Re: Performance related queries for SSL based client server model

2014-09-09 Thread Alok Sharma
Hi,
   Thanks all for your update. But functionality wise it is working
fine. I can remove the inner loop, but that will require the packet size to
be 1K. I tried that also but did not find any improvement in
performance. In my setup there are 8 routers between source &
destination. Can anyone share a sample SSL based client server
programme which I could use to measure performance?
Regards,
Alok

On Tue, Sep 9, 2014 at 3:54 AM, Iñaki Baz Castillo  wrote:
>
> 2014-09-08 19:46 GMT+02:00 Alok Sharma :
> > One thing I observed by looking into scp
> > code is that it does not use SSL provided APIs (i.e. SSL_Read or SSL_Write) but
> > they use it differently, i.e. might be directly calling encryption APIs and
> > writing data to sockets. But I don't have much understanding what SSL_Write
> > or SSL_read does internally.
>
> It has been already replied above. SSH is not SSL so don't look for
> SSL_ methods on openssh. Said that, AFAIK openssh uses the crypto
> library from openssl, but that is not SSL/TLS at all.
>
>
> > So I wanted to understand if there is any way to
> > improve performance of SSL_Read or SSL_write to achieve high performance.
> > Following are my client server programmes. Here the client writes a file on the
> > server machine in a hardcoded location and name.
>
> You have a lot of errors in your program. I suggest that you first
> properly learn openssl, then measure your code if you need.
>
>
>
> --
> Iñaki Baz Castillo
> 
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org


Re: Performance related queries for SSL based client server model

2014-09-08 Thread Alok Sharma
/* (The beginning of this message is missing from the archive; the
   #includes, the OpenListener() header and its socket() call are
   reconstructed from how main() uses the function.) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int OpenListener(int port)
{
    int sd;
    struct sockaddr_in addr;

    sd = socket(PF_INET, SOCK_STREAM, 0);
    if ( sd < 0 )
    {
        perror("can't create socket");
        abort();
    }
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = INADDR_ANY;
    if ( bind(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        perror("can't bind port");
        abort();
    }
    if ( listen(sd, 10) != 0 )
    {
        perror("Can't configure listening port");
        abort();
    }
    return sd;
}

SSL_CTX* InitServerCTX(void)
{
    const SSL_METHOD *method;   /* the *_method() functions return a const pointer */
    SSL_CTX *ctx;

    OpenSSL_add_all_algorithms();  /* load & register all cryptos, etc. */
    SSL_load_error_strings();      /* load all error messages */
    /* The original used SSLv2_server_method(): SSLv2 is broken and is not
       built into current OpenSSL. Negotiate the highest version both sides
       support and switch the legacy SSL versions off explicitly. */
    method = SSLv23_server_method();
    ctx = SSL_CTX_new(method);     /* create new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
    return ctx;
}

void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile)
{
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
}

void ShowCerts(SSL* ssl)
{
    X509 *cert;
    char *line;

    /* Get the peer's certificate, if any. This server never calls
       SSL_CTX_set_verify(), so no client certificate is requested and
       this will normally print "No certificates." */
    cert = SSL_get_peer_certificate(ssl);
    if ( cert != NULL )
    {
        printf("Peer certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        OPENSSL_free(line);   /* allocated by OpenSSL, so not plain free() */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        OPENSSL_free(line);
        X509_free(cert);
    }
    else
        printf("No certificates.\n");
}

void Servlet(SSL* ssl) /* Serve the connection -- threadable */
{
    char buf[1024*16];
    int sd, bytes, fd;

    if ( SSL_accept(ssl) <= 0 )   /* do SSL-protocol accept; 0 and -1 are both failures */
        ERR_print_errors_fp(stderr);
    else if ( (fd = open("/tmp/test1", O_WRONLY | O_CREAT | O_TRUNC, 0644)) < 0 )
        perror("can't open /tmp/test1");
    else
    {
        ShowCerts(ssl);   /* get any certificates */
        while (1)
        {
            bytes = SSL_read(ssl, buf, sizeof(buf));   /* get next chunk */
            if ( bytes <= 0 )
            {
                /* a clean close_notify from the client is not an error */
                if ( SSL_get_error(ssl, bytes) != SSL_ERROR_ZERO_RETURN )
                    ERR_print_errors_fp(stderr);
                break;
            }
            /* write() may be short: continue from the unwritten offset.
               The original loop re-wrote from the start of buf after a short
               write and never terminated if write() failed. */
            int off = 0;
            while ( off < bytes )
            {
                ssize_t n = write(fd, buf + off, bytes - off);
                if ( n < 0 )
                {
                    perror("write");
                    break;
                }
                off += (int)n;
            }
            if ( off < bytes )
                break;
        }
        close(fd);
    }
    sd = SSL_get_fd(ssl);   /* get socket connection */
    SSL_shutdown(ssl);      /* send close_notify before tearing down */
    SSL_free(ssl);          /* release SSL state */
    close(sd);              /* close connection */
}

int main(int count, char *strings[])
{
    SSL_CTX *ctx;
    int server;
    char *portnum;

    if ( count != 2 )
    {
        printf("Usage: %s <port>\n", strings[0]);
        exit(0);
    }
    SSL_library_init();

    portnum = strings[1];
    ctx = InitServerCTX();                               /* initialize SSL */
    LoadCertificates(ctx, "mycert.pem", "mycert.pem");   /* load certs */
    server = OpenListener(atoi(portnum));                /* create server socket */
    while (1)
    {
        struct sockaddr_in addr;
        socklen_t len = sizeof(addr);
        SSL *ssl;

        int client = accept(server, (struct sockaddr*)&addr, &len);   /* accept connection as usual */
        if ( client < 0 )
        {
            perror("accept");
            continue;
        }
        printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
        ssl = SSL_new(ctx);         /* get new SSL state with context */
        SSL_set_fd(ssl, client);    /* set connection socket to SSL state */
        Servlet(ssl);               /* service connection */
    }
    close(server);       /* close server socket */
    SSL_CTX_free(ctx);   /* release context */
    return 0;
}






On Sun, Sep 7, 2014 at 8:11 PM, Viktor Dukhovni wrote:

> On Sun, Sep 07, 2014 at 01:00:17PM +0530, Alok Sharma wrote:
>
> > I am writing one sample ssl based client server model which uses
> > SSL_Read & SSL_Write API provided by openssl.
>
> If you are transferring each block of data as an RPC, with a round-trip
> acknowledgement before sending the next block, and the blocks are
> small enough, you're going to sev

Performance related queries for SSL based client server model

2014-09-07 Thread Alok Sharma
Hi,
   I am writing one sample ssl based client server model which uses the
SSL_Read & SSL_Write API provided by openssl. But I found that my
application is very slow: it takes around 40 mins to copy a 700MB file, while
the same file using scp finishes in 10 mins.
   So my query is: is there an alternative way to use the OpenSSL read or
write to improve performance? I searched in the scp code and found it does not
use SSL_read/SSL_write. So is there another set of APIs which I can use,
or any idea how I can meet the same performance as scp?
Regards,
Alok


Re: Fwd: How to tweak openSSL vulnerabilities CVE-2013-0169

2013-11-18 Thread Alok Sharma
Hi  Steve,
I am also seeing AES along with GCM and RC4 in my search if I disable
CBC. So can it be guaranteed that the client and server can still communicate? Also,
if both end points have the same version of openssl, can there still
be any problem?
Regards,
Alok


On Tue, Nov 12, 2013 at 8:23 PM, Dr. Stephen Henson wrote:

> On Tue, Nov 12, 2013, Alok Sharma wrote:
>
> > One of the openSSL vulnerabilities is:
> >
> > CVE-2013-0169:
> >
> >   The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
> > in OpenSSL, do not properly consider timing side-channel attacks on a MAC
> > check requirement during the processing of malformed CBC padding, which
> > allows remote attackers to conduct distinguishing attacks and
> > plaintext-recovery attacks via statistical analysis of timing data for
> > crafted packets, aka the "Lucky Thirteen" issue.
> >
> >   All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x
> >
> >   Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y
> >
> > we use DTLS 1.0 protocol.
> >
> > Does anyone know of any setting in openssl configuration that can be
> > tweaked to mitigate this vulnerability? E.g. a setting to not allow use of
> > algorithms with CBC etc.?
> >
>
> The vulnerability is addressed in the latest OpenSSL releases.
>
> If you disable CBC ciphers then you're only left with GCM and RC4. RC4 can't
> be used with DTLS and GCM is only supported in DTLS 1.2.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


How CBC based ciphers can be disabled from openssl

2013-11-15 Thread Alok Sharma
Hi,
 I am using 0.9.8.s openssl and due to some limitation I can't upgrade to the
latest versions to tackle CVE-2013-0169. So is there any easy process to
disable CBC based ciphers?
  Also, is there a way to know which ciphers the client and server are using?
Regards,
Alok


Re: Fwd: How to tweak openSSL vulnerabilities CVE-2013-0169

2013-11-14 Thread Alok Sharma
Hi Steve,
 Thanks for the reply. Do you have an idea how CBC ciphers can be disabled?
Regards,
Alok


On Tue, Nov 12, 2013 at 8:23 PM, Dr. Stephen Henson wrote:

> On Tue, Nov 12, 2013, Alok Sharma wrote:
>
> > One of the openSSL vulnerabilities is:
> >
> > CVE-2013-0169:
> >
> >   The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
> > in OpenSSL, do not properly consider timing side-channel attacks on a MAC
> > check requirement during the processing of malformed CBC padding, which
> > allows remote attackers to conduct distinguishing attacks and
> > plaintext-recovery attacks via statistical analysis of timing data for
> > crafted packets, aka the "Lucky Thirteen" issue.
> >
> >   All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x
> >
> >   Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y
> >
> > we use DTLS 1.0 protocol.
> >
> > Does anyone know of any setting in openssl configuration that can be
> > tweaked to mitigate this vulnerability? E.g. a setting to not allow use of
> > algorithms with CBC etc.?
> >
>
> The vulnerability is addressed in the latest OpenSSL releases.
>
> If you disable CBC ciphers then you're only left with GCM and RC4. RC4 can't
> be used with DTLS and GCM is only supported in DTLS 1.2.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Fwd: How to tweak openSSL vulnerabilities CVE-2013-0169

2013-11-11 Thread Alok Sharma
One of the openSSL vulnerabilities is:

CVE-2013-0169:

  The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used
in OpenSSL, do not properly consider timing side-channel attacks on a MAC
check requirement during the processing of malformed CBC padding, which
allows remote attackers to conduct distinguishing attacks and
plaintext-recovery attacks via statistical analysis of timing data for
crafted packets, aka the "Lucky Thirteen" issue.

  All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x

  Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y



we use DTLS 1.0 protocol.

Does anyone know of any setting in openssl configuration that can be
tweaked to mitigate this vulnerability? E.g. a setting to not allow use of
algorithms with CBC etc.?

Regards,

Alok


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-26 Thread alok sharma
Hi,
   Thanks for the help, it resolved my problem.
Regards,
Alok


On Fri, Sep 23, 2011 at 5:59 PM, Dr. Stephen Henson wrote:

> On Fri, Sep 23, 2011, alok sharma wrote:
>
> > Hi,
> >  Ok I got your point. I think it will be helpful. Do you have any link or
> > procedure to set up these callbacks, or are these just function pointers
> > which need to be initialized at ssl initialization time?
>
> See the FAQ:
>
> http://www.openssl.org/support/faq.html#PROG1
>
> The manual page here:
>
> http://www.openssl.org/docs/crypto/threads.html
>
> and a simple example in crypto\threads\mttest.c
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-23 Thread alok sharma
Hi,
 Ok I got your point. I think it will be helpful. Do you have any link or
procedure to set up these callbacks, or are these just function pointers
which need to be initialized at ssl initialization time?
Regards,
Alok

On Fri, Sep 23, 2011 at 5:22 PM, Dr. Stephen Henson wrote:

> On Fri, Sep 23, 2011, alok sharma wrote:
>
> > Hi,
> >  The error message comes when we invoke SSL_accept() API. But taking
> > lock on it will affect performance as it performs network operation
> inside
> > this API (like client hello message and other). So if network is
> overloaded
> > then mutex hold time will be too large. I have observed that in worst
> case
> > it holds lock for around 5-6 mins.
>
> You don't lock the SSL_accept API.
>
> In a multithreaded application OpenSSL needs to use locks internally to avoid
> race conditions. In order to do this an application needs to supply a set of
> locking callbacks which OpenSSL makes use of internally. The locking times
> should always be very short for these cases: they are typically used to ensure
> reference counts are incremented and decremented properly. If you don't set
> these up OpenSSL will be unstable in multithreaded applications: one symptom
> of this is how the FIPS PRNG behaves.
>
> For more details see the archives and documentation. For example: the
> "threads" manual page.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
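An added example, not code from this thread or from OpenSSL, that models in C the race Steve describes: one generator state shared by several threads, running the continuous test from the fips_rand() excerpt once without and once with a lock. The mixing function and the plain counter standing in for fips_get_dt() are constructed stand-ins; run() returns the number of false "stuck" events, and the unlocked count varies by machine and run.

```c
/* Added example (not OpenSSL code): toy model of the locking race behind the
 * PRNG_STUCK failures above.  mix() is a constructed stand-in for AES_encrypt
 * (SplitMix64 finaliser); this is a demonstration, not a CSPRNG. */
#include <pthread.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define THREADS 8
#define ITERS   20000

struct gen {
    uint64_t counter;   /* stands in for the DT date/time+counter block */
    uint64_t v;         /* ctx->V */
    uint64_t last;      /* ctx->last */
    int have_last;      /* ctx->second */
    long stuck;         /* continuous-test failures observed */
    int locked;         /* 1 = serialise on mu, 0 = let threads race */
    pthread_mutex_t mu;
};

static uint64_t mix(uint64_t x)
{
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* One block with the continuous test from the fips_rand() excerpt:
 * I = E(DT); R = E(I ^ V); V = E(R ^ I); stuck if R == last.  Unlocked,
 * two threads can read the same counter and V, compute the same R, and the
 * slower one then finds R already stored in last. */
static uint64_t gen_block(struct gen *g)
{
    uint64_t i, r;
    if (g->locked) pthread_mutex_lock(&g->mu);
    i = mix(g->counter++);
    r = mix(i ^ g->v);
    g->v = mix(r ^ i);
    if (!g->locked) sched_yield();  /* widen the window, like a slow SSL_accept */
    if (g->have_last && r == g->last)
        g->stuck++;                 /* OpenSSL raises RAND_R_PRNG_STUCK here */
    g->last = r;
    g->have_last = 1;
    if (g->locked) pthread_mutex_unlock(&g->mu);
    return r;
}

static void *worker(void *arg)
{
    for (int n = 0; n < ITERS; n++) gen_block(arg);
    return NULL;
}

/* Run THREADS threads over one shared generator; returns the number of false
 * "stuck" events and stores the final counter value in *blocks. */
long run(int locked, uint64_t *blocks)
{
    struct gen g;
    pthread_t th[THREADS];
    memset(&g, 0, sizeof g);
    g.locked = locked;
    pthread_mutex_init(&g.mu, NULL);
    for (int k = 0; k < THREADS; k++) pthread_create(&th[k], NULL, worker, &g);
    for (int k = 0; k < THREADS; k++) pthread_join(th[k], NULL);
    pthread_mutex_destroy(&g.mu);
    *blocks = g.counter;
    return g.stuck;
}

int main(void)
{
    uint64_t n;
    long s = run(0, &n);
    printf("unlocked: %ld false PRNG_STUCK events, counter reached %llu\n", s, (unsigned long long)n);
    s = run(1, &n);
    printf("locked:   %ld false PRNG_STUCK events, counter reached %llu\n", s, (unsigned long long)n);
    return 0;
}
```

Build with -pthread; the unlocked run usually reports some false stuck events and a counter short of THREADS*ITERS from lost increments, while the locked run reports zero.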


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-23 Thread alok sharma
Hi,
 The error message comes when we invoke the SSL_accept() API. But taking a
lock on it will affect performance as it performs network operations inside
this API (like client hello message and others). So if the network is overloaded
then the mutex hold time will be too large. I have observed that in the worst case
it holds the lock for around 5-6 mins.
Regards,
Alok

On Fri, Sep 23, 2011 at 5:04 PM, Dr. Stephen Henson wrote:

> On Fri, Sep 23, 2011, alok sharma wrote:
>
> > I am using the openssl fips version for my application. So, I have not made
> > any change in openssl or Fips code. Just enabling fips and using SSL API
> > exposed for client server model. But through debugger I have found that my
> > application is crashing giving error message inside Fips_rand() at following
> > line.
> >
> >
>
> You do not need to change the OpenSSL or the FIPS code. If your application is
> multithreaded you *MUST* set up a proper locking callback or OpenSSL will not
> function properly. This applies to FIPS and non-FIPS applications.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-23 Thread alok sharma
I am using the openssl fips version for my application. So, I have not made
any change in openssl or Fips code. I am just enabling fips and using the SSL API
exposed for the client server model. But through the debugger I have found that my
application is crashing, giving an error message inside Fips_rand() at the following
line.

fips_rand()
    {
    ...

    if (!ctx->test_mode)
        fips_get_dt(ctx);
    AES_encrypt(ctx->DT, I, &ctx->ks);
    for (i = 0; i < AES_BLOCK_LENGTH; i++)
        tmp[i] = I[i] ^ ctx->V[i];
    AES_encrypt(tmp, R, &ctx->ks);
    for (i = 0; i < AES_BLOCK_LENGTH; i++)
        tmp[i] = R[i] ^ I[i];
    AES_encrypt(tmp, ctx->V, &ctx->ks);
    /* Continuous PRNG test */
    if (ctx->second)
        {
        if (fips_prng_fail){
            memcpy(ctx->last, R, AES_BLOCK_LENGTH);
            RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
        }
        if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))   /* <-- The check is failing as the current encrypted and last one are same */
            {
            RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
            ctx->error = 1;
            fips_set_selftest_fail();
            return 0;
            }
        }
    memcpy(ctx->last, R, AES_BLOCK_LENGTH);

Regards,
Alok


On Fri, Sep 23, 2011 at 4:46 PM, Dr. Stephen Henson wrote:

> On Fri, Sep 23, 2011, alok sharma wrote:
>
> > Hi,
> > So is there any method on Windows to generate non-predictable
> > random numbers. I think mostly FileSystem time is used to seed randomness
> > which is failing in my case.
> >
>
> As I indicated this shouldn't be happening if you've set up locking callbacks
> correctly. Have you set up any locking callbacks?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-23 Thread alok sharma
Hi,
So is there any method on Windows to generate non-predictable
random numbers? I think mostly the FileSystem time is used to seed randomness,
which is failing in my case.
Regards,
Alok

On Mon, Sep 19, 2011 at 4:52 PM, Dr. Stephen Henson wrote:

> On Mon, Sep 19, 2011, alok sharma wrote:
>
> > Hi Jacob,
> > Thanks for such a detailed reply. But I am having one concern that how
> > an application can know whether it is secure or not. Fips uses
> > GetSystemTimeAsFileTime() for PRNG test which is having granularity of 1 ns,
> > but my application is running even at faster rate so same value is being
> > generated for current as well as for last request. Is there any provision
> > inside Openssl which ensures that unique random numbers will be generated or
> > application need to add some delay for each new connection request.
> > Regards,
> >
> >
>
> OpenSSL uses more than just GetSystemTimeAsFileTime; it also makes use of a
> counter value which is incremented on each use. This is all done under a lock
> so the values should never repeat even if the time value does.
>
> If you are getting continuous PRNG test failures then I suspect your locking
> callbacks aren't functioning correctly and you are getting race conditions.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>


Re: Issue With continuous PRNG test with Fips module of openssl

2011-09-18 Thread alok sharma
Hi Jacob,
Thanks for such a detailed reply. But I am having one concern: how can
an application know whether it is secure or not? Fips uses
GetSystemTimeAsFileTime() for the PRNG test, which has a granularity of 1 ns,
but my application is running at an even faster rate, so the same value is being
generated for the current as well as for the last request. Is there any provision
inside Openssl which ensures that unique random numbers will be generated, or
does the application need to add some delay for each new connection request?
Regards,
Alok

On Thu, Sep 15, 2011 at 6:02 PM, Jakob Bohm  wrote:

> On 9/14/2011 6:33 PM, alok sharma wrote:
>
>> Hi,
>>   I am having my client server on Windows. The server is concurrent and
>> having each thread for each connection. When the number of connection
>> increases to 400-500 i.e. having high thread load, my server crashes. I
>> debugged it and found that it gives error ("random number
>> generator:FIPS_RAND:prng error") when it tries to invoke SSL_accept(). My
>> server is Fips compliant. I looked further inside openssl code and found
>> issue with fips_rand() method (fips/rand/fips_rand.c). Following is my
>> observation.
>>  The error is generated at following point
>>   fips_rand()
>>    {
>> ...
>>
>> if (!ctx->test_mode)
>>     fips_get_dt(ctx);
>> AES_encrypt(ctx->DT, I, &ctx->ks);
>> for (i = 0; i < AES_BLOCK_LENGTH; i++)
>>     tmp[i] = I[i] ^ ctx->V[i];
>> AES_encrypt(tmp, R, &ctx->ks);
>> for (i = 0; i < AES_BLOCK_LENGTH; i++)
>>     tmp[i] = R[i] ^ I[i];
>> AES_encrypt(tmp, ctx->V, &ctx->ks);
>> /* Continuous PRNG test */
>> if (ctx->second)
>>     {
>>     if (fips_prng_fail){
>>         memcpy(ctx->last, R, AES_BLOCK_LENGTH);
>>
> The above line may cause the next test to fail too if "fips_prng_fail" was
> set by something else.
>
>>         RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
>>     }
>>     if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))   /* <-- The check is failing as the current encrypted and last one are same */
>>         {
>>         RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
>>         ctx->error = 1;
>>         fips_set_selftest_fail();
>>         return 0;
>>         }
>>     }
>> memcpy(ctx->last, R, AES_BLOCK_LENGTH);
>> ...
>>
>>   }
>>
>> I think under heavy load openssl continuous PRNG test is failing. It might be
>> generating the same values as it applies AES encryption over the data taken
>> from fips_get_dt(ctx).
>>
>>
> Yes, that is (technically) how the code tests if the RNG is failing badly.
> This is a symptom, not a cause.
> The chance of this happening if the RNG is good for anything is
> 1 in 2**128 per test run, thus very unlikely, the chance of this happening more
> than once on the same (working) computer is astronomically small.
>
> So the real problem is that this self-test seems to have found an actual
> security problem.  Running this kind of test to discover such security
> problems is a FIPS requirement.
>
> What the error is apparently saying is that the PRNG as running on your
> machine is *not* FIPS quality and must not be used for any government
> work (and probably not for anything else either!).
>
>>   For windows platform this function takes
>> GetSystemTimeAsFileTime(). like
>> ...
>> #ifdef OPENSSL_SYS_WIN32
>> GetSystemTimeAsFileTime(&ft);
>> buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
>> buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
>> buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
>> buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
>> buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
>> buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
>> buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
>> buf[7] = (unsigned char) ((ft.dwLowDat

Issue With continuous PRNG test with Fips module of openssl

2011-09-14 Thread alok sharma
Hi,
  I am having my client server on Windows. The server is concurrent and
has one thread for each connection. When the number of connections
increases to 400-500, i.e. having high thread load, my server crashes. I
debugged it and found that it gives the error ("random number
generator:FIPS_RAND:prng error") when it tries to invoke SSL_accept(). My
server is Fips compliant. I looked further inside the openssl code and found an
issue with the fips_rand() method (fips/rand/fips_rand.c). Following is my
observation.
 The error is generated at the following point
  fips_rand()
    {
    ...

    if (!ctx->test_mode)
        fips_get_dt(ctx);
    AES_encrypt(ctx->DT, I, &ctx->ks);
    for (i = 0; i < AES_BLOCK_LENGTH; i++)
        tmp[i] = I[i] ^ ctx->V[i];
    AES_encrypt(tmp, R, &ctx->ks);
    for (i = 0; i < AES_BLOCK_LENGTH; i++)
        tmp[i] = R[i] ^ I[i];
    AES_encrypt(tmp, ctx->V, &ctx->ks);
    /* Continuous PRNG test */
    if (ctx->second)
        {
        if (fips_prng_fail){
            memcpy(ctx->last, R, AES_BLOCK_LENGTH);
            RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
        }
        if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))   /* <--- The check is failing as the current encrypted and last one are same */
            {
            RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
            ctx->error = 1;
            fips_set_selftest_fail();
            return 0;
            }
        }
    memcpy(ctx->last, R, AES_BLOCK_LENGTH);
    ...

    }

I think under heavy load the openssl continuous PRNG test is failing. It might be
generating the same values as it applies AES encryption over the data taken
from fips_get_dt(ctx). For the Windows platform this function takes
GetSystemTimeAsFileTime(), like
...
#ifdef OPENSSL_SYS_WIN32
    GetSystemTimeAsFileTime(&ft);
    buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
    buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
    buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
    buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
    buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
    buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
    buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
    buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
...

Please help in this regard. I am using openssl version 0.9.8o.
Regards,
Alok


Query regarding pseudo number generation error in OpenSSL

2011-08-26 Thread alok sharma
Hi,

  I am using openssl in one of my applications. The application
supports multithreading and runs on the Windows platform. This application
uses the openssl 0.9.8.0 version and has support for fips. The application
listens on a particular port and for each new connection it creates a
separate thread. Each thread separately invokes SSL APIs like
SSL_accept()