Re: engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Dimitrios Siganos wrote:

> Dr. Stephen Henson wrote:
>> On Fri, Apr 16, 2010, Dimitrios Siganos wrote:
>>   
>>> Now, I would like this engine to install automatically i.e. without 
>>> having to run the engine command. I tried adding the following to 
>>> openssl.cnf
>>>
>>> ##
>>> openssl_conf = openssl_def
>>>
>>> [ openssl_def ]
>>> engines = engine_section
>>>
>>> [ engine_section ]
>>> pkcs11 = pkcs11_section
>>>
>>> [ pkcs11_section ]
>>> engine_id = pkcs11
>>> dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
>>> MODULE_PATH = opensc-pkcs11.so
>>> init = 0
>>> ##
>>>
>>> but it doesn't work properly. Here's what I get:
>>> $ openssl engine -t
>>> (dynamic) Dynamic engine loading support
>>> [ unavailable ]
>>> (4758cca) IBM 4758 CCA hardware engine support
>>> [ unavailable ]
>>> (aep) Aep hardware engine support
>>> [ unavailable ]
>>> (atalla) Atalla hardware engine support
>>> [ unavailable ]
>>> (cswift) CryptoSwift hardware engine support
>>> [ unavailable ]
>>> (chil) CHIL hardware engine support
>>> [ unavailable ]
>>> (nuron) Nuron hardware engine support
>>> [ unavailable ]
>>> (sureware) SureWare hardware engine support
>>> [ unavailable ]
>>> (ubsec) UBSEC hardware engine support
>>> [ unavailable ]
>>> (padlock) VIA PadLock (no-RNG, no-ACE)
>>> [ unavailable ]
>>> (gost) Reference implementation of GOST engine
>>> [ available ]
>>> (pkcs11) pkcs11 engine
>>> Auto configuration failed
>>> 1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init 
>>> failed:eng_dyn.c:521:
>>> 1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine 
>>> configuration error:eng_cnf.c:204:section=pkcs11_section, 
>>> name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
>>> 1116888:error:0E07606D:configuration file routines:MODULE_RUN:module 
>>> initialization error:conf_mod.c:235:module=engines, value=engine_section, 
>>> retcode=-1 Can someone shed some light into this?
>>> 
>>
>> It's not obvious what the problem is from that. It looks like the PKCS#11
>> isn't initialising properly.
>>
>> Try using the dynamic ENGINE in the config file with exactly the same 
>> commands
>> you used on the command line.
>>   
> This seems to be a regression of some sort but not necessarily of openssl. 
> I found this thread on a different mailing list that describes the problem 
> in much more detail and there is an active discussion about possible fixes.
> http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013953.html
>
> I tried openssl 0.9.8k and that works fine for me, so I will stick with the 
> older version for now.
>

Ah I see what is happening, the auto config method is being called recursively
and getting confused. That can be worked around in OpenSSL, try adding a call
to OPENSSL_no_config() at the start of CONF_modules_load() in
crypto/conf/conf_mod.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0 compile issues on SUSE 10.1

2010-04-16 Thread John R Pierce

Jon Strait wrote:
> Please bear with me as I am in the midst of my crash-course in Linux
> upgrade management.


In general, you do NOT want to be using source tarballs to
replace/upgrade components of a package-managed distribution. SuSE
Enterprise Linux 10 has their own upgrade management process, you really
should stick with that unless there is an overwhelming reason to
deviate, and if that's the case, you will want to package your updates as
RPMs and carefully work out the interdependencies with the vendor
supplied packages.





Re: engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dimitrios Siganos

Dr. Stephen Henson wrote:
> On Fri, Apr 16, 2010, Dimitrios Siganos wrote:
>
>> Now, I would like this engine to install automatically i.e. without having
>> to run the engine command. I tried adding the following to openssl.cnf
>>
>> ##
>> openssl_conf = openssl_def
>>
>> [ openssl_def ]
>> engines = engine_section
>>
>> [ engine_section ]
>> pkcs11 = pkcs11_section
>>
>> [ pkcs11_section ]
>> engine_id = pkcs11
>> dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
>> MODULE_PATH = opensc-pkcs11.so
>> init = 0
>> ##
>>
>> but it doesn't work properly. Here's what I get:
>> $ openssl engine -t
>> (dynamic) Dynamic engine loading support
>> [ unavailable ]
>> (4758cca) IBM 4758 CCA hardware engine support
>> [ unavailable ]
>> (aep) Aep hardware engine support
>> [ unavailable ]
>> (atalla) Atalla hardware engine support
>> [ unavailable ]
>> (cswift) CryptoSwift hardware engine support
>> [ unavailable ]
>> (chil) CHIL hardware engine support
>> [ unavailable ]
>> (nuron) Nuron hardware engine support
>> [ unavailable ]
>> (sureware) SureWare hardware engine support
>> [ unavailable ]
>> (ubsec) UBSEC hardware engine support
>> [ unavailable ]
>> (padlock) VIA PadLock (no-RNG, no-ACE)
>> [ unavailable ]
>> (gost) Reference implementation of GOST engine
>> [ available ]
>> (pkcs11) pkcs11 engine
>> Auto configuration failed
>> 1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init
>> failed:eng_dyn.c:521:
>> 1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine
>> configuration error:eng_cnf.c:204:section=pkcs11_section,
>> name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
>> 1116888:error:0E07606D:configuration file routines:MODULE_RUN:module
>> initialization error:conf_mod.c:235:module=engines, value=engine_section,
>> retcode=-1
>> Can someone shed some light into this?
>
> It's not obvious what the problem is from that. It looks like the PKCS#11
> isn't initialising properly.
>
> Try using the dynamic ENGINE in the config file with exactly the same commands
> you used on the command line.

This seems to be a regression of some sort but not necessarily of
openssl. I found this thread on a different mailing list that describes
the problem in much more detail and there is an active discussion about
possible fixes.

http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013953.html

I tried openssl 0.9.8k and that works fine for me, so I will stick with
the older version for now.


Thank you for your time,
Dimitrios Siganos


Re: openssl-1.0.0 compile issues on SUSE 10.1

2010-04-16 Thread Antoine Pitrou
On Friday 16 April 2010 at 10:47 -0700, Jon Strait wrote:
> Please bear with me as I am in the midst of my crash-course in Linux
> upgrade management.
> 
> 
> I am trying to upgrade from openssl-0.9.8 to openssl-1.0.0 on SUSE
> 10.1 32bit with HP dl380's.

Why do you? Your Linux distribution will provide updated binary packages
if necessary (for example to fix hypothetical security issues).

They also might have their own custom patches to OpenSSL, which means
your self-compiled vanilla version of OpenSSL might break installed
applications.





openssl-1.0.0 compile issues on SUSE 10.1

2010-04-16 Thread Jon Strait
Please bear with me as I am in the midst of my crash-course in Linux upgrade
management.

I am trying to upgrade from openssl-0.9.8 to openssl-1.0.0 on SUSE 10.1
32bit with HP dl380's. I have used the following commands:

./config --prefix=usr
make
make test
make install

added /usr/lib to /etc/ld.so.conf
ldconfig

'openssl version' returns OpenSSl 1.0.0 29 Mar 2010


At first I thought everything worked until I attempted an openSSH upgrade.
This gave me the SSL headers do not match the librarys error.

Checking ldd gives this:
>ldd /usr/bin/openssl
linux-gate.so.1 => (0xe000)
libdl.so.2 => /lib/libdl.so.2 (0xb7f0c000)
libc.so.6 => /lib/libc.so.6 (0xb7de)
/lib/ld-linux.so.2 (0xb7f26000)

I did a search for libssl.so.1.0.0 and found nothing in the whole system, even
in the /tmp directory where I compiled the program. I have tried to
reinstall by changing to './config --prefix=/opt/ssl' in order to see what
is installed but after 'make && make install' libssl.so.1.0.0 is still
nonexistent.

I am new to linux package upgrading so I may be missing some links but I
need something to link to.

Any help is greatly appreciated.

Thanks
Jon


Re: engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Dimitrios Siganos wrote:

> Hi,
>
> I have used openssl-1.0.0 and engine_pkcs11 for storing an rsa private key 
> in a smartcard (feitian epass 3000). I got openssl to access the rsa 
> private key and used it to create a self-signed certificate like this:
>
> openssl
>
> OpenSSL> engine dynamic \
> > -pre SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so \
> > -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
> > -pre MODULE_PATH:opensc-pkcs11.so
>
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
>
> OpenSSL> req -new -x509 -engine pkcs11 -keyform engine -text \
> > -key slot_1-id_6de677f53533e28254d5890e2d7a15a8135883ca \
>
> engine "pkcs11" set.
> PKCS#11 token PIN:
> 
>
> So far so good.
>
> Now, I would like this engine to install automatically i.e. without having 
> to run the engine command. I tried adding the following to openssl.cnf
>
> ##
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> pkcs11 = pkcs11_section
>
> [ pkcs11_section ]
> engine_id = pkcs11
> dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = opensc-pkcs11.so
> init = 0
> ##
>
> but it doesn't work properly. Here's what I get:
> $ openssl engine -t
> (dynamic) Dynamic engine loading support
> [ unavailable ]
> (4758cca) IBM 4758 CCA hardware engine support
> [ unavailable ]
> (aep) Aep hardware engine support
> [ unavailable ]
> (atalla) Atalla hardware engine support
> [ unavailable ]
> (cswift) CryptoSwift hardware engine support
> [ unavailable ]
> (chil) CHIL hardware engine support
> [ unavailable ]
> (nuron) Nuron hardware engine support
> [ unavailable ]
> (sureware) SureWare hardware engine support
> [ unavailable ]
> (ubsec) UBSEC hardware engine support
> [ unavailable ]
> (padlock) VIA PadLock (no-RNG, no-ACE)
> [ unavailable ]
> (gost) Reference implementation of GOST engine
> [ available ]
> (pkcs11) pkcs11 engine
> Auto configuration failed
> 1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init 
> failed:eng_dyn.c:521:
> 1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine 
> configuration error:eng_cnf.c:204:section=pkcs11_section, 
> name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
> 1116888:error:0E07606D:configuration file routines:MODULE_RUN:module 
> initialization error:conf_mod.c:235:module=engines, value=engine_section, 
> retcode=-1 
> Can someone shed some light into this?
>

It's not obvious what the problem is from that. It looks like the PKCS#11
isn't initialising properly.

Try using the dynamic ENGINE in the config file with exactly the same commands
you used on the command line.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
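
The advice above, written out as an added example (not code from the thread or from OpenSSL): a small Python translator that turns the poster's `engine dynamic -pre ...` command line into an openssl.cnf section sending the same ctrl commands in the same order. It assumes `engine_id = dynamic` selects the built-in dynamic ENGINE and uses the config convention that the value `EMPTY` sends a command with no argument; the function names are hypothetical.

```python
import shlex

# The command line from the original post (paths are the poster's own).
POSTED_CLI = (
    "engine dynamic "
    "-pre SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so "
    "-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD "
    "-pre MODULE_PATH:opensc-pkcs11.so"
)


def parse_pre_commands(cli):
    """Return (engine_id, [(ctrl_name, value_or_None), ...]) in command-line order."""
    tokens = shlex.split(cli)
    if tokens and tokens[0] == "openssl":
        tokens = tokens[1:]
    if not tokens or tokens[0] != "engine":
        raise ValueError("expected an 'engine ...' command")
    engine_id, ctrls, i = None, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-pre":
            if i + 1 >= len(tokens):
                raise ValueError("-pre needs NAME or NAME:VALUE")
            # Only the first ':' separates the ctrl name from its value.
            name, sep, value = tokens[i + 1].partition(":")
            if not name.replace("_", "").isalnum() or "\n" in value:
                raise ValueError("refusing odd ctrl command: %r" % tokens[i + 1])
            ctrls.append((name, value if sep else None))
            i += 2
        elif tok == "-post":
            raise ValueError("only -pre commands are translated here")
        elif tok.startswith("-"):
            i += 1  # display flags such as -t or -c have no config equivalent
        elif engine_id is None:
            engine_id, i = tok, i + 1
        else:
            raise ValueError("one engine per config section")
    if engine_id is None:
        raise ValueError("no engine id on the command line")
    return engine_id, ctrls


def to_openssl_cnf(cli, label="pkcs11", section="pkcs11_section"):
    """Render the section layout used in the thread, with ctrls instead of dynamic_path."""
    engine_id, ctrls = parse_pre_commands(cli)
    lines = [
        "openssl_conf = openssl_def",
        "",
        "[ openssl_def ]",
        "engines = engine_section",
        "",
        "[ engine_section ]",
        "%s = %s" % (label, section),
        "",
        "[ %s ]" % section,
        "engine_id = %s" % engine_id,  # engine_id has to be the first entry
    ]
    for name, value in ctrls:
        # A ctrl with no argument (LOAD) is written with the value EMPTY.
        lines.append("%s = %s" % (name, "EMPTY" if value is None else value))
    lines.append("init = 0")  # kept from the poster's original section
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_openssl_cnf(POSTED_CLI), end="")
```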


Re: Multi Threaded questions

2010-04-16 Thread Sad Clouds
Please note, I don't know the insides of OpenSSL, but I do a lot of
multithreaded programming on Unix, so the following are not authoritative
answers, just my own opinions:

> 1)  According to the FAQ, "an SSL connection may not concurrently be 
> used by multiple threads". Does this mean that an SSL connection can
> be used by different threads provided access is limited to one at a
> time?
> 
I assume that having a mutex for each SSL object would prevent it from
being concurrently used by multiple threads. So this should be OK.
However do you really need to use multiple concurrent threads with the
same SSL object? Think of it as a TCP socket, each thread has a list of
open sockets, or SSL objects, there is no need to share it with other
threads.

> 2) We've implemented the required locking and thread_id callbacks and 
> we're getting into a deadlock. OpenSSL is acquiring a lock and not 
> releasing it. Have there been any bug fixes to the static locking
> since 0.9.7d? We've looked at the change log and nothing is jumping
> out at us.
>
You don't say which platform this is, or which threading library is
being used. My guess is, this is more likely to be a problem with your
implementation, rather than an OpenSSL bug.

> 3) Our application opens multiple SSL connections. We call 
> SSL_library_init() only once. However, we're calling  
> CRYPTO_set_locking_callback and CRYPTO_set_id_callback for each 
> connection, but always with the same function pointers. Is this
> correct?
>
I don't think this is correct. The whole point of locking callbacks
is to provide mutual exclusion for critical sections. You need to
initialise static/dynamic threading callbacks before you call
SSL_library_init(). If you're in the middle of using the library and
locking callbacks are not set, this can result in race conditions.

I've attached a fragment from some of my code. It shows how to
initialise static and dynamic locking callbacks on Unix, using
Pthreads API. You can probably adapt it to your platform/programming
language.

#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

#include <openssl/crypto.h>
#include <openssl/ssl.h>

/* Static locks: one mutex per lock index OpenSSL asks for */
static pthread_mutex_t *stlocks;
int stlocks_len;

/* Dynamic locks: OpenSSL leaves this struct for the application to define */
struct CRYPTO_dynlock_value
{
    pthread_mutex_t mutex;
};


/* Static locking functions */

/* errno is per-thread, so its address serves as a thread id */
static unsigned long id_callback(void)
{
    return (unsigned long)&errno;
}

/* Lock or unlock static lock number n, depending on mode */
static void locking_callback(int mode, int n, const char *file, int line)
{
    if(mode & CRYPTO_LOCK)
        pthread_mutex_lock(&stlocks[n]);
    else
        pthread_mutex_unlock(&stlocks[n]);
}

/* Allocate the static locks and register the callbacks once */
static void init_openssl_stlocks(void)
{
    int i;

    stlocks_len = CRYPTO_num_locks();
    if((stlocks = malloc(sizeof(pthread_mutex_t) * stlocks_len)) == NULL)
    {
        printf("malloc() error\n");
        exit(1);
    }

    for(i = 0; i < stlocks_len; i++)
    {
        pthread_mutex_init(&stlocks[i], NULL);
    }

    CRYPTO_set_id_callback(id_callback);
    CRYPTO_set_locking_callback(locking_callback);
}


/* Dynamic locking functions */

static struct CRYPTO_dynlock_value *dynlock_create_callback(
    const char *file, int line)
{
    struct CRYPTO_dynlock_value *lock;

    if((lock = malloc(sizeof(struct CRYPTO_dynlock_value))) == NULL)
    {
        printf("malloc() error\n");
        exit(1);
    }
    pthread_mutex_init(&lock->mutex, NULL);

    return lock;
}

static void dynlock_destroy_callback(
    struct CRYPTO_dynlock_value *lock, const char *file, int line)
{
    pthread_mutex_destroy(&lock->mutex);
    free(lock);
}

static void dynlock_lock_callback(
    int mode, struct CRYPTO_dynlock_value *lock, const char *file, int line)
{
    if(mode & CRYPTO_LOCK)
        pthread_mutex_lock(&lock->mutex);
    else
        pthread_mutex_unlock(&lock->mutex);
}

static void init_openssl_dynlocks(void)
{
    CRYPTO_set_dynlock_create_callback(dynlock_create_callback);
    CRYPTO_set_dynlock_destroy_callback(dynlock_destroy_callback);
    CRYPTO_set_dynlock_lock_callback(dynlock_lock_callback);
}


int main(void)
{
    /* Register the callbacks before the library is used */
    init_openssl_stlocks();
    init_openssl_dynlocks();

    SSL_library_init();
    SSL_load_error_strings();

    /* ... */
}


Re: unable to load private key

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, digitalderik wrote:

> 
> Hi there
> I've copied and pasted an rsa private key that i need to use with openssl.
> However when i run any commands that use the private key like the command:
> $openssl rsautl -sign -in textfile -inkey privatekey.pem -out result.txt
> i get: unable to load private key
> I've checked the line length of the private key and it is 64 characters. Does
> this mean that it's not a problem with the base64 encoding (The key is in PEM
> format: ASN.1 + DER + base64).
> I'm at my wits' end and can't find anything that helps on google.
> Any help would be great. Thank you for your time
> regards

What is the full error message? What do you get with:

openssl rsa -in key.pem

Does the file look like this:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
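
A way to check a pasted key file for the framing problems asked about above, as an added example that is not part of the thread: it verifies the BEGIN/END lines, the base64 body, and that the decoded bytes are a DER SEQUENCE whose length header matches what was actually pasted. The function names are hypothetical and the sample is constructed filler bytes, not a real key.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def make_pem(der, label="RSA PRIVATE KEY"):
    """Wrap DER bytes as PEM with 64-character lines (used to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label] + body +
                     ["-----END %s-----" % label]) + "\n"


def _der_total_len(der):
    """Total encoded length announced by an outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def diagnose_pem(text):
    """Return (code, detail) findings; an empty list means the framing looks sane."""
    lines = text.lstrip("\ufeff").splitlines()
    while lines and not lines[0].strip():
        lines.pop(0)
    while lines and not lines[-1].strip():
        lines.pop()
    if not lines:
        return [("empty", "no content")]
    if len(lines) == 1 and "BEGIN" in lines[0] and "END" in lines[0]:
        return [("line-breaks-lost", "BEGIN and END are on the same line")]
    findings = []
    begin = BEGIN_RE.match(lines[0].rstrip())
    end = END_RE.match(lines[-1].rstrip())
    if not begin:
        findings.append(("begin-line", repr(lines[0])))
    if not end:
        findings.append(("end-line", repr(lines[-1])))
    if begin and end and begin.group(1) != end.group(1):
        findings.append(("label-mismatch", "%s / %s" % (begin.group(1), end.group(1))))
    body = lines[1:-1]
    # Encrypted keys carry RFC 1421 headers (Proc-Type, DEK-Info) and a blank line.
    encrypted = bool(body) and ":" in body[0]
    if encrypted:
        while body and body[0].strip():
            body.pop(0)
        body = body[1:]
    body = [row.strip() for row in body]
    bad = [i + 1 for i, row in enumerate(body) if not B64_LINE_RE.match(row)]
    if bad:
        findings.append(("non-base64", "body line(s) %s" % bad))
        return findings
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError) as exc:
        findings.append(("base64", str(exc)))
        return findings
    if not der:
        findings.append(("empty-body", "nothing between BEGIN and END"))
    elif not encrypted:
        declared = _der_total_len(der)
        if declared is None:
            findings.append(("not-der", "decoded data is not a DER SEQUENCE"))
        elif declared != len(der):
            findings.append(("der-length", "header says %d bytes, got %d"
                             % (declared, len(der))))
    return findings


# Constructed sample: a SEQUENCE header announcing 256 bytes, then filler bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
GOOD_PEM = make_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(diagnose_pem(GOOD_PEM.replace("-----", "-")))
```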


unable to load private key

2010-04-16 Thread digitalderik

Hi there
I've copied and pasted an rsa private key that i need to use with openssl.
However when i run any commands that use the private key like the command:
$openssl rsautl -sign -in textfile -inkey privatekey.pem -out result.txt
i get: unable to load private key
I've checked the line length of the private key and it is 64 characters. Does
this mean that it's not a problem with the base64 encoding (The key is in PEM
format: ASN.1 + DER + base64).
I'm at my wits' end and can't find anything that helps on google.
Any help would be great. Thank you for your time
regards
-- 
View this message in context: 
http://old.nabble.com/unable-to-load-private-key-tp28268474p28268474.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


Re: Openssl.cnf Issue

2010-04-16 Thread Victor Duchovni
On Fri, Apr 16, 2010 at 10:11:20AM +, Kaila, Ashish wrote:

> Hi,
> 
> I just built Openssl 1.0.0 on a Win32 platform, after building when
> I try and run the binary openssl.exe I get a warning message "Cant
> open Config file: /usr/local/ssl/openssl.cnf" , I don't have a sample
> configuration file. What is the impact if I use any sample configuration
> file which I might find on the internet.

The source code includes a usable openssl.cnf file, which you can install
in the right place after compiling OpenSSL to look there, rather than
the default "/usr/local/ssl".

-- 
Viktor.


engine_pkcs11 and openssl.cnf

2010-04-16 Thread Dimitrios Siganos

Hi,

I have used openssl-1.0.0 and engine_pkcs11 for storing an rsa private 
key in a smartcard (feitian epass 3000). I got openssl to access the rsa 
private key and used it to create a self-signed certificate like this:


openssl

OpenSSL> engine dynamic \
> -pre SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so \
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
> -pre MODULE_PATH:opensc-pkcs11.so

(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/home/ds/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine

OpenSSL> req -new -x509 -engine pkcs11 -keyform engine -text \
> -key slot_1-id_6de677f53533e28254d5890e2d7a15a8135883ca \

engine "pkcs11" set.
PKCS#11 token PIN:


So far so good.

Now, I would like this engine to install automatically i.e. without 
having to run the engine command. I tried adding the following to 
openssl.cnf


##
openssl_conf = openssl_def

[ openssl_def ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /home/ds/local/lib/engines/engine_pkcs11.so
MODULE_PATH = opensc-pkcs11.so
init = 0
##

but it doesn't work properly. Here's what I get:
$ openssl engine -t
(dynamic) Dynamic engine loading support
[ unavailable ]
(4758cca) IBM 4758 CCA hardware engine support
[ unavailable ]
(aep) Aep hardware engine support
[ unavailable ]
(atalla) Atalla hardware engine support
[ unavailable ]
(cswift) CryptoSwift hardware engine support
[ unavailable ]
(chil) CHIL hardware engine support
[ unavailable ]
(nuron) Nuron hardware engine support
[ unavailable ]
(sureware) SureWare hardware engine support
[ unavailable ]
(ubsec) UBSEC hardware engine support
[ unavailable ]
(padlock) VIA PadLock (no-RNG, no-ACE)
[ unavailable ]
(gost) Reference implementation of GOST engine
[ available ]
(pkcs11) pkcs11 engine
Auto configuration failed
1116888:error:260B606D:engine routines:DYNAMIC_LOAD:init 
failed:eng_dyn.c:521:
1116888:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine 
configuration error:eng_cnf.c:204:section=pkcs11_section, 
name=dynamic_path, value=/home/ds/local/lib/engines/engine_pkcs11.so
1116888:error:0E07606D:configuration file routines:MODULE_RUN:module 
initialization error:conf_mod.c:235:module=engines, 
value=engine_section, retcode=-1 


Can someone shed some light into this?

Thank you,
Dimitrios Siganos


How To Verify 128 Only Connections

2010-04-16 Thread Jeffrey Roller
I need to be certain that an application I am attempting to secure will only 
accept 128 bit connections.
 
I have a config file called service.xml with the following:
 

 
I do not know the openssl command to test a connection that is a low cipher ... 
or rather, I don't really know how to interpret the output, I guess ... or 
whether the command I'm using is not really testing the server in the proper 
way.
 
Here's the command I'm using:
 
OpenSSL> s_client -no_tls1 -cipher LOW -connect www.whatever.com
OpenSSL> s_client -no_tls1 -cipher HIGH -connect www.whatever.com 
 
 
Any help would be appreciated.
 
Thank you.
 
jeff
--
Jeffrey Roller, IT Specialist
Town of West Hartford, CT
50 S Main St
Info Svcs - Room 409
W Hartford, CT 06107-2485
860.561.7588
jeff.rol...@westhartford.org
41° 45' 30" N
72° 44' 30" W
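
One way to read the result of the two probes above, as an added example that is not part of the original post: restricting s_client to a cipher class means a completed handshake proves the server accepts something in that class, and the key size of the negotiated cipher can be looked up in `openssl ciphers -v` output. The transcripts and cipher list below are constructed and abbreviated, the function names are hypothetical, and 128 bits is treated as a minimum.

```python
import re

# Constructed, abbreviated `openssl ciphers -v` output (not from a real host).
CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Constructed s_client transcripts, trimmed to the lines that matter.
ACCEPTED_LOW = """\
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC-SHA
"""
ACCEPTED_HIGH = ACCEPTED_LOW.replace("DES-CBC-SHA", "AES256-SHA")
REFUSED = """\
CONNECTED(00000003)
error: sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
"""

CIPHER_LINE_RE = re.compile(
    r"^(?:New, .*, Cipher is|[ \t]*Cipher[ \t]*:)[ \t]*(\S+)[ \t]*$", re.M)
ENC_RE = re.compile(r"^Enc=[^()]+(?:\((\d+)\))?$")


def cipher_bits(ciphers_v_output):
    """Map cipher name -> symmetric key bits, taken from the Enc= column."""
    bits = {}
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        enc = [ENC_RE.match(f) for f in fields if f.startswith("Enc=")]
        if fields and enc and enc[0]:
            # Enc=None (no encryption) has no bit count and is recorded as 0.
            bits[fields[0]] = int(enc[0].group(1) or 0)
    return bits


def negotiated_cipher(transcript):
    """Name of the cipher the handshake settled on, or None if it failed."""
    match = CIPHER_LINE_RE.search(transcript)
    if not match or match.group(1) in ("(NONE)", "0000"):
        return None
    return match.group(1)


def audit_probe(offered, transcript, bits_by_name, minimum=128):
    """Classify one `s_client -cipher <offered>` run against a key-size floor."""
    name = negotiated_cipher(transcript)
    if name is None:
        # No cipher agreed: the server refused everything in the offered class.
        return {"offered": offered, "cipher": None, "bits": None, "verdict": "refused"}
    bits = bits_by_name.get(name)
    if bits is None:
        verdict = "unknown-cipher"
    elif bits < minimum:
        verdict = "weak-accepted"
    else:
        verdict = "ok"
    return {"offered": offered, "cipher": name, "bits": bits, "verdict": verdict}


if __name__ == "__main__":
    table = cipher_bits(CIPHERS_V)
    for offered, text in (("LOW", ACCEPTED_LOW), ("LOW", REFUSED), ("HIGH", ACCEPTED_HIGH)):
        print(audit_probe(offered, text, table))
```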
 


Multi Threaded questions

2010-04-16 Thread Chris Troop

Hi,

We're currently using OpenSSL 0.9.7 in a multi threaded CORBA 
application and are experiencing some problems implementing the locking 
and thread_id callbacks.


We're using 0.9.7 because it's required by other components of the 
application.


1)  According to the FAQ, "an SSL connection may not concurrently be 
used by multiple threads". Does this mean that an SSL connection can be 
used by different threads provided access is limited to one at a time?


2) We've implemented the required locking and thread_id callbacks and 
we're getting into a deadlock. OpenSSL is acquiring a lock and not 
releasing it. Have there been any bug fixes to the static locking since 
0.9.7d? We've looked at the change log and nothing is jumping out at us.


3) Our application opens multiple SSL connections. We call 
SSL_library_init() only once. However, we're calling  
CRYPTO_set_locking_callback and CRYPTO_set_id_callback for each 
connection, but always with the same function pointers. Is this correct?


Here's our locking function:

static void locking_function(int mode, int n, const char *file, int line) {

    static util::Mutex sslMutex;
    static std::vector<util::Mutex*> mutexVec;

    int numMutex = CRYPTO_num_locks();

    // Initialize our vector of locks only once
    if(mutexVec.size() == 0) {
        sslMutex.lock();
        for(int i = 0; i < numMutex; i++){
            mutexVec.push_back(new util::Mutex());
        }
        sslMutex.unlock();
    }

    // We're not checking if it's a READ or a WRITE lock/unlock
    if (mode & CRYPTO_LOCK) {
        mutexVec[n]->lock();
    } else {
        mutexVec[n]->unlock();
    }
}

Thanks,
Chris



Re: FIPS 140-2 post 2010

2010-04-16 Thread Steve Marquess

Adam Grossman wrote:

> hello,
>
> from my understanding, the US government can not buy a FIPS 140-2
> compliant product after 2010.  But my employer spoke to someone who said
> they can still purchase a FIPS 140-2 validated product as long as they
> are "transitionally" compliant by only using cryptographic algorithms
> that have sufficient strength and follow the guidelines in:
> http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf
>
> - SHA-1 will not be approved for digital signature generation but will
> be approved for other uses including digital signature verification,
> HMACs, KDFs, RNGs, and the approved integrity technique specified in
> Section 4.6.1 of FIPS 140-2;
>
> Since the FIPS module digest is generated with SHA1, i do not know if
> this will automatically make this issue dead in the water.
>
> Has anyone heard of this or dealt with this, or has made OpenSSL FIPS
> compliant for post-2010 (with the understanding it has not been
> validated for compliance).
>
> if this has been discussed already, i apologize.  i could not find
> anything on this issue, just on whether or not there will be a FIPS
> 140-3 validation in the future for OpenSSL.
>
> thank you very much,
> -=- adam grossman

  


First of all, FIPS 140-3 and SP 800-131 are different things.  Both are 
also currently still in draft form, meaning they are not yet official 
policy.  A finalized SP 800-131 will be out well before FIPS 140-3 is 
finalized and takes effect.


Since SP 800-131 is still in draft form, and also since I hear there has 
been more than a little industry pushback, one has to speculate what's 
ultimately going to happen.  I'll give you my speculation and it's worth 
what you paid for it:  SP 800-131 will tighten the rules for new 
validations (post 2010) but the CMVP is unlikely to revoke all existing 
prior validations (think of the disruption that would cause!), so 
currently validated products will still be available for procurement and 
use for some time after 2010.


Note that SP 800-131 will mean that the current OpenSSL FIPS Object 
Module v1.2 will no longer be suitable as the basis for "private label" 
validations (a common industry practice).  In addition, the new OpenSSL 
1.0.x baseline is incompatible with the v1.2 validated module.  For both 
reasons those vendors who have been leveraging the v1.2 module in their 
products will need a new game plan in the absence of a new SP 800-131 
compatible open source based validation.  As with the earlier 
validations such a new validation will need sponsorship to defray the 
substantial costs (that's a hint, folks).  We're ready and eager to take 
that on but do not have the financial resources.  It's already mid April 
so we're also rapidly running out of time to have a validation completed 
before 2011.


-Steve M.

--
Steve Marquess
Open Source Software institute
marqu...@oss-institute.org



FIPS 140-2 post 2010

2010-04-16 Thread Adam Grossman
hello,

from my understanding, the US government can not buy a FIPS 140-2
compliant product after 2010.  But my employer spoke to someone who said
they can still purchase a FIPS 140-2 validated product as long as they
are "transitionally" compliant by only using cryptographic algorithms
that have sufficient strength and follow the guidelines in:
http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf

- SHA-1 will not be approved for digital signature generation but will
be approved for other uses including digital signature verification,
HMACs, KDFs, RNGs, and the approved integrity technique specified in
Section 4.6.1 of FIPS 140-2;

Since the FIPS module digest is generated with SHA1, i do not know if
this will automatically make this issue dead in the water.

Has anyone heard of this or dealt with this, or has made OpenSSL FIPS
compliant for post-2010 (with the understanding it has not been
validated for compliance).

if this has been discussed already, i apologize.  i could not find
anything on this issue, just on whether or not there will be a FIPS
140-3 validation in the future for OpenSSL.

thank you very much,
-=- adam grossman



[FWD] openssl-0.9.8 make error

2010-04-16 Thread Lutz Jaenicke
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from ??  -

Date: Fri, 16 Apr 2010 15:02:47 +0800
Subject: openssl-0.9.8 make error
From: ?? 
To: openssl-b...@openssl.org

Hello :

   When I make BLFS, and during making openssl I have had a very strange
problem, and I ask for help in irc but got no result.

   My LFS version is 6.3, and I made that strictly following the official
book.

   when I making openssl under regular user as follows:

   ./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

but it has these errors:

 making all in crypto...
make[1]: Entering directory `/sources/openssl-0.9.8g/crypto'
( echo "#ifndef MK1MF_BUILD"; \
 echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
echo '  #define CFLAGS "gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO
-O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM"'; \
 echo '  #define PLATFORM "linux-elf"'; \
echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
 echo '#endif' ) >buildinf.h
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o cryptlib.o cryptlib.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o mem.o mem.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o mem_clr.o mem_clr.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o mem_dbg.o mem_dbg.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o cversion.o cversion.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o ex_data.o ex_data.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o tmdiff.o tmdiff.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o cpt_err.o cpt_err.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o ebcdic.o ebcdic.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3
-fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM   -c -o uid.o uid.c
gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE

Openssl.cnf Issue

2010-04-16 Thread Kaila, Ashish
Hi,

I just built OpenSSL 1.0.0 on a Win32 platform. After building, when I try to 
run the binary openssl.exe, I get a warning message "Cant open Config file: 
/usr/local/ssl/openssl.cnf". I don't have a sample configuration file. What is 
the impact if I use any sample configuration file which I might find on the 
internet?

Thanks & Regards
Ashish
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org


Re: Information wanted on OpenSSL cipher alias HIGH, MEDIUM and LOW.

2010-04-16 Thread Dr. Stephen Henson
On Fri, Apr 16, 2010, Bhat, Jayalakshmi Manjunath wrote:

> Hi Sandeep and Adam Langley,
> 
> Thank you very much. But I did not find where the aliases LOW,MEDIUM and
> HIGH are defined.  I wanted to know where they are defined in OpenSSL?
> 

Don't send this to openssl-dev; it is a users question.

Each ciphersuite definition can include various bits for categories of cipher.
For example, LOW uses SSL_LOW. These are in ssl/s3_lib.c.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Problem building OpenSSL version 1.0.0 using no-tlsext flag

2010-04-16 Thread Kaila, Ashish
 
Hi Steve,

I get that maybe compilation is made problematic to prevent "no-tlsext" from 
being used, but what I think is: why is it problematic only on Win32 and Win64 
systems? Compilation with the "no-tlsext" flag is not problematic on an HPUX 
system; I was able to build it without any issues.

On analysing the build I found out that ssleay.def is created, which has a list 
of all the functions that are to be exported in the ssleay.dll which is getting 
created. The list of functions is obtained by parsing the header files and 
finding the list of prototyped functions. Even though the no-tlsext flag was 
given, in ssl.h the 3 functions under suspicion were getting declared and as a 
result they were showing up in the def file even though they were not getting 
built. After the declaration of these functions was put under the 
OPENSSL_NO_TLSEXT macro check block, when the no-tlsext flag was defined, these 
functions ceased to exist and did not turn up in the .def file, and as a result 
the linker did not throw an error.

Is this an acceptable workaround, even if I am aware of the implications of 
using the "no-tlsext" flag?

Regards
Ashish


Re: Information wanted on OpenSSL cipher alias HIGH, MEDIUM and LOW.

2010-04-16 Thread Adam Langley
On Thu, Apr 15, 2010 at 1:15 AM, Bhat, Jayalakshmi Manjunath wrote:
> I wanted to know, when we use "ALL:!SSLv2:!EXPORT:!LOW:!MEDIUM:!DH" to select
> the ciphers, how does OpenSSL understand which ciphers are available under
> LOW and MEDIUM. Ssleay.txt documents the names LOW, MEDIUM and HIGH as aliases.
> Please can someone provide me more information on this?

For example:

% openssl ciphers -v '-ALL:HIGH'

should give you a list of the HIGH ciphers.



AGL

-- 
Adam Langley a...@imperialviolet.org http://www.imperialviolet.org
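
An added example, not part of either reply in this thread and not OpenSSL's own code: it uses Python's ssl module to ask the locally linked OpenSSL how it expands the HIGH, MEDIUM and LOW aliases and the cipher string from the question. The helper names are chosen here for illustration, and the output depends on how the local OpenSSL was built.

```python
import ssl

PAGE_STRING = "ALL:!SSLv2:!EXPORT:!LOW:!MEDIUM:!DH"  # cipher string quoted in the question


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Raised when nothing matches, e.g. LOW on a build with no such suites.
        return []
    # TLS 1.3 suites are configured separately and ignore this string, so drop them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def names(cipher_string):
    """Set of suite names selected by a cipher string."""
    return {c["name"] for c in expand(cipher_string)}


def strength_range(cipher_string):
    """(min, max) effective key strength in bits, or None if nothing is selected."""
    bits = [c["strength_bits"] for c in expand(cipher_string)]
    return (min(bits), max(bits)) if bits else None


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in ("HIGH", "MEDIUM", "LOW", PAGE_STRING):
        print("%-38s %3d suites, bits %s" % (s, len(names(s)), strength_range(s)))
    # What the '!' exclusions in the page's string remove from ALL on this build.
    print("excluded:", sorted(names("ALL") - names(PAGE_STRING)))
```

Current OpenSSL builds often ship with no LOW or MEDIUM suites compiled in, in which case those rows report zero suites.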


RE: PKCS7 - SubjectKeyIdentifier CHOICE in SignerIdentifier fails?

2010-04-16 Thread Stef Hoeben
Hi,

> If you use the CMS routines instead it should work OK.

Yes, works fine with openssl-1.0.0, thx!

It took me a while to figure it out due to the lack of samples, so 
attached is a basic sample program to parse the contents of an SOD file
(a CMS-based file in the RFID chip on e-passports).

(To compile with VS: cl -I..\inc32 parseSOD.c ..\inc32\openssl\applink.c
..\out32dll\libeay32.lib)

Best regards,
Stef

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On Behalf Of Dr. Stephen Henson
> Sent: Monday 22 March 2010 13:54
> To: openssl-users@openssl.org
> Subject: Re: PKCS7 - SubjectKeyIdentifier CHOICE in SignerIdentifier fails?
> 
> On Mon, Mar 22, 2010, Stef Hoeben wrote:
> 
> > Hello,
> >
> > subjectKeyIdentifier [0] SubjectKeyIdentifier }
> >
> > Could it be that the SubjectKeyIdentifier CHOICE isn't supported here,
> > that the parser expects an IssuerAndSerialNumber only?
> >
> 
> Yes the SKID option is not part of the PKCS#7 standard so it is illegal in a
> PKCS#7 file. If you use the CMS routines instead it should work OK.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


parseSOD.c
Description: parseSOD.c
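
An added illustration of the point discussed in this message; it is not the attached parseSOD.c and not OpenSSL code. It is a simplified DER reader showing why a PKCS#7-style parser rejects a SignerInfo whose identifier is the `[0]` subjectKeyIdentifier alternative while a CMS-style parser accepts it. The sample bytes are constructed with dummy values and the function names are hypothetical.

```python
def der(tag, content):
    """Encode one short-form DER TLV (content shorter than 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("helper only builds short-form lengths")
    return bytes([tag, len(content)]) + content


def read_tlv(buf, off=0):
    """Decode one DER TLV at off; return (tag, value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length


def signer_identifier(signer_info, allow_skid):
    """Return (choice, version, value) for the sid field of a DER SignerInfo.

    allow_skid=False models a PKCS#7 reader (issuerAndSerialNumber only);
    allow_skid=True models a CMS reader (the RFC 5652 CHOICE).
    """
    tag, body, _ = read_tlv(signer_info)
    if tag != 0x30:
        raise ValueError("SignerInfo is not a SEQUENCE")
    tag, version, off = read_tlv(body)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = int.from_bytes(version, "big")
    tag, sid, _ = read_tlv(body, off)
    if tag == 0x30:  # universal SEQUENCE: IssuerAndSerialNumber
        return "issuerAndSerialNumber", version, sid
    if tag == 0x80 and allow_skid:  # [0] IMPLICIT OCTET STRING: SubjectKeyIdentifier
        return "subjectKeyIdentifier", version, sid
    raise ValueError("unexpected SignerIdentifier tag 0x%02x" % tag)


# Constructed samples: only the first two SignerInfo fields, with dummy values.
ISSUER_SIGNER = der(0x30, der(0x02, b"\x01") +
                    der(0x30, der(0x30, b"") + der(0x02, b"\x2a")))
SKID_SIGNER = der(0x30, der(0x02, b"\x03") + der(0x80, bytes.fromhex("deadbeef")))
```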


Using OpenSSL Offline

2010-04-16 Thread Brian Wilkins
Question -

Can OpenSSL be used offline - meaning without an Internet connection to
check if certs are valid with a CA?

Thanks

Brian