RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

Yes, I use pthreads on Windows.  Since you stated "How would you handle TSD,
for example? There is no *portable* way to hook the destruction of a
thread." I figured you were dismissing pthreads as non-portable due to it
not being natively available on Windows, and accepted that you were only
interested in native threading.  You may have forgotten about:
int pthread_key_create(pthread_key_t *key, void
(*destructor)(void*));

There are so many things that can't be done portably.
Daemons/Windows-services, sockets/winsock, drive/mount enumeration, GUIs(!),
etc.  I don't give these a low priority just because there are system
specifics involved.  Check out all of the #if's in OpenSSL; the crypto/rand
code for starters.  It would be nice to write pure POSIX code that works
across all platforms but in reality how often is this possible for anything
other than a trivial app?  Encapsulating system specifics is a perfectly
reasonable compromise, and the same can obviously be done for threading and
dynamic library management.  Pthread-win32 is of course such a library.

I don't know that repeatedly loading and unloading DLLs is unusal.  Sure,
doing so constantly would be weird, but I've already stated that the example
I presented was extreme in order to illustrate the point that we are talking
about a leak.  Good point, if OpenSSL was documented to not support being
dynamically loaded/unloaded/reloaded then my argument would be moot, but I
don't believe it is documented, so arguing over this is a religious war at
best.  It seems that you've not needed to dynamically load/unload/reload
DLLs, but believe me, there are scenarios where it needs to be done.  And
when you do, this leak quacks like a leak.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 16 November 2005 5:46 PM
To: openssl-users@openssl.org
Subject: RE: SSL_library_init - missing 36 bytes after cleanup


> There may be no portable way to handle TSD cleanup, but there is no 
> portable way to do threading at all anyway, so I'm not sure what your 
> argument is there.


Huh? POSIX threads are portable. There are even support libraries
for WIN32.

> I'm not arguing that any of this needs to be done in a portable way, 
> and of course it cannot be since dynamically loadable modules (and
> threading) are outside the scope of the C standard.

Well, that's the problem. When you're trying to maintain a portable
library, doing things that can't be done portably gets a low priority. It is
often a better choice just not to do them.

> My original response
> was to correct your reply to Steffen in which you stated that these 36 
> bytes are not leaked.  The fact is that they are.  Perhaps it's not a 
> serious leak, but a leak nonetheless.

They are leaked only if a program repeatedly opens and closes the
OpenSSL library. If this is not supported, then they are only leaked if the
library's interface contract is broken.

I don't know if OpenSSL is supposed to specifically support the
unusual use of being dynamically linked, and repeatedly opened and closed. A
leak that only occurs under unsupported usage is not a leak if only
supported usage is attempted.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

I don't understand how the memory could be reused since there is no
mechanism that I know of that the runtime library would or could use to
track this.  For a dynamically linked C runtime library the allocated memory
is held in the heap that remains after the library unloads, at which time
the pointer to it is lost.  When the library reloads there is no way, at
least that I know of, that this memory could be found again.

There may be no portable way to handle TSD cleanup, but there is no portable
way to do threading at all anyway, so I'm not sure what your argument is
there.  I'm not arguing that any of this needs to be done in a portable way,
and of course it cannot be since dynamically loadable modules (and
threading) are outside the scope of the C standard.  My original response
was to correct your reply to Steffen in which you stated that these 36 bytes
are not leaked.  The fact is that they are.  Perhaps it's not a serious
leak, but a leak nonetheless.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 16 November 2005 3:03 PM
To: openssl-users@openssl.org
Subject: RE: SSL_library_init - missing 36 bytes after cleanup


> Dismissing leaks as one-off's is a pet peeve of mine.  The notion of 
> one-off leaks in an executable is arguably passable, but becomes a 
> plain old memory leak just like any other when packaged as a library.

Not if the memory is reused if the library is unloaded and reloaded.

How would you handle TSD, for example? There is no *portable* way to
hook the destruction of a thread.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

Sure, that's a contrived and extreme example, but the best way to illustrate
such a leak.  For long-running (24x7) servers that may consist of many
components and subcomponents this scenario can occur.  With large enterprise
server applications that are built with processes that value component
re-use it's effectively impossible to know how some low-level subcomponent
is implemented.  While excessively loading and unloading DLLs may be less
efficient, a 36 byte leak occuring frequently enough will bring down a
server in time.

I disagree with it being prohibitively expensive to eradicate such leaks.
Yes it takes some effort, but a library-lifetime structure to house such
"global" dynamically allocated data, or a cleanup callback registration
scheme, makes it trivial to release it all when appropriate.  I guess it
depends on how much you value leak-free code.  For me it's a
needle-in-a-haystack problem; that every "one-off" leak has the potential to
mask real leaks and make using leak detection tools such as Purify and
BoundsChecker less fruitful.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 16 November 2005 3:02 PM
To: openssl-users@openssl.org
Subject: RE: SSL_library_init - missing 36 bytes after cleanup


> I understand about one-off leaks, but we're talking about a 
> dynamically loadable library when we're talking about OpenSSL.

> What would happen if an application did something like this:
>
>   for (int i=0; i<1000; i++)
>   {
>   hSSL = LoadLibrary("libssl.so")
>   fn = GetSymbol(hSSL, SSL_COMP_get_compression_methods);
>   fn();
>   ReleaseLibrary(hSSL);
>   }

> Is it still a one-off leak?

It is often effectively impossible to fully clean up without
destroying the process. It may be a good goal to aim for, but it is by no
stretch of the imagination a requirement.

I would argue that an application that did something like that is
broken.
If you plan to reuse a library soon, unloading it and reloading it is
broken.

> Unfreed memory is not a problem in an application, but it's a whole 
> different story in a library.

Nevertheless, perfectly freeing everything is not always possible
and not always worth the effort. In this particular case, it is a trivial
bug.

> Another example of such problems in libraries is atexit().  atexit() 
> works great in an application, but use it in libssl.so when used in 
> the code above and you'll most likely get a hard crash when the 
> application terminates because the handler is still registered with 
> the C runtime library, but the code has been unloaded.

It really depends upon what types of use the library is supposed to
support. Not every library claims to be suitable to use this way and for
some problems, it's simply prohibitively expensive to make them do so.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

That is my point, that "one-off" leaks in DLLs are not one-off leaks at all.
While statically linking against the C runtime library certainly works
around the issue (at least on Windows, and as you say on Mac) it is a poor
resolution for a memory leak as it sacrifices the benefits of using a DLL.
Since OpenSSL doesn't statically link against the C runtime on Windows it's
a further indication that the issue raised by Steffen is in fact the leak
that he presumed.

Dismissing leaks as one-off's is a pet peeve of mine.  The notion of one-off
leaks in an executable is arguably passable, but becomes a plain old memory
leak just like any other when packaged as a library.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Juran
Sent: Wednesday, 16 November 2005 1:44 PM
To: openssl-users@openssl.org
Subject: Re: SSL_library_init - missing 36 bytes after cleanup

On Nov 15, 2005, at 9:00 PM, Steven Reddie wrote:

> I understand about one-off leaks, but we're talking about a 
> dynamically loadable library when we're talking about OpenSSL.
>
> What would happen if an application did something like this:
>
>   for (int i=0; i<1000; i++)
>   {
>   hSSL = LoadLibrary("libssl.so")
>   fn = GetSymbol(hSSL, SSL_COMP_get_compression_methods);
>   fn();
>   ReleaseLibrary(hSSL);
>   }
>
> Is it still a one-off leak?
>
> Unfreed memory is not a problem in an application, but it's a whole 
> different story in a library.

I agree that the rules are different for shared libraries, and if ssl hasn't
cleaned up after itself completely when the call to
ReleaseLibrary() returns, it's a leak.

My experience with dynamically linked libraries is limited to Mac OS' 
Code Fragment Manager, where I've avoided some issues by linking plugins
against the standard library statically, so each one gets its own malloc
pool.  I also generally work in C++, where I can use statically allocated
objects with constructors and destructors, such as smart pointers.

> Another example of such problems in libraries is atexit().  atexit() 
> works great in an application, but use it in libssl.so when used in 
> the code above and you'll most likely get a hard crash when the 
> application terminates because the handler is still registered with 
> the C runtime library, but the code has been unloaded.

If OpenSSL claims to be usable when dynamically loaded, then it's a bug in
OpenSSL.  Otherwise, it's a bug in the code that's loading it.

Josh

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Juran
> Sent: Wednesday, 16 November 2005 12:38 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_library_init - missing 36 bytes after cleanup
>
> On Nov 15, 2005, at 7:29 PM, Steven Reddie wrote:
>
>> David,
>>
>> If 36 bytes are being dynamically allocated and not being freed how 
>> is it not a leak?
>>
>> Steven
>
> Because it only happens once.
>
> Imagine that when you shut off a faucet, water drips out for the next 
> ten seconds and then stops.  That's not a leak, and it's not a 
> problem.
>   What would be (both a problem and a leak) is water continually 
> dripping at a regular frequency.
>
> The 36 bytes is not considered a leak because it's acquired only once 
> as a part of initialization, not proportionally to the use of your 
> application.
> And it does get released -- when the process exits. :-)
>
> If it's a problem, maybe you should invest in a RAM upgrade...  :-D

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

I understand about one-off leaks, but we're talking about a dynamically
loadable library when we're talking about OpenSSL.

What would happen if an application did something like this:

for (int i=0; i<1000; i++)
{
hSSL = LoadLibrary("libssl.so")
fn = GetSymbol(hSSL, SSL_COMP_get_compression_methods);
fn();
ReleaseLibrary(hSSL);
}

Is it still a one-off leak?

Unfreed memory is not a problem in an application, but it's a whole
different story in a library.

Another example of such problems in libraries is atexit().  atexit() works
great in an application, but use it in libssl.so when used in the code above
and you'll most likely get a hard crash when the application terminates
because the handler is still registered with the C runtime library, but the
code has been unloaded.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joshua Juran
Sent: Wednesday, 16 November 2005 12:38 PM
To: openssl-users@openssl.org
Subject: Re: SSL_library_init - missing 36 bytes after cleanup

On Nov 15, 2005, at 7:29 PM, Steven Reddie wrote:

> David,
>
> If 36 bytes are being dynamically allocated and not being freed how is 
> it not a leak?
>
> Steven

Because it only happens once.

Imagine that when you shut off a faucet, water drips out for the next ten
seconds and then stops.  That's not a leak, and it's not a problem. 
  What would be (both a problem and a leak) is water continually dripping at
a regular frequency.

The 36 bytes is not considered a leak because it's acquired only once as a
part of initialization, not proportionally to the use of your application.
And it does get released -- when the process exits. :-)

If it's a problem, maybe you should invest in a RAM upgrade...  :-D

Josh

> -Original Message-
> [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
> Sent: Wednesday, 16 November 2005 10:09 AM
>
>   These are 36 bytes that are consumed and used by the library. They 
> are not leaked but they cannot be freed.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL_library_init - missing 36 bytes after cleanup

[Steven Reddie]

David,

If 36 bytes are being dynamically allocated and not being freed how is it
not a leak?

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 16 November 2005 10:09 AM
To: openssl-users@openssl.org
Subject: RE: SSL_library_init - missing 36 bytes after cleanup


> I use valgrind to check my code, and I can't seem to be able to free 
> up 36 bytes.

So what?

> SSL_library_init() allocates 36 bytes that I am not able to free using 
> the regular cleanup functions.

Correct.

> The details:
> SSL_library_init calls SSL_COMP_get_compression_methods() if 
> OPENSSL_NO_COMP is defined.
>
> The SSL_COMP_get_compression_methods() calls 
> load_builtin_compression()
>
> The load_builtin_compression allocates sizeof(SSL_COMP) dynamically.
>
> These are the 36 bytes that are taken away from me :-)

Yep.

> Is this a leak,

No.

> or are they cleaned up in any sense by any of the cleanup functions ?

No.

These are 36 bytes that are consumed and used by the library. They
are not leaked but they cannot be freed.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Rand_status so slow on windows

[Steven Reddie]

Yes, that's right.  The initialized flag is local to 
the module that it is in and is only set when calling RAND_status and I think 
one other function (maybe RAND_get_bytes).  If you wish to modify the 
OpenSSL code directly you could get rid of the "if (!initialized)" test and rely 
only on the "if (entropy_gatherered < ENTROPY_NEEDED)"statement that follows 
it.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Duane 
StoreySent: Friday, 21 October 2005 2:42 PMTo: 
openssl-users@openssl.orgSubject: RE: Rand_status so slow on 
windows


I find even using 
rand_load_file doesn’t set the state to initialized.. i.e. calling rand_status 
still causes that huge lag to occur.. can anyone recommend any code changes that 
may speed this up?
 
Thanks.
 

CONFIDENTIALITY NOTICE
This email and any files transmitted with 
it contains proprietary information and, unless expressly stated otherwise, all 
contents and attachments are confidential. This email is intended for the 
addressee(s) only and access by anyone else is unauthorized. If you are not an 
addressee, any disclosure, distribution, printing or copying of the contents of 
this email or its attachments, or any action taken in reliance on it, is 
unauthorized and may be unlawful. If you are not an addressee, please inform the 
sender immediately and then delete this email and any copies of it. Thank you 
for your co-operation.




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Steven 
ReddieSent: Thursday, October 
20, 2005 7:41 PMTo: 
openssl-users@openssl.orgSubject: RE: Rand_status so slow on 
windows
 
RAND_status will 
trigger seeding of the PRNG if it has not been initialised.  On Windows the 
entropy gathering can take a long time due to the heap walking and performance 
counter accesses.  Whether it completes in a reasonable time or takes much 
longer can depend on current system activity and what performance counters have 
been installed.  Although adding entropy data with RAND_add increments the 
entropy count it doesn't set the initialized flag that rand_status uses.  I 
believe the only ways to fix this are:
1. Drop in your 
own PRNG implementation with RAND_set_rand_method
2. Drop in your own 
ENGINE that provides a PRNG implementation with 
RAND_set_rand_engine
3. Change the OpenSSL 
source code
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Duane 
StoreySent: Friday, 21 October 
2005 10:10 AMTo: 
openssl-users@openssl.orgSubject: Rand_status so slow on 
windows
Anyone know why rand_status is so 
slow on windows?  Any suggestions how to speed it 
up?
 
 
CONFIDENTIALITY NOTICE
This email 
and any files transmitted with it contains proprietary information and, unless 
expressly stated otherwise, all contents and attachments are confidential. This 
email is intended for the addressee(s) only and access by anyone else is 
unauthorized. If you are not an addressee, any disclosure, distribution, 
printing or copying of the contents of this email or its attachments, or any 
action taken in reliance on it, is unauthorized and may be unlawful. If you are 
not an addressee, please inform the sender immediately and then delete this 
email and any copies of it. Thank you for your 
co-operation.
 

RE: Rand_status so slow on windows

[Steven Reddie]

RAND_status will trigger seeding of the PRNG if it has not 
been initialised.  On Windows the entropy gathering can take a long time 
due to the heap walking and performance counter accesses.  Whether it 
completes in a reasonable time or takes much longer can depend on current system 
activity and what performance counters have been installed.  Although 
adding entropy data with RAND_add increments the entropy count it doesn't set 
the initialized flag that rand_status uses.  I believe the only ways to fix 
this are:

1. Drop in your own PRNG implementation with 
RAND_set_rand_method
2. Drop in your own ENGINE that provides a PRNG 
implementation with RAND_set_rand_engine3. Change the OpenSSL source 
code


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Duane 
StoreySent: Friday, 21 October 2005 10:10 AMTo: 
openssl-users@openssl.orgSubject: Rand_status so slow on 
windows


Anyone know why rand_status is so 
slow on windows?  Any suggestions how to speed it 
up?
 
 
CONFIDENTIALITY NOTICE
This email 
and any files transmitted with it contains proprietary information and, unless 
expressly stated otherwise, all contents and attachments are confidential. This 
email is intended for the addressee(s) only and access by anyone else is 
unauthorized. If you are not an addressee, any disclosure, distribution, 
printing or copying of the contents of this email or its attachments, or any 
action taken in reliance on it, is unauthorized and may be unlawful. If you are 
not an addressee, please inform the sender immediately and then delete this 
email and any copies of it. Thank you for your 
co-operation.
 

RE: Runnning openssl test

[Steven Reddie]

Hi Dharmesh,
 
The output hasn't been made to facilitate easy 
parsing.  A pragmatic approach may be to grep for "done" and "ok" (and 
perhaps "fail" and "err") and save the output from a known good run and 
compare subsequent runs against that.
 
Regards,
 
Steven



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dharmesh 
VyasSent: Friday, 21 October 2005 4:19 AMTo: 
undisclosed-recipients:Subject: Runnning openssl 
test
Hello,I just started working on openssl. I am 
running make test and redirecting the output to a log file. After that I am 
writing a parser that will scan the log file and will show the count of tests 
passed, failed, warnings etc. I have one doubt on this. I went throught 
the log file attached. In that it shows the 2220 tests passed, but after that 
also there are some statements like --->test elliptic curvesSEC2 curve secp160r1 -- 
Generator: x = 
0x4A96B5688EF573284664698968C38BB913CBFC82 y = 
0x23A628553168947D59DCC912042351377AC5FB32verify degree ... okverify group order  oktesting ECDSA_sign() and ECDSA_verify() 
with some internal curves:secp160k1: ... oksecp160r1: ... oksecp160r2: ... oksecp192k1: ... okTesting key generation with NIST 
Prime-Curve P-192  okTesting key generation with NIST 
Prime-Curve P-224  oktesting X509 conversionsp -> dp -> np -> pd -> dn -> dp -> dPKCS #1 v1.5 encryption/decryption 
okTesting cipher 
AES-128-ECB(encrypt)Key 00 01 02 03 04 05 06 07 08 09 0a 0b 
0c 0d 0e 0fPlaintext 00 11 22 33 44 55 66 77 88 99 aa bb 
cc dd ee ffCiphertext 69 c4 e0 d8 6a 7b 04 30 d8 cd b7 80 
70 b4 c5 5atest tls1 with 1024bit anonymous DH, 
multiple handshakesAvailable compression methods:  NONEDONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHADONE via BIO pair: TLSv1, cipher 
TLSv1/SSLv3 ADH-AES256-SHA10 handshakes of 256 bytes 
done    
-->can anyone please tell me how to count 
the no. of tests?? is it like 2220 is the count of all the tests?? orall 
showed as 'Ok' or 'Done' or '10 handshakes of 256 bytes done' are different 
tests or what??? how shall i count them?please guild me on this, what's 
the format of the log file?? how can i differentiate on no. of tests, no. of 
tests passed, failed , errors etc.Thanks and RegardsDharmesh.

RE: rsa_publiic_encrypt problem

[Steven Reddie]

It sounds like a padding issue.  Which padding mode are you specifying, what
is the key length, and what is the length of the plaintext?  To be clear,
the encrypt succeeds all of the time, but the decrypt fails half of the
time? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Rutherford
Sent: Tuesday, 20 September 2005 2:53 AM
To: openssl-users@openssl.org
Subject: rsa_publiic_encrypt problem

Hi All,

I have a strange problem with RSA_Public_Encrypt.  Basically it only
produces decipherable information about 50% of the time, but with the same
clear text string.  i.e. I have an RSA encrypt decrypt benchmark program
using a static clear text char string.  sometimes it works, but other times
it produces a padding error when I decrypt, but using the same clear text.
Is this some kind of seeding problem?  How else could it work about 50% of
the time with the same clear text?

Thanks

Chris R




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Cross compilation of openSSL for ARM platform fails

[Steven Reddie]

Maybe the C files get compiled with the correct compiler, 
but you probably don't want that x86cpuid-elf file being compiled for ARM since 
it's for x86.  You seem to have ended up with an x86 configuration 
(probably linux-elf which although it doesn't explicitly state it is in this 
case for an x86 system).  What was the platform listed in the "Configured 
for xx" line at the end of the output of the ./config 
command?
 
Also, what ARM 
platform is it that you're targetting.  A Windows CE device, or something 
else.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Kumar 
VenkateshSent: Monday, 12 September 2005 3:48 PMTo: 
openssl-users@openssl.orgSubject: Cross compilation of openSSL for 
ARM platform fails
Hello, I've been trying to use openSSL for my ARM platform, 
and I'm having trouble configuring it for ARM.Here is what I've 
tried:1. ./config --prefix=/home/base/openssl/binary 
--openssldir=/home/base/openssl/binary/openssldir2. Once the Make file 
has been created, I've edited the makefile and commented the lines that have the 
CC, AR and ranlib. I've done this since my environment already has these 
variables set to the ARM tools that I want to use. (arm-linux-gcc)3. 
Removed the references to the -mcpu=pentium lines in the Makefile in the main 
directory.When I do this, I can see that control goes to the crypto 
directory and the .c files do get compiled with the correct compiler. 
But, the x86cpuid-elf.s file fails to compile and gives these 
errors:x86cpuid-elf.s: Assembler messages:x86cpuid-elf.s:10: Error: 
unrecognized symbol type ""x86cpuid-elf.s:11: Error: alignment too large: 15 
assumedx86cpuid-elf.s:13: Error: bad instruction `pushl 
%ebp'x86cpuid-elf.s:14: Error: bad instruction `pushl 
%ebx'x86cpuid-elf.s:15: Error: bad instruction `pushl 
%esi'x86cpuid-elf.s:16: Error: bad instruction `pushl 
%edi'x86cpuid-elf.s:18: Error: bad instruction `xorl 
%edx,%edx'x86cpuid-elf.s:19: Error: bad instruction 
`pushfl'[]Any help will be 
appreciated.thanks,Venkatesh.

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

Sure, I'm not discounting the value of being able to do pretty printing.  I
was just thinking about using the decoded data further than that, and in all
situations I can think of knowing the data format is important (and a
given).  Even with XML, where you could use XPATH/XQUERY to drill down into
the decoded structure, without any knowledge of the structure it's not going
to be very useful other than being able to print all INTEGERs with something
along the lines of "select */INTEGER".

I suspect that the reason for favouring implicit over explicit tagging came
from the fact that it uses less octets.  For my use of ASN.1 the extra
octets that outright explict use would cause aren't a problem, but for the
telecoms that ASN.1 was developed for it is a genuine concern, where more
data per channel means less concurrent channels.

ASN.1 is still a whole lot better than a proprietary format where you get
_nothing_ without knowledge of the specific data format, but it's no XML in
this respect (though thankfully doesn't suffer the same bloat).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Friday, 9 September 2005 8:03 AM
To: openssl-users@openssl.org
Subject: RE: OCSP, Nonce and the requestExtensions


> I guess I just haven't come across a case in practice (other than 
> pretty
> printing) where I needed to decode without knowledge of the format of 
> the data.

Pretty printing can be an important part of testing, debugging, and
securing.

> I also feel that there are worse things done with ASN.1, from the 
> standpoint of being able to parse the data in it's entirety without 
> knowledge of the format,

I'm not asking to be able to parse the data in its entirety. Just to
be able to identify the objects that I can parse. I can parse BER integers,
so I'd like to be able to find them.

> that make this implicit tagging issue pale in comparison, such as 
> encoding entire objects into an OCTET STRING member of a structure.  
> The value of an X.509 extension is a good example where, even in the 
> absence of implicit tagging, the content of the extension value is 
> largely unknown:
>
> Extension  ::=  SEQUENCE  {
> extnID  OBJECT IDENTIFIER,
> criticalBOOLEAN DEFAULT FALSE,
> extnValue   OCTET STRING  }

I'm wouldn't say this is worse, I would say it is another example of
the same thing.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

I understand you're point.  I can imagine some interesting things done with
XSLT.

I guess I just haven't come across a case in practice (other than pretty
printing) where I needed to decode without knowledge of the format of the
data.  I also feel that there are worse things done with ASN.1, from the
standpoint of being able to parse the data in it's entirety without
knowledge of the format, that make this implicit tagging issue pale in
comparison, such as encoding entire objects into an OCTET STRING member of a
structure.  The value of an X.509 extension is a good example where, even in
the absence of implicit tagging, the content of the extension value is
largely unknown:

Extension  ::=  SEQUENCE  {
extnID  OBJECT IDENTIFIER,
criticalBOOLEAN DEFAULT FALSE,
extnValue   OCTET STRING  }

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Thursday, 8 September 2005 10:35 PM
To: openssl-users@openssl.org
Subject: RE: OCSP, Nonce and the requestExtensions


> Is this a concern for real applications, things other than pretty 
> printers and protocol dumpers?

Yes.

> I agree that it makes it difficult to
> understand the
> content without a format description, but it's no worse than some 
> proprietary encoding.  Is translating into XML without knowing the 
> "language" of the format something that needs to be done?

Yes. A generic BER->XML converter and XML->BER converter would be
very handy. That would easily let people interact with a variety of BER
applications even in languages that don't manipulate raw binary very well.

Another example is a C++ BER decoder. When an integer is received,
it is expected to decode it into its integral value. But how can it do that
if it can't tell what's an integer and what isn't?

> I would have
> thought that anything that isn't understood should be left as a "black 
> box"
> blob for a downstream decoder to handle.

The idea is to be able to convert BER encoded integers from the BER
binary form to host form in once place. The idea is to convert BER encoded
floating point values, bit streams, strings, and the like into the
appropriate native format once, when they're received.

It's a horrible mixing of layers to have the protocol engine receive
decoded objects from the BER decoder and then have to pass objects into
another BER decoder (or back into it), once it figured out what type they
were.

