Resending: OpenSSL in an embedded environment

[Gregg Gibson]

I apoligize for sending this question again.  The email account I was using 
has proved to be too unreliable, so I have switched to a different account.

Has anyone had any experience with OpenSSL in an embedded environment? I'm 
trying to trim libcrypto.a and libssl.a down to a reasonable size for an 
embedded project. I've turned off all but the few ciphers that I need, and 
that only trimmed off about 200kB. (The ciphers that I kept are des, rsa, 
md5, and sha.) I'd like to get both of those libraries to be much smaller.  
Any suggestions?

_
Get your FREE download of MSN Explorer at http://explorer.msn.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

basic SSL

[Aengus McIntyre]

Hello all,

I am relatively new to SSL and am cuurenntly researching it for my project.
I am enquiring as to whether anyone would happen to know any useful links
which contain a simple working example , or indeed, has a simple appliction
of their own,   just to get me started.

If I could see an SSL apllication myself, I reckon the SSL documentation
would be much easier to comprehend.
Thanking you in advance for your replies.

Aengus



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

basic SSL

[Aengus McIntyre]

Hello all,

Ps - I am using JSP's connecting to a database on Tomcat .

Aengus



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Getting messages twice?

[Oliver Bode]

It is not only you who is getting everything twice. I thought it was just
me.

 I apoligize for sending this question again.  The email account I was
using
 has proved to be too unreliable, so I have switched to a different
account.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Resending: OpenSSL in an embedded environment

[Greg Stark]

No problem; Dr. Henson did attempt an answer to your question; see
(http://www.mail-archive.com/openssl-users@openssl.org/msg18489.html)


_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: Gregg Gibson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 30, 2001 8:59 AM
Subject: Resending: OpenSSL in an embedded environment


 I apoligize for sending this question again.  The email account I was
using
 has proved to be too unreliable, so I have switched to a different
account.

 Has anyone had any experience with OpenSSL in an embedded environment? I'm
 trying to trim libcrypto.a and libssl.a down to a reasonable size for an
 embedded project. I've turned off all but the few ciphers that I need, and
 that only trimmed off about 200kB. (The ciphers that I kept are des, rsa,
 md5, and sha.) I'd like to get both of those libraries to be much smaller.
 Any suggestions?

 _
 Get your FREE download of MSN Explorer at http://explorer.msn.com

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: non-blocking example for Net::SSLeay

[Eric Rescorla]

[EMAIL PROTECTED] writes:
 I'm trying to write a tiny SSL webserver.  It would really
 help to have an example of how to set up and use non-blocking
 SSL calls with a select statement or similar.  The problem
 here is implementing CGI: the CGI script wants normal I/O
 through normal file descriptiors, and I see that it's my
 job to do SSL_read and copy the result into that file
 descriptor, and copy output from the CGI script into SSL_write.
 
 I need to select() on the CGI processes output pipe, and the
 SSL input pipe, and service requests as they come in.
The sample code from my book on SSL includes a program that
uses select() on the terminal and on the SSL input pipe, which
is a pretty isomorphic problem. You can download it at:

http://www.rtfm.com/sslbook/examples/

 Does the underlying BIO interface mean if I do a fcntl
 O_NONBLOCK on the NS (network socket) that SSL will somehow
 figure that out? 
Yes. The errors bubble up the stack to the SSL library.

 Maybe a new call: SSL_select($ssl,$readfds,$writefds,$exceptfds,$timeout)
 what it might do internally is do a select on the ssl network
 socket read and the rest of the $readfs, but loop around and
 try again if the network socket read didn't complete a pending
 SSL_read? 
You could do this, but it would interfere with other pieces
of software that want to run the event loop (X programs, for
instance, often want to).

 Can  SSL writes not be similarly monitored,
 they can just be set as nonblocking?
The basic problem you're facing is that SSL reads and writes must
happen at record boundaries, so, for instance, just because there's
data on the pipe doesn't mean that an entire record is ready to read.
Your program really has to be prepared to handle the situation where
even though select() says things are ready, they're not.  There's
pretty extensive discussion of the details of using select() with
OpenSSL in Chapter 8 of my book, which also (of course) includes
extensive documentation of the aforementioned sample code.

-Ekr

[Eric Rescorla   [EMAIL PROTECTED]]
Author of SSL and TLS: Designing and Building Secure Systems
  http://www.rtfm.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Beginner Q: Did anyone try porting OpenSsl to Vxworks ?

