been able to reproduce the problem. The patch has been validated by their support service.

Regards,
--
Frédéric Giudicelli
[EMAIL PROTECTED]
Tel : +33 (0)1 40 07 47 20
Fax : +33 (0)1 40 07 47 27
deny all - 5, rue Scribe - 75009 Paris - France
www.deny-all.com

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
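The intermediate-buffer approach described for cswift_rand_bytes, as an added example that is not the patch itself and not OpenSSL code. `dev_random_request`, `rand_bytes_any_len` and `scrub` are hypothetical names, and the unit is assumed to be 32 bytes (the message only says "a multiple of 32").

```c
#include <stddef.h>
#include <string.h>

#define REQ_UNIT 32  /* assumption: device serves only multiples of 32 bytes */

/* Hypothetical stand-in for the accelerator request: rejects any length
 * that is not a multiple of REQ_UNIT, otherwise fills out[0..len). */
static unsigned char dev_counter;
static int dev_random_request(unsigned char *out, size_t len)
{
    if (len == 0 || len % REQ_UNIT != 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = ++dev_counter;          /* constructed, predictable data */
    return 1;
}

/* Zero a buffer through a volatile pointer so the store is not optimised out. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Fill buf[0..num) for any num. Returns 1 on success, 0 on failure. */
int rand_bytes_any_len(unsigned char *buf, size_t num)
{
    size_t tail = num % REQ_UNIT;        /* bytes left after the aligned part */
    size_t whole = num - tail;           /* largest prefix the device accepts */
    unsigned char tmp[REQ_UNIT];
    int ok = 1;

    if (whole > 0 && !dev_random_request(buf, whole))
        return 0;
    if (tail > 0) {
        /* Never let the device write past the caller's buffer: fetch one
         * full unit into tmp and copy only the bytes that were asked for. */
        ok = dev_random_request(tmp, REQ_UNIT);
        if (ok)
            memcpy(buf + whole, tmp, tail);
        scrub(tmp, sizeof tmp);          /* unused random bytes must not linger */
    }
    return ok;
}

int main(void) { unsigned char b[70]; return !rand_bytes_any_len(b, sizeof b); }
```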
RE: engine vs non engine
Hi,

I think engine version can also support some card use for private key storage (IBM 4758). ;) An engine using PKCS11 interface is also in development if I'm right. ;)

In fact I would define engine like support for crypto redirection which would be crypto accelerator HSM or even new soft crypto library.

Fred

-Original Message-
From: Lynn Gazis [mailto:[EMAIL PROTECTED]]
Sent: Wed 11/27/2002 8:59 PM
To: '[EMAIL PROTECTED]'
Cc:
Subject: RE: engine vs non engine

openssl-engine-0.9.6a.tar.gz supports several cryptographic accelerator cards which openssl-0.9.6a does not support. Otherwise the two distributions are the same. Also, it would be better to use OpenSSL 0.9.6g than OpenSSL 0.9.6a, since there are some security holes that have been fixed since 0.9.6a.

And [EMAIL PROTECTED] is a better list for asking these kinds of questions, [EMAIL PROTECTED] is really for discussing the development of OpenSSL itself, rather than development of other applications which use OpenSSL.

Lynn Gazis
Rainbow Technologies

-Original Message-
From: Zvi Dubitzky [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 27, 2002 8:42 AM
To: [EMAIL PROTECTED]
Subject: engine vs non engine

Hi there

Can anybody tell what is the difference between openssl-engine-0.9.6a.tar.gz and openssl-0.9.6a.tar.gz

thanks
Zvi
IBM
RE: OpenSSL ENGINE, OpenCA MUSCLE
Hi Richard,

I have a question about PKCS#11 ENGINE, etc ...

As far as I can see some method like RSA_generate_key() are not available in RSA_Method structure, but RSA key generation can be provided by hardware even if key is not stored on it (for example). On the other hand, according to PKCS#11 standard if you generate a key pair using a PKCS#11 module you should keep the private one secret (no reading or export available from PKCS#11 module).

So I think that some method like RSA_generate_key() should be accessible from RSA_Method. Is there an update planned for this?

Regards
Fred
Fault tolerance
Hi all,

I'd like to know the better way to be fault tolerant when using a crypto accelerator through an engine. In fact, we want to redirect all crypto computations provided by our engine to soft ones when an error occurred in our engine.

In our crypto function, I try:
- catch the error
- alert for crypto accelerator error
- get first engine (should be openssl one)
- set all pointer from our engine to openssl soft (openssl engine)
- try again to perform the request operation (with openssl soft)

The only problem is when I want to set all the pointers from our engine to openssl soft. (I'd like to do it in the proper way)

I try:

    ENGINE *soft_openssl = ENGINE_get_first();
    ENGINE_set_default(soft_openssl, ENGINE_METHOD_ALL);

But this doesn't seem to work!

However something more badly coded works fine:

    ENGINE *soft_openssl = ENGINE_get_first();
    engine_zencod = *soft_openssl;
    /* engine_zencod is declared as follows
       static ENGINE engine_zencod = { "zencod", "ZENCOD hardware engine support", ... } ;
    */

Is there a better way? Should I use the ctrl function? I'm afraid that the upper application will not take care of resulting error and retry it in soft!

Thanks in advance
fred
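The catch / alert / switch / retry sequence listed in this post, modelled as an added example in plain C. It is not OpenSSL or zencod code: `struct method`, `engine_mod_exp`, `hw_healthy` and the other names are hypothetical, and a small modular exponentiation stands in for the accelerated operation.

```c
#include <stdio.h>

/* Hypothetical method table, standing in for the per-algorithm function
 * pointers an engine registers; none of these names are OpenSSL's. */
typedef int (*modexp_fn)(unsigned *r, unsigned b, unsigned e, unsigned m);
struct method { const char *name; modexp_fn mod_exp; };

static int hw_healthy = 1;               /* constructed fault switch */

static int soft_mod_exp(unsigned *r, unsigned b, unsigned e, unsigned m)
{
    unsigned long long acc, base;
    if (m == 0) return 0;                /* invalid modulus: report failure */
    acc = 1 % m; base = b % m;
    for (; e; e >>= 1) {                 /* square-and-multiply */
        if (e & 1) acc = acc * base % m;
        base = base * base % m;
    }
    *r = (unsigned)acc;
    return 1;
}

static int hw_mod_exp(unsigned *r, unsigned b, unsigned e, unsigned m)
{
    if (!hw_healthy) return 0;           /* simulated device error */
    return soft_mod_exp(r, b, e, m);     /* demo: same maths "on the card" */
}

static const struct method soft = { "software", soft_mod_exp };
static const struct method hw = { "accelerator", hw_mod_exp };
static const struct method *active = &hw;
static int fallback_events;

/* Entry point the application calls. On a device error: record the event,
 * switch the active table to software, and redo the whole operation. */
int engine_mod_exp(unsigned *r, unsigned b, unsigned e, unsigned m)
{
    unsigned out = 0;                    /* caller's *r is set only on success */
    if (active->mod_exp(&out, b, e, m)) { *r = out; return 1; }
    if (active == &soft) return 0;       /* software failed too: give up */
    fallback_events++;
    fprintf(stderr, "alert: %s failed, switching to %s\n", hw.name, soft.name);
    active = &soft;                      /* latch: later calls skip the card */
    if (!soft.mod_exp(&out, b, e, m)) return 0;
    *r = out;
    return 1;
}

int main(void) { unsigned r; hw_healthy = 0; return !engine_mod_exp(&r, 4, 13, 497); }
```

A fallback of this kind only applies when the key material is available to the software path; it cannot cover keys that exist only inside the hardware.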
RE: Apache 2.0.40 and OpenSSL 0.9.7 beta - No Joy
Yep you're right!

In fact there is a conflict between DES crypt and the one from unistd.h. To solve this problem you can disable OLD DES support using flag OPENSSL_DISABLE_OLD_DES_SUPPORT. (That was my problem with openssl-0.9.7, and apache 1.3.x)

For example before config you can type:

    [root]:# export CFLAGS=-DOPENSSL_DISABLE_OLD_DES_SUPPORT

Hope this will help.

Fred

-Original Message-
From: David Tonhofer, m-plify S.A. [mailto:[EMAIL PROTECTED]]
Sent: Mon 09/16/2002 6:15 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc:
Subject: Apache 2.0.40 and OpenSSL 0.9.7 beta - No Joy

Anyone else encountered this problem?

When compiling Apache 2.0.40 with OpenSSL 0.9.7 beta (...under Red Hat 7.3 ...with gcc version 2.96 2731 (Red Hat Linux 7.3 2.96-110), but apparently also with gcc 3.2) one encounters a compilation error (has also been described in a posting to mailing.unix.modssl-users by [EMAIL PROTECTED] on Sat, 14 Sep 2002 17:38:00 +):

When compiling mod_ssl.c:

    In file included from mod_ssl.h:140,
                     from mod_ssl.c:60:
    /usr/include/unistd.h:946: parse error before `('
    /usr/include/unistd.h:946: parse error before `__const'

Looks like the declaration of 'crypt' at that place causes some problem.

Compilation WORKS if one uses OpenSSL 0.9.6g (so I downgraded...)

Also tested with Apache 2.0.39, same error

Best regards,
-- David Tonhofer
m-plify.com
Undefined symbol in 0.9.7beta2 and 0.9.8-dev
Hi all,

I find an error using Konqueror Web Browser:

    undefined symbol: OpenSSL_add_all_algorithms

I have a look at symbol using objdump -T, OpenSSL_add_all_algorithms was not present. It was in openssl-0.9.6x? Is this normal? Or evolution due to evp?

Regards
Fred
Rand in 0.9.7-beta2
Hi all,

I encounter some problem using random ENGINE. In fact when using openssl rand .. I see that rand stuff is made on my crypto accelerator, but when using openssl s_client ... if I want to redirect rand stuff on crypto accelerator I have to edit /apps/s_client.c and add

    e = setup_engine(bio_err, engine_id, 1);

just after option checking and before any RAND_xx function call. (like for rand stuff in /apps/rand.c)

Is there something wrong in ENGINE or is this a normal behavior? Because it seems that once rand default has been set it's impossible to change it in order to use ENGINE...

Any idea?

Regards
Fred
RE: Name space collision
Hi Tom

You say that you were loading openssl based modules under iplanet. Are you talking about gpkcs11 stored on www.sourceforge.net ? Could you tell me more about this ? What are these modules ? Are they free ? Where could I find them if they are free ?

Thanks in advance
Fred

-Original Message-
From: Tom Wu [mailto:[EMAIL PROTECTED]]
Sent: Fri 04/05/2002 6:25 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: Name space collision

Steven Bade wrote:

We've created in the openCryptoki project a software token which uses openSSL's crypto routines... When running under the iplanet regression test suite we get a core dump in the key generation code... Tracing it down, the crash occurs in the SHA1_Update... one of the community members as a test changed the calls in the openSSL code to SHA1_Update to be FOO_SHA1_Update. Any of the more experienced openSSL developers out there have any suggestions of things we may try with regard to linker options or other ideas that we could do to address this collision (I doubt that I'm going to be able to get netscape to change their function names :)

We encountered the same problem here when loading OpenSSL-based modules under iPlanet or the Netscape browser. Our solution was to add macros to the OpenSSL includes to remap the offending symbols to avoid conflicts. We also added placeholders for the old function names that called the remapped functions to ensure that our library binaries were still binary and source-compatible with unmodified OpenSSL libraries.

thanks for your help...

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
The Borg? Sounds Swedish...
Question about ENGINE integration
Hi All,

I submitted an ENGINE last week and I have no answer or news about this. So, I have a few questions.

1) Has someone news about this submission or integration in next release? Is zencod ENGINE too badly coded? Should we provide any card for testing?

2) How can we maintain our source code (even other ENGINE vendor source code, as for new error feature)? How can we help on ENGINE or OpenSSL stuff?

PS: Sorry for my poor English!

Best regards
Fred
zencod ENGINE for OpenSSL-SNAP-0.9.7-20020214
Hi all,

My company (zencod) has developed a crypto accelerator which should provide:
- asymmetric computations: RSA, DSA, DH
- random generation
- digest functions: SHA1, MD5
- cipher operations: DES, RC4

So we have coded an ENGINE which should fit OpenSSL ENGINE features. The development has been made under Linux OS, Mdk-8.0 with:
gcc-2.96-0.48mdk
gcc version 2.96 2731 (Linux-Mandrake 8.0 2.96-0.48mdk)
glibc-2.2.2-4mdk

As you announce a new release, we would like to be part of it, so we send you our source code.

I join an archive including:

our zencod ENGINE source code:
- /crypto/engine/hw_zencod.c
- /crypto/engine/hw_zencod_err.h
- /crypto/engine/hw_zencod_err.c
- /crypto/engine/vendor_defns/hw_zencod.h

a diff file for:
- /crypto/engine/Makefile.ssl
- /crypto/engine/engine.h
- /crypto/engine/eng_all.c

We have tested the ENGINE using our own test files which are cloned from OpenSSL test files. For each algorithm, we have used the test file corresponding with some modification to call our engine. (If you want the source file, just ask for it). We also have tested it using speed functionality, and we succeeded in calling the ENGINE from Apache Web Server through mod-ssl module.

I hope you won't find it too badly coded.

Best regards
Fred

Donnat Frederic
RD Engineer
ZENCOD
www.zencod.com
Zencod engine for 0.9.7
Hi all,

We have developed an engine for our crypto accelerator Zenssl32.
Symmetric operation: RSA, DSA, DH
Random
Digest: MD5 SHA1
Cipher: DES, RC4 (based on evp)

We have some patch for OpenSSL-engine-0.9.6x (asymmetric and random). We are actually finishing tests. We'd like to send it to the community before the end of the week, to have a chance to appear in the next release.

So what should we do to be in the next release 0.9.7 (What are the steps to follow ?). Should we send the code in this mailing list?

Thanks in advance.
Fred