How fun would it be to code, say, a telnet server if TCP required a
similar mechanism?

> You get similar things in XML
> where there might be a MIIB...=.

I don't think they're really similar because it's not clear there's
a better way in this case. It's obvious that BER can provide a better way --
explicit typing. Frankly, I think it's a real shame the BER specification
didn't say that if you want to send a BER-encoded integer, you should do it
in an object of type INTEGER.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

I don't believe there are any hard-and-fast rules about which to use.  In
most situations it's perhaps a personal design choice.  However, as David
pointed out implicit tagging seems to be the default with explict used only
when necessary.  I don't recall the particulars right now but implicit
tagging of a CHOICE within another CHOICE is a real pain to deal with and so
explicit tagging may be preferable in this case.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sravan
Sent: Thursday, 8 September 2005 4:44 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

Hi Steven,
I understood what will be the encoding when we use explicit & implicit
tagging. that is what you explained.
But what i really want to know is - In which context we will use explict
tagging & in which context we will use implicit tagging.

- Sravan

Steven Reddie wrote:

>By using explicit tagging the underlying object is encoded as it would 
>be if standalone.  Implict tagging avoids adding a wrapper around the 
>object but results in the underlying object being slightly altered.
>
>As an example, the encoding of the certificate within MyStructExplicit 
>will be the same as the encoding on MyCertificate (for the same 
>certificate), whereas the encoding of the certificate within 
>MyStructImplicit will be different due to the tag being modified.
>
>MyCertificate ::= Certificate
>
>MyStructExplicit ::= SEQUENCE {
>certificate  [0] EXPLICIT Certificate }
>
>MyStructImplicit ::= SEQUENCE {
>certificate  [0] IMPLICIT Certificate }
>
>Is that any clearer?
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of sravan
>Sent: Thursday, 8 September 2005 3:53 PM
>To: openssl-users@openssl.org
>Subject: Re: OCSP, Nonce and the requestExtensions
>
>Hi Steven,
>I would like to know point 2.
>
>- Sravan
>  
>


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

Is this a concern for real applications, things other than pretty printers
and protocol dumpers?  I agree that it makes it difficult to understand the
content without a format description, but it's no worse than some
proprietary encoding.  Is translating into XML without knowing the
"language" of the format something that needs to be done?  I would have
thought that anything that isn't understood should be left as a "black box"
blob for a downstream decoder to handle.  You get similar things in XML
where there might be a MIIB...=.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Thursday, 8 September 2005 4:56 PM
To: openssl-users@openssl.org
Subject: RE: OCSP, Nonce and the requestExtensions


> I understood what will be the encoding when we use explicit & implicit 
> tagging. that is what you explained.
> But what i really want to know is - In which context we will use 
> explict tagging & in which context we will use implicit tagging.

If one or the other is specified in a protocol, use that. For
reasons I don't agree with but that I have to live with, implicit tagging is
almost always used. Explicit tagging is only used when implicit tagging is
not possible. The case where implicit tagging is not possible is when
something that does not understand the protocol nevertheless needs to decode
the data in the objects. I fact this situation all the time, and it's why I
*hate* implicit tagging.

Save a few bytes, tremendously increase complexity. Welcome to
implicit tagging.

Consider a parser that's supposed to turn BER into XML. With
explicit tagging, it's trivial to turn [ 3 [ INTEGER 7 ] ]

Into
37

But with implicit tagging, how do you turn

[ 3 7 ]

Into XML if you don't know that '3' means integer *in* *this*
*context*.
Result: with implicit tagging you have to understand the high level protocol
to make sense of the low level protocol. That's a horrible shame, IMO.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

By using explicit tagging the underlying object is encoded as it would be if
standalone.  Implict tagging avoids adding a wrapper around the object but
results in the underlying object being slightly altered.

As an example, the encoding of the certificate within MyStructExplicit will
be the same as the encoding on MyCertificate (for the same certificate),
whereas the encoding of the certificate within MyStructImplicit will be
different due to the tag being modified.

MyCertificate ::= Certificate

MyStructExplicit ::= SEQUENCE {
certificate  [0] EXPLICIT Certificate }

MyStructImplicit ::= SEQUENCE {
certificate  [0] IMPLICIT Certificate }

Is that any clearer?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sravan
Sent: Thursday, 8 September 2005 3:53 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

Hi Steven,
I would like to know point 2.

- Sravan

Steven Reddie wrote:

>I'm sure someone will jump in if they see a mismatch in your question 
>and my answer.  In the meantime let's break it down.  Are you:
>1. Looking at some existing data model expressed in ASN.1 (such as 
>X.509 or
>OCSP) and are curious about when you need to worry about explicit vs 
>implicit?
>2. Curious about when to use explicit vs implicit when specifying a 
>data model in ASN.1?
>3. Something else?
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of sravan
>Sent: Thursday, 8 September 2005 3:37 PM
>To: openssl-users@openssl.org
>Subject: Re: OCSP, Nonce and the requestExtensions
>
>Hi Steven,
>I am sorry to say that I couldn't get what you have explained in your mail.
>I don't say that it is a problem in your explaination but I can't 
>understand this(may be a problem in my comprehension). Any one out 
>there who can explain this plz help us out...
>
>- Sravan
>
>Steven Reddie wrote:
>
>  
>
>>I meant to say that I don't know of any specific reason other than not 
>>changing the underlying type.  I imagine that not changing the 
>>underlying type can be important/helpful in some situations.  An 
>>example being an encoded certificate as a member of some other structure.
>>
>>
>In order to "hand"
>  
>
>>the certificate portion of the DER to an X.509 decoder an implicit tag 
>>would have to changed to the universal tag expected of the certificate.
>>For verifying the signature it would also be necessary to "correct" an 
>>implicit tag.  Using an explicit tag instead means that the underlying 
>>object is still a standalone certificate.
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
>>Sent: Thursday, 8 September 2005 2:17 PM
>>To: openssl-users@openssl.org
>>Subject: RE: OCSP, Nonce and the requestExtensions
>>
>>When working with encodings of an existing data model then the use of 
>>implicit vs explicit comes down to what the designers specified.  ie.
>>for interoperability you can't work against the specification.
>>
>>When designing a data model with ASN.1 I don't know of any specific 
>>reason for using one over the other.  Explicit tags wrapper the 
>>underlying object and as such add a little bloat but leave the 
>>underlying encoded object unchanged.  Implicit tags replace the 
>>underlying tag in the encoding, avoiding the little bloat, but 
>>altering the encoded representation of the underlying object.
>>
>>For example, the INTEGER zero is encoded in DER as 02 01 00.  Applying 
>>a context-specific tag of 2 results in:
>>Implicit: 82 01 00
>>Explicit: 82 03 02 01 00
>>
>>Regards,
>>
>>Steven
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of sravan
>>Sent: Thursday, 8 September 2005 1:55 PM
>>To: openssl-users@openssl.org
>>Subject: Re: OCSP, Nonce and the requestExtensions
>>
>>Hi Steven and others,
>>i have a doubt regd these tags in ASN1:
>>when do we use implicit tags & when do we use explicit tags?
>>
>>i have read the 'layman's guide to a subset of ASN.1, BER & DER' but 
>>it seems i didn't get the exact difference b/n the two types of tags - 
>>in the sense of exact context in which each of these types of tags are
used.
>>
>>bye & thnx
>>- sravan
>> 
>>
>>
>>
>
>
>__
>OpenSSL Project

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

I'm sure someone will jump in if they see a mismatch in your question and my
answer.  In the meantime let's break it down.  Are you:
1. Looking at some existing data model expressed in ASN.1 (such as X.509 or
OCSP) and are curious about when you need to worry about explicit vs
implicit?
2. Curious about when to use explicit vs implicit when specifying a data
model in ASN.1?
3. Something else?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sravan
Sent: Thursday, 8 September 2005 3:37 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

Hi Steven,
I am sorry to say that I couldn't get what you have explained in your mail.
I don't say that it is a problem in your explaination but I can't understand
this(may be a problem in my comprehension). Any one out there who can
explain this plz help us out...

- Sravan

Steven Reddie wrote:

>I meant to say that I don't know of any specific reason other than not 
>changing the underlying type.  I imagine that not changing the 
>underlying type can be important/helpful in some situations.  An 
>example being an encoded certificate as a member of some other structure.
In order to "hand"
>the certificate portion of the DER to an X.509 decoder an implicit tag 
>would have to changed to the universal tag expected of the certificate.  
>For verifying the signature it would also be necessary to "correct" an 
>implicit tag.  Using an explicit tag instead means that the underlying 
>object is still a standalone certificate.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
>Sent: Thursday, 8 September 2005 2:17 PM
>To: openssl-users@openssl.org
>Subject: RE: OCSP, Nonce and the requestExtensions
>
>When working with encodings of an existing data model then the use of 
>implicit vs explicit comes down to what the designers specified.  ie. 
>for interoperability you can't work against the specification.
>
>When designing a data model with ASN.1 I don't know of any specific 
>reason for using one over the other.  Explicit tags wrapper the 
>underlying object and as such add a little bloat but leave the 
>underlying encoded object unchanged.  Implicit tags replace the 
>underlying tag in the encoding, avoiding the little bloat, but altering 
>the encoded representation of the underlying object.
>
>For example, the INTEGER zero is encoded in DER as 02 01 00.  Applying 
>a context-specific tag of 2 results in:
>Implicit: 82 01 00
>Explicit: 82 03 02 01 00
>
>Regards,
>
>Steven
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of sravan
>Sent: Thursday, 8 September 2005 1:55 PM
>To: openssl-users@openssl.org
>Subject: Re: OCSP, Nonce and the requestExtensions
>
>Hi Steven and others,
>i have a doubt regd these tags in ASN1:
>when do we use implicit tags & when do we use explicit tags?
>
>i have read the 'layman's guide to a subset of ASN.1, BER & DER' but it 
>seems i didn't get the exact difference b/n the two types of tags - in 
>the sense of exact context in which each of these types of tags are used.
>
>bye & thnx
>- sravan
>  
>


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

I meant to say that I don't know of any specific reason other than not
changing the underlying type.  I imagine that not changing the underlying
type can be important/helpful in some situations.  An example being an
encoded certificate as a member of some other structure.  In order to "hand"
the certificate portion of the DER to an X.509 decoder an implicit tag would
have to changed to the universal tag expected of the certificate.  For
verifying the signature it would also be necessary to "correct" an implicit
tag.  Using an explicit tag instead means that the underlying object is
still a standalone certificate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
Sent: Thursday, 8 September 2005 2:17 PM
To: openssl-users@openssl.org
Subject: RE: OCSP, Nonce and the requestExtensions

When working with encodings of an existing data model then the use of
implicit vs explicit comes down to what the designers specified.  ie. for
interoperability you can't work against the specification.

When designing a data model with ASN.1 I don't know of any specific reason
for using one over the other.  Explicit tags wrapper the underlying object
and as such add a little bloat but leave the underlying encoded object
unchanged.  Implicit tags replace the underlying tag in the encoding,
avoiding the little bloat, but altering the encoded representation of the
underlying object.

For example, the INTEGER zero is encoded in DER as 02 01 00.  Applying a
context-specific tag of 2 results in:
Implicit: 82 01 00
Explicit: 82 03 02 01 00

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sravan
Sent: Thursday, 8 September 2005 1:55 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

Hi Steven and others,
i have a doubt regd these tags in ASN1:
when do we use implicit tags & when do we use explicit tags?

i have read the 'layman's guide to a subset of ASN.1, BER & DER' but it
seems i didn't get the exact difference b/n the two types of tags - in the
sense of exact context in which each of these types of tags are used.

bye & thnx
- sravan

Steven Reddie wrote:

>I should clarify that tags aren't blindly used to identify members of 
>structured types, only when there would otherwise be ambiguity such as 
>with optional members in a SEQUENCE, or in a CHOICE.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
>Sent: Thursday, 8 September 2005 11:07 AM
>To: openssl-users@openssl.org
>Subject: RE: OCSP, Nonce and the requestExtensions
>
>Do a search for a document titled "A Layman's Guide to a Subset of 
>ASN.1, BER, and DER".  The tags in this case, and generally, are used 
>to identify the components in the structure.  Since the last two 
>members are optional it is necessary to encode the structure so that it 
>is possible to tell which of the optional components is present.  I 
>don't know why the version has an explicit tag -- it seems redundant.
>
>  
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

When working with encodings of an existing data model then the use of
implicit vs explicit comes down to what the designers specified.  ie. for
interoperability you can't work against the specification.

When designing a data model with ASN.1 I don't know of any specific reason
for using one over the other.  Explicit tags wrapper the underlying object
and as such add a little bloat but leave the underlying encoded object
unchanged.  Implicit tags replace the underlying tag in the encoding,
avoiding the little bloat, but altering the encoded representation of the
underlying object.

For example, the INTEGER zero is encoded in DER as 02 01 00.  Applying a
context-specific tag of 2 results in:
Implicit: 82 01 00
Explicit: 82 03 02 01 00

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of sravan
Sent: Thursday, 8 September 2005 1:55 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

Hi Steven and others,
i have a doubt regd these tags in ASN1:
when do we use implicit tags & when do we use explicit tags?

i have read the 'layman's guide to a subset of ASN.1, BER & DER' but it
seems i didn't get the exact difference b/n the two types of tags - in the
sense of exact context in which each of these types of tags are used.

bye & thnx
- sravan

Steven Reddie wrote:

>I should clarify that tags aren't blindly used to identify members of 
>structured types, only when there would otherwise be ambiguity such as 
>with optional members in a SEQUENCE, or in a CHOICE.
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
>Sent: Thursday, 8 September 2005 11:07 AM
>To: openssl-users@openssl.org
>Subject: RE: OCSP, Nonce and the requestExtensions
>
>Do a search for a document titled "A Layman's Guide to a Subset of 
>ASN.1, BER, and DER".  The tags in this case, and generally, are used 
>to identify the components in the structure.  Since the last two 
>members are optional it is necessary to encode the structure so that it 
>is possible to tell which of the optional components is present.  I 
>don't know why the version has an explicit tag -- it seems redundant.
>
>  
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

I should clarify that tags aren't blindly used to identify members of
structured types, only when there would otherwise be ambiguity such as with
optional members in a SEQUENCE, or in a CHOICE.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
Sent: Thursday, 8 September 2005 11:07 AM
To: openssl-users@openssl.org
Subject: RE: OCSP, Nonce and the requestExtensions

Do a search for a document titled "A Layman's Guide to a Subset of ASN.1,
BER, and DER".  The tags in this case, and generally, are used to identify
the components in the structure.  Since the last two members are optional it
is necessary to encode the structure so that it is possible to tell which of
the optional components is present.  I don't know why the version has an
explicit tag -- it seems redundant.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Thursday, 8 September 2005 1:45 AM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

ah, okay. thank you!
now i know what's the number for! :)

Steven Reddie schrieb:

>That's the [2] in:
>
>TBSRequest  ::= SEQUENCE {
>version [0] EXPLICIT Version DEFAULT v1,
>requestorName   [1] EXPLICIT GeneralName OPTIONAL,
>requestList SEQUENCE OF Request,
>requestExtensions   [2] EXPLICIT Extensions OPTIONAL } 
>
>2 being the explicit context-specific tag for requestExtensions.
>
>Regards,
>
>Steven
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
>Sent: Wednesday, 7 September 2005 11:37 PM
>To: openssl-users@openssl.org
>Subject: Re: OCSP, Nonce and the requestExtensions
>
>well, i do not see the CONTEXT SPECIFIC part in the spec!!!
>
>Sascha.
>
>Dr. Stephen Henson schrieb:
>
>  
>
>>On Wed, Sep 07, 2005, Sascha Kiefer wrote:
>>
>> 
>>
>>
>>
>>>no, that's misunderstanding (well, my english is not that great); 
>>>here is the complete ocsp request generated by openssl (i'm not sure 
>>>about the version; i'm at work and tried it at home):
>>>
>>>Offset| Len  |LenByte|
>>>==+==+===+===
>>>=
>>>  
>>>
>==
>  
>
>>>   0|   102|  1| SEQUENCE :
>>>   2|   100|  1|SEQUENCE :
>>>   4|77|  1|   SEQUENCE :
>>>   6|75|  1|  SEQUENCE :
>>>   8|73|  1| SEQUENCE :
>>>  10| 9|  1|SEQUENCE :
>>>  12| 5|  1|   OBJECT IDENTIFIER :  sha1 
>>>[1.3.14.3.2.26]
>>>  19| 0|  1|   NULL :
>>>  21|20|  1|OCTET STRING :
>>>|  |   |   
>>>C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
>>>  43|20|  1|OCTET STRING :
>>>|  |   |   
>>>0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
>>>  65|16|  1|INTEGER :
>>>|  |   |   4302AB26321D1C8AA2B54FEE5F8335A5
>>>  83|19|  1|   CONTEXT SPECIFIC (2) :
>>>  85|17|  1|  SEQUENCE :
>>>  87|15|  1| SEQUENCE :
>>>  89| 9|  1|OBJECT IDENTIFIER :  
>>>[1.3.6.1.5.5.7.48.1.2]
>>> 100| 2|  1|OCTET STRING :
>>> 102|16|  1|   OCTET STRING :
>>>|  |   |
>>>  
>>>
>7F6B115E2A42DCE810F762B1E389A610
>  
>
>>>Here the RFC2560:
>>>
>>>OCSPRequest ::= SEQUENCE {
>>>  tbsRequest  TBSRequest,
>>>  optionalSignature   [0] EXPLICIT Signature OPTIONAL }
>>>
>>>TBSRequest  ::= SEQUENCE {
>>>  version [0] EXPLICIT Version DEFAULT v1,
>>>  requestorName   [1] EXPLICIT GeneralName OPTIONAL,
>>>  requestList SEQUENCE OF Request,
>>>  requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
>>>
>>>So, as you can see: the CONTEXT SPECIFIC part is actually the 
>>>requestExtensions part But why is it context specifiy and not just 
>>>the sequences?
>>>
>>>   
>>>
>>>  
>>>
>>I'm not sure what you are asking here

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

Do a search for a document titled "A Layman's Guide to a Subset of ASN.1,
BER, and DER".  The tags in this case, and generally, are used to identify
the components in the structure.  Since the last two members are optional it
is necessary to encode the structure so that it is possible to tell which of
the optional components is present.  I don't know why the version has an
explicit tag -- it seems redundant.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Thursday, 8 September 2005 1:45 AM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

ah, okay. thank you!
now i know what's the number for! :)

Steven Reddie schrieb:

>That's the [2] in:
>
>TBSRequest  ::= SEQUENCE {
>version [0] EXPLICIT Version DEFAULT v1,
>requestorName   [1] EXPLICIT GeneralName OPTIONAL,
>requestList SEQUENCE OF Request,
>requestExtensions   [2] EXPLICIT Extensions OPTIONAL } 
>
>2 being the explicit context-specific tag for requestExtensions.
>
>Regards,
>
>Steven
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
>Sent: Wednesday, 7 September 2005 11:37 PM
>To: openssl-users@openssl.org
>Subject: Re: OCSP, Nonce and the requestExtensions
>
>well, i do not see the CONTEXT SPECIFIC part in the spec!!!
>
>Sascha.
>
>Dr. Stephen Henson schrieb:
>
>  
>
>>On Wed, Sep 07, 2005, Sascha Kiefer wrote:
>>
>> 
>>
>>
>>
>>>no, that's misunderstanding (well, my english is not that great); 
>>>here is the complete ocsp request generated by openssl (i'm not sure 
>>>about the version; i'm at work and tried it at home):
>>>
>>>Offset| Len  |LenByte|
>>>==+==+===+===
>>>=
>>>  
>>>
>==
>  
>
>>>   0|   102|  1| SEQUENCE :
>>>   2|   100|  1|SEQUENCE :
>>>   4|77|  1|   SEQUENCE :
>>>   6|75|  1|  SEQUENCE :
>>>   8|73|  1| SEQUENCE :
>>>  10| 9|  1|SEQUENCE :
>>>  12| 5|  1|   OBJECT IDENTIFIER :  sha1 
>>>[1.3.14.3.2.26]
>>>  19| 0|  1|   NULL :
>>>  21|20|  1|OCTET STRING :
>>>|  |   |   
>>>C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
>>>  43|20|  1|OCTET STRING :
>>>|  |   |   
>>>0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
>>>  65|16|  1|INTEGER :
>>>|  |   |   4302AB26321D1C8AA2B54FEE5F8335A5
>>>  83|19|  1|   CONTEXT SPECIFIC (2) :
>>>  85|17|  1|  SEQUENCE :
>>>  87|15|  1| SEQUENCE :
>>>  89| 9|  1|OBJECT IDENTIFIER :  
>>>[1.3.6.1.5.5.7.48.1.2]
>>> 100| 2|  1|OCTET STRING :
>>> 102|16|  1|   OCTET STRING :
>>>|  |   |
>>>  
>>>
>7F6B115E2A42DCE810F762B1E389A610
>  
>
>>>Here the RFC2560:
>>>
>>>OCSPRequest ::= SEQUENCE {
>>>  tbsRequest  TBSRequest,
>>>  optionalSignature   [0] EXPLICIT Signature OPTIONAL }
>>>
>>>TBSRequest  ::= SEQUENCE {
>>>  version [0] EXPLICIT Version DEFAULT v1,
>>>  requestorName   [1] EXPLICIT GeneralName OPTIONAL,
>>>  requestList SEQUENCE OF Request,
>>>  requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
>>>
>>>So, as you can see: the CONTEXT SPECIFIC part is actually the 
>>>requestExtensions part But why is it context specifiy and not just 
>>>the sequences?
>>>
>>>   
>>>
>>>  
>>>
>>I'm not sure what you are asking here.
>>
>>>From an ASN1 point of view several of those tags are unnecessary and
>>
>>
>>>it could
>>>  
>>>
>>have been written without them, but as its in the spec we have to do it.
>>
>>Steve.
>>--
>>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL 
>>project core developer and freelance consultant.
>>Funding needed! Details on homepage.
>>Homepage: http://www.drh-consultancy.demon.co.uk
>>___

RE: OCSP, Nonce and the requestExtensions

[Steven Reddie]

That's the [2] in:

TBSRequest  ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
requestorName   [1] EXPLICIT GeneralName OPTIONAL,
requestList SEQUENCE OF Request,
requestExtensions   [2] EXPLICIT Extensions OPTIONAL } 

2 being the explicit context-specific tag for requestExtensions.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
Sent: Wednesday, 7 September 2005 11:37 PM
To: openssl-users@openssl.org
Subject: Re: OCSP, Nonce and the requestExtensions

well, i do not see the CONTEXT SPECIFIC part in the spec!!!

Sascha.

Dr. Stephen Henson schrieb:

>On Wed, Sep 07, 2005, Sascha Kiefer wrote:
>
>  
>
>>no, that's misunderstanding (well, my english is not that great); here 
>>is the complete ocsp request generated by openssl (i'm not sure about 
>>the version; i'm at work and tried it at home):
>>
>>Offset| Len  |LenByte|
>>==+==+===+
==
>>0|   102|  1| SEQUENCE :
>>2|   100|  1|SEQUENCE :
>>4|77|  1|   SEQUENCE :
>>6|75|  1|  SEQUENCE :
>>8|73|  1| SEQUENCE :
>>   10| 9|  1|SEQUENCE :
>>   12| 5|  1|   OBJECT IDENTIFIER :  sha1 
>>[1.3.14.3.2.26]
>>   19| 0|  1|   NULL :
>>   21|20|  1|OCTET STRING :
>> |  |   |   
>>C0FE0278FC99188891B3F212E9C7E1B21AB7BFC0
>>   43|20|  1|OCTET STRING :
>> |  |   |   
>>0DFC1DF0A9E0F01CE7F2B213177E6F8D157CD4F6
>>   65|16|  1|INTEGER :
>> |  |   |   4302AB26321D1C8AA2B54FEE5F8335A5
>>   83|19|  1|   CONTEXT SPECIFIC (2) :
>>   85|17|  1|  SEQUENCE :
>>   87|15|  1| SEQUENCE :
>>   89| 9|  1|OBJECT IDENTIFIER :  
>>[1.3.6.1.5.5.7.48.1.2]
>>  100| 2|  1|OCTET STRING :
>>  102|16|  1|   OCTET STRING :
>> |  |   |
7F6B115E2A42DCE810F762B1E389A610
>>
>>Here the RFC2560:
>>
>>OCSPRequest ::= SEQUENCE {
>>   tbsRequest  TBSRequest,
>>   optionalSignature   [0] EXPLICIT Signature OPTIONAL }
>>
>>TBSRequest  ::= SEQUENCE {
>>   version [0] EXPLICIT Version DEFAULT v1,
>>   requestorName   [1] EXPLICIT GeneralName OPTIONAL,
>>   requestList SEQUENCE OF Request,
>>   requestExtensions   [2] EXPLICIT Extensions OPTIONAL }
>>
>>So, as you can see: the CONTEXT SPECIFIC part is actually the 
>>requestExtensions part But why is it context specifiy and not just the 
>>sequences?
>>
>>
>>
>
>I'm not sure what you are asking here.
>
>>From an ASN1 point of view several of those tags are unnecessary and 
>>it could
>have been written without them, but as its in the spec we have to do it.
>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL 
>project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing Listopenssl-users@openssl.org
>Automated List Manager   [EMAIL PROTECTED]
>
>
>  
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Reading from standard input

[Steven Reddie]

It's the same as your original problem: different end-of-line markers

Try this instead:
echo -n "1122" | openssl dgst -md5

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roberto Arias Alegria
Sent: Tuesday, 30 August 2005 2:01 PM
To: openssl-users@openssl.org
Subject: Re: Reading from standard input

Thanks people,

Yeah I think the end of line was the key. After reading your posts I
realised that I needed this:
echo "mytext" | openssl dgst -md5

Anyway, I don't know why I got different hashes:

Using openssl:
 echo "1122" | openssl dgst -md5
 01ebeaafc334e503f4acc94a18df9fa5

and using MySQL:
 SELECT md5("1122");
 3b712de48137572f3849aabd5666a4e3

//roberto8080


On 8/29/05, Victor Duchovni <[EMAIL PROTECTED]> wrote:
> On Mon, Aug 29, 2005 at 06:42:07PM -0500, Roberto Arias Alegria wrote:
> 
> > Hello new around here,
> >
> > I'm just new to OpenSSL and I'd like to calculate a MD5 digest, I 
> > used the command
> >
> > openssl dgst -md5 file.txt
> >
> > and I got a digest of the file, but I want a digest of what is
> > *inside* the file, a text string, not the file itself, it is 
> > possible to do this?
> >
> 
> The difference is the newline at the end of the string on each line of 
> the file. To checksum each line (using the shell and openssl rather 
> than the much easier Perl with Digest::MD5) but omit the terminating new
line:
> 
> #! /bin/sh
> SAVEIFS="$IFS"
> IFS="
> "
> while read line
> do
> printf "%s" "$line" | openssl dgst -md5
> done < inputfile
> IFS="$SAVEIFS"
> 
> --
> Viktor.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Reading from standard input

[Steven Reddie]

Your question doesn't make much sense.  A "digest of the file" is exactly
the same as "a digest of what is *inside* the file".  If you mean that you
want a digest of a particular portion of the contents of the file then
you'll need to extract that yourself. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roberto Arias Alegria
Sent: Tuesday, 30 August 2005 9:42 AM
To: openssl-users@openssl.org
Subject: Reading from standard input

Hello new around here,

I'm just new to OpenSSL and I'd like to calculate a MD5 digest, I used the
command

openssl dgst -md5 file.txt

and I got a digest of the file, but I want a digest of what is
*inside* the file, a text string, not the file itself, it is possible to do
this?