[Prashant Kumar]

Hello Group,

Did anyone try porting OpenSsl to Vxworks platform ?.

Any success :),  jut to gain some confidence.


Regards,
Prashant.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Ocotillo PRNG

[Michael Wojcik]

 From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 27, 2001 6:58 PM

 On Fri, Apr 27, 2001 at 11:33:25AM -0700, Crosland, Jerel (Contract)
wrote:
  I'd like to use the Ocotillo
  PRNG with OpenSSL, but it is failing when I do the make test in the
  randtest module. Ocotillo creates a named pipe at /dev/urandom but if
  OpenSSL is treating it like a character device it may not work
correctly.

 As far as I have seen from the open() man-page, using a named pipe for
 this purpose is not very robust (it will fail for non-blocking behaviour:
 you cannot open a pipe for writing without a reading process, HP-UX 10.20)
 and I am not sure how this setup should work with several processes
 trying to read entropy at the same time.

For arrangements of this sort - a named pipe with a single long-running
producer (the daemon) and multiple consumers opening and reading from the
pipe unpredictably - the standard method is to have the producer open the
pipe with O_RDWR (ie. for both reading and writing).[1]

Though the producer never actually reads from the pipe, there is always at
least one process (the producer itself) that has it open for reading.  That
lets the open succeed and also prevents the producer from receiving SIGPIPE
or EPIPE (depending on the disposition of SIGPIPE) if all the consumers
close while it's writing.

Several processes trying to read from the pipe at the same time should work
fine for this application.  The reads will be interleaved unpredictably
(from the users' points of view), but that won't hurt anything.  If that
biases the data stream from the generator, then it's broken anyway.

That said, I can't think of anything to particularly recommend named pipes
over Unix-domain sockets for this application, except the create-and-open
race condition with SVR4 streams-based implementations of Unix-domain
sockets (which I noted in a message to openssl-users on 5 February).  Of
course that condition is easily handled with a loop in the producer when the
socket is being created.


[1] Stevens _UNP_ 2nd ed. vol. 2 says to open the pipe twice with two
separate open calls, once with O_RDONLY and once with O_WRONLY, on the
grounds that since pipes are half-duplex they should only be opened in one
direction on any given descriptor.  I don't know if this actually makes a
difference on any platform; it doesn't appear to on Solaris 2.6.  The Unix
Programming FAQ from comp.unix.programmer documents using O_RDWR with no
special cautions.

Michael Wojcik [EMAIL PROTECTED]
MERANT
Department of English, Miami University
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

pb in compil

[cdemaussion]

Hi,
Under Solaris 2.6, with gcc 2.95,
i have the following error during the compilation
whith (./Configure os/compiler:gcc, and make)
Could you help me?
:-(


#gcc -o openssl -DMONOLITH -I../include -DTHREADS
openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o  ca.o
pkcs7.o crl2p7.o crl.o  rsa.o rsautl.o dsa.o
dsaparam.o  x509.o genrsa.o gendsa.o s_server.o
s_client.o speed.o  s_time.o apps.o s_cb.o s_socket.o
app_rand.o version.o sess_id.o  ciphers.o nseq.o
pkcs12.o pkcs8.o spkac.o smime.o rand.o -L. -L..
-L../.. -L../../.. -L.. -lssl -L.. -lcrypto 
Undefined   first referenced
 symbol in file
socket  s_socket.o
gethostbyname   s_socket.o
accept  s_socket.o
binds_socket.o
setsockopt  s_socket.o
getservbyname   s_socket.o
gethostbyaddr   s_socket.o
getsockopt 
../libcrypto.a(b_sock.o)
shutdowns_server.o
listen  s_socket.o
connect s_socket.o
ld: fatal: Symbol referencing errors. No output
written to openssl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target
`openssl'
Current working directory
/user/tien/openssl-0.9.6/apps
*** Error code 1
make: Fatal error: Command failed for target `all'

Cdemo

 
__
ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
http://www.ifrance.com/_reloc/email.emailif


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: non-blocking example for Net::SSLeay

[Noel Burton-Krahn]

Hi M,

Here's a test program which negotiates an SSL connection and sends
data in a single process (no threads, all async IO).  

I've also included a patch for Net-SSLeay-1.06.  I had to add a few
macros to Net::SSLeay to support the async error returns.  I also
fixed the makefile to detect openssl.exe under Windows.

Hope it helps.

