RSA_public_encrypt and randomness
I have problems using the RSA_public_encrypt function, since it always return -1 (by the way, the return value is the length of the envrypted data, isn't it?) Since I've compiled openssl 0.9.5a in debug mode (as a static library on Windows NT), I was able to observe this sequence of calls: RSA_public_encrypt, rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding), RSA_eay_public_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding), RSA_padding_add_PKCS1_type_2(buf,num,from,flen), RAND_bytes(p,j), rand_meth->bytes(buf,num). The latest functions detect an entropy less than needed and sets the ''ok'' to false (actually, NON TRUE), so that at the end of the function, the following branch is executed: ... RANDerr(RAND_F_SSLEAY_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED); return(0); ... Consequently, all calling functions fail. Is this a bug or am I (probably) missing something? Thanks in advance ------ Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RSA_verify and NID_ripemd160
It seems that the RSA_verify function does not support the NID_ripemd160 hashing algorithm. If I hash data with ripemd160, sign it and try to verify it, the verify function returns 0 (error). Trying to debug I've seen that the ripemd160 algorithm is not checked, and the Verify code tales the branch RSAerr(RSA_F_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH); Any hint? -- Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL and Cross compilers
> Does anybody has ever tried to build OpenSSL with a cross > > compiler to use it > > on an embedded system? > We're doing just that, using our own cross-development tool > (SoftWorks) to > use OpenSSL on our object-oriented real-time executive > (SoftKernel). This > work is currently progressing quite smoothly, thanks to the > quality of the > OpenSSL source code. Are you building the toolkit or the library? I'm trying ti build the library (just want a library with API) on GHS ARM7 cross compiler, but I'm still choosing which file to include into the build and which not. (my first choice was to include all the .c files into crypto sub-directory...) ------ Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Open on HP-UX R 390
We need to compile Open-SSL on a HP-UX R390, but we cant'run the Configure script because the pre-installed perl is not perl 5. We couldn't find a suitable Perl 5 for this O.S. Does anybody has found it ? (URL, please) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PKCS#12 private keys
I wrote the following simple code to read a private key that's inside a
PKCS12 object:
FILE * fp ;
PKCS12* p12=NULL;
EVP_PKEY *prkey=NULL;
if ( (fp = fopen ( p12file, "rb" )) == NULL ) {
return 0
}
d2i_PKCS12_fp(fp, &p12);
if (!PKCS12_parse(p12, pass, &prkey, NULL,NULL)) {
return 0;
}
...
the PKCS12_parse always fail reporting
PKCS12_F_PKCS12_PARSE,PKCS12_R_MAC_VERIFY_FAILURE.
Stepping inside it I've seen that PKCS12_verify_mac fails reporting
PKCS12_F_VERIFY_MAC,PKCS12_R_MAC_GENERATION_ERROR,
Stepping inside PKCS12_verify_mac I've seen that PKCS12_gen_mac fails
reporting PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM.
Finally, stepping inside PKCS12_gen_mac I've seen that (md_type =
EVP_get_digestbyobj) fails reporting
PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_UNKNOWN_DIGEST_ALGORITHM.
What is happening?
I've tried with different p12 and pfx keys and the result was always the
same.
Note that I've been able to load and use these keys by means of others
toolkits and libraries.
