a problem while port openssl to mips64 platform

2007-04-10 Thread shuang chen

Hi Maillist

I met a problem while porting openssl from Linux PC to mips64 platform, the
openssl version is 0.9.7i

I use openssl to verify a signature(x509), openssl prompt the error
info *unhandled
critical extension* on mips64 platform

But this operation was ok on Linux Pc, I think this may caused by
some compile problem, but I havn't any clue,

is there any patch I need add, any specail complie option, or flag

Is there anyone can give some suggestion about this problem, thanks a lot



the detail info is below

I use xmlsec lib's cmd-line application like following way, I'm not clear
what's *unhandled critical extension *mean,

can you give me some info about this,
**


# ./xmlsec1 --verify --id-attr:Id LicenceData --store-signatures
--enable-visa3d-hack --trusted-pem root.crt --X509-skip-strict-checks
D0185601.XML
func=xmlSecOpenSSLX509StoreVerify:file=
x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:cryptolibrary
function failed:subj=/C=FI/O=Nokia/CN=Nokia NET Licence Generator
ILG;err=34;msg=*unhandled critical extension*
func=xmlSecOpenSSLX509StoreVerify:file=
x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificateverification
failed:err=34;msg=unhandled critical extension
func=xmlSecKeysMngrGetKey:file=
keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlseclibrary
function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=
xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=
xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlseclibrary
function failed:
func=xmlSecDSigCtxVerify:file=
xmldsig.c:line=366:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlseclibrary
function failed:
Error: signature failed
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
= VERIFICATION CONTEXT
== Status: unknown
== flags: 0x0018
== flags2: 0x
== Id: "licRAN1001LK-pkisig-1"
== Key Info Read Ctx:
= KEY INFO READ CONTEXT
== flags: 0x4000
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: rsa
 keyType: 0x0001
 keyUsage: 0x0002
 keyBitsSize: 0
=== list size: 0
== Key Info Write Ctx:
= KEY INFO WRITE CONTEXT
== flags: 0x
== flags2: 0x
== enabled key data: all
== RetrievalMethod level (cur/max): 0/1
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
== EncryptedKey level (cur/max): 0/1
=== KeyReq:
 keyId: NULL
 keyType: 0x0001
 keyUsage: 0x
 keyBitsSize: 0
=== list size: 0
== Signature Transform Ctx:
== TRANSFORMS CTX (status=0)
== flags: 0x
== flags2: 0x
== enabled transforms: all
=== uri: NULL
=== uri xpointer expr: NULL
=== Transform: c14n-with-comments (href=
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
=== Transform: membuf-transform (href=NULL)
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== Signature Method:
=== Transform: rsa-sha1 (href=http://www.w3.org/2000/09/xmldsig#rsa-sha1)
== SignedInfo References List:
=== list size: 1
= REFERENCE VERIFICATION CONTEXT
== Status: succeeded
== URI: "#licRAN1001LK"
== Reference Transform Ctx:
== TRANSFORMS CTX (status=2)
== flags: 0x0001
== flags2: 0x
== enabled transforms: all
=== uri:
=== uri xpointer expr: #licRAN1001LK
=== Transform: Visa3DHackTransform (href=NULL)
=== Transform: c14n-with-comments (href=
http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments)
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
=== Transform: membuf-transform (href=NULL)
== Digest Method:
=== Transform: sha1 (href=http://www.w3.org/2000/09/xmldsig#sha1)
== Manifest References List:
=== list size: 0
Error: failed to verify file "D0185601.XML"
**
**


0.9.8e changes BF cfb encryption

2007-04-10 Thread Valient Gough

My previous mail doesn't seem to have appeared on the list, so sending
again:


Hello,

As the maintainer of a package which uses OpenSSL, I've received some
reports
of 0.9.8e failing to decrypt data which was encrypted by previous versions
of
OpenSSL.

Attached is a small bit of C++ code which demonstrates the problem.  It uses

the EVP interface with EVP_bf_cfb as the cipher and a 256 bit key (the
reports all point to Blowfish with key length > 128 bits).  What it does is
set a key, an IV, and run an encryption pass, then a decryption and compute
checksums of the three arrays (original, encrypted, decrypted).

