Re: Compiling OpenSSL shared libraries under HPUX 11.X - working
From: Chris Steinke [EMAIL PROTECTED]

cjs> From what we understand, HP-UX automatically binds the build directories
cjs> into the object for run time linking.  So by using the +cdp flag you can
cjs> get around this.  Syntax is: +cdp build path or old path:new path

Interesting!  However:

cjs>    -L/usr/local/src/openssl-0.9.6c \
cjs>    +cpd /usr/local/src/openssl-0.9.6c:/usr/local/ssl/lib \
cjs>
cjs> ..
cjs>
cjs> then...
cjs> hp[src/openssl-0.9.6c]$ make          -- Successful build
cjs> hp[src/openssl-0.9.6c]$ make test     --- All tests work fine
cjs> hp[src/openssl-0.9.6c]# make install

In that test above, if the test programs and the openssl application were linked against the shared library (something that's implemented in the current development of 0.9.7), exactly which shared libraries are they going to use, the ones in the current build library or previously installed ones?  And in the latter case, what happens if this is the first time OpenSSL is built on the system, i.e. there are no OpenSSL libraries in the installation directory?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Zero-Knowledge Test/crypto
I have been looking/reading about Zero-Knowledge Test (ZKT) protocols.  I am interested in a low overhead one-way function style crypto solution.  Do the SSL libraries supply such a thing?  If so, where can I read about it and learn how to use it?

Thanks in advance for looking at this.

Scott
porting openssl to vxworks sys/param.h missing
hello,

i am trying to port openssl-0.96b onto VxWorks.  i am facing the same problem of sys/param.h missing when trying to port bio.  can u tell me how u overcame the problem?

Thanks,
gkgodava

> Hi,
>
> Great.  Well, I started compiling the sources on VxWorks.  Most of the files I was able to compile, but I do get few errors like:
>
> when compiling s23_pkt.o
>   make: *** No rule to make target `sys\param.h', needed by `s23_pkt.o'.  Stop.
>
> and when compiling ssl_task.o
>   make: *** No rule to make target `iodef.h', needed by `ssl_task.o'.  Stop
>
> Can you pls help me get around these problems.  Is there an equivalent implementation in VxWorks 5.4 where I was trying on.
>
> The CFLAGS I used:
>   -U__WINNT -UWIN32 -U__WINNT__ -UWINNT -U__MINGW32__ -U_WIN32 -U__WIN32 -U__WIN32__ \
>   -U__WIN32 -mpentium -ansi -nostdinc -g -nostdlib -fno-builtin -fno-defer-pop -Wall \
>   -DRW_MULTI_THREAD -D_REENTRANT -I. -IC:/Tornado/target/h \
>   -Ic:/OpenSSL/openssl-engine-0.9.6/include -DCPU=SIMNT -DTERMIOS -DL_ENDIAN \
>   -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
>
> Any help is appreciated.
>
> Thanks,
> S.Rahul
RE: OpenSSL ported to VxWorks?
hello,

i am trying to port openssl-0.96b onto VxWorks.  i found the ftime and alarm functions missing in VxWorks.  does VxWorks have related functions for ftime and alarm?  if so can u tell me.

have u been successful in porting rand functions?  i am facing some problem as VxWorks doesn't have sys/un.h header.  can u tell me how to port rand functions.

i am also facing some problem with des too.  i am getting an error saying des_cbc_encrypt func is declared multiple times.  i looked into it but it was defined only once.  can u send me the make file for DES?

sending a copy of the Time_F function that is widely used in most of the crypto library.

    /* Time_F(): call once with START, then with STOP to get the elapsed
     * seconds.  With TIMES defined it measures CPU time with times()
     * (clock ticks / HZ); otherwise it measures wall-clock time with
     * ftime() at millisecond resolution. */
    #include <sys/types.h>
    #ifdef TIMES
    # include <sys/times.h>
    # include <unistd.h>
    # ifndef HZ   /* fallback when <sys/param.h> does not provide HZ */
    #  define HZ ((double)sysconf(_SC_CLK_TCK))
    # endif
    #else
    # include <sys/timeb.h>
    #endif

    #define START 0
    #define STOP  1

    double Time_F(int s)
    {
        double ret;
    #ifdef TIMES
        static struct tms tstart, tend;

        if (s == START) {
            times(&tstart);
            return 0;
        } else {
            times(&tend);
            ret = ((double)(tend.tms_utime - tstart.tms_utime)) / HZ;
            return (ret == 0.0) ? 1e-6 : ret;
        }
    #else /* !times() */
        static struct timeb tstart, tend;
        long i;

        if (s == START) {
            ftime(&tstart);
            return 0;
        } else {
            ftime(&tend);
            i = (long)tend.millitm - (long)tstart.millitm;
            ret = ((double)(tend.time - tstart.time)) + ((double)i) / 1000.0;
            return (ret == 0.0) ? 1e-6 : ret;
        }
    #endif
    }

Thanks,
gkgodava
Re: porting openssl to vxworks sys/param.h missing
From: ganesh kumar godavari [EMAIL PROTECTED]

ganesh_kumarg> Well, I started compiling the sources on VxWorks.  Most
ganesh_kumarg> of the files I was able to compile, but I do get few
ganesh_kumarg> errors like: when compiling s23_pkt.o
ganesh_kumarg> make: *** No rule to make target `sys\param.h', needed by `s23_pkt.o'.  Stop.

In e_os.h, define NO_SYS_PARAM_H.  Preferably wrapped in some kind of #ifdef of some macro.

ganesh_kumarg> and when compiling ssl_task.o

Don't try compiling that one.  It's VMS-specific.

-- 
Richard Levitte
SQL DB instead of index.txt
Hi list,

I am not a C coder!

A simple question, but not a least: instead of using the index.txt file as database of registered certificates, could it be possible to use a SQL database e.g. PostgreSQL as the engine version of openssl can with HSM e.g. nCipher

Regards
-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# e-fingerprint = 63:B0:7D:A1:23:BC:25:96:AE:B7:76:36:F3:07:1F:88
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .-
Re: Compiling OpenSSL shared libraries under HPUX 11.X - working
On Sun, Jan 27, 2002 at 09:16:37AM +0100, Richard Levitte - VMS Whacker wrote:
> cjs>    -L/usr/local/src/openssl-0.9.6c \
> cjs>    +cpd /usr/local/src/openssl-0.9.6c:/usr/local/ssl/lib \
> cjs>
> cjs> ..
> cjs>
> cjs> then...
> cjs> hp[src/openssl-0.9.6c]$ make          -- Successful build
> cjs> hp[src/openssl-0.9.6c]$ make test     --- All tests work fine
> cjs> hp[src/openssl-0.9.6c]# make install
>
> In that test above, if the test programs and the openssl application were linked against the shared library (something that's implemented in the current development of 0.9.7), exactly which shared libraries are they going to use, the ones in the current build library or previously installed ones?  And in the latter case, what happens if this is the first time OpenSSL is built on the system, i.e. there are no OpenSSL libraries in the installation directory?

We are in a conflict here:

* HP-UX records the absolute path to shared libraries when linking.  The usual technique is to re-link during make install.  Unfortunately this is not designed into OpenSSL's make install routines (yet?).  Every other technique is error prone.  If we use the +cdp technique, we probably cannot succeed in make test, as the libraries are not yet installed at their final destination.  If we don't use it, the openssl command line tool won't work as it would try to pick the shared libraries from the source path.  (Even worse: if there are older libraries already installed, we must make sure that these are not picked up during build stage and mess up everything.)  The most simple solution would be to build with a static openssl command line tool (see also next point).

* The build process for the shared libraries is not that much of a problem.  There is no need to build libssl.sl against libcrypto.sl, one can simply leave it out.  Applications link against -lssl -lcrypto anyway.  If you have a look into the 0.9.7 version of the build procedure, you will note that I made the appropriate change a long time ago.  Simply build the shared libs independent of each other and put them into their target destination upon install, that's it.

The only problem: in between the procedure was changed to build the openssl command line tool against the shared libraries, so probably 0.9.7 is currently broken as well.  Solution: build openssl against static libs _or_ we have to modify the install procedure such that openssl is relinked upon installation.

Best regards,
    Lutz

PS. I don't know whether I will have the time to look into it before Wednesday.
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: SQL DB instead of index.txt
From: Averroes [EMAIL PROTECTED]

a.averroes> A simple question, but not a least:
a.averroes> instead of using the index.txt file as database of
a.averroes> registered certificates, could it be possible to use a SQL
a.averroes> database e.g. PostgreSQL as the engine version of
a.averroes> openssl can with HSM e.g. nCipher

Currently no, but that's honestly a rather cool idea.  The reason that it wouldn't work right now is that the engine framework only has the functionality to retrieve keys or key handles from a HSM.  No storage capabilities and no certificates on HSM.

I don't know what the rest of the development team says about this, but I would for sure be interested into looking at implementing that kind of extension.  This won't happen for 0.9.7, however.  We already have a lot of new stuff coming with that release, so extensions like the above will have to wait 'til 0.9.8 or later.

-- 
Richard Levitte
Re: Compiling OpenSSL shared libraries under HPUX 11.X - working
From: Lutz Jaenicke [EMAIL PROTECTED]

Lutz.Jaenicke> The only problem: in between the procedure was
Lutz.Jaenicke> changed to build the openssl command line tool
Lutz.Jaenicke> against the shared libraries, so probably 0.9.7 is
Lutz.Jaenicke> currently broken as well.

I suspected something like that.

Lutz.Jaenicke> Solution: build openssl against static libs _or_ we
Lutz.Jaenicke> have to modify the install procedure such that
Lutz.Jaenicke> openssl is relinked upon installation.

I suggest the latter.

-- 
Richard Levitte
Re: SSL_read and poll
Tobias Rundström wrote:
> Hello OpenSSL people.
>
> Here is my problem.  I have abstracted my net_read and net_write functions so I don't have to worry about SSL in the main code.  This works fine, but the other day I ran into a problem where my server program didn't read the whole stream.  I think the problem is that I call poll() and the data has been buffered into the SSL context, any ideas?
>
> attached is my code...

Use SSL_pending(SSL*) to see if you have buffered data in the SSL state before calling poll!  Or make sure that chunksize is set to max size of an SSL record.

/Tony
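The SSL_pending() point Tony makes, as an added example that is not from the thread: a TLS record is decrypted as a unit, so bytes left over after a short SSL_read() sit inside the SSL object where poll() cannot see them. FakeSocket and SslConnection below are a constructed model of that behaviour (no real TLS is involved); on a real connection the check is SSL_pending(ssl) in C or ssl.SSLSocket.pending() in Python.

```python
from collections import deque


class FakeSocket:
    """Constructed stand-in for the kernel socket: a queue of whole TLS records."""

    def __init__(self, records):
        self.records = deque(records)

    def readable(self):
        """What poll(POLLIN) reports: is there an undelivered record?"""
        return bool(self.records)


class SslConnection:
    """Constructed model of an SSL object that buffers decrypted record data."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def pending(self):
        """SSL_pending(): decrypted bytes already held inside the SSL object."""
        return len(self.buf)

    def read(self, chunksize):
        """SSL_read(): pulls a record from the socket only when the buffer is empty."""
        if not self.buf:
            if not self.sock.readable():
                return b""  # a real call would block here
            self.buf = self.sock.records.popleft()
        out, self.buf = self.buf[:chunksize], self.buf[chunksize:]
        return out


def read_poll_only(conn, chunksize):
    """The loop from the question: trusts poll() alone and stops early."""
    got = b""
    while conn.sock.readable():  # poll() cannot see bytes buffered in the SSL object
        got += conn.read(chunksize)
    return got


def read_pending_aware(conn, chunksize):
    """Tony's fix: drain SSL_pending() before going back to poll()."""
    got = b""
    while conn.pending() or conn.sock.readable():
        got += conn.read(chunksize)
    return got


# Constructed input: two records, read with a chunksize smaller than a record.
RECORDS = [b"A" * 100, b"B" * 50]

if __name__ == "__main__":
    print(len(read_poll_only(SslConnection(FakeSocket(RECORDS)), 40)))      # 140
    print(len(read_pending_aware(SslConnection(FakeSocket(RECORDS)), 40)))  # 150
```

With chunksize 40 the poll-only loop leaves the last 10 bytes of the second record stranded in the SSL buffer, which is the symptom Tobias describes.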
Re: SQL DB instead of index.txt
Richard Levitte - VMS Whacker wrote:
> From: Averroes [EMAIL PROTECTED]
>
> a.averroes> A simple question, but not a least:
> a.averroes> instead of using the index.txt file as database of
> a.averroes> registered certificates, could it be possible to use a SQL
> a.averroes> database e.g. PostgreSQL as the engine version of
> a.averroes> openssl can with HSM e.g. nCipher
>
> Currently no, but that's honestly a rather cool idea.  The reason that it wouldn't work right now is that the engine framework only has the functionality to retrieve keys or key handles from a HSM.  No storage capabilities and no certificates on HSM.
>
> I don't know what the rest of the development team says about this, but I would for sure be interested into looking at implementing that kind of extension.

Yes I'd also be interested in doing this.  A general key certificate and CRL database API is something I've been looking at for a while but never completed, partly due to a few thorny issues but mainly due to being diverted onto something of higher priority.

If this could be usable as a replacement for the highly brain dead X509_LOOKUP stuff that would be great.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: unable to load Netscape SPKAC structure
You have extra ^M in the SPKAC.

----- Original Message -----
From: Bob Kupperstein [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, January 26, 2002 7:31 AM
Subject: unable to load Netscape SPKAC structure

> When I try to create a certificate with a Netscape SPKAC with the command:
>
>   openssl ca -spkac cert351.req -out / cert351.cer -days 365
>
> I get the following error:
>
>   unable to load Netscape SPKAC structure
>   15082:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:92:
>
> Running verify on the request, I get the same message.
>
> Any ideas what is wrong with my request?  Thanks.
>
> Here's what my request file looks like:
>
>   SPKAC=[base64 blob with embedded ^M characters, omitted here]
>   CN=fri608
>   emailAddress=bar
>   O=blue
>   OU=foo
>   L=burl
>   SP=ma
>   C=US
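Added example, not from the thread: a small Python check for the ^M problem named in the reply, run on a constructed request file (the SPKAC value is base64 of dummy bytes, not a real SignedPublicKeyAndChallenge). It locates stray carriage returns in the SPKAC= value, validates the base64 strictly the way NETSCAPE_SPKI_b64_decode would reject it, and rewrites the file with the value back on one line.

```python
import base64
import binascii
import re

FIELD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*=")  # 'SPKAC=', 'CN=', 'emailAddress=' ...


def check_spkac_value(value):
    """Return (ok, reason) for the text after 'SPKAC='."""
    if "\r" in value:
        return False, "carriage return (^M) at offset %d" % value.index("\r")
    try:
        base64.b64decode(value, validate=True)  # strict: any stray byte is an error
    except binascii.Error as exc:
        return False, "base64 decode error: %s" % exc
    return True, "ok"


def normalize_spkac_file(text):
    """Drop every carriage return and re-join a wrapped SPKAC= value onto one line.

    A line that does not start with 'name=' is taken as the continuation of
    the previous value, which is what a mailer or editor leaves behind when
    it wraps a long base64 line.  Returns the cleaned file text.
    """
    fields = []
    for line in text.replace("\r", "").split("\n"):
        line = line.strip()
        if not line:
            continue
        if FIELD_RE.match(line) or not fields:
            fields.append(line)
        else:
            fields[-1] += line
    return "\n".join(fields) + "\n"


def spkac_value(text):
    """Extract the SPKAC= value (first line only) from a request file."""
    for line in text.split("\n"):
        if line.startswith("SPKAC="):
            return line[len("SPKAC="):]
    raise ValueError("no SPKAC= line")


# Constructed request file: base64 of dummy bytes, wrapped and sprinkled
# with carriage returns like the broken one in the thread.
GOOD_B64 = base64.b64encode(b"constructed SPKAC payload, not a real SPKI").decode()
BROKEN_FILE = (
    "SPKAC=" + GOOD_B64[:20] + "\r\n" + GOOD_B64[20:40] + "\r" + GOOD_B64[40:]
    + "\r\nCN=fri608\r\nemailAddress=bar\r\nO=blue\r\nC=US\r\n"
)

if __name__ == "__main__":
    print(check_spkac_value(spkac_value(BROKEN_FILE)))                        # (False, ...)
    print(check_spkac_value(spkac_value(normalize_spkac_file(BROKEN_FILE))))  # (True, 'ok')
```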
RE: 0.9.7-dev ncipher bugfixes
vix> By the way, can someone explain me, how should one use those
vix> embed type keys?  I've read all the documentation, searched
vix> mailing lists and Internet, experimented quite a lot, but no
vix> success.  I get some strange error (invalid param or smth)
vix> from HWCryptoHook library whenever I try to load a key of
vix> type embed.  with-nfast -k keyname can load this key, but
vix> openssl fails.  Right now I'm using hwcrhk keys.

openssl loads *embed* keys using the PEM keys.  An embed key is encrypted private key material.  The encryption key (simplification) is either on the smartcard (when the key is card protected) or on the hardware module (for module protected keys).  Instead of loading them directly into OpenSSL you load the .pem key that is generated by KeySafe when you create an nCipher key.  This .pem key is in fact an alias to the key, it is not key material itself.

With OpenSSL apps you use the nCipher app with-nfast to load the embed keys and then execute your openssl application.  e.g.

  with-nfast ./yourapp

(prompts for passphrases follow)

At least, this is what we do.

Andy S.
Re: SQL DB instead of index.txt
> A simple question, but not a least: instead of using the index.txt file as database of registered certificates, could it be possible to use a SQL database e.g. PostgreSQL as the engine version of openssl can with HSM e.g. nCipher

My PKIX extensions to PostgreSQL 7.1.x provide native support for certificates, CRLs and key (PKCS8) objects.  It also supports PKCS7 encrypted objects.  The external representation is always PEM (with accessor functions to get most of the fields), the internal representation is ASN.1, and the data is TOASTable so you aren't bound by the usual 8k limitations.

The library is mostly glue between the PostgreSQL backend and the OpenSSL library.  The intention was provable consistency, not raw performance.  For instance, in the cert repository mentioned below I recommend a referential integrity check that requires the issuer of a cert also be in the database.

The latest version also has a simple Java JSP/servlet cert repository, with certificate authority and registration authority on the way.  It supports all of the search criteria recommended by Gutman, and besides the direct mode it can produce XML.  The goal is to use XML and XSLT to produce results in whatever format you want.

On the C side, it should be easy to create a wrapper library that uses ESQL/C (ecpg) to access the database.  Just use a host variable and the BIO routines that use memory buffers.  With ESQL/C, it would be easy to migrate to a different RDBMS if necessary.

Long term, it would be best to create an abstraction layer that would allow any backend to be used.  I can think of multiple common storage formats: text files, DBM files, LDAP, RDBMS.  But that's definitely not a 0.9.7 task!

libpkixpq is available at: http://www.dimensional.com/~bgiles/
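Added example, not part of OpenSSL and not bgiles' libpkixpq: loading an openssl ca index.txt into SQLite with only the standard library, on a constructed three-line index, to show the smallest version of the "SQL instead of index.txt" idea this thread discusses. The field layout is OpenSSL's own (status, expiry, revocation date with optional reason, serial, file name, subject DN); the table schema and the two queries are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample index.txt: one valid, one revoked and one expired entry.
SAMPLE_INDEX = (
    "V\t251231235959Z\t\t01\tunknown\t/C=US/O=Example/CN=www.example.test\n"
    "R\t251231235959Z\t240115120000Z,keyCompromise\t02\tunknown"
    "\t/C=US/O=Example/CN=old.example.test\n"
    "E\t200101000000Z\t\t03\tunknown\t/C=US/O=Example/CN=expired.example.test\n"
)


def parse_utctime(value):
    """YYMMDDHHMMSSZ (X.509 UTCTime, as written by openssl ca) -> aware datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    """Yield one dict per index.txt line.

    Fields are tab-separated: status (V/R/E), expiry, revocation date
    (empty unless revoked, with an optional ',reason'), hex serial,
    certificate file name ('unknown'), subject DN.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revocation, serial, filename, subject = line.split("\t")
        rev_date, _, reason = revocation.partition(",")
        yield {
            "serial": serial, "status": status, "filename": filename,
            "expiry": parse_utctime(expiry).isoformat(),
            "revoked": parse_utctime(rev_date).isoformat() if rev_date else None,
            "reason": reason or None, "subject": subject,
        }


def load_index(text):
    """Build an in-memory SQLite database from index.txt text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE certs (serial TEXT PRIMARY KEY, status TEXT, "
               "expiry TEXT, revoked TEXT, reason TEXT, filename TEXT, subject TEXT)")
    db.executemany("INSERT INTO certs VALUES (:serial, :status, :expiry, "
                   ":revoked, :reason, :filename, :subject)", parse_index(text))
    db.commit()
    return db


def revoked_serials(db):
    """What a CRL generator needs: serial and reason of every revoked cert."""
    return db.execute("SELECT serial, reason FROM certs WHERE status = 'R' "
                      "ORDER BY serial").fetchall()


def lookup_by_subject(db, cn):
    """(serial, status) of the cert whose subject CN matches, or None."""
    return db.execute("SELECT serial, status FROM certs WHERE subject LIKE ?",
                      ("%/CN=" + cn,)).fetchone()
```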
RE: 0.9.7-dev ncipher bugfixes
On Sun, 27 Jan 2002, Andy Schneider wrote:

> openssl loads *embed* keys using the PEM keys.  An embed key is encrypted private key material.  The encryption key (simplification) is either on the smartcard (when the key is card protected) or on the hardware module (for module protected keys).  Instead of loading them directly into OpenSSL you load the .pem key that is generated by KeySafe when you create an nCipher key.  This .pem key is in fact an alias to the key, it is not key material itself.
>
> With OpenSSL apps you use the nCipher app with-nfast to load the embed keys and then execute your openssl application.  e.g.
>
>   with-nfast ./yourapp
>
> (prompts for passphrases follow)

This is what documentation says, but I still need to pass something for key ID to HWCryptoHook_RSALoadKey().  Say, I create key as follows:

  $ generatekey --module 1 --slot 0 embed plainname=foo protect=token recovery=1 size=1024 type=rsa

now I have files foo.pem, foo_selfcert.pem and foo_req.pem and nfkminfo -k shows something like that:

  [vix@eebik vix]$ nfkminfo -k
  Key summary - 1 keys:
   AppName embed  Ident b6621954138bf0e41553115f2c402ed802c1bdb1

How do I load this key with openssl?  Operator card does not have a passphrase.

-v

-- 
Has anyone ever tasted an end?  Are they really bitter?