//roberto8080
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: MD5SUM openssl-0.9.8.tar.gz

[Steven Reddie]

I've also experienced the corrupted-file-in-the-hidden-proxy problem before
(by hidden meaning that the ISP forces the use of the proxy).  You could
also try downloading from a different mirror, or use ftp.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodolfo Estrada
Sent: Tuesday, 30 August 2005 12:09 AM
To: openssl-users@openssl.org
Subject: RE: MD5SUM openssl-0.9.8.tar.gz


I used wget to downloaded it, and yes gunzip -t tells me that I have a
corrupted download.
However, I did downloaded the previous version and its ok!.

Perhaps the fact that I am behind a proxy could be the problem?..

I am going to try it using a machine directly conected to the outside..

Thanks,

Rodolfo 
  
- Original Message -
From: "Steven Reddie" <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Subject: RE: MD5SUM openssl-0.9.8.tar.gz
Date: Mon, 29 Aug 2005 23:24:41 +1000

> 
> The copy I downloaded a while back is correct.  The copy I downloaded 
> just now is also correct.  Seems you have a corrupt download.  Does 
> "gunzip -t openssl-0.9.8.tar.gz" report a corruption?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rodolfo Estrada
> Sent: Monday, 29 August 2005 11:19 PM
> To: openssl-users@openssl.org
> Subject: MD5SUM openssl-0.9.8.tar.gz
> 
> 
> [EMAIL PROTECTED] tmp]# md5sum  openssl-0.9.8.tar.gz 
> d41d8cd98f00b204e9800998ecf8427e  openssl-0.9.8.tar.gz
> 
> md5 from website 9da21071596a124acde6080552deac16
> 
> Am I doing something wrong here? IF not, we are in trouble...
> 
> Regards,
> 
> 
> Rodolfo Estrada
> [EMAIL PROTECTED]
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: MD5SUM openssl-0.9.8.tar.gz

[Steven Reddie]

The copy I downloaded a while back is correct.  The copy I downloaded just
now is also correct.  Seems you have a corrupt download.  Does "gunzip -t
openssl-0.9.8.tar.gz" report a corruption?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rodolfo Estrada
Sent: Monday, 29 August 2005 11:19 PM
To: openssl-users@openssl.org
Subject: MD5SUM openssl-0.9.8.tar.gz


[EMAIL PROTECTED] tmp]# md5sum  openssl-0.9.8.tar.gz
d41d8cd98f00b204e9800998ecf8427e  openssl-0.9.8.tar.gz

md5 from website 9da21071596a124acde6080552deac16

Am I doing something wrong here? IF not, we are in trouble...

Regards,


Rodolfo Estrada
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: openssl ciphers

[Steven Reddie]

Which version are you using?  0.9.8 does what I'd expect:

$ openssl ciphers AES+DES
Error in cipher list
3312:error:144020B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
match:ssl_lib.c:1167: 

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dmitry Belyavsky
Sent: Monday, 29 August 2005 10:18 PM
To: openssl-users@openssl.org
Subject: openssl ciphers

Hello!

man openssl ciphers:

=
Lists of cipher suites can be combined in a single cipher string using the +
character. This is used as a logical and operation. For example
SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms.
=

What about call for openssl ciphers AES+DES?

Using specification, it shouldn't return any cipher suite. But it returns
both DES and AES cipher suites. What is wrong?


--
SY, Dmitry Belyavsky (ICQ UIN 6575)

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Compatibility between RSA_sign and RSA_public_decrypt

[Steven Reddie]

RSA_verify calls RSA_public_decrypt to do the actual decryption.  The
padding aspects of each are the same.  The difference in PKCS#1 padding is
between RSA_public_encrypt/RSA_private_decrypt and
RSA_private_encrypt/RSA_public_decrypt.  The pair used for signatures use a
form of padding that doesn't change each time it is applied (each byte is
0xff).  The other pair use a form of padding that includes randomly
generated padding bytes and therefore does change each time it is applied.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Suram Chandra Sekhar
Sent: Friday, 26 August 2005 7:47 PM
To: openssl-users@openssl.org
Subject: Compatibility between RSA_sign and RSA_public_decrypt

Hi all,
I understand that RSA_sign() uses PKCS#1v1.5 padding for signing.  If I sign
using RSA_sign, can this signature be verified using RSA_public_decrypt()
which uses PKCS#1 v1.0.

In other words is it possible to have compatibility between these two
versions.

Awaiting your valuable response..

Regards
Suram


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: TLS handshake failure: who's right?

[Steven Reddie]

The second handshake message in frame 18 (Certificate Request) has an empty
certificate_authorities record (shown as "Distinguished Names Length: 0" in
the dump).  TLS v1.0 specifies that this record must contain at least 3
entries:

   struct {
   ClientCertificateType certificate_types<1..2^8-1>;
   DistinguishedName certificate_authorities<3..2^16-1>;
   } CertificateRequest;

I've come across implementations like this before, and one that didn't even
include anything in the certificate_types field.  Surprisingly, there are
other implementations that just see the CertificateRequest and reply with
the Certificate, and things work even though it should result in a fatal
failure.  IE will do client authentication with certificate_authorities
missing, but not with certificate_types also missing, even though "openssl
s_client" will successfully reply with it's client Certificate if both
fields are empty.  Whichever component is sending the CertificateRequest is
not compilant with TLS v1.0.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Bramwell
Sent: Thursday, 25 August 2005 4:44 AM
To: openssl-users@openssl.org
Subject: TLS handshake failure: who's right?

Greetings Group Gurus,

I am trying to get a device that purportedly talks TLSv1 to connect to a
system running OpenSSL 0.9.6.  After the ServerHelloDone the other device
reports:
No TLS session key in Client Key Exchange The SSL/TLS implementation
on said device (a VOIP phone) is of unknown pedigree; pretty sure it is NOT
OpenSSL.  Can anyone shed any light on what might be going wrong?  Following
is the complete ethereal dump (minus a certificate or two).

Many thanks.

[many snips]

No. TimeSourceSport  Destination   Dport

Protocol Info
  18 22.560146   66.166.206.78 5061   199.166.37.22 2075

TLS  Server Hello, Certificate, Certificate Request, Server Hello Done

Frame 18 (1354 bytes on wire, 1354 bytes captured)
 Arrival Time: Aug 23, 2005 16:53:00.046739000
 Time delta from previous packet: 0.000825000 seconds
 Time since reference or first frame: 22.560146000 seconds
 Frame Number: 18
 Packet Length: 1354 bytes
 Capture Length: 1354 bytes
Ethernet II, Src: 00:90:0b:03:29:4c, Dst: 00:00:c5:a9:6e:9c
 Destination: 00:00:c5:a9:6e:9c (00:00:c5:a9:6e:9c)
 Source: 00:90:0b:03:29:4c (00:90:0b:03:29:4c)
 Type: IP (0x0800)
Internet Protocol, Src Addr: 66.166.206.78 (66.166.206.78), Dst Addr: 
199.166.37.22 (199.166.37.22)
 Version: 4
 Header length: 20 bytes
 Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  00.. = Differentiated Services Codepoint: Default (0x00)
  ..0. = ECN-Capable Transport (ECT): 0
  ...0 = ECN-CE: 0
 Total Length: 1340
 Identification: 0xd58a (54666)
 Flags: 0x04 (Don't Fragment)
 0... = Reserved bit: Not set
 .1.. = Don't fragment: Set
 ..0. = More fragments: Not set
 Fragment offset: 0
 Time to live: 64
 Protocol: TCP (0x06)
 Header checksum: 0x6280 (correct)
 Source: 66.166.206.78 (66.166.206.78)
 Destination: 199.166.37.22 (199.166.37.22) Transmission Control
Protocol, Src Port: 5061 (5061), Dst Port: 2075 (2075),
Seq: 2903151812, Ack: 2201575059, Len: 1288
 Source port: 5061 (5061)
 Destination port: 2075 (2075)
 Sequence number: 2903151812
 Next sequence number: 2903153100
 Acknowledgement number: 2201575059
 Header length: 32 bytes
 Flags: 0x0018 (PSH, ACK)
 0...  = Congestion Window Reduced (CWR): Not set
 .0..  = ECN-Echo: Not set
 ..0.  = Urgent: Not set
 ...1  = Acknowledgment: Set
  1... = Push: Set
  .0.. = Reset: Not set
  ..0. = Syn: Not set
  ...0 = Fin: Not set
 Window size: 5792
 Checksum: 0x9336 (correct)
 Options: (12 bytes)
 NOP
 NOP
 Time stamp: tsval 7553361, tsecr 1136805 Secure Socket Layer
 TLS Record Layer: Server Hello
 Content Type: Handshake (22)
 Version: TLS 1.0 (0x0301)
 Length: 74
 Handshake Protocol: Server Hello
 Handshake Type: Server Hello (2)
 Length: 70
 Version: TLS 1.0 (0x0301)
 Random.gmt_unix_time: Aug 23, 2005 16:53:00.0
 Random.bytes
 Session ID Length: 32
 Session ID (32 bytes)
 Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
 Compression Method: null (0)
 TLS Record Layer: Certificate
 Content Type: Handshake (22)
 Version: TLS 1.0 (0x0301)
 Length: 1186
 Handshake Protocol: Certificate
 Handshake Type: Certificate (11)
 Length: 1182
 Certificates Length: 1179
 Certificates (1179 byt

RE: Isolating SHA Algorithm from openssl

[Steven Reddie]

If you're trying to extract an implementation of SHA-256 by starting with
sha256t.c you're on the wrong track.  That file is for testing sha256. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Allen Rintoul
Sent: Monday, 22 August 2005 10:07 PM
To: openssl-users
Subject: Isolating SHA Algorithm from openssl


I wanted to isolate the code pretaining to sha256, so i started with
sha256t.c. But there are too many dependencies which i thought was out of my
tag search isolation. then i did an nm on sha256t, It used
ASN1_,BN_,BIO_,CRYPTO_,ENGINE_, EVP_,OBJ_,OPENSSL_,RAND_,RSA_,X509_
functions. How can i reduce the depencdecy can i tailor it in such a way
that i can get the sha256 code out. so that i can use it independently.

I could succesfully pulling out des, blowfish and aes. sice they were pretty
straigth forward.
i had the same problem in pulling out ECC ( but i went ahead with all the
dependencies ).
can some one tell me the pre-requisits that i should have before attempting
such a venture of tailoring openssl.

thx a lot for any help
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: What size is this key?

[Steven Reddie]

It probably is 1023 bit, but you can think of that as being 1024 bit with
the top bit zero.  Since the modulus is effectively random (the product or
two randomly chosen large primes) then it makes sense that some of the
generated moduli will not completely fill the 1024 bits, just as choosing a
number randomly between 0 and 100 won't always have the top decimal place
filled.  If the top bit was always set it would reduce the search space when
attacking the key, thereby weakening it.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tan Eng Ten
Sent: Wednesday, 17 August 2005 5:17 PM
To: openssl-users@openssl.org
Subject: What size is this key?

A local certification authority has issued a cert and the public is as below
(parsed with openssl) :

-
Modulus (1023 bit):
 5d:10:63:d3:d8:00:2a:50:ab:65:8a:f0:92:83:b0:
 6a:39:e3:0c:38:aa:f5:32:23:71:25:8e:4a:8d:50:
 fd:80:a3:95:59:33:27:92:88:d0:1d:28:dd:05:7c:
 b6:a0:5e:68:9e:b4:70:c9:bd:28:8a:fb:6d:95:0a:
 38:83:f9:8d:15:b1:3a:33:bf:d7:ab:1c:5e:1b:d3:
 d6:c1:1a:f8:05:7f:ef:22:23:48:ef:48:a2:8d:99:
 90:10:81:8a:54:dd:16:9e:7f:d0:88:a8:b7:34:68:
 be:4d:8f:dc:4b:5d:d9:72:c5:a4:88:a6:40:fa:f2:
 f7:16:79:a8:35:3d:f2:ad
Exponent: 3 (0x3)
-

The key pair was generated by the CA (smart-card based) and it was supposed
to be a 1024-bit RSA key. I retrieved the certificate from the smart card
and parsed it with openssl.

I am just wondering why did openssl report it as 1023-bit?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: RSA key sizes

[Steven Reddie]

I believe it's a matter of efficiency.  There are optimisations that can be
performed on the math of integers of length power-of-2.  It's possible that
there are implementations out there that won't work with non-standard sizes.

I have seen 4096 bit keys in the wild.  In fact, the Microsoft Root
Certificate Authority key in the Microsoft Certificate Store is 4096 bits in
length.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Wednesday, 17 August 2005 4:45 PM
To: openssl-users@openssl.org
Subject: Re: RSA key sizes

On Wed, Aug 17, 2005 at 02:21:30PM +0800, Tan Eng Ten wrote:

>   This is a general crypto question and I hope someone could help me 
>   out.
> 
>   Often we use RSA of 512, 1024, 2048, 4096, etc. bit lengths. Are 
>   other sizes such as 520/1045 bit "valid"? Mathematically, it should 
> work, but are there reasons why odd sizes are not to be used?

Well RSA 512 is not (or should not be) used. As for the others, 768 is in
fact used, then 1024 and 2048, I've not seen 4096 in real applications, one
is likely better off with a different algorithm at that point.

Non-standard sizes add no value, each incremental "standard" key size
supports a particular expected security range. Stick to the standard sizes.

-- 
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

I've put up a wcecompat-1.2 which addresses #2.

ARMV4 is the most common ARM architecture available.  Microsoft called this
"ARM" in eVC3.  Arm defined a Thumb instruction set which is 16-bits to
allow more compact code, with the ability to switch between both modes.
With eVC4 Microsoft renamed "ARM" to "ARMV4" and added "ARMV4T" (for Thumb)
and "ARMV4I" (for Interoperable?, ie. Mixed 32-bit and Thumb code).  ARMV5
is available and I believe that most of the chips in the Windows CE devices
are ARMV5 capable, but ARMV4 has probably been defined as the
lowest-common-denominator -- perhaps the TI OMAP chips used in some of the
Smartphones are only ARMV4.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wang
Sent: Thursday, 11 August 2005 10:08 AM
To: openssl-users@openssl.org
Subject: Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

OK, I downloaded wcecompat 1.1 and openssl-0.9.8-stable-SNAP-20050810
and rebuilt everything again.  Things are much, much better now.  Of the
items below, I think only #2 and #5 suggest a fix is needed in wcecompat and
openssl.  The others itmes are responses to previous emails.

1. I fixed my %INCLUDE% and %LIB% environment variables to point to the
right places.  Maybe I installed my SDK in the wrong place or I moved stuff
around, I don't remember.  But I'm happy to be able to set these environment
variables to the right place and the various makefiles find the files they
are looking for.

2. wcecompat/wcedefs.mak: I had to add the extra "if" test for
TARGETCPU=ARMV4I which I mentioned in a previous email.  As to whether the
same thing needs to be done if TARGETCPU=ARMV4T, I assume so. 
i.e. if TARGETCPU is ARMV4T, then ARM, _ARM_, and ARMV4T must be defined.
The auto generated ce.mak and cedll.mak seem to do this already.

3. The -DTHUMBSUPPORT I mentioned for the openssl makefile.  I don't know
where I got that from.  I can't find any reference to it.  I compiled and
ran without it, and it was fine. I think we can forget about this option.

4. The -QRarch4T and -QRinterwork-return I mentioned for the openssl
makefile.  I was able to build and run without them.  However, my both my
platformbuilder and embedded visual C++ uses those options for my
auto-generated projects, so it seems to me that it would be safer to include
them when TARGETCPU=ARMV4I.  (-QRarch4T tells the compiler to target code to
the ARMV4T architecture.  Other options are arch4, arch5, arch5T.  I don't
know the default.  -QRinterwork-return allows function calls to be made
across ARM and THUMB code.)

5. I still needed to change the MLFLAGS and LFLAGS in cedll.mak and ce.mak
from machine:ARM to machine:thumb.  Otherwise, the compiler compains about
an incompatibility with winsock.lib (winsock.dll), which was linked with
machine:thumb.

The compiles go very smoothly now.  Its a great improvement over the
0.9.8 release.  Thanks for all your help guys!

Michael

p.s. While I was looking around to figure out the differences among ARM,
ARMV4, ARMV4I, and ARMV4T, I found the following, which you may already
know:

One thing that was really confusing me was that the above monikers are used
to describe architectures, as defined by the ARM corporation, and a set of
"compilation styles", for a lack of better description, defined by
Microsoft.

ARM is just a general term.
ARMV4 is the oldest supported ARM architecture.  It defines a 32 bit
instruction set.
ARMV4T supports the 32 bit ARMV4 instruction set, plus a new compact
16 bit instruction set called Thumb.  ARM processors based on the ARMV4T
architecture can switch between the 16-bit thumb instruction set and 32-bit
ARM instruction sets.  (see
http://www.arm.com/products/CPUs/archi-thum.html).

WinCE is aware of 3 TARGETCPU types: ARMV4, ARMV4T, and ARMV4I I
assumeTARGETCPU=ARMV4 is for the 32 bit ARM processors without the Thumb
extensions.
I'm not sure exactly when TARGETCPU=ARMV4T is used.  Maybe when executables
are required to be completely comprised of 32 bit ARM instructions or
completely of 16 bit thumb instructions?  Or maybe when the entire OS image
have to be one or the other?
TARGETCPU=ARMV4I allows 32 bit ARM and 16 bit thumb instructions to be mixed
at a function level.  This TARGETCPU type seems to be meant for ARM CPU's
that support the ARMV4T architecture.

As of WinCE .NET 4.2, the ARMV4T kernel has been merged into the ARMV4I
kernel.
As of WinCE 5.0, the ARMV4 kernel has been merged into the ARMV4I kernel.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Au

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

I wrote wcecompat solely for the OpenSSL port (but with a view to using it
for other things), so I guess you could say I'm more of an OpenSSL-er than a
Windows CE-er.

Do you know if a similar change needs to be made for ARMV4T?

I believe your include problem below relates to the possible install issue I
mentioned in the other response.  If your %INCLUDE% is set to the wrong
directory then windows.h won't be found.  The fix is to correct %INCLUDE%
(probably by reinstalling eVC4 + SDKs) rather than modify the
wcecompat/OpenSSL makefiles.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wang
Sent: Wednesday, 10 August 2005 3:15 AM
To: openssl-users@openssl.org
Subject: Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

Oh Hi Steven,

I am pleasently surprised to see that you are monitoring the list. 
Thanks for the changes in wcecompat.  I downloaded your latest version and I
also had to make two minor changes for my environment.  I'm not sure how
motivated you are to actually incorporate them  In any case, at least it
is documented now, so hopefully others can find it.

The first change in wcedefs.mak was for my ARMV4I CPU.  I had to make sure
that _ARM_ and ARM was defined, not just ARMV4I and _ARMV4I_.

The second change in makefile was to add another include line so I can pick
up windows.h.  Not sure why this line was missing from both wcecompat and
openssl compiles.

The patches are below.

Thanks,
Michael


*** wcedefs.mak Wed Jul 27 14:20:12 2005
--- wcedefs.mak.new Tue Aug  9 10:00:11 2005
***
*** 62,67 
--- 62,71 
  WCETARGETCPU=ARM
  WCETARGETCPUDEFS=-DARM -D_ARM_ -D_M_ARM
  WCECC=clarm
+ !ELSEIF "$(TARGETCPU)"=="ARMV4I"
+ WCETARGETCPU=ARM
+ WCETARGETCPUDEFS=-DARM -D_ARM_ -DARMV4I -D_ARMV4I_ WCECC=clarm
  !ELSE
  WCETARGETCPU=$(TARGETCPU)
  WCETARGETCPUDEFS=-D$(TARGETCPU) -D_$(TARGETCPU)_
*** makefileTue Dec  3 00:25:14 2002
--- makefile.newTue Aug  9 10:00:22 2005
***
*** 1,6 
  !INCLUDE 
  
! CFLAGS=/W3 /WX /Ox /O2 /Ob2 /GF /Gy /nologo $(WCETARGETDEFS)
-DWIN32_PLATFORM_PSPC -DUNICODE -D_UNICODE -DWIN32 -DWIN32_LEAN_AND_MEAN
-Iinclude -D_WINDLL -D_DLL /Foobj/ -D_MSC_VER=1200
  
  SRC = \
src/args.cpp\
--- 1,6 
  !INCLUDE 
  
! CFLAGS=/W3 /WX /Ox /O2 /Ob2 /GF /Gy /nologo $(WCETARGETDEFS)
-DWIN32_PLATFORM_PSPC -DUNICODE -D_UNICODE -DWIN32 -DWIN32_LEAN_AND_MEAN
-Iinclude -I"C:\Program Files\Windows CE
Tools\wce420\STANDARDSDK_420\Include\Armv4i" -D_WINDLL -D_DLL /Foobj/
-D_MSC_VER=1200
  
  SRC = \
src/args.cpp    \


On 8/8/05, Steven Reddie <[EMAIL PROTECTED]> wrote:
> Hi Michael,
> 
> I've put a new wcecompat.zip up at essemer.com.au which includes 
> ENOMEM and EAGAIN.  The remainder of the problems need to be corrected in
OpenSSL.
> 
> Regards,
> 
> Steven
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wang
> Sent: Tuesday, 9 August 2005 5:01 AM
> To: openssl-users@openssl.org
> Subject: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0
> 
> Hi,
> 
> I downloaded openssl-0.9.8-stable-SNAP-20050805 and compiled it for my 
> Windows CE platform and had a few problems.  In general though, the 
> code (for WinCE) has been much improved over the 0.9.8 release; good 
> job openlssl developers!
> 
> Here are a couple of issues I had.
> 
> 1. In the CFLAGS define, the compiler didn't like the /wd4959.  It 
> said it was unrecognized and refused to go further.  So I took it out.
> 
> 2. cryptlib.c tried to include windows.h, which the compiler could not
find.
> I had to add the following to CFLAGS after the
> -I$(WCECOMPAT)/include:
> 
>   -I"C:\Program Files\Windows CE
> Tools\wce420\STANDARDSDK_420\Include\Armv4i"
> 
> It would probably be better to use macros instead of a hardcoded path 
> like I have for people who are not compiling for Arm or who has 
> installed their
> eVC++ somewhere else.  (But I don't know what those macros are sorry).
> 
> 3. In bf_skey, memcpy was undefined, and /WX caused the compilation to
stop.
> I just took out the /WX flag.  But it might be better to actually fix 
> the root cause.  If some developer wants to work on this, he can fix 
> the bf_skey file, and when I get the next stable SNAP, I can keep 
> compiling to see what other files generate warnings.
> 
> 4. lpdir_win.c has ENOMEM undefined.  I just added -DENONMEM=1 in CFLAGS.
> 
> 5. bss_dgram.c has EAGAIN undefined.  I just added -DEAGAIN=14 in CFLAGS.
> 
> 6. r2c_skey.c had an "Internal compiler error".  I was reading on 

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

Whoops, I missed the memcpy reference in the original post.  I added a
memcpy prototype to string.h in wcecompat 1.1 to satisfy an OpenSSL 0.9.8
compile problem, so I guess this is the one.  The problem with the wcecompat
approach is that it overrides/replaces the Microsoft supplied header files.
I made sure that nothing in previous Microsoft implementations was hidden
but it looks like they've moved the memcpy prototype to a different header
file resulting in wcecompat obscuring it.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Polyakov
Sent: Wednesday, 10 August 2005 8:35 AM
To: openssl-users@openssl.org
Subject: Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

>> 3. In bf_skey, memcpy was undefined,
> 
> Will look into it...