When built against 0.9.8c, I get:
ort:tmp> g++ -Wall -g -o ssltest ssltest.cpp -lssl -lcrypto -lz
ort:tmp> ./ssltest
src chksum = 698614540
stage2 chksum = 2266501868
final chksum = 698614540

Another machine with 0.9.7a gives an identical result.  On a machine I
upgraded to 0.9.8e, I get the following output:

src chksum = 698614540
stage2 chksum = 2108297998
final chksum = 698614540


"stage2" is the encrypted data, and it differs on 0.9.8e.  What this means
in
practice is that the program I'm using can encrypt/decrypt data just fine
when run in either version of OpenSSL, but if data is encrypted in an
earlier
version and then OpenSSL is upgraded to 0.9.8e, then decryption fails.

The nearest I've narrowed down is to something changing between 0.9.8c and
0.9.8e, but I've received reports that 0.9.8d -> 0.9.8e also fails.  I've
been looking at the diffs between 0.9.8d -> 0.9.8e, but I'm not seeing any
obvious problem.  Reports are that only Blowfish with key > 128 bits has a
problem, and AES users are not affected.

Any ideas what's wrong, and if there's a way to get 0.9.8e output to match
earlier versions?

regards,
Valient

/*
Build using:

g++ -g -o ssltest ssltest.cpp -lssl -lcrypto -lz

*/

#include 
#include 
#include 
#include 


int main()
{
const int keySize = 32; // 256 bit key
unsigned char keyBytes[keySize];

const EVP_CIPHER *cipher = EVP_bf_cfb();
EVP_CIPHER_CTX stream_enc;
EVP_CIPHER_CTX stream_dec;

// init key to known value
for(int i=0; i stage2, then decode state2 -> final
const int size = 40;
unsigned char src[size];
unsigned char stage2[size];
unsigned char final[size];

for(int i=0; i

howto generate RSA key from components?

2007-04-10 Thread Iain Pople

Hi,

I am trying to replace a legacy system with openssl. The legacy system 
used RSA keys but stored them in its own format. I can extract the RSA 
components but I'm not sure how to generate a PEM formatted RSA key. 
What is the easiest way to do this? Can the command line tools do it, or 
do I need to use the API?


thanks, Iain.

--
Iain Pople
Systems Interface Technical Lead
University of Melbourne
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


SSL error (138): cipher or hash unavailable

2007-04-10 Thread Johans Taboada

Hi list, I ask for help please.

I have an apache server (2.0.59) built with OpenSSL 0.9.8b, it hosts a
python (2.4.4) based application (Edgewall's trac) wich access a PostgreSQL
SSL-secured server (8.2.3) throught DBI libraries (pyPgSQL/Psycopg2).

When I use directly trac (it has a lightweight server, tracd), it works with
no problems.

But when I use it throught apache2+mod_python, apache shows HTTP 500:

{{{
# error_log, using pyPgSQL
[Thu Apr 05 19:25:43 2007] [error] [client 192.168.2.52]
DatabaseError: SSL error: cipher or hash unavailable\n
[Thu Apr 05 19:25:43 2007] [debug] ssl_engine_kernel.c(1787): OpenSSL:
Write: SSL negotiation finished successfully
[Thu Apr 05 19:25:43 2007] [info] Connection to child 4 closed with
standard shutdown(server PCDCOM:443, client 192.168.2.52)
}}}

{{{
# error_log, using Psycopg2
[Mon Apr 09 22:03:32 2007] [error] [client 192.168.2.52]
OperationalError: SSL error: cipher or hash unavailable\n
[Mon Apr 09 22:03:33 2007] [debug] ssl_engine_kernel.c(1787): OpenSSL:
Write: SSL negotiation finished successfully
[Mon Apr 09 22:03:33 2007] [info] Connection to child 1 closed with
standard shutdown(server PCDCOM:443, client 192.168.2.52)
}}}

What does it really mean '''cipher or hash unavailable'''? (SSL Error
#138,SSL_R_CIPHER_OR_HASH_UNAVAILABLE).
The only thing I can guess is that ''apache2+mod_python'' (client-app role)
fails to access PostgreSQL+SSL (server role). Must be a missconfiguration in
apache2.


How do I configure Apache2 properly, to act as a SSL client, I have no
problem acting as SSL server role.