--Noel

 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: non-blocking example for Net::SSLeay
 Date: Sun, 29 Apr 2001 17:59:46 -0700 (PDT)
 
 
 I'm trying to write a tiny SSL webserver.  It would really
 help to have an example of how to set up and use non-blocking
 SSL calls with a select statement or similar.  The problem
 here is implementing CGI: the CGI script wants normal I/O
 through normal file descriptiors, and I see that it's my
 job to do SSL_read and copy the result into that file
 descriptor, and copy output from the CGI script into SSL_write.
 
 I need to select() on the CGI processes output pipe, and the
 SSL input pipe, and service requests as they come in.
 
 I'm writing this in perl, using Net::SSLeay.  I've patched
 the echo example code into my tiny webserver, so if I'm
 doing the SSL_reads and SSL_writes in the main process, it works,
 but of course, the cgi part fails miserably.
 
 Does the underlying BIO interface mean if I do a fcntl
 O_NONBLOCK on the NS (network socket) that SSL will somehow
 figure that out?   I don't see a BIO_set sort of thing
 to set nonblocking behavior for the BIO or SSL.   The
 docs are a bit sparse, here.
 
 Maybe a new call: SSL_select($ssl,$readfds,$writefds,$exceptfds,$timeout)
 what it might do internally is do a select on the ssl network
 socket read and the rest of the $readfs, but loop around and
 try again if the network socket read didn't complete a pending
 SSL_read?  Can  SSL writes not be similarly monitored,
 they can just be set as nonblocking?




#! /usr/bin/perl -w

use lib '../lib';
use Socket;
use QV::OS;
use Net::SSLeay qw(1.07 die_now die_if_ssl_error);
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

use strict;

sub ssl_ctx {
my($io) = @_;
my($ctx, $ssl);

$ctx = Net::SSLeay::CTX_new() or die_now(Failed to create SSL_CTX $!);
Net::SSLeay::CTX_set_options($ctx, Net::SSLeay::OP_ALL)
and die_if_ssl_error(CTX_set_options);
$ssl = Net::SSLeay::new($ctx) or die_now(Failed to create SSL $!);
Net::SSLeay::set_fd($ssl, fileno($io))
and die_if_ssl_error(set_fd);
return $ssl;
}

sub ssl_err_select {
my($ret, $ssl, $io, $sel_read, $sel_write) = @_;
my($i);
my($fileno) = fileno($io);

vec($$sel_read, $fileno, 1) = 0;
vec($$sel_write, $fileno, 1) = 0;

if( $ret  0 ) {
$i = Net::SSLeay::get_error($ssl, $ret);
if( $i == Net::SSLeay::ERROR_WANT_READ ) {

# debug
print(ERROR_WANT_READ: fileno= . fileno($io) . \n);

vec($$sel_read, $fileno, 1) = 1;
$ret = undef;
}
elsif( $i == Net::SSLeay::ERROR_WANT_WRITE ) {

# debug
print(ERROR_WANT_WRITE: fileno= . fileno($io) . \n);

vec($$sel_write, $fileno, 1) = 1;
$ret = undef;
}
}
return $ret;
}

#-
my($buf, $off);

$off = 0;
if( @ARGV || ! -t STDIN ) {
local($/) = undef;
$buf = ;
}
else {
$buf = Hello from Alice;
}


my($ssl_A, $connect_A, 
   $ssl_B, $accept_B,
   $rfds, $wfds, $sel_read, $sel_write,
   $s, $i, $x);

($a, $b) = QV::OS-socket_pair();
select($a); $|=1; 
select($b); $|=1; 
select(STDOUT);

QV::OS-io_nonblock($a, 1);
QV::OS-io_nonblock($b, 1);

# debug
print(fileno(A)=, fileno($a), \n);
print(fileno(B)=, fileno($b), \n);

$ssl_A = ssl_ctx($a);
#Net::SSLeay::set_connect_state($ssl_A);
Net::SSLeay::use_RSAPrivateKey_file($ssl_A, 'b-rsa.pem',
Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error(private key);
Net::SSLeay::use_certificate_file($ssl_A, 'b-cert.pem',
   Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error(certificate);


$ssl_B = ssl_ctx($b);
#Net::SSLeay::set_connect_state($ssl_B);
Net::SSLeay::use_RSAPrivateKey_file($ssl_B, 'b-rsa.pem',
Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error(private key);
Net::SSLeay::use_certificate_file($ssl_B, 'b-cert.pem',
   Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error(certificate);