Looked into it and it didn't make any sense. Required header file is
included so it shouldn't be a problem... Strangely enough there're a number
of files calling memcpy, which are compiled prior bf_skey.c, so how come it
gets "angry" so "late"? I suppose you have to figure this one out yourself,
as it appears as problem with your environment.

>> 8. On that same line, the linker did not like /machine:ARMV4I. 
>> Surprisingly, it also threw an error when I changed it to 
>> /machine:ARM.  It was happy when I changed it /machine:thumb.  Not 
>> sure how it knew I has compiling for thumb and not vanilla ARM.
>> Somewhere along the line, I saw that for thumb, the following defines 
>> are also good:
>>
>> -QRarch4T -DTHUMBSUPPORT -QRinterwork-return
> 
> Will be fixed in next snapshot.

settings.evc4 [provided by Steven] doesn't mention THUMBSUPPORT... 
VC-32.pl which will be available in closest snapshot won't contain it
either. Can you actually confirm that THUMBSUPPORT is actually required? A.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

The file "C:\Program Files\Microsoft eMbedded C++
4.0\EVC\wce420\bin\WCEARMV4.BAT" should contain a line like:

if "%WCEROOT%"=="" set WCEROOT=C:\Program Files\Microsoft eMbedded
C++ 4.0

Which is obviously customised on install since the default is "C:\Microsoft
eMbedded C++ 4.0" and I chose to install under Program Files.  If your file
looks different it sounds like you may have installed under a different
directory and manually moved to Program Files.  If that's the case you may
want to move it back, uninstall, then reinstall in the new location as there
are bound to be registry settings (perhaps for the emulator) that point to
the wrong location.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wang
Sent: Wednesday, 10 August 2005 4:51 AM
To: openssl-users@openssl.org
Subject: Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

On 8/9/05, Andy Polyakov <[EMAIL PROTECTED]> wrote:

> What were your %INCLUDE% and %LIB% upon nmake time?

C:\tmp\newwcecompat\wcecompat>set
CC=clarm.exe
CFG=none
include=C:\Windows CE Tools\WCE420\POCKET PC 2003\include\ARMV4I;C:\Windows
CE T ools\WCE420\POCKET PC 2003\MFC\include;C:\Windows CE
Tools\WCE420\POCKET PC 2003 \ATL\include; lib=C:\Windows CE
Tools\WCE420\POCKET PC 2003\lib\ARMV4I;C:\Windows CE Tools\WCE 420\POCKET PC
2003\MFC\lib\ARMV4I;C:\Windows CE Tools\WCE420\POCKET PC 2003\ATL\
lib\ARMV4I; OSVERSION=WCE420 Path=C:\Program Files\Microsoft eMbedded C++
4.0\COMMON\EVC\bin;C:\Program Files \Microsoft eMbedded C++
4.0\EVC\WCE420\bin;C:\Perl\bin\;C:\WINDOWS\system32;C:\W
INDOWS;C:\WINDOWS\System32\Wbem;C:\Program
Files\Rational\ClearCase\bin;C:\Progr
am Files\Rational\common;c:\Program Files\Microsoft SQL
Server\90\Tools\binn\;C:
\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program
Files\Micro soft Visual Studio\Common\MSDev98\Bin;C:\Program Files\Microsoft
Visual Studio\C ommon\Tools;C:\Program Files\Microsoft Visual
Studio\VC98\bin PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PLATFORM=POCKET PC 2003
ProgramFiles=C:\Program Files
SDKROOT=C:\Windows CE Tools
WCECOMPAT=C:\tmp\sslhead\wcecompat
WCEROOT=C:\Program Files\Microsoft eMbedded C++ 4.0

Hmm, my include and lib settings seem close, but not quite right.  But its
good to know that the openssl makefiles use the %INCLUDE% and %LIB%
variables.  At least there is a way to customize the paths without changing
the source files.

Thanks,
Michael
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

Hi Andy,

The first release wasn't numbered.  This new release is numbered 1.1. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Polyakov
Sent: Wednesday, 10 August 2005 3:29 AM
To: openssl-users@openssl.org
Subject: Re: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

Steven,

> I've put a new wcecompat.zip up at essemer.com.au which includes 
> ENOMEM and EAGAIN.  The remainder of the problems need to be corrected in
OpenSSL.

Do you number wcecompat releases? I mean I'd like to mention some reference
point in INSTALL.WCE, e.g. "at least version x.y" or "downloaded after 8th
August 2005." A.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

[Steven Reddie]

Hi Michael,

I've put a new wcecompat.zip up at essemer.com.au which includes ENOMEM and
EAGAIN.  The remainder of the problems need to be corrected in OpenSSL.

Regards,

Steven 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Wang
Sent: Tuesday, 9 August 2005 5:01 AM
To: openssl-users@openssl.org
Subject: openssl-0.9.8-stable-SNAP-20050805 on WinCE5.0

Hi,

I downloaded openssl-0.9.8-stable-SNAP-20050805 and compiled it for my
Windows CE platform and had a few problems.  In general though, the code
(for WinCE) has been much improved over the 0.9.8 release; good job openlssl
developers!

Here are a couple of issues I had.

1. In the CFLAGS define, the compiler didn't like the /wd4959.  It said it
was unrecognized and refused to go further.  So I took it out.

2. cryptlib.c tried to include windows.h, which the compiler could not find.
I had to add the following to CFLAGS after the
-I$(WCECOMPAT)/include:

  -I"C:\Program Files\Windows CE
Tools\wce420\STANDARDSDK_420\Include\Armv4i"

It would probably be better to use macros instead of a hardcoded path like I
have for people who are not compiling for Arm or who has installed their
eVC++ somewhere else.  (But I don't know what those macros are sorry).

3. In bf_skey, memcpy was undefined, and /WX caused the compilation to stop.
I just took out the /WX flag.  But it might be better to actually fix the
root cause.  If some developer wants to work on this, he can fix the bf_skey
file, and when I get the next stable SNAP, I can keep compiling to see what
other files generate warnings.

4. lpdir_win.c has ENOMEM undefined.  I just added -DENONMEM=1 in CFLAGS.

5. bss_dgram.c has EAGAIN undefined.  I just added -DEAGAIN=14 in CFLAGS.

6. r2c_skey.c had an "Internal compiler error".  I was reading on MSDN that
the arm compiler sometimes blows up trying to optimize loops or something
like that.  So I took out the /O1i option in CFLAGS.

7. The MFLAGS and probably the LFLAGS need /LIBPATH:$(SDK_LIBPATH), where
SDK_LIBPATH is something I added that looks like:

  SDK_LIBPATH="C:\Program Files\Windows CE
Tools\wce420\STANDARDSDK_420\Lib\Armv4i"

8. On that same line, the linker did not like /machine:ARMV4I. 
Surprisingly, it also threw an error when I changed it to /machine:ARM.  It
was happy when I changed it /machine:thumb.  Not sure how it knew I has
compiling for thumb and not vanilla ARM. 
Somewhere along the line, I saw that for thumb, the following defines are
also good:

-QRarch4T -DTHUMBSUPPORT -QRinterwork-return

I'll have to experiment some more to figure out if these defines are really
needed.

Michael
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: MS VC 5: compilation fails

[Steven Reddie]

That error message tends to occur when the code is too complicated for the
compiler.  You may be able to avoid the error by rearranging the code in
that module, but it's a hit and miss approach.  Upgrading to a newer
compiler should fix the problem (since this builds fine under VC6 and up). 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christian Weber
Sent: Wednesday, 13 July 2005 4:40 PM
To: openssl-users@openssl.org
Subject: MS VC 5: compilation fails

Dear 0.9.8 users.

Openssl 0.9.8 fails to compile under VC 5 with following compiler output:
> C:\wrk\openssl-0.9.8>nmake -f ms\ntdll.mak
> 
> Microsoft (R) Program Maintenance Utility   Version 1.62.7022
> Copyright (C) Microsoft Corp 1988-1997. All rights reserved.
> 
> Building OpenSSL
> cl /Fotmp32dll\sha512.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 
> /Ox /O2 /O
> b2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN 
> -DL_ENDIAN
>  -DDSO_WIN32 -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_RC5 
> -DOPENSSL_NO
> _MDC2 -DOPENSSL_NO_KRB5 -D_WINDLL  -DOPENSSL_BUILD_SHLIBCRYPTO -c 
> .\crypto\sha\s ha512.c sha512.c
> .\crypto\sha\sha512.c(457) : fatal error C1001: INTERNAL COMPILER ERROR
> (compiler file 'E:\utc\src\\P2\regasg.c', line 660)
> Please choose the Technical Support command on the Visual C++
> Help menu, or open the Technical Support help file for more 
> information NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.

Is there any cure known?

TIA
--
Christian Weber
mailto:[EMAIL PROTECTED]Tel: 02361/91300
For information on InfoTech visit http://www.InfoTech.de/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: do_cipher function pointer points to ?????

[Steven Reddie]

That depends on which cipher you're talking about.  
The definition reveals that it's a member of a structure named evp_cipher_st 
which is typedef'd as EVP_CIPHER.  Grep for EVP_CIPHER in evp.h and you'll 
see there are a lot of implementations of this structure.
 
Steven


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Riaz 
FarnazSent: Wednesday, 6 July 2005 12:42 AMTo: 
openssl-users@openssl.orgSubject: do_cipher function pointer points 
to ?

Hi
 
   I want to know which function does the do_cipher function 
pointer points to. I was not able to find it or may be I have not looked into 
the code much thoroughly. If any one can please point me to the definition it 
would be great 
 
Cheers
Riaz

RE: does openssl allocate memory with 16 bit alignment?

[Steven Reddie]

That depends on which cipher you're talking about.  
The definition reveals that it's a member of a structure named evp_cipher_st 
which is typedef'd as EVP_CIPHER.  Grep for EVP_CIPHER in evp.h and you'll 
see there are a lot of implementations of this structure.
 
Steven


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Riaz 
FarnazSent: Wednesday, 6 July 2005 12:41 AMTo: 
openssl-users@openssl.orgSubject: Re: does openssl allocate memory 
with 16 bit alignment?

Hi all,
 
  thanks for your replies. 
  Yes it will be aligning for data but what I am concerned is 
about buffers. Presently I am testing on hardware acceleration chip and I have 
allocated an intermediate buffer using a cacheDmaMalloc which is a 32 bit 
aligned by default and after I memcpy the contents to the newly allocated buffer 
I pass the address of the newly allocated buffer to the hardware. 
 
This should solve my problem. I have a question here..does anyone know 
which functions does the do_cipher function pointer point to ?
 
Cheers
Riaz 
On 7/5/05, Steven 
Reddie <[EMAIL PROTECTED]> 
wrote: 

  Riaz,
   
  I think 
  you'll find that malloc does do the right thing.  Otherwise code such as 
  the following would fail depending on the alignment requirements of the 
  underlying platform: 
   
      double* p = 
  (double*)malloc(sizeof(double));
      *p = 3.14;
   
  You 
  shouldn't need to mess with alignment pragmas.  These are usually used 
  when you want to reduce the alignment, not increase it, such as when needing 
  to pack data to match the format expected by communication protocols or 
  storage formats.  They're typically used for packing data more compactly 
  rather than sparsely. 
   
  The compiler and 
  runtime library need to have been targeted for the underlying platform and as 
  such should have intimate knowledge of alignment issues for that 
  platform.  If you are having an actual problem, rather 
  than simply worrying about the safety of the code on your platform, I'd 
  suggest that you have a poorly targeted compiler and/or runtime 
  library.  Try working with the code above.  If it does fail on your 
  platform then you need to get that working before worrying about 
  OpenSSL.  If a malloc of 2 bytes ever returns an odd address then, again, 
  you're looking in the wrong place by worrying about OpenSSL. 
  
   
  Steven
   
  
  
  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Riaz 
  FarnazSent: Monday, 4 July 2005 7:51 PM To: openssl-users@openssl.orgSubject: Re: does 
  openssl allocate memory with 16 bit alignment?  
  
  
  Malloc doesnt guarantee an alignment of any sort. ASIC chip requres that 
  the buffer address that is passed to it should be a strictly 16 bit ( not 
  byte ) aligned...I was going thru this link http://sources.redhat.com/ml/crossgcc/2000-08/msg00049.html and 
  here he has suggested a method of defining 
   
  #define HANDLE_PRAGMA_PACK_PUSH_POP 1  rebuild the compiler and 
  use #pragma pack(push,<2>)  for 2 byte ( which I believe is 
  16 bit alignment ) alignment. So basically I think i can create a macro 
  for the openssl malloc function to  
   
  {
      #pragma pack(push,<2>)
      malloc()
  }
   
  I am not sure if this will work, this is mainly for gcc compiler, so this 
  is a compiler dependent solution. I have to yet check this.
   
   
  On 7/4/05, Steven 
  Reddie <[EMAIL PROTECTED] > 
  wrote: 
  
Riaz, I 
think I misread/misunderstood your question.  OpenSSL uses malloc to 
allocate memory.  malloc should return an allocated buffer which is 
aligned appropriately for the underlying platform.  Typically this 
alignment will be greater than you require, such as to a 16-byte boundary. 



From: [EMAIL PROTECTED] [mailto: 
[EMAIL PROTECTED]] On Behalf Of Steven 
ReddieSent: Monday, 4 July 2005 4:23 PMTo: openssl-users@openssl.orgSubject: RE: 
does openssl allocate memory with 16 bit 
alignment? 


Isn't 
this the job of the compiler?
 
I don't 
believe that OpenSSL goes out of it's way to access values larger than 
8-bits on unaligned addresses.  One exception is the hand-optimised 
crypto routines, such as AES, where 32-bit values may be accessed on 
arbitrary addresses.  Check out the macros in aes_locl.h for 
examples of handling this properly for processors that require it.  
Typical RISC processors are more restrictive than what you're asking for, 
eg. expecting 32-bit values to be aligned to 32-bit addresses, and these are 
definitely supported by OpenSSL.  The ARM processor is one 
example.  I did the port for this (for Windows CE) and ran into this 
problem with the AES module.  If you search for use of the 
OPENSSL_SYS_WINCE macro which I added to aes_locl.h you may find other 
places where this wa

RE: does openssl allocate memory with 16 bit alignment?

[Steven Reddie]

Riaz,
 
I think you'll find that malloc does do the right 
thing.  Otherwise code such as the following would fail depending on the 
alignment requirements of the underlying platform:
 
    double* p = 
(double*)malloc(sizeof(double));
    *p = 3.14;
 
You shouldn't need to 
mess with alignment pragmas.  These are usually used when you want to 
reduce the alignment, not increase it, such as when needing to pack data to 
match the format expected by communication protocols or storage formats.  
They're typically used for packing data more compactly rather than 
sparsely.
 
The compiler and runtime library need to have been 
targeted for the underlying platform and as such should have intimate knowledge 
of alignment issues for that platform.  If 
you are having an actual problem, rather than simply worrying about the safety 
of the code on your platform, I'd suggest that you have a poorly 
targeted compiler and/or runtime library.  Try working with the code 
above.  If it does fail on your platform then you need to get that working 
before worrying about OpenSSL.  If a malloc of 2 bytes ever returns an odd 
address then, again, you're looking in the wrong place by worrying about 
OpenSSL.
 
Steven



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Riaz 
FarnazSent: Monday, 4 July 2005 7:51 PMTo: 
openssl-users@openssl.orgSubject: Re: does openssl allocate memory 
with 16 bit alignment?

Malloc doesnt guarantee an alignment of any sort. ASIC chip requres that 
the buffer address that is passed to it should be a strictly 16 bit ( not 
byte ) aligned...I was going thru this link http://sources.redhat.com/ml/crossgcc/2000-08/msg00049.html and 
here he has suggested a method of defining 
 
#define HANDLE_PRAGMA_PACK_PUSH_POP 1  rebuild the compiler and 
use #pragma pack(push,<2>)  for 2 byte ( which I believe is 
16 bit alignment ) alignment. So basically I think i can create a macro for 
the openssl malloc function to  
 
{
    #pragma pack(push,<2>)
    malloc()
}
 
I am not sure if this will work, this is mainly for gcc compiler, so this 
is a compiler dependent solution. I have to yet check this.
 
 
On 7/4/05, Steven 
Reddie <[EMAIL PROTECTED]> 
wrote: 

  Riaz, I 
  think I misread/misunderstood your question.  OpenSSL uses malloc to 
  allocate memory.  malloc should return an allocated buffer which is 
  aligned appropriately for the underlying platform.  Typically this 
  alignment will be greater than you require, such as to a 16-byte boundary. 
  
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Steven 
  ReddieSent: Monday, 4 July 2005 4:23 PMTo: 
  openssl-users@openssl.orgSubject: RE: does 
  openssl allocate memory with 16 bit alignment? 
  
  
  Isn't this 
  the job of the compiler?
   
  I don't 
  believe that OpenSSL goes out of it's way to access values larger than 8-bits 
  on unaligned addresses.  One exception is the hand-optimised crypto 
  routines, such as AES, where 32-bit values may be accessed on arbitrary 
  addresses.  Check out the macros in aes_locl.h for examples of 
  handling this properly for processors that require it.  Typical RISC 
  processors are more restrictive than what you're asking for, eg. expecting 
  32-bit values to be aligned to 32-bit addresses, and these are definitely 
  supported by OpenSSL.  The ARM processor is one example.  I did the 
  port for this (for Windows CE) and ran into this problem with the AES 
  module.  If you search for use of the OPENSSL_SYS_WINCE macro which I 
  added to aes_locl.h you may find other places where this was necessary, which 
  I've now forgotten. 
   
  Your 
  compiler should be generating code that packs structures appropriately for the 
  target processor.  Except for the optimisations mentioned above, OpenSSL 
  simply accesses the fields within the structure, so it's the job of the 
  compiler to ensure that they are aligned appropriately.  And it's the job 
  of the runtime system to ensure that the memory is allocated on an appropriate 
  boundary (typically a 16-byte boundary). 
   
  Regards,
   
  Steven
   
  
  
  From: [EMAIL PROTECTED] [mailto: 
  [EMAIL PROTECTED]] On Behalf Of Riaz 
  FarnazSent: Monday, 4 July 2005 4:04 PMTo: openssl-users@openssl.orgSubject: does openssl 
  allocate memory with 16 bit alignment? 
  
  Hi,
   
     I am working on a proprietary ASIC chip that requires the 
  memory buffers passed to it to be 16 bit aligned. Does Openssl support 
  16-bit alignment of the memory being allocated or is there any way that I can 
  force 16 bit alignment of the data? 
   
  -Riaz

RE: does openssl allocate memory with 16 bit alignment?

[Steven Reddie]

Riaz, I think I misread/misunderstood your question.  
OpenSSL uses malloc to allocate memory.  malloc should return an allocated 
buffer which is aligned appropriately for the underlying platform.  
Typically this alignment will be greater than you require, such as to a 16-byte 
boundary.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Steven 
ReddieSent: Monday, 4 July 2005 4:23 PMTo: 
openssl-users@openssl.orgSubject: RE: does openssl allocate memory 
with 16 bit alignment?

Isn't this the job of the compiler?
 
I don't believe that OpenSSL goes out of it's way to access 
values larger than 8-bits on unaligned addresses.  One exception is the 
hand-optimised crypto routines, such as AES, where 32-bit values may be accessed 
on arbitrary addresses.  Check out the macros in aes_locl.h for 
examples of handling this properly for processors that require it.  Typical 
RISC processors are more restrictive than what you're asking for, eg. expecting 
32-bit values to be aligned to 32-bit addresses, and these are definitely 
supported by OpenSSL.  The ARM processor is one example.  I did the 
port for this (for Windows CE) and ran into this problem with the AES 
module.  If you search for use of the OPENSSL_SYS_WINCE macro which I added 
to aes_locl.h you may find other places where this was necessary, which I've now 
forgotten.
 
Your compiler should 
be generating code that packs structures appropriately for the target 
processor.  Except for the optimisations mentioned above, OpenSSL simply 
accesses the fields within the structure, so it's the job of the compiler to 
ensure that they are aligned appropriately.  And it's the job of the 
runtime system to ensure that the memory is allocated on an appropriate boundary 
(typically a 16-byte boundary).
 
Regards,
 
Steven



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Riaz 
FarnazSent: Monday, 4 July 2005 4:04 PMTo: 
openssl-users@openssl.orgSubject: does openssl allocate memory with 
16 bit alignment?

Hi,
 
   I am working on a proprietary ASIC chip that requires the 
memory buffers passed to it to be 16 bit aligned. Does Openssl support 
16-bit alignment of the memory being allocated or is there any way that I can 
force 16 bit alignment of the data? 
 
-Riaz

RE: does openssl allocate memory with 16 bit alignment?

[Steven Reddie]

Isn't this the job of the compiler?
 
I don't believe that OpenSSL goes out of it's way to access 
values larger than 8-bits on unaligned addresses.  One exception is the 
hand-optimised crypto routines, such as AES, where 32-bit values may be accessed 
on arbitrary addresses.  Check out the macros in aes_locl.h for 
examples of handling this properly for processors that require it.  Typical 
RISC processors are more restrictive than what you're asking for, eg. expecting 
32-bit values to be aligned to 32-bit addresses, and these are definitely 
supported by OpenSSL.  The ARM processor is one example.  I did the 
port for this (for Windows CE) and ran into this problem with the AES 
module.  If you search for use of the OPENSSL_SYS_WINCE macro which I added 
to aes_locl.h you may find other places where this was necessary, which I've now 
forgotten.
 
Your compiler should 
be generating code that packs structures appropriately for the target 
processor.  Except for the optimisations mentioned above, OpenSSL simply 
accesses the fields within the structure, so it's the job of the compiler to 
ensure that they are aligned appropriately.  And it's the job of the 
runtime system to ensure that the memory is allocated on an appropriate boundary 
(typically a 16-byte boundary).
 
Regards,
 
Steven



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Riaz 
FarnazSent: Monday, 4 July 2005 4:04 PMTo: 
openssl-users@openssl.orgSubject: does openssl allocate memory with 
16 bit alignment?

Hi,
 
   I am working on a proprietary ASIC chip that requires the 
memory buffers passed to it to be 16 bit aligned. Does Openssl support 
16-bit alignment of the memory being allocated or is there any way that I can 
force 16 bit alignment of the data? 
 
-Riaz

RE: MSVC Application linked against static openssl libs is crashing

[Steven Reddie]

You said it crashes when you call OpenSSL?  Which function are you calling,
and what sort of crash is it? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Qadeer Baig
Sent: Tuesday, 7 June 2005 2:53 PM
To: openssl-users@openssl.org
Subject: Re: MSVC Application linked against static openssl libs is crashing

Thanks Brant Thomsen for the reply,

My application is actually a Win32 Dynamic-Library with no MFC support.

Any other idea?

Thanks and regards
--
Qadeer Baig

On 6/6/05, Brant Thomsen <[EMAIL PROTECTED]> wrote:
> I have had problems getting OpenSSL to link correctly if MFC is being
used.
> Try switching from static to dynamic loading of the MFC libraries and 
> see if that solves the problem.
> 
> Brant Thomsen
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: How to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) to SSL_read

[Steven Reddie]

Adding to David's response...

MSG_PEEK is problematic on some systems.  On Windows for example (maybe only
the 9x series, but a problem none-the-less) using MSG_PEEK will effectively
freeze the contents of the buffered data that can be seen with MSG_PEEK,
meaning that any further peeks will not be able to see any subsequently
received data.  This means that if you need to peek at 4 bytes and only one
has arrived when you perform the first peek you will never see the following
three bytes and will therefore hang or need to abort.

The BIO support in OpenSSL can help you.  By using a BIO to wrapper the
socket and buffer data that you want to peek/push-back-on you can get a
similar result.  There has been plently of BIO discussion on this list
recently and there are samples included with OpenSSL.

Regards,

Steven 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Wednesday, 25 May 2005 9:47 AM
To: openssl-users@openssl.org
Subject: RE: How to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) to SSL_read


> Dr Stephen,
> I want to map recv(fd, buffer, SEGMENT_LEN, MSG_PEEK) to some kind of 
> SSL_read.
>
> MSG_PEEK
>   This flag causes the receive operation to return data  
> from  the
>   beginning  of  the receive queue without removing that 
> data from
>   the queue.  Thus, a subsequent receive call will return 
> the same
>   data.
>
> Is it possible ?

Because this is so ugly, I would advise you to just receive it
normally and keep it in your own buffer to receive again. That's assuming
there's no way you can rearchitect the code not to use this.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Doubt regarding EMSA-PKCS1-v1_5

[Steven Reddie]

Ken, think of it this way:
1. To send a message for only a specific person to read you want to make it
decryptable with their private key, thus encrypting with their public key.
2. For a signature, the world needs to be able to verify it, so it needs to
be decryptable with the public key, and thus encrypted with the private key.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
Sent: Wednesday, 25 May 2005 7:22 AM
To: openssl-users@openssl.org
Subject: Re: Doubt regarding EMSA-PKCS1-v1_5

Ken Goldman wrote:
...
>>RSA_private_encrypt adds only the 0x00 || 0x01 || PS || 0x00 padding 
>>(if padding == RSA_PKCS1_PADDING). If you want to let openssl do the 
>>whole encoding/padding use RSA_sign or if you want to create the T 
>>value manually you need to use i2d_X509_SIG, see RSA_sign.
> 
> 
> Correct me if I'm wrong (I'm sure someone will!), but I believe that 
> signing should use RSA_private_decrypt().

no, RSA_private_decrypt and RSA_public_encrypt are used for asymmetric
encryption whereas RSA_private_encrypt and RSA_public_decrypt correspond to
RSA_sign and RSA_verify.

Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: transformation from WinInet

[Steven Reddie]

:-O
It may have been helpful if you didn't already have a copy.  I'm guessing
that Mike didn't have intimate knowledge of the content of your bookshelf.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick
Sent: Friday, 22 April 2005 2:24 AM
To: openssl-users@openssl.org
Subject: RE: transformation from WinInet

I've already done that.  Not that helpful.

Thanks.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael D'Errico
Sent: Thursday, April 21, 2005 9:21 AM
To: openssl-users@openssl.org
Subject: Re: transformation from WinInet

> I'm preparing to transform an app from using WinInet to OpenSSL. does 
> anyone have any recommendations, sources, resources, caveats, etc., 
> that I can use to accomplish this endeavor?

Buy a copy of "Network Security with OpenSSL" by O'Reilly & Associates.

Mike
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OpenSSL 0.9.7f released

[Steven Reddie]

There will be a CHANGES file inside the distribution.  This may also be
available on the website, and by browsing CVS via the web. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Zhao Sharon-CSC002
Sent: Friday, 25 March 2005 1:17 AM
To: 'openssl-users@openssl.org'
Subject: RE: OpenSSL 0.9.7f released

Announcement. Is there any other place to  provide more information?

Thanks,

Sharon Zhao 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven Reddie
Sent: Wednesday, March 23, 2005 6:21 PM
To: openssl-users@openssl.org
Subject: RE: OpenSSL 0.9.7f released

Where have you looked? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Zhao Sharon-CSC002
Sent: Thursday, 24 March 2005 2:54 AM
To: 'openssl-users@openssl.org'
Subject: RE: OpenSSL 0.9.7f released

Where I can find the release notes of 0.9.7f?

Thanks,

Sharon
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: OpenSSL 0.9.7f released

[Steven Reddie]

Where have you looked? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Zhao Sharon-CSC002
Sent: Thursday, 24 March 2005 2:54 AM
To: 'openssl-users@openssl.org'
Subject: RE: OpenSSL 0.9.7f released

Where I can find the release notes of 0.9.7f?

Thanks,

Sharon
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Openssl, FIPS, and WinCE

[Steven Reddie]

Thomas,

I view GetSystemTimeAsFileTime as a Win32 API function that has been left
out of Windows CE.  It's still part of the Windows platform though, and
wcecompat is about providing the parts of the Windows platform left out of
Windows CE.  I'm not sure how the accreditation could specifically disallow
changes outside of OpenSSL since it would also impact whether or not you
could use gcc vs native tools and possibly even compiler/library updates.

If you'd be so kind as to send me the implementation that you did for that
function I'll incorporate it into the next wcecompat release when I get the
time.  I originally had bigger plans for wcecompat but so far it's only
purpose has been to provide the functionality that OpenSSL requires -- it
sounds like changes in OpenSSL may require more wcecompa functionality.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Laramee
Sent: Thursday, 10 February 2005 4:30 AM
To: openssl-users@openssl.org
Subject: Openssl, FIPS, and WinCE

Greetings:

i recently downloaded openssl.0.9.7e, unpacked it, and began to follow the
instructions to build this for WinCE.

i have a bunch of specific questions, but i'm more interested in a
high-level question about FIPS
certification:

how many modifications can i make to both the openssl source code and
wcecompat before my openssl build is no longer FIPS certified? 

E.g.:  when trying to build crypto/rand/rand_win.c, 
   there is an undefined GetSystemTimeAsFileTime 
   method...  to get the build to complete, i have 
   to add my own version of this method. 

   does this mean that my openssl DLL will not be 
   FIPS certified?  

my thinking was that, if i build the source "as is", then i wouldn't have to
have my openssl DLL re-certified ... but if i modified it, i would.  so i'd
prefer to build the code untouched, only it doesn't build for WinCE unless
it's modified.

thoughts/comments would be very much appreciated.

thanks
--toml
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: Openssl, FIPS, and WinCE

[Steven Reddie]

Hi Oscar,

The released wcecompat only works with Windows CE SDK's up to Pocket PC 2002
(eVC3).  I am yet to release eVC4 support -- just haven't found time to do
so.  If you want to make your own local changes you should find that they
are quite minor -- the changes that I am yet to release included a revamp of
the build framework to support older and newer CE devices.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oscar Rodríguez
Sent: Thursday, 10 February 2005 6:36 AM
To: openssl-users@openssl.org
Subject: RE: Openssl, FIPS, and WinCE

I tried the same last week, but i had a lot of compilation errors like not
existing functions (ctime from wcecompat) , errors with parenthesis out of
ifdefs, a few warnings, and then, when i think that all is created, the libs
in out32_Arm doesn't compile with my project because there were missed
functions not linked :-?

-Mensaje original-
De: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] nombre de Dr. Stephen Henson
Enviado el: miércoles, 09 de febrero de 2005 20:13
Para: openssl-users@openssl.org
Asunto: Re: Openssl, FIPS, and WinCE


On Wed, Feb 09, 2005, Thomas Laramee wrote:

> Greetings:
>
> i recently downloaded openssl.0.9.7e, unpacked it, and began to follow 
> the instructions to build this for WinCE.
>
> i have a bunch of specific questions, but i'm more interested in a 
> high-level question about FIPS
> certification:
>
> how many modifications can i make to both the openssl source code and 
> wcecompat before my openssl build is no longer FIPS certified?
>

Well OpenSSL hasn't been FIPS certified yet and some issues need to be
resolved so the question is moot.

You'll effectively be able to change source outside /fips (or \fips !).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.6 - Release Date: 07/02/2005

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.6 - Release Date: 07/02/2005

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: collect2: ld returned 1 exit status

[Steven Reddie]

Yes, these errors are during the link stage.  Your libcrypto.a should
contain the file des_enc.o which should contain DES_encrypt1.  If you can't
find that symbols then something has gone wrong with your build.  I don't
think LD_LIBRARY_PATH has any effect on Cygwin, but I'm not positive -- I
think the standard Windows PATH search is used. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, 22 October 2004 12:28 AM
To: [EMAIL PROTECTED]
Subject: collect2: ld returned 1 exit status


Hi,

when trying to compile OpenSSL_0_9_7d on my Win2k machine with Cygwin I
receive the following error:

collect2: ld returned 1 exit status

This should be related to the linker, correct? I have attached the part of
log file where the error occurs. Can anybody help? I don´t know if my
configuration is correct. Do I need to set up environment variables besides
of the LD_LIBRARY_PATH variable, which I have set to the ld.exe directory?

../libcrypto.a(c_ofb64.o)(.text+0x14e):c_ofb64.c: undefined reference to
`_CAST_ encrypt'
../libcrypto.a(c_ecb.o)(.text+0x75):c_ecb.c: undefined reference to
`_CAST_encry pt'
../libcrypto.a(c_ecb.o)(.text+0xc6):c_ecb.c: undefined reference to
`_CAST_decry pt'
../libcrypto.a(c_cfb64.o)(.text+0xca):c_cfb64.c: undefined reference to
`_CAST_e ncrypt'
../libcrypto.a(c_cfb64.o)(.text+0x1ba):c_cfb64.c: undefined reference to
`_CAST_ encrypt'
../libcrypto.a(bf_ofb64.o)(.text+0x14e):bf_ofb64.c: undefined reference to
`_BF_ encrypt'
../libcrypto.a(bf_cfb64.o)(.text+0xca):bf_cfb64.c: undefined reference to
`_BF_e ncrypt'
../libcrypto.a(bf_cfb64.o)(.text+0x1ba):bf_cfb64.c: undefined reference to
`_BF_ encrypt'
../libcrypto.a(xcbc_enc.o)(.text+0x1b9):xcbc_enc.c: undefined reference to
`_DES _encrypt1'
../libcrypto.a(xcbc_enc.o)(.text+0x2ba):xcbc_enc.c: undefined reference to
`_DES _encrypt1'
../libcrypto.a(xcbc_enc.o)(.text+0x463):xcbc_enc.c: undefined reference to
`_DES _encrypt1'
../libcrypto.a(xcbc_enc.o)(.text+0x55d):xcbc_enc.c: undefined reference to
`_DES _encrypt1'
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/cygdrive/c/OpenSSL/openssl-0.9.7d/apps'
make: *** [sub_all] Error 1


I appreciate your support.

Best Regards,
Michael
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: SSL without Key?

[Steven Reddie]

Under SSL there are two possible client modes, anonymous and authenticated.
You're referring to anonymous connections where the client doesn't provide
any credentials to the server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David ARMOUR
Sent: Thursday, 21 October 2004 11:31 PM
To: [EMAIL PROTECTED]
Subject: SSL without Key?

Email clients such as Outlook can have a SSL connection to the server as an
option. However when these options are selected, the user does not have to
provide a key. How does such a system create an SSL connection? 

How could I use SSL to emulate such action?


Regards.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: RE: error while running "make" - No such file or directory

[Steven Reddie]

No, gcc should know where to look.  Try a separate test program, independent
of OpenSSL, that includes that header.  If that gives you problems you might
get help from the Cygwin list.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 21 October 2004 1:04 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: error while running "make" - No such file or directory


Hi Steven,

I do have the directory and the file within my Cygwin installation. So maybe
there is something missing in my configuration?
Do I have to set other environment variables besides of the PATH variable? 

TIA,
Michael


Steven Reddie <[EMAIL PROTECTED]> schrieb am 20.10.2004, 16:22:16:
> The sys directory refered to is under the system include directory, 
> probably /usr/include/sys.  Do you have a /usr/include/sys/time.h?  If 
> not, you may need to reinstall gcc.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Thursday, 21 October 2004 12:14 AM
> To: [EMAIL PROTECTED]
> Subject: error while running "make" - No such file or directory
> 
> 
> Hi,
> 
> When trying to make the OpenSSL version on my Win2k pc I get the 
> following
> error:
> 
> tmdiff.c:80:25: sys/times.h: No such file or directory
> 
> I don´t have a sys directory in my unpacked version (openssl-0.9.7d).
> I am using Cygwin and ActivePerl to build OpoenSSL. I followed all the 
> steps described in the install.w32 file.
> Here is the complete output of my "build attempt":
> 
> $ make
> making all in crypto...
> make[1]: Entering directory `/cygdrive/c/OpenSSL/openssl-0.9.7d/crypto'
> ( echo "#ifndef MK1MF_BUILD"; \
> echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c 
> */'; \ echo '  #define CFLAGS "gcc -DOPENSSL_SYSNAME_CYGWIN32 
> -DOPENSSL_THREADS -DDSO_
> WIN32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i48
> 6 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM"'; \ echo '  #define 
> PLATFORM "Cygwin"'; \ echo "  #define DATE \"`LC_ALL=C LC_TIME=C 
> date`\""; \ echo '#endif' ) >buildinf.h gcc -I. -I.. -I../include 
> -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem.o mem.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_clr.o mem_clr.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_dbg.o mem_dbg.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cversion.o cversion.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o ex_data.o ex_data.c
> gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS 
> -DDSO_WI
> N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
> -march=i486
> -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o tmdiff.o tmdiff.c
> tmdiff.c:80:25: sys/times.h: No such file or directory
> tmdiff.c:126: field `ms_tms' has incomplete type
> tmdiff.c: In function `ms_time_get':
> tmdiff.c:169: warning: implicit declaration of function `times'
> make[1]: *** [tmdiff.o] Error 1
> make[1]: Leaving directory `/cygdrive/c/OpenSSL/openssl-0.9.7d/crypto'
> make: *** [sub_all] Error 1
> 
> 
> 
> What can the problem be? Does anybody know?
> I appreciate any help.
> 
> Regards,
> Michael
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
> 

RE: error while running "make" - No such file or directory

[Steven Reddie]

The sys directory refered to is under the system include directory, probably
/usr/include/sys.  Do you have a /usr/include/sys/time.h?  If not, you may
need to reinstall gcc. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 21 October 2004 12:14 AM
To: [EMAIL PROTECTED]
Subject: error while running "make" - No such file or directory


Hi,

When trying to make the OpenSSL version on my Win2k pc I get the following
error:

tmdiff.c:80:25: sys/times.h: No such file or directory

I don´t have a sys directory in my unpacked version (openssl-0.9.7d).
I am using Cygwin and ActivePerl to build OpoenSSL. I followed all the steps
described in the install.w32 file.
Here is the complete output of my "build attempt":

$ make
making all in crypto...
make[1]: Entering directory `/cygdrive/c/OpenSSL/openssl-0.9.7d/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */';
\ echo '  #define CFLAGS "gcc -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_
WIN32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i48
6 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM"'; \ echo '  #define PLATFORM
"Cygwin"'; \ echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ echo
'#endif' ) >buildinf.h gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32
-DOPENSSL_THREADS -DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cryptlib.o cryptlib.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem.o mem.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_clr.o mem_clr.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o mem_dbg.o mem_dbg.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o cversion.o cversion.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o ex_data.o ex_data.c
gcc -I. -I.. -I../include -DOPENSSL_SYSNAME_CYGWIN32 -DOPENSSL_THREADS
-DDSO_WI
N32 -DOPENSSL_NO_KRB5 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3
-march=i486
-Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c -o tmdiff.o tmdiff.c
tmdiff.c:80:25: sys/times.h: No such file or directory
tmdiff.c:126: field `ms_tms' has incomplete type
tmdiff.c: In function `ms_time_get':
tmdiff.c:169: warning: implicit declaration of function `times'
make[1]: *** [tmdiff.o] Error 1
make[1]: Leaving directory `/cygdrive/c/OpenSSL/openssl-0.9.7d/crypto'
make: *** [sub_all] Error 1



What can the problem be? Does anybody know?
I appreciate any help.

Regards,
Michael
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL for ARM

[Steven Reddie]

Roberto Gallo wrote:
Hi,
We are developing a new hardware device based on Atmels ARM based 
processors. However, RSA sign times for 1024 bits are critical - 
ideally it should spend less than 3 seconds.

I have two questions: does anyone have any performance figure of 
OpenSSL's RSA or DH implementation on ARM based devices (e.g. Pocket 
PC or PDAs)?

Is there any OpenSSL development branch focused on PDAs (or any ARM 
based device)?
Hi Robert,
I did a port of OpenSSL to Windows CE which was introduced in OpenSSL 
0.9.7.  Maintenance has slipped a bit on my behalf due to lack of time, 
eg. I believe it doesn't build out-of-the-box with the CE 4.x SDK 
although the required makefile tweaks are very small.  I do have some 
patches almost ready that I need to fix up and submit.

I haven't done any performance testing.  If performance of those 
algorithms is critical for you and the current implementation doesn't 
measure up then I'm sure the project would appreciate assembler 
optimsations.

Regards,
Steven
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Problems compiling 0.9.7d for WCE

[Steven Reddie]

Hi Antonio,

A patch for this has been submitted and I'll work it into a larger set of
changes for supporting newer WCE SDKs.  To fix the problem that you're
having right now take a look at the source code at the locations listed
below and make sure that the closing ')' is included.  You'll see that an
#ifdef causes the ')' to be dropped, so just add it to the line above/below.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Ruiz Martínez
Sent: Friday, 23 April 2004 8:19 PM
To: [EMAIL PROTECTED]
Subject: Problems compiling 0.9.7d for WCE


Hello!

I'm compiling OpenSSL 0.9.7d for WCE but when I execute: nmake -f
ms\ce.mak I'm getting the next error:

clarm.exe /Fotmp32_ARM\apps.obj -DMONOLITH -Iinc32 -Itmp32_ARM /W3
/WX / Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2002 -DARM
-D_ARM_ - DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32
-DWIN32_LEAN_AND_MEAN  -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD
-IC:\Programacion\wcecompat/include
/Fdout32_
ARM -DOPENSSL_NO_KRB5  -c .\apps\apps.c
apps.c
.\apps\apps.c(1621) : error C2143: syntax error : missing ')' before 'goto'
.\apps\apps.c(1896) : error C2143: syntax error : missing ')' before 'goto'
.\apps\apps.c(1932) : error C2143: syntax error : missing ')' before 'goto'
NMAKE : fatal error U1077: 'clarm.exe' : return code '0x2' Stop.

Could you be so kind to help me, please?
Regards,
Antonio.

--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Any body doesn't want to help me?!!!!!

[Steven Reddie]

Title: Message



Can 
you narrow it down some more, such as the file and line number in OpenSSL at 
which the crash occurs.  If the crash occurs inside the C Runtime library 
such as inside the fopen function can you tell us which file and line number at 
which the call to this function was made.  There are many people on this 
list willing to help but you need to provide enough information to make it 
possible to help.  If you have the CRT source installed you should also be 
able to provide the file and line number of the crash if it does occur inside a 
C Runtime function.
 
Have 
you checked that the compiler options used when building OpenSSL and your own 
code are compatible?  eg. do you see /MD for both.  You may have to 
disable the /nologo option in the MSVC IDE to see the commands as they are 
executed.
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Saladine HachemSent: Tuesday, 20 April 2004 10:29 
  PMTo: [EMAIL PROTECTED]Subject: RE: Any body 
  doesn't want to help me?!
  
  
  
  Thank you.
   
  My program crashes when it try to execute the function 
  PEM_read_RSAPrivateKey(file, NULL,NULL,NULL)). I am sure that "file" 
  is valid.
   
  My program can execute the function 
  RSA_generate_key(512,RSA_F4,NULL,NULL) without any problem.
   
  The Type fo my VC++ project is  MFC AppWizard(dll).
  The type of my VB project is "EXE STANDARD" .
   
  Steven Reddie <[EMAIL PROTECTED]> wrote:
  

Have you traced through with a debuuger?  Where does it 
crash?

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Saladine HachemSent: Tuesday, 20 April 2004 
  7:40 PMTo: [EMAIL PROTECTED]Subject: Any 
  body doesn't want to help me?!
  
  


  

Hi,
I have developped a DLL with visual C++ 6.0 using the 
latest version of openssl 0.9.7d. 
I am sure that my DLL  links against the same 
version of the Win32 C-Runtime against which my openssl 
libraries were linked ("Multithreaded DLL").
My problem is that when I try to use this DLL with visual Basic 
my program crashes whenever my VB application calls an 
openssl's I/O function embedded in the VC++ DLL.
 
Can anybody help me 
  please ?
  
  
  Yahoo! Mail : votre e-mail personnel et gratuit qui vous suit partout ! 
  Créez 
  votre Yahoo! Mail Dialoguez en direct avec vos amis grâce à Yahoo! 
  Messenger !
  
  
  Yahoo! Mail : votre e-mail personnel et gratuit qui vous suit partout ! Créez 
  votre Yahoo! Mail Dialoguez en direct avec vos amis grâce à Yahoo! 
  Messenger !

RE: Any body doesn't want to help me?!!!!!

[Steven Reddie]

Title: Message



Have 
you traced through with a debuuger?  Where does it 
crash?

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Saladine HachemSent: Tuesday, 20 April 2004 7:40 
  PMTo: [EMAIL PROTECTED]Subject: Any body doesn't 
  want to help me?!
  
  


  

Hi,
I have developped a DLL with visual C++ 6.0 using the latest 
version of openssl 0.9.7d. 
I am sure that my DLL  links against the same 
version of the Win32 C-Runtime against which my openssl libraries 
were linked ("Multithreaded DLL").
My problem is that when I try to use this DLL with visual Basic my 
program crashes whenever my VB application calls an openssl's I/O 
function embedded in the VC++ DLL.
 
Can anybody help me 
  please ?
  
  
  Yahoo! Mail : votre e-mail personnel et gratuit qui vous suit partout ! Créez 
  votre Yahoo! Mail Dialoguez en direct avec vos amis grâce à Yahoo! 
  Messenger !

RE: FIPS mode

[Steven Reddie]

Title: Message



Hi 
Steve,
 
I take 
it that dynamically linking the FIPS OpenSSL into an executable means that the 
FIPS certification is void for that application.  So as you have stated, 
static linking is required.  However, if I'm producing 
a security library that uses OpenSSL and I statically link the FIPS OpenSSL 
into that security library but applications dynamically link against my security 
library what does this mean as far as the FIPS certification is 
concerned?
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Marquess, Steve Mr JMLFDCSent: Thursday, 25 March 
  2004 7:47 AMTo: '[EMAIL PROTECTED]'Subject: RE: 
  FIPS mode
  Graeme Perrow wrote: 
  >1. In the OpenSSL FIPS FAQ (), it 
  >says "Note that it is not compliant with the security 
  policy of FIPS >validated OpenSSL to use shared 
  libraries." What exactly does this mean? >Does it 
  mean that your app cannot use shared libraries at all, or that the 
  >OpenSSL code can't be included in a shared library, or 
  that the OpenSSL code >can't be in a shared library 
  by itself, or something else? 
  NIST has some specific "power up self test" requirements that 
  mean a message digest of the executable must be 
  checked at runtime.  We could not think of a 
  portable and robust way to accomplish that, so the validation will be confined to executables statically linked with 
  libcrypto.a.  Any other shared library may be 
  used by the referencing application, however. 
  >2. Where exactly is the security policy document? The FAQ 
  contains a link >(), 
  but this lists a >bunch of documents, none of which 
  appears to be the correct one. 
  The tense is wrong in the FAQ statement.  When NIST 
  awards the final certificate it and the Security 
  Policy will be posted at that URL (actually the 2004 
  equivalent). 
  The Security Policy is a document that defines the conditions 
  for using the validated component, in this case how to 
  build the FIPS mode library from source and how to 
  build an application using that library.  We have a near final draft but are waiting for it to be blessed by the 
  testing laboratory and NIST before releasing to the 
  general public.  That document is also written in 
  present/past tense, one of the reasons we aren't releasing it as NIST frowns on premature claims of validation. 
  
  -Steve M. 
  Steve Marquess DMLSS Technical Manager 
  JMLFDC, 623 Porter Street, Ft. Detrick, MD  
  21702 DSN 343-3933, COM 301-619-3933, FAX 
  301-619-7831 [EMAIL PROTECTED] 
  

RE: New CA index subfiles (.attr, .attr.new, .attr.old, .new)

[Steven Reddie]

enaming "index.txt" to "index.txt.old"
DEBUG: renaming "index.txt.new" to "index.txt"
DEBUG: renaming "index.txt.attr" to "index.txt.attr.old"
unable to rename index.txt.attr to index.txt.attr.old
unable to write 'random state'
about to remove
c:/cygwin/home/redst01/dev/obj/winnt/debug_build/openssl/util/issue.cnf.3856
total 5334
drwxr-xr-x+   3 redst01  None0 Mar 19 17:42 ..
-rw-r--r--1 redst01  None12921 Mar 19 17:42 test1.d
-rwxr-xr-x1 redst01  None86016 Mar 19 17:42 vc60.pdb
-rwxr-xr-x1 redst01  None85123 Mar 19 17:42 test1.obj
-rwxr-xr-x1 redst01  None  3023872 Mar 19 17:42 test1.pdb
-rwxr-xr-x1 redst01  None  1079480 Mar 19 17:42 test1.ilk
-rwxr-xr-x1 redst01  None  1126492 Mar 19 17:42 test1.exe
-rw-r--r--1 redst01  None 3332 Mar 19 17:42 test.sh
-rw-r--r--1 redst01  None   45 Mar 19 17:42 randstate
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 root_key.pem
-rwxr-xr-x1 redst01  None  749 Mar 19 17:42 root_cert.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 ca1_key.pem
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr.old
-rwxr-xr-x1 redst01  None 2906 Mar 19 17:42 ca1_cert.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 ca1_ee1_key.pem
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr
-rwxr-xr-x1 redst01  None  103 Mar 19 17:42 index.txt
-rwxr-xr-x1 redst01  None 2977 Mar 19 17:42 ca1_ee1_cert.pem
-rwxr-xr-x1 redst01  None  586 Mar 19 17:42 newreq.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 newkey.pem
-rw-r--r--1 redst01  None18469 Mar 19 17:42 test.testout
-rwxr-xr-x1 redst01  None  158 Mar 19 17:42 index.txt.new
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr.new
-rwxr-xr-x1 redst01  None 2977 Mar 19 17:42 newcrt.pem
drwxr-xr-x+   2 redst01  None0 Mar 19 17:42 .
Certificate(s) revoked.
total 5335
drwxr-xr-x+   3 redst01  None0 Mar 19 17:42 ..
-rw-r--r--1 redst01  None12921 Mar 19 17:42 test1.d
-rwxr-xr-x1 redst01  None86016 Mar 19 17:42 vc60.pdb
-rwxr-xr-x1 redst01  None85123 Mar 19 17:42 test1.obj
-rwxr-xr-x1 redst01  None  3023872 Mar 19 17:42 test1.pdb
-rwxr-xr-x1 redst01  None  1079480 Mar 19 17:42 test1.ilk
-rwxr-xr-x1 redst01  None  1126492 Mar 19 17:42 test1.exe
-rw-r--r--1 redst01  None 3332 Mar 19 17:42 test.sh
-rw-r--r--1 redst01  None   45 Mar 19 17:42 randstate
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 root_key.pem
-rwxr-xr-x1 redst01  None  749 Mar 19 17:42 root_cert.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 ca1_key.pem
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr.old
-rwxr-xr-x1 redst01  None 2906 Mar 19 17:42 ca1_cert.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 ca1_ee1_key.pem
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr
-rwxr-xr-x1 redst01  None 2977 Mar 19 17:42 ca1_ee1_cert.pem
-rwxr-xr-x1 redst01  None  586 Mar 19 17:42 newreq.pem
-rwxr-xr-x1 redst01  None  887 Mar 19 17:42 ca1_ee2_key.pem
-rwxr-xr-x1 redst01  None  158 Mar 19 17:42 index.txt.new
-rwxr-xr-x1 redst01  None   21 Mar 19 17:42 index.txt.attr.new
-rwxr-xr-x1 redst01  None 2977 Mar 19 17:42 ca1_ee2_cert.pem
-rw-r--r--1 redst01  None20192 Mar 19 17:42 test.testout
-rw-r--r--1 redst01  None  103 Mar 19 17:42 index.txt
drwxr-xr-x+   2 redst01  None0 Mar 19 17:42 .
c:/cygwin/home/redst01/dev/obj/winnt/debug_build/openssl/bin/openssl ocsp
-issuer ca1_cert.pem -cert ca1_ee1_cert.pem -reqout ca1_ee1_req_unsigned.der
-no_nonce
c:/cygwin/home/redst01/dev/obj/winnt/debug_build/openssl/bin/openssl ocsp
-issuer ca1_cert.pem -cert ca1_ee1_cert.pem -reqout ca1_ee1_req_signed.der
-signer ca1_ee1_cert.pem -signkey ca1_ee1_key.pem -sign_other ca1_cert.pem
-no_nonce
Starting OCSP responder
c:/cygwin/home/redst01/dev/obj/winnt/debug_build/openssl/bin/openssl ocsp
-index index.txt -text -resp_no_certs -port 19916 -CA ca1_cert.pem -rsigner
ca1_cert.pem -rkey ca1_key.pem


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Levitte - VMS
Whacker
Sent: Friday, 19 March 2004 6:57 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: New CA index subfiles (.attr, .attr.new, .attr.old, .new)


In message <[EMAIL PROTECTED]> on Fri, 19 Mar 2004
14:31:55 +1100, "Steven Reddie" <[EMAIL PROTECTED]> said:

smr> Hi Richard,
smr> 
smr> Ah, that's the problem then.  The .new file is remaining and the 
smr> contents aren

RE: New CA index subfiles (.attr, .attr.new, .attr.old, .new)

[Steven Reddie]

Hi Richard,

Ah, that's the problem then.  The .new file is remaining and the contents
aren't being rolled into the index.txt file.  All I've done is upgrade from
OpenSSL 0.9.7c to OpenSSL 0.9.7d, however we have some patches in our ca.c
file to support Delta CRLs which I don't think should matter in this case.