For a more detailed info, visit:
http://groups.google.com/group/trac-users/browse_thread/thread/901ef327b448b496?hl=en

Thanks,
Johans Marvin Taboada Villca


retrieve policy constraints

2007-04-10 Thread Bin Lu

Hi,

I need to retrieve the "requireExplicitPolicy" value from a policy
constaints extension. The version of openssl that I am using is old
and does not seem to support policy constaint. What is the right way
to retrieve the value of that attribute from ASN1_OCTET_STRING* within
the X509_EXTENSION object?

Thanks a lot,
Wenwu Lu
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Maximo Migliari

My perl was broken.  I recompiled it and now everything works.  Thanks for
the help.

On 4/10/07, Ricardo Stella <[EMAIL PROTECTED]> wrote:




Maximo Migliari wrote:
> Dear users,
>
> I'm having problems installing openssl-0.9.8b on RedHat Enterprise,
> kernel 2.6.9-11.ELsmp
>
> When I type: ./config I get the following output:
>
> --
> # ./config
> Operating system: i686-whatever-linux2
> Configuring for linux-elf
> Configuring for linux-elf
> no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
> no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
> no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
> no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
> no-shared   [default]
> no-zlib [default]
> no-zlib-dynamic [default]
> IsMK1MF=0
> CC=gcc
> CFLAG =-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomSSL_IA32_SSE2 -DSHA1_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM
> EX_LIBS   =-ldl
> CPUID_OBJ =x86cpuid-elf.o
> BN_ASM=bn86-elf.o co86-elf.o
> DES_ENC   =dx86-elf.o yx86-elf.o
> AES_ASM_OBJ   =ax86-elf.o
> BF_ENC=bx86-elf.o
> CAST_ENC  =cx86-elf.o
> RC4_ENC   =rx86-elf.o
> RC5_ENC   =r586-elf.o
> MD5_OBJ_ASM   =mx86-elf.o
> SHA1_OBJ_ASM  =sx86-elf.o s512sse2-elf.o
> RMD160_OBJ_ASM=rm86-elf.o
> PROCESSOR =
> RANLIB=/usr/bin/ranlib
> ARFLAGS   =
> PERL  =/usr/local/bin/perl
> THIRTY_TWO_BIT mode
> DES_PTR used
> DES_RISC1 used
> DES_UNROLL used
> BN_LLONG mode
> RC4_INDEX mode
> RC4_CHUNK is undefined
> Undefined subroutine &main::getcwd called at ./util/mklink.pl line 24.
> make: *** [links] Error 255
> 
>
> This is very strange, I tried looking in Google and Yahoo but could
> find absolutely nothing.
>
> Please help!

No errors at all with this options under RHEL4-AS-U4 32bit or 64bit, for
at least versions 0.9.8c and 0.9.8e

./config -fPIC shared no-idea threads
make depend
make
make test
make install

Hope this helps...

--

°(((=((===°°°(((===






--
Diretor
Gradua Networks Informática Ltda.
cel: 8154-
tel: 3202-5023 ou 3202-5024 (ramal 23)
[EMAIL PROTECTED]


Re: Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Ricardo Stella


Maximo Migliari wrote:
> Dear users,
>
> I'm having problems installing openssl-0.9.8b on RedHat Enterprise,
> kernel 2.6.9-11.ELsmp
>
> When I type: ./config I get the following output:
>
> --
> # ./config
> Operating system: i686-whatever-linux2
> Configuring for linux-elf
> Configuring for linux-elf
> no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
> no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
> no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
> no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
> no-shared   [default]
> no-zlib [default]
> no-zlib-dynamic [default]
> IsMK1MF=0
> CC=gcc
> CFLAG =-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomSSL_IA32_SSE2 -DSHA1_ASM
> -DMD5_ASM -DRMD160_ASM -DAES_ASM
> EX_LIBS   =-ldl
> CPUID_OBJ =x86cpuid-elf.o
> BN_ASM=bn86-elf.o co86-elf.o
> DES_ENC   =dx86-elf.o yx86-elf.o
> AES_ASM_OBJ   =ax86-elf.o
> BF_ENC=bx86-elf.o
> CAST_ENC  =cx86-elf.o
> RC4_ENC   =rx86-elf.o
> RC5_ENC   =r586-elf.o
> MD5_OBJ_ASM   =mx86-elf.o
> SHA1_OBJ_ASM  =sx86-elf.o s512sse2-elf.o
> RMD160_OBJ_ASM=rm86-elf.o
> PROCESSOR =
> RANLIB=/usr/bin/ranlib
> ARFLAGS   =
> PERL  =/usr/local/bin/perl
> THIRTY_TWO_BIT mode
> DES_PTR used
> DES_RISC1 used
> DES_UNROLL used
> BN_LLONG mode
> RC4_INDEX mode
> RC4_CHUNK is undefined
> Undefined subroutine &main::getcwd called at ./util/mklink.pl line 24.
> make: *** [links] Error 255
> 
>
> This is very strange, I tried looking in Google and Yahoo but could
> find absolutely nothing.
>
> Please help!