Thanks in advance
----------
Marco Donati
Context Security - Software
P.zza Liberazione, 25 - 20013 Magenta (MI)
Phone: ++39-02-97291291, Fax: ++39-02-97298225
E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it
--
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: PKCS#12 private keys
> You haven't read the FAQ: > http://www.openssl.org/support/faq.html#13 I did it, but i forgot :-) Now it works, thanks a lot. -- Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: converting raw signature to PKCS#7 format
> The usual way to do this kind of thing is to write your own RSA_METHOD > to hand over the signing operation (which will probably be > RSA_private_encrypt() ) to the smart card, then place the result in an > EVP_PKEY structure. > What this ultimately does it calls application supplied functions when > the particular key is used. Then you just sign as normal but pass it > your smart card EVP_PKEY structure for the private key. Excuse me, probably I didn't understand well what you said. I have a similar problem. Some smartcards receive the data and put them in a PKCS#1 structure before signing them (but they put the Sha1 Identifier in the DigestAlgorithmIdentifier field) This signatures are well verified by Open SSL if I put them into a signed PKCS#7 and push a Sha1 algorithm identifier into the algorithms stack. Some others smartcards simply encrypt with the private key what you thell them to sign. I can't verify these signatures with Open-SSL. I can't fetch from smartcard the whole private key because the key are onboard generated and only the modulus and public exponent (that is, the public key) are extractable (so how can i put my smartcard private key into an EVP_PKEY?) How can put these raw raw signatures in a PKCS#7? How can i verify smartcard signatures with algorithms other than Sha1? Thanks in advance ---------- Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Open-SSL and PKCS11
> Some smartcards receive the data and put them in > a PKCS#1 structure before signing them (but they > put the Sha1 Identifier in the > DigestAlgorithmIdentifier field). > This signatures are well verified by Open-SSL > if I put them into a signed PKCS#7 and push a > Sha1 algorithm identifier into the algorithms > stack. > Some others smartcards simply encrypt with the private key > what you thell them to sign. > I can't verify these signatures with Open-SSL. I've done a little routine that builds up the PKCS#1 signature and converts it to der, then pass this data to the PKCS11 C_Sign function. Open-SSL verify is ok. But the only way I have to distinguish between Smartcards that build a PKCS1 structure before signing it is the PKCS11 dll name i don't ike it too much. Other ideas? Now the main problem is: > How can i verify smartcard signatures with algorithms other than Sha1? (for smartcards that build themself the PKCS1 signature structure, off course) ??? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Pkcs 12 key generation
I need a simple sequence to generate an RSA private key and to save into a PKCS12 file. I tried to generate the RSA key as in the eay example, converted it to der, converted from der to EVP and pass it to the PKCS12_create function. I don't have a certificate for this key, so the PKCS12_create complains about an invalid NULL parameter (my guess was to pass it a NULL pointer for the Certificate argument). Is there another quick way to do it? I'm in a hurry and i didn't search the FAQs, please be patient :-) Thanks in advance __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Private Keys and PKCS#12
>PKCS#12 files under OpenSSL are intended to have a key and a matching > certificate. AFAIK the same is true of Windows and Netscape > import/export routines. yes, but what if you stil have to request it to a CA... > What do you want a private key alone in PKCS#12 format for? I generate the key, then use it to sign a certificate request (PKCS#10). The PKCS#10 is sent to a CA. When the certificate is issued by the CA it is downloaded (via LDAP) and stored into the original P12 with its key > If you want to save an encrypted private key separately I suggest you > try something like PKCS#8. I need it in PKCS12 for compatibility with onother application. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Private keys and PKCS#12
I've solved my problem and I'd like to thank everybody who wrote me. I modified my low level sequence (the code I posted) to build a pkcs12 bundle with one bag, keeping "shrouded" private key, so i used PKCS12_MAKE_SHKEYBAG/PKCS12_pack_p7data INSTEAD of PKCS12_MAKE_KEYBAG/PKCS12_pack_p7encdata. Maybe I didn't explain the problem clearly, sorry. It seems to work. Thanks to Qun-Ying, but I prefer not to modify the Open-SSL original code so that i will be able to upgrade in the future with minor changes. Thank you ------ Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
new releases
I've haven't looked at the OpenSSL web site and haven't read the mailing list for a while. what's the difference between openssl-0.9.6 and openssl-engine-0.9.6 distribution? Is there any ''what's new'' file to read for these new versions BEFORE downloading them? Thanks __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Open SSL on Solaris 2.6
