Re: Require help to understand a .crt file
Hi

I tried and I am getting the following output:

openssl x509 -inform PEM -in online.crt -noout -text > text.txt
unable to load certificate
844:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

openssl x509 -inform DER -in online.crt -noout -text
unable to load certificate
3756:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
3756:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509

Sorry, it's actually a digital signature and I need to verify it.

Jakob Bohm-7 wrote:
> On 05-10-2010 07:01, colombus wrote:
>> Hi
>>
>> I am new to Cryptography and OpenSSL.
>> I have a file online.crt. The spec says it contains an online certificate which has a public key, a signature field etc.
>> I want to extract these details from the file.
>> I need to know what type of file online.crt is.
>> Is there any OpenSSL command to find or verify it?
>
> openssl x509 -inform DER -in online.crt -noout -text
>
> OR if the CRT file looks like some text with a lot of at the top:
>
> openssl x509 -inform PEM -in online.crt -noout -text

--
View this message in context: http://old.nabble.com/Require-help-to-understand-a-.crt-file-tp29883887p29890133.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
PEM_write_PUBKEY segfault with 1.0.0 on windows
I'm getting a PEM_write_PUBKEY() segfault. This is existing code that works with 0.9.8 with Windows or 1.0.0 with Linux, but fails with 1.0.0 and Windows. What's my latent bug?

Here's a small sample that fails:

    RSA *rsa = RSA_generate_key(512, 65537, NULL, NULL);
    EVP_PKEY *pkey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pkey, rsa);
    FILE *file = fopen("tmp.pem", "wb");
    PEM_write_PUBKEY(file, pkey);

In my actual application, I set rsa->n and rsa->e to bignums that I generate. I think that should be enough to write the public key.
Re: PEM_write_PUBKEY segfault with 1.0.0 on windows
Hi,

Your sample runs perfectly here: compiled using VC++ 2008 against 1.0.0a in Release and Debug modes and ran on a Windows 7 system (hardware DEP enabled).
What compiler are you using? Can you perform a debug build and give us a crash trace?

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 06/10/2010 00:31, Kenneth Goldman wrote:
> I'm getting a PEM_write_PUBKEY() segfault. This is existing code that works with 0.9.8 with Windows or 1.0.0 with Linux, but fails with 1.0.0 and Windows. What's my latent bug?
>
> Here's a small sample that fails:
>
>     RSA *rsa = RSA_generate_key(512, 65537, NULL, NULL);
>     EVP_PKEY *pkey = EVP_PKEY_new();
>     EVP_PKEY_assign_RSA(pkey, rsa);
>     FILE *file = fopen("tmp.pem", "wb");
>     PEM_write_PUBKEY(file, pkey);
>
> In my actual application, I set rsa->n and rsa->e to bignums that I generate. I think that should be enough to write the public key.
FIPS mode - fails to read the RSA key
Hello there

I am trying to use the OpenSSL-fips version 1.2 for our application (Webserver) in VxWorks. I was able to integrate the library, and executing FIPS_mode_set is successful.

After initializing with SSL_library_init, the code tries to read the RSA key from a key.pem file. I notice that it uses the methods

    PEM_read_bio_RSAPrivateKey -> PEM_read_bio_PrivateKey -> PEM_bytes_read_bio -> PEM_do_header

and PEM_do_header always fails once I enable FIPS mode; if not, it successfully decrypts the RSA key.

I googled around and found a link where they faced a similar problem in OpenSSH, in which he changed the digest parameter from EVP_md5() to EVP_sha1() in the method EVP_BytesToKey. I tried the same but it still fails to decrypt the information from the key.

I would really appreciate it if someone could give me a hint about what I might be doing wrong.

Thanks
John
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Hello there
>
> I am trying to use the OpenSSL-fips version 1.2 for our application (Webserver) in VxWorks. I was able to integrate the library, and executing FIPS_mode_set is successful.
>
> After initializing with SSL_library_init, the code tries to read the RSA key from a key.pem file.

Technically you shouldn't use keys created outside FIPS mode in FIPS mode.

In FIPS mode the traditional format is not supported because it used MD5 for key derivation. The more standard PKCS#8 mode using SHA1 for key derivation is used instead.

You can convert keys using the pkcs8 command outside FIPS mode but again technically you aren't supposed to...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Require help to understand a .crt file
On Tue, Oct 05, 2010, colombus wrote:
> Hi
>
> I tried and I am getting the following output:
>
> openssl x509 -inform PEM -in online.crt -noout -text > text.txt
> unable to load certificate
> 844:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
>
> openssl x509 -inform DER -in online.crt -noout -text
> unable to load certificate
> 3756:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1316:
> 3756:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:380:Type=X509
>
> Sorry, it's actually a digital signature and I need to verify it.

Then you should use the smime or cms command instead. Something like...

openssl smime -verify -inform DER -in online.crt -noverify

initially to test it, then with:

openssl smime -verify -inform DER -in online.crt -CAfile ca.pem

with an appropriate CA certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Not able to load CAPI Engine
On Tue, Oct 05, 2010, Harshvir Sidhu wrote:
> Hi All,
>
> I am trying to load the capi engine. Here is the code snippet that I am trying to use.
>
> void InitEngine()
> {
>     ENGINE *e = NULL;
>     int ret = 0;
>     const char *engine_id = "capi";
>
>     ENGINE_load_builtin_engines();
>     ENGINE_register_all_complete();
>     e = ENGINE_by_id(engine_id);
>     if(!e)
>         return;
>     if(!ENGINE_init(e)) {
>         ENGINE_free(e);
>         return;
>     }
>     if(!ENGINE_set_default_RSA(e))
>         abort();
>     ENGINE_set_default_DSA(e);
>     ENGINE_set_default_ciphers(e);
>     ENGINE_finish(e);
>     ENGINE_free(e);
> }
>
> The code is failing at *e = ENGINE_by_id(engine_id);* and after this call *e has NULL* value in it.
>
> Anyone any idea about this?
>
> Thanks.

You need to install the ENGINE DLL in an appropriate place, where depends on how you compiled OpenSSL.

Alternatively compiling with enable-static-engine will include all ENGINEs in libeay32.dll.

If you are using OpenSSL 0.9.8 you also need enable-capi-engine as it is not compiled in by default.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: WPA Certificate failing to parse
Hi Aapo,

Thus wrote Aapo Alasuutari (aapo.alasuut...@tut.fi):
> Basically it seems like SSL doesn't know what format the certificate is. Maybe...? I'm not too informed of OpenSSL's behaviour, but judging on extensive Googling and some similar problems, the solution usually lies in the format of the certificate.

If your certificate is http://www.ca.tut.fi/ca/tut-ca.crt, then this file is in DER format. The file contains the raw ASN.1 encoding of the certificate data.

Try converting the certificate to PEM format

openssl x509 -inform DER -in tut-ca.crt -out tut-ca.pem

and use this file as input to your application.

Best regards,
Martin
RE: FIPS mode - fails to read the RSA key
Thanks Steve,

I used the following commands to create the certificate using the openssl built with FIPS support:

openssl genrsa -des3 -out wv-key.pem 1024
openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365

Do I miss any option to make it FIPS supported?

John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 4:36 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Hello there
>
> I am trying to use the OpenSSL-fips version 1.2 for our application (Webserver) in VxWorks. I was able to integrate the library, and executing FIPS_mode_set is successful.
>
> After initializing with SSL_library_init, the code tries to read the RSA key from a key.pem file.

Technically you shouldn't use keys created outside FIPS mode in FIPS mode.

In FIPS mode the traditional format is not supported because it used MD5 for key derivation. The more standard PKCS#8 mode using SHA1 for key derivation is used instead.

You can convert keys using the pkcs8 command outside FIPS mode but again technically you aren't supposed to...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?

The openssl utility is not in FIPS mode by default. You need to set the environment variable OPENSSL_FIPS to 1 when you call it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Fwd: Fix for linker warning LNK4078 on Windows 64bit
-- Original Message --
From: Gero Peters g...@likemag.org
To: us...@openssl.org
Date: 6 October 2010 at 14:04
Subject: Fix for linker warning LNK4078 on Windows 64bit

Dear OpenSSL users,

just remove the declaration of a DWORD (32bit) or QWORD (64bit) containing the pointer to OPENSSL_cpuid_setup from the assembler sources x86cpuid.asm / x86_64cpuid.asm, respectively. I would recommend to modify perlasm!? Can someone of the core developers do this for all of us?

Then, modify cryptlib.c and add for Visual C/C++ builds:

    #pragma section(".CRT$XCU",read)
    __declspec(allocate(".CRT$XCU")) static void (*__dummy)(void) = OPENSSL_cpuid_setup;

That's it. This fix circumvents the poor COFF section flags setting of nasm for the special section .CRT$XCU.

Cheers,
Gero.
Re: FIPS mode - fails to read the RSA key
On 10/6/2010 5:01 AM, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?
>
> John

You need to define the environment variable 'OPENSSL_FIPS'. Otherwise, the 'openssl' executable will never call FIPS_mode_set(1) as required by the security policy.

DS
RE: FIPS mode - fails to read the RSA key
Thanks again

I do have the env variable OPENSSL_FIPS set to 1, and the key generated is as below:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5

bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
. . . .
hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
-----END RSA PRIVATE KEY-----

But it still fails at the same method, PEM_do_header.

Any hint?

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 6:02 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?

The openssl utility is not in FIPS mode by default. You need to set the environment variable OPENSSL_FIPS to 1 when you call it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Engine Problem
Hi,

I am trying to use engine_pkcs11 from opensc to talk to a smartcard. I am running into a few problems.

My configuration looks like:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines/engine_pkcs11.so
    MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
    init = 0

    [req]
    distinguished_name = req_distinguished_name

    [req_distinguished_name]

Then when I go to use it I get:

openssl smime -decrypt -recip ~/encrypt2.pem -engine pkcs11 -inkey slot_0 -keyform engine -in /tmp/test.encrypt
Error configuring OpenSSL
139711830169240:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134:
139711830169240:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:eng_ctrl.c:316:
139711830169240:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=MODULE_PATH, value=/usr/local/lib/opensc-pkcs11.so
139711830169240:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
unable to load module (null)
Segmentation fault

The segfault occurs here:

Program received signal SIGSEGV, Segmentation fault.
0x76ed450e in PKCS11_CTX_unload (ctx=<value optimized out>) at p11_load.c:100
100     priv->method->C_Finalize(NULL);

Any ideas what is going on? I am using openssl 1.0.0.

Also on a side note, if I use the command:

OPENSSL_CONF=piv.conf openssl

the OPENSSL_CONF variable is ignored and it just uses the default config file. Setting the config file like this on the command line used to work; has something changed?

Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
Re: WPA Certificate failing to parse
Hi

Unfortunately this didn't change anything. Actually I was already using a PEM-format version of the certificate. (Same URL as the certificate you linked, but .cer)

The output is still the same, although now with only the -d option [http://pastebin.com/DPrnguQU]. The SSL error is still the only obvious error I can find in there. Early on there's a lot of stuff with wpa authentication failure, but later on it manages to associate with the Access Point, so that shouldn't be a problem in the end.

So, anyone have any new ideas?

-Aapo Alasuutari

On 06/10/10 14:24, Martin Kaiser wrote:
> Hi Aapo,
>
> Thus wrote Aapo Alasuutari (aapo.alasuut...@tut.fi):
>> Basically it seems like SSL doesn't know what format the certificate is. Maybe...? I'm not too informed of OpenSSL's behaviour, but judging on extensive Googling and some similar problems, the solution usually lies in the format of the certificate.
>
> If your certificate is http://www.ca.tut.fi/ca/tut-ca.crt, then this file is in DER format. The file contains the raw ASN.1 encoding of the certificate data.
>
> Try converting the certificate to PEM format
>
> openssl x509 -inform DER -in tut-ca.crt -out tut-ca.pem
>
> and use this file as input to your application.
>
> Best regards,
> Martin
Re: 64bit BIOs and support in OpenSSL
Are there any plans to change this? Getting streams larger than 4GB is not very unusual these days anymore.

> On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
>> Does BIO support 64 bit IO (large files)? If so would the rest of OpenSSL (such as the ssl itself) support those BIOs? I configured the build with 64bit support and didn't see any noticeable changes. Specifically, I'd like to know if BIO_tell() is able to return a 64bit value?
>
> No, BIO_tell() is a macro:
>
> include/openssl/bio.h:
>     #define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
>
> The (int) cast means that the result is never larger than INT_MAX.
>
> If the library is compiled on a machine with 64-bit longs, then the underlying BIO_ctrl() will return the value from lseek() or ftell() cast to a (long). This does not imply that 64-bit files will not break in some other way.
>
> --
> Viktor.
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks again
>
> I do have the env variable OPENSSL_FIPS set to 1, and the key generated is as below:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> . . . .
> hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But it still fails at the same method, PEM_do_header.

If that happens the version of OpenSSL isn't in FIPS mode. You should get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked.

If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
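Added example, not part of the thread and not OpenSSL code: a small C classifier for the containers discussed in the ".crt file" and "FIPS mode" threads above. It tells raw DER from PEM, and the traditional encrypted key (Proc-Type/DEK-Info headers, MD5-based key derivation) from the PKCS#8 header Steve says to expect. Function names and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum container { C_UNKNOWN, C_DER, C_PEM_TRADITIONAL, C_PEM_TRADITIONAL_ENC,
                 C_PEM_PKCS8, C_PEM_PKCS8_ENC, C_PEM_CERT, C_PEM_OTHER };

/* Constructed samples: header lines as in the thread, placeholder bodies. */
static const char SAMPLE_TRADITIONAL_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8[] =
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    "-----END PRIVATE KEY-----\n";
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x0a };

/* Bounded substring search: the input need not be NUL-terminated. */
static const unsigned char *find_bytes(const unsigned char *buf, size_t len,
                                       const char *needle)
{
    size_t n = strlen(needle), i;
    if (n == 0 || len < n)
        return NULL;
    for (i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return buf + i;
    return NULL;
}

static int label_is(const unsigned char *label, size_t len, const char *want)
{
    return len == strlen(want) && memcmp(label, want, len) == 0;
}

enum container classify_container(const unsigned char *buf, size_t len)
{
    const unsigned char *begin, *label, *end;
    size_t rest, label_len;

    if (buf == NULL || len == 0)
        return C_UNKNOWN;
    begin = find_bytes(buf, len, "-----BEGIN ");
    if (begin == NULL)  /* no PEM armour: DER objects start with SEQUENCE */
        return buf[0] == 0x30 ? C_DER : C_UNKNOWN;

    label = begin + strlen("-----BEGIN ");
    end = find_bytes(label, len - (size_t)(label - buf), "-----");
    if (end == NULL)
        return C_UNKNOWN;
    label_len = (size_t)(end - label);
    rest = len - (size_t)(end - buf);

    if (label_is(label, label_len, "RSA PRIVATE KEY"))
        return find_bytes(end, rest, "Proc-Type: 4,ENCRYPTED")
                   ? C_PEM_TRADITIONAL_ENC : C_PEM_TRADITIONAL;
    if (label_is(label, label_len, "PRIVATE KEY"))
        return C_PEM_PKCS8;
    if (label_is(label, label_len, "ENCRYPTED PRIVATE KEY"))
        return C_PEM_PKCS8_ENC;
    if (label_is(label, label_len, "CERTIFICATE"))
        return C_PEM_CERT;
    return C_PEM_OTHER;
}

/* The traditional encrypted format derives its key with MD5, which is
 * the reason given in the thread for FIPS mode refusing it. */
int uses_md5_key_derivation(enum container kind)
{
    return kind == C_PEM_TRADITIONAL_ENC;
}

int main(void)
{
    enum container a = classify_container(
        (const unsigned char *)SAMPLE_TRADITIONAL_ENC,
        sizeof(SAMPLE_TRADITIONAL_ENC) - 1);
    enum container b = classify_container(
        (const unsigned char *)SAMPLE_PKCS8, sizeof(SAMPLE_PKCS8) - 1);
    enum container c = classify_container(SAMPLE_DER, sizeof(SAMPLE_DER));

    printf("traditional: kind=%d md5_kdf=%d\n", (int)a, uses_md5_key_derivation(a));
    printf("pkcs8:       kind=%d md5_kdf=%d\n", (int)b, uses_md5_key_derivation(b));
    printf("der:         kind=%d\n", (int)c);
    return 0;
}
```
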
Re: Engine Problem
So it looks like this is a problem with openssl = 1.0.0 as it works with 0.9.8k (this was the latest version of 0.9.8 that I tried).

I even tried the fix described here: http://old.nabble.com/engine_pkcs11-and-openssl.cnf-td28268403.html but it did not fix the problem. Nor did the one described here: http://www.opensc-project.org/pipermail/opensc-devel/2010-April/013956.html

On Oct 06, 2010 09:50 AM, Bram Cymet bcy...@cbnco.com wrote:
> Hi,
>
> I am trying to use engine_pkcs11 from opensc to talk to a smartcard. I am running into a few problems.
>
> My configuration looks like:
>
>     openssl_conf = openssl_def
>
>     [openssl_def]
>     engines = engine_section
>
>     [engine_section]
>     pkcs11 = pkcs11_section
>
>     [pkcs11_section]
>     engine_id = pkcs11
>     dynamic_path = /usr/lib/engines/engine_pkcs11.so
>     MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
>     init = 0
>
>     [req]
>     distinguished_name = req_distinguished_name
>
>     [req_distinguished_name]
>
> Then when I go to use it I get:
>
> openssl smime -decrypt -recip ~/encrypt2.pem -engine pkcs11 -inkey slot_0 -keyform engine -in /tmp/test.encrypt
> Error configuring OpenSSL
> 139711830169240:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134:
> 139711830169240:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:eng_ctrl.c:316:
> 139711830169240:error:260BC066:engine routines:INT_ENGINE_CONFIGURE:engine configuration error:eng_cnf.c:204:section=pkcs11_section, name=MODULE_PATH, value=/usr/local/lib/opensc-pkcs11.so
> 139711830169240:error:0E07606D:configuration file routines:MODULE_RUN:module initialization error:conf_mod.c:235:module=engines, value=engine_section, retcode=-1
> unable to load module (null)
> Segmentation fault
>
> The segfault occurs here:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x76ed450e in PKCS11_CTX_unload (ctx=<value optimized out>) at p11_load.c:100
> 100     priv->method->C_Finalize(NULL);
>
> Any ideas what is going on? I am using openssl 1.0.0.
>
> Also on a side note, if I use the command:
>
> OPENSSL_CONF=piv.conf openssl
>
> the OPENSSL_CONF variable is ignored and it just uses the default config file. Setting the config file like this on the command line used to work; has something changed?
>
> Thanks,
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> Cell: 613-608-9752
Re: Fwd: Fix for linker warning LNK4078 on Windows 64bit
Please ignore this clumsy solution, a proper solution was posted previously (it involved adding nasm keywords to get the right flags for read only data).

On 06-10-2010 14:18, Gero Peters wrote:
> -- Original Message --
> From: Gero Peters g...@likemag.org
> To: us...@openssl.org
> Date: 6 October 2010 at 14:04
> Subject: Fix for linker warning LNK4078 on Windows 64bit
>
> Dear OpenSSL users,
>
> just remove the declaration of a DWORD (32bit) or QWORD (64bit) containing the pointer to OPENSSL_cpuid_setup from the assembler sources x86cpuid.asm / x86_64cpuid.asm, respectively. I would recommend to modify perlasm!? Can someone of the core developers do this for all of us?
>
> Then, modify cryptlib.c and add for Visual C/C++ builds:
>
>     #pragma section(".CRT$XCU",read)
>     __declspec(allocate(".CRT$XCU")) static void (*__dummy)(void) = OPENSSL_cpuid_setup;
>
> That's it. This fix circumvents the poor COFF section flags setting of nasm for the special section .CRT$XCU.
>
> Cheers,
> Gero.
Re: 64bit BIOs and support in OpenSSL
Jakob Bohm wrote:
On 04-10-2010 21:10, Victor Duchovni wrote:
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:

Does BIO support 64 bit IO (large files)? If so would the rest of OpenSSL (such as the ssl itself) support those BIOs? I configured the build with 64bit support and didn't see any noticeable changes. Specifically, I'd like to know if BIO_tell() is able to return a 64bit value?

No, BIO_tell() is a macro:

include/openssl/bio.h:
    #define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)

The (int) cast means that the result is never larger than INT_MAX.

And the upstream function call performs bounds clipping?

    long long a = (int)(0x1UL); // 1^33 cast to (int)
    int b = (int)(0x1UL); // 1^33 cast to (int)
    a == 0; // this statement is true now
    a != INT_MAX; // this statement is true now
    b == 0; // this statement is true now
    b != INT_MAX; // this statement is true now

Bounds clipping would be:

    long long a = 0x1UL;
    if(a > INT_MAX) return INT_MAX; else return (int)a;

If the library is compiled on a machine with 64-bit longs, then the underlying BIO_ctrl() will return the value from lseek() or ftell() cast to a (long). This does not imply that 64-bit files will not break in some other way.

That can't be true with the (int) cast you pasted at the top above. Since sizeof(int) can be smaller than sizeof(long). So the above paragraph would be true if you had said ftell() cast to a (int).

I would call this a bug! There is no reason in portable code to assume sizeof(int) == sizeof(long).

And you presume sizeof(long)==8? See Win64 info below.

Isn't off_t or loff_t the type used with lseek/llseek? So if the goal is to preserve as much as possible of the underlying operating system then this should be used throughout the OpenSSL return path as well.

Some operating systems will return an error condition for an overflowed result, when an overflowed result would become truncated if passed back through an older API using 32bit types. On Linux -1/EOVERFLOW.

Having a BIO_tell64() might be useful in those 32bit systems that support a 64bit file system API and large files.

And thinking that 64 bit platforms always have 64 bit ints (or even 64 bit longs) is a wrong assumption too.

A 64bit platform always has a 64bit wide sizeof(void *) and sizeof(long long) if the type is supported.

All other combinations of sizeof(int) and sizeof(long) exist in the world: ILP64, LP64, LLP64. Although 64bit wide sizeof(int) is getting rarer (ILP64).

Linux64 has 32bit sizeof(int), 64bit sizeof(long) (LP64)
Win64 has 32bit sizeof(long) (LLP64), I guess to assist porting from the 32bit world.

The rules that you can trust are:

The ones mandated by the C language. [From memory]

    sizeof(char) == 1 (aka 8 bits)
    sizeof(short) >= sizeof(char)
    sizeof(int) >= sizeof(short)
    sizeof(long) >= sizeof(int)

In practice the only platforms with shorter than 32bit sizeof(int) are less than 32bit CPUs. I'm not even sure if OpenSSL tries to support smaller than 32bit CPUs out of the box; you really have to try hard to find one in the embedded world since 32bit is so cheap now.

long long (GNU and some others)

Many others these days.

int64_t (some OS and compiler headers)

This is a good choice if you are looking for a specific bit width cross-platform, but that is not what BIO_tell should use (see off_t and loff_t above).

Oh, and stdint.h is not available with all compilers!

Isn't this an ANSI requirement? Ah well, poor compiler users, what standards do they conform to then?

Darryl
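Added example, not part of the thread and not OpenSSL code: a C model of what the `(int)` cast in the quoted BIO_tell() macro does to a file offset past 4GB, next to the bounds clipping and the -1/EOVERFLOW behaviour mentioned in the message above. It assumes a 32-bit int, as on the LP64 and LLP64 platforms named there; the function names are illustrative.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* What a plain cast to a 32-bit int keeps of a 64-bit offset on
 * two's-complement platforms: the low 32 bits, reinterpreted as signed.
 * Written with unsigned arithmetic so the result is fully defined. */
int32_t truncated_tell(int64_t offset)
{
    uint32_t low = (uint32_t)offset;            /* offset mod 2^32 */
    if (low <= (uint32_t)INT32_MAX)
        return (int32_t)low;
    return (int32_t)(low - 0x80000000u) + INT32_MIN;
}

/* Bounds clipping as sketched in the message: saturate, never wrap. */
int32_t clamped_tell(int64_t offset)
{
    if (offset > INT32_MAX)
        return INT32_MAX;
    if (offset < INT32_MIN)
        return INT32_MIN;
    return (int32_t)offset;
}

/* Error-reporting variant: an offset that does not fit is refused with
 * -1 and errno = EOVERFLOW instead of being returned wrong. */
int32_t checked_tell(int64_t offset)
{
    if (offset < 0 || offset > INT32_MAX) {
        errno = EOVERFLOW;
        return -1;
    }
    return (int32_t)offset;
}

int main(void)
{
    /* Constructed offsets: 1 GiB, 3 GiB, 4 GiB and 4 GiB + 5 bytes. */
    const int64_t offsets[] = {
        1073741824LL, 3221225472LL, 4294967296LL, 4294967301LL
    };
    size_t i;

    for (i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++) {
        long truncated = (long)truncated_tell(offsets[i]);
        long clamped = (long)clamped_tell(offsets[i]);
        long checked;

        errno = 0;
        checked = (long)checked_tell(offsets[i]);
        printf("offset=%lld truncated=%ld clamped=%ld checked=%ld%s\n",
               (long long)offsets[i], truncated, clamped, checked,
               errno == EOVERFLOW ? " (EOVERFLOW)" : "");
    }
    return 0;
}
```

The 4 GiB + 5 row is the dangerous one: the truncated position is a small, valid-looking 5, so a caller has no way to notice the wrap unless the API clips or reports an error.
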