No errors at all with this options under RHEL4-AS-U4 32bit or 64bit, for
at least versions 0.9.8c and 0.9.8e

./config -fPIC shared no-idea threads
make depend
make
make test
make install

Hope this helps...

-- 

°(((=((===°°°(((===

begin:vcard
fn:Ricardo Stella
n:Stella;Ricardo
org:Rider University;Office of Information Technology
adr;dom:;;2083 Lawrenceville Rd;Lawrenceville;NJ;08648
title:Assistant Director
version:2.1
end:vcard



Problems building openssl-0.9.8b on RedHat Enterprise

2007-04-10 Thread Maximo Migliari

Dear users,

I'm having problems installing openssl-0.9.8b on RedHat Enterprise, kernel
2.6.9-11.ELsmp

When I type: ./config I get the following output:

--
# ./config
Operating system: i686-whatever-linux2
Configuring for linux-elf
Configuring for linux-elf
   no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
   no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
   no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
   no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
   no-shared   [default]
   no-zlib [default]
   no-zlib-dynamic [default]
IsMK1MF=0
CC=gcc
CFLAG =-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-DL_ENDIAN -DTERMIO -O3 -fomSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-DAES_ASM
EX_LIBS   =-ldl
CPUID_OBJ =x86cpuid-elf.o
BN_ASM=bn86-elf.o co86-elf.o
DES_ENC   =dx86-elf.o yx86-elf.o
AES_ASM_OBJ   =ax86-elf.o
BF_ENC=bx86-elf.o
CAST_ENC  =cx86-elf.o
RC4_ENC   =rx86-elf.o
RC5_ENC   =r586-elf.o
MD5_OBJ_ASM   =mx86-elf.o
SHA1_OBJ_ASM  =sx86-elf.o s512sse2-elf.o
RMD160_OBJ_ASM=rm86-elf.o
PROCESSOR =
RANLIB=/usr/bin/ranlib
ARFLAGS   =
PERL  =/usr/local/bin/perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Undefined subroutine &main::getcwd called at ./util/mklink.pl line 24.
make: *** [links] Error 255


This is very strange, I tried looking in Google and Yahoo but could find
absolutely nothing.

Please help!


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
> > I saw a tantalizing thread from 2006 in the mailing list archives 
> > that talked about adding an mingw target to Configure and I wonder 
> > if that's not the way to go.  Should I add powerpc-linux and 
> > arm-linux target lines to Configure to do what I want?  If so, 
> > I don't see how; the existing targets are inscrutable to me.  
> > Can someone point me to documentation on their format?  Or 
> > advise me on a better way to do this?
> 
> I cross-compiled OpenSSL on ARM and MIPS a couple months ago, to 
> perform some RSA benchmarking. I remember hacking the linux-generic 
> target to use arm-linux-gcc instead of gcc also added -static to 
> the CFLAGS. There is probably a more elegant way to do it, but at 
> least it got the job done.

That sounds great but I can't read the targets in Configure well enough
to hack them.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread Christophe Devine
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> I saw a tantalizing thread from 2006 in the mailing list archives that
> talked about adding an mingw target to Configure and I wonder if that's
> not the way to go.  Should I add powerpc-linux and arm-linux target
> lines to Configure to do what I want?  If so, I don't see how; the
> existing targets are inscrutable to me.  Can someone point me to
> documentation on their format?  Or advise me on a better way to do this?

I cross-compiled OpenSSL on ARM and MIPS a couple months ago, to perform
some RSA benchmarking. I remember hacking the linux-generic target to
use arm-linux-gcc instead of gcc also added -static to the CFLAGS. There
is probably a more elegant way to do it, but at least it got the job done.