$accept_B = $connect_A = undef;
$rfds = $wfds = '';
vec($rfds, fileno($a), 1) = 1;
vec($rfds, fileno($b), 1) = 1;
$sel_read = $sel_write = '';

while(1) {
if( vec($rfds, fileno($a), 1)
|| vec($wfds, fileno($a), 1) 
) {
if( !$connect_A ) {
$i = Net::SSLeay::connect($ssl_A);
$i = ssl_err_select($i, $ssl_A, $a, \$sel_read, \$sel_write);
if( !defined($i) ) {
# no error, just continue

RE: pb in compil

[Bill Browning]

try adding -lnsl and -lsocket to your link line.

Bill

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 30, 2001 9:22 AM
To: [EMAIL PROTECTED]
Subject: pb in compil


Hi,
Under Solaris 2.6, with gcc 2.95,
i have the following error during the compilation
whith (./Configure os/compiler:gcc, and make)
Could you help me?
:-(


#gcc -o openssl -DMONOLITH -I../include -DTHREADS
openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o  ca.o
pkcs7.o crl2p7.o crl.o  rsa.o rsautl.o dsa.o
dsaparam.o  x509.o genrsa.o gendsa.o s_server.o
s_client.o speed.o  s_time.o apps.o s_cb.o s_socket.o
app_rand.o version.o sess_id.o  ciphers.o nseq.o
pkcs12.o pkcs8.o spkac.o smime.o rand.o -L. -L..
-L../.. -L../../.. -L.. -lssl -L.. -lcrypto 
Undefined   first referenced
 symbol in file
socket  s_socket.o
gethostbyname   s_socket.o
accept  s_socket.o
binds_socket.o
setsockopt  s_socket.o
getservbyname   s_socket.o
gethostbyaddr   s_socket.o
getsockopt 
../libcrypto.a(b_sock.o)
shutdowns_server.o
listen  s_socket.o
connect s_socket.o
ld: fatal: Symbol referencing errors. No output
written to openssl
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target
`openssl'
Current working directory
/user/tien/openssl-0.9.6/apps
*** Error code 1
make: Fatal error: Command failed for target `all'

Cdemo

 

__
ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
http://www.ifrance.com/_reloc/email.emailif


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

BIO_set_callback

[George Lind]

Is the callback function that I set with BIO_set_callback only called during
the handshake?  I would like to trace not only the verification but all
SSL_read and SSL_write data that I send during a session.  If the callback
function is not called at these times how do you trace these calls?

Thanks,
George
  
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Windows Open SSL

[robert]

- Original Message -
From: Andrew W. Gray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 02, 2001 12:26 PM
Subject: Re: Windows  Open SSL


 ) The visual c++ way using the IDE.  I have used this approach
 nd was able to build/test/debug the tools.  Unfortunately, I can't
 emember where I got this project (named openssl.dsw and is in a folder
 amed msvc in the root openssl folder).  I don't see it in the standard
 elease.  I must have seen it referenced somewhere in the docs and chased
 t down.  Can anyone else help here?

 It's right where I left it ;-) at

 http://www.iconsinc.com/~agray/ossldev/

 I spoke with Ulf several monthes back and hopefully it will be
 integrated into 0.9.7

 Andrew

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Where are the low-level crypto functions implemented?

[Gila Sheftel]

Hi, 

Our purpose is to write an add-on to openSSL in order to interface it
safely and comprehensively with a smartcard.

My teammate and I have come a long way in understanding the high-level
cryptography structure -- where the methods are found, how to use them,
etc, but where we get stuck is the following:

for example, in openssl-0.9.6a/crypto/rsa/rsa.h the following methods
are mentioned:

int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to,
   RSA *rsa,int padding);
int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to,
   RSA *rsa,int padding);

And they are again mentioned in rsa_lib.c where

int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)

returns it, but that's all. Are we missing something? Where are all the
low-level methods defined? Are they system-native or protected or have I
overlooked something entirely?