Here's a dump of the commands that are being run during this test, and the
resulting index.txt* files that exist after the last command:

openssl req -x509 -new -sha1 -nodes -config request.cnf -keyout newkey.pem
-out newcrt.pem
openssl req -new -sha1 -nodes -config request.cnf -keyout newkey.pem -out
newreq.pem
openssl ca -cert root_cert.pem -keyfile root_key.pem -name
certificate_authority -days 365
   -md sha1 -config issue.cnf.1384 -batch -out newcrt.pem -outdir .
-infiles newreq.pem
openssl req -new -sha1 -nodes -config request.cnf -keyout newkey.pem -out
newreq.pem
openssl ca -cert ca1_cert.pem -keyfile ca1_key.pem -name end_entity -days
365 -md sha1
   -config issue.cnf.2372 -batch -out newcrt.pem -outdir . -infiles
newreq.pem
openssl req -new -sha1 -nodes -config request.cnf -keyout newkey.pem -out
newreq.pem
openssl ca -cert ca1_cert.pem -keyfile ca1_key.pem -name end_entity -days
365 -md sha1
   -config /issue.cnf.2660 -batch -out newcrt.pem -outdir . -infiles
newreq.pem
openssl ocsp -issuer ca1_cert.pem -cert ca1_ee1_cert.pem -reqout
ca1_ee1_req_unsigned.der -no_nonce
openssl ocsp -issuer ca1_cert.pem -cert ca1_ee1_cert.pem -reqout
ca1_ee1_req_signed.der
 -signer ca1_ee1_cert.pem -signkey ca1_ee1_key.pem -sign_other
ca1_cert.pem -no_nonce
openssl ocsp -index index.txt -text -resp_no_certs -port 19916 -CA
ca1_cert.pem -rsigner ca1_cert.pem -rkey ca1_key.pem
 
index.txt
V   050319032211Z   01  unknown /C=US/O=Root/OU=CA1
V   050319032215Z   02  unknown /C=US/O=Root/OU=CA1/CN=ee1

index.txt.attr
unique_subject = yes

index.txt.attr.new
unique_subject = yes

index.txt.attr.old
unique_subject = yes

index.txt.new
V   050319032211Z   01  unknown /C=US/O=Root/OU=CA1
V   050319032215Z   02  unknown /C=US/O=Root/OU=CA1/CN=ee1
V   050319032218Z   03  unknown /C=US/O=Root/OU=CA1/CN=ee2
 
Regards,
 
Steven Reddie
Manager, Development - eTrust R&D
Computer Associates (Australia)
[EMAIL PROTECTED]
Phone: +61 3 8416 5613

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Levitte - VMS
Whacker
Sent: Friday, 19 March 2004 1:47 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: New CA index subfiles (.attr, .attr.new, .attr.old, .new)


In message <[EMAIL PROTECTED]> on Fri, 19 Mar 2004
11:33:07 +1100, "Steven Reddie" <[EMAIL PROTECTED]> said:

smr> Hi Richard,
smr>  
smr> I'm confused by changes to the "openssl ca" command changes in 
smr> 0.9.7d that now spit out several CA index files.  Previously we got 
smr> a single index.txt files, but now are seeing also index.txt.attr, 
smr> index.txt.attr.new, index.txt.attr.old, and index.txt.new.
smr>  
smr> We have some scripts that issue and revoke certificates, specifying 
smr> index.txt as the CA index file.  This all worked well as everything 
smr> was in the one file.  Now, it seems that we need to specify 
smr> index.txt when issuing certificates, but index.txt.new when 
smr> revoking certificates and when using the ocsp command.
smr>  
smr> Is there something I can do to get the original behaviour, or can 
smr> you clarify whether I do need to specify different CA index files 
smr> for each command as I've found.

Previous versions of openssl also created index.txt.new as a temporary work
file.  That hasn't changed.  index.txt.attr is an extra file that contains
some extra attributes for index.txt.  Right now, there's only one attribute
that indicates if multiple records with the same subject are OK or not.

Can you tell me exactly what the problem is?  The .new files should
disappear after an operation...

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400. See
<http://www.stacken.kth.se/~levitte/mail/> for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

New CA index subfiles (.attr, .attr.new, .attr.old, .new)

[Steven Reddie]

Title: Message



Hi 
Richard,
 
I'm confused by 
changes to the "openssl ca" command changes in 0.9.7d that now spit out several 
CA index files.  Previously we got a single index.txt files, but now are 
seeing also index.txt.attr, index.txt.attr.new, index.txt.attr.old, and 
index.txt.new.
 
We have some scripts 
that issue and revoke certificates, specifying index.txt as the CA index 
file.  This all worked well as everything was in the one file.  Now, 
it seems that we need to specify index.txt when issuing certificates, but 
index.txt.new when revoking certificates and when using the ocsp 
command.
 
Is there something I 
can do to get the original behaviour, or can you clarify whether I do need to 
specify different CA index files for each command as I've 
found.
 
Regards,
 
Steven
 

RE: BER Format ?

[Steven Reddie]

You mean DER which is a subset of BER.  The OpenSSL i2d_* functions convert
from OpenSSL's internal representation into DER.  Load with the PEM routines
and i2d the resulting X509 object.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Surrealistic Dreamer
Sent: Monday, 1 March 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: BER Format ?


Hi,

I need to convert the PEM X509 certificate to the BER format ... can anybody

tell me how to do this using the OpenSSL library ?

Thanks.

Peter.

_
Download games, logos, wallpapers and lots more at MSN Mobile! 
http://www.msn.com.sg/mobile/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Installation Trouble VC7 Win32

[Steven Reddie]

Title: Message



Sorry, 
spoke too soon.  Not noticing the scrollbar, my window size made the 
message look like it ended after the "wheels fall off" section.  
doh!

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Steven ReddieSent: Wednesday, 18 February 2004 10:06 
  AMTo: [EMAIL PROTECTED]Subject: RE: Installation 
  Trouble VC7 Win32
  Elaborating on "wheels fall off" might make the problem easier to 
  diagnose.  If X509_NAME is mentioned then it's probably a clash with the 
  Microsoft Platform SDK.  With VC6 the Platform SDK was a seperate 
  optional package and it was simply a matter of removing the Platform SDK 
  from your INCLUDE environment variable to build OpenSSL.  With VC.NET I 
  notice that there is a Platform SDK subdirectory of Vc7 so it may not be 
  possible to alter your INCLUDE path in an appropriate way to avoid the 
  SDK.  However, I think there is a #define (maybe NOCRYPT) you can use to 
  avoid pulling in Microsoft's X509_NAME.
   
  Regards,
   
  Steven
  

-Original Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Chris RoweSent: Wednesday, 18 February 2004 
8:04 AMTo: [EMAIL PROTECTED]Subject: 
Installation Trouble VC7 Win32

OK I am new to openssl and am 
experiencing difficulty building openssl. I have followed the install.w32 
instructions to the letter, but still no luck on the nmake 
step…
Does anyone have a makefile or 
project/solution file *.sln that simplifies the build under VS.Net 
VC7?
 
These two steps are 
fine,,,
> perl Configure 
VC-WIN32
> 
ms\do_masm
 
This step is where the “wheels 
fall off”
> nmake -f 
ms\ntdll.mak
 
 
Here is the output in DOS of 
what’s happening on my machine (running WinXP Pro, MSVC++6 with latest 
platform sdk – all paths are set correctly)
 
Microsoft Windows XP [Version 
5.1.2600]
(C) Copyright 1985-2001 
Microsoft Corp.
 
D:\Temp\openssl096i>perl 
Configure VC-WIN32
Configuring for 
VC-WIN32
IsWindows=1
CC    
=cl
CFLAG 
=-DTHREADS  -DDSO_WIN32
EX_LIBS   
=
BN_ASM    
=bn_asm.o
DES_ENC   
=des_enc.o fcrypt_b.o
BF_ENC    
=bf_enc.o
CAST_ENC  
=c_enc.o
RC4_ENC   
=rc4_enc.o
RC5_ENC   
=rc5_enc.o
MD5_OBJ_ASM   
=
SHA1_OBJ_ASM  
=
RMD160_OBJ_ASM=
PROCESSOR 
=
RANLIB    
=true
PERL  
=perl
THIRTY_TWO_BIT 
mode
BN_LLONG 
mode
RC4_INDEX 
mode
RC4_CHUNK is 
undefined
 
Configured for 
VC-WIN32.
 
The next part seems to be error 
free as well…
 
D:\Temp\openssl096i>ms\do_masm
Generating x86 for MASM 
assember
Bignum
DES
"crypt(3)"
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32
 
D:\Temp\openssl096i>perl 
util\mkfiles.pl  1>MINFO
 
D:\Temp\openssl096i>rem perl 
util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
 
D:\Temp\openssl096i>rem perl 
util\mk1mf.pl VC-W31-32 >ms\w31.mak
 
D:\Temp\openssl096i>perl 
util\mk1mf.pl dll VC-W31-32  
1>ms\w31dll.mak
 
D:\Temp\openssl096i>perl 
util\mk1mf.pl VC-WIN32  1>ms\nt.mak
 
D:\Temp\openssl096i>perl 
util\mk1mf.pl dll VC-WIN32  
1>ms\ntdll.mak
 
D:\Temp\openssl096i>perl 
util\mkdef.pl 16 libeay  
1>ms\libeay16.def
 
D:\Temp\openssl096i>perl 
util\mkdef.pl 32 libeay 
 1>ms\libeay32.def
 
D:\Temp\openssl096i>perl 
util\mkdef.pl 16 ssleay  
1>ms\ssleay16.def
 
D:\Temp\openssl096i>perl 
util\mkdef.pl 32 ssleay  
1>ms\ssleay32.def
 
 
Then I am getting the following 
error on nmake
 
D:\Temp\openssl096i>nmake -f 
ms\ntdll.mak > err
 
Microsoft (R) Program 
Maintenance Utility Version 7.10.3077
Copyright (C) Microsoft 
Corporation.  All rights reserved.
 
NMAKE : fatal error U1077: 'cl' 
: return code '0x2'
Stop.
….
Building 
OpenSSL
    
cl /Fotmp32dll\cryptlib.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 
/Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN 
-DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll /Gd 
-D_WINDLL -D_DLL  -c 
D:\Temp\openssl096i\crypto\cryptlib.c
cryptlib.c
D:\Temp\openssl096i\crypto\cryptlib.c(59) 
: fatal error C1083: Cannot open include file: 'stdio.h': No such file or 
directory

RE: Installation Trouble VC7 Win32

[Steven Reddie]

Title: Message



Elaborating on "wheels fall off" might make the problem easier to 
diagnose.  If X509_NAME is mentioned then it's probably a clash with the 
Microsoft Platform SDK.  With VC6 the Platform SDK was a seperate optional 
package and it was simply a matter of removing the Platform SDK from your 
INCLUDE environment variable to build OpenSSL.  With VC.NET I notice that 
there is a Platform SDK subdirectory of Vc7 so it may not be possible to alter 
your INCLUDE path in an appropriate way to avoid the SDK.  However, I think 
there is a #define (maybe NOCRYPT) you can use to avoid pulling in Microsoft's 
X509_NAME.
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Chris RoweSent: Wednesday, 18 February 2004 8:04 
  AMTo: [EMAIL PROTECTED]Subject: Installation 
  Trouble VC7 Win32
  
  OK I am new to openssl and am 
  experiencing difficulty building openssl. I have followed the install.w32 
  instructions to the letter, but still no luck on the nmake 
  step…
  Does anyone have a makefile or 
  project/solution file *.sln that simplifies the build under VS.Net 
  VC7?
   
  These two steps are 
  fine,,,
  > perl Configure 
  VC-WIN32
  > 
  ms\do_masm
   
  This step is where the “wheels 
  fall off”
  > nmake -f 
  ms\ntdll.mak
   
   
  Here is the output in DOS of 
  what’s happening on my machine (running WinXP Pro, MSVC++6 with latest 
  platform sdk – all paths are set correctly)
   
  Microsoft Windows XP [Version 
  5.1.2600]
  (C) Copyright 1985-2001 Microsoft 
  Corp.
   
  D:\Temp\openssl096i>perl 
  Configure VC-WIN32
  Configuring for 
  VC-WIN32
  IsWindows=1
  CC    
  =cl
  CFLAG 
  =-DTHREADS  -DDSO_WIN32
  EX_LIBS   
  =
  BN_ASM    
  =bn_asm.o
  DES_ENC   
  =des_enc.o fcrypt_b.o
  BF_ENC    
  =bf_enc.o
  CAST_ENC  
  =c_enc.o
  RC4_ENC   
  =rc4_enc.o
  RC5_ENC   
  =rc5_enc.o
  MD5_OBJ_ASM   
  =
  SHA1_OBJ_ASM  
  =
  RMD160_OBJ_ASM=
  PROCESSOR 
  =
  RANLIB    
  =true
  PERL  
  =perl
  THIRTY_TWO_BIT 
  mode
  BN_LLONG 
  mode
  RC4_INDEX 
  mode
  RC4_CHUNK is 
  undefined
   
  Configured for 
  VC-WIN32.
   
  The next part seems to be error 
  free as well…
   
  D:\Temp\openssl096i>ms\do_masm
  Generating x86 for MASM 
  assember
  Bignum
  DES
  "crypt(3)"
  Blowfish
  CAST5
  RC4
  MD5
  SHA1
  RIPEMD160
  RC5\32
   
  D:\Temp\openssl096i>perl 
  util\mkfiles.pl  1>MINFO
   
  D:\Temp\openssl096i>rem perl 
  util\mk1mf.pl VC-MSDOS no-sock >ms\msdos.mak
   
  D:\Temp\openssl096i>rem perl 
  util\mk1mf.pl VC-W31-32 >ms\w31.mak
   
  D:\Temp\openssl096i>perl 
  util\mk1mf.pl dll VC-W31-32  
  1>ms\w31dll.mak
   
  D:\Temp\openssl096i>perl 
  util\mk1mf.pl VC-WIN32  1>ms\nt.mak
   
  D:\Temp\openssl096i>perl 
  util\mk1mf.pl dll VC-WIN32  
1>ms\ntdll.mak
   
  D:\Temp\openssl096i>perl 
  util\mkdef.pl 16 libeay  
1>ms\libeay16.def
   
  D:\Temp\openssl096i>perl 
  util\mkdef.pl 32 libeay 
 1>ms\libeay32.def
   
  D:\Temp\openssl096i>perl 
  util\mkdef.pl 16 ssleay  
1>ms\ssleay16.def
   
  D:\Temp\openssl096i>perl 
  util\mkdef.pl 32 ssleay  
1>ms\ssleay32.def
   
   
  Then I am getting the following 
  error on nmake
   
  D:\Temp\openssl096i>nmake -f 
  ms\ntdll.mak > err
   
  Microsoft (R) Program Maintenance 
  Utility Version 7.10.3077
  Copyright (C) Microsoft 
  Corporation.  All rights reserved.
   
  NMAKE : fatal error U1077: 'cl' : 
  return code '0x2'
  Stop.
  ….
  Building 
  OpenSSL
      
  cl /Fotmp32dll\cryptlib.obj  -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 
  /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 
  -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll /Gd -D_WINDLL 
  -D_DLL  -c 
  D:\Temp\openssl096i\crypto\cryptlib.c
  cryptlib.c
  D:\Temp\openssl096i\crypto\cryptlib.c(59) 
  : fatal error C1083: Cannot open include file: 'stdio.h': No such file or 
  directory

RE: Randomness in encrypted text

[Steven Reddie]

Brian,

Please refrain from sending the same message four times in a row.  It
doesn't get you an answer any faster.

The openssl enc command by default adds a salt to the start of the message
to be encrypted and removes it on decryption.  This salt is of the form
"Salted__" followed by some binary data; your plaintext then follows.  By
default the binary data in the salt is random, and thus why you see the
decrypted output changing each time.  If you include the -nosalt option then
no salt will be added and your output will be fixed.  There is also a "-S
hexdigits" option that allows you to specify the salt, eg. "-S 414243" will
prepend Salted__ABC to your plaintext.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian
Sent: Sunday, 1 February 2004 1:37 PM
To: [EMAIL PROTECTED]
Subject: Randomness in encrypted text


I am having problems getting random output using AES encryption.  I know
that it is possible because by typing the following at the command
prompt:

openssl enc -e -aes-256-ecb  -in test.txt -pass pass:hello -out test.enc

the resulting file test.enc had different output every time I ran that
command, so I wrote a simple program using the OpenSSL API to accomplish the
same thing (the passphrase is not the same, of course):


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

main()
{
static const unsigned char key32[32]=
{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,
 0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,
 0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,0x56};

AES_KEY aes_ks1, aes_ks2, aes_ks3;
char *plain = "This is a test";
char enc[200] = {'\0'};
char plain2[200];

int retval = RAND_write_file("./RND_FILE");
printf("RAND_write_file returned: %d\n", retval);

retval = RAND_load_file ("./RND_FILE", -1);
printf("RAND_load_file returned: %d\n", retval);
printf("RAND_status = %d\n", RAND_status());
AES_set_encrypt_key(key32,256,&aes_ks3);
AES_set_decrypt_key(key32,256,&aes_ks2);
AES_ecb_encrypt(plain, enc, &aes_ks3, 1);
printf("Plain: %s -- Enc: %s\n", plain, enc);
AES_ecb_encrypt(enc, plain2, &aes_ks2, 0);
printf("Lengths: Plain (%d)  -- Enc (%d)\n", strlen(plain),
strlen(enc));
int loop;
for (loop = 0; loop < 50; loop ++)
{
printf("%x ", (u_char)enc[loop]);
if ( ((loop+1)%20) == 0 ) printf("\n");
}
printf("\n");
printf("Plain: %s -- Enc: %s\n", plain2, enc);
return 0;
}

The program is compiled as follows:
gcc -I /usr/local/ssl/include -L /usr/local/ssl/lib -o try_aes1 try_aes1.c
-lssl -lcrypto -lsocket

according to the documentation, Unix systems that have the file
"/dev/urandom" are supposed to handle seeding the PRNG transparently.  I am
running this on Solaris and there is a file "/dev/urandom", yet every time I
run this program, I get the exact same output.  I tried it first without the
RAND_* functions (RAND_load_file and RAND_write_file, etc.) and it did not
work so I added them in later.  Even though RAND_status returns 1
(indicating the PRNG was successfully seeded) I still get exactly the same
output.  Am I missing something?  Are there more calls needed to make this
accually work?  Why does it work in the openssl command but not with the
API?  Any help would be greatly appreciated!  I am using openssl version
0.9.7c on Solaris 2.9 Sparc (sparcv9, UltraSparc IIi) tested in both 32 and
64 bit mode.  If I have left out any details let me know.

Thanks,
brian.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: unresolved symbol error on HP

[Steven Reddie]

Your libcrypto has been built with gcc so you need to link your application
against the gcc runtime library.  Either use gcc to invoke the linker, or
link against the library printed when you run "gcc -print-libgcc-file-name".

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 18 December 2003 10:58 AM
To: [EMAIL PROTECTED]
Subject: unresolved symbol error on HP






All,

I am trying to get my application running on HP-UX, with openssl support. I
have linked sucessfully against  openssl with the shared libraries -lcrypto
and -lssl

however at runtime I get the following error:

unresolved symbol __udivdi3 (code) error from   /usr/lib/libcrypto.sl.0.9.7

Any suggestions?

Thanks!


Ajay Balan
Staff Software Engineer - I
Sybase Inc
303-409-7334
[EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Win CE 3.0 with OpenSSL

[Steven Reddie]

It seems that you do have an INCLUDE variable set by WCEARM.BAT, so you
shouldn't been to tweak it yourself.  The value is:
INCLUDE=C:\Windows CE Tools\WCE300\ms pocket pc\include;
  C:\Windows CE Tools\WCE300\ms pocket pc\MFC\include;
  C:\Windows CE Tools\WCE300\ms pocket pc\ATL\include;

The command for configuring that is listed in INSTALL.WCE is:
perl Configure VC-CE
The command you are running is invalid since VC-CE is not a filename but an
argument to Configure.  You need to run this script from the
C:\openSSL\openssl-0.9.7c directory.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mahabhashyam Anupama
Sent: Thursday, 27 November 2003 6:18 PM
To: [EMAIL PROTECTED]
Subject: RE: Win CE 3.0 with OpenSSL


Thanks again Steven for your patience and help.

Still getting error messages. New ones for a change:-)

I am running some commands a C prompt and some at c:\openssl\openssl-0.9.7c 
since perl configure command doesn't run at c prompt. Could this be an 
indication of the problem?? Here is the full text of all commands I used 
from start to finish with corresponding messages.