Is there any place (www, ftp...) where I can download a COMPILED version of Open-SSL (0.9.0.5a or 0.9.6) for Solaris 2.6 ? Thanks -- Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
cannot handle CRL Distribution points
i cannot handle the CRL Distribution Points with the following code: #include "openssl\x509.h" #include "openssl\x509v3.h" X509_EXTENSION*ext=NULL; ASN1_OCTET_STRING*extValue=NULL; STACK_OF(DIST_POINT)*crlDPStack=NULL; X509 *x509=...a valid X509v3 certificate extIndex=X509_get_ext_by_NID(x509,NID_crl_distribution_points,0); ext=X509_get_ext(x509,extIndex); extValue=X509_EXTENSION_get_data(ext); now, to fill the STACK_OF(DIST_POINT)*crlDPStack variable starting from X509_EXTENSION*ext or ASN1_OCTET_STRING*extValue what function should I use? i've tried with crlDPStack=CRL_DIST_POINTS_new(); d2i_CRL_DIST_POINTS(&crlDPStack, X , Xlength); without success: there are no elements inside the array after the call. for X i've tried both the DER encoding of ASN1_OCTET_STRING*extValue and the X509_EXTENSION*ext. Where's the mistake? Is there any FAQ or documentation on these functions? Thanks in advance __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
X509 Key Usage
I have the following problem in determining the key usage of a certificate: after reading a certificate from DER file and converting it to X509 type (by means of d2i_X509), I try to read the ex_kusage and the ex_xkusage. But these fields always contain the value: 3452816845 (or CDCDCDCD in hex, or 11001101repeated 4 times in binary), no matter which certificate I load, even if the certificate has no key usge attributes at all. That value maps, if I understood correctly, onto the following key usages: X509v3_KU_DIGITAL_SIGNATURE0x0080 yes X509v3_KU_NON_REPUDIATION 0x0040 yes X509v3_KU_KEY_ENCIPHERMENT 0x0020 no X509v3_KU_DATA_ENCIPHERMENT 0x0010 no X509v3_KU_KEY_AGREEMENT0x0008 yes X509v3_KU_KEY_CERT_SIGN 0x0004 yes X509v3_KU_CRL_SIGN 0x0002 no X509v3_KU_ENCIPHER_ONLY 0x0001 yes what's wrong? Why do I get always the same value? Are these ex_kusage and ex_xkusage operative or should I extract the key usage extension in other ways (working on cert_info->extensions field, for example) ? Thanks in advance ------ Marco Donati Context Security - Software P.zza Liberazione, 25 - 20013 Magenta (MI) Phone: ++39-02-97291291, Fax: ++39-02-97298225 E-Mail: [EMAIL PROTECTED], Web site:http://www.csg.it -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
BIGNUM representation: MSB and LSB
Given the BIGNUM representation:
typedef struct bignum_st {
BN_ULONG *d;
int top;
int dmax;
int neg;
int flags;
} BIGNUM;
which is the most significant BN_ULONG?
Is it the first or the last one in the list addressed by d?
Thanks in advance
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: BIGNUM representation: MSB and LSB
> I would recommend operating with the output of BN_bn2bin, and > where you need to go back the other way, converting back to a BIGNUM using > BN_bin2bn. The output of BN_bn2bin (and input to BN_bin2bn) is a byte-array > (rather than variable-length words) and is always MS byte first. This also > prevents you getting into trouble from various padding-out issues, > trailing zeroes, and other head-scratchers. Thanks for help, I have another little problem. If I call BN_bn2bin(bn,NULL) just to get the buffer length, I get an exception. My intention was: 1) len=BN_bn2bin(bn,NULL); 2) buffer=(unsigned char*)malloc(len); 3) len=BN_bn2bin(bn,buffer); Is that sequence wrong? Do I have to calculate myself the size of returned buffer? Is the buffer allocated from the BN_bn2bin itself? (I don't think, looking at the prototype) what's the difference between BN_bn2bin and the BN_bn2mpi ? thanks in advance __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
smime application: stupid question
smime.p7m
smime application: stupid question
Oooops, the message I sent previously was SMIME :-), sorry Here's the text: I'm playing with the smime application. what certs and key (PEMs supplied with Open-SSL package) should I use to make a correct signature? I'm trying: smime -sign -signer cert.pem -inkey privkey.pem -passin ??? -in input.txt -out signedSMIME.txt Is it correct? What is the password for the privkey? Thanks in advance __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PKCS7_cert_from_signer_info with signed_and_enveloped p7...
why the ''PKCS7_cert_from_signer_info'' function checks if the PKCS7 is signed but not signed_and_enveloped ? I need to extract the signer cert form a multi-signature AND multi-recipient PKCS7 (signed_and_enveloped with more than one SignerInfo and more than one RecipientInfo). What I've done is to reuse the code from PKCS7_cert_from_signer_info with this check removed. It seems to work butwas there any important reason to check if the p7 was just signed? thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Parse this! :-)
I have a problem with the attached PKCS#12 key (generated and used with other tools). The PKCS12_parse return value is not 0, but the EVP_PKEY* remains NULL. The PKCS12 password is ''12071971'', in case you want to try (yes, it's a birth date:-)) Any hint? Thanks in advance parsethis.p12 Description: parsethis.p12
PKCS12_parse problem
Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help.
