RSA implementation in C using openssl

2011-03-06 Thread pattabi raman
Hi,

I have to implement the RSA algorithm in our solaris10 ( which has openssl
already) using C programming.

Could anyone please forward any doc / sample code / web link? Anything would
be a great help to me.

Thanks,
Pattabi.


Re: RSA implementation in C using openssl

2011-03-06 Thread Jeffrey Walton
On Sun, Mar 6, 2011 at 4:51 AM, pattabi raman rprt...@gmail.com wrote:
> Hi,
>
> I have to implement the RSA algorithm in our solaris10 ( which has openssl
> already) using C programming.
>
> Anyone please forward any doc / sample code / Weblink anything would be a
> great help me.

c = m^e mod n
m = c^d mod n

'Raw RSA' is fairly benign, but you should be careful of issues when
using it in a protocol. For example, see
http://www.mozilla.org/security/announce/2006/mfsa2006-60.html.
(Thanks GB).

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
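
The two formulas in the reply above, worked through as an added example (not part of the original thread and not OpenSSL code). The toy key and the helper names raw_encrypt, raw_decrypt and combine_ciphertexts are constructed for illustration; the block shows why unpadded RSA needs care inside a protocol: it is deterministic and multiplicative.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key (p = 61, q = 53): illustration only, not a usable size. */
#define TOY_N 3233u   /* modulus n = p * q */
#define TOY_E 17u     /* public exponent e */
#define TOY_D 2753u   /* private exponent d, e*d = 1 mod (p-1)(q-1) */

/* Square-and-multiply: returns base^exp mod mod (mod must fit in 32 bits). */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* c = m^e mod n and m = c^d mod n, exactly as written in the reply. */
uint64_t raw_encrypt(uint64_t m) { return modpow(m, TOY_E, TOY_N); }
uint64_t raw_decrypt(uint64_t c) { return modpow(c, TOY_D, TOY_N); }

/* Without padding, E(a) * E(b) mod n equals E(a * b mod n). */
uint64_t combine_ciphertexts(uint64_t c1, uint64_t c2)
{
    return (c1 * c2) % TOY_N;
}

int main(void)
{
    uint64_t c = raw_encrypt(65);
    printf("m=65 -> c=%llu -> m=%llu\n",
           (unsigned long long)c, (unsigned long long)raw_decrypt(c));

    /* Same plaintext always gives the same ciphertext (no randomness). */
    printf("deterministic: %d\n", raw_encrypt(65) == c);

    /* Two ciphertexts multiplied together decrypt to the product 7 * 9. */
    uint64_t mixed = combine_ciphertexts(raw_encrypt(7), raw_encrypt(9));
    printf("E(7)*E(9) decrypts to %llu\n",
           (unsigned long long)raw_decrypt(mixed));
    return 0;
}
```

Both properties are what a padding scheme such as OAEP (encryption) or PSS (signatures) removes, which is why RSA is used with padding rather than as a bare exponentiation.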


Re: RSA implementation in C using openssl

2011-03-06 Thread pattabi raman
Hi ,

 I need to implement the entire RSA logic in C program to encrypt the
customer key for one of our application functionality.

I am a bit confused about the RSA API, which gives me trouble such as which
method to call / order of the methods to be executed etc...

Please guide me.

Thanks,
Pattabi/


Re: RSA implementation in C using openssl

2011-03-06 Thread Jeffrey Walton
On Sun, Mar 6, 2011 at 5:23 AM, pattabi raman rprt...@gmail.com wrote:

> Hi ,
>
> I need to implement the entire RSA logic in C program to encrypt the
> customer key for one of our application functionality.
>
> I am bit confused on RSA API, which gives me struggle like Which method to
> call / order of the methods to be executed etc...

EVP_PKEY_keygen, EVP_PKEY_encrypt, EVP_PKEY_decrypt, EVP_PKEY_sign,
and EVP_PKEY_verify.

Since you are doing the product key stuff, you will probably want the
sign/verify gear.

Jeff


Re: BN_mod_mul_montgomery() causing cpu spike

2011-03-06 Thread Steve Marquess
David Schwartz wrote:
> On 3/2/2011 10:23 AM, prakgen wrote:
>
>> I've enabled fips in sshd (OpenSSH 5.5p1)
>
> Why?

He either works in, or develops products for, a DoD or federal
government environment where use of FIPS validated cryptography is mandated.

No one uses FIPS validated cryptography for fun (there is no technical,
functional, or security advantage, in fact FIPS validated crypto is
undesirable from any purely practical perspective).

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com


ssleay_rand_add crash on OS X

2011-03-06 Thread Floris Bos
Hi,

I try to generate a RSA key with a simple one liner like this:

==
RSA *rsakey = RSA_generate_key(1024, RSA_F4, NULL, NULL);
==

Works fine under Linux, but crashes under Mac OS X Snow Leopard (using Openssl 
1.0.0d compiled from source):

==
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x
0x0001000b1a81 in ssleay_rand_add ()
(gdb) bt
#0  0x0001000b1a81 in ssleay_rand_add ()
==

Do I need to call some kind of random number generator initialization routine 
first or is something else wrong?


-- 
Yours sincerely,

Floris Bos


P.S. I tried to search the OpenSSL request tracker to see if this is a known 
issue, but received the following error when trying to perform a search:

System error

error:  Can't call method delete on an undefined value at 
/v/openssl/sw/libexec/rt/WebRT/html/Elements/SetupSessionCookie line 90.
context:
... 
86:  };
87:  undef $cookies{$cookiename};
88:  }
89:  elsif ( !($session{'CurrentUser'} && $session{'CurrentUser'}->id) ) {
90:  eval { tied(%session)->delete; };
91:  tie %session, $session_class, undef,
92:  $backends{$RT::DatabaseType} ? {
93:  Handle => $RT::Handle->dbh,
94:  LockHandle => $RT::Handle->dbh,
... 
code stack:  
/v/openssl/sw/libexec/rt/WebRT/html/Elements/SetupSessionCookie:90
/v/openssl/sw/libexec/rt/WebRT/html/autohandler:73


using Cross-certificates in Browser

2011-03-06 Thread tanim

Hi,

I am facing issue for using cross-certificates. Purpose is to use
cross-certificates so that user of 1  CA doesn't need the self-signed cert
from another CA. I created 2 CAs - Dohatec.com and Flora.com. I have used
OpenSSL to generate cross-certificate of Dohatec.com, signed by Flora.com,
as seen in the pic below --
http://old.nabble.com/file/p31080570/cross-certificate%2Bnot%2Brecognized.png 

when I try to import it in Mozilla Firefox's Authorities tab, it gives error
msg -

http://old.nabble.com/file/p31080570/cross-certificate%2Bissue.png  

Couldn't get anything out of it. Am I missing something fundamental? Or have
I done something wrong in the cross-certification? I used the following
command for the cross-certificate:

openssl ca -config ca.cnf -preserveDN -ss_cert dohatec.pem -out dohatec-cross-cert.pem

please suggest a way around.

 


Re: FIPS compliance question regarding openssl distributions

2011-03-06 Thread Tim Hudson
> In the example of building the openssl FIPS *capable* distribution, it
> seems one should take the distribution from the official
> openssl.org/source website and validate it using PGP.  However,
> FreeBSD ships openssl distribution within its source tree.

You must follow the instructions contained in the Security Policy document with
no deviations. It's that simple.

So the answer to the question of can you start with a different distribution is
a simple 'no' - even if the files are almost identical (or in fact even
identical) you don't get that choice - you must follow the documented procedure.

Tim.


x509 cert contains subject in hexa code

2011-03-06 Thread Dimitri BOUWYN
Hi,

I am using openssl 0.9.8g and certtool (GnuTLS 2.4.2) 2.4.2
I am on Debian/Lenny.

I have generated a priv key for my CA, then a cert for this CA.
Next, I am signing the csr using this command:
/usr/bin/certtool --generate-certificate --load-request ${fqdn}.csr \
    --outfile ${fqdn}.scsr \
    --load-ca-certificate /etc/ssl/cert/$(hostname -f)_CA.pem \
    --load-ca-privkey /etc/ssl/private/$(hostname -f)_CA.key \
    --template ${fqdn}.info
with .info like this (example: www.ppprod.biz.info):
cn = www.ppprod.biz
country = FR
serial = 11
email = dbou...@ppprod.net
tls_www_client
tls_www_server
signing_key
encryption_key

All seems to be ok,
but when I am typing
openssl x509 -text -in www.ppprod.biz.scsr -noout -subject
I see
...
subject= 
/C=\xA8\xAE\x96\xBF\xD44/O=\xA8\xAE\x96\xBF\xD44/OU=\xA8\xAE\x96\xBF\xD44/L=\xA8\xAE\x96\xBF\xD44/ST=\xA8\xAE\x96\xBF\xD44/CN=\xA8\xAE\x96\xBF\xD44/UID=\xA8\xAE\x96\xBF\xD44

And then, when I am using the cert, verify failed. Example, with openvpn:
Sun Mar  6 22:55:17 2011 us=224040 VERIFY OK: depth=1, /C=FR/CN=www.ppprod.net
Sun Mar  6 22:55:17 2011 us=224503 VERIFY ERROR: could not extract
Common Name from X509 subject string
('/C=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/O=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/OU=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/L=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/ST=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/CN=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5/UID=_xC8_x08_xE2_xBF_xD4_xB4U_x05_xB0_x08_xE2_xBF_xD0_xD5')
-- note that the Common Name length is limited to 64 characters
Sun Mar  6 22:55:17 2011 us=224589 TLS_ERROR: BIO read
tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Mar  6 22:55:17 2011 us=224615 TLS Error: TLS object - incoming
plaintext read error
Sun Mar  6 22:55:17 2011 us=224637 TLS Error: TLS handshake failed

How can I set a correct format for subject field ?
Thanks.

Dim


Inserting lib version in .so file

2011-03-06 Thread Gérald

Hi,

  I've got an interrogation on .so file !

I'm compiling the 0.9.8r file of openssl using the config command with 
those  threads shared zlib-dynamic options ... All is going fine :-)


 My question is :

 Why i'm not finding the version in the openssl/lib/libcrypto.so.0.9.8 
when i'm using the command : #objdump -p  openssl/lib/libcrypto.so.0.9.8 ?


My objdump -p result :

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64

Dynamic Section:
  NEEDED   libdl.so.2
  NEEDED   libc.so.6
  SONAME   libcrypto.so.0.9.8
  SYMBOLIC 0x
  INIT 0x00069a68
  FINI 0x0011f428
  HASH 0x01b8
  GNU_HASH 0x56c0
  STRTAB   0x0001f7a8
  SYMTAB   0xba38
  STRSZ0xf4ff
  SYMENT   0x0018
  PLTGOT   0x0036caa0
  PLTRELSZ 0x08e8
  PLTREL   0x0007
  JMPREL   0x00069180
  RELA 0x00030780
  RELASZ   0x00038a00
  RELAENT  0x0018
  VERNEED  0x00030720
  VERNEEDNUM   0x0002
  VERSYM   0x0002eca8
  RELACOUNT0x25b5

Version References:
  required from libdl.so.2:
0x09691a75 0x00 05 GLIBC_2.2.5
  required from libc.so.6:
0x0d696913 0x00 04 GLIBC_2.3
0x0d696917 0x00 03 GLIBC_2.7
0x09691a75 0x00 02 GLIBC_2.2.5

When I execute objdump -p on the libcrypto.so.0.9.8 of my
distribution I have this:

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64

Program Header:
LOAD off0x vaddr 0x paddr 
0x align 2**21

 filesz 0x00174aac memsz 0x00174aac flags r-x
LOAD off0x00175000 vaddr 0x00375000 paddr 
0x00375000 align 2**21

 filesz 0x00027e28 memsz 0x0002b898 flags rw-
 DYNAMIC off0x00180fa8 vaddr 0x00380fa8 paddr 
0x00380fa8 align 2**3

 filesz 0x01e0 memsz 0x01e0 flags rw-
NOTE off0x0190 vaddr 0x0190 paddr 
0x0190 align 2**2

 filesz 0x0024 memsz 0x0024 flags r--
EH_FRAME off0x0015315c vaddr 0x0015315c paddr 
0x0015315c align 2**2

 filesz 0x7304 memsz 0x7304 flags r--
   STACK off0x vaddr 0x paddr 
0x align 2**3

 filesz 0x memsz 0x flags rw-

Dynamic Section:
  NEEDED   libdl.so.2
  NEEDED   libz.so.1
  NEEDED   libc.so.6
  SONAME   libcrypto.so.0.9.8
  INIT 0x00073e38
  FINI 0x00132e48
  HASH 0x01b8
  GNU_HASH 0x5748
  STRTAB   0x0001fbc8
  SYMTAB   0xbb28
  STRSZ0xf6cb
  SYMENT   0x0018
  PLTGOT   0x003819d8
  PLTRELSZ 0xa230
  PLTREL   0x0007
  JMPREL   0x00069c08
  RELA 0x00030de8
  RELASZ   0x00038e20
  RELAENT  0x0018
  VERDEF   0x00030d50
  VERDEFNUM0x0002
  VERNEED  0x00030d88
  VERNEEDNUM   0x0002
  VERSYM   0x0002f294
  RELACOUNT0x225e

Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8

Version References:
  required from libdl.so.2:
0x09691a75 0x00 06 GLIBC_2.2.5
  required from libc.so.6:
0x0d696913 0x00 05 GLIBC_2.3
0x0d696917 0x00 04 GLIBC_2.7
0x09691a75 0x00 03 GLIBC_2.2.5


As you can see, there is a Version definitions section that I don't have:

Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8

How can i tell the configure to add the necessary option to the linker 
for obtaining this Version References Section ???


That's the same for the openssl/lib/libssl.so.0.9.8  :-(

Thanks in advance for your answer,

Gérald.


Re: FIPS compliance question regarding openssl distributions

2011-03-06 Thread William A. Rowe Jr.
On 3/6/2011 3:48 PM, Tim Hudson wrote:
>> In the example of building the openssl FIPS *capable* distribution, it
>> seems one should take the distribution from the official
>> openssl.org/source website and validate it using PGP.  However,
>> FreeBSD ships openssl distribution within its source tree.
>
> You must follow the instructions contained in the Security Policy document
> with no deviations. It's that simple.
>
> So the answer to the question of can you start with a different distribution
> is a simple 'no' - even if the files are almost identical (or in fact even
> identical) you don't get that choice - you must follow the documented
> procedure.

...for building the fipscanister.  Once you have that, that binary artifact
(which you affirm as validated) can be used as the basis for building an
openssl 0.9.8 package in a usual manner.


Compilation Error in application referencing FIPS Object Module using g++

2011-03-06 Thread raghib nasri
Hi,
   I am using FIPS Object Module and encountered an error while
compiling my application using g++.
   “fips_premain.c:71: error: initializer-string for array of chars is
too long”
   I cannot change fips_premain.c since it's part of FIPS validation I
guess.
   Please suggest any solution.