Re: Engine Issue: nShield 500

2008-11-19 Thread Sander Temme


On Nov 19, 2008, at 11:24 PM, Max Pala wrote:


The software that I am writing is a multi-threaded OCSP responder.



Please make sure you initialize the engine correctly, and set up your  
locking callbacks before you actually initialize the engine.  If you  
look at Apache:


http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?view=markup

the invocation of ssl_init_Engine() and ssl_util_thread_setup() used  
to be in the wrong order, which led to Apache children crashing on an  
assert() from within the Hardware Crypto Hook library (libnfhwcrhk)  
whenever more than five threads were used.  Sounds familiar?


If that is all in order, perhaps you can trap that assert() in gdb and  
take a backtrace.


S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Re: Engine Issue: nShield 500

2008-11-19 Thread Max Pala

Hello Sander,

The software that I am writing is a multi-threaded OCSP responder.

Sander Temme wrote:

What software are you running that makes the calls into OpenSSL?



--

Best Regards,

Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager]  [EMAIL PROTECTED]
 [EMAIL PROTECTED]

Dartmouth Computer Science Dept   Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory  Work Phone: +1 (603) 646-9179
--o

People who think they know everything are a great annoyance to those of us
who do.
   -- Isaac Asimov
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: Engine Issue: nShield 500

2008-11-19 Thread Sander Temme


On Nov 19, 2008, at 10:36 PM, Max Pala wrote:


Anybody has experienced problems with this HSM on Linux + pThread ?



What software are you running that makes the calls into OpenSSL?

Thanks,

S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF





Engine Issue: nShield 500

2008-11-19 Thread Max Pala

Hi all,

I am running into some problems with the nShield 500 HSM. It seems that
their ENGINE implementation is not very stable...

If I run the software with more than 12 threads, I get the following error:

 ../setup.c:517: nfast_hwch_doneconnection: Assertion
`hwctx->conndatas[remember].inuse > 0' failed.

Anybody has experienced problems with this HSM on Linux + pThread ?


Cheers,
Max


--

Best Regards,

Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager]  [EMAIL PROTECTED]
 [EMAIL PROTECTED]

Dartmouth Computer Science Dept   Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory  Work Phone: +1 (603) 646-9179
--o

People who think they know everything are a great annoyance to those of us
who do.
   -- Isaac Asimov



Re: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Dr. Stephen Henson
On Wed, Nov 19, 2008, Kyle Hamilton wrote:

> 
> Use exactly the same commands you would use on UNIX.  OpenSSL does not
> interact with the Windows certificate store at all.  It does not
> interact with CryptoAPI.  It just deals with what's in the files that
> you hand to it.
> 

Well unless it is instructed otherwise. Recent versions of OpenSSL include a
CryptoAPI ENGINE which can make use of private keys and (for SSL/TLS client
authentication only) certificates stored in CryptoAPI.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Thank you Kyle, excellent details.

I will inform the client. 

Ion Buicliu

On Wed, Nov 19, 2008 at 1:34 PM, Buicliu, Ion VSA:EX
<[EMAIL PROTECTED]> wrote:
> If by CLI you mean Command Line Interface, yes, that's what I am using

> on UNIX (not a graphical interface). If not, please let me know what 
> you mean by CLI.

Yes, command-line interface, invoked by cmd.exe.

>
> Also, I would appreciate if you can give me more details about using 
> the keys and decrypting on Windows.

Use exactly the same commands you would use on UNIX.  OpenSSL does not
interact with the Windows certificate store at all.  It does not
interact with CryptoAPI.  It just deals with what's in the files that
you hand to it.

The only gotcha you need to worry about would be if you're decrypting on
Vista or Windows Server 2003+; you might be in a directory which
requires an integrity level of Medium or High, and most invocations of
cmd.exe have Low integrity (meaning you have to get to a directory that
Low integrity can write to, which is often your user account's Documents
directory or a subdir thereof).  Basically: if you get a "cannot write"
error, move the stuff to your user account's Documents folder and retry.

>
> Thank you.
>
> Ion Buicliu


Re: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Kyle Hamilton
On Wed, Nov 19, 2008 at 1:34 PM, Buicliu, Ion VSA:EX
<[EMAIL PROTECTED]> wrote:
> If by CLI you mean Command Line Interface, yes, that's what I am using on
> UNIX (not a graphical interface). If not, please let me know what you mean
> by CLI.

Yes, command-line interface, invoked by cmd.exe.

>
> Also, I would appreciate if you can give me more details about using the
> keys and decrypting on Windows.

Use exactly the same commands you would use on UNIX.  OpenSSL does not
interact with the Windows certificate store at all.  It does not
interact with CryptoAPI.  It just deals with what's in the files that
you hand to it.

The only gotcha you need to worry about would be if you're decrypting
on Vista or Windows Server 2003+; you might be in a directory which
requires an integrity level of Medium or High, and most invocations of
cmd.exe have Low integrity (meaning you have to get to a directory
that Low integrity can write to, which is often your user account's
Documents directory or a subdir thereof).  Basically: if you get a
"cannot write" error, move the stuff to your user account's Documents
folder and retry.

>
> Thank you.
>
> Ion Buicliu


RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Thank you very much Chris, that's all I needed to know. 
I will inform the client and let them deal with the rest. 


Ion Buicliu

Hi Ion,

On Wed, 19 Nov 2008, Buicliu, Ion VSA:EX wrote:

> "Are you using OpenSSL CLI tools on UNIX?
> If so do the same on windows; compile OpenSSL and use the 
> transferred keys and decrypt the data."
>  
> If by CLI you mean Command Line Interface, yes, that's what I am using

> on UNIX (not a graphical interface). If not, please let me know what 
> you mean by CLI.
>  
> Also, I would appreciate if you can give me more details about using 
> the keys and decrypting on Windows.

There is a command-line version of OpenSSL that you can download and
install on Windows that works in exactly the same way as the one on
Linux/Unix does. No magic. If your Windows shop finds that too difficult
to deal with (e.g. having to remember command line options) then I'm not
aware of an OpenSSL GUI that could be used. Perhaps PGP for Windows
might provide what you want, with a GUI?

Cheers, Chris.
-- 
_ __ _
\  __/ / ,__(_)_  | Chris Wilson < at qwirx.com> - Cambs UK | / (_/
,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer | \
_/_/_/_//_/___/ | Stop nuclear war http://www.nuclearrisk.org |


RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Chris Wilson
Hi Ion,

On Wed, 19 Nov 2008, Buicliu, Ion VSA:EX wrote:

> "Are you using OpenSSL CLI tools on UNIX?
> If so do the same on windows; compile OpenSSL and use the
> transferred keys and decrypt the data."
>  
> If by CLI you mean Command Line Interface, yes, that's what I am using
> on UNIX (not a graphical interface). If not, please let me know what you
> mean by CLI.
>  
> Also, I would appreciate if you can give me more details about using the
> keys and decrypting on Windows.

There is a command-line version of OpenSSL that you can download and 
install on Windows that works in exactly the same way as the one on 
Linux/Unix does. No magic. If your Windows shop finds that too difficult 
to deal with (e.g. having to remember command line options) then I'm not 
aware of an OpenSSL GUI that could be used. Perhaps PGP for Windows might 
provide what you want, with a GUI?

Cheers, Chris.
-- 
_ __ _
\  __/ / ,__(_)_  | Chris Wilson < at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Ruby/Perl/SQL Developer |
\ _/_/_/_//_/___/ | Stop nuclear war http://www.nuclearrisk.org |


RE: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
"Are you using OpenSSL CLI tools on UNIX?
If so do the same on windows; compile OpenSSL and use the
transferred keys and decrypt the data."
 
If by CLI you mean Command Line Interface, yes, that's what I am using
on UNIX (not a graphical interface). If not, please let me know what you
mean by CLI.
 
Also, I would appreciate if you can give me more details about using the
keys and decrypting on Windows.
 
Thank you.

Ion Buicliu 





  My question: 
 - is it possible to configure Windows with openSSL to use the keys
and decrypt the files encrypted on UNIX? 
Yes 
 
  - how difficult is this operation?
Are you using OpenSSL CLI tools on UNIX?

If so do the same on windows; compile OpenSSL and use the transferred
keys and decrypt the data.






Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 21:23:30 Geoff Thorpe wrote:
> Please try for yourself if you're waiting on this. Eg. there are nightly
> snapshots downloadable and you can browse the source online
> too. "patch --dry-run" should also come in handy.

I patched 0.9.8b, compiled and installed; results in openssl speed are worse 
for small values and much better for big ones. 
So, as for padlock, it works.

But that is not a "happy end" just yet. With openssh 5.1p1 I get various 
errors, for example:
sshd: undefined symbol: EVP_CIPHER_CTX_iv_length

Maybe is too old openssl for openssh. 

How long would it take to await a fix of this problem from developer side? I 
know, that takes some more work, because you cannot just throw in unknown 
code. Anyway, I would prefer waiting for a week... Is that too little?


Re: Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread jul


On Nov 19, 2008, at 11:35 AM, Buicliu, Ion VSA:EX wrote:

Our UNIX-based organization is preparing to send encrypted data to a  
Windows-based organization.
We have openSSL 0.9.8 on UNIX. We create the keys and will send them  
to the client in one process, then encrypt the data files and send  
them to the client in a different process.


I don't know much about openSSL on Windows. My question:
- is it possible to configure Windows with openSSL to use the keys  
and decrypt the files encrypted on UNIX?



Yes


- how difficult is this operation?


Are you using OpenSSL CLI tools on UNIX?

If so do the same on windows; compile OpenSSL and use the transferred  
keys and decrypt the data.
Since the client seems to think that this is difficult to do, I  
would appreciate if you guide me in the right direction. In the end  
it is the client's responsibility to do it, but I'd like to have an  
idea of what's involved.


Thank you

Ion Buicliu





Openssl encrypt on UNIX, decrypt on Windows

2008-11-19 Thread Buicliu, Ion VSA:EX
Our UNIX-based organization is preparing to send encrypted data to a
Windows-based organization. 
We have openSSL 0.9.8 on UNIX. We create the keys and will send them to
the client in one process, then encrypt the data files and send them to
the client in a different process.
I don't know much about openSSL on Windows. My question:
- is it possible to configure Windows with openSSL to use the keys and
decrypt the files encrypted on UNIX?
- how difficult is this operation?

Since the client seems to think that this is difficult to do, I would
appreciate if you guide me in the right direction. In the end it is the
client's responsibility to do it, but I'd like to have an idea of what's
involved.

Thank you 

Ion Buicliu



Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Geoff Thorpe
On Wednesday 19 November 2008 15:14:21 Jan Klod wrote:
> On Wednesday 19 November 2008 21:02:06 Geoff Thorpe wrote:
> > If neither Michael (Ludvig) nor Andy (Polyakov) respond in the next
> > day or so, I'll try to take a look at (and understand) the state of
> > the padlock engine code.
> >
> > Cheers,
> > Geoff
>
> Well, thank you. I am currently looking at
> www.logix.cz/michal/devel/padlock and it looks like there is a
> ready-to-use solution! I don't know about the quality, though...
> One thing to ask right now: is it safe to patch 0.9.8i with patch,
> that has been intended (at least initially - it has been updated) for
> 0.9.8b?

Please try for yourself if you're waiting on this. Eg. there are nightly 
snapshots downloadable and you can browse the source online 
too. "patch --dry-run" should also come in handy.

Cheers,
Geoff

-- 
Un terrien, c'est un singe avec des clefs de char...


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 21:02:06 Geoff Thorpe wrote:
> On Wednesday 19 November 2008 14:09:06 Jan Klod wrote:
> > On Wednesday 19 November 2008 19:40:06 Michael S. Zick wrote:
> > > On Wed November 19 2008, Jan Klod wrote:
> > > > On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> > > > > That simplifies things, try 0.9.8i
> > > > > http://gentoo-portage.com/dev-libs/openssl
> > > >
> > > > Why? It worked for you?
> > >
> > > Because it is the current release version and
> > > takes next to no effort at all for you to try it.
> > >
> > > Mike
> >
> > Well, the result is: same .
> > Maybe I should try to find some openssl dev and ask directly? You
> > tried?
>
> You're on the right list, the devs who can answer probably just aren't
> poised waiting for jump on list mail. Eg. real jobs and what-not. For
> turnarounds of half-a-day, you'll need a chequebook ... :-)
>
> If neither Michael (Ludvig) nor Andy (Polyakov) respond in the next day
> or so, I'll try to take a look at (and understand) the state of the
> padlock engine code.
>
> Cheers,
> Geoff

Well, thank you. I am currently looking at www.logix.cz/michal/devel/padlock 
and it looks like there is a ready-to-use solution! I don't know about the 
quality, though... 
One thing to ask right now: is it safe to patch 0.9.8i with patch, that has 
been intended (at least initially - it has been updated) for 0.9.8b?


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Geoff Thorpe
On Wednesday 19 November 2008 14:09:06 Jan Klod wrote:
> On Wednesday 19 November 2008 19:40:06 Michael S. Zick wrote:
> > On Wed November 19 2008, Jan Klod wrote:
> > > On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> > > > That simplifies things, try 0.9.8i
> > > > http://gentoo-portage.com/dev-libs/openssl
> > >
> > > Why? It worked for you?
> >
> > Because it is the current release version and
> > takes next to no effort at all for you to try it.
> >
> > Mike
>
> Well, the result is: same .
> Maybe I should try to find some openssl dev and ask directly? You
> tried?

You're on the right list, the devs who can answer probably just aren't 
poised waiting for jump on list mail. Eg. real jobs and what-not. For 
turnarounds of half-a-day, you'll need a chequebook ... :-)

If neither Michael (Ludvig) nor Andy (Polyakov) respond in the next day 
or so, I'll try to take a look at (and understand) the state of the 
padlock engine code.

Cheers,
Geoff

-- 
Un terrien, c'est un singe avec des clefs de char...


Re: How to revoke certificates

2008-11-19 Thread Victor Duchovni
On Thu, Nov 20, 2008 at 01:29:25AM +0800, Talasila, Ravikanth wrote:

> Hi,
> 
>  
> 
> Using OpenSSL API
> 
> 1.How to find that a certificate is expired? Which API deals with
> this?
> 2.How to move an expired certificate to revocation list? Is it
> done automatically?

Expired certificates don't need to be revoked. Only unexpired ones that
have become compromised may be revoked, but you can't expect all clients
to check revocation lists, unless you also control the clients.

> 3.How certificates are verified at server side? If a bunch of
> certificates available (inside a pem file), all these are verified to
> match the client certificate?

OpenSSL only verifies the trust chain (and checks the expiration
dates, ...), and optionally checks revocation lists (if you import
the appropriate CRL into your X509_STORE) it is up to you to determine
whether the subject of the specific certificate is *authorized* to access
the service.

-- 
Viktor.


How to revoke certificates

2008-11-19 Thread Talasila, Ravikanth
Hi,

 

Using OpenSSL API

1.  How to find that a certificate is expired? Which API deals with
this?
2.  How to move an expired certificate to revocation list? Is it
done automatically?
3.  How certificates are verified at server side? If a bunch of
certificates available (inside a pem file), all these are verified to
match the client certificate?

 

Your suggestions are valuable. If examples are provided that would be a
great help.

 

Regards,

Ravikanth



RE: signature length mismatch ERROR in RSA_Verify.

2008-11-19 Thread David Schwartz

> RSA_verify(NID_md5, datatosign, (strlen(datatosign)), signature, 
> strlen(signature), key);

The 'strlen' function is only useable on a C-style string. The signature cannot 
be a C-style string because it is arbitrary binary data.

> Best regards,
> Am. Sivaramakrishnan

DS
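
The failure mode described in the reply above, as an added example (not code from the thread): a constructed 128-byte buffer stands in for an RSA-1024 signature, and `strlen()` stops at its first zero byte, so the length passed to RSA_verify no longer equals RSA_size(key). The struct, the helper names and the sample bytes are assumptions made for illustration; the fix shown is to carry the length RSA_sign reported, and to hex-encode the blob if it has to travel as text.

```c
#include <stdio.h>
#include <string.h>

#define MODULUS_BYTES 128   /* RSA_size() of a 1024-bit key; constructed for this example */

/* A signature is binary data: keep the bytes and their length together. */
struct sig_blob {
    unsigned char data[MODULUS_BYTES];
    unsigned int  len;      /* the value RSA_sign() stores through its siglen pointer */
};

/* Constructed sample: 128 non-zero bytes, then one zero byte planted at offset 17. */
void make_sample_sig(struct sig_blob *s)
{
    unsigned int i;
    for (i = 0; i < MODULUS_BYTES; i++)
        s->data[i] = (unsigned char)(i + 1);
    s->data[17] = 0x00;
    s->len = MODULUS_BYTES;
}

/* The length the posted call would pass: strlen() stops at the first zero byte. */
unsigned int siglen_via_strlen(const struct sig_blob *s)
{
    return (unsigned int)strlen((const char *)s->data);
}

/* Same test RSA_verify() applies before any RSA math: siglen must equal RSA_size(key). */
int siglen_acceptable(unsigned int siglen)
{
    return siglen == MODULUS_BYTES;
}

/* Hex-encode for transport through text channels; out needs 2*len+1 bytes. */
void sig_to_hex(const unsigned char *in, unsigned int len, char *out)
{
    static const char digits[] = "0123456789abcdef";
    unsigned int i;
    for (i = 0; i < len; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * len] = '\0';
}

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex into a blob. Returns the byte count, or -1 on malformed or oversized input. */
int sig_from_hex(const char *hex, struct sig_blob *s)
{
    size_t n = strlen(hex);          /* fine here: hex text really is a C string */
    size_t i;
    if (n % 2 != 0 || n / 2 > MODULUS_BYTES)
        return -1;
    for (i = 0; i < n / 2; i++) {
        int hi = hex_val(hex[2 * i]);
        int lo = hex_val(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        s->data[i] = (unsigned char)((hi << 4) | lo);
    }
    s->len = (unsigned int)(n / 2);
    return (int)s->len;
}

/* Round trip: returns 1 when every byte, zero bytes included, survives. */
int roundtrip_preserves_sig(void)
{
    struct sig_blob a, b;
    char hex[2 * MODULUS_BYTES + 1];
    make_sample_sig(&a);
    sig_to_hex(a.data, a.len, hex);
    if (sig_from_hex(hex, &b) != MODULUS_BYTES)
        return 0;
    return memcmp(a.data, b.data, MODULUS_BYTES) == 0;
}

int main(void)
{
    struct sig_blob s;
    make_sample_sig(&s);
    printf("strlen-derived siglen: %u (accepted: %d)\n",
           siglen_via_strlen(&s), siglen_acceptable(siglen_via_strlen(&s)));
    printf("tracked siglen:        %u (accepted: %d)\n",
           s.len, siglen_acceptable(s.len));
    printf("hex round trip intact: %d\n", roundtrip_preserves_sig());
    return 0;
}
```
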




Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Michael S. Zick
On Wed November 19 2008, Jan Klod wrote:
> On Wednesday 19 November 2008 19:40:06 Michael S. Zick wrote:
> > On Wed November 19 2008, Jan Klod wrote:
> > > On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> > > > That simplifies things, try 0.9.8i
> > > > http://gentoo-portage.com/dev-libs/openssl
> > >
> > > Why? It worked for you?
> >
> > Because it is the current release version and
> > takes next to no effort at all for you to try it.
> >
> > Mike
> 
> Well, the result is: same .
> Maybe I should try to find some openssl dev and ask directly? You tried?
> 

Perhaps try the dev mailing list. I haven't.  

My position is that if it is "user ready" then it
is a suitable subject for the user's mailing list. ;)

I.E: I want to use it (on C7M), not develop it.

Mike
> Jan


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 19:40:06 Michael S. Zick wrote:
> On Wed November 19 2008, Jan Klod wrote:
> > On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> > > That simplifies things, try 0.9.8i
> > > http://gentoo-portage.com/dev-libs/openssl
> >
> > Why? It worked for you?
>
> Because it is the current release version and
> takes next to no effort at all for you to try it.
>
> Mike

Well, the result is: same .
Maybe I should try to find some openssl dev and ask directly? You tried?

Jan


Compiling OpenSSL on win32, dlls have no version info

2008-11-19 Thread Tony Caduto

Hi,
I recently compiled OpenSSL for windows using MinGW and the resulting 
dlls had no version information embedded in them.


Is there a configure option or another way to enable the version 
information?


Thanks,

Tony


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Michael S. Zick
On Wed November 19 2008, Jan Klod wrote:
> On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> > That simplifies things, try 0.9.8i
> > http://gentoo-portage.com/dev-libs/openssl
> 
> Why? It worked for you?
>

Because it is the current release version and
takes next to no effort at all for you to try it.

Mike


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 19:28:51 Michael S. Zick wrote:
> That simplifies things, try 0.9.8i
> http://gentoo-portage.com/dev-libs/openssl

Why? It worked for you?


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Michael S. Zick
On Wed November 19 2008, Jan Klod wrote:
> On Wednesday 19 November 2008 18:58:31 Michael S. Zick wrote:
> > Do you say which version of openSSL you are using?
> > Have you looked at the development head in cvs?
> > (I haven't)
> 0.9.8h-r1
> no
> 
> > Did you mention what operating system and version you are using?
> no; gentoo, but is that important? I think, no (well, patches, however).
>

That simplifies things, try 0.9.8i
http://gentoo-portage.com/dev-libs/openssl

I also notice that some of the engines are broken
out from the base package. There might be something there also.

Mike
> > Linux has padlock drivers as a configuration option.
> Which ones I have IN KERNEL.
> 
> >
> > I asked the same questions months ago - without any response
> > from this list, so it must be a "done deal" in cvs.
> > Or a question with some other "obvious" answer. (like: no).
> Sigh. I could do that, I know, but it would take *lots* of time. I am afraid, 
> I don't have that much and I will have to live with slow transfers, not 
> mentioning what I think about it.
> 
> >
> > Mike
> Jan


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 18:58:31 Michael S. Zick wrote:
> Do you say which version of openSSL you are using?
> Have you looked at the development head in cvs?
> (I haven't)
0.9.8h-r1
no

> Did you mention what operating system and version you are using?
no; gentoo, but is that important? I think, no (well, patches, however).
> Linux has padlock drivers as a configuration option.
Which ones I have IN KERNEL.

>
> I asked the same questions months ago - without any response
> from this list, so it must be a "done deal" in cvs.
> Or a question with some other "obvious" answer. (like: no).
Sigh. I could do that, I know, but it would take *lots* of time. I am afraid, 
I don't have that much and I will have to live with slow transfers, not 
mentioning what I think about it.

>
> Mike
Jan


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Michael S. Zick
On Wed November 19 2008, Jan Klod wrote:
> On Wednesday 19 November 2008 18:27:07 Michael S. Zick wrote:
> > On Wed November 19 2008, Jan Klod wrote:
> > > Hello,
> > > hashing acceleration with VIA padlock is a nice feature, if it works. I
> > > > am sure, it CAN work on my board, but openssl seems not to be able to use
> > > > it! I can only get $(openssl speed -evp aes-256-cbc -engine padlock)
> > > > improvement, but not sha1/sha256, which is also supported by padlock.
> > > In turn, openssh_ transfers are slowed down greatly...
> > >
> > > Please, how can I help myself or what needs to be done in openssl?
> >
> > VIA has publicly released the technical documentation on the PadLock
> > engine.
> >
> > Go here:
> > http://linux.via.com.tw/support/downloadFiles.action
> >
> > In the right-hand drop down box, select "CPU"
> > Grab your copy of _both_ documents.
> 
> Thank you, but that looks like a serious set-back in time... 
> First I would like to know if others haven't added that support yet? (well, I 
> would not like to assume)
> It would be a lot faster for a person, who added support for aes.
> 
> Also there is a sample program, which is doing accelerated sha1:
> http://www.logix.cz/michal/devel/padlock/phe_sum.c
> 
> So you say, I have to do all that myself?
>

Do you say which version of openSSL you are using?
Have you looked at the development head in cvs?
(I haven't)

Did you mention what operating system and version you are using?
Linux has padlock drivers as a configuration option.

I asked the same questions months ago - without any response
from this list, so it must be a "done deal" in cvs.
Or a question with some other "obvious" answer. (like: no).

Mike


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
On Wednesday 19 November 2008 18:27:07 Michael S. Zick wrote:
> On Wed November 19 2008, Jan Klod wrote:
> > Hello,
> > hashing acceleration with VIA padlock is a nice feature, if it works. I
> > > am sure, it CAN work on my board, but openssl seems not to be able to use
> > > it! I can only get $(openssl speed -evp aes-256-cbc -engine padlock)
> > > improvement, but not sha1/sha256, which is also supported by padlock.
> > In turn, openssh_ transfers are slowed down greatly...
> >
> > Please, how can I help myself or what needs to be done in openssl?
>
> VIA has publicly released the technical documentation on the PadLock
> engine.
>
> Go here:
> http://linux.via.com.tw/support/downloadFiles.action
>
> In the right-hand drop down box, select "CPU"
> Grab your copy of _both_ documents.

Thank you, but that looks like a serious set-back in time... 
First I would like to know if others haven't added that support yet? (well, I 
would not like to assume)
It would be a lot faster for a person, who added support for aes.

Also there is a sample program, which is doing accelerated sha1:
http://www.logix.cz/michal/devel/padlock/phe_sum.c

So you say, I have to do all that myself?


Re: problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Michael S. Zick
On Wed November 19 2008, Jan Klod wrote:
> Hello,
> hashing acceleration with VIA padlock is a nice feature, if it works. I am 
> sure, it CAN work on my board, but openssl seems not to be able to use it!
> I can only get $(openssl speed -evp aes-256-cbc -engine padlock) improvement, 
> but not sha1/sha256, which is also supported by padlock.
> In turn, openssh_ transfers are slowed down greatly... 
> 
> Please, how can I help myself or what needs to be done in openssl?
>

VIA has publicly released the technical documentation on the PadLock engine.

Go here:
http://linux.via.com.tw/support/downloadFiles.action

In the right-hand drop down box, select "CPU"
Grab your copy of _both_ documents.

Mike 
> Jan


Client verify failing - continued

2008-11-19 Thread Michael Simms
OK, as requested, I'm going to give a detailed breakdown of what the
client and server does with this error

As a note: The certificates are *fine* I have used them successfully
with s_client and s_server tests. They verify perfectly well.

So, the conversation goes as follows. I am abbreviating some of it,
but only the unimportant bits (like the low level socket negotiation,
and the values we pass into the generated keys which aren't being
verified).

SERVER: 
SERVER: socket()  // Create socket
SERVER: fcntl()   // Nonblocking fcntl
SERVER: bind()    // Bind to port
SERVER: listen()  // Listen on port
SERVER: SSL_library_init()
SERVER: SSL_load_error_strings()
SERVER: ssl_meth=SSLv23_server_method()
SERVER: sctx=SSL_CTX_new(ssl_meth)
SERVER: bio = memory_buf_BIO(private_key, -1)
SERVER: if (private_key_password)
SERVER:   key=PEM_read_bio_PrivateKey(bio,NULL,ssl_key_password_callback,private_key_password)
SERVER: else
SERVER:   key=PEM_read_bio_PrivateKey(bio,NULL,NULL,NULL,NULL)
SERVER: BIO_free(bio)
SERVER: bio = memory_buf_BIO(public_key, -1)
SERVER: cert=PEM_read_bio_X509(bio,NULL,NULL,NULL)
SERVER: SSL_CTX_use_PrivateKey(sctx,key)
SERVER: SSL_CTX_use_certificate(sctx,cert)
SERVER: SSL_CTX_check_private_key(sctx)  // PASSES

CLIENT: socket()
CLIENT: fcntl()   // Nonblocking fcntl
CLIENT: connect()  //WAIT for connect to succeed

SERVER: accept()
SERVER: fcntl()  // Nonblocking fcntl on new socket
SERVER: sssl=SSL_new(sctx)
SERVER: SSL_set_fd(sssl,newly_accepted_fd)

SERVER: SSL_accept(sssl)  //Keep on doing this until WANT_READ stops


  //CLIENT DOES **NOT** run SSL_library_init, as this is a unit test
  //run with the server and client in one process, and so it does not
  //initialise twice.

CLIENT: ssl_meth=SSLv23_client_method()
CLIENT: cctx = SSL_CTX_new(ssl_meth)
CLIENT: SSL_CTX_load_verify_locations(cctx,ca_filename,NULL)
CLIENT: SSL_CTX_set_verify(cctx,SSL_VERIFY_PEER,NULL)
CLIENT: SSL_CTX_set_verify_depth(cctx,10);
   //THIS SECTION is all just generating a new keypair
CLIENT: rsakey=RSA_generate_key(1024,RSA_F4,NULL,NULL)
CLIENT: ckey = EVP_PKEY_new()
CLIENT: EVP_PKEY_assign_RSA(ckey, rsakey)
CLIENT: required_size = i2d_RSAPublicKey(rsakey,NULL)
CLIENT: len=i2d_RSAPublicKey(rsakey,&correct_sized_buf)
  //Move correct_sized_buf back to its start
CLIENT: pubrsa=d2i_RSAPublicKey(NULL,&correct_sized_buf,len)
CLIENT: tmp_pkey = EVP_PKEY_new();
CLIENT: EVP_PKEY_assign_RSA(tmp_pkey, pubrsa);
CLIENT: ccert=X509_new();
CLIENT: X509_set_pubkey(ccert,tmp_pkey);
CLIENT: X509_set_version(ccert,3);
CLIENT: X509_set_serialNumber(ccert, serial);
CLIENT: X509_set_notBefore(ccert,timebound);
CLIENT: X509_set_notAfter(ccert,timebound);
CLIENT: X509_set_subject_name(ccert,subject);
CLIENT: X509_set_issuer_name(ccert,subject);
CLIENT: X509_sign(ccert, ckey, EVP_md5());
  //THIS FINISHES the creation
CLIENT: SSL_CTX_use_PrivateKey(cctx,ckey);
CLIENT: SSL_CTX_use_certificate(cctx,ckey)
CLIENT: SSL_CTX_check_private_key(cctx)  //PASS
CLIENT: cssl=SSL_new(cctx);
CLIENT: SSL_set_fd(cssl,clients_connected_fd)
CLIENT: SSL_connect(cssl);  //Keep on doing this until WANT_READ stops

**HERE** We get the error on SSL_connect after a few WANT_READS

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So, that's the routine used. The exact reverse, where the client uses
the same keys and the server has the same ca, works just fine.

Keys are attached, password is abcd

Thanks
-- 
Michael Simms


servercert.pem
Description: Binary data


serverkey.pem
Description: Binary data


rootcert.pem
Description: Binary data


problems with VIA Eden sha1 HW acceleration in ssl

2008-11-19 Thread Jan Klod
Hello,
hashing acceleration with VIA padlock is a nice feature, if it works. I am
sure it CAN work on my board, but openssl seems not to be able to use it!
I can only get $(openssl speed -evp aes-256-cbc -engine padlock) improvement,
but not sha1/sha256, which is also supported by padlock.
In turn, openssh_ transfers are slowed down greatly...

Please, how can I help myself or what needs to be done in openssl?

Jan


Re: how to enable ony AES,DES/3DES, RSA algorithm by using MACRO

2008-11-19 Thread Ger Hobbelt
You can turn OFF specific algorithms using macros - which can also be
configured through the Configure script.

macros all come in the form of

OPENSSL_NO_xyz

e.g. OPENSSL_NO_MDC2

and (IIRC) those same items can be configured through 'Configure
-no_mdc2' and so on.

That way, you can turn off almost all algorithms.
Check the documentation and the Configure help itself for a complete
list of these.


By the way: I notice you do only wish to use public key and symmetric
key crypto algorithms, and don't list any hash algorithm (such as
SHA); I take it this is intentional?
In that case, you can dispense with the SSL code itself as well (
NO_SSL / -no-ssl ).



On Wed, Nov 19, 2008 at 6:29 AM, Ajeet kumar.S
<[EMAIL PROTECTED]> wrote:
> Dear All,
>
>  I want to enable only DES/3DES, AES and RSA Algorithm. So please tell me any
> preprocessor definition by using which we can enable only DES/3DES, AES and
> RSA algorithm. I don't want to use other algorithm except above three. Is
> any macro kind of thing is there by which we can enable only above mention
> algorithms?
>
>
>
> Thank you.
>
> Regards,
>
> --Ajeet  Kumar  Singh
>
>
>
>
>
>



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web:http://www.hobbelt.com/
http://www.hebbut.net/
mail:   [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--


Help for crypting password from a key

2008-11-19 Thread Florent Blanchon
Hello all.

I didn't find help anywhere, so I have to ask you.

I would like to cypher (and decypher) a password with a determined key.
My program already uses openssl, so that's why I sent you this message.

Thank you.
Florent


Re: signature length mismatch ERROR in RSA_Verify.

2008-11-19 Thread Sivaramakrishnan Ananthakrishnan

Hi,

   As explained in the initial email we were able to resolve the 
"RSA_verify:wrong signature length" by generating the signature in two steps as 
explained below (which generates 128 byte signature):

openssl dgst -md5 -binary -out signmd.bin input.txt
openssl rsautl -encrypt -inkey rsapriv.pem -in signmd.bin -out signmd.enc

First generate a hash digest based on MD5 and then encrypt the hash digest using
private key.

But when we use the API 
RSA_verify(NID_md5, datatosign, (strlen(datatosign)), signature, 
strlen(signature), key);

at the embedded side to verify the signature we get the following error:

error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header

FYI we disabled padding at the embedded side for RSA_verify.

Any help appreciated to resolve the ASN error.

Will decrypt of signature followed by local hash generation at the embedded
side, to be compared with the output of the decrypt signature, help resolve the
issue?

Best regards,
Am. Sivaramakrishnan

--- On Thu, 11/13/08, Raja RC <[EMAIL PROTECTED]> wrote:

> From: Raja RC <[EMAIL PROTECTED]>
> Subject: signature length mismatch ERROR in RSA_Verify.
> To: openssl-users@openssl.org
> Date: Thursday, November 13, 2008, 5:11 AM
> Hi,
>  I see the following error while trying to verify the
> signature using public
> key (generated in cygwin) and verification is done at
> embedded system with
> openssl libraries.
> 
> error:04077077:rsa routines:RSA_verify:wrong signature
> length
> 
> The details about what I'm trying to do is as follows:
> 
> * Private Key is created in cygwin using the command 
> openssl genrsa -out
> private_key.pem 1024
> * Public Key is created in cygwin using the command openssl
> rsa -pubout -in
> private_key.pem -out public_key.pem
> * The signature is created in cygwin using the command
> openssl dgst -md5
> -binary -out "signmd.bin" -sign
> "private_key.pem" "input.txt"
> 
> 
> 1. When we use the private key and sign the data using
> RSA_sign and verify
> the signature created (on embedded system with openssl
> libraries) using
> RSA_verify with public key it works. This is when both
> RSA_Sign and
> RSA_Verify are done on the embedded system.
> 
> 2) But, when we try verifying the signature created from
> cygwin, using the
> public key, it fails. When PEM_read_RSA_PUBKEY is used to
> extract the public
> key parameter N and E (N and E extraction is fine) and
> subsequently using
> RSA_Verify, it fails.
> 
> 3) To get the RSA public key from ".pem" file, we
> are now using the API
> "PEM_read_RSA_PUBKEY", but if we have to use the
> API EVP_VerifyFinal() for
> verification. What API to use to get the EVP_PKey from
> ".pem" file. We tried
> using the API "PEM_read_PUBKEY", but  guess it
> doesn't work – as an
> exception is generated when the API
> "EVP_VerifyFinal" is called.
> 
> 4) Would appreciate if anyone can explain how exactly the
> API
> "EVP_VerifyFinal()" needs to be called., (i.e.,
> what is the sequence - we
> tried EVP_VerifyInit and EVP_VerifyUpdate and then
> EVP_VerifyFinal)
> 
> Regards,
> Raja
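
The error strings in this thread correspond to successive checks in PKCS#1 v1.5 signature verification. The following is an added example, not code from the posters or from OpenSSL: a small Python model of those checks using a constructed toy key, with hypothetical helper names (verify, c_strlen, sign_bare_hash); MD5 is kept only to match the thread's commands.

```python
import hashlib

# Constructed toy key: the product of two Mersenne primes. It is trivially
# factorable and exists only to keep the example self-contained.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes, what RSA_size() returns

# DER prefix of the DigestInfo for MD5 (RFC 8017, section 9.2).
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")

def pad_type1(payload):
    """PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 || payload."""
    return b"\x00\x01" + b"\xff" * (K - len(payload) - 3) + b"\x00" + payload

def rsa_private(block):
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")

def sign(data):
    """Signature as `openssl dgst -md5 -sign` builds it: DigestInfo || MD5."""
    return rsa_private(pad_type1(MD5_DIGESTINFO + hashlib.md5(data).digest()))

def sign_bare_hash(data):
    """Private-key operation on a padded hash with no DigestInfo wrapper."""
    return rsa_private(pad_type1(hashlib.md5(data).digest()))

def c_strlen(buf):
    """Length C's strlen() reports: the bytes before the first NUL."""
    return buf.index(0) if 0 in buf else len(buf)

def verify(digest, sig, siglen):
    """Model of RSA_verify: length, padding, DigestInfo, then digest."""
    if siglen != K:
        return "wrong signature length"
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return "bad padding"
    info = em[sep + 1:]
    if not info.startswith(MD5_DIGESTINFO):
        return "not a DigestInfo"
    return "ok" if info[len(MD5_DIGESTINFO):] == digest else "bad signature"

if __name__ == "__main__":
    data = b"constructed sample input"
    sig, md = sign(data), hashlib.md5(data).digest()
    print(verify(md, sig, len(sig)), verify(data, sig, len(sig)),
          verify(md, sign_bare_hash(data), K))
```

In C, the matching RSA_verify call takes the 16-byte MD5 digest as the message argument and the signature length as read from the file (equal to RSA_size(key)); strlen() is not meaningful on either binary buffer.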