I appreciate your help immensely,
(let alone how much I learn just from lurking on this list)
Gila. (Monstre) 
--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
Gila Monstre  [EMAIL PROTECTED] 
Fearless Geek(514)732-2459
Advanced Projects Group   Gemplus Software

If you can't beat your computer at chess, try kickboxing.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: basic SSL

[Hegde, Ramdas]

There are code examples in the openssl installation under the apps
directory.
If you need a more detailed example, you can check out Eric Rescorla's book
SSL and TLS. It has a complete chapter on coding and the code examples
from the book are available  at http://www.rtfm.com/sslbook/examples

Ramdas

-Original Message-
From: Aengus McIntyre [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 30, 2001 6:11 AM
To: [EMAIL PROTECTED]
Subject: basic SSL


Hello all,

I am relatively new to SSL and am cuurenntly researching it for my project.
I am enquiring as to whether anyone would happen to know any useful links
which contain a simple working example , or indeed, has a simple appliction
of their own,   just to get me started.

If I could see an SSL apllication myself, I reckon the SSL documentation
would be much easier to comprehend.
Thanking you in advance for your replies.

Aengus



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Problem compiling s_client and s_server

[robert]

- Original Message -
From: agray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, April 16, 2001 4:01 PM
Subject: Re: Problem compiling s_client and s_server


 Best bet:  You are linking against the incorrect c-runtime - use /MD
 (multithreaded dll)
 Menu: Project...Settings...c/C++ tabCategory: Code GenerationUse
 Runtime Library --- Multi-Threaded DLL

 Didn't you have to build apps.c as well for a standalone s_client.exe?

 You can also grab the developer studio workspace and all of the project
 files off of my homepage - the s_client (and all of the standalone apps)
 project has all of the correct settings (from compiler options to
 library resolution) applied.  http://www.iconsinc.com/~agray/ossldev/

 Andrew

 Marcus Carey wrote:
 
  Lutz
 
  I am using MS VC++ 6.0 on Windows 2000 to build the examples.
  app_rand.c
  s_cb.c
  s_client.c
  s_socket.c
 
  ssleay32.lib
  libeay32.lib
  rsaglue.lib
 
  The program compiled after adding app_rand.c to the build but I am
getting a
  s_client.exe - Application Error:  Memory could not be written when I
run
  the application.
 
  Marcus
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Where are the low-level crypto functions implemented?

[Kenneth R. Robinette]

Date sent:  Mon, 30 Apr 2001 18:01:22 -0400
From:   Gila Sheftel [EMAIL PROTECTED]
Organization:   Gemplus Inc.
To: [EMAIL PROTECTED]
Subject:Where are the low-level crypto functions implemented?
Send reply to:  [EMAIL PROTECTED]

Gila

The rsa structure contains a pointer to the low level functions, and in 
fact one of the defaults is the one you show below.  You can place 
your own function pointers in the rsa structure if you so desire.  In 
fact that is what I do to interface to the GemPLUS Smart Card with 
our software.  In our case, we have to be able to process both disk 
based as well as Smart Card based RSA keys, and this is where we 
do the intercept.  I am sure there are other/better ways using 
engines and methods, etc. but this is a quick simple way to do it, 
and still use all the other SSL/crypto support without having to have 
multiple libraries.

Ken

Hi, 

Our purpose is to write an add-on to openSSL in order to interface it
safely and comprehensively with a smartcard.

My teammate and I have come a long way in understanding the high-level
cryptography structure -- where the methods are found, how to use them,
etc, but where we get stuck is the following:

for example, in openssl-0.9.6a/crypto/rsa/rsa.h the following methods
are mentioned:

int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to,
   RSA *rsa,int padding);
int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to,
   RSA *rsa,int padding);

And they are again mentioned in rsa_lib.c where

int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to,
 RSA *rsa, int padding)

returns it, but that's all. Are we missing something? Where are all the
low-level methods defined? Are they system-native or protected or have I
overlooked something entirely?

I appreciate your help immensely,
(let alone how much I learn just from lurking on this list)
Gila. (Monstre) 
--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
Gila Monstre  [EMAIL PROTECTED] 
Fearless Geek(514)732-2459
Advanced Projects Group   Gemplus Software

If you can't beat your computer at chess, try kickboxing.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Where are the low-level crypto functions implemented?

[Dr S N Henson]

Gila Sheftel wrote:
 
 Hi,
 
 Our purpose is to write an add-on to openSSL in order to interface it
 safely and comprehensively with a smartcard.
 
 My teammate and I have come a long way in understanding the high-level
 cryptography structure -- where the methods are found, how to use them,
 etc, but where we get stuck is the following:
 
 for example, in openssl-0.9.6a/crypto/rsa/rsa.h the following methods
 are mentioned:
 
 int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to,
RSA *rsa,int padding);
 int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to,
RSA *rsa,int padding);
 
 And they are again mentioned in rsa_lib.c where
 
 int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to,
  RSA *rsa, int padding)
 
 returns it, but that's all. Are we missing something? Where are all the
 low-level methods defined? Are they system-native or protected or have I
 overlooked something entirely?
 