Christophe

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
> On 4/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > I need to build OpenSSL on Intel Linux (Fedora Core 4, if it 
> > matters) for PowerPC and  ARM targets.  ...
> 
> for ARM you can try Scratchbox (http://www.scratchbox.org), it's a 
> complete environment that runs in Linux and it enables you to build 
> ARM executables with the regular gnu tools (gcc, make, ...). ...

Thanks but I have ARM and PowerPC tool chains on my Intel system; what
I'm looking for is a way to invoke them sanely in the existing OpenSSL
build framework.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread Steven Beeckman

On 4/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


I need to build OpenSSL on Intel Linux (Fedora Core 4, if it matters)
for PowerPC and  ARM targets.  Someone before me did this for us with
0.9.7 and a bunch of patches to Makefiles but it's not portable or
flexible and as I'm revising our build environment somewhat, I'd rather
do it the "right" way than patch his patches.

I note in the FAQ that autoconf, et al may come but are too UNIX-y for
OpenSSL and I see that point.  What I seem to be missing is autoconf's
distinction between prefix and exec-prefix; I can't figure out how to
(easily) modify OpenSSL's Configure, Makefiles, etc. to put includes in
../target/include but libraries in ../target//lib, apps in
../target//sbin, etc.

I saw a tantalizing thread from 2006 in the mailing list archives that
talked about adding an mingw target to Configure and I wonder if that's
not the way to go.  Should I add powerpc-linux and arm-linux target
lines to Configure to do what I want?  If so, I don't see how; the
existing targets are inscrutable to me.  Can someone point me to
documentation on their format?  Or advise me on a better way to do this?

 Chris
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]



Hi,

for ARM you can try Scratchbox (http://www.scratchbox.org), it's a complete
environment that runs in Linux and it enables you to build ARM executables
with the regular gnu tools (gcc, make, ...). You can also run ARM
executables in it. If you have the possibility, try to do it on a
Debian-based system, it's only a matter of adding the correct deb-sources
and doing 'apt-get install'.

FWIW, I got OpenSSL compiled in Scratchbox!

I don't have any experience with PowerPC, so can't help you there.

Regards,

Steven


SSL_write and SSL_read

2007-04-10 Thread Soji VP
Hi Friends,

 

I've an application which supports TLS communication in which, socket
descriptors are handled in threads. 

 

Let's take an arbitrary socket descriptor "fd" and here we go,

 

Can I send data through "fd" using SSL_write() if I'm in the middle of
reading the data from the same fd? 

 

Or if I put it in another way, if SSL_read() returns,
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE (from SSL_get_error()) on
the socket "fd" then, can I send data on the same socket using
SSL_write() ? (Provided, both read and write operations on the "fd" are
handled by same thread always.)

 

 

Any suggestions would be greatly appreciated :-)

 

Thanks in Advance,

Soji. 



Cross-building OpenSSL from Intel Linux to others

2007-04-10 Thread cnelson
I need to build OpenSSL on Intel Linux (Fedora Core 4, if it matters)
for PowerPC and  ARM targets.  Someone before me did this for us with
0.9.7 and a bunch of patches to Makefiles but it's not portable or
flexible and as I'm revising our build environment somewhat, I'd rather
do it the "right" way than patch his patches.  

I note in the FAQ that autoconf, et al may come but are too UNIX-y for
OpenSSL and I see that point.  What I seem to be missing is autoconf's
distinction between prefix and exec-prefix; I can't figure out how to
(easily) modify OpenSSL's Configure, Makefiles, etc. to put includes in
../target/include but libraries in ../target//lib, apps in
../target//sbin, etc.

I saw a tantalizing thread from 2006 in the mailing list archives that
talked about adding an mingw target to Configure and I wonder if that's
not the way to go.  Should I add powerpc-linux and arm-linux target
lines to Configure to do what I want?  If so, I don't see how; the
existing targets are inscrutable to me.  Can someone point me to
documentation on their format?  Or advise me on a better way to do this?

 Chris
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: RSA Key Block

2007-04-10 Thread Marek Marcola
Hello,

> I have a general question about RSA Key Block. 
Maybe key_material is more precise.

