openssl 1.0.1 release 20110910 issue
Script started on Fri Sep 9 22:35:59 2011
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ egrep bsdi Configure
"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-bsdi-x86-elf", "gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ make
making all in crypto...
ar r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o mem_clr.o
[ -z "" ] || ar r ../libcrypto.a fipscanister.o
/usr/bin/ranlib ../libcrypto.a || echo Never mind.
making all in crypto/objects...
making all in crypto/md2...
making all in crypto/md4...
making all in crypto/md5...
making all in crypto/sha...
making all in crypto/mdc2...
making all in crypto/hmac...
making all in crypto/ripemd...
making all in crypto/whrlpool...
making all in crypto/des...
making all in crypto/aes...
making all in crypto/rc2...
making all in crypto/rc4...
making all in crypto/rc5...
making all in crypto/idea...
making all in crypto/bf...
making all in crypto/cast...
making all in crypto/camellia...
making all in crypto/seed...
making all in crypto/modes...
making all in crypto/bn...
making all in crypto/ec...
making all in crypto/rsa...
making all in crypto/dsa...
making all in crypto/ecdsa...
making all in crypto/dh...
making all in crypto/ecdh...
making all in crypto/dso...
making all in crypto/engine...
making all in crypto/buffer...
making all in crypto/bio...
making all in crypto/stack...
making all in crypto/lhash...
making all in crypto/rand...
making all in crypto/err...
making all in crypto/evp...
making all in crypto/asn1...
making all in crypto/pem...
making all in crypto/x509...
making all in crypto/x509v3...
making all in crypto/conf...
making all in crypto/txt_db...
making all in crypto/pkcs7...
making all in crypto/pkcs12...
making all in crypto/comp...
making all in crypto/ocsp...
making all in crypto/ui...
making all in crypto/krb5...
making all in crypto/cms...
making all in crypto/pqueue...
making all in crypto/ts...
making all in crypto/jpake...
making all in crypto/srp...
making all in crypto/store...
making all in crypto/cmac...
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then (cd ..; make libcrypto.so.1.0.0); fi
[ -z "" ] || gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -Iinclude -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso fips_premain.c fipscanister.o libcrypto.a -ldl -lm -lc
libcrypto.a: member libcrypto.a(o_names.o) in archive is not an object
*** Error code 1
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ find . -name \*o_name\* -print
./crypto/objects/o_names.c
./crypto/objects/o_names.o
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ x
sh: x: command not found
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ x
sh: x: command not found
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ exit
exit
Script done on Fri Sep 9 22:36:59 2011

--
Member - Liberal International
This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising!
https://www.fullyfollow.me/rootnl2k
Ontario, Nfld, and Manitoba boot the extremists out and vote Liberal!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Creating AES Key for encryption in server side and share the key
I am implementing SSL on the server side to authenticate the client certificate (X.509), and the client will also authenticate the server's certificate (X.509). Once the mutual authentication has completed, the server has to generate an AES key for encryption and decryption. On the server side I am creating a 256-bit AES key for encrypting the plaintext, in C using OpenSSL.

    AES_KEY aeskey;
    RAND_bytes(key32, sizeof(key32));           /* random 32-byte key */
    AES_set_encrypt_key(key32, 32*8, &aeskey);  /* 256-bit key schedule */
    AES_cbc_encrypt(inbuf, outbuf, 16, &aeskey, iv, AES_ENCRYPT);  /* one 16-byte block, CBC mode */

I have to decrypt the same message on the client side. On the client side I am using Java.

1. How can I send this AES key to the Java client? or
2. How can I derive a common AES key on both sides?
3. Can I use Password Based Encryption to derive the common keys for both sides (Java and C)?

Thanks,
Krish
TLS Alert "insufficient security"
Hi there,

I'm trying to connect to an SSL server, but on specific cipher suites, the server sends me an alert "insufficient security" during the handshake. It's the first time I'm seeing that (and I've played with lots of servers)... Does anyone know the exact meaning of that alert? I'm guessing the SSL implementation on the server is a bit exotic, and uses that alert to reject weak cipher suites, but would like to have someone confirm that.

Thanks,
Alban
Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
Thanks for the explanation and pointer for the relevant ASN1 function.

Erwin

--
From: "Jakob Bohm"
Sent: Friday, September 09, 2011 4:22 AM
Subject: Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
Re: out range error compiling fips 1.2.3
On Thu, Sep 08, 2011, Kenneth Goldman wrote:

> I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to
> be the latest. It seems to be well known on openssl-dev, but I don't know
> what to do about it. Any ideas?
>
> gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall
> -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -c -o md5-x86_64.o md5-x86_64.s
> md5-x86_64.s: Assembler messages:
> md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
>
> > uname -a
> Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
> 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
>

If you can get OpenSSL to compile despite that error (e.g. different version of the assembler) it won't matter because that file isn't used in the FIPS module itself. It's just a side effect of the 1.2 build process that it needs to build a complete version of OpenSSL as well as the module.

> ~~
>
> A second question. In researching this error, I saw someone compile with
>
> > ./config fipscanisterbuild
>
> That's not in the INSTALL file. Do I need this?
>

That is for testing purposes for the unvalidated 2.0 module only. The 1.2 module uses ./config fipscanister instead.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: out range error compiling fips 1.2.3
On 9/8/2011 9:35 PM, Kenneth Goldman wrote:

> ...
> A second question. In researching this error, I saw someone compile with
>
> ./config fipscanisterbuild
>
> That's not in the INSTALL file. Do I need this?
>
> --
> Ken Goldman kg...@watson.ibm.com
> 914-784-7646 (863-7646)

Hmm, in previous versions of the FIPS module, there was an official document as part of the FIPS approval which restricted the FIPS certification to use of a specific sequence of build steps, one of which was that command.

