Re: Not able to read public modulus public exponent fields
Hi Christian,

I am getting public modulus as NULL and public exponent a huge number when X509_get_pubkey() and EVP_PKEY_get1_RSA() are used to fetch the public exponent and modulus fields. On printing the same certificate using the OpenSSL command, the public exponent and public modulus values are 65537 and 2048 bit respectively.

The code snippet is as follows:

    modulus_and_exponent(X509 *cert)
    {
        EVP_PKEY *pkey = X509_get_pubkey(cert);
        RSA *rsa_public_key = NULL;

        rsa_public_key = EVP_PKEY_get1_RSA(pkey);
        printf("PublicExponet-%s\n", BN_bn2dec(rsa_public_key->e));
        printf("Public modulus--%s\n", BN_bn2dec(rsa_public_key->n)); /* Code crashes here as rsa_public_key->n is NULL */
    }

Output: PublicModulus cannot be printed as Code crashes here as rsa_public_key->n is NULL

Thanks
Best Regards,
Vinay

Christian Hohnstaedt wrote:
> Hi,
>
> Try:
>
>     EVP_PKEY *pkey = X509_get_pubkey(cert);
>     rsa_public_key = EVP_PKEY_get1_RSA(pkey);
>
> Cheers
> Christian
>
> On Mon, May 23, 2011 at 06:41:34PM +0530, Vinay Kumar wrote:
>> Hi All,
>>
>> I am trying to print *public modulus* and *public exponent* from a *X509 certificate*.
>>
>> The code snippet is as follows:
>>
>>     modulus_and_exponent(X509 *cert)
>>     {
>>         RSA *rsa_public_key = NULL;
>>
>>         if (cert->cert_info->key->pkey) {
>>             rsa_public_key = EVP_PKEY_get1_RSA(cert->cert_info->key->pkey);
>>             printf("Public exponent--%s\n", BN_bn2dec(rsa_public_key->e));
>>             printf("Public modulus--%s\n", BN_bn2dec(rsa_public_key->n));
>>         } else {
>>             printf("PKEY NOT FOUND\n");
>>         }
>>     }
>>
>> Output: *PKEY NOT FOUND*
>>
>> The key structure contains other valid fields but pkey field is NULL when checked through gdb:
>>
>>     (gdb) p *(cert->cert_info)
>>     $1 = {version = 0x8f2ecb8, serialNumber = 0x8f2fa38, signature = 0x8f2fa50, issuer = 0x8f2fa60, validity = 0x8f25fb8, subject = 0x8f25ff8, key = 0x8f26050, issuerUID = 0x0, subjectUID = 0x0, extensions = 0x8f2ef58}
>>     (gdb) p *(cert->cert_info->key)
>>     $2 = {algor = 0x8f26060, public_key = 0x8f26070, pkey = 0x0}
>>     (gdb)
>>
>> The same certificate when printed using OpenSSL command *displays exponent and modulus* as follows:
>>
>>     Certificate:
>>         Data:
>>             Version: 3 (0x2)
>>             Serial Number: 389 (0x185)
>>             Signature Algorithm: sha1WithRSAEncryption
>>             Issuer: C=IN, O=CL, OU=XYZ, CN=PC CA
>>             Validity
>>                 Not Before: Nov 25 12:40:41 2010 GMT
>>                 Not After : Feb 28 12:40:41 2031 GMT
>>             Subject: C=IN, O=Global, OU=XYZ, CN=Global CA
>>             Subject Public Key Info:
>>                 Public Key Algorithm: rsaEncryption
>>                 RSA Public Key: (2048 bit)
>>                     Modulus (2048 bit):
>>                     Exponent: 65537 (0x10001)
>>             X509v3 extensions:
>>                 X509v3 Key Usage: critical
>>                     Certificate Sign, CRL Sign
>>                 X509v3 Subject Key Identifier:
>>                     25:05:14:41:88:7F:0A:54:A4:04:92:05:9F:7B:F5:B1:63:D5:34:13
>>                 X509v3 Authority Key Identifier:
Re: CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
On Tue, Dec 7, 2010 at 01:50, Dr. Stephen Henson st...@openssl.org wrote:
> On Tue, Dec 07, 2010, Maxim Kammerer wrote:
>> The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead.
>
> At present this is a limitation of the API: there is no option to specify an alternative digest. I'll have to see if there is an easy way to fix this without a new API.
>
> It would be relatively easy to use the same digest as the original content instead of using the default public key algorithm digest.

Any news on this issue? openssl cms -sign_receipt still used SHA-1 in my tests for 1.0.0d.

Thanks,
Maxim
(please CC me on replies)

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Trying to figure out what needs to be released and how
I'm trying to parse a certificate for the DNS names of the site it's for. Unfortunately, all the examples I can find don't bother releasing any of the RAM they acquire! So I'm left trying to figure it out myself because I need to parse a few hundred of these a second. In addition, I can't seem to find any API documentation at all that mentions most of these functions.

I've muddled my way through it, but I still have unreleased RAM in the cert itself. I assume something has set a reference count somewhere. Pointers to any good docs, or help with the code itself would be appreciated.

    void ParseCert(const unsigned char *Buffer)
    {
        X509 *Cert = d2i_X509(NULL, &Buffer, 1590);
        if (!Cert) {
            printf("Failed to decode cert\n");
            exit(1);
        }
        STACK_OF(X509_EXTENSION) *Extensions = Cert->cert_info->extensions;
        int Nid = OBJ_sn2nid("subjectAltName");
        X509_EXTENSION *SubjAltName = X509v3_get_ext(Extensions, X509v3_get_ext_by_NID(Extensions, Nid, -1));
        X509V3_EXT_METHOD *Method = X509V3_EXT_get(SubjAltName);
        if (!Method) {
            printf("Failed to get method");
            exit(1);
        }
        const unsigned char *ExtensionData = SubjAltName->value->data;
        ASN1_ITEM *Tmp; // I have no idea what this is
        if (Method->it)
            Tmp = ASN1_item_d2i(NULL, &ExtensionData, SubjAltName->value->length, ASN1_ITEM_ptr(Method->it));
        else
            Tmp = Method->d2i(NULL, &ExtensionData, SubjAltName->value->length);
        STACK_OF(CONF_VALUE) *Values = Method->i2v(Method, Tmp, NULL);
        int i;
        for (i = 0; i < sk_CONF_VALUE_num(Values); i++) {
            CONF_VALUE *Fields;
            Fields = sk_CONF_VALUE_value(Values, i);
            printf("%s: %s\n", Fields->name, Fields->value);
        }
        // Doesn't work
        //sk_CONF_VALUE_pop_free(Values, CONF_VALUE_free);
        if (Method->it)
            ASN1_item_free((ASN1_VALUE *)Tmp, ASN1_ITEM_ptr(Method->it));
        sk_CONF_VALUE_pop_free(Values, X509V3_conf_free);
        // Doesn't appear to be required
        //X509_EXTENSION_free(SubjAltName);
        X509_free(Cert);
    }
Re: Trying to figure out what needs to be released and how
On Mon, May 23, 2011, drachs wrote:
> I'm trying to parse a certificate for the DNS names of the site it's for. Unfortunately, all the examples I can find don't bother releasing any of the ram they acquire! So I'm left trying to figure it out myself because I need to parse a few hundred of these a second. In addition, I can't seem to find any api documentation at all that mentions most of these functions.
>
> I've muddled my way through it, but I still have unreleased ram in the cert itself. I assume something has set a reference count some where. Pointers to any good docs, or help with the code itself would be appreciated.

Once you have the X509 structure for the certificate you call X509_get_ext_d2i() to retrieve and parse the extension you are interested in. In this case subject alt name.

You get back a STACK_OF(GENERAL_NAME) which you can then examine to look for any DNS name entries. There will be sk_GENERAL_NAME_num() entries and you can get each one with sk_GENERAL_NAME_value(). You can use GENERAL_NAME_get0_value() to examine each entry. Once you've finished GENERAL_NAMES_free() will free them up.

There is an example using email address in crypto/x509v3/v3_utl.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Specifications of the .pem container file
Hi everyone ;

This is my first msg on the list

I'd like to know if there are any specifications I can read about the .pem format ? From what I understand it is a container meta-format, like ogg or avi, so how do I know how to read it, what to expect and how to properly write it ? I found nothing about it in the openssl man page, nor on the internets..

And on a related topic : Is there a way to sign a file, and then pack into one self-contained file

- The file
- The public key used to sign the file
- The signature hash of the file

Please excuse and correct any naming mistake that I may have made.

-Phil
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Mon, May 23, 2011, ciphertexto wrote:
> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>> On Sun, May 22, 2011, Bill Durant wrote:
>>> Hello,
>>>
>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>
>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7. But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>
>>> For example:
>>>
>>>     ./config fipscanisterbuild
>>>     make
>>>     make test (fips_shatest and openssl core dump at this step)
>>
>> Does fips_test_suite run OK?
>
> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>
>     $ ./fips_test_suite
>     FIPS-mode test application
>     1. Non-Approved cryptographic operation test...
>
> The CPU is at 100% on fips_test_suite. It does not get past that.
>
> Any ideas?

It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.

If it still doesn't complete try:

    OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a

Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
EVP_VerifyFinal fail use RSA public key, openssl-1.0.0d, win32, vc2008sp1
Hello,

EVP_VerifyFinal fails when I use an RSA public key, can anyone help?

I use the openssl cmd line tool to generate an RSA key pair and store the keys in two pem files. RSA_sign and RSA_verify work fine with the pem files. To support a large buffer, I changed the code to work with EVP_Sign and EVP_Verify, but the flow dies on the EVP_VerifyFinal invoke.

Error info:

    4868:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:.\crypto\rsa\rsa_sign.c:258:

Openssl version is openssl-1.0.0d.

code:

    ///
    BIO *pBio = NULL;
    RSA *rsa = NULL;
    pBio = BIO_new_file("rsa1024-private.pem", "r");
    if (!pBio) { printf("read pem key file error.\n"); exit_1(); }
    if (!PEM_read_bio_RSAPrivateKey(pBio, &rsa, NULL, NULL)) { printf("parse pem private key error. \n"); exit_1(); }

    unsigned char out[200] = {0};
    unsigned int outlen = 200;
    EVP_PKEY *pkey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pkey, rsa);

    int ret;
    EVP_MD_CTX md_ctx;
    EVP_MD_CTX_init(&md_ctx);
    ret = EVP_SignInit_ex(&md_ctx, EVP_sha1(), NULL);
    if (ret != 1) { printf("EVP_SignInit_ex error. \n"); exit_1(); }
    ret = EVP_SignUpdate(&md_ctx, buf, inlen);
    if (ret != 1) { printf("EVP_SignUpdate error. \n"); exit_1(); }
    ret = EVP_SignFinal(&md_ctx, out, &outlen, pkey);
    if (ret != 1) { printf("EVP_SignFinal error. \n"); exit_1(); }

    BIO *pBio2 = BIO_new_file("rsa1024-public.pem", "r");
    if (!pBio2) { printf("read pem public key file error.\n"); exit_1(); }
    RSA *rsa2 = NULL;
    if (!PEM_read_bio_RSA_PUBKEY(pBio2, &rsa2, NULL, NULL)) { printf("parse pem public key error. \n"); exit_1(); }
    EVP_PKEY *pkey2 = EVP_PKEY_new();
    ret = EVP_PKEY_assign_RSA(pkey2, rsa2);

    EVP_MD_CTX v_ctx;
    EVP_VerifyInit(&v_ctx, EVP_sha1());
    if (!EVP_VerifyUpdate(&v_ctx, out, outlen)) { printf("EVP_VerifyUpdate error. \n"); exit_1(); }
    if (EVP_VerifyFinal(&v_ctx, out, outlen, pkey2) != 1) { /* here die */
        printf("verify by public key error. \n");
        exit_1();
    }
RE: Download fips 1.2.3
Well, Kyle

I don't think tar is the problem here. After I had the problem with v1.2.3, I downloaded fips 1.2.2 afterwards and I don't have problem to untar the tar ball.

Ryan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Monday, May 23, 2011 11:56 PM
To: openssl-users@openssl.org
Subject: Re: Download fips 1.2.3

Solaris has a buggy tar. You need to use gnu tar.

-Kyle H

On Mon, May 23, 2011 at 3:11 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Hi, all
>
> Has anyone had problem with openssl-fips-1.2.3.tar.gz? When I tried to “tar xvf” on my Solaris 10 SPARC, the source had error message “unexpected EOF”. I have tried with different proxy servers and direct download from the site but had no luck. I now downloaded v1.2.2 and no problem with the source to configure and make. Thanks.
>
> Ryan Jiang

This message (including any attachments) is intended solely for the specific individual(s) or entity(ies) named above, and may contain legally privileged and confidential information. If you are not the intended recipient, please notify the sender immediately by replying to this message and then delete it. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, by other than the intended recipient, is strictly prohibited.
Re: Specifications of the .pem container file
> I'd like to know if there are any specifications I can read about the .pem format

See: http://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail and the mentioned RFCs. Although Privacy Enhanced Email is not widespread as such, the formatting of messages *is* used (e.g. for PEM files).

You may also be interested in the Public Key Cryptography Standards (PKCS), some of which define formats for bundling together various cryptographic materials: http://en.wikipedia.org/wiki/PKCS

In particular, PKCS#7 and PKCS#12 may be useful for you.

Hope this helps,
TJ

~ Doubt is not a pleasant condition, but certainty is an absurd one. -Voltaire ~
Re: Specifications of the .pem container file
On Tue, May 24, 2011, xaccrocheur wrote:
> Hi everyone ;
>
> This is my first msg on the list
>
> I'd like to know if there are any specifications I can read about the .pem format ? From what I understand it is a container meta-format, like ogg or avi, so how do I know how to read it, what to expect and how to properly write it ? I found nothing about it in the openssl man page, nor on the internets..

The pem manual page gives API details and some information on the encrypted version. There is also some information in the openssl application manual pages: if you grep for BEGIN you'll see those.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS-capable OpenSSL stops working sporadically
On Mon, May 23, 2011, ciphertexto wrote:
> Hello,
>
> Does anyone know how any application can work 100% reliably with a FIPS-capable OpenSSL given the following requirement from page 33 of the OpenSSL UserGuide at http://www.openssl.org/docs/fips/UserGuide.pdf:
>
> ===
> The standard OpenSSL build with the fips option will use a base address for libeay32.dll of 0xFB0 by default. This value was chosen because it is unlikely to conflict with other dynamically loaded libraries. In the event of a clash with another dynamically loaded library which will trigger runtime relocation of libeay32.dll the integrity check will fail with the error
>
>     FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED
>
> A base address conflict can be resolved by shuffling the other DLLs or re compiling OpenSSL with an alternative base address specified with the with baseaddr= option.
>
> Note that the developer can identify which DLLs are relocated with the Process Explorer utility from http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx.
> ===
>
> I am hitting this problem sporadically with my application on various Windows flavors.
>
> The dynamic loader on Windows changes the base address of libeay32.dll whenever it wants to. As a result, my application stops working because FIPS_mode_set() fails.
>
> So I am ending up with an unreliable application.
>
> I have no control over all of the dynamically loaded libraries in a system, so I am unable to shuffle the other DLLs as suggested in the user guide.
>
> And changing the base address at build time is also not guaranteed to work 100% reliably because it could also conflict with some other DLL's base address.
>
> So what to do? Is there some trick/workaround to make this work?

Try specifying the /FIXED and/or /DYNAMICBASE:NO options when you build the DLL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: EVP_VerifyFinal fail use RSA public key, openssl-1.0.0d, win32, vc2008sp1
Sorry, I've made a mistake :(

    if (!EVP_VerifyUpdate(&v_ctx, out, outlen)) {

MUST CHANGE TO =>

    EVP_VerifyUpdate(&v_ctx, inbuf, inbuflen)

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of bs1
Sent: May 24, 2011 22:52
To: openssl-users@openssl.org
Subject: EVP_VerifyFinal fail use RSA public key, openssl-1.0.0d, win32, vc2008sp1

> Hello,
>
> EVP_VerifyFinal fail when use RSA public key, can anyone help?
>
> I use openssl cmd line tool generate a key pair of RSA and store them to two pem files. And RSA_sign and RSA_verify work fine with the pem files. To support large buffer , I change the code to work with EVP_Sign and EVP_Verify, but the flow die on EVP_VerifyFinal invoke.
>
> Error info:
>
>     4868:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:.\crypto\rsa\rsa_sign.c:258:
>
> Openssl version is openssl-1.0.0d.
>
> code:
>
>     ///
>     BIO *pBio = NULL;
>     RSA *rsa = NULL;
>     pBio = BIO_new_file("rsa1024-private.pem", "r");
>     if (!pBio) { printf("read pem key file error.\n"); exit_1(); }
>     if (!PEM_read_bio_RSAPrivateKey(pBio, &rsa, NULL, NULL)) { printf("parse pem private key error. \n"); exit_1(); }
>
>     unsigned char out[200] = {0};
>     unsigned int outlen = 200;
>     EVP_PKEY *pkey = EVP_PKEY_new();
>     EVP_PKEY_assign_RSA(pkey, rsa);
>
>     int ret;
>     EVP_MD_CTX md_ctx;
>     EVP_MD_CTX_init(&md_ctx);
>     ret = EVP_SignInit_ex(&md_ctx, EVP_sha1(), NULL);
>     if (ret != 1) { printf("EVP_SignInit_ex error. \n"); exit_1(); }
>     ret = EVP_SignUpdate(&md_ctx, buf, inlen);
>     if (ret != 1) { printf("EVP_SignUpdate error. \n"); exit_1(); }
>     ret = EVP_SignFinal(&md_ctx, out, &outlen, pkey);
>     if (ret != 1) { printf("EVP_SignFinal error. \n"); exit_1(); }
>
>     BIO *pBio2 = BIO_new_file("rsa1024-public.pem", "r");
>     if (!pBio2) { printf("read pem public key file error.\n"); exit_1(); }
>     RSA *rsa2 = NULL;
>     if (!PEM_read_bio_RSA_PUBKEY(pBio2, &rsa2, NULL, NULL)) { printf("parse pem public key error. \n"); exit_1(); }
>     EVP_PKEY *pkey2 = EVP_PKEY_new();
>     ret = EVP_PKEY_assign_RSA(pkey2, rsa2);
>
>     EVP_MD_CTX v_ctx;
>     EVP_VerifyInit(&v_ctx, EVP_sha1());
>     if (!EVP_VerifyUpdate(&v_ctx, out, outlen)) { printf("EVP_VerifyUpdate error. \n"); exit_1(); }
>     if (EVP_VerifyFinal(&v_ctx, out, outlen, pkey2) != 1) { /* here die */
>         printf("verify by public key error. \n");
>         exit_1();
>     }
[error] Re-negotiation request failed IE, not FF
I have just moved a website from a Fedora 10 server to RedHat 5.5. On the Fedora the openssl version was 0.9.8g. On RedHat it is 0.9.8e-fips-rhel5

Lots of client PCs have the digital certificate installed in IE, and the users of the PCs would like to continue using IE as their other systems rely on it.

On the Fedora machine all the certificates worked and they could access the website. Now the RedHat server is live only some PCs can access the site. The ones that can access the site seem to have simple PC-router-internet connections. The ones that can't seem to be through proxy servers and they get `this page cannot be displayed` when trying to access using IE. I also get [error] Re-negotiation request failed in ssl_error_log.

The certificates were copied from the Fedora server to the RedHat server.

If I install FF on the XP PCs, and load up the certificates, all works fine, but IE still doesn't work.
Re: CMS: message digest algorithm selection is ignored when signing receipts (+ peer-review request)
On Tue, Dec 7, 2010 at 01:50, Dr. Stephen Henson st...@openssl.org wrote:
> On Tue, Dec 07, 2010, Maxim Kammerer wrote:
>> The command-line argument -md to openssl cms -sign_receipt is apparently ignored, and the default digest algorithm (SHA-1 in my tests) is used instead.
>
> At present this is a limitation of the API: there is no option to specify an alternative digest. I'll have to see if there is an easy way to fix this without a new API.
>
> It would be relatively easy to use the same digest as the original content instead of using the default public key algorithm digest.

Any news on this issue? openssl cms -sign_receipt still uses SHA-1 in my tests for 1.0.0d.

Thanks,
Maxim
Re: Download fips 1.2.3
Well, Ryan

I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?

Just try GNU tar. See if it works. That's what's used to create the tarball in the first place, and GNU tar has a known sporadic incompatibility with Solaris tar.

-Kyle H

On Tue, May 24, 2011 at 8:46 AM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
> Well, Kyle
>
> I don't think tar is the problem here. After I had the problem with v1.2.3, I downloaded fips 1.2.2 afterwards and I don't have problem to untar the tar ball.
>
> Ryan
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
> Sent: Monday, May 23, 2011 11:56 PM
> To: openssl-users@openssl.org
> Subject: Re: Download fips 1.2.3
>
> Solaris has a buggy tar. You need to use gnu tar.
>
> -Kyle H
>
> On Mon, May 23, 2011 at 3:11 PM, Ruiyuan Jiang ruiyuan_ji...@liz.com wrote:
>> Hi, all
>>
>> Has anyone had problem with openssl-fips-1.2.3.tar.gz? When I tried to “tar xvf” on my Solaris 10 SPARC, the source had error message “unexpected EOF”. I have tried with different proxy servers and direct download from the site but had no luck. I now downloaded v1.2.2 and no problem with the source to configure and make. Thanks.
>>
>> Ryan Jiang
Re: Download fips 1.2.3
On 05/24/11 12:53 PM, Kyle Hamilton wrote:
> I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?

bug? no, this is not a bug. native posix tar doesn't read gzip files, gzip does. gnu tar munged gzip into tar to create a hybrid.

    gunzip -c filename.tar.gz | tar xvf -

or

    gunzip filename.tar.gz
    tar xvf filename.tar

works just great on Solaris and any other Unix platform.

--
john r pierce                            N 37, W 123
santa cruz ca                         mid-left coast
Re: Specifications of the .pem container file
Xac,

You seem to be looking for a utility which provides access much like tar or cpio. I'm sorry to have to report that this does not exist the way you seem to expect.

If you want something that can automagically do everything that you need to accomplish from the command-line, I recommend GNU Privacy Guard, also called gpg.

To answer the remainder of your questions:

PEM is Privacy-Enhanced Mail. It is a base-64 representation (24 bits expand to 32 bits) of a DER (or BER)-encoded ASN.1 structure of some type. The type that you can expect from decoding the PEM file can usually be found in the =BEGIN line; check out the Wikipedia article on it for pointers to the specifications.

ASN.1 is Abstract Syntax Notation v1, and is defined in ITU X.680, X.681, X.682, and X.683 from the ITU-T, available from http://www.itu.int/. DER and BER are defined in X.690, also from ITU-T. I recommend skipping these specs, and instead get ASN.1: Communication Between Heterogeneous Systems, available from http://www.oss.com/asn1/dubuisson.html .

Most of the time, PEM files contain X.509 Certificates. This is defined in ITU-T X.509; however, you can get by with most things appropriate for the Internet with RFC5280 or its successors (known as PKIX, or Public Key Infrastructure Extensions for the Internet).

There are ways to do what you want; the main and most portable one is CMS, or Cryptographic Message Syntax. You're looking for the arbitrary signed content structure. This is defined in RFC5652 (though if you're looking for something to compile with an ASN.1 compiler, you need to use the updated definitions in RFC5911).

Seriously, I recommend avoiding ITU-T standards as much as possible. They're dense, obscure, and without the key (the map to understanding them) they're pretty much as good as encrypted for anyone trying to understand what they mean.

-Kyle H

On Tue, May 24, 2011 at 3:55 AM, xaccrocheur xaccroch...@gmail.com wrote:
> Hi everyone ;
>
> This is my first msg on the list
>
> I'd like to know if there are any specifications I can read about the .pem format ? From what I understand it is a container meta-format, like ogg or avi, so how do I know how to read it, what to expect and how to properly write it ? I found nothing about it in the openssl man page, nor on the internets..
>
> And on a related topic : Is there a way to sign a file, and then pack into one self-contained file
>
> - The file
> - The public key used to sign the file
> - The signature hash of the file
>
> Please excuse and correct any naming mistake that I may have made.
>
> -Phil
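The PEM layout described in the message above, as an added example that is not part of the original thread and not OpenSSL code: a dependency-free decoder that reads the type label from the BEGIN line, turns each group of four base-64 characters back into three bytes, and checks that the result is exactly one DER element by parsing its outer tag and length. pem_decode(), der_header(), pem_block and SAMPLE_PEM are hypothetical names; the sample is a constructed toy value, not a usable key, and encrypted PEM header lines (Proc-Type, DEK-Info) are not handled.

```c
#include <stdio.h>
#include <string.h>

typedef struct {
    char label[64];           /* text between "-----BEGIN " and "-----" */
    unsigned char der[1024];  /* decoded body */
    size_t der_len;
    unsigned char tag;        /* identifier octet of the outer DER element */
    size_t content_len;       /* length field of the outer DER element */
} pem_block;

/* Constructed sample: SEQUENCE { INTEGER 1, INTEGER 65537 } as DER, base-64. */
static const char SAMPLE_PEM[] =
    "-----BEGIN RSA PUBLIC KEY-----\n"
    "MAgCAQECAwEAAQ==\n"
    "-----END RSA PUBLIC KEY-----\n";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Parse the outer DER tag and definite length; the element must fill the
 * buffer exactly. Returns 0 on success, -1 on malformed input. */
static int der_header(const unsigned char *d, size_t n,
                      unsigned char *tag, size_t *len)
{
    size_t hdr = 2, i, k;

    if (n < 2 || (d[0] & 0x1f) == 0x1f)     /* high-tag-number form unsupported */
        return -1;
    *tag = d[0];
    if (d[1] < 0x80) {
        *len = d[1];                        /* short form */
    } else {
        k = d[1] & 0x7f;                    /* long form: k length octets */
        if (k == 0 || k > sizeof(size_t) || n < 2 + k)
            return -1;                      /* k == 0 is BER indefinite length */
        for (*len = 0, i = 0; i < k; i++)
            *len = (*len << 8) | d[2 + i];
        hdr += k;
    }
    return (*len == n - hdr) ? 0 : -1;
}

/* Decode the first PEM block in text. Returns 0 on success, -1 on error. */
int pem_decode(const char *text, pem_block *out)
{
    static const char BEGIN[] = "-----BEGIN ";
    const char *p = strstr(text, BEGIN), *e, *end;
    char endline[80];
    unsigned acc = 0;
    int bits = 0, padded = 0;

    if (p == NULL)
        return -1;
    p += sizeof BEGIN - 1;
    e = strstr(p, "-----");
    if (e == NULL || (size_t)(e - p) >= sizeof out->label)
        return -1;
    memcpy(out->label, p, (size_t)(e - p));
    out->label[e - p] = '\0';
    p = e + 5;
    snprintf(endline, sizeof endline, "-----END %s-----", out->label);
    end = strstr(p, endline);               /* END label must match BEGIN */
    if (end == NULL)
        return -1;
    out->der_len = 0;
    for (; p < end; p++) {
        int v;
        if (*p == '\n' || *p == '\r' || *p == ' ')
            continue;
        if (*p == '=') { padded = 1; continue; }
        v = b64val((unsigned char)*p);
        if (v < 0 || padded || out->der_len >= sizeof out->der)
            return -1;
        acc = (acc << 6) | (unsigned)v;     /* 4 chars x 6 bits = 3 bytes */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out->der[out->der_len++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return der_header(out->der, out->der_len, &out->tag, &out->content_len);
}

int main(void)
{
    pem_block b;

    if (pem_decode(SAMPLE_PEM, &b) != 0)
        return 1;
    printf("label=%s der_len=%lu tag=0x%02x content_len=%lu\n", b.label,
           (unsigned long)b.der_len, b.tag, (unsigned long)b.content_len);
    return 0;
}
```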
Re: Download fips 1.2.3
John,

The OP said that he gunzipped it in-place before doing tar xvf. It -is- a bug in Solaris tar, and it's known in many different places. One of which is here: http://docs.activestate.com/activetcl/8.5/at.install.html

It appears that there are two separate issues involved. First, Solaris tar doesn't deal with long paths well. Second, Solaris tar expects a slightly different checksum calculation. This is known to occur on the version of tar from Solaris 2.6. I have not heard any statements that it has been fixed in Solaris 10.

Considering that a precompiled GNU tar can be obtained from http://sunfreeware.com/, I fail to comprehend the "Solaris is absolutely bug-free, it must be something else's problem" mindset which prevents this workaround's application.

From the OP's response to Eric Eberhard:

- begin quote

Hi, Eric

That is what I did exactly and failed on tar xvf and I don't have problem with 1.2.2.

Ryan

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eric S. Eberhard
Sent: Monday, May 23, 2011 6:22 PM
To: openssl-users@openssl.org; openssl-users@openssl.org
Subject: Re: Download fips 1.2.3

You need to:

    gunzip openssl-fips-1.2.3.tar.gz

That will create openssl-fips-1.2.3.tar

Then

    tar -xvf openssl-fips-1.2.3.tar

Eric

- end quote

Maybe the entire thread should be read, rather than just picking up keywords.

To boil this down: Solaris tar is known to be bugged by people who have to support GNU tar-created archives on Solaris. Use GNU tar from sunfreeware.com, and it will work.

-Kyle H

On Tue, May 24, 2011 at 1:20 PM, John R Pierce pie...@hogranch.com wrote:
> On 05/24/11 12:53 PM, Kyle Hamilton wrote:
>> I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?
>
> bug? no, this is not a bug. native posix tar doesn't read gzip files, gzip does. gnu tar munged gzip into tar to create a hybrid.
>
>     gunzip -c filename.tar.gz | tar xvf -
>
> or
>
>     gunzip filename.tar.gz
>     tar xvf filename.tar
>
> works just great on Solaris and any other Unix platform.
>
> --
> john r pierce                            N 37, W 123
> santa cruz ca                         mid-left coast
Re: Download fips 1.2.3
winzip will open tar files ...

E

At 01:20 PM 5/24/2011, you wrote:
> On 05/24/11 12:53 PM, Kyle Hamilton wrote:
>> I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?
>
> bug? no, this is not a bug. native posix tar doesn't read gzip files, gzip does. gnu tar munged gzip into tar to create a hybrid.
>
>     gunzip -c filename.tar.gz | tar xvf -
>
> or
>
>     gunzip filename.tar.gz
>     tar xvf filename.tar
>
> works just great on Solaris and any other Unix platform.
>
> --
> john r pierce                            N 37, W 123
> santa cruz ca                         mid-left coast

Eric S. Eberhard
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC
RE: Download fips 1.2.3
> From: John R Pierce
> Sent: Tuesday, May 24, 2011 9:20 PM
>
> On 05/24/11 12:53 PM, Kyle Hamilton wrote:
>> I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?
>
> bug? no, this is not a bug. native posix tar doesn't read gzip files, gzip does. gnu tar munged gzip into tar to create a hybrid.
>
> gunzip -c filename.tar.gz | tar xvf -
>
> or
>
> gunzip filename.tar.gz
> tar xvf filename.tar
>
> works just great on Solaris and any other Unix platform.

... except when it doesn't, such as in the case in question.
RE: Download fips 1.2.3
If you tried to open it in Winzip (which can open tar files and tar.gz files) you can see if it is the Solaris or the file. To have Winzip do the tar.gz rename it to simply .tgz ... You could always transfer it from your PC if you do it this way -- if you are running Samba on the Solaris it is trivial.

Eric

At 02:55 PM 5/24/2011, you wrote:
>> From: John R Pierce
>> Sent: Tuesday, May 24, 2011 9:20 PM
>>
>> On 05/24/11 12:53 PM, Kyle Hamilton wrote:
>>> I don't think that Solaris's tar hits the bug every time. Do you think Oracle (nee Sun) would ship something that failed 100% of the time instead of 0.1% of the time?
>>
>> bug? no, this is not a bug. native posix tar doesn't read gzip files, gzip does. gnu tar munged gzip into tar to create a hybrid.
>>
>> gunzip -c filename.tar.gz | tar xvf -
>>
>> or
>>
>> gunzip filename.tar.gz
>> tar xvf filename.tar
>>
>> works just great on Solaris and any other Unix platform.
>
> ... except when it doesn't, such as in the case in question.

Eric S. Eberhard
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
> On Mon, May 23, 2011, ciphertexto wrote:
>> On May 23, 2011, at 7:20 PM, Dr. Stephen Henson wrote:
>>> On Sun, May 22, 2011, Bill Durant wrote:
>>>> Hello,
>>>>
>>>> Has anyone been able to build a working 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7 (SnowLeopard)?
>>>>
>>>> I have built a 64-bit version of the fipscanister from openssl-fips-1.2.3 on Mac OS X 10.6.7. But fips_shatest and the openssl command are core dumping when I do a 'make test'
>>>>
>>>> For example:
>>>>
>>>> ./config fipscanisterbuild
>>>> make
>>>> make test (fips_shatest and openssl core dump at this step)
>>>
>>> Does fips_test_suite run OK?
>>
>> I ran fips_test_suite and it has been pegged for almost two hours on the following:
>>
>> =
>> $ ./fips_test_suite
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> =
>>
>> The CPU is at 100% on fips_test_suite. It does not get past that.
>>
>> Any ideas?
>
> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>
> If it still doesn't complete try:
>
> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>
> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.

fips_test_suite hangs (stayed there for more than 24 hours).

So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl. I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).

$ apps/openssl version
OpenSSL 0.9.8r-fips 8 Feb 2011

$ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
Segmentation fault (core dumped)

$ otool -c /cores/core.97244 | head -4
/cores/core.97244:
Argument strings on the stack at: 7fff5fc0
/Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl

$ gdb apps/openssl /cores/core.97244
GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
Reading symbols for shared libraries . done
Reading symbols for shared libraries done
#0 0x3f61 in ?? ()
(gdb) bt
#0 0x3f61 in ?? ()
Cannot access memory at address 0x3f61
#1 0x092ff8bb in ?? ()
(gdb) quit

So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

Thanks,

Bill

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: Download fips 1.2.3
On 05/24/11 3:26 PM, Eric S. Eberhard wrote:
> If you tried to open it in Winzip (which can open tar files and tar.gz files) you can see if it is the Solaris or the file. To have Winzip do the tar.gz rename it to simply .tgz ... You could always transfer it from your PC if you do it this way -- if you are running Samba on the Solaris it is trivial.

or with solaris 10,

/usr/sfw/bin/gtar xvzf filename.tar.gz

$ gtar --version
tar (GNU tar) 1.23
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011, ciphertexto wrote:
> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>
>> If it still doesn't complete try:
>>
>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>
>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>
> fips_test_suite hangs (stayed there for more than 24 hours).
>
> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl. I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>
> $ apps/openssl version
> OpenSSL 0.9.8r-fips 8 Feb 2011
>
> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
> Segmentation fault (core dumped)
>
> $ otool -c /cores/core.97244 | head -4
> /cores/core.97244:
> Argument strings on the stack at: 7fff5fc0
> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>
> $ gdb apps/openssl /cores/core.97244
> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type show copying to see the conditions.
> There is absolutely no warranty for GDB. Type show warranty for details.
> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
> Reading symbols for shared libraries . done
> Reading symbols for shared libraries done
> #0 0x3f61 in ?? ()
> (gdb) bt
> #0 0x3f61 in ?? ()
> Cannot access memory at address 0x3f61
> #1 0x092ff8bb in ?? ()
> (gdb) quit
>
> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?

I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug.

Can you try a debug build of fipscanister using 0.9.8r?

NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.

Something like:

./config -d fipscanisterbuild
make

Then try the version command again and see where it crashes and why.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
FIPS: Zeroization function during Power on self tests
Hi,

I am compiling and running the OpenSSL FIPS-compliant version and trying to run the power-on self tests during boot-up time as part of FIPS requirements. I have observed invocation of a zeroization function as well as output displayed as part of this function.

Here are the questions:

a) What is the intent of this zeroization function (it is not related to the zeroization operation of FIPS)?
b) This function is not testing any algorithm; is it satisfying any other requirements?
c) Theoretically, output should not be displayed regarding the buffers during power-on self tests; why are the buffer(s) output during this zeroization operation?

Any comments and relevance for FIPS 140-2. Any comments or inputs regarding this are really appreciated.

File: fips_test_suite.c

Function name:

    /* Zeroization */
    printf("9. Zero-ization...\n");
    Zeroize();

Code:

    /* Zeroize */
    static int Zeroize()
    {
        RSA *key;
        unsigned char userkey[16] = {
            0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf,
            0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68
        };
        int i, n;

        key = RSA_generate_key(1024,65537,NULL,NULL);
        if (!key)
            return 0;
        n = BN_num_bytes(key->d);
        printf(" Generated %d byte RSA private key\n", n);
        printf("\tBN key before overwriting:\n%s\n", BN_bn2hex(key->d));
        /* overwrite the private exponent with random bits */
        BN_rand(key->d,n*8,-1,0);
        printf("\tBN key after overwriting:\n%s\n", BN_bn2hex(key->d));

        printf("\tchar buffer key before overwriting: \n\t\t");
        for(i = 0; i < sizeof(userkey); i++)
            printf("%02x", userkey[i]);
        printf("\n");
        /* overwrite the byte buffer with random data */
        RAND_bytes(userkey, sizeof userkey);
        printf("\tchar buffer key after overwriting: \n\t\t");
        for(i = 0; i < sizeof(userkey); i++)
            printf("%02x", userkey[i]);
        printf("\n");

        return 1;
    }

--
Vidya Sagar
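An added example, not part of the original post and not OpenSSL code: a self-contained zeroization self-test in C that overwrites a key buffer and verifies the result while reporting only pass/fail, never the buffer contents. The helper names secure_zero, all_zero and zeroize_selftest are hypothetical; the 16-byte pattern is the userkey array from the post, and unlike the posted Zeroize(), which overwrites with random data, this sketch writes zeros so the result can be checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: overwrite n bytes at p with zeros. Writing through
 * a volatile pointer keeps the compiler from discarding the stores as
 * dead code when the buffer is never read again. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Hypothetical helper: return 1 if all n bytes are zero. Every byte is
 * OR-ed into one accumulator, so the run time does not depend on where a
 * non-zero byte sits. */
static int all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Self-test: load a known pattern, zeroize it, verify the overwrite.
 * Returns 1 on pass and 0 on failure. Only the verdict leaves this
 * function; the buffer contents are never printed or returned. */
static int zeroize_selftest(void)
{
    /* Same bytes as the userkey array quoted in the post. */
    static const unsigned char pattern[16] = {
        0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf,
        0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68
    };
    unsigned char key[sizeof pattern];

    memcpy(key, pattern, sizeof key);
    /* A pattern that is already zero would make the test prove nothing. */
    if (all_zero(key, sizeof key))
        return 0;
    secure_zero(key, sizeof key);
    return all_zero(key, sizeof key);
}

int main(void)
{
    int ok = zeroize_selftest();
    printf("zeroization self-test: %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```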
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
> On Tue, May 24, 2011, ciphertexto wrote:
>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>
>>> If it still doesn't complete try:
>>>
>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>
>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>
>> fips_test_suite hangs (stayed there for more than 24 hours).
>>
>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl. I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>
>> $ apps/openssl version
>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>
>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>> Segmentation fault (core dumped)
>>
>> $ otool -c /cores/core.97244 | head -4
>> /cores/core.97244:
>> Argument strings on the stack at: 7fff5fc0
>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>
>> $ gdb apps/openssl /cores/core.97244
>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>> Copyright 2004 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type show copying to see the conditions.
>> There is absolutely no warranty for GDB. Type show warranty for details.
>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>> Reading symbols for shared libraries . done
>> Reading symbols for shared libraries done
>> #0 0x3f61 in ?? ()
>> (gdb) bt
>> #0 0x3f61 in ?? ()
>> Cannot access memory at address 0x3f61
>> #1 0x092ff8bb in ?? ()
>> (gdb) quit
>>
>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>
> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug.
>
> Can you try a debug build of fipscanister using 0.9.8r?
>
> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>
> Something like:
>
> ./config -d fipscanisterbuild
> make

Here is what I get with the -d option:

$ ./config -d fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.

And without the -d option, I get the following:

$ ./config fipcanisterbuild
Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)

Notice that it configures for darwin-i386-cc which I believe is incorrect. I am thinking that it should configure for darwin64-x86_64-cc instead.

And my system details are:

$ sw_vers
ProductName:Mac OS X
ProductVersion: 10.6.7
BuildVersion: 10J869

$ sysctl hw | grep 64bit
hw.cpu64bit_capable: 1

$ ioreg -l -p IODeviceTree | grep firmware-abi
| | firmware-abi = EFI64

What to do?

Thanks,

Bill

> Then try the version command again and see where it crashes and why.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On Tue, May 24, 2011, Bill Durant wrote:
> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
>> On Tue, May 24, 2011, ciphertexto wrote:
>>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>>
>>>> If it still doesn't complete try:
>>>>
>>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>>
>>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>>
>>> fips_test_suite hangs (stayed there for more than 24 hours).
>>>
>>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl. I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>>
>>> $ apps/openssl version
>>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>>
>>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>> Segmentation fault (core dumped)
>>>
>>> $ otool -c /cores/core.97244 | head -4
>>> /cores/core.97244:
>>> Argument strings on the stack at: 7fff5fc0
>>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>>
>>> $ gdb apps/openssl /cores/core.97244
>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and you are
>>> welcome to change it and/or distribute copies of it under certain conditions.
>>> Type show copying to see the conditions.
>>> There is absolutely no warranty for GDB. Type show warranty for details.
>>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>>> Reading symbols for shared libraries . done
>>> Reading symbols for shared libraries done
>>> #0 0x3f61 in ?? ()
>>> (gdb) bt
>>> #0 0x3f61 in ?? ()
>>> Cannot access memory at address 0x3f61
>>> #1 0x092ff8bb in ?? ()
>>> (gdb) quit
>>>
>>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>
>> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug.
>>
>> Can you try a debug build of fipscanister using 0.9.8r?
>>
>> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>>
>> Something like:
>>
>> ./config -d fipscanisterbuild
>> make
>
> Here is what I get with the -d option:
>
> $ ./config -d fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.
>
> And without the -d option, I get the following:
>
> $ ./config fipcanisterbuild
> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
> Configuring for darwin-i386-cc
> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>
> Notice that it configures for darwin-i386-cc which I believe is incorrect. I am thinking that it should configure for darwin64-x86_64-cc instead.

Ah that explains it. There is no darwin64-x86_64-cc target for the validated tarball so it isn't supported. It is possible to add new platforms via a change letter but so far no one has been interested in including that one.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Building a 64-bit version of the FIPS-capable OpenSSL on Mac OS X 10.6.7
On May 24, 2011, at 5:42 PM, Dr. Stephen Henson wrote:
> On Tue, May 24, 2011, Bill Durant wrote:
>> On May 24, 2011, at 3:58 PM, Dr. Stephen Henson wrote:
>>> On Tue, May 24, 2011, ciphertexto wrote:
>>>> On May 24, 2011, at 4:18 AM, Dr. Stephen Henson wrote:
>>>>> It can take a long time to execute sometimes as it performs two slow DH parameter generation operations. Retry it a few times.
>>>>>
>>>>> If it still doesn't complete try:
>>>>>
>>>>> OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>>>
>>>>> Note that the utilities in the 1.2.3 build come from an ancient version of OpenSSL 0.9.8 and to get a usable library you must build an FIPS capable OpenSSL using the 1.2.3 fipscanister.o and a recent 0.9.8 version.
>>>>
>>>> fips_test_suite hangs (stayed there for more than 24 hours).
>>>>
>>>> So I tried shlib_wrap.sh as you suggest and I got a core dump from openssl. I am testing with a FIPS-capable OpenSSL using the 1.2.3 fipscanister.o with 0.9.8r (the most recent version).
>>>>
>>>> $ apps/openssl version
>>>> OpenSSL 0.9.8r-fips 8 Feb 2011
>>>>
>>>> $ OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl version -a
>>>> Segmentation fault (core dumped)
>>>>
>>>> $ otool -c /cores/core.97244 | head -4
>>>> /cores/core.97244:
>>>> Argument strings on the stack at: 7fff5fc0
>>>> /Users/foo/svn/mac_crypto_64/Crypto/OSX/build_openssl_fips_capable/openssl-0.9.8r/apps/openssl
>>>>
>>>> $ gdb apps/openssl /cores/core.97244
>>>> GNU gdb 6.3.50-20050815 (Apple version gdb-1515) (Sat Jan 15 08:33:48 UTC 2011)
>>>> Copyright 2004 Free Software Foundation, Inc.
>>>> GDB is free software, covered by the GNU General Public License, and you are
>>>> welcome to change it and/or distribute copies of it under certain conditions.
>>>> Type show copying to see the conditions.
>>>> There is absolutely no warranty for GDB. Type show warranty for details.
>>>> This GDB was configured as x86_64-apple-darwin...Reading symbols for shared libraries done
>>>> Reading symbols for shared libraries . done
>>>> Reading symbols for shared libraries done
>>>> #0 0x3f61 in ?? ()
>>>> (gdb) bt
>>>> #0 0x3f61 in ?? ()
>>>> Cannot access memory at address 0x3f61
>>>> #1 0x092ff8bb in ?? ()
>>>> (gdb) quit
>>>>
>>>> So does it look like the 64-bit version of the FIPS-capable OpenSSL on SnowLeopard is officially broken?
>>>
>>> I don't have access to that platform so can't say for sure: it could conceivably be a compiler bug.
>>>
>>> Can you try a debug build of fipscanister using 0.9.8r?
>>>
>>> NB: to anyone who reads this in future. THIS DOES NOT RESULT IN A VALIDATED LIBRARY IT IS ONLY BEING DONE FOR TESTING PURPOSES!! I have to say that as some messages get cut and pasted into cookbooks as the right way to do things.
>>>
>>> Something like:
>>>
>>> ./config -d fipscanisterbuild
>>> make
>>
>> Here is what I get with the -d option:
>>
>> $ ./config -d fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> This system (debug-darwin-i386-cc) is not supported. See file INSTALL for details.
>>
>> And without the -d option, I get the following:
>>
>> $ ./config fipcanisterbuild
>> Operating system: i386-apple-darwinDarwin Kernel Version 10.7.0: Sat Jan 29 15:17:16 PST 2011; root:xnu-1504.9.37~1/RELEASE_I386
>> Configuring for darwin-i386-cc
>> target already defined - darwin-i386-cc (offending arg: fipcanisterbuild)
>>
>> Notice that it configures for darwin-i386-cc which I believe is incorrect. I am thinking that it should configure for darwin64-x86_64-cc instead.
>
> Ah that explains it. There is no darwin64-x86_64-cc target for the validated tarball so it isn't supported. It is possible to add new platforms via a change letter but so far no one has been interested in including that one.

What is the procedure for a change letter? How do I make the request to add darwin64-x86_64-cc in the validated tarball?

Thanks,

Bill

> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org