> The output of PRF with the master_secret to give us many keys. It
> includes: client_write_MAC_secret, server_wriet_MAC_secret,
> client_write_key, server_write_key, client_write_IV, server_write_IV.
> Could you Please verify what I think about how four of these keys
> being use correcly:
> 
> 1) SSL record format: Length + Data + MAC ( in general)  : client>
> server 
>  
> client_write_MAC_secret is used to encrypted the MAC portion
> message from client>server 
> client_write_key is used to encrypted the Data portion message
> from client> server 
SSL data record is build from ssl_record_header, application_data
and MAC where application_data and MAC is encrypted.
When writing packet from client to server first thing is to calculate
MAC data, but in TLS1 this is not simple SHA1() or MD5() but HMAC_SHA1()
or HMAC_MD5(). This functions requires some key (client_write_MAC_secret
in this case) and data to calculate MAC.
In this case data is:
   data = write_seq_num + proto + version + application_data_len +
application_data

and than, MAC is calculated as (for SHA1):
   MAC = HMAC_SHA1(client_write_MAC_secret, data)

This MAC is concatenated to application_data, some padding is added too
and all this is encrypted using client_write_key (with IV for CBC).
   
> 2) SSL record format: Length + Data + MAC ( in general)  : server>
> client 
>  
> servert_write_MAC_secret is used to encrypted the MAC portion
> message from server> client 
> client_write_key is used to encrypted the Data portion message
> from  server> client 
Like above but with different keys.

> 3) Data from Sever to Client is encrypted with different key from
> Client to Server ???.
Yes.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: RFC 4279 support

2007-04-10 Thread mahendra

Hi Jimmy,

Thanks for the quick reply. I checked the latest snpa shot and it says only
a minimal support for RFC 4279.  I am specifically lookin for "DHE_PSK" and
"RSA_PSK" as mentioned in RFC 4279.

Given here the contents of RFC for quick referemce:

TLS_PSK_WITH_RC4_128_SHA   PSK
TLS_PSK_WITH_3DES_EDE_CBC_SHA  PSK
TLS_PSK_WITH_AES_128_CBC_SHA   PSK
TLS_PSK_WITH_AES_256_CBC_SHA   PSK
TLS_DHE_PSK_WITH_RC4_128_SHA   DHE_PSK
TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA  DHE_PSK
TLS_DHE_PSK_WITH_AES_128_CBC_SHA   DHE_PSK
TLS_DHE_PSK_WITH_AES_256_CBC_SHA   DHE_PSK
TLS_RSA_PSK_WITH_RC4_128_SHA   RSA_PSK
TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA  RSA_PSK
TLS_RSA_PSK_WITH_AES_128_CBC_SHA   RSA_PSK
TLS_RSA_PSK_WITH_AES_256_CBC_SHA   RSA_PSK


Snap shot "openssl-SNAP-20070302" mentions only  "PSK-RC4-SHA",
"PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA", "PSK-AES256-CBC-SHA".

Am I missing something here ?

Thanks
Mahendra


On 4/10/07, jimmy <[EMAIL PROTECTED]> wrote:


mahendra wrote:
> Hi All,
>
> I am looking for RFC 4279 support in open ssl. Can you please let me
> know what version will have this support ? and any idea wehn it is going
> to be released ? I am specifially looking for cipher "
> *TLS_DHE_PSK_WITH_AES_256_CBC_SHA"*and
> * ** "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"

The latest snapshots support PSK. Have you checked them?


-jb
--
The biggest problem with communication is the illusion that it has
occurred.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]



Re: RFC 4279 support

2007-04-10 Thread jimmy
mahendra wrote:
> Hi All,
> 
> I am looking for RFC 4279 support in open ssl. Can you please let me
> know what version will have this support ? and any idea wehn it is going
> to be released ? I am specifially looking for cipher "
> *TLS_DHE_PSK_WITH_AES_256_CBC_SHA"*and
> * ** "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"

The latest snapshots support PSK. Have you checked them?


-jb
-- 
The biggest problem with communication is the illusion that it has occurred.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RFC 4279 support

2007-04-10 Thread mahendra

Hi All,

I am looking for RFC 4279 support in open ssl. Can you please let me know
what version will have this support ? and any idea wehn it is going to be
released ? I am specifially looking for cipher
"*TLS_DHE_PSK_WITH_AES_256_CBC_SHA"
  *and
* **"TLS_RSA_PSK_WITH_AES_256_CBC_SHA"

*Thanks
Mahendra