Hello,

My name is Stephen Henson, I'm one of the OpenSSL core developers who
works for Celo and thus Gemplus.

What kind of facilities does the smartcard provide? Does it do high
level PKCS#1 operations or just the raw 'private key operation'.

You can intercept both operations but how and where you do this depends
on exactly what you want to do.

Which particular Gemplus libraries are you using? I'm myself getting up
to speed on the Gemplus smart card side of things so maybe we could help
each other here.

One possible project I'm considering for OpenSSL would be to provide
support for smartcards (and thus Gemplus smartcards) in the core source
code. The current ENGINE architecture for OpenSSL should help with this
but I think it needs some additional support to make it as smart card
friendly as possible.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Where are the low-level crypto functions implemented?

[Dr S N Henson]

Oops, shouldn't have sent that to the list.

Reply-To: claims another victim :-)

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

error generating private key

[John Peters]

Hello, I'm trying to generate a private key for use with a thawte 
certificate (I just want to generate they keys, the actual certificate will 
be installed on another server to which I don't have telnet access)

The random files I used are located here:
/usr/local/etc/httpd/htdocs/fileskey

I keep getting this error after I enter the pass phrase:

OpenSSL genrsa -des3 -rand file1.txt:file2.txt:file3.txt -out
www.vitadvice.com
key 512260215 semi-random bytes loaded
Generating RSA private key, 512 bit long modulus
.
...
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Verify failure
10575:error:0906406D:PEM routines:DEF_CALLBACK:problems getting
password:pem_lib
..c:114:
10575:error:0906906F:PEM routines:PEM_ASN1_write_bio:read
key:pem_lib.c:366:
error in genrsa

---

I did everything as it says in the instructions.
But I must be doing something wrong...help is appreciated!

_
Get your FREE download of MSN Explorer at http://explorer.msn.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: does s_server accept PUT command?

[Patrick Li]

I developed a SSL client adapter program and need to get some tool to test
it out.
s_server is great as it supports HTTP GET but in order to complete my test,
I need a tool to support PUT as well.

I am thinking of doing a PUT (send a file to a server) and then a GET
(retrieve the same file from the server).  By comparing the file sent and
the file received, I know the sending and receiving big chuck of data are
working.

I don't have much of choices right? It is either I modify s_server to
support PUT or install mod_ssl.
Anyone has other idea?

Thanks
Patrick

- Original Message -
From: Richard Levitte - VMS Whacker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, April 29, 2001 11:52 PM
Subject: Re: does s_server accept PUT command?


 From: Patrick Li [EMAIL PROTECTED]

 pcwli Does the s_server only supports the GET HTTP command when
 pcwli running with -WWW option?  I tried with PUT HTTP command and it
 pcwli is not working.  I check the source code in apps/s_server and
 pcwli it does not have code to handle any HTTP command except GET.

 s_server is just a test tool!  If you want t full-blown HTTP server,
 use Apache with mod_ssl or something equally suitable.

 --
 Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
 Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
 Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
 Member of the OpenSSL development team: http://www.openssl.org/
 Software Engineer, Celo Communications: http://www.celocom.com/

 Unsolicited commercial email is subject to an archival fee of $400.
 See http://www.stacken.kth.se/~levitte/mail/ for more info.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

generating csr using public key?

[Sabyasachi Gupta]

Can it be done?
thanks
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

how to generate SSL keys??

[j.cooney1]

HiI am 
trying to find out how to generate a pair of SSL private and 
publickeys.I have installed openssl-0.9.6aand have searched 
the www.openssl.org FAQ 
section but to no avail. Someplaces I have looked say that the 
documentation can be found in either the"apps" or the "man" or the "doc" 
directories. Well, I don't appear to havean "apps" or a "doc" 
directory, and my "man" directory contains verydifficult, i.e. just about 
impossible, content to understand.I would really appreciate it if 
someone could take the time time to give me*detailed* instructions on how to 
do this. All the content on this subjectI have found so far is way too 
vague for me to be able to comprehend. Sorryif this is a drag for some 
of you, but we're not all experts!regards,john.ps I am 
running RedHat Linux 6.2 with Apache 
1.3.19