---

C:\Documents and Settings\Srinivas and Anupama>cd\

C:\>set
ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and
Settings\Srinivas and Anupama\Application Data CLASSPATH=.;C:\Documents and
Settings\Srinivas and Anupama\My 
Documents\ANU;C:\Program Files\JBuilder7\jdk1.3. 1\src.jar;C:\Documents and
Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\Xerces\xerces-2_2_1\xercesImp
l.jar;C:\Documents and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\Xerces\xerces-2_2_1\xmlParserAPIs
.jar;C:\Documents and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xalan.jar;C:\Doc
uments and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xalanservlet.jar;C:\Documen
ts and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xercesImpl.jar;C:\Documents and
Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xml-apis.jar;C:\Documents and Setting
s\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xsltc.jar;C:\Documents and 
Settings\Srinivas
and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\java_cup.jar;C:\Program 
Files\batik-1.5;C:\Program Files
\batik-1.5\batik-awt-util.jar
CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=SRI-ANU-LAPTOP
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Srinivas and Anupama
JAVA_HOME=C:\JBuilder6\jdk1.3.1\bin;C:\JBuilder6\jdk1.3.1\lib
LOGONSERVER=\\SRI-ANU-LAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Perl\bin\;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM;C:\orant
\bin;C:\Documents 
and Settings\Sri
nivas and Anupama\My Documents\ANU\engr27\xmlParserAPIs.jar;C:\Documents and

Settings\Srinivas and Anupama\My
Documents\ANU\engr27\xercesImpl.jar;%PATH%;C:\orant\jdk\bin;C:\JBuilder9\jdk
1.4\bin;C:\JBuilder9\jdk1.4\lib
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 6 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6 PROCESSOR_REVISION=060a ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\SRINIV~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\SRINIV~1\LOCALS~1\Temp
USERDOMAIN=SRI-ANU-LAPTOP
USERNAME=Srinivas and Anupama
USERPROFILE=C:\Documents and Settings\Srinivas and Anupama windir=C:\WINNT

C:\>"C:\Program Files\Microsoft eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT"

C:\>set
ALLUSERSPROFILE=C:\Documents and Settings\All Users APPDATA=C:\Documents and
Settings\Srinivas and Anupama\Application Data CC=clarm.exe CFG=none
CLASSPATH=.;C:\Documents and Settings\Srinivas and Anupama\My 
Documents\ANU;C:\Program Files\JBuilder7\jdk1.3. 1\src.jar;C:\Documents and
Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\Xerces\xerces-2_2_1\xercesImp
l.jar;C:\Documents and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\Xerces\xerces-2_2_1\xmlParserAPIs
.jar;C:\Documents and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xalan.jar;C:\Doc
uments and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xalanservlet.jar;C:\Documen
ts and Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xercesImpl.jar;C:\Documents and
Settings\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xml-apis.jar;C:\Documents and Setting
s\Srinivas and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\xsltc.jar;C:\Documents and 
Settings\Srinivas
and Anupama\My 
Documents\ANU\engr27\xalan-j_2_4_1\bin\java_cup.jar;C:\Program 
Files\batik-1.5;C:\Program Files
\batik-1.5\batik-awt-util.jar
CommonProgramFiles=C:\Program Files\Common Files COMPUTERNAME=SRI-ANU-LAPTOP
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH

RE: Win CE 3.0 with OpenSSL

[Steven Reddie]

Title: Message



The 
code listed in the error below shouldn't be compiled for WINCE due to the #ifdef 
at the top of that module.  What has most likely happened is that 
OPENSSL_SYS_WINCE is not being defined.  I haven't tried building OpenSSL 
on WINCE since 0.9.7 or 0.9.7a but it doesn't look like anything has changed in 
this area.  Have you performed the "perl Configure VC-CE" 
step listed in INSTALL.WCE?  This step result in OPENSSL_SYSNAME_WINCE 
being defined which should result in OPENSSL_SYS_WINCE being defined when 
e_os2.h is included indirectly by dso_win32.c.
 
As for 
your previous problem, you might want to determine why INCLUDE wasn't set when 
running WCEARM.BAT since it may signal a problem with your SDK 
setup.

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Mahabhashyam AnupamaSent: Thursday, 27 November 2003 
  2:47 PMTo: [EMAIL PROTECTED]Subject: RE: Win CE 
  3.0 with OpenSSL
  
  
  Thanks for the quick reply. I did run that bat file and also tried setting 
  the path in environment variables from control panel settings. However, 
  setting at command prompt seemed to do the trick. Well, its never easy for 
  novices like me...now I have a new error:
      clarm.exe 
  /Fotmp32_ARM\dso_win32.obj  -Iinc32 -Itmp32_ARM /W3 /WX /Ox /O2 /Ob2 /Gs0 
  /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2000 -DARM -D_ARM_ 
  -DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32 
  -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD 
  -IC:\openssl\wcecompat/include /Fdout32_ARM -DOPENSSL_NO_KRB5  -c 
  .\crypto\dso\dso_win32.cdso_win32.c.\crypto\dso\dso_win32.c(125) : 
  error C2220: warning treated as error - no object file 
  generated.\crypto\dso\dso_win32.c(125) : warning C4133: 'function' : 
  incompatible types - from 'char *' to 'const unsigned short 
  *'.\crypto\dso\dso_win32.c(210) : warning C4133: 'function' : incompatible 
  types - from 'const char *' to 'const unsigned short 
  *'.\crypto\dso\dso_win32.c(241) : warning C4133: 'function' : incompatible 
  types - from 'const char *' to 'const unsigned short *'NMAKE : 
  fatal error U1077: 'clarm.exe' : return code 
  '0x2'Stop.
  
  Share holiday photos without 
  swamping your Inbox. Get MSN Extra Storage now! 
  __ OpenSSL 
  Project http://www.openssl.org User Support Mailing List 
  [EMAIL PROTECTED] Automated List Manager 
[EMAIL PROTECTED]

RE: Win CE 3.0 with OpenSSL

[Steven Reddie]

Title: Message



The 
first instruction listed in OpenSSL's INSTALL.WCE file, executing eVC's 
WCEARM.BAT file (or similar), should result in setting the INCLUDE environment 
variable.  Have you run that command?  If so, can you open a fresh 
command prompt window, execute the following commands, and send me the 
results:
 
    C:\> set
    C:\> "C:\Program Files\Microsoft 
eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT"
    C:\> set
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Mahabhashyam AnupamaSent: Thursday, 27 November 2003 
  2:29 PMTo: [EMAIL PROTECTED]Subject: RE: Win CE 
  3.0 with OpenSSL
  
  
  Hi Steven,
  Yes, the windows.h file is in the C:\Windows CE Tools\wce300\Pocket PC 
  2002\include folder.  I tried running agin and this time I got the 
  following error message. Can you please let me know where/how I have to set 
  the include environment variable. Currently, I did not find any PPC related 
  evoronment variables in my desktop propoerties. Error message shown below:
  ---
  C:\openSSL\openssl-0.9.7c>nmake -f ms\ce.mak
  Microsoft (R) Program Maintenance Utility   Version 
  6.00.8168.0Copyright (C) Microsoft Corp 1988-1998. All rights 
reserved.
  Building OpenSSL    copy nul+ 
  .\crypto\buildinf.h 
  tmp32_ARM\buildinf.hnul.\crypto\buildinf.h    
  1 file(s) copied.    clarm.exe 
  /Fotmp32_ARM\cryptlib.obj  -Iinc32 -Itmp32_ARM /W3 /WX /Ox /O2 /Ob2 /Gs0 
  /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2000 -DARM -D_ARM_ 
  -DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32 
  -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD 
  -IC:\openssl\wcecompat/include /Fdout32_ARM -DOPENSSL_NO_KRB5  -c 
  .\crypto\cryptlib.ccryptlib.ctmp32_ARM\e_os.h(233) : fatal error 
  C1083: Cannot open include file: 'windows.h': No such file or 
  directoryNMAKE : fatal error U1077: 'clarm.exe' : return code 
  '0x2'Stop.
  
  Set yourself up for fun at home! 
  Get ti ps on home entertainment equipment, video game reviews, and more 
  here. 
  __ OpenSSL 
  Project http://www.openssl.org User Support Mailing List 
  [EMAIL PROTECTED] Automated List Manager 
[EMAIL PROTECTED]

RE: Win CE 3.0 with OpenSSL

[Steven Reddie]

There should be a windows.h in your PPC SDK include directory.  Has the
INCLUDE environment variable been set properly?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mahabhashyam Anupama
Sent: Wednesday, 26 November 2003 6:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Win CE 3.0 with OpenSSL


New problem
I followed the instructions in install.wce and ms/do_ms went well. However, 
in the next step when I tried nmake -f ms\ce.mak , it completed a whole 
bunch of activities before giving the following error message. Any 
suggestions???


clarm.exe /Fotmp32_ARM\cryptlib.obj  -Iinc32 -Itmp32_ARM /W3 /WX /Ox /O2
/Ob2 /Gs0 /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2000 -DARM -D_ARM_ 
-DUNDER
_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32 -DWIN32_LEAN_AND_MEAN 
-DL_E
NDIAN -DDSO_WIN32 -DNO_CHMOD -Ic:\openssl\wcecompat/include /Fdout32_ARM 
-DOPENS
SL_NO_KRB5  -c .\crypto\cryptlib.c
cryptlib.c
tmp32_ARM\e_os.h(233) : fatal error C1083: Cannot open include file: 
'windows.h'
: No such file or directory
NMAKE : fatal error U1077: 'clarm.exe' : return code '0x2' Stop.
-

_
Is there a gadget-lover on your gift list?  MSN Shopping has lined up some 
good bets!  http://shopping.msn.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Win CE 3.0 with OpenSSL

[Steven Reddie]

eVC is a free download from Microsoft that runs on the desktop as a
cross-compiler.  Take a look at the developer FAQ's and articles on
Microsoft's www.pocketpc.com site.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mahabhashyam Anupama
Sent: Wednesday, 26 November 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: Re: Win CE 3.0 with OpenSSL


Hi Steven

Thanks for the response.

Instructions in install.wce suggest downlaoding VC++. How can I down laod 
such a huge program on to my pocket PC with 32MB memory? May be I am missing

some thing basic...

Can I downlaod VC++, perl etc on my desktop compile and then copy the 
compiled files on to Pocket PC? Not sure how to proceed with the 
instruction.

Thanks for any guidance.

_
Groove on the latest from the hot new rock groups!  Get downloads, videos, 
and more here.  http://special.msn.com/entertainment/wiredformusic.armx

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Ordering of components of subject/issuer DN

[Steven Reddie]

So this sounds like a limitation of our software rather than an OpenSSL
by-design issue?

I've been told that when the EE certificate in question was issued that the
CA's subject DN was copied to the EE's issuer DN and "flipped" on the way; I
don't understand why.  The people responsible for the tools have now changed
the behaviour to not flip the DN but are looking for us to get our PKCS12
export function working with their special certs so that their clients can
avoid having to regenerate them.  Should OpenSSL work with such certs?

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Monday, 17 November 2003 11:42 PM
To: [EMAIL PROTECTED]
Subject: Re: Ordering of components of subject/issuer DN


On Mon, Nov 17, 2003, Steven Reddie wrote:

>  
> I have come across a certificate that chokes our software which uses 
> OpenSSL.  I haven't dug very deep yet, but was hoping that someone 
> could tell me about any ordering rules for the DN's.
>  
> openssl asn1parse on the cert produces the dump below which has the 
> order of issuer DN components in the reverse order (CN->C) of what I 
> am used to seeing (C->CN).  Is this a legal certificate?  My 
> understanding is that the order is fixed by one of the X.400/X.500 
> standards.  Apparently IE and Netscape can quite happily import and 
> export the P12 file that this cert came from.  If this encoding is 
> illegal, is it considered best practice to be able to handle it?
>  

The standards don't specify any specific ordering with single valued RDNs.
In ASN1 terms they are a SEQUENCE: the rules for encoding of a SEQUENCE are
that the order of the components is kept. The actual components withing a
multi valued RDN are a SET which is considered unordered however though use
of multi valued RDNs is rare.

If it chokes your software then perhaps it is expecting a certain order or
expecting certain components to be present?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL
project core developer and freelance consultant. Funding needed! Details on
homepage.
Homepage: http://drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Ordering of components of subject/issuer DN

[Steven Reddie]

Title: Message



Hi 
all,
 
I have come across a 
certificate that chokes our software which uses OpenSSL.  I haven't dug 
very deep yet, but was hoping that someone could tell me about any ordering 
rules for the DN's.
 
openssl asn1parse on 
the cert produces the dump below which has the order of issuer DN 
components in the reverse order (CN->C) of what I am used to seeing 
(C->CN).  Is this a legal certificate?  My understanding is that 
the order is fixed by one of the X.400/X.500 standards.  Apparently IE and 
Netscape can quite happily import and export the P12 file that this cert came 
from.  If this encoding is illegal, is it considered best practice to be 
able to handle it?
 
Regards,
 
Steven
 

   0:d=0  hl=4 l= 705 cons: 
SEQUENCE   4:d=1  hl=4 l= 554 cons:  
SEQUENCE   8:d=2  hl=2 l=   3 cons:   
cont [ 0 ]  10:d=3  hl=2 l=   1 prim:    
INTEGER   
:02  13:d=2  hl=2 l=   1 prim:   
INTEGER   
:02  16:d=2  hl=2 l=  13 cons:   SEQUENCE  
18:d=3  hl=2 l=   9 prim:    
OBJECT    
:sha1WithRSAEncryption  29:d=3  hl=2 l=   0 
prim:    NULL  31:d=2  hl=3 l= 159 
cons:   SEQUENCE  34:d=3  hl=2 l=  29 
cons:    SET  36:d=4  hl=2 l=  27 
cons: SEQUENCE  38:d=5  hl=2 
l=   3 prim:  
OBJECT    
:commonName  43:d=5  hl=2 l=  20 
prim:  PRINTABLESTRING   :SpongeBob 
SquareCert  65:d=3  hl=2 l=  37 cons:    
SET  67:d=4  hl=2 l=  35 cons: 
SEQUENCE  69:d=5  hl=2 l=   3 
prim:  
OBJECT    
:organizationalUnitName  74:d=5  hl=2 l=  28 
prim:  PRINTABLESTRING   :Sponge 
Certificate Authority 104:d=3  hl=2 l=  34 
cons:    SET 106:d=4  hl=2 l=  32 
cons: SEQUENCE 108:d=5  hl=2 
l=   3 prim:  
OBJECT    
:organizationName 113:d=5  hl=2 l=  25 
prim:  PRINTABLESTRING   :Sponge People 
Corporation 140:d=3  hl=2 l=  20 cons:    
SET 142:d=4  hl=2 l=  18 cons: 
SEQUENCE 144:d=5  hl=2 l=   3 
prim:  
OBJECT    
:localityName 149:d=5  hl=2 l=  11 
prim:  PRINTABLESTRING   
:UnderTheSea 162:d=3  hl=2 l=  16 cons:    
SET 164:d=4  hl=2 l=  14 cons: 
SEQUENCE 166:d=5  hl=2 l=   3 
prim:  
OBJECT    
:stateOrProvinceName 171:d=5  hl=2 l=   7 
prim:  PRINTABLESTRING   
:Florida 180:d=3  hl=2 l=  11 cons:    
SET 182:d=4  hl=2 l=   9 cons: 
SEQUENCE 184:d=5  hl=2 l=   3 
prim:  
OBJECT    
:countryName 189:d=5  hl=2 l=   2 
prim:  PRINTABLESTRING   
:US 193:d=2  hl=2 l=  30 cons:   
SEQUENCE 195:d=3  hl=2 l=  13 prim:    
UTCTIME   
:031031145544Z 210:d=3  hl=2 l=  13 prim:    
UTCTIME   
:041031145544Z 225:d=2  hl=2 l=  35 cons:   
SEQUENCE 227:d=3  hl=2 l=  33 cons:    
SET 229:d=4  hl=2 l=  31 cons: 
SEQUENCE 231:d=5  hl=2 l=   3 
prim:  
OBJECT    
:commonName 236:d=5  hl=2 l=  24 
prim:  PRINTABLESTRING   :john paxon is 
in control 262:d=2  hl=3 l= 159 cons:   
SEQUENCE 265:d=3  hl=2 l=  13 cons:    
SEQUENCE 267:d=4  hl=2 l=   9 
prim: 
OBJECT    
:rsaEncryption 278:d=4  hl=2 l=   0 
prim: NULL 280:d=3  hl=3 l= 141 
prim:    BIT STRING 424:d=2  hl=3 l= 135 
cons:   cont [ 3 ] 427:d=3  hl=3 l= 132 
cons:    SEQUENCE 430:d=4  hl=2 l=  66 
cons: SEQUENCE 432:d=5  hl=2 
l=   9 prim:  
OBJECT    
:Netscape Comment 443:d=5  hl=2 l=  53 
prim:  OCTET STRING 498:d=4  hl=2 
l=  31 cons: SEQUENCE 500:d=5  hl=2 
l=   3 prim:  
OBJECT    :X509v3 
Authority Key Identifier 505:d=5  hl=2 l=  24 
prim:  OCTET STRING 531:d=4  hl=2 
l=  29 cons: SEQUENCE 533:d=5  hl=2 
l=   3 prim:  
OBJECT    :X509v3 
Subject Key Identifier 538:d=5  hl=2 l=  22 
prim:  OCTET STRING 562:d=1  hl=2 
l=  13 cons:  SEQUENCE 564:d=2  hl=2 l=   9 
prim:   
OBJECT    
:sha1WithRSAEncryption 575:d=2  hl=2 l=   0 
prim:   NULL 577:d=1  hl=3 l= 129 prim:  BIT 
STRING
 

RE: Problem with time.h in wcecompat

[Steven Reddie]

I presume that you're trying the Pocket PC 2003 SDK.  I haven't upgraded to
that myself but I've just checked the header files and Microsoft do now
include a time.h that includes a struct tm.  Wcecompat will need work which
I don't currently have time for.  If you wish to contribute patches I can
incorporate them.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kambourakis Georgios
Sent: Friday, 3 October 2003 10:02 PM
To: '[EMAIL PROTECTED]'
Subject: Problem with time.h in wcecompat


Hi,

Compiling an Openssl client for Win CE compiler displays an error like
"ash1.h cannot include file time.h". I suppose that i have to use time.h
included in wcecompat (include folder). But if you do that next compiler
error message is "time.h error C2011 tm struct type redefinition".

Any advices - options ??

Many thanks in advance 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Creating Certificates for Pocket PC

[Steven Reddie]

Title: Message



You 
are trying to run the openssl.exe built for the Pocket PC.  It wont run on 
the desktop.  You would probably be better off using a desktop build of 
openssl, creating the certificates with that, and transferring them to the 
PPC.  If you really want to use the PPC version, get the desktop tool 
cerun.exe from my website (part of cetools.zip) and use it to invoke the 
openssl.exe that you have on your PPC.
 
I 
don't understand your last question.  You need to set the WCECOMPAT 
environment variable to c:\wcecompat so that openssl can find 
time.h.
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Kambourakis GeorgiosSent: Thursday, 2 October 2003 
  4:24 AMTo: [EMAIL PROTECTED]Subject: Creating 
  Certificates for Pocket PC
  Hi,
   
  I have succesfully installed openssl 0.9.7b for 
  Windows CE,
  and i need to create certificates 
  for my openssl client that runs on a pocket pc 2002.
   
  When i run openssl from command prompt 
  (in Win 2000) writes: "The image file openssl.exe is valid, but is for a 
  machine type other than the current machine". 
   
  Any 
  advices ??
   
  Another problem is with asn1.h file wich 
  include . Is it safe to set the path to 
  c:\wcecompat\include ???
   
  Many thanks in 
advance

RE: Building problems with Embedded VC++

[Steven Reddie]

Title: Message



Hi, 
the pthread.h and unistd.h headers included by your project aren't available 
under Windows CE.  The unresolved symbols would appear to indicate that you 
haven't included the built OpenSSL libraries when linking your 
application.  The WinMainCRTStartup unresolved symbol means that you 
haven't defined an entry point (WinMain) in your application (Note that Windows 
CE doesn't use main as an entry point, although you can always write a WinMain 
that calls main).
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Kambourakis GeorgiosSent: Monday, 29 September 2003 
  11:50 PMTo: [EMAIL PROTECTED]Subject: Building 
  problems with Embedded VC++
  Hi,
  Thanks Steven.
   
  I have installed succesfully OpensSSL 0.7.7b for 
  Win CE and 
  i am trying to build a client app. 
  for pocket PC 2002 (embedded VC++ 3.0) 
  and i get the following errors: 
  
   
  C:\mob\Mob_project\mob_client\common.h(13): Could 
  not find the file pthread.h.
  C:\mob\openssl-0.9.7b\inc32\openssl\kssl.h(72): Could not find the file 
  krb5.h.
  C:\mob\Mob_project\mob_client\reentrant.h(5): Could not find the file 
  unistd.h.
  Linking...client3.obj : error 
  LNK2019: unresolved external symbol SSL_CTX_set_cipher_list referenced in 
  function setup_client_ctxclient3.obj : error LNK2019: unresolved external 
  symbol SSL_CTX_ctrl referenced in function setup_client_ctxclient3.obj : 
  error LNK2019: unresolved external symbol SSL_CTX_set_verify referenced in 
  function setup_client_ctxclient3.obj : error LNK2019: unresolved external 
  symbol SSL_CTX_use_PrivateKey_file referenced in function 
  setup_client_ctxclient3.obj : error LNK2019: unresolved external symbol 
  SSL_CTX_set_default_passwd_cb_userdata referenced in function 
  setup_client_ctxclient3.obj : error LNK2019: unresolved external symbol 
  SSL_CTX_use_certificate_chain_file referenced in function 
  setup_client_ctxclient3.obj : error LNK2019: unresolved external symbol 
  SSL_CTX_load_verify_locations referenced in function 
  setup_client_ctxclient3.obj : error LNK2019: unresolved external symbol 
  SSL_CTX_new referenced in function setup_client_ctxclient3.obj : error 
  LNK2019: unresolved external symbol SSLv23_method referenced in function 
  setup_client_ctxclient3.obj : error LNK2019: unresolved external symbol 
  SSL_write referenced in function do_client_loopclient3.obj : error 
  LNK2019: unresolved external symbol SSL_CTX_free referenced in function 
  mainclient3.obj : error LNK2019: unresolved external symbol SSL_free 
  referenced in function mainclient3.obj : error LNK2019: unresolved 
  external symbol SSL_clear referenced in function mainclient3.obj : error 
  LNK2019: unresolved external symbol SSL_shutdown referenced in function 
  mainclient3.obj : error LNK2019: unresolved external symbol 
  X509_verify_cert_error_string referenced in function maincommon.obj : 
  error LNK2019: unresolved external symbol X509_verify_cert_error_string 
  referenced in function post_connection_checkclient3.obj : error LNK2019: 
  unresolved external symbol SSL_connect referenced in function 
  mainclient3.obj : error LNK2019: unresolved external symbol SSL_set_bio 
  referenced in function mainclient3.obj : error LNK2019: unresolved 
  external symbol SSL_new referenced in function mainclient3.obj : error 
  LNK2019: unresolved external symbol BIO_ctrl referenced in function 
  mainclient3.obj : error LNK2019: unresolved external symbol 
  BIO_new_connect referenced in function maincommon.obj : error LNK2019: 
  unresolved external symbol ERR_print_errors_fp referenced in function 
  handle_errorcommon.obj : error LNK2019: unresolved external symbol 
  SSL_library_init referenced in function init_OpenSSLcommon.obj : error 
  LNK2019: unresolved external symbol THREAD_setup referenced in function 
  init_OpenSSLcommon.obj : error LNK2019: unresolved external symbol 
  X509_get_subject_name referenced in function verify_callbackcommon.obj : 
  error LNK2019: unresolved external symbol X509_NAME_oneline referenced in 
  function verify_callbackcommon.obj : error LNK2019: unresolved external 
  symbol X509_get_issuer_name referenced in function 
  verify_callbackcommon.obj : error LNK2019: unresolved external symbol 
  X509_STORE_CTX_get_error referenced in function verify_callbackcommon.obj 
  : error LNK2019: unresolved external symbol X509_STORE_CTX_get_error_depth 
  referenced in function verify_callbackcommon.obj : error LNK2019: 
  unresolved external symbol X509_STORE_CTX_get_current_cert referenced in 
  function verify_callbackcommon.obj : error LNK2019: unresolved external 
  symbol SSL_get_verify_result referenced in function 
  post_connection_checkcommon.obj : error LNK2019: unresolved external 
  symbol X509_free referenced in function post_connection_checkcommon.obj : 
  error LNK2019: unresolved external symbol stricmp referenced in function 
  post_con

RE: pocket pc 2002 client

[Steven Reddie]

Title: Message



The 
code for using OpenSSL on the Pocket PC should be the same as the code for using 
it on other platforms.  Try the openssl apps directory for examples of how 
to use various OpenSSL features.
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Kambourakis GeorgiosSent: Sunday, 28 September 2003 
  6:26 PMTo: [EMAIL PROTECTED]Subject: pocket pc 
  2002 client
  hi,
   
  how can i get a basic openssl client 
  source code for pocket pc 2002 (openssl 0.9.7b) ?
   
  Thanks in advance
   

RE: Ipaq h3800

[Steven Reddie]

Are you clicking on it on the iPAQ?  If so, it wont work since it is a
console based program and CE doesn't support consoles.  I was sure I
included details in INSTALL.WCE about how to run it via your desktop, but I
don't seem them there so I must be mistaken.  If you grab the ceutils from
my website (www.essemer.com.au) you can use cerun.exe (run it on the
desktop) to execute the openssl.exe and have stdin/stdout/stderr redirected
to/from the iPAQ.  It's kind of like an rsh hack and relies on the
functionality in wcecompat.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, 25 September 2003 2:54 AM
To: [EMAIL PROTECTED]
Subject: Ipaq h3800


I've built the openssl.exe file for windows ce, but when I transfered it to
a Compaq Ipaq h3800 it didn't run. The operating system of the handheld
device is PocketPc 2002 and the cpu is ARM. 
Does anyone have an idea of what was wrong or has experienced similar
problems?

Thanks
Fabio




__
Partecipa al concorso Tiscali "collegati e vinci",
il primo premio e' un viaggio per 2 persone a Zanzibar!
http://point.tiscali.it/numerounico/




__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: OpenSSL Thread-safe Issue ?

[Steven Reddie]

Have you used the following functions to register OpenSSL thread-safety
callbacks:

CRYPTO_set_locking_callback(locking_function);
CRYPTO_set_id_callback(id_function);

You need to supply your own locking_function() and id_function(), samples of
which can be found in OpenSSL's mt/mttest.c, crypto/threads/mttest.c and
crypto/threads/th-lock.c.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Wang
Sent: Thursday, 25 September 2003 8:31 AM
To: [EMAIL PROTECTED]
Subject: OpenSSL Thread-safe Issue ?


