[openssl-users] Openssl 1.0.2 snap STABLE 20170311 issue
Script started on Fri Mar 10 23:31:39 2017 You have mail. root@doctor:/usr/source/openssl-1.0.2-stable-SNAP-20170311 # make making all in crypto... making all in crypto/objects... making all in crypto/md4... making all in crypto/md5... making all in crypto/sha... making all in crypto/mdc2... making all in crypto/hmac... making all in crypto/ripemd... making all in crypto/whrlpool... making all in crypto/des... making all in crypto/aes... making all in crypto/rc2... making all in crypto/rc4... making all in crypto/idea... making all in crypto/bf... making all in crypto/cast... making all in crypto/camellia... making all in crypto/seed... making all in crypto/modes... making all in crypto/bn... making all in crypto/ec... making all in crypto/rsa... making all in crypto/dsa... making all in crypto/ecdsa... making all in crypto/dh... making all in crypto/ecdh... making all in crypto/dso... making all in crypto/engine... making all in crypto/buffer... making all in crypto/bio... making all in crypto/stack... making all in crypto/lhash... making all in crypto/rand... making all in crypto/err... making all in crypto/evp... making all in crypto/asn1... making all in crypto/pem... making all in crypto/x509... making all in crypto/x509v3... making all in crypto/conf... making all in crypto/txt_db... making all in crypto/pkcs7... making all in crypto/pkcs12... making all in crypto/comp... making all in crypto/ocsp... making all in crypto/ui... making all in crypto/krb5... making all in crypto/cms... making all in crypto/pqueue... making all in crypto/ts... making all in crypto/jpake... making all in crypto/srp... making all in crypto/store... making all in crypto/cmac... if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then (cd ..; make libcrypto.so.1.0.0); fi `libcrypto.so.1.0.0' is up to date. making all in engines... echo making all in engines/ccgost... making all in ssl... /usr/local/bin/clang39 -I../crypto -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O3 -Wall -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local/ssl/fips-2.0/include -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c ssl_rsa.c -o ssl_rsa.o ssl_rsa.c:105:46: error: no member named 'default_passwd_callback' in 'struct ssl_st' x = PEM_read_bio_X509(in, NULL, ssl->default_passwd_callback, ~~~ ^ ssl_rsa.c:106:36: error: no member named 'default_passwd_callback_userdata' in 'struct ssl_st' ssl->default_passwd_callback_userdata); ~~~ ^ ssl_rsa.c:264:47: error: no member named 'default_passwd_callback' in 'struct ssl_st' ssl->default_passwd_callback, ~~~ ^ ssl_rsa.c:265:47: error: no member named 'default_passwd_callback_userdata' in 'struct ssl_st' ssl->default_passwd_callback_userdata); ~~~ ^ ssl_rsa.c:337:45: error: no member named 'default_passwd_callback' in 'struct ssl_st' ssl->default_passwd_callback, ~~~ ^ ssl_rsa.c:338:45: error: no member named 'default_passwd_callback_userdata' in 'struct ssl_st' ssl->default_passwd_callback_userdata); ~~~ ^ 6 errors generated. *** Error code 1 Stop. make[1]: stopped in /usr/source/openssl-1.0.2-stable-SNAP-20170311/ssl *** Error code 1 Stop. make: stopped in /usr/source/openssl-1.0.2-stable-SNAP-20170311 root@doctor:/usr/source/openssl-1.0.2-stable-SNAP-20170311 # exit exit Script done on Fri Mar 10 23:36:32 2017 Please fix. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism God is dead! Yahweh lives! Jesus his only begotten Son is the Risen Saviour!! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] fips_premain arch invalid
I have updated my iOS scripts to build for all archs now using the latest fips-2.0.14 and openssl-1.1.0e. Before I was using 1.0.2h I believe and fips-2.0.12 and didn't have armv7s support added. I needed to add it so I upgrade and adjusted my script accordingly https://gist.github.com/jostster/ebbc6925c668b632d8b185293080256c This works great, however I now get an error when building my application in xcode. Undefined symbols for architecture armv7: "_FIPS_text_start", referenced from: _FINGERPRINT_premain in fips_premain.o "_FIPS_signature", referenced from: _FINGERPRINT_premain in fips_premain.o +[VTFipsInfo getEmbeddedFingerprint] in VTFipsInfo.o "_FIPS_incore_fingerprint", referenced from: _FINGERPRINT_premain in fips_premain.o +[VTFipsInfo getExpectedFingerprint] in VTFipsInfo.o ld: symbol(s) not found for architecture armv7 VTFipsInfo.o is my objective-c files that get if FIPS is enabled and gets the hashes to display to the end user. If I try this on our buildkite server it replaces armv7 with x86_64. However running lipo --info on my libssl and libcrypt.a returns Architectures in the fat file: libssl.a are: armv7 i386 armv7s x86_64 arm64 Architectures in the fat file: libcrypto.a are: armv7 i386 armv7s x86_64 arm64 My valid architectures in xcode are armv7, armv7s and armv64. Before I upgraded my openssl and added armv7s support, this wasn't an issue. Any ideas how to fix this? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs
On 10/03/17 20:58, Ethan Rahn wrote: > Hello Openssl-users, > > I'm trying to write some code that derives the shared secret for 2 > elliptic curve keys ( i.e. does ECDH ) > > I am doing the following to load up both the local and remote EC key ( > code shown for local side ): > > EC_KEY* localEC = EC_KEY_new_by_curve_name( curveName ); > EC_KEY_set_private_key( localEC, privateKeyLocal ) > EC_KEY_set_public_key_affine_coordinates( localEC, publicXCoordLocal, > publicYCoordLocal ) > > I check the return values for all of these, as well as EC_KEY_check_key > at the end. Everything returns non-zero, so I assume that it is good to > go. I then do the following to turn the EC_KEY into an EVP_PKEY for ECDH: > > pkey = EVP_PKEY_new(); > EVP_PKEY_set1_EC_KEY( *pkey, localEC ); > > The same is done for the remote EC, except that the private key is not > loaded up. > > Now this is where things get weird. > > I run code pretty similar to the example given here ( starting from > EVP_PKEY_CTX_new() since I already have the pkey and peerkey. ( > https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman ) and > it fails on the call to EVP_PKEY_derive()without an error message. I > tried running into under gdb() and it gets to ecdh_check() before it's > unable to fill in the ecdh_data structure, i.e. it returns it as NULL. > > If I use the example code to generate the local EVP_PKEY with a random > set of points on the correct curve, then run the following line, the key > derivation will work with the parameters I read in: > ( in this example, pkey is as in the example code, i.e. generated > randomly. pkey2 is the one I made via EVP_PKEY_set1_EC_KEY ) > > EVP_PKEY_set1_EC_KEY( pkey, EVP_PKEY_get1_EC_KEY( pkey2 ) ); > > It would appear that there is something that EVP_PKEY_set1_EC_KEY is not > setting, or perhaps that I need to add, but I'm unclear what that would > be. Does anyone on this list have any ideas? Which version of OpenSSL are you using? Can you provide a simple reproducer of the problem? Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] EVP_PKEY_set1_EC_KEY seems to not set something that EVP_PKEY_derive needs
Hello Openssl-users, I'm trying to write some code that derives the shared secret for 2 elliptic curve keys ( i.e. does ECDH ) I am doing the following to load up both the local and remote EC key ( code shown for local side ): EC_KEY* localEC = EC_KEY_new_by_curve_name( curveName ); EC_KEY_set_private_key( localEC, privateKeyLocal ) EC_KEY_set_public_key_affine_coordinates( localEC, publicXCoordLocal, publicYCoordLocal ) I check the return values for all of these, as well as EC_KEY_check_key at the end. Everything returns non-zero, so I assume that it is good to go. I then do the following to turn the EC_KEY into an EVP_PKEY for ECDH: pkey = EVP_PKEY_new(); EVP_PKEY_set1_EC_KEY( *pkey, localEC ); The same is done for the remote EC, except that the private key is not loaded up. Now this is where things get weird. I run code pretty similar to the example given here ( starting from EVP_PKEY_CTX_new() since I already have the pkey and peerkey. ( https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman ) and it fails on the call to EVP_PKEY_derive()without an error message. I tried running into under gdb() and it gets to ecdh_check() before it's unable to fill in the ecdh_data structure, i.e. it returns it as NULL. If I use the example code to generate the local EVP_PKEY with a random set of points on the correct curve, then run the following line, the key derivation will work with the parameters I read in: ( in this example, pkey is as in the example code, i.e. generated randomly. pkey2 is the one I made via EVP_PKEY_set1_EC_KEY ) EVP_PKEY_set1_EC_KEY( pkey, EVP_PKEY_get1_EC_KEY( pkey2 ) ); It would appear that there is something that EVP_PKEY_set1_EC_KEY is not setting, or perhaps that I need to add, but I'm unclear what that would be. Does anyone on this list have any ideas? Much thanks, Ethan -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] using OpenSSL on Android