If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error:
<<
5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest
algorithm:p12_mutl.c:80:
5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105:
5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121:
>>
If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained''
error:
<<
5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
>>
Let me underline again some facts:
1) the first call to PKCS12_parse is ok
2) the PKCS12_parse calls starting from the second reports the error above
3) if we restart the application we have the same behavior (first call OK, then errors)
4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't
tried intermediate versions)
5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like
''X509_verify(userCert,X509_extract_key(CACert))''
or
''X509_CRL_verify(crl,pubKey)''
that returned no error with the same files/data using OpenSSL 0.9.6c
Help! :-)
- Original Message -
Don't you also have to call
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
?
I had to. And I think there's a replacement in 0.9.7 IIRC.
- Original Message -
From: "Francesco Dal Bello" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 17, 2002 11:44 AM
Subject: R: PKCS12_parse problem
On Wed, Oct 16, 2002, Dr. Stephen Henson wrote:
> What error do you get (see FAQ)?
These are the errors reported:
21153:error:06074079:lib(6):func(116):reason(121):evp_pbe.c:89:TYPE=pbeWithS
HA1And3-KeyTripleDES-CBC
21153:error:23077073:lib(35):func(119):reason(115):p12_decr.c:82:
21153:error:2306A075:lib(35):func(106):reason(117):p12_decr.c:121:
21153:error:23076072:lib(35):func(118):reason(114):p12_kiss.c:127:
> Are you calling OpenSSL_add_all_algorithms() more than once?
My function is like the following:
int MyFunc()
{
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
...
if (!PKCS12_parse(p12, passphrase, &prkey, NULL,NULL)) {
error handling
ERR_print_error_fp(stderr);
}
...
EVP_cleanup();
}
The first call to this function is OK.
Subsequent calls cause the error above.
Thanks in advance.
Francesco.
-Messaggio originale-
Da: Dr. Stephen Henson [mailto:steve@;openssl.org]
Inviato: mercoledì 16 ottobre 2002 23.53
A: [EMAIL PROTECTED]
Oggetto: Re: PKCS12_parse problem
On Wed, Oct 16, 2002, Francesco Dal Bello wrote:
>
> Greetings.
>
> I recently re-compiled my application with OpenSSL 0.9.6g (it was
> previously linked with 0.9.6c).
>
> I have a problem with the ''PKCS12_parse'' function that I didn't have
> before (platform is Solaris 8).
>
> If my application calls ''PKCS12_parse'' more than once (at different
> moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL
> SUCCEED.
> Calls after the first return 0.
>
> Since I'm only interested in extracting the private key, my call is
> like:
>
> if (!PKCS12_parse(p12, passphrase, &prkey, NULL,NULL))
> error handling
>
> This problem didn't happen with 0.9.6c.
>
> I'm quite sure that the p12 argument is a valid pointer to a PKCS#12
> structure because every time I :
>
> open the key file (abort if it fails),
>
> read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it
> fails)
>
> close the key file
>
> call the PKCS12_parse
>
>
> Any hint, FAQ or known problem?
>
What error do you get (see FAQ)?
Are you calling OpenSSL_add_all_algorithms() more than once?
I've seen this reported before but couldn't reproduce it myself.
Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Post a follow-up to this message
__
OpenSSL Project http
R: PKCS12_parse problem
Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls. There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms(). Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ? This could be not straightforward Thanks in advance > -Messaggio originale- > Da: Dr. Stephen Henson [mailto:steve@;openssl.org] > Inviato: mercoledì 23 ottobre 2002 18.14 > A: [EMAIL PROTECTED] > Oggetto: Re: PKCS12_parse problem > > > On Wed, Oct 23, 2002, Marco Donati wrote: > > > Adding OpenSSL_add_all_ciphers() or > OpenSSL_add_all_digests() doesn't help. > > > > If we comment out the OpenSSL_add_all_algorithms() call, we > get the ''correct'' error: > > > > << > > 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown > digest algorithm:p12_mutl.c:80: > > 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac > generation error:p12_mutl.c:105: > > 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify > failure:p12_kiss.c:121: > > >> > > > > If we put the OpenSSL_add_all_algorithms() back in the code > we get the ''unexplained'' error: > > > > << > > 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80: > > 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105: > > 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121: > > >> > > > > Let me underline again some facts: > > > > 1) the first call to PKCS12_parse is ok > > > > 2) the PKCS12_parse calls starting from the second reports > the error above > > > > 3) if we restart the application we have the same behavior > (first call OK, then errors) > > > > 4) the error happens only with OpenSSL 0.9.6g, NOT with > OpenSSL 0.9.6c (we haven't tried intermediate versions) > > > > 5) with openSSL 0.9.6g we get ''similar'' (related?) error > in calls like > > > Are you calling EVP_cleanup() in between calls? > > You should really only call OpenSSL_add_all_algorithms() once > on application > startup and EVP_cleanup() when it shuts down. > > Steve. > -- > Dr. Stephen Henson [EMAIL PROTECTED] > OpenSSL Project http://www.openssl.org/~steve/ > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
undefined symbols in libssl
Greetings, we have posted this a couple of times but never get an answer... We have written an intermediate library for our applications based upon OpenSSL ''libcrypto''. All is OK on all platform (win32, Solaris, Linux) If we try to extent our library with ssl capabilities and include the ''libssl'', then our library seems to link correctly but we have a problem when we try to link with it the final application. We are getting errors like (Solaris) Undefined first referenced symbol in file COMP_CTX_free .../libssl.a(s3_enc.o) EVP_enc_null.../libssl.a(ssl_ciph.o) COMP_compress_block .../libssl.a(s3_pkt.o) BIO_f_buffer.../libssl.a(ssl_lib.o) COMP_expand_block .../libssl.a(s3_pkt.o) X509_STORE_load_locations .../libssl.a(ssl_lib.o) X509_STORE_set_default_paths.../libssl.a(ssl_lib.o) X509_certificate_type .../libssl.a(s3_clnt.o) COMP_CTX_new.../libssl.a(s3_enc.o) BIO_s_socket.../libssl.a(ssl_lib.o) ERR_load_crypto_strings .../libssl.a(ssl_err2.o) ld: fatal: Symbol referencing errors. No output written to ... collect2: ld returned 1 exit status *** Error code 1 or (Linux) In function `ssl3_change_cipher_state': s3_enc.o(.text+0x90): undefined reference to `COMP_CTX_new' s3_enc.o(.text+0x455): undefined reference to `COMP_CTX_free' s3_enc.o(.text+0x4e0): undefined reference to `COMP_CTX_new' s3_enc.o(.text+0x535): undefined reference to `COMP_CTX_free' s3_pkt.o(.text+0x36): undefined reference to `COMP_expand_block' s3_pkt.o(.text+0x2f8): undefined reference to `COMP_compress_block' t1_enc.o(.text+0x96): undefined reference to `COMP_CTX_new' t1_enc.o(.text+0x6f5): undefined reference to `COMP_CTX_free' t1_enc.o(.text+0x779): undefined reference to `COMP_CTX_new' t1_enc.o(.text+0x7c5): undefined reference to `COMP_CTX_free' ssl_lib.o(.text+0x1755): undefined reference to `COMP_CTX_free' ssl_lib.o(.text+0x1775): undefined reference to `COMP_CTX_free' ssl_lib.o(.text+0x18b4): undefined reference to `BIO_f_buffer' ssl_lib.o(.text+0x1e20): undefined reference to `BIO_s_socket' ssl_lib.o(.text+0x1f13): undefined reference to `BIO_s_socket' ssl_lib.o(.text+0x20c3): undefined reference to `BIO_s_socket' ssl_lib.o(.text+0x33ab): undefined reference to `X509_STORE_set_default_paths' ssl_lib.o(.text+0x33e3): undefined reference to `X509_STORE_load_locations' ssl_ciph.o(.text+0x147): undefined reference to `EVP_enc_null' also, note that the missing symbols the linker complains for are NOT called from our code directly, since our code calls top level ssl functions only. The problem arise only on Solaris and Linux platoform, NOT ON WIN32. We don't have this problem if we comment out ssl related code form our sources and ''libssl'' from our makefile. Any hint? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