Hi,

I have a server program using OpenSSL. It works well
most of the time. However, when multiple clients
connect to the server simultaneously, the server
sometimes crashes with an access violation in the
following code:

/* locked by SSL_CTX in the calling function */
static void SSL_SESSION_list_remove(SSL_CTX *ctx,
SSL_SESSION *s)
{
if ((s->next == NULL) || (s->prev == NULL)) return;

if (s->next == (SSL_SESSION
*)&(ctx->session_cache_tail))
{ /* last element in list */
if (s->prev == (SSL_SESSION
*)&(ctx->session_cache_head))
{ /* only one element in list */
ctx->session_cache_head=NULL;
ctx->session_cache_tail=NULL;
}
else
{
ctx->session_cache_tail=s->prev;
s->prev->next=(SSL_SESSION
*)&(ctx->session_cache_tail);
}
}
else
{
if (s->prev == (SSL_SESSION
*)&(ctx->session_cache_head))
{ /* first element in list */
ctx->session_cache_head=s->next;
s->next->prev=(SSL_SESSION
*)&(ctx->session_cache_head);
}
else
{ /* middle of list */
at this line>   s->next->prev=s->prev;
s->prev->next=s->next;
}
}
s->prev=s->next=NULL;
}


I built the OpenSSL libraries as multi-threaded, and
in the server, I have a global SSL context, and
service each OpenSSL request by a separate thread. I
am wondering if I need to lock any global data in
order to handle many concurrent requests. The crash
appears to be thread-safty related.

Thank you, and your help is greatly appreciated !

Jim

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: ARM and Xscale processor

[Steven Reddie]

Title: Message



Yes, 
the XScale is an ARM v5.
 
Regards,
 
Steven

  
  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
  Behalf Of Kambourakis GeorgiosSent: Wednesday, 24 September 
  2003 6:15 PMTo: [EMAIL PROTECTED]Subject: ARM 
  and Xscale processor
  Hi,
   
  I am trying to install 
  openssl 0.9.7b for windows ce platform.
  I have an ipaq 3970 which has an xscale 
  processor. Is it correct to execute the WCEARM.BAT to setup the eMbedded 
  C++ env before installation ??
   
  Thanks in 
advance 

RE: more spam

[Steven Reddie]

Yeah, I get the same.  I've added this user to my spam list.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Aleix Conchillo
Flaque
Sent: Thursday, 17 July 2003 6:06 PM
To: [EMAIL PROTECTED]
Subject: more spam



hi,

i have sent a message to the list, and some anti spam software that this
user ([EMAIL PROTECTED]) has installed has sent to me an email asking
me to accept it if i really wanted to send the message to him.

what is this? i do not want more spam. it is really annoying.

anti-spam filters are good if people keeps them for themselves. i
don't want to receive more email that i have not asked for.

can anyone solve this? may be i'm to drastic, but i start hating all of
these.

regards,

aleix

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: ASN.1 Question...

[Steven Reddie]

Title: RE: ASN.1 Question...



I 
can't think of anything myself, but it should only take a programmer a few 
minutes to write one.

  -Original Message-From: Daniel Gómez 
  [mailto:[EMAIL PROTECTED]On Behalf Of Daniel 
  GómezSent: Thursday, 10 July 2003 12:24 PMTo: 
  [EMAIL PROTECTED]Subject: RE: ASN.1 
  Question...
  
  What command tool i can 
  use to convert this data to binary data ?
  
  
  From: [EMAIL PROTECTED] on 
  behalf of Steven ReddieSent: Wed 7/9/2003 10:40 PMTo: 
  [EMAIL PROTECTED]Subject: RE: ASN.1 
  Question...
  
  That command will work if the data is stored as binary in the 
  file.  Is thedata below the way it is stored in the file, as the 
  characters "308201"...?If so, you will need to convert this to binary 
  yourself and then use thecommand 
  below.Regards,Steven-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Daniel GómezSent: Thursday, 10 July 2003 11:29 AMTo: 
  [EMAIL PROTECTED]Subject: ASN.1 Question...Importance: 
  HighHello, my name is Daniel Gomez, i am a solution 
  developer.I need your help to resolve a problem with a ASN.1 
  convertion command.My ASN.1 data is 
  this:{ASN}308201FB30820164020101300D06092A864886F70D01010505003021310B300906035504061302415231123010060355040A13094749524520532E412E170D303330373035323131365A170D3033303730383030303832385A3081943023020438A9BD93170D3033303633303230303831375A300C300A0603551D1504030A01003023020438A9BE28170D3033303730373135333835385A300C300A0603551D1504030A01003023020438A9BE22170D3033303730373135343035365A300C300A0603551D1504030A01003023020438A9BE30170D3033303730373135343230325A300C300A0603551D1504030A0100A078307630470603551D1C0101FF043D303BA036A034A4323030310B300906035504061302415231123010060355040A13094749524520532E412E310D300B0603550403130443524C368101FF300A0603551D140403020114301F0603551D23041830168014B48EF2BAC520A5C974909B4FC3C9EA9579A07C12300D06092A864886F70D010105050003818100710B4AD901D53E59EE42A6FD45F6EC5A1C7966CB92535C3D0A18C4B33E1A9A7295CEFD12686D705A9E9E29ABDA0769A4F1A1505E53D8D3C0F7C4F77A882072C3BB499B1AB9A49905EE37EEFC2E3638C3F4C5A2937E4165BF8E0C6478CCFA567F0FBAFA93280D79022E116C4DE9EC9B406FC4B1E1D58E4670D71051A28A6F5DCCAnd 
  i need convert this to a TXT.This data is a CRL Revocation 
  List.I try to execute this command:openssl crl -inform DER 
  -text -in asn.crlBut doesn't work.Can you help me ? I need the 
  exact command!Thank 
  you.__OpenSSL 
  Project 
  http://www.openssl.orgUser Support 
  Mailing 
  List    
  [EMAIL PROTECTED]Automated List 
  Manager   
  [EMAIL PROTECTED]__OpenSSL 
  Project 
  http://www.openssl.orgUser Support 
  Mailing 
  List    
  [EMAIL PROTECTED]Automated List 
  Manager   
  [EMAIL PROTECTED]
<>

RE: ASN.1 Question...

[Steven Reddie]

That command will work if the data is stored as binary in the file.  Is the
data below the way it is stored in the file, as the characters "308201"...?
If so, you will need to convert this to binary yourself and then use the
command below.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Daniel Gómez
Sent: Thursday, 10 July 2003 11:29 AM
To: [EMAIL PROTECTED]
Subject: ASN.1 Question...
Importance: High


Hello, my name is Daniel Gomez, i am a solution developer.

I need your help to resolve a problem with a ASN.1 convertion command.

My ASN.1 data is this:

{ASN}308201FB30820164020101300D06092A864886F70D01010505003021310B30090603550
4061302415231123010060355040A13094749524520532E412E170D30333037303532313
1365A170D3033303730383030303832385A3081943023020438A9BD93170D303330363330323
0303831375A300C300A0603551D1504030A01003023020438A9BE28170D30333037303731353
33835385A300C300A0603551D1504030A01003023020438A9BE22170D3033303730373135343
035365A300C300A0603551D1504030A01003023020438A9BE30170D303330373037313534323
0325A300C300A0603551D1504030A0100A078307630470603551D1C0101FF043D303BA036A03
4A4323030310B300906035504061302415231123010060355040A13094749524520532E412E3
10D300B0603550403130443524C368101FF300A0603551D140403020114301F0603551D23041
830168014B48EF2BAC520A5C974909B4FC3C9EA9579A07C12300D06092A864886F70D0101050
50003818100710B4AD901D53E59EE42A6FD45F6EC5A1C7966CB92535C3D0A18C4B33E1A9A729
5CEFD12686D705A9E9E29ABDA0769A4F1A1505E53D8D3C0F7C4F77A882072C3BB499B1AB9A49
905EE37EEFC2E3638C3F4C5A2937E4165BF8E0C6478CCFA567F0FBAFA93280D79022E116C4DE
9EC9B406FC4B1E1D58E4670D71051A28A6F5DCC

And i need convert this to a TXT.

This data is a CRL Revocation List.

I try to execute this command:

openssl crl -inform DER -text -in asn.crl

But doesn't work.

Can you help me ? I need the exact command!

Thank you.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: RSA_private_decrypt take too long time:(

[Steven Reddie]

RSA does take a lot of time compared to, say, DES, but they're used for
completely different things.  To understand the difference you should read a
book such as Applied Cryptography by Bruce Schneier, or a better place to
start might be the RSA Crypto FAQ at
http://www.rsasecurity.com/rsalabs/faq/index.html.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of linux guy
Sent: Tuesday, 1 July 2003 9:29 PM
To: [EMAIL PROTECTED]
Subject: Re: RSA_private_decrypt take too long time:(


I am just a greenhand of openssl
I read some artcile which says that RSA_private_decrypt takes a great of the
CPU usage?
should I change to another encrypt/decrypt method?

BTW:I use the default method SSLv23.

- Original Message -
From: "linux guy" <[EMAIL PROTECTED]>
Date: Tue, 01 Jul 2003 19:12:57 +0800
To: [EMAIL PROTECTED]
Subject: RSA_private_decrypt take too long time:(

> hi,I am providing one https server on our vxworks(ppc603) board,
> I find function RSA_private_decrypt(in  ssl3_get_client_key_exchange of
s3_srvr.c)
> takes too long time,I don't know if the memory of our board is not enought
or
> some reason else:(
>
>
>
> --
> __
> http://www.linuxmail.org/
> Now with e-mail forwarding for only US$5.95/yr
>
> Powered by Outblaze
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

--
__
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: RSA_private_decrypt take too long time:(

[Steven Reddie]

I don't think anyone on this list is going to be able to tell you if you
have enough memory.  Unless you can provide more information such as how
long it is taking you are not likely to get any help.  That function can
take considerable time to complete and of course it will depend on the speed
of the CPU.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of linux guy
Sent: Tuesday, 1 July 2003 9:13 PM
To: [EMAIL PROTECTED]
Subject: RSA_private_decrypt take too long time:(


hi,I am providing one https server on our vxworks(ppc603) board,
I find function RSA_private_decrypt(in  ssl3_get_client_key_exchange of
s3_srvr.c)
takes too long time,I don't know if the memory of our board is not enought
or
some reason else:(



--
__
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: openssl for windows ce "tchar" problem

[Steven Reddie]

In anticipation of your response...  char is the type that has been used to
represent a character in C for a very long time now, in fact I've read that
it dates back to the same time as C's "if" keyword.  TCHAR is a newish type
defined by Microsoft that is equivalent to a char when doing a non-Unicode
build and equivalent to a wide char (WCHAR) when doing a Unicode build.
OpenSSL is platform-independant and therefore does not use such
Microsoft-specific types in it's interface.  If you wish to use OpenSSL on a
Unicode system such as Windows CE you may at times need to convert between
ASCII char's and Unicode WCHAR's.  This is not a problem specific to
OpenSSL, nor To Windows CE; it is a requirement of mixing ASCII and Unicode
in a single program.  The Win32 functions WideCharToMultiByte and
MultiByteToWideChar will help you with the conversions.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steven Reddie
Sent: Friday, 20 June 2003 12:22 AM
To: [EMAIL PROTECTED]
Subject: RE: openssl for windows ce "tchar" problem


Can you give me an example of an OpenSSL function that uses a char type
where you expect to be able to use a TCHAR type?

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Antonio d'Errico
Sent: Thursday, 19 June 2003 7:48 PM
To: [EMAIL PROTECTED]
Subject: openssl for windows ce "tchar" problem


Hi,

i'm building a windows ce project for pocket pc 2002 with the openssl 0.9.7b
e wcecompat support.
I have some problems using TCHAR type in functions defined in openssl
include files (.h) and libraries, but i must use TCHAR type for the correct
visualization about the device!
Why openssl libraries for windows ce using char type and not TCHAR type?
it's normal? How I do?
Thanks for any suggestions

_
MSN Foto: condividi, ritocca e stampa le tue foto online
http://photos.msn.it

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: openssl for windows ce "tchar" problem

[Steven Reddie]

Can you give me an example of an OpenSSL function that uses a char type
where you expect to be able to use a TCHAR type?

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Antonio d'Errico
Sent: Thursday, 19 June 2003 7:48 PM
To: [EMAIL PROTECTED]
Subject: openssl for windows ce "tchar" problem


Hi,

i'm building a windows ce project for pocket pc 2002 with the openssl 0.9.7b
e wcecompat support.
I have some problems using TCHAR type in functions defined in openssl
include files (.h) and libraries, but i must use TCHAR type for the correct
visualization about the device!
Why openssl libraries for windows ce using char type and not TCHAR type?
it's normal? How I do?
Thanks for any suggestions

_
MSN Foto: condividi, ritocca e stampa le tue foto online
http://photos.msn.it

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: something maybe out of topic

[Steven Reddie]

For 
ASN.1, start with "A Layman's Guide to a Subset of ASN.1, BER, and DER".  
You will find a copy at http://security.polito.it/asn1/layman.pdf.  
A search on google for "distinguished name" should return you some useful 
information.

  -Original Message-From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On 
  Behalf Of Rafael LaraSent: Wednesday, 18 June 2003 7:35 
  AMTo: [EMAIL PROTECTED]Subject: something maybe 
  out of topic
  Estimate users:
   
     Good afternoon for all!. I try to 
  study all the features in OpenSSL, but i unknow about ASN.1, OID's, 
  Distinguished Name's etc.
   
     Where i can find information about 
  this?. I read the manuals page about OpenSSL, but need more 
  information.
   
   
  Thanks in advance
   
   
   
  Rafael Lara

RE: SSL protocol packet format

[Steven Reddie]

The information that you're after is in the spec, it just takes a little
deconstruction to determine that byte sequences.  I've successfully used it
to hand disassemble the SSL headers from a packet dump but I agree that it's
not as easy as it would be with a structure diagram.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dustin C. Locke
Sent: Wednesday, 11 June 2003 11:39 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL protocol packet format


Thanks for the reply. I've read Netscape's SSL 3.0 draft twice...most of
the information is simply data type specification in Baukus Naur Form
with no reference to the construction of the packet itself. For
instance, it outlines several higher-level data types within the
protocol (SSLPlaintext, SSLCompressed, SSLCiphertext) and their
component types (type, version, length, fragment, etc.), but with no
useful information as to where such data is located in the packet. I
need to be able to map a struct{} data type over the packet headers, so
some sort of detailed specification (e.g., "bits 0 - 7 are flag bits
with the following possible values, bits 9-23 are ...") is necessary.

Obviously, I could map them myself using a packet sniffer and
trial-and-error packet generation, but this is somewhat tedious.
Alternatively, I could look at the source for OpenSSL or SSLDump I
suppose, but this is not desirable either. It seems to me that since
somebody somewhere has developed software that interacts directly with
the layer 3 protocol datagrams themselves, this information should be
available.

Thanks,
DCL

On Tue, 2003-06-10 at 17:25, Steven Reddie wrote:
> The fourth result returned by google.com for "SSL" is the "SSL 3.0
> Specification".  Is that not what you're after?  I haven't seen a diagram
of
> packet content but this specification should contain the information that
> you're after in a textual form.
>
> Regards,
>
> Steven
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dustin C. Locke
> Sent: Wednesday, 11 June 2003 11:09 AM
> To: [EMAIL PROTECTED]
> Subject: SSL protocol packet format
>
>
> Does anybody know where I can find a specific diagram/chart showing the
> number of bits, data content, and data type of all of the individual
> fields (header and body both) of an ssl packet? They're readily
> available for many other protocols (IP, TCP, NTP, etc.), but I am unable
> to find one for SSL. I need to do some packet analysis directly from a
> tcpdump, creating a struct{} from the packet header and payload, which
> is difficult to do with the info in the Internet-Draft for SSL 3.0.
>
> Thanks,
> DCL
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Multithreaded; how to abort during read?

[Steven Reddie]

The only way I know of to solve this problem is to use non-blocking sockets,
create a second socket pair to deliver the terminate message, and select()
on the SSL socket and the terminate socket.  When thread#2 wants to
terminate thread#1 it sends a message down the terminate socket which causes
the select to wakeup.  At this point you can check if the readable event was
on the terminate socket and if so abort the connection.  If none of this
makes any sense you might want to search the web for information on
non-blocking sockets and select() and then search the OpenSSL mailing lists
for related info.  Note, on Unix you'd probably use a pipe() instead of a
socket pair for the terminate socket, but you can't do that on Win32 because
Win32 can't select() on pipes.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jem
Sent: Wednesday, 19 February 2003 10:55 AM
To: [EMAIL PROTECTED]
Subject: Multithreaded; how to abort during read?


In my test program (on win32, using OpenSSL 0.9.7 DLLs) I have two threads
running:

Thread #1 is busy doing a SSL_read()
Thread #2 wants to abort the SSL connection

When I make Thread #2 do "SSL_shutdown", the program crashes. Is there a
'gentle' way to do this, perhaps by having Thread #2 set a flag in the SSL
stucture that tells SSL_read, SSL_write to abort whatever they're doing?
Then
Thread #1 can do the actual SSL_shutdown when the time is right?

Any suggestions greatly appreciated.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: SOLVED: Using pcAnyhwere with public-key encryption and self-signed certificates

[Steven Reddie]

I haven't been following this thread.  While there may be people on this
list who highly value the documents that you've posted please remember that
there are probably thousands of people on this list, and many of them don't
know anything of, or care about, pcAnywhere.  Posting only the link would
have considerably reduced the used bandwith (1.2MB x thousands of people =
GBs), especially if you were only wanting to send it to Victor.  I feel
sorry for those people fetching this list over a dial-up modem.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Neil Aggarwal
Sent: Saturday, 28 December 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: RE: SOLVED: Using pcAnyhwere with public-key encryption and
self-signed certificates


Victor:

I am attaching my notes on how to set-up pcAnywhere
with public key encryption using self-generated certificates.

If you would like any help setting up your network, please let me know.

I have also posted these documents to the reading room of my
company web site at this url:
http://www.jammconsulting.com/jamm/readingRoom/index.jsp
The reading room has more interesting documents for you to read.

Also, we are putting together a newsletter that will give you
information on the latest technology-related developments.
We call it Your On-Line "JAMM Session".  If you are interested,
please let me know and I will add you to the list.

Thanks,
Neil.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Openssl-0.9.7-beta6/wcecompat on Pocket PC 2002 -- problem with time.h

[Steven Reddie]

Thanks Atul, I'll incorporate this into the next wcecompat release.

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Atul Prakash
Sent: Monday, 23 December 2002 6:41 AM
To: [EMAIL PROTECTED]
Subject: Openssl-0.9.7-beta6/wcecompat on Pocket PC 2002 -- problem with
time.h


The  "struct tm" structure is  defined in wcecompat/include/time.h as 
well as in "Windows CE Tools\wce300\Pocket Pc 
2002\mfc\include\wcealt.h". That gives problems in compiling some 
openssl programs that use MFC includes as well as wcecompat includes. 
Perhaps, the wcecompat's time.h should be the following, so that the 
struct tm is not declared twice.


#ifndef _TM_DEFINED
#define _TM_DEFINED
struct tm {
int tm_sec; /* seconds after the minute - [0,59] */
int tm_min; /* minutes after the hour - [0,59] */
int tm_hour;/* hours since midnight - [0,23] */
int tm_mday;/* day of the month - [1,31] */
int tm_mon; /* months since January - [0,11] */
int tm_year;/* years since 1900 */
int tm_wday;/* days since Sunday - [0,6] */
int tm_yday;/* days since January 1 - [0,365] */
int tm_isdst;   /* daylight savings time flag */
};
#endif // _TM_DEFINED

Note that wcealt.h uses _TM_DEFINED to avoid redeclaration.

-- Atul
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: W2K Installation

[Steven Reddie]

The problem is that you've run nmake from the VC++ bin directory.  Change to
the c:\openssl-0.9.6g\directory and execute "nmake -f ms\ntdll.mak" from
there.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 7 December 2002 8:41 AM
To: [EMAIL PROTECTED]
Subject: W2K Installation




Hello everybody.
I'm in trouble.
I'm trying to install the openssl0.9.6g in a W2K machine.

Following the INSTALL.W32 file, I stoped in:
nmake -f ms\ntdll.mak

the console return follows:
C:\Arquivos de programas\Microsoft Visual Studio\VC98\Bin>nmake -f c:
\openssl-0.
9.6g\ms\ntdll.mak

Microsoft (R) Program Maintenance Utility   Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

Building OpenSSL
NMAKE : fatal error U1073: don't know how to make '.\crypto\cryptlib.h'
Stop.

Any help will be appreciated.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: SSL in windows CE

[Steven Reddie]

It was added in 0.9.7 beta 4.  beta 5 will be out shortly and fixes a few
build issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bala Kanagasabai
Sent: Tuesday, 3 December 2002 5:46 PM
To: [EMAIL PROTECTED]
Subject: SSL in windows CE


Can anyone tell me if SSL works for windows CE ?

Thanks in advance.

Regards

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: How to make in Visual C++ 6.0

[Steven Reddie]

That's odd.  stdio_extras.h is only included if OPENSSL_SYS_WINCE is defined
which is only defined if OPENSSL_SYSNAME_WINCE is defined which should only
be defined if you ran "perl Configure VC-CE".  Do you have any idea how
stdio_extras.h is being included when it's wrapped with an "#ifdef
OPENSSL_SYS_WINCE"?  Is there any reference to WCE in your ms\ntdll.mak?

The INCLUDE variable is set by vcvars32.bat.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Desmond Ling
Sent: Tuesday, 3 December 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: How to make in Visual C++ 6.0


Hi
no i'm not using winCE.
i'm using win 2000. and visual studio.net
here's what i did

i installed perl and set the path for it to be exe etc..and ran the
following commands

perl Configure VC-WIN32
ms\do_ms
nmake -f ms\ntdll.mak

but doing that the compiler couldn't find stdio.h. So someone
suggested i exe vcvars.bat. i tried that and it seems to work
until it complaint that it can't find stdio_extras.h. If this
file is for winCE then i must have done smething wrong.

i realise you asked me if i have an include evironment variable
set with a path that includes the directory where the stdio.h lives.
how do u do that?

Desmond

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: How to make in Visual C++ 6.0

[Steven Reddie]

That file is only used for the Windows CE build.  Are you building for
Windows CE?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Desmond Ling
Sent: Tuesday, 3 December 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: How to make in Visual C++ 6.0


hi,
seems like its working till it couldn't
find another file.
"stdio_extras.h"
i did a search and found that this file was
included in the crypto.h file.
what is "stdio_extras.h"??? i've never heard
of it before. i did a search for this file
and found nothing.

i am using visual studio .Net

Desmond




>From: "Sisyphus" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: <[EMAIL PROTECTED]>
>Subject: Re: How to make in Visual C++ 6.0
>Date: Tue, 3 Dec 2002 09:59:41 +1100
>
>
>- Original Message -
>From: "Desmond Ling" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, December 03, 2002 9:18 AM
>Subject: Re: How to make in Visual C++ 6.0
>
>
> > hi
> > i tried to build the program in
> > visual studio c++.net
> > i got stuck at the step "nmake -f ntdll.mak"
> > i've already changed the SRC_D value in the
> > ntdll.mak file to the openssl directory
> > some how, when it tried to compile the
> > cryptlib.c file, it couldn't find stdio.h
> > does any1 know how to solve this?
> >
>
>Sounds like you have neglected to run 'vcvars32.bat'. Running that file
>from
>the command prompt will set some environment variables that will enable the
>msvc header files and lib files to be found. You might have to do some
>minimal configuring of  'vcvars32.bat' first. Have a look inside it and
>check that the specified paths are correct.
>
>At least, that's the way it is for msvc++6.0 - visual studio.net might be a
>little different (don't have it, hence don't know) - and I'm a little
>unclear as to which it is that you are using.
>
>Hth.
>
>Cheers,
>Rob
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]


_
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?page=features/featuredemail

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Visual Studio

[Steven Reddie]

Do you have an INCLUDE environment variable set with a path that includes
the directory where your stdio.h lives?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Desmond Ling
Sent: Tuesday, 3 December 2002 9:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Visual Studio


HI
i tried that, i used the nmake command
on the ntdll.mak. i changed the SRC_D value
to the openssl directory. still when it
tried to compile the cryptlib.c file, it
couldn't find stdio.h.
sorry i'm a complete idiot when it comes
to command compiling...

Desmond




>From: mikecross <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Re: Visual Studio
>Date: Sun, 1 Dec 2002 23:28:25 -0800 (PST)
>
>it's in the same manner as VC 6.0.
>Compile openSSL /2 dlls - libeay32.dll ssleay32.dll/
>add openSSL includes and lib files into VC dirs.
>if you want there is openSSL .dsw and .dsp files for
>VC6 which easily can be converted to VC7 project
>files.
>http://www.iconsinc.com/~agray/ossldev/
>
>
>--- Desmond Ling <[EMAIL PROTECTED]> wrote:
> > Hi,
> > Does anybody know how to use the source code
> > in Visual Studio.Net? Specifically Visual C++.Net.
> > I was thinking of compiling the code into a dll
> > for use in my program. HOw should I go about doing
> > that?
> > Couldn't find any info for Visual STudio.Net. Thanx
> >
> > Desmond
> >
> >
> >
> >
>_
> > Add photos to your e-mail with MSN 8. Get 2 months
> > FREE*.
> > http://join.msn.com/?page=features/featuredemail
> >
> >
>__
> > OpenSSL Project
> > http://www.openssl.org
> > User Support Mailing List
> > [EMAIL PROTECTED]
> > Automated List Manager
>[EMAIL PROTECTED]
>
>
>__
>Do you Yahoo!?
>Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
>http://mailplus.yahoo.com
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]


_
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]