Hi, I am trying to write a JAVA program to establish a TLS client connection to a server using openssl FIPS object module on an Android platform. I understand on a high level that I will have to build the FIPS module and write a JNI wrapper to allow the openssl routines to be invoked from JAVA and pass results back. But I am not quite clear about the specifics. In particular, since the private key cannot be extracted in JAVA, how does one give openssl the necessary key materials to use in the TLS handshaking? Do I have to go into the handshaking process and graft the the JAVA part into it? Any help will be appreciated. Thanks Jason -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Jakob Bohm > Sent: Thursday, March 09, 2017 21:43 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] [AES-GCM] TLS packet nounce_explicit overflow > > I seem to recall (I haven't looked at GCM details in years) that > the 128 bit value is incremented for each 128 bit block of plaintext, > plus once more for the mac-like tag. I'll have to check the spec myself; I haven't read it in years either. > From this I assumed the 32 bit field was the per-128-bit counter and the > 64 bit field you asked about was the per-record counter. A minor correction - it wasn't my question. I had followed up after Rich's initial reply. But no matter; it's a discussion now. Thanks, Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] scripting creating a cert
Very nice. But this looks like it as part of the whole easyRSA effort, not something I can easily feed into the openssl command to create the cert. It would take a fair bit of digging to dig out what I need for now. Definitely something I will look into soon, as providing a simple PKI for a small installation has long been on my list. But the effort name is limiting. What about ECDSA and EDDSA certs? :) On 03/10/2017 06:58 AM, Jochen Bern wrote: On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested: Thing is that this then prompts for a number of fields: [...] Is there some 'simple' way to provide these answers? Like with env variables? Yes, and as others have already pointed out, there's also the possibility of command line parameters given to OpenSSL. A publicly available set of scripts that makes heavy use of the env var method and might serve as an example would be easyRSA (here, version 3): # grep EASYRSA_REQ_ openssl-1.0.cnf commonName_default = $ENV::EASYRSA_REQ_CN countryName_default = $ENV::EASYRSA_REQ_COUNTRY stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE localityName_default= $ENV::EASYRSA_REQ_CITY 0.organizationName_default = $ENV::EASYRSA_REQ_ORG organizationalUnitName_default = $ENV::EASYRSA_REQ_OU commonName_default = $ENV::EASYRSA_REQ_CN emailAddress_default= $ENV::EASYRSA_REQ_EMAIL # grep EASYRSA_REQ_ easyrsa | grep -v ';;' [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1" EASYRSA_REQ_CN="$name" set_var EASYRSA_REQ_COUNTRY "US" set_var EASYRSA_REQ_PROVINCE"California" set_var EASYRSA_REQ_CITY"San Francisco" set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" set_var EASYRSA_REQ_EMAIL m...@example.net set_var EASYRSA_REQ_OU "My Organizational Unit" set_var EASYRSA_REQ_CN ChangeMe https://github.com/OpenVPN/easy-rsa Kind regards, -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] scripting creating a cert
On 03/10/2017 01:10 AM, openssl-users-requ...@openssl.org digested: > Thing is that this then prompts for a number of fields: [...] > Is there some 'simple' way to provide these answers? Like with env > variables? Yes, and as others have already pointed out, there's also the possibility of command line parameters given to OpenSSL. A publicly available set of scripts that makes heavy use of the env var method and might serve as an example would be easyRSA (here, version 3): > # grep EASYRSA_REQ_ openssl-1.0.cnf > commonName_default = $ENV::EASYRSA_REQ_CN > countryName_default = $ENV::EASYRSA_REQ_COUNTRY > stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE > localityName_default= $ENV::EASYRSA_REQ_CITY > 0.organizationName_default = $ENV::EASYRSA_REQ_ORG > organizationalUnitName_default = $ENV::EASYRSA_REQ_OU > commonName_default = $ENV::EASYRSA_REQ_CN > emailAddress_default= $ENV::EASYRSA_REQ_EMAIL > # grep EASYRSA_REQ_ easyrsa | grep -v ';;' > [ $EASYRSA_BATCH ] && opts="$opts -batch" || export > EASYRSA_REQ_CN="Easy-RSA CA" > [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1" > EASYRSA_REQ_CN="$name" > set_var EASYRSA_REQ_COUNTRY "US" > set_var EASYRSA_REQ_PROVINCE"California" > set_var EASYRSA_REQ_CITY"San Francisco" > set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" > set_var EASYRSA_REQ_EMAIL m...@example.net > set_var EASYRSA_REQ_OU "My Organizational Unit" > set_var EASYRSA_REQ_CN ChangeMe https://github.com/OpenVPN/easy-rsa Kind regards, -- Jochen Bern Systemingenieur smime.p7s Description: S/MIME Cryptographic Signature -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users