Maybe the "INSTALL" file is the standard OpenSSL INSTALL file and not the true FIPS instructions, or maybe that command is only for the old FIPS module for version 0.9.x and not for the new module for version 1.0.x.

Someone else on this list certainly knows which of those two applies.
Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()
On 9/9/2011 5:21 AM, Erwin Himawan wrote:

> Hi All,
>
> I have several questions associated with freeing resources of X509 struct.
>
> snippet of my code:
>
>     X509 *x509Cert = X509_new();
>     if (x509Cert == NULL)
>         printf("Error instantiating X509 object\n");
>     /* do some processing with my x509Cert object */
>     /* Cleaning up resources of x509Cert */
>     if(x509Cert != NULL)
>         X509_free(x509Cert);
>
> My questions are:
> 1. How to check that x509Cert resources have been freed? I notice that X509_free(x509Cert) does not set the x509Cert to NULL, therefore I can not rely on if(x509Cert != NULL) to verify that x509Cert resources have been freed. Is this a bug, or are there other methods for verifying whether x509Cert resources have been freed?

As OpenSSL is a C (not C++ or Pascal) API, unless a function takes an explicit pointer to your x509Cert variable it is not supposed to have the ability to change it. This is one of the nice semantic guarantees of the C language.

As X509_free() returns void, you should simply assume that the call *will* free what it is told to free, to the maximum extent reasonably possible, which is actually the sanest and most programmer friendly way to specify a cleanup function (for the same reason, C++ destructors have no return value either and are barred from using exceptions during stack unwind).

It is good practice to wrap it in a block such as the following:

    {
        X509 *ptmp = x509Cert;
        x509Cert = NULL; // Do this first to reduce risk of race conditions
                         // in your own multithreading
        X509_free(ptmp);
    }

Or in C++ you could declare a macro-assisted smart pointer type similar to the following: (NOT TESTED!)

(For C++ purists: the macros are used to do the name pasting needed to refer to individual per-type global function names and to generate obvious class names such as X509Ptr, all the real work is done by the C++ template).

    #define ASNPTR_TYP(typ) ASNPtr<typ, typ##_new, typ##_free>
    #define DECLARE_ASNPTR(typ) typedef ASNPTR_TYP(typ) typ##Ptr;

    class ASNPTRBase {
    protected:
        void *p;
    public:
        typedef ASNPTRBase Self;
        typedef Self *PSelf;
        typedef void *PTYP;
    protected:
        PTYP Take(void) { PTYP p1 = p; p = 0; return p1; }
        ASNPTRBase(): p(0) {}
        ASNPTRBase(PTYP p1): p(p1) {}
        ASNPTRBase(Self &p1): p(p1.Take()) {}
        ~ASNPTRBase() { }
    public:
        operator bool() const { return !!p; }
        operator PTYP() const { return p; }
    private:
        Self &operator = (PTYP p1); // Not available, do not generate default impl.
        Self &operator = (Self &p1); // Not available, do not generate default impl.
    };

    template <class ASNT, ASNT *(*ASNT_new)(void), void (*ASNT_free)(ASNT *p)>
    class ASNPtr: public ASNPTRBase {
    public:
        typedef ASNPtr<ASNT, ASNT_new, ASNT_free> Self;
        typedef Self *PSelf;
        typedef ASNT *PTYP;
        PTYP Take(void) { return (PTYP)ASNPTRBase::Take(); }
        void Free(void) {
            // Must be in template because of type-specific call
            PTYP p1 = Take();
            if (p1) ASNT_free(p1);
        }
        ASNPtr &Alloc(void) {
            // Must be in template to avoid adding a vptr to the size of ASNPTRBase objects
            Free();
            p = ASNT_new();
            return *this;
        }
        ASNPtr &Set(PTYP p1) {
            // Must be in template to avoid adding a vptr to the size of ASNPTRBase objects
            Free();
            p = p1;
            return *this;
        }
        ASNPtr &Set(ASNPtr &p1) { return Set(p1.Take()); }
        ASNPtr() {}
        ASNPtr(PTYP p1): ASNPTRBase(p1) {}
        ASNPtr(ASNPtr &p1): ASNPTRBase(p1) {}
        ~ASNPtr() { Free(); }
        Self &operator = (PTYP p1) { return Set(p1); }
        Self &operator = (Self &p1) { return Set(p1); }
        operator PTYP() const { return (PTYP)p; }
    private:
        Self &operator = (const Self &p1); // Not available, do not generate default impl.
            // do not generate call to operator=(p1.operator PTYP())
            // for const source objects as that would ruin the
            // rule that only one ASNPTR can own the object at
            // any given time.
    };

    DECLARE_ASNPTR(X509)
    DECLARE_ASNPTR(X509_NAME)
    DECLARE_ASNPTR(X509_CRL)
    // etc.

> 2. Does X509_free() also free all the internal objects that are part of the X509 struct; e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc.
>
> Thanks,
> Erwin

Please look at the source code of the function ASN1_item_free, which does the real work.
out range error compiling fips 1.2.3
I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to be the latest. It seems to be well known on openssl-dev, but I don't know what to do about it. Any ideas?

gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -c -o md5-x86_64.o md5-x86_64.s
md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement

> uname -a
Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

~~

A second question. In researching this error, I saw someone compile with

> ./config fipscanisterbuild

That's not in the INSTALL file. Do I need this?

--
Ken Goldman kg...@watson.ibm.com
914-784-7646 (863-7646)