openssl 1.0.1 release 20110910 issue

2011-09-09 Thread The Doctor

Script started on Fri Sep  9 22:35:59 2011
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ egrep bsdi Configure
"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 
-march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-bsdi-x86-elf",   "gcc:-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer 
-O2 -Wall -g::${BSDthreads}::-ldl -lm -lc:THIRY_TWO_BIT_LONG RC4_CHUNK BN_LLONG 
${x86_gcc_des} 
${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ make
making all in crypto...
ar  r ../libcrypto.a cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o 
ebcdic.o  uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o mem_clr.o
[ -z "" ] || ar  r ../libcrypto.a fipscanister.o
/usr/bin/ranlib ../libcrypto.a || echo Never mind.
making all in crypto/objects...
making all in crypto/md2...
making all in crypto/md4...
making all in crypto/md5...
making all in crypto/sha...
making all in crypto/mdc2...
making all in crypto/hmac...
making all in crypto/ripemd...
making all in crypto/whrlpool...
making all in crypto/des...
making all in crypto/aes...
making all in crypto/rc2...
making all in crypto/rc4...
making all in crypto/rc5...
making all in crypto/idea...
making all in crypto/bf...
making all in crypto/cast...
making all in crypto/camellia...
making all in crypto/seed...
making all in crypto/modes...
making all in crypto/bn...
making all in crypto/ec...
making all in crypto/rsa...
making all in crypto/dsa...
making all in crypto/ecdsa...
making all in crypto/dh...
making all in crypto/ecdh...
making all in crypto/dso...
making all in crypto/engine...
making all in crypto/buffer...
making all in crypto/bio...
making all in crypto/stack...
making all in crypto/lhash...
making all in crypto/rand...
making all in crypto/err...
making all in crypto/evp...
making all in crypto/asn1...
making all in crypto/pem...
making all in crypto/x509...
making all in crypto/x509v3...
making all in crypto/conf...
making all in crypto/txt_db...
making all in crypto/pkcs7...
making all in crypto/pkcs12...
making all in crypto/comp...
making all in crypto/ocsp...
making all in crypto/ui...
making all in crypto/krb5...
making all in crypto/cms...
making all in crypto/pqueue...
making all in crypto/ts...
making all in crypto/jpake...
making all in crypto/srp...
making all in crypto/store...
making all in crypto/cmac...
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then  (cd ..; make 
libcrypto.so.1.0.0);  fi
[ -z "" ] || gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS 
-pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DPERL5 
-DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g 
-DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE 
-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -Iinclude  
-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso   fips_premain.c 
fipscanister.o  libcrypto.a -ldl -lm -lc
libcrypto.a: member libcrypto.a(o_names.o) in archive is not an object
*** Error code 1

Stop.
*** Error code 1

Stop.
*** Error code 1

Stop.
*** Error code 1

Stop.
*** Error code 1

Stop.
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ find . -name \*o_name\* -print
./crypto/objects/o_names.c
./crypto/objects/o_names.o
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ x
sh: x: command not found
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ x
sh: x: command not found
doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110910$ exit
exit

Script done on Fri Sep  9 22:36:59 2011
-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist 
rising! 
https://www.fullyfollow.me/rootnl2k
Ontario, Nfld, and Manitoba boot the extremists out and vote Liberal!
__
OpenSSL Project              http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager       majord...@openssl.org


Creating AES Key for encryption in server side and share the key

2011-09-09 Thread krishnamurthy santhanam
I am implementing SSL on the server side to authenticate the client
certificate (X.509), and the client will also authenticate the server's
certificate (X.509). Once the mutual authentication has completed, the
server has to generate an AES key for encryption and decryption.

On the server side I am creating a 256-bit AES key for encrypting the
plaintext, using C programming with OpenSSL.

    AES_KEY aeskey;
    /* key32 is a 32-byte buffer that receives the random key material */
    RAND_bytes(key32,sizeof(key32));
    AES_set_encrypt_key(key32, 32*8, &aeskey);
    /* encrypts one 16-byte block from inbuf into outbuf */
    AES_cbc_encrypt(inbuf, outbuf, 16, &aeskey, iv, AES_ENCRYPT);

I have to decrypt the same message on the client side. On the client side
I am using Java programming.
1. How can I send this AES key to the Java client? or
2. How can I derive a common AES key on both sides?
3. Can I use Password Based Encryption to derive the common keys for
both sides (Java and C)?

Thanks,
Krish


TLS Alert "insufficient security"

2011-09-09 Thread Alban D.
Hi there,

I'm trying to connect to an SSL server, but on specific cipher suites, the
server sends me an alert "insufficient security" during the handshake.
It's the first time I'm seeing that (and I've played with lots of
servers)...
Does anyone know the exact meaning of that alert? I'm guessing the SSL
implementation on the server is a bit exotic, and uses that alert to reject
weak cipher suites, but would like to have someone confirm that.

Thanks,

Alban


Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()

2011-09-09 Thread Erwin Himawan

Thanks for the explanation and pointer for the relevant ASN1 function.

Erwin

--
From: "Jakob Bohm" 
Sent: Friday, September 09, 2011 4:22 AM
To: 
Subject: Re: How to Check Whether the resources of X509 has been freed when 
it is freed by X509_free()



On 9/9/2011 5:21 AM, Erwin Himawan wrote:

> Hi All,
> I have several questions associated with freeing resources of X509 struct.
> snippet of my code:
>
>     X509 *x509Cert = X509_new();
>     if (x509Cert == NULL) printf("Error instantiating X509 object\n");
>     /* do some processing with my x509Cert object */
>     /* Cleaning up resources of x509Cert */
>     if(x509Cert != NULL) X509_free(x509Cert);
>
> My questions are:
> 1. How to check that x509Cert resources have been freed? I notice that
> X509_free(x509Cert) does not set the x509Cert to NULL, therefore I can not
> rely on if(x509Cert != NULL) to verify that x509Cert resources have been
> freed. Is this a bug, or is there another method for verifying whether
> x509Cert resources have been freed?

As OpenSSL is a C (not C++ or Pascal) API, unless a function takes an
explicit pointer to your x509Cert variable it is not supposed to have the
ability to change it.  This is one of the nice semantic guarantees of the
C language.

As X509_free() returns void, you should simply assume that the call *will*
free what it is told to free, to the maximum extent reasonably possible,
which is actually the sanest and most programmer friendly way to specify a
cleanup function (for the same reason, C++ destructors have no return
value either and are barred from using exceptions during stack unwind).

It is good practice to wrap it in a block such as the following:

    {
        X509 *ptmp = x509Cert;
        x509Cert = NULL; // Do this first to reduce risk of race conditions
                         // in your own multithreading
        X509_free(ptmp);
    }

Or in C++ you could declare a macro-assisted smart pointer type similar to
the following: (NOT TESTED!)

(For C++ purists: the macros are used to do the name pasting needed to
refer to individual per-type global function names and to generate obvious
class names such as X509Ptr, all the real work is done by the C++
template).

    #define ASNPTR_TYP(typ) ASNPtr<typ, typ##_new, typ##_free>
    #define DECLARE_ASNPTR(typ) typedef ASNPTR_TYP(typ) typ##Ptr;

    class ASNPtrBase {
    protected:
        void *p;
    public:
        typedef ASNPtrBase Self;
        typedef Self *PSelf;
        typedef void *PTYP;
    protected:
        PTYP Take(void) { PTYP p1 = p; p = 0; return p1; }
        ASNPtrBase(): p(0) {}
        ASNPtrBase(PTYP p1): p(p1) {}
        ASNPtrBase(Self &p1): p(p1.Take()) {}
        ~ASNPtrBase() { }
    public:
        operator bool() const { return !!p; }
        operator PTYP() const { return p; }
    private:
        Self &operator = (PTYP p1);  // Not available, do not generate default impl.
        Self &operator = (Self &p1); // Not available, do not generate default impl.
    };

    template < class ASNT, ASNT *(*ASNT_new)(void), void (*ASNT_free)(ASNT *p) >
    class ASNPtr: public ASNPtrBase {
    public:
        typedef ASNPtr Self;
        typedef Self *PSelf;
        typedef ASNT *PTYP;
        PTYP Take(void) { return (PTYP)ASNPtrBase::Take(); }
        void Free(void) {
            // Must be in template because of type-specific call
            PTYP p1 = Take();
            if (p1) ASNT_free(p1);
        }
        ASNPtr &Alloc(void) {
            // Must be in template to avoid adding a vptr to the size of
            // ASNPtrBase objects
            Free();
            p = ASNT_new();
            return *this;
        }
        ASNPtr &Set(PTYP p1) {
            // Must be in template to avoid adding a vptr to the size of
            // ASNPtrBase objects
            Free();
            p = p1;
            return *this;
        }
        ASNPtr &Set(ASNPtr &p1) { return Set(p1.Take()); }
        ASNPtr() {}
        ASNPtr(PTYP p1): ASNPtrBase(p1) {}
        ASNPtr(ASNPtr &p1): ASNPtrBase(p1) {}
        ~ASNPtr() { Free(); }
        Self &operator = (PTYP p1) { return Set(p1); }
        Self &operator = (Self &p1) { return Set(p1); }
        operator PTYP() const { return (PTYP)p; }
    private:
        Self &operator = (const Self &p1);
            // Not available, do not generate default impl.
            // do not generate call to operator=(p1.operator PTYP())
            // for const source objects as that would ruin the
            // rule that only one ASNPTR can own the object at
            // any given time.
    };

    DECLARE_ASNPTR(X509)
    DECLARE_ASNPTR(X509_NAME)
    DECLARE_ASNPTR(X509_CRL)
    // etc.



> 2. Does X509_free() also free all the internal objects that are part of the
> X509 struct; e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc
> Thanks,
> Erwin

Please look at the source code of the function ASN1_item_free, which does
the real work.




Re: out range error compiling fips 1.2.3

2011-09-09 Thread Dr. Stephen Henson
On Thu, Sep 08, 2011, Kenneth Goldman wrote:

> I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to 
> be the latest.  It seems to be well known on openssl-dev, but I don't know 
> what to do about it.  Any ideas?
> 
> gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
> -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
> md5-x86_64.s: Assembler messages:
> md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement
> 
> > uname -a
> Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
> 14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
> 

If you can get OpenSSL to compile despite that error (e.g. different version
of the assembler) it won't matter because that file isn't used in the FIPS
module itself. It's just a side effect of the 1.2 build process that it needs
to build a complete version of OpenSSL as well as the module.

> ~~
> 
> A second question.  In researching this error, I saw someone compile with 
> 
> > ./config fipscanisterbuild
> 
> That's not in the INSTALL file.  Do I need this?
> 

That is for testing purposes for the unvalidated 2.0 module only. The 1.2
module uses

./config fipscanister

instead.

--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: out range error compiling fips 1.2.3

2011-09-09 Thread Jakob Bohm

On 9/8/2011 9:35 PM, Kenneth Goldman wrote:

...

> A second question. In researching this error, I saw someone compile with
>   ./config fipscanisterbuild
> That's not in the INSTALL file. Do I need this?
> --
> Ken Goldman   kg...@watson.ibm.com
> 914-784-7646 (863-7646)

Hmm, in previous versions of the FIPS module, there was an
official document as part of the FIPS approval which restricted
the FIPS certification to use of a specific sequence of build steps,
one of which was that command.

Maybe the "INSTALL" file is the standard OpenSSL INSTALL file and
not the true FIPS instructions, or maybe that command is only for
the old FIPS module for version 0.9.x and not for the new module for
version 1.0.x.

Someone else on this list certainly knows which of those two applies.




Re: How to Check Whether the resources of X509 has been freed when it is freed by X509_free()

2011-09-09 Thread Jakob Bohm

On 9/9/2011 5:21 AM, Erwin Himawan wrote:

> Hi All,
> I have several questions associated with freeing resources of X509 struct.
> snippet of my code:
>
>     X509 *x509Cert = X509_new();
>     if (x509Cert == NULL) printf("Error instantiating X509 object\n");
>     /* do some processing with my x509Cert object */
>     /* Cleaning up resources of x509Cert */
>     if(x509Cert != NULL) X509_free(x509Cert);
>
> My questions are:
> 1. How to check that x509Cert resources have been freed? I notice that
> X509_free(x509Cert) does not set the x509Cert to NULL, therefore I can not
> rely on if(x509Cert != NULL) to verify that x509Cert resources have been
> freed. Is this a bug, or is there another method for verifying whether
> x509Cert resources have been freed?

As OpenSSL is a C (not C++ or Pascal) API, unless a function takes an
explicit pointer to your x509Cert variable it is not supposed to have the
ability to change it.  This is one of the nice semantic guarantees of the
C language.

As X509_free() returns void, you should simply assume that the call
*will* free what it is told to free, to the maximum extent reasonably
possible, which is actually the sanest and most programmer friendly way
to specify a cleanup function (for the same reason, C++ destructors have
no return value either and are barred from using exceptions during stack
unwind).

It is good practice to wrap it in a block such as the following:

    {
        X509 *ptmp = x509Cert;
        x509Cert = NULL; // Do this first to reduce risk of race conditions
                         // in your own multithreading
        X509_free(ptmp);
    }

Or in C++ you could declare a macro-assisted smart pointer type similar
to the following: (NOT TESTED!)

(For C++ purists: the macros are used to do the name pasting needed to
refer to individual per-type global function names and to generate
obvious class names such as X509Ptr, all the real work is done by the
C++ template).

    #define ASNPTR_TYP(typ) ASNPtr<typ, typ##_new, typ##_free>
    #define DECLARE_ASNPTR(typ) typedef ASNPTR_TYP(typ) typ##Ptr;

    class ASNPtrBase {
    protected:
        void *p;
    public:
        typedef ASNPtrBase Self;
        typedef Self *PSelf;
        typedef void *PTYP;
    protected:
        PTYP Take(void) { PTYP p1 = p; p = 0; return p1; }
        ASNPtrBase(): p(0) {}
        ASNPtrBase(PTYP p1): p(p1) {}
        ASNPtrBase(Self &p1): p(p1.Take()) {}
        ~ASNPtrBase() { }
    public:
        operator bool() const { return !!p; }
        operator PTYP() const { return p; }
    private:
        Self &operator = (PTYP p1);  // Not available, do not generate default impl.
        Self &operator = (Self &p1); // Not available, do not generate default impl.
    };

    template < class ASNT, ASNT *(*ASNT_new)(void), void (*ASNT_free)(ASNT *p) >
    class ASNPtr: public ASNPtrBase {
    public:
        typedef ASNPtr Self;
        typedef Self *PSelf;
        typedef ASNT *PTYP;
        PTYP Take(void) { return (PTYP)ASNPtrBase::Take(); }
        void Free(void) {
            // Must be in template because of type-specific call
            PTYP p1 = Take();
            if (p1) ASNT_free(p1);
        }
        ASNPtr &Alloc(void) {
            // Must be in template to avoid adding a vptr to the size of
            // ASNPtrBase objects
            Free();
            p = ASNT_new();
            return *this;
        }
        ASNPtr &Set(PTYP p1) {
            // Must be in template to avoid adding a vptr to the size of
            // ASNPtrBase objects
            Free();
            p = p1;
            return *this;
        }
        ASNPtr &Set(ASNPtr &p1) { return Set(p1.Take()); }
        ASNPtr() {}
        ASNPtr(PTYP p1): ASNPtrBase(p1) {}
        ASNPtr(ASNPtr &p1): ASNPtrBase(p1) {}
        ~ASNPtr() { Free(); }
        Self &operator = (PTYP p1) { return Set(p1); }
        Self &operator = (Self &p1) { return Set(p1); }
        operator PTYP() const { return (PTYP)p; }
    private:
        Self &operator = (const Self &p1);
            // Not available, do not generate default impl.
            // do not generate call to operator=(p1.operator PTYP())
            // for const source objects as that would ruin the
            // rule that only one ASNPTR can own the object at
            // any given time.
    };

    DECLARE_ASNPTR(X509)
    DECLARE_ASNPTR(X509_NAME)
    DECLARE_ASNPTR(X509_CRL)
    // etc.




> 2. Does X509_free() also free all the internal objects that are part of the
> X509 struct; e.g. X509_ALGOR, X509_NAME, ASN1_INTEGER, ASN1_TIME, etc
> Thanks,
> Erwin

Please look at the source code of the function ASN1_item_free, which does
the real work.
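
The clear-then-free advice in the reply above, as an added C example that is not part of the original thread. DEMO_CERT and its functions are hypothetical stand-ins for X509, X509_new() and X509_free() so the code builds without libcrypto; the macro and counters are also assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an OpenSSL object such as X509, so that the
 * example builds without libcrypto. */
typedef struct demo_cert { int serial; } DEMO_CERT;

static int live_objects = 0;  /* allocations not yet released */
static int free_calls = 0;    /* real releases performed */

DEMO_CERT *DEMO_CERT_new(void) {
    DEMO_CERT *c = calloc(1, sizeof(*c));
    if (c != NULL) live_objects++;
    return c;
}

/* Same shape as X509_free(): pointer passed by value, void return. It can
 * release the object but cannot change the caller's variable. */
void DEMO_CERT_free(DEMO_CERT *c) {
    if (c == NULL) return;
    free_calls++;
    live_objects--;
    free(c);
}

/* Generates TYPE_free_and_null(TYPE **pp): clear the owner's variable
 * first, then free the saved copy, in the order the reply recommends. */
#define DEFINE_FREE_AND_NULL(TYPE)                  \
    static void TYPE##_free_and_null(TYPE **pp) {   \
        TYPE *tmp;                                  \
        if (pp == NULL) return;                     \
        tmp = *pp;                                  \
        *pp = NULL;                                 \
        TYPE##_free(tmp);                           \
    }

DEFINE_FREE_AND_NULL(DEMO_CERT)

/* Returns 1 when a repeated cleanup leaves the pointer NULL, performs
 * exactly one real free and leaves no live object behind. */
int demo_cleanup_twice(void) {
    int frees_before = free_calls;
    DEMO_CERT *cert = DEMO_CERT_new();
    if (cert == NULL) return 0;
    DEMO_CERT_free_and_null(&cert);
    DEMO_CERT_free_and_null(&cert);  /* no-op: cert is already NULL */
    return cert == NULL && free_calls - frees_before == 1 && live_objects == 0;
}

int main(void) {
    printf("repeated cleanup was safe: %d\n", demo_cleanup_twice());
    return 0;
}
```

With the OpenSSL headers included, the same macro can be instantiated as DEFINE_FREE_AND_NULL(X509), because X509_free() takes its argument by value in the same way.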




out range error compiling fips 1.2.3

2011-09-09 Thread Kenneth Goldman
I'm getting this error compiling openssl-fips-1.2.3.tar.gz, which seems to 
be the latest.  It seems to be well known on openssl-dev, but I don't know 
what to do about it.  Any ideas?

gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall 
-DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DAES_ASM -c  -o md5-x86_64.o md5-x86_64.s
md5-x86_64.s: Assembler messages:
md5-x86_64.s:41: Error: 0xd76aa478 out range of signed 32bit displacement

> uname -a
Linux cainl.watson.ibm.com 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 
14:15:38 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

~~

A second question.  In researching this error, I saw someone compile with 

> ./config fipscanisterbuild

That's not in the INSTALL file.  Do I need this?

--
Ken Goldman   kg...@watson.ibm.com 
914-784-7646 (863-7646)