Re: Error inspecting PKCS#7 DER
I had to re-compile openssl using the flag enable-cms in order to use the cms command. Why is it disabled by default?

Thanks,
J.

Original Message
Subject: Re: Error inspecting PKCS#7 DER
From: Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org
Date: 04/08/2010 16:30:54

The smime command uses PKCS#7 which doesn't include the SKID option. Use the cms command instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Force Decryption of CLI cms -decrypt using the supplied private key, ignore no matching recipient error because of wrong SubjectKeyIdentifier
On 05-08-2010 01:10, Dr. Stephen Henson wrote:
> On Wed, Aug 04, 2010, Harakiri wrote:
>> --- On Wed, 8/4/10, Dr. Stephen Henson st...@openssl.org wrote:
>>> From: Dr. Stephen Henson st...@openssl.org
>>>> Solution: Disable the recipient check, when i manually assign the private key - just use it to decrypt the message.
>>>
>>> If you don't supply the certificate to the cms or smime command it doesn't attempt to check and it should try the private key against any possible recipients.
>>>
>>> Ah I notice that this is undocumented...
>>
>> ahh... i never knew =) this is great i will try it out later, final question for these kind of messages - does the cms command handle all the messages that could be handled by the smime command?
>>
>> What i don't want is try openssl smime --decrypt first only to see that the recip error is thrown because the SubjectKeyIdentifier is used and retry again with openssl cms --decrypt
>>
>> Basically is the smime command obsolete because cms does everything now?
>
> Yes, the smime command and the PKCS7 code is retained for compatibility. There is only one exception which is the case where a PKCS#7 structure has an inner content type that is not data: this is an incompatibility between the two specifications. They are rarely encountered in practice though.

Note that signatures on downloads and programs for Microsoft products (used to be called Authenticode) consist exactly of PKCS#7 signatures on ASN.1 structures other than Data. The exact ASN.1 structure depends on the file format of the signed file and includes an identifier for that format. This is mainly due to the age of the Authenticode specification, but also protects against tricking someone into creating an Authenticode signature when they think they are signing something completely different (such as an e-mail).
OpenSSL FIPS 1.2 on VS2008 (64 bit)
Hi,

I am trying to compile openssl-fips-1.2 on VS 2008 (64 bit) and getting a linker error

LINK : fatal error LNK1181: cannot open input file 'bufferoverflowu.lib'
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\Bin\amd64\link.EXE' : return code '0x49d'.

Quick searching through the archives led me to a thread where similar error was discussed for 0.9.8l and solution for the same was to replace

    $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);

with

    $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/ and `cl 2>&1` =~ /14\.00\.4[0-9]{4}\./);

in VC-32.pl. This, however, is not a possibility for the FIPS module as it is supposed to be used as-is.

Anyone else faced this issue? Any work-around? Just FYI, I am building under VS 2008 x64 Win64 command shell.

-Vivek
Re: Error inspecting PKCS#7 DER
On Thu, Aug 05, 2010, Giacomo Boccardo wrote:
> I had to re-compile openssl using the flag enable-cms in order to use the cms command. Why is it disabled by default?

It was a new feature in a stable branch of OpenSSL and due to the policy at the time new features were disabled by default. In OpenSSL 1.0.0x it is enabled by default.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: B64 Decode issues (C)
Got some sample data to show which makes the bugger fail?

On Thu, Aug 5, 2010 at 4:58 AM, Marc Phillips rm...@copacetic.net wrote:
> I mean if I try to decode, it stops 15 bytes in. If I read the original file, and print out byte 15, it's a \n. I tried using BIO_FLAGS_BASE64_NO_NL, which then fails on encode. If I use it only on decode it just goes into an infinite loop of some kind.
>
> I'm thinking openssl might not be the most appropriate library for encoding/decoding files, as it functions fine for simple strings, but I'm having no luck with files (the file in question is around 5000 bytes but could easily be 4 times that size).
>
> R. Marc

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
--
web: http://www.hobbelt.com/ http://www.hebbut.net/
mail: g...@hobbelt.com
mobile: +31-6-11 120 978
--
Re: OpenSSL FIPS 1.2 on VS2008 (64 bit)
On 05-08-2010 13:59, Vivek Madani wrote:
> Hi,
>
> I am trying to compile openssl-fips-1.2 on VS 2008 (64 bit) and getting a linker error
>
> LINK : fatal error LNK1181: cannot open input file 'bufferoverflowu.lib'
> NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\Bin\amd64\link.EXE' : return code '0x49d'.
>
> Quick searching through the archives led me to a thread where similar error was discussed for 0.9.8l and solution for the same was to replace
>
>     $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
>
> with
>
>     $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/ and `cl 2>&1` =~ /14\.00\.4[0-9]{4}\./);
>
> in VC-32.pl. This, however, is not a possibility for the FIPS module as it is supposed to be used as-is.
>
> Anyone else faced this issue? Any work-around?

Solution: Use the version 14.00.4 amd64 compiler from the April 2005 x64 Platform SDK, or one of its close successors. Those need and include that library.

The April 2005 x64 Platform SDK is still available from MSDN subscriber downloads as en_ws_2003_sp1_sdk_april_2005.iso . Install it and use the x64 release build command prompt from the SDK, not the one from Visual Studio 2005 or later.

Note: I have not yet read the FIPS documentation, so I don't know if a specific compiler version is required to satisfy the FIPS certification, apart from the practicality of using a compiler compatible with the FIPS certified build scripts.
Re: Simulating Mac keychain CSR with OpenSSL
-Original Message-
From: Dr. Stephen Henson st...@openssl.org
Sent: Jul 28, 2010 8:34 PM
To: openssl-users@openssl.org
Subject: Re: Simulating Mac keychain CSR with OpenSSL

> On Wed, Jul 28, 2010, Wim Lewis wrote:
>> On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote:
>>> It's obviously asking for just a subset of what would typically go into a CSR. I tried generating several different CSR's with OpenSSL, containing various information (and then converting the files to Mac line endings), but the instructions seem to be right. Only the CSR I made on a friend's Mac was accepted. [...] It's also possible that I just missed the right combination, and trying again will make a CSR that works.
>>
>> Well, I haven't tried submitting an OpenSSL-generated CSR to Apple, but the CertificateAssistant-generated CSR looks pretty normal. I have a vague memory that Apple's fussy about the key type; are you using a 2048-bit RSA key? I ran asn1parse on a successfully-submitted-to-Apple CSR and I see this structure:
>>
>> [
>>   version = v1
>>   subject = { emailAddress = IA5STRING, commonName = UTF8STRING, countryName = PRINTABLESTRING }
>>   subjectPKInfo = [ [ rsaEncryption, NULL ], the usual key parameters, e=65537, m ~ 2^2048 ]
>>   attributes = empty sequence
>> ]
>> signed using sha1WithRSAEncryption.
>>
>>> I don't like mysteries, and don't like being locked into one platform.
>>
>> Understandable, though I think that once you're using Apple's notification service for your iPhones, the way you generate your X.509 key is the least of your lockin worries. :)
>
> Try the utf8only option for the mask if it doesn't include UTF8Strings already.

I wanted to follow up on my quest to use OpenSSL for creating certificates that interoperate with Apple's Push Notification Servers. In the end, the process also involved creating a pkcs12 file from the Apple cert and public key, but two simple steps like

    openssl.exe genrsa -out iphone.key 2048
    openssl.exe req -new -key iphone.key -out iphone.csr

created a CSR that Apple would accept.

I haven't tested many variations so far, so am not sure if the 2048-bit key or knowing the contents of the Mac-generated CSR clinched it. But the server is working now, and thanks for all the suggestions. :)

Todd
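A way to compare an OpenSSL-generated CSR with the field layout Wim Lewis read from the accepted request, as an added example that is not part of the original thread: it builds the request with the `utf8only` string mask suggested above and checks the result with `asn1parse`. The subject values, file names and function names are constructed; nothing is submitted anywhere, so the check covers the structure only, and the signature digest is left at the installed OpenSSL's default rather than the sha1WithRSAEncryption seen in the thread.

```sh
#!/bin/sh
# Added example. Subject values, file names and function names are
# constructed for this demonstration.

# Succeeds if the asn1parse line following the named OID has the given type.
type_after_oid() { # usage: type_after_oid <dump> <oid-name> <asn1-type>
    printf '%s\n' "$1" | awk -v oid=":$2" -v want="$3" '
        prev_hit && index($0, want) { found = 1 }
        { prev_hit = ($0 ~ (oid "[ \t\r]*$")) }
        END { exit !found }'
}

csr_layout_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 127; }
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1

        # Subject in the same order as the accepted CSR: e-mail, CN, country.
        cat > csr.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
string_mask = utf8only
[dn]
emailAddress = dev@example.com
CN = Example Developer
C = US
EOF
        openssl genrsa -out iphone.key 2048 2>/dev/null || exit 1
        openssl req -new -key iphone.key -config csr.cnf -out iphone.csr || exit 1

        # The self-signature on the request must verify.
        openssl req -in iphone.csr -noout -verify >/dev/null 2>&1 || exit 1

        dump=$(openssl asn1parse -in iphone.csr) || exit 1
        text=$(openssl req -in iphone.csr -noout -text) || exit 1

        # String types per attribute, as listed in the thread.
        type_after_oid "$dump" emailAddress IA5STRING       || exit 1
        type_after_oid "$dump" commonName   UTF8STRING      || exit 1
        type_after_oid "$dump" countryName  PRINTABLESTRING || exit 1

        # RSA key of 2048 bits and an empty attributes field ([0], length 0).
        printf '%s\n' "$dump" | grep -q ':rsaEncryption'            || exit 1
        printf '%s\n' "$text" | grep -q '(2048 bit)'                || exit 1
        printf '%s\n' "$dump" | grep -q 'l= *0 cons: cont \[ 0 \]'  || exit 1
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

csr_layout_check && echo "CSR layout matches the structure listed in the thread"
```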
Re: B64 Decode issues (C)
Ger Hobbelt g...@hobbelt.com wrote:
> Got some sample data to show which makes the bugger fail?

sqlite3 /tmp/MyTestsqlite.db
SQLite version 3.3.6
Enter .help for instructions
sqlite> CREATE TABLE test (id INTEGER primary key AUTOINCREMENT, test TEXT);
sqlite> .quit

encode:

    bmem = BIO_new(BIO_s_mem());
    b64 = BIO_push(b64, bmem);
    fprintf(stderr, "inbuf = %s, inlen = %d\n", inbuf, inlen);
    BIO_write(b64, inbuf, inlen);
    BIO_flush(b64);
    BIO_get_mem_ptr(b64, &bptr);
    memcpy(outbuf, bptr->data, bptr->length);
    outbuf[bptr->length] = '\0';
    BIO_free_all(b64);

The code above yields the following encoded file:

UAIGFysrAVl0YWJs
ZXNxbGl0ZV9zZXF1ZW5jZXNxbGl0ZV9zZXF1ZW5jZQNDUkVBVEUgVEFCTEUgc3Fs
aXRlX3NlcXVlbmNlKG5hbWUsc2VxKVgBBxcVFQGBE3RhYmxldGVzdHRlc3QCQ1JF
QVRFIFRBQkxFIHRlc3QgKGlkIElOVEVHRVIgcHJpbWFyeSBrZXkgQVVUT0lOQ1JF
TUVOVCwgdGVzdCBURVhUKQ0ABAAA
AAANAAQA

If I do the following I get back the db:

cat /tmp/MyTestsqlite.db.b64 | openssl enc -base64 -d > /tmp/MyTestsqlite.db.unb64
sqlite3 /tmp/MyTestsqlite.db.unb64
SQLite version 3.3.6
Enter .help for instructions
sqlite> .dump
BEGIN
Re: B64 Decode issues (C)
Hi Marc,

If you want to encrypt a database, have you considered SQLCipher (http://www.zetetic.net/code/sqlcipher)? It is free and uses OpenSSL.

Jeff

On Thu, Aug 5, 2010 at 11:19 AM, Marc Phillips rm...@copacetic.net wrote:
> Ger Hobbelt g...@hobbelt.com wrote:
>> Got some sample data to show which makes the bugger fail?
>
> sqlite3 /tmp/MyTestsqlite.db
> SQLite version 3.3.6
> Enter .help for instructions
> sqlite> CREATE TABLE test (id INTEGER primary key AUTOINCREMENT, test TEXT);
> sqlite> .quit
>
> encode:
>
>     bmem = BIO_new(BIO_s_mem());
>     b64 = BIO_push(b64, bmem);
>     fprintf(stderr, "inbuf = %s, inlen = %d\n", inbuf, inlen);
>     BIO_write(b64, inbuf, inlen);
>     BIO_flush(b64);
>     BIO_get_mem_ptr(b64, &bptr);
>     memcpy(outbuf, bptr->data, bptr->length);
>     outbuf[bptr->length] = '\0';
>     BIO_free_all(b64);
>
> The code above yields the following encoded file:
>
> [SNIP]
Re: B64 Decode issues (C)
> If you want to encrypt a database, have you considered SQLCipher (http://www.zetetic.net/code/sqlcipher)? It is free and uses OpenSSL.

I'm not encrypting it (the data is encrypted via the app already anyway), I'm simply b64 encoding it; thanks though, this might be useful for other things.

R. Marc
Error Loading Extension
Hi,

I am trying to add extensions to a cert or a req and when I do I get:

Error Loading extension section section

Is there any way that I can get more details into why it failed?

Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
RE: B64 Decode issues (C)
> From: owner-openssl-us...@openssl.org On Behalf Of Marc Phillips
> Sent: Thursday, 05 August, 2010 11:20

> Ger Hobbelt g...@hobbelt.com wrote:
>> Got some sample data to show which makes the bugger fail?
>
> sqlite3 /tmp/MyTestsqlite.db
> SQLite version 3.3.6
> Enter .help for instructions
> sqlite> CREATE TABLE test (id INTEGER primary key AUTOINCREMENT, test TEXT);
> sqlite> .quit
>
> encode:
> <snipped>
> The code above yields the following encoded file:
> <snipped>

So you're encoding the whole db, not data in it. Linebreaks are good here, because this can be huge.

> If I do the following I get back the db:
>
> cat /tmp/MyTestsqlite.db.b64 | openssl enc -base64 -d > /tmp/MyTestsqlite.db.unb64

(Aside: you don't need cat there. Just redirect 'enc' input.)

> sqlite3 /tmp/MyTestsqlite.db.unb64
> <snipped>
>
> But if I use the code below to decode, It stops at byte 15:
>
> buffer = SQLite format 3, outlen = 15, inlen = 4160
>
> Decode:
>
>     b64 = BIO_new(BIO_f_base64());
>     bmem = BIO_new_mem_buf(inbuf, inlen);
>     bmem = BIO_push(b64, bmem);
>     outlen=BIO_read(bmem,outbuf,inlen);
>     BIO_free_all(bmem);

If I use exactly that code, with obvious declarations added, and inbuf/inlen = the encoded data you posted, I get outlen=3072 and outbuf contains data looking like what commandline produces (and you confirm is correct).

You say 'buffer' = 'SQLite format 3', but there is no 'buffer' in your code. If you meant 'inbuf', that input is clearly not remotely similar to the encoded data you posted.

Also it's suspicious to use inlen as max-read. While it's possible you've allocated your outbuf to be the same size as your encoded input (or greater) it's rather odd to do that. The outbuf size should be the amount of *decoded* data you expect and/or allow, and max-read should be that.
RE: Man in the middle proxy - Not working
> From: owner-openssl-us...@openssl.org On Behalf Of Raj
> Sent: Thursday, 05 August, 2010 01:06

> I will describe my code snippet below
>
> The module for connecting to server
>
>     SOCKET RequestSock;
>     SOCKADDR_IN ClientAddr;
>     RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);

I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix.

>     pHost = gethostbyname(pcTargetURL);
>     memset(&ClientAddr,0,sizeof(ClientAddr));
>     int iAddrLen = sizeof(ClientAddr);
>     ClientAddr.sin_family = AF_INET;
>     memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length);
>     ClientAddr.sin_port = htons(atoi(pcPort));
>     if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN)))
>     {
>         closesocket(RequestSock); // Connection failed
>         return false;
>     }
>     WSAOVERLAPPED SendOverlapped;
>     DWORD dwSendDataLen = 0;
>     WSABUF ClientRequestBuf;
>     WSAEVENT SendEvent[1];
>     ClientRequestBuf.buf = pcData;
>     ClientRequestBuf.len = strlen(pcData);
>     SendEvent[0] = WSACreateEvent();
>     SendOverlapped.hEvent = SendEvent[0];
>     iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag,
>                    &SendOverlapped,NULL); // Sending data to the server

At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent, following whatever Windows rules are applicable.

> FYI
>     pcPort = 443
>     pcTargetURL = L"www.facebook.com";
>     pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n"
Re: Man in the middle proxy - Not working
On 05-08-2010 22:49, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Raj
>> Sent: Thursday, 05 August, 2010 01:06
>
>> I will describe my code snippet below
>>
>> The module for connecting to server
>>
>>     SOCKET RequestSock;
>>     SOCKADDR_IN ClientAddr;
>>     RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);
>
> I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix.

Actually, this is the Win32 level way to do Asynchronous IO (AIO), meaning that the operation will happen immediately or in the background, without the cost of extra threads or buffering. The OS will hold on to your buffer pointer and other arguments and then signal completion by signaling the provided event or (if no event is given), the socket itself. Once signaled, the buffers are yours again and the success/failure, transmitted length etc. are available. The actual transmission logic will usually happen in DMA, interrupt handlers etc.

>>     pHost = gethostbyname(pcTargetURL);
>>     memset(&ClientAddr,0,sizeof(ClientAddr));
>>     int iAddrLen = sizeof(ClientAddr);
>>     ClientAddr.sin_family = AF_INET;
>>     memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length);
>>     ClientAddr.sin_port = htons(atoi(pcPort));
>>     if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN)))
>>     {
>>         closesocket(RequestSock); // Connection failed
>>         return false;
>>     }
>>     WSAOVERLAPPED SendOverlapped;
>>     DWORD dwSendDataLen = 0;
>>     WSABUF ClientRequestBuf;
>>     WSAEVENT SendEvent[1];
>>     ClientRequestBuf.buf = pcData;
>>     ClientRequestBuf.len = strlen(pcData);
>>     SendEvent[0] = WSACreateEvent();
>>     SendOverlapped.hEvent = SendEvent[0];
>>     iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag,
>>                    &SendOverlapped,NULL); // Sending data to the server
>
> At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent, following whatever Windows rules are applicable.

Yep
Cygwin errors when doing cross-compile on openssl-fips-1.2.tar.gz
I went back and uninstalled cygwin, as I inherited the cygwin environment VM from someone else. I added the crosscompile patch successfully, I managed to get the ./config fipscanisterbuild completed successfully, but when I go to do make, I get this series of errors:

gcc -I. -I.. -I../include -D_WINDLL -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march PENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o cryptlib.o cryptlib.c
In file included from cryptlib.c:312:
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:35: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:41: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:52: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:64: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:76: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:85: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:97: error: expected specifier-qualifier-list before `DWORD'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:108: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:109: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:110: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:111: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:112: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:113: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:114: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:115: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:116: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:117: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:118: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:119: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:120: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:121: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:122: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
/usr/lib/gcc/i686-pc-cygwin/4.3.4/../../../../include/w32api/tlhelp32.h:123: error: expected `=', `,', `;', `asm' or `__attribute__' before `WINAPI'
make[1]: *** [cryptlib.o] Error 1
make[1]: Leaving directory `/cygdrive/d/openssl-fips-1.2/crypto'
make: *** [build_crypto] Error 1

I'm using the cross-compile instructions in the user's guide, but there is nothing that talks about this kind of issue. I looked at the differences between tlhelp32 in the cygwin/usr/include/w32api and /cygdrive/d/openssl-fips-1.2/ms directories, and I exchanged the one in the ms directory for the one in the w32api, but I still received the same error as above. Removing it altogether just causes the build to fail at the last gcc command above.

Is there a way to get around this? It doesn't seem to matter using gcc3 or gcc4, I still get the same issue, but only worse using gcc3, see below:

gcc -I. -I.. -I../include -D_WINDLL -DOPENSSL_PIC -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -DO PENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o cryptlib.o cryptlib.c
In file included from cryptlib.c:312:
Re: Man in the middle proxy - Not working
Hi

Can you send me some code snippet which shows how to communicate with webserver and read the content data

Thanks,
Raj
Rajmohan SK

- Original Message -
From: Dave Thompson dthomp...@prinpay.com
To: openssl-users@openssl.org
Sent: Friday, August 06, 2010 2:19 AM
Subject: RE: Man in the middle proxy - Not working

> From: owner-openssl-us...@openssl.org On Behalf Of Raj
> Sent: Thursday, 05 August, 2010 01:06

> I will describe my code snippet below
>
> The module for connecting to server
>
>     SOCKET RequestSock;
>     SOCKADDR_IN ClientAddr;
>     RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED);

I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix.

>     pHost = gethostbyname(pcTargetURL);
>     memset(&ClientAddr,0,sizeof(ClientAddr));
>     int iAddrLen = sizeof(ClientAddr);
>     ClientAddr.sin_family = AF_INET;
>     memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length);
>     ClientAddr.sin_port = htons(atoi(pcPort));
>     if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN)))
>     {
>         closesocket(RequestSock); // Connection failed
>         return false;
>     }
>     WSAOVERLAPPED SendOverlapped;
>     DWORD dwSendDataLen = 0;
>     WSABUF ClientRequestBuf;
>     WSAEVENT SendEvent[1];
>     ClientRequestBuf.buf = pcData;
>     ClientRequestBuf.len = strlen(pcData);
>     SendEvent[0] = WSACreateEvent();
>     SendOverlapped.hEvent = SendEvent[0];
>     iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag,
>                    &SendOverlapped,NULL); // Sending data to the server

At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent, following whatever Windows rules are applicable.

> FYI
>     pcPort = 443
>     pcTargetURL = L"www.facebook.com";
>     pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n"
Re: OpenSSL FIPS 1.2 on VS2008 (64 bit)
> Solution: Use the version 14.00.4 amd64 compiler from the April 2005 x64 Platform SDK, or one of its close successors. Those need and include that library.
>
> The April 2005 x64 Platform SDK is still available from MSDN subscriber downloads as en_ws_2003_sp1_sdk_april_2005.iso . Install it and use the x64 release build command prompt from the SDK, not the one from Visual Studio 2005 or later.

That helps. Was able to successfully build the FIPS module.

> Note: I have not yet read the FIPS documentation, so I don't know if a specific compiler version is required to satisfy the FIPS certification, apart from the practicality of using a compiler compatible with the FIPS certified build scripts.

FIPS documentation does not mention any specific compiler AFAIK. I have not modified the source, just used VS command prompt instead of cygwin - also used the same commands as mentioned in the user guide. Any idea if it violates FIPS guidelines?