Regarding how to use symmetric key for an openssl engine
Hi, Here is a question, can you help me out? Thanks. Background: I am working to write an openssl engine to use cryptographic algorithms in a hardware device. The hardware device supports asymmetric/symmetric algorithms, for example: rsa/aes. Question: When I write the openssl engine, I shall use the ENGINE_load_private_key() function to load and use the asymmetric private key in the hardware device. How do I set and use a symmetric key in the hardware device? Is there any example for my case?
Re: nginx start and stop has issue for openssl engine
Hi,

I am using an openssl engine with nginx.
openssl: OpenSSL_1_1_1f

If the engine does not include rsa, everything works well.
If the engine registers rsa, even the empty

    IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)

    bind_fn
        ENGINE_set_destroy_function(e, destroy_fn);
        ENGINE_set_RSA(e, RSA_meth_new("rsa method", 0));

destroy_fn will NOT be called in nginx start and nginx -s quit.

Have some debug:

If has rsa, engine_free_util e->struct_ref > 0, so not call e->destroy(e).

    engine_table_select
        fnd = lh_ENGINE_PILE_retrieve(&(*table)->piles, );
        if (!fnd)
            goto end;
        if (fnd->funct && engine_unlocked_init(fnd->funct)) {

If no rsa, the engine_table_select function goes to end.
If rsa, engine_table_select calls engine_unlocked_init, ref++, two times.
So at last, e->destroy(e) will not be called in engine_free_util.

Has anyone seen this issue?

Thanks
Linking OpenSSL engine with a third party dynamic library
Hello,

I have a custom OpenSSL engine and it is working fine with pthread. I was trying to use a third-party thread library <https://github.com/stonebuddha/uthread> by linking this library with my engine. However, upon linking and running the engine, I'm getting a Segmentation fault. I just could not figure out why. I have a hunch that my linking with the newly built dynamic library is not correct. Following is what I did:

1. Compile the thread library as a dynamic library

    CC = gcc
    CFLAGS = -Wall -fPIC -g -O3 -MD
    LDFLAGS = -shared
    OBJ = uthread.o

    all: libuthread.so

    libuthread.so: $(OBJ)
    	$(LD) -shared -o $(@) $(OBJ)

    clean:
    	rm -f *.o *.d libuthread.so

    -include *.d

    %.o: %.c
    	$(CC) $(CFLAGS) -o $@ -c $<

2. Copy this library to /lib/x86_64-linux-gnu/

3. My Make file to compile my OpenSSL engine

    gcc -g -fPIC -c -fomit-frame-pointer rsa-engine.c
    gcc -g -shared -o librsa_engine.so -L./libdune rsa-engine.o rsa/rsa.o rsa/bignum.o rsa/aes.o -Wl,-Bstatic -ldune -Wl,-Bdynamic -lcrypto -luthread
    mv librsa_engine.so rsa-engine-new.so

4. After compilation, $ ldd rsa-engine-new.so shows the following,

    linux-vdso.so.1 => (0x7ffded367000)
    libcrypto.so.1.1 => /opt/openssl/lib/libcrypto.so.1.1 (0x7f895c5fa000)
    libuthread.so => /lib/x86_64-linux-gnu/libuthread.so (0x7f895c3f4000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f895c02a000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f895be26000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f895bc09000)
    /lib64/ld-linux-x86-64.so.2 (0x7f895cd56000)

I use gdb to find out what causes the segmentation fault. I find out that uthread_join() is failing at some point. Can someone please tell me what I'm doing wrong?

N.B: I checked the library with a simple program and the library works fine.

Thanks,
Shariful
Re: Is it possible to use a global lock in the OpenSSL engine on each mod_ssl call?
OpenSSL doesn't have a global lock. You could implement a single lock in the engine. Grab it immediately on entry and release just before exit.

Pauli

On 11/11/21 8:24 am, Shariful Alam wrote:
> Hello,
> I understand this is a weird question. I have an OpenSSL engine only for RSA. And I have apache installed that uses this OpenSSL engine for the HTTPS connection. I was wondering if it is possible to use a global lock with the OpenSSL on mod_ssl call? So that, only one mod_ssl thread can call the engine at a time?
>
> Thanks,
> Shariful
Is it possible to use a global lock in the OpenSSL engine on each mod_ssl call?
Hello, I understand this is a weird question. I have an OpenSSL engine only for RSA. And I have apache installed that uses this OpenSSL engine for the HTTPS connection. I was wondering if it is possible to use a global lock with the OpenSSL on mod_ssl call? So that, only one mod_ssl thread can call the engine at a time? Thanks, Shariful
Re: Calling OpenSSL functions from custom openssl engine causing segmentation fault?
Hello,

Usually you don't, and if you compile it against the same major release, no problems happen.
I'd suggest you to look at the backtrace.

On Mon, Sep 20, 2021 at 3:03 AM Shariful Alam wrote:

> Hello,
> I have installed OpenSSL 1.1.1c. I'm trying to make a custom OpenSSL engine for RSA. The following sample code is copied from the engine e_dasync.c.
>
> Following is a sample code for my RSA engine (rsa-engine.c),
> ===
> /* Engine Id and Name */
> static const char *engine_rsa_id = "rsa-engine-new";
> static const char *engine_rsa_name = "RSA engine for testing";
>
> // data encryption function
> static int eng_rsa_pub_enc(int flen, const unsigned char *from,
>                            unsigned char *to, RSA *rsa, int padding)
> {
>     printf("RSA Engine is encrypting using public key\n");
>     return RSA_meth_get_pub_enc(RSA_PKCS1_OpenSSL())
>         (flen, from, to, rsa, padding);
> }
>
> // signature verify
> static int eng_rsa_pub_dec(int flen, const unsigned char *from,
>                            unsigned char *to, RSA *rsa, int padding)
> {
>     printf("Signature verification\n");
>     return 0;
> }
>
> // signature
> static int eng_rsa_priv_enc(int flen, const unsigned char *from,
>                             unsigned char *to, RSA *rsa, int padding)
> {
>     printf("Signature method:\n");
>     return 0;
> }
>
> // data decryption
> static int eng_rsa_priv_dec(int flen, const unsigned char *from,
>                             unsigned char *to, RSA *rsa, int padding)
> {
>     printf("decryption method:\n");
>     return 0;
> }
>
> static RSA_METHOD *test_rsa_method = NULL;
>
> static int bind_dasync(ENGINE *e)
> {
>     /* Setup RSA_METHOD */
>     if ((test_rsa_method = RSA_meth_new("Test RSA Engine", 0)) == NULL
>         || RSA_meth_set_pub_enc(test_rsa_method, eng_rsa_pub_enc) == 0
>         || RSA_meth_set_pub_dec(test_rsa_method, eng_rsa_pub_dec) == 0
>         || RSA_meth_set_priv_enc(test_rsa_method, eng_rsa_priv_enc) == 0
>         || RSA_meth_set_priv_dec(test_rsa_method, eng_rsa_priv_dec) == 0) {
>         return 0;
>     }
>
>     /* Ensure the dasync error handling is set up */
>     if (!ENGINE_set_id(e, engine_rsa_id)
>         || !ENGINE_set_name(e, engine_rsa_name)
>         || !ENGINE_set_RSA(e, test_rsa_method)) {
>         return 0;
>     }
>     return 1;
> }
>
> static int bind_helper(ENGINE *e, const char *id)
> {
>     if (!bind_dasync(e)) {
>         printf("2_Error: Inside Bind helper\n");
>         return 0;
>     }
>     return 1;
> }
>
> IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
> IMPLEMENT_DYNAMIC_CHECK_FN()
> ===
>
> My Makefile looks like the following,
> ===
> rsa-engine:
> 	gcc -g -fPIC -c rsa-engine.c
> 	gcc -g -shared -o librsa_engine.so -L./libdune rsa-engine.o -Bdynamic -lcrypto -lpthread
> 	mv librsa_engine.so rsa-engine-new.so
> 	sudo cp rsa-engine-new.so /opt/openssl/lib/engines-1.1/
>
> clean:
> 	rm -f *.o *.d *.so rsa-engine
> ===
>
> My code compiles. When I try to do encryption using the following command,
> =
> openssl rsautl -encrypt -inkey public.pem -pubin -in msg.txt -out msg.enc -engine rsa-engine-new
> =
>
> I get a segmentation fault,
>
> engine "rsa-engine-new" set.
> RSA Engine is encrypting using public key
> Segmentation fault (core dumped)
>
> Do I need to Compile this sample engine with the OpenSSL in order for it to work?
>
> Regards,
> Shariful Alam

-- 
SY, Dmitry Belyavsky
Calling OpenSSL functions from custom openssl engine causing segmentation fault?
Hello,
I have installed OpenSSL 1.1.1c. I'm trying to make a custom OpenSSL engine for RSA. The following sample code is copied from the engine e_dasync.c.

Following is a sample code for my RSA engine (rsa-engine.c),
===
/* Engine Id and Name */
static const char *engine_rsa_id = "rsa-engine-new";
static const char *engine_rsa_name = "RSA engine for testing";

// data encryption function
static int eng_rsa_pub_enc(int flen, const unsigned char *from,
                           unsigned char *to, RSA *rsa, int padding)
{
    printf("RSA Engine is encrypting using public key\n");
    return RSA_meth_get_pub_enc(RSA_PKCS1_OpenSSL())
        (flen, from, to, rsa, padding);
}

// signature verify
static int eng_rsa_pub_dec(int flen, const unsigned char *from,
                           unsigned char *to, RSA *rsa, int padding)
{
    printf("Signature verification\n");
    return 0;
}

// signature
static int eng_rsa_priv_enc(int flen, const unsigned char *from,
                            unsigned char *to, RSA *rsa, int padding)
{
    printf("Signature method:\n");
    return 0;
}

// data decryption
static int eng_rsa_priv_dec(int flen, const unsigned char *from,
                            unsigned char *to, RSA *rsa, int padding)
{
    printf("decryption method:\n");
    return 0;
}

static RSA_METHOD *test_rsa_method = NULL;

static int bind_dasync(ENGINE *e)
{
    /* Setup RSA_METHOD */
    if ((test_rsa_method = RSA_meth_new("Test RSA Engine", 0)) == NULL
        || RSA_meth_set_pub_enc(test_rsa_method, eng_rsa_pub_enc) == 0
        || RSA_meth_set_pub_dec(test_rsa_method, eng_rsa_pub_dec) == 0
        || RSA_meth_set_priv_enc(test_rsa_method, eng_rsa_priv_enc) == 0
        || RSA_meth_set_priv_dec(test_rsa_method, eng_rsa_priv_dec) == 0) {
        return 0;
    }

    /* Ensure the dasync error handling is set up */
    if (!ENGINE_set_id(e, engine_rsa_id)
        || !ENGINE_set_name(e, engine_rsa_name)
        || !ENGINE_set_RSA(e, test_rsa_method)) {
        return 0;
    }
    return 1;
}

static int bind_helper(ENGINE *e, const char *id)
{
    if (!bind_dasync(e)) {
        printf("2_Error: Inside Bind helper\n");
        return 0;
    }
    return 1;
}

IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
IMPLEMENT_DYNAMIC_CHECK_FN()
===

My Makefile looks like the following,
===
rsa-engine:
	gcc -g -fPIC -c rsa-engine.c
	gcc -g -shared -o librsa_engine.so -L./libdune rsa-engine.o -Bdynamic -lcrypto -lpthread
	mv librsa_engine.so rsa-engine-new.so
	sudo cp rsa-engine-new.so /opt/openssl/lib/engines-1.1/

clean:
	rm -f *.o *.d *.so rsa-engine
===

My code compiles. When I try to do encryption using the following command,
=
openssl rsautl -encrypt -inkey public.pem -pubin -in msg.txt -out msg.enc -engine rsa-engine-new
=

I get a segmentation fault,

engine "rsa-engine-new" set.
RSA Engine is encrypting using public key
Segmentation fault (core dumped)

Do I need to Compile this sample engine with the OpenSSL in order for it to work?

Regards,
Shariful Alam
How to load a custom OpenSSL engine automatically?
Hello,

I have a custom OpenSSL engine for experiment purposes. I'm trying to load my engine automatically. I intend to use my custom engine instead of the default OpenSSL engine. I have installed OpenSSL 1.1.1c from the source code with,

    ./config --prefix=/opt/openssl -DOPENSSL_LOAD_CONF --openssldir=/opt/openssl/ssl

configuration. And add the following lines to my openssl.cnf,

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    rsa-engine-new = rsa_section

    [rsa_section]
    engine_id = rsa-engine-new
    #dynamic_path = /opt/openssl/lib/engines-1.1/rsa-engine-new.so <-- Uncomment this line cause segmentation fault

after this, when I try to list available engine, I get the following error,

    ss@ss:/usr/local/lib$ openssl engine rsa-engine-new
    (rdrand) Intel RDRAND engine
    (dynamic) Dynamic engine loading support
    (rsa-engine-new) engine for testing 1
    140659701942016:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto/engine/eng_ctrl.c:255:
    140659701942016:error:260BC066:engine routines:int_engine_configure:engine configuration error:crypto/engine/eng_cnf.c:141:section=rsa_section, name=oid_section, value=new_oids
    140659701942016:error:0E07606D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:177:module=engines, value=engine_section, retcode=-1

My engine is loading automatically and it is used as a default engine, but why I'm seeing those errors? And how can I fix it?

Sincerely,
Shariful Alam
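The error output in the post names section=rsa_section, name=oid_section, value=new_oids: a line meant for the default section was read as part of [rsa_section], because a section runs until the next [header], and any name there other than engine_id, dynamic_path, soft_load, init or default_algorithms is sent to the engine as a control command. The following added example (not part of the original post or of OpenSSL; the parser is a simplified stand-in and both sample files are constructed, assuming the posted lines were pasted at the top of a stock openssl.cnf) reports such stray names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { FIELD = 64, MAX_ENTRIES = 64 };
struct entry { char section[FIELD], name[FIELD], value[FIELD]; };

/* Names the engine configuration module interprets itself; any other name
 * in an engine section is passed to the engine as a control command. */
static const char *const builtin[] = { "engine_id", "dynamic_path",
    "soft_load", "init", "default_algorithms" };

/* Copy src[0..len) into dst without surrounding whitespace (truncating). */
static void copy_trim(char *dst, const char *src, size_t len)
{
    while (len > 0 && isspace((unsigned char)*src)) { src++; len--; }
    while (len > 0 && isspace((unsigned char)src[len - 1])) len--;
    if (len >= FIELD) len = FIELD - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Simplified reader: "[section]" headers, "name = value" pairs, '#' comments. */
static int parse_conf(const char *text, struct entry *out, int max)
{
    char section[FIELD] = "default";
    int n = 0;
    while (*text != '\0' && n < max) {
        size_t len = strcspn(text, "\n"), body = 0;
        const char *p = text, *eq, *rb;
        while (body < len && text[body] != '#') body++;   /* cut comment */
        while (body > 0 && isspace((unsigned char)*p)) { p++; body--; }
        if (body > 0 && *p == '[') {
            if ((rb = memchr(p, ']', body)) != NULL)
                copy_trim(section, p + 1, (size_t)(rb - p) - 1);
        } else if (body > 0 && (eq = memchr(p, '=', body)) != NULL) {
            strcpy(out[n].section, section);  /* section stays until next [] */
            copy_trim(out[n].name, p, (size_t)(eq - p));
            copy_trim(out[n].value, eq + 1, body - (size_t)(eq - p) - 1);
            n++;
        }
        text += len + (text[len] == '\n');
    }
    return n;
}

static const char *lookup(const struct entry *e, int n,
                          const char *section, const char *name)
{
    for (int i = 0; i < n; i++)
        if (!strcmp(e[i].section, section) && !strcmp(e[i].name, name))
            return e[i].value;
    return NULL;
}

/* Follow openssl_conf -> engines -> each engine's section; collect the names
 * that are not built in. Returns how many were stored (at most max). */
static int lint_engine_sections(const char *conf, char flagged[][FIELD], int max)
{
    struct entry e[MAX_ENTRIES];
    int n = parse_conf(conf, e, MAX_ENTRIES), found = 0;
    const char *top = lookup(e, n, "default", "openssl_conf");
    const char *engines = top ? lookup(e, n, top, "engines") : NULL;
    size_t k, nb = sizeof(builtin) / sizeof(builtin[0]);
    for (int i = 0; engines != NULL && i < n; i++) {
        if (strcmp(e[i].section, engines) != 0)
            continue;                 /* e[i].value names an engine section */
        for (int j = 0; j < n; j++) {
            if (strcmp(e[j].section, e[i].value) != 0)
                continue;
            for (k = 0; k < nb && strcmp(e[j].name, builtin[k]) != 0; k++)
                ;
            if (k == nb && found < max)
                strcpy(flagged[found++], e[j].name);
        }
    }
    return found;
}

/* Constructed, assumed layout: the posted lines sit at the top of the file,
 * so the stock file's next default-section line follows [rsa_section]. */
static const char conf_pasted_at_top[] =
    "openssl_conf = openssl_def\n[openssl_def]\nengines = engine_section\n"
    "[engine_section]\nrsa-engine-new = rsa_section\n[rsa_section]\n"
    "engine_id = rsa-engine-new\noid_section = new_oids\n[ new_oids ]\n";

/* Constructed: same settings with the section blocks moved to the end. */
static const char conf_sections_at_end[] =
    "openssl_conf = openssl_def\noid_section = new_oids\n[ new_oids ]\n"
    "[openssl_def]\nengines = engine_section\n[engine_section]\n"
    "rsa-engine-new = rsa_section\n[rsa_section]\nengine_id = rsa-engine-new\n";

int main(void)
{
    char flagged[4][FIELD];
    int n = lint_engine_sections(conf_pasted_at_top, flagged, 4);
    for (int i = 0; i < n; i++)
        printf("engine section receives unexpected name: %s\n", flagged[i]);
    printf("sections at end: %d finding(s)\n",
           lint_engine_sections(conf_sections_at_end, flagged, 4));
    return 0;
}
```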
Re: Where to copy custom openssl engine library in openssl 1.1.0
You can ask the openssl app where it goes looking for engines by default. Here's what it looks like with the installed openssl on my machine:

    : ; openssl version -e
    ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"

Note that engines aren't agnostic to the OpenSSL version...

Cheers,
Richard

On Thu, 25 Apr 2019 10:06:53 +0200, Swamy J-S wrote:
> Am working in Ubuntu 18.04 with openssl 1.1.0g version. I built a custom openssl engine and now I want to use this engine instead of default openssl engine.
>
> My engine library name is libstoreengine.so and I copied this to /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ path.
>
> When I run my application it says Store Engine not found. There is path issue here, am I copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error.
>
> Please let me know the right path where I have to copy this engine?
>
> Thanks and Regards,
> SWAMY J S

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: Where to copy custom openssl engine library in openssl 1.1.0
Hello,

On Thu, Apr 25, 2019 at 11:36 AM Swamy J-S wrote:

> Hi, Thanks for reply. I have a doubt here. Which config file you are referring to? Is there any file called "config" which is already existing somewhere or should I create a dummy file called config?
>
> Just now I created a dummy file "config" and added the details you sent in this file.
>
> Also added "export OPENSSL_CONF=path_to_config" in /etc/environment file. And ran the command "openssl engine store -t -c".

Did you specify the correct dynamic_path?
Does the strace (in Linux) command report, that the config file and the engine is read?

> Still am getting same error as store not found when I run my application.
>
> Thanks and Regards,
> SWAMY J S
>
> From: Dmitry Belyavsky
> Sent: Thursday, April 25, 2019 1:44 PM
> To: Swamy J-S
> Cc: openssl-users@openssl.org
> Subject: Re: Where to copy custom openssl engine library in openssl 1.1.0
>
> Hello,
>
> You should load your engine via config file.
>
> It may look like
> =
> openssl_conf = openssl_def
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> storeengine = store_section
>
> [store_section]
> engine_id = store
> dynamic_path = /usr/local/lib/engines/storeengine.so
>
> Your application should load the config file, the way it works is different for different versions.
>
> On Thu, Apr 25, 2019 at 11:07 AM Swamy J-S wrote:
>
> Am working in Ubuntu 18.04 with openssl 1.1.0g version. I built a custom openssl engine and now I want to use this engine instead of default openssl engine.
>
> My engine library name is libstoreengine.so and I copied this to /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ path.
>
> When I run my application it says Store Engine not found. There is path issue here, am I copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error.
>
> Please let me know the right path where I have to copy this engine?
>
> Thanks and Regards,
> SWAMY J S
>
> --
> SY, Dmitry Belyavsky

-- 
SY, Dmitry Belyavsky
RE: Where to copy custom openssl engine library in openssl 1.1.0
Hi, Thanks for reply. I have a doubt here. Which config file you are referring to? Is there any file called "config" which is already existing somewhere or should I create a dummy file called config?

Just now I created a dummy file "config" and added the details you sent in this file.

Also added "export OPENSSL_CONF=path_to_config" in /etc/environment file. And ran the command "openssl engine store -t -c".

Still am getting same error as store not found when I run my application.

Thanks and Regards,
SWAMY J S

From: Dmitry Belyavsky
Sent: Thursday, April 25, 2019 1:44 PM
To: Swamy J-S
Cc: openssl-users@openssl.org
Subject: Re: Where to copy custom openssl engine library in openssl 1.1.0

Hello,

You should load your engine via config file.

It may look like
=
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
storeengine = store_section

[store_section]
engine_id = store
dynamic_path = /usr/local/lib/engines/storeengine.so

Your application should load the config file, the way it works is different for different versions.

On Thu, Apr 25, 2019 at 11:07 AM Swamy J-S <swamy@in.abb.com> wrote:

Am working in Ubuntu 18.04 with openssl 1.1.0g version. I built a custom openssl engine and now I want to use this engine instead of default openssl engine.

My engine library name is libstoreengine.so and I copied this to /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ path.

When I run my application it says Store Engine not found. There is path issue here, am I copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error.

Please let me know the right path where I have to copy this engine?

Thanks and Regards,
SWAMY J S

-- 
SY, Dmitry Belyavsky
Re: Where to copy custom openssl engine library in openssl 1.1.0
Hello,

You should load your engine via config file.

It may look like
=
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
storeengine = store_section

[store_section]
engine_id = store
dynamic_path = /usr/local/lib/engines/storeengine.so

Your application should load the config file, the way it works is different for different versions.

On Thu, Apr 25, 2019 at 11:07 AM Swamy J-S wrote:

> Am working in Ubuntu 18.04 with openssl 1.1.0g version. I built a custom openssl engine and now I want to use this engine instead of default openssl engine.
>
> My engine library name is libstoreengine.so and I copied this to /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ path.
>
> When I run my application it says Store Engine not found. There is path issue here, am I copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error.
>
> Please let me know the right path where I have to copy this engine?
>
> Thanks and Regards,
> SWAMY J S

-- 
SY, Dmitry Belyavsky
Where to copy custom openssl engine library in openssl 1.1.0
Am working in Ubuntu 18.04 with openssl 1.1.0g version. I built a custom openssl engine and now I want to use this engine instead of default openssl engine. My engine library name is libstoreengine.so and I copied this to /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/ path. When I run my application it says Store Engine not found. There is path issue here, am I copying the library in right path? I copied my library in /lib/x86_64-linux-gnu still am getting same error. Please let me know the right path where I have to copy this engine? Thanks and Regards, SWAMY J S
Troubles using Openssl ENGINE
Hello all,

I am currently having some trouble using an openssl engine with nginx. I was having no problems using it for loading private key through my engine. However after adding new capabilities about symmetric encryption (AES) to the engine, nginx is trying to use my engine instead of the default openssl implementation at some point. And so the handshake is failing, trying to use the symmetric encryption of my engine that I don't want it to use. Here is a debug log:

    2019/04/09 09:34:37 [debug] 9414#0: epoll timer: 59601
    2019/04/09 09:34:37 [debug] 9414#0: epoll: fd:3 ev:0001 d:B6973109
    2019/04/09 09:34:37 [debug] 9414#0: *3 SSL handshake handler: 0
    Init Cipher Key ... (Debug Log from the engine code)
    Cleaning up ... (Debug Log from the engine code)
    2019/04/09 09:34:37 [debug] 9414#0: *3 SSL_do_handshake: -1
    2019/04/09 09:34:37 [debug] 9414#0: *3 SSL_get_error: 1
    2019/04/09 09:34:37 [crit] 9414#0: *3 SSL_do_handshake() failed (SSL: error:8009D064:tpm2-tss-engine:tpm2_cipher_init_key:Failed to read TPM2 data) while SSL handshaking, client: 192.168.13
    2019/04/09 09:34:37 [debug] 9414#0: *3 close http connection: 3
    2019/04/09 09:34:37 [debug] 9414#0: *3 event timer del: 3: 24375741
    2019/04/09 09:34:37 [debug] 9414#0: *3 reusable connection: 0

My idea was to disable the symmetric functionality of the engine. And I have attempted to modify the file ngx_event_openssl.c by calling the function ENGINE_unregister_ciphers(...) or ENGINE_set_default(engine, ENGINE_METHOD_PKEY_METHS) or configuring the openssl.cnf with only RSA algo. I have succeeded in doing it in a small C code of mine, but in nginx it is like some functions are resetting my configuration, like SSL_CTX_new().

Does someone have an idea on how to resolve my problems? I would highly appreciate some help.

Other information:

    ~$ sudo /usr/sbin/nginx -V
    nginx version: nginx/1.12.1
    built with OpenSSL 1.1.0h 27 Mar 2018
    TLS SNI support enabled
    configure arguments: --crossbuild=Linux:arm --with-endian=big --with-int=4 --with-long=4 --with-long-long=8 --with-ptr-size=4 --with-sig-atomic-t=4 --with-size-t=4 --with-off-t=4 --with-time-t=4 --with-sg

Here is a link to the engine: https://github.com/tpm2-software/tpm2-tss-engine

Gael GUEGAN
Re: [openssl-users] ED25519 key with openssl engine
I had the same doubt. I have x-posed this question on the opensc mailing list as well.

On 9/17/18, 3:37 PM, "openssl-users on behalf of Matt Caswell" wrote:

> Perhaps the pkcs11 engine does not support ed25519 keys?
>
> Matt
>
> On 17/09/18 22:05, Paras Shah (parashah) via openssl-users wrote:
> > I get the following error when I try to access the ed25519 key stored in SoftHSM via the openssl engine interface using engine_pkcs11.
> >
> > []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%20leaf%20key;type=private" -inform ENGINE -engine pkcs11 -text
> > engine "pkcs11" set.
> > Enter PKCS#11 token PIN for token 2.5.0-rc1:
> > Key not found.
> > PKCS11_get_private_key returned NULL
> > cannot load key from engine
> > 140736065815424:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
> > 140736065815424:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> > unable to load key
> >
> > The openssl version used above is 1.1.1. which supports the ed25519 keys. The softhsm is v2.5.0-rc1 which also support the ed25519 keys.
> >
> > --
> > Paras

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] ED25519 key with openssl engine
Perhaps the pkcs11 engine does not support ed25519 keys?

Matt

On 17/09/18 22:05, Paras Shah (parashah) via openssl-users wrote:
> I get the following error when I try to access the ed25519 key stored in SoftHSM via the openssl engine interface using engine_pkcs11.
>
> []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%20leaf%20key;type=private" -inform ENGINE -engine pkcs11 -text
> engine "pkcs11" set.
> Enter PKCS#11 token PIN for token 2.5.0-rc1:
> Key not found.
> PKCS11_get_private_key returned NULL
> cannot load key from engine
> 140736065815424:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
> 140736065815424:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
> unable to load key
>
> The openssl version used above is 1.1.1. which supports the ed25519 keys. The softhsm is v2.5.0-rc1 which also support the ed25519 keys.
>
> --
> Paras
[openssl-users] ED25519 key with openssl engine
I get the following error when I try to access the ed25519 key stored in SoftHSM via the openssl engine interface using engine_pkcs11.

    []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%20leaf%20key;type=private" -inform ENGINE -engine pkcs11 -text
    engine "pkcs11" set.
    Enter PKCS#11 token PIN for token 2.5.0-rc1:
    Key not found.
    PKCS11_get_private_key returned NULL
    cannot load key from engine
    140736065815424:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:862:
    140736065815424:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:78:
    unable to load key

The openssl version used above is 1.1.1. which supports the ed25519 keys. The softhsm is v2.5.0-rc1 which also support the ed25519 keys.

-- 
Paras
Re: [openssl-users] How to make OpenSSL engine usage application specific?
> On Mon, 19 Feb 2018 Jayalakshmi Bhat wrote:
>
> Engine usage is application specific. There are couple of applications dependent on RSA TPM engine. And are few applications dependent on RSA smart card engine.
>
> We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific? Is there any way we can make OpenSSL chose specific engine for specific application.

I think but don't quote me that if your applications are using the openssl.cnf file to configure the engine you are going to use, then the OPENSSL_CONF environment variable will allow you to control the configuration file loaded by OpenSSL. This allows you to have application specific configuration files that load the engine you require and make it the default engine. This is dependent on your application having been built with OPENSSL_LOAD_CONF defined. You can also control the config file loaded programmatically via OPENSSL_config.

The alternative is loading your engine programmatically such as nginx does:
https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L4193-L4237
and use ENGINE_set_default to make the engine you require the default for that application. Of course that is only useful if you are in control of your applications source code.

There are more details here:
https://wiki.openssl.org/index.php/Library_Initialization
https://www.openssl.org/docs/manmaster/man5/config.html

Steve Linsell
Intel Shannon DCG/CID Software Development Team
stevenx.lins...@intel.com
Re: [openssl-users] How to make OpenSSL engine usage application specific?
Try RSA_new_method when allocating the RSA_METHOD. It takes an engine argument which will be used for related operations.

Pauli
-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

From: Jayalakshmi bhat [mailto:bhat.jayalaks...@gmail.com]
Sent: Monday, 19 February 2018 7:16 PM
To: openssl-users@openssl.org
Subject: [openssl-users] How to make OpenSSL engine usage application specific?

Hello All,

We have 2 RSA OpenSSL engines in our product. Both the engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming the engines as

1. RSA smart card engine
2. RSA TPM engine

Engine usage is application specific. There are couple of applications dependent on RSA TPM engine. And are few applications dependent on RSA smart card engine.

We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific? Is there any way we can make OpenSSL chose specific engine for specific application.

Regards
Jayalakshmi.
[openssl-users] How to make OpenSSL engine usage application specific?
Hello All,

We have 2 RSA OpenSSL engines in our product. Both the engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming the engines as

1. RSA smart card engine
2. RSA TPM engine

Engine usage is application specific. There are couple of applications dependent on RSA TPM engine. And are few applications dependent on RSA smart card engine.

We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific? Is there any way we can make OpenSSL chose specific engine for specific application.

Regards
Jayalakshmi.
Re: [openssl-users] OpenSSL engine and TPM usage.
Hi Jayalakshmi,

Is your implementation OSS or intellectual property? If it is OSS can you please provide the URL?

Regards,
Freemon

On Wed, Oct 25, 2017 at 1:06 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:

> Hi All,
>
> Our device uses TPM to protect certificate private keys. We have written engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets loaded as an engine instance.
> Also we have mapped RSA operations to TPM APIS as like encryption/decryption etc.
>
> Now we are into few issues. there are few applications that wants to use application specific identity certificate. In such cases RSA APIs should not get mapped to TPM APIs.
>
> I wanted to know when we use engine instance for encryption/decryption operation, can it be done selectively?
>
> Regards
> Jayalakshmi
Re: [openssl-users] OpenSSL engine and TPM usage.
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Richardson
> Sent: Wednesday, October 25, 2017 18:37
>
> Jakob Bohm wrote:
>
> > Please beware that many TPM chips were recently discovered to contain a broken RSA key generation algorithm, so public/private key pairs keys to be stored in the TPM should probably be generated off-chip (using the OpenSSL software key generator) and imported into the chip, contrary to what would have been best security practice without this firmware bug.
>
> wow, further evidence that everything needs an upgrade path.

Specifically, it's devices using Infineon chips. AIUI, that includes most TPMs and many HSMs, but not, for example, the NitroKey HSM.

The researchers who documented the problem, which they've named ROCA, have a site for it:

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

They aren't describing the exact nature of the issue yet (at least the last I checked), but it has something to do with the RSA primes having a structure that lets attackers greatly speed factoring. I can imagine a number of optimizations if you know enough about the structure of the primes.

They've provided a Python program that can identify problematic keys with high probability, and it's available as a web service, etc. The program doesn't reveal what the mystery structural issues are; it seems to be a Bloom filter that's been trained to identify vulnerable keys (which is pretty interesting in itself).

All that's just based on a pretty cursory look, though, so I may be wrong.

Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL engine and TPM usage.
On 10/26/2017 3:33 AM, Michael Ströder wrote:
> Michael Richardson wrote:
>> Jakob Bohm wrote:
>> wow, further evidence that everything needs an upgrade path.
>
> From the viewpoint of hardware vendors the upgrade path is selling new
> hardware. It's simply like that. Not very sustainable...

All the TPMs I know of have the ability to do a "field upgrade". They can accept vendor signed firmware updates. In fact, the newer ones can switch between TPM 1.2 and the new TPM 2.0 API. No need to touch the hardware.
Re: [openssl-users] OpenSSL engine and TPM usage.
In message
Re: [openssl-users] OpenSSL engine and TPM usage.
Michael Richardson wrote:
>
> Jakob Bohm wrote:
> >> I wanted to know when we use engine instance for encryption/decryption
> >> operation, can it be done selectively?
>
> > Please beware that many TPM chips were recently discovered to contain a
> > broken RSA key generation algorithm, so public/private key pairs keys
> > to be stored in the TPM should probably be generated off-chip (using
> > the OpenSSL software key generator) and imported into the chip,
> > contrary to what would have been best security practice without this
> > firmware bug.
>
> wow, further evidence that everything needs an upgrade path.

From the viewpoint of hardware vendors the upgrade path is selling new hardware. It's simply like that. Not very sustainable...

Ciao, Michael.
Re: [openssl-users] OpenSSL engine and TPM usage.
Jakob Bohm wrote:
>> I wanted to know when we use engine instance for encryption/decryption
>> operation, can it be done selectively?

> Please beware that many TPM chips were recently discovered to contain a
> broken RSA key generation algorithm, so public/private key pairs keys
> to be stored in the TPM should probably be generated off-chip (using
> the OpenSSL software key generator) and imported into the chip,
> contrary to what would have been best security practice without this
> firmware bug.

wow, further evidence that everything needs an upgrade path.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
Re: [openssl-users] OpenSSL engine and TPM usage.
On 25/10/2017 19:06, Jayalakshmi bhat wrote:
> Hi All,
>
> Our device uses TPM to protect certificate private keys. We have written engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets loaded as an engine instance.
> Also we have mapped RSA operations to TPM APIs as like encryption/decryption etc.
>
> Now we are into few issues. There are few applications that want to use application specific identity certificate. In such cases RSA APIs should not get mapped to TPM APIs.
>
> I wanted to know when we use engine instance for encryption/decryption operation, can it be done selectively?

Please beware that many TPM chips were recently discovered to contain a broken RSA key generation algorithm, so public/private key pairs keys to be stored in the TPM should probably be generated off-chip (using the OpenSSL software key generator) and imported into the chip, contrary to what would have been best security practice without this firmware bug.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] OpenSSL engine and TPM usage.
Hi All,

Our device uses TPM to protect certificate private keys. We have written engine interface to integrate TPM functionality into OpenSSL. Thus TPM gets loaded as an engine instance.
Also we have mapped RSA operations to TPM APIs as like encryption/decryption etc.

Now we are into few issues. There are few applications that want to use application specific identity certificate. In such cases RSA APIs should not get mapped to TPM APIs.

I wanted to know when we use engine instance for encryption/decryption operation, can it be done selectively?

Regards
Jayalakshmi
Re: [openssl-users] OpenSSL Engine for TPM
Agreed. I can't speak for the gentleman that originated this thread but in my context the use case would be to store the keys/certs within the TPM that's all.

Regards,
Freemon

On Fri, Jul 7, 2017 at 12:03 PM, Blumenthal, Uri - 0553 - MITLL <u...@ll.mit.edu> wrote:

> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases), a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and works well.
>
> --
> Regards,
> Uri Blumenthal
>
> On 7/7/17, 11:53, "openssl-users on behalf of Michael Wojcik" <openssl-users-boun...@openssl.org on behalf of michael.woj...@microfocus.com> wrote:
>
>     > agreed, but this engine does not really put the keys inside the TPM - instead it sets up a local repository that is encrypted
>     > using a key from the TPM. If you look at the way it is designed, it is not really secure (as it's not impossible to find the
>     > password that was used to encrypt the keys with).
>
>     "really secure" is not a useful phrase. Security is a set of asymptotic trade-offs between attacker and defender work-factors under a threat model. Nothing ever achieves "really secure".
>
>     Even a hypothetical OpenSSL engine that performed all cryptographic operations on the TPM wouldn't achieve specified security under the TPM threat model unless the engine, all of OpenSSL, and whatever is invoking it were part of the TCB.
>
>     That said, there is certainly a case to be made that an OpenSSL engine which performed at least some crypto operations on the TPM is of at least academic interest. Someone might want to start with the Trousers engine and try extending it. (Enhancing an existing engine generally isn't particularly difficult, in my experience, though of course it depends on what you're trying to do and what APIs are available.) Or try writing a fresh TPM engine using, say, the Windows TPM API.
>
>     It might help to know what your use case is.
>
>     Michael Wojcik
>     Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL Engine for TPM
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Blumenthal, Uri - 0553 - MITLL
> Sent: Friday, July 07, 2017 10:03
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] OpenSSL Engine for TPM
>
> And in most cases (except those involving TPM-based platform attestation,
> which I don’t think has anything to do with OpenSSL use cases), a separate
> hardware token (like a smartcard, or an HSM) would IMHO be a much better
> and more usable choice. PKCS#11 engine (libp11) to access those is quite
> popular and works well.

Agreed. I've had good results with OpenSC-based devices such as the NitroKey HSM using the OpenSSL PKCS#11 engine. Requires installing the various prereqs and a bit of setup and experimentation, but it all works.

On Windows, the CAPI engine can also generally be used to drive HSMs, if they don't have a suitable PKCS#11 driver.

Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL Engine for TPM
And in most cases (except those involving TPM-based platform attestation, which I don’t think has anything to do with OpenSSL use cases), a separate hardware token (like a smartcard, or an HSM) would IMHO be a much better and more usable choice. PKCS#11 engine (libp11) to access those is quite popular and works well.

--
Regards,
Uri Blumenthal

On 7/7/17, 11:53, "openssl-users on behalf of Michael Wojcik" <openssl-users-boun...@openssl.org on behalf of michael.woj...@microfocus.com> wrote:

    > agreed, but this engine does not really put the keys inside the TPM - instead it sets up a local repository that is encrypted
    > using a key from the TPM. If you look at the way it is designed, it is not really secure (as it's not impossible to find the
    > password that was used to encrypt the keys with).

    "really secure" is not a useful phrase. Security is a set of asymptotic trade-offs between attacker and defender work-factors under a threat model. Nothing ever achieves "really secure".

    Even a hypothetical OpenSSL engine that performed all cryptographic operations on the TPM wouldn't achieve specified security under the TPM threat model unless the engine, all of OpenSSL, and whatever is invoking it were part of the TCB.

    That said, there is certainly a case to be made that an OpenSSL engine which performed at least some crypto operations on the TPM is of at least academic interest. Someone might want to start with the Trousers engine and try extending it. (Enhancing an existing engine generally isn't particularly difficult, in my experience, though of course it depends on what you're trying to do and what APIs are available.) Or try writing a fresh TPM engine using, say, the Windows TPM API.

    It might help to know what your use case is.

    Michael Wojcik
    Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL Engine for TPM
I would personally love to see an implementation of this as well for OpenSSL. However in the interim you can see how these libraries were referenced to insert keys into the TPM for OpenSSH. Our team here has also verified this works nicely. Perhaps this can be extended if you do not wish to work with Trousers.

https://github.com/ThomasHabets/simple-tpm-pk11

On Fri, Jul 7, 2017 at 11:53 AM, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> > agreed, but this engine does not really put the keys inside the TPM -
> > instead it sets up a local repository that is encrypted
> > using a key from the TPM. If you look at the way it is designed, it is
> > not really secure (as it's not impossible to find the
> > password that was used to encrypt the keys with).
>
> "really secure" is not a useful phrase. Security is a set of asymptotic
> trade-offs between attacker and defender work-factors under a threat model.
> Nothing ever achieves "really secure".
>
> Even a hypothetical OpenSSL engine that performed all cryptographic
> operations on the TPM wouldn't achieve specified security under the TPM
> threat model unless the engine, all of OpenSSL, and whatever is invoking it
> were part of the TCB.
>
> That said, there is certainly a case to be made that an OpenSSL engine
> which performed at least some crypto operations on the TPM is of at least
> academic interest. Someone might want to start with the Trousers engine and
> try extending it. (Enhancing an existing engine generally isn't
> particularly difficult, in my experience, though of course it depends on
> what you're trying to do and what APIs are available.) Or try writing a
> fresh TPM engine using, say, the Windows TPM API.
>
> It might help to know what your use case is.
>
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL Engine for TPM
> agreed, but this engine does not really put the keys inside the TPM -
> instead it sets up a local repository that is encrypted
> using a key from the TPM. If you look at the way it is designed, it is not
> really secure (as it's not impossible to find the
> password that was used to encrypt the keys with).

"really secure" is not a useful phrase. Security is a set of asymptotic trade-offs between attacker and defender work-factors under a threat model. Nothing ever achieves "really secure".

Even a hypothetical OpenSSL engine that performed all cryptographic operations on the TPM wouldn't achieve specified security under the TPM threat model unless the engine, all of OpenSSL, and whatever is invoking it were part of the TCB.

That said, there is certainly a case to be made that an OpenSSL engine which performed at least some crypto operations on the TPM is of at least academic interest. Someone might want to start with the Trousers engine and try extending it. (Enhancing an existing engine generally isn't particularly difficult, in my experience, though of course it depends on what you're trying to do and what APIs are available.) Or try writing a fresh TPM engine using, say, the Windows TPM API.

It might help to know what your use case is.

Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] OpenSSL Engine for TPM
Hi,

On 06/07/17 06:39, Christian Hohnstädt wrote:
> The trousers project has one.
> https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/

agreed, but this engine does not really put the keys inside the TPM - instead it sets up a local repository that is encrypted using a key from the TPM. If you look at the way it is designed, it is not really secure (as it's not impossible to find the password that was used to encrypt the keys with).

> On 5 July 2017 06:47:24 CEST, Devang Kubavat <devang.kuba...@in.abb.com> wrote:
>> Hi All,
>>
>> 1. Is there any built-in OpenSSL Engine to access the TPM ?
>> 2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we configure in OpenSSL libraries to use that engine ?
>>
>> Please guide me. Thanks.
Re: [openssl-users] OpenSSL Engine for TPM
The trousers project has one.
https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/

Christian

On 5 July 2017 06:47:24 CEST, Devang Kubavat <devang.kuba...@in.abb.com> wrote:
>Hi All,
>
> 1. Is there any built-in OpenSSL Engine to access the TPM ?
>2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How
>can we configure in OpenSSL libraries to use that engine ?
>
>Please guide me. Thanks.
>
>Best Regards,
>Devang

--
This message was sent from my Android device with K-9 Mail.
Re: [openssl-users] OpenSSL Engine for TPM
> 1. Is there any built-in OpenSSL Engine to access the TPM ?

No.

> 2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we
> configure in OpenSSL libraries to use that engine ?

If someone has written one, and can make it available, they should post here. I don't know of any, but there may be.
[openssl-users] OpenSSL Engine for TPM
Hi All,

1. Is there any built-in OpenSSL Engine to access the TPM ?
2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we configure in OpenSSL libraries to use that engine ?

Please guide me. Thanks.

Best Regards,
Devang
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
> Thanks a lot for the explanation. We have range of products that provides network connectivity.
>
> 1. On these we would be using TPM to provide additional security.
> 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.

I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.

For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)

> In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well.

If I understand you correctly, you wish to alter the FIPS canister to offload time-consuming operations to hardware acceleration. If this understanding is correct, I must regretfully inform you that it cannot legitimately be done. Oh, sure, you can technically do it -- but it would be a modification of the black box, and require a new validation. (I don't believe that such an implementation could in fact be validated, though I could be wrong. I am not an expert. But even if it can be, it cannot be validated with a private-label validation and would cost upwards of $200,000 to validate.)

Remember, the FIPS canister *as written* is the only way to legitimately have FIPS mode from OpenSSL. Once FIPS mode is set, only cryptographic operations which are provided by the FIPS canister can be performed, and only by the unmodified code within the FIPS canister. It cannot be offloaded, because the FIPS canister cannot be modified to perform the offloading. Also, by offloading, you change the boundaries of the cryptographic provider to include additional, unverified, and quite possibly incorrect functionality.

To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it.

You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.

Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.

-Kyle H

> Both posts look similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.
>
> Regards
> Jayalakshmi
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 7/6/2014 10:44 AM, Kyle Hamilton wrote:
> On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
>> Thanks a lot for the explanation. We have range of products that provides network connectivity.
>>
>> 1. On these we would be using TPM to provide additional security.
>> 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.
>
> I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.
>
> For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)

(In the case of OpenSSL, this actually wins you very little).

Let me try to approach this from a different angle.

LEGALLY: If you have the luxury of having more than one FIPS validated device available to you, you probably (ask a lawyer to be absolutely sure), can use all of them together. However to claim FIPS compliance of the resulting application, you must not do any cryptography outside those devices, and it must be impossible for the FIPS-mode variant of your application to fall back to any non-validated implementations in case of errors etc. Additionally you may or may not (really ask a lawyer) be legally (not technically) required to treat any keys, passwords etc. handed from one device to another AS IF those keys were traveling over an insecure connection even though they never leave your process address space on an EAL-whatever-level certified operating system on an EAL-whatever-level certified computer.

TECHNICALLY: If you want to combine the use of multiple FIPS validated devices, one of which happens to be the OpenSSL FIPS canister, and another one a piece of hardware accessed using an OpenSSL Engine, it is an open technical question if the FIPS-enabled OpenSSL (which is legally outside both devices and /can/ be changed) will correctly combine use of the OpenSSL FIPS canister with the ENGINE for accessing the hardware device, or if it will somehow fail to do so.

For instance I am unsure what happens if the ENGINE plugin for the FIPS validated hardware device calls back to OpenSSL for cryptographic operations outside the scope of that device (it might do that because that piece of hardware is also used outside USGov and the ENGINE code was written for that case). Will OpenSSL pass the calls to the FIPS canister (if in FIPS mode) or use the non-validated software implementations?

I am also unsure if the FIPS-enabled OpenSSL library allows use of Engines when (runtime) configured in FIPS mode?

Finally /if/ it is legally required to go through additional gymnastics when transporting parameters from one FIPS device to another, I am unsure if the FIPS-enabled OpenSSL library will do so when the transport is internal to OpenSSL and its ENGINE plugins.

> To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it.
>
> You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.
>
> Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.
>
> -Kyle H
>
>> Both posts look similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.
>>
>> Regards
>> Jayalakshmi

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Kyle,

Thanks a lot for detailed explanation, it helped me lots.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton <aerow...@gmail.com> wrote:

> On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
>> Thanks a lot for the explanation. We have range of products that provides network connectivity.
>>
>> 1. On these we would be using TPM to provide additional security.
>> 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.
>
> I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.
>
> For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)
>
>> In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well.
>
> If I understand you correctly, you wish to alter the FIPS canister to offload time-consuming operations to hardware acceleration. If this understanding is correct, I must regretfully inform you that it cannot legitimately be done. Oh, sure, you can technically do it -- but it would be a modification of the black box, and require a new validation. (I don't believe that such an implementation could in fact be validated, though I could be wrong. I am not an expert. But even if it can be, it cannot be validated with a private-label validation and would cost upwards of $200,000 to validate.)
>
> Remember, the FIPS canister *as written* is the only way to legitimately have FIPS mode from OpenSSL. Once FIPS mode is set, only cryptographic operations which are provided by the FIPS canister can be performed, and only by the unmodified code within the FIPS canister. It cannot be offloaded, because the FIPS canister cannot be modified to perform the offloading. Also, by offloading, you change the boundaries of the cryptographic provider to include additional, unverified, and quite possibly incorrect functionality.
>
> To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it.
>
> You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.
>
> Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.
>
> -Kyle H
>
>> Both posts look similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.
>>
>> Regards
>> Jayalakshmi
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Jakob,

Thank you very much for detailed and helpful explanation.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:

> On 7/6/2014 10:44 AM, Kyle Hamilton wrote:
>> On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
>>> Thanks a lot for the explanation. We have range of products that provides network connectivity.
>>>
>>> 1. On these we would be using TPM to provide additional security.
>>> 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.
>>
>> I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.
>>
>> For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)
>
> (In the case of OpenSSL, this actually wins you very little).
>
> Let me try to approach this from a different angle.
>
> LEGALLY: If you have the luxury of having more than one FIPS validated device available to you, you probably (ask a lawyer to be absolutely sure), can use all of them together. However to claim FIPS compliance of the resulting application, you must not do any cryptography outside those devices, and it must be impossible for the FIPS-mode variant of your application to fall back to any non-validated implementations in case of errors etc. Additionally you may or may not (really ask a lawyer) be legally (not technically) required to treat any keys, passwords etc. handed from one device to another AS IF those keys were traveling over an insecure connection even though they never leave your process address space on an EAL-whatever-level certified operating system on an EAL-whatever-level certified computer.
>
> TECHNICALLY: If you want to combine the use of multiple FIPS validated devices, one of which happens to be the OpenSSL FIPS canister, and another one a piece of hardware accessed using an OpenSSL Engine, it is an open technical question if the FIPS-enabled OpenSSL (which is legally outside both devices and /can/ be changed) will correctly combine use of the OpenSSL FIPS canister with the ENGINE for accessing the hardware device, or if it will somehow fail to do so.
>
> For instance I am unsure what happens if the ENGINE plugin for the FIPS validated hardware device calls back to OpenSSL for cryptographic operations outside the scope of that device (it might do that because that piece of hardware is also used outside USGov and the ENGINE code was written for that case). Will OpenSSL pass the calls to the FIPS canister (if in FIPS mode) or use the non-validated software implementations?
>
> I am also unsure if the FIPS-enabled OpenSSL library allows use of Engines when (runtime) configured in FIPS mode?
>
> Finally /if/ it is legally required to go through additional gymnastics when transporting parameters from one FIPS device to another, I am unsure if the FIPS-enabled OpenSSL library will do so when the transport is internal to OpenSSL and its ENGINE plugins.
>
>> To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it.
>>
>> You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.
>>
>> Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.
>>
>> -Kyle H
>>
>>> Both posts look similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.
>>>
>>> Regards
>>> Jayalakshmi
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors
OpenSSL engine support in OpenSSL FIPS Object Module
Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. I welcome all valuable inputs. Regards Jayalakshmi.
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 07/05/2014 02:09 AM, Jayalakshmi bhat wrote:

Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. I welcome all valuable inputs.

First, please don't cross post to both lists. The openssl-users list would suffice.

You've more or less asked this question already. The OpenSSL FIPS Object Module source code is available under an open source license, so subject to the very liberal terms of that license you can hack that code to your heart's content.

However... The FIPS 140-2 Level 1 validation of that module (certificate #1747) is a different thing entirely. The instant you touch the code that validation no longer applies. The code without the validation is worthless (it does nothing regular OpenSSL doesn't do better, faster, more securely). A new validation will be necessary. You will find such a validation a significant challenge even without the source code mods you contemplate.

-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:

Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module.

If you literally mean adding ENGINE support to the OpenSSL FIPS Object module then you can but it would IMHO be a pointless exercise. The ENGINE code was stripped out to keep the number of dependencies down in the module.

If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need to as ENGINE support is already there.

I suggest you explain exactly what you want to do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Steve,

Thanks a lot for the explanation. We have a range of products that provide network connectivity.
1. On these we would be using TPM to provide additional security.
2. On the products that are a bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.

In my previous post related to TPM like how to deal with Non-FIPS compliant TPM chips, does it need any change in FIPS module size etc? In this post I wanted to know to support a hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well.

Both posts look similar. I apologize I should have clearly mentioned these 2 posts are in different contexts.

Thanks a lot.
Regards
Jayalakshmi

On Sat, Jul 5, 2014 at 10:46 PM, Dr. Stephen Henson st...@openssl.org wrote:

On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:

Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module.

If you literally mean adding ENGINE support to the OpenSSL FIPS Object module then you can but it would IMHO be a pointless exercise. The ENGINE code was stripped out to keep the number of dependencies down in the module.

If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need to as ENGINE support is already there.

I suggest you explain exactly what you want to do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: HSM used as OpenSSL engine
Thank you for your reply Stephen.

If that is the case, then how would you explain the following phenomenon-
1. Start a SSL connection using private key stored on a HSM, protected using a smart-card,
2. Let the SSL connection run for a bit
3. Unplug the smart card from HSM,
4. SSL connection stops after a couple of minutes.

In my understanding, the pre-master secret is only negotiated at the beginning of the connection, and the private key shouldn't be used for any other operation during the course of the connection.

I'm interfacing the HSM to OpenSSL through the CAPI engine. Is that doing some magic under the covers?

Thank you,
Sunjeet

On 2012-04-13, at 6:23 PM, Dr. Stephen Henson wrote:

On Fri, Apr 13, 2012, Sunjeet Singh wrote:

Hi, Stupid question- If I use a HSM to store private key used for SSL connections using the CryptoAPI engine for OpenSSL, is all data to be encrypted/decrypted going through my HSM? I'm-
1. Registering my HSM as a Cryptographic Service Provider, and
2. Setting my application code to initialize structural and functional references to the CAPI engine and bringing up a connection using the private key stored in the HSM.
Rest of the code just uses OpenSSL functions like SSL_write() and SSL_read(). Since the key resides on the HSM, is data going to my HSM to get encrypted/decrypted, or is there a session key being made on the HSM for each SSL session that is being passed to the OS and is the OS encrypting/decrypting data in memory?

The CryptoAPI ENGINE only handles private key operations so your HSM is only used to either decrypt the premaster secret (RSA key exchange ciphersuites) or used to sign a DH or ECDH public key (ephemeral ciphersuites).

The rest is handled in software using OpenSSLs cryptographic algorithm implementations.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
HSM used as OpenSSL engine
Hi,

Stupid question- If I use a HSM to store private key used for SSL connections using the CryptoAPI engine for OpenSSL, is all data to be encrypted/decrypted going through my HSM? I'm-
1. Registering my HSM as a Cryptographic Service Provider, and
2. Setting my application code to initialize structural and functional references to the CAPI engine and bringing up a connection using the private key stored in the HSM.

Rest of the code just uses OpenSSL functions like SSL_write() and SSL_read(). Since the key resides on the HSM, is data going to my HSM to get encrypted/decrypted, or is there a session key being made on the HSM for each SSL session that is being passed to the OS and is the OS encrypting/decrypting data in memory?

Thank you,
Sunjeet
Re: HSM used as OpenSSL engine
On Fri, Apr 13, 2012, Sunjeet Singh wrote:

Hi, Stupid question- If I use a HSM to store private key used for SSL connections using the CryptoAPI engine for OpenSSL, is all data to be encrypted/decrypted going through my HSM? I'm-
1. Registering my HSM as a Cryptographic Service Provider, and
2. Setting my application code to initialize structural and functional references to the CAPI engine and bringing up a connection using the private key stored in the HSM.
Rest of the code just uses OpenSSL functions like SSL_write() and SSL_read(). Since the key resides on the HSM, is data going to my HSM to get encrypted/decrypted, or is there a session key being made on the HSM for each SSL session that is being passed to the OS and is the OS encrypting/decrypting data in memory?

The CryptoAPI ENGINE only handles private key operations so your HSM is only used to either decrypt the premaster secret (RSA key exchange ciphersuites) or used to sign a DH or ECDH public key (ephemeral ciphersuites).

The rest is handled in software using OpenSSLs cryptographic algorithm implementations.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Looking for information on creating an openssl engine
Is there any sort of a guide as to what is needed to create an openssl engine? It's not clear to me what interface needs to be provided nor exactly what functionality can be moved to an engine.

I have an idea I'd like to experiment with for an approach to parallelising encryption/decryption (using existing algorithms, such as the various sizes of AES). I'm thinking about how I could multi-thread the encryption, but I don't know if it's possible to do what I'm thinking about as a pluggable option.

For example, assuming I wanted to use AES-256 CBC or CFB, I'd like to use the existing openssl code as much as possible without changes, so establishment of sessions, key agreement, etc, use the existing code. I'd want to only supply the block level encryption/decryption once the keys and cipher had been agreed, at which point, block encrypt/decrypt would pass through code I'd supply via the engine. Things such as re-negotiation of keys, message authentication, session termination, etc I'd want to use the existing code rather than attempt to roll my own, particularly since I'm thinking of doing a proof-of-concept and it's not impossible that my somewhat hazy ideas aren't actually workable.

Can the pluggable engine be used to provide such a limited interface/extension to openssl? I'd only handle the IV and supply block encrypt/decrypt. Does this actually fit the engine interface or is an engine expected at a minimum to provide more than just this rather limited functionality?

For anyone who is curious, my interest was sparked by seeing performance problems on some hardware - Sun T52xx servers for example, which have rather limited CPU power, but compensate by having lots of CPUs with support for lots of threads. I've been musing over an idea how to get the block encryption/decryption broken out so that individual blocks can be en/decrypted in separate threads, then marshalled back into a single stream again.
OpenSSL Engine - configurable ciphers/digests
Hi,

I need some help with a special case: a dynamic engine with non-static or configurable ciphers. While I do not use cryptodev, the code provides a good example of the initial problem: http://cvs.openssl.org/fileview?f=openssl/crypto/engine/eng_cryptodev.c&v=1.23

I basically have it working, but there is a problem: during the first call to af_alg_ciphers() I have to list all ciphers the engine *could* support or none, as af_alg_ctrl() gets called later.

If I respond with all ciphers, OpenSSL will assume I support all of them, and bail out unfriendly if told later on a given cipher is not supported in af_alg_ciphers().

If I claim there are no supported ciphers during this initial call to af_alg_ciphers(), the auto-engine loading feature via openssl.cnf does not work and software using openssl may require modifications to use the engine.

The code and instructions for my engine is available here: http://src.carnivore.it/users/common/af_alg/

The comments for cryptodev_usable_ciphers and cryptodev_usable_digests show there is a demand for a way to configure the ciphers/digests run by the particular engine. How to do it properly? I want this to be a runtime option, not a compile time option.

Kind regards,
Markus
Re: Openssl Engine for Utimaco CryptoServer
Ralf Hornik Mailings r...@best.homeunix.org wrote:

[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Failure]: MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so
7104:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134:
7104:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid

What does INT_CTRL_HELPER:invalid cmd name mean? As mentioned in documentation the cmd_name has to be set to SO_PATH. So cmd_name set to MODULE_NAME will always fail. Is that a bug?

Regards
Ralf
Openssl Engine for Utimaco CryptoServer
Hello List,

is there any working engine for Utimaco CryptoServer? Using Utimacos libcs2_pkcs11.so and OpenSCs pkcs11-tool it is possible to import and/or generate keys on the HSM but trying the openSC's engine for openssl I get:

modrow:~# openssl engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Failure]: MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so
7104:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134:
7104:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:eng_ctrl.c:316:
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine
unable to load module (null)
[ unavailable ]

Has anybody a working openssl-engine for CryptoServer?

Thanks and best regards
Ralf
Openssl Engine Performance Benchmarks
Hi, I have a question regarding the openssl speed command. When I use this command to test the crypto offload engine performance what is the right command to use? Is it openssl speed -evp aes-128-cbc -engine xx -elapsed or openssl speed -evp aes-128-cbc -engine xx I have seen examples with both of them on the internet and I get different results with each of them. What exactly does elapsed option add here? Thanks, Shasi
RE: Openssl Engine Performance Benchmarks
Is it openssl speed -evp aes-128-cbc -engine xx -elapsed or openssl speed -evp aes-128-cbc -engine xx

It depends what you want to measure.

I have seen examples with both of them on the internet and I get different results with each of them. What exactly does elapsed option add here?

-elapsed        measure time in real time instead of CPU user time.

So, do you want to know which one is faster or which one uses less CPU?

DS
Re: Openssl Engine Performance Benchmarks
On Tuesday 31 March 2009 23:16:10 Shasi Thati wrote: Hi, I have a question regarding the openssl speed command. When I use this command to test the crypto offload engine performance what is the right command to use? Is it openssl speed -evp aes-128-cbc -engine xx -elapsed or openssl speed -evp aes-128-cbc -engine xx I have seen examples with both of them on the internet and I get different results with each of them. What exactly does elapsed option add here? It means elapsed. :-) Ie. how much time elapsed during the benchmark. The normal measurement is cpu usage, which is something less than or equal to the elapsed time - if the benchmark used half the available cpu cycles during the elapsed period (according to scheduler stats, accurate or otherwise), the time given would be half the elapsed time. The usefulness of using cpu-time (instead of -elapsed) is to eliminate; (a) skewed statistics due to the system running other tasks while the benchmark was in progress (ie. you're only billed for what you use), and (b) to eliminate time the s/w (and driver) spent waiting for the crypto accelerator to respond to crypto operations. The value of (b) is to interpolate certain theoretical limits. Ie. if 80% of the time is spent waiting on the accelerator, the cpu-time for the benchmark run would be 1/5 of the elapsed time and so the calculated number of crypto ops per second would be 5 times what actually happened in real/elapsed time. If the latency of the accelerator is roughly constant but it can process multiple things at once due to having multiple execution units, then this inflated number is a useful estimate of how much you could theoretically process if you had multiple threads/processes keeping the cpu busy rather than waiting. In this example you'd need at least 5 threads to achieve such a performance level. (Which also assumes the accelerator performance would continue to scale up that far.) Cheers, Geoff -- Un terrien, c'est un singe avec des clefs de char... 
FYI: OpenSSL engine. Cell / Playstation 3.
Hi all,

I was asked to forward this to the list.

I've been working on an OpenSSL engine to support the Cell processor's (Playstation 3 etc.) vector processors (SPU's). I've (finally!) got a rough version glued together using the IBM multi-precision library from the Cell SDK. You may be interested in the results of version ***0.001.

bottom line is 47 * 4096bit RSA sign/sec as opposed to 11 per without.

./apps/openssl speed rsa4096 -engine cellspumpm -elapsed -multi 15
(see [2] below for openssl build options)

This is with 15 Multi processes and elapsed time. The choice of 15 is random.

with SPU engine :-
                    sign      verify    sign/s  verify/s
rsa 4096 bits   0.020915s  0.000546s     47.8    1832.2

'raw' OpenSSL (same build)
                    sign      verify    sign/s  verify/s
rsa 4096 bits   0.091103s  0.001213s     11.0     824.7

Without the -multi option.

with SPU engine :-
                    sign      verify    sign/s  verify/s
rsa 4096 bits   0.098480s  0.001725s     10.2     579.7

'raw' OpenSSL (same build)
                    sign      verify    sign/s  verify/s
rsa 4096 bits   0.108516s  0.001742s      9.2     574.1

Note:
- Results are from a 3.2 GHz Playstation 3 with 7 SPUs running yellow dog linux 5.0. [1] A server/blade Cell system would have up to 16 SPUs.
- I'm using elapsed time on a relatively quiet machine. It still has SSH and X server connections running. I'll be able to get this down later. The multi-threaded nature of the system messes up the CPU timing option.
- This is first cut with a basic mod_exp(). Further optimisations may be possible with pre-computation and different window sizes.
- There are overheads with the current DMA transfer of parameters that will be erased as I optimise the big number conversion code and introduce double buffering techniques. But overheads are pretty small compared to the mod_exp(). I'm also pretty hopeful that a MIRACL version I am working on will be even faster.
- I still have intermittent PKCS#1 padding problems. (arrraggg)
- See http://en.wikipedia.org/wiki/Cell_microprocessor for more details on the Cell
- The Cell PPU is a PowerPC G5. OpenSSL is configured for PPC/G5 ASM at 64-bit.
- The Cell SPU can be viewed as a co-processor with 270K RAM with restricted I/O but enhancements for accelerated multimedia or number crunching. It does not directly interact with the main system memory.
- The engine is based upon the GMP engine shipped with OpenSSL but uses the vector optimised IBM MPM multi-precision library on the SPUs for the big number operations. The speed gains are attributed to the SPU's 128bit registers and specialist vector operations allowing for multiple 32bit integer operations in fewer clock cycles

I'd like to thank Augusto Jun Devegili (DCU/Ireland unicamp, Brazil), Dr Mike Scott (DCU, Ireland), and Dr Stephen Henson (OpenSSL) for their assistance and patience.

I hope to announce a public/release version later this month. Any comments, questions, etc. to neil.costigan[at]computing.dcu.ie

Regards,
Neil Costigan
School of Computing, Dublin City University, Dublin, IRELAND.
http://www.computing.dcu.ie/~ncostiga
Problems with OpenSSL Engine and hashing.
Hello everybody,

I have a problem in making our OpenSSL Engine that drives our HW accelerator work fine for hash (SHA1 in particular). The problem seems to be related to my Digest_Copy or (less likely) Digest_Cleanup implementation (I'll explain this further on).

The Engine works fine for the Cipher algorithms (both just operating on a file and using s_client/s_server), and works fine for SHA1 when operating on a file. Trying to run an s_client / s_server session, I noticed that multiple contexts are used and the calls to Digest_Update function are mixed, so I have to maintain coherency in some way.

- 1 -
The easiest (and quickest) way to do this is to buffer the data that I receive at each call to Digest_Update, for each context, and ask for a real hash operation only when I receive the Digest_Final for that context. Doing in this way, everything is ok, both operating on a single file (here only one context is used) and using s_client / s_server (multiple contexts).

In this scenario, in the Digest_Copy function I make a memcopy of the EVP_MD_CTX->md_data field where our data structure sits, and moreover I manually allocate and copy the buffer in which I am keeping the stored data. In the Digest_Cleanup I make a free of the buffer in which I keep the data (it is dynamically allocated) and I set to zero the counters used to keep track of its size and actual occupation. In this way, as I said, everything works.

- 2 -
The previous solution is mainly a workaround and has a big disadvantage if you want to hash large files or amount of data. So I decided to use the capability of our HW accelerator to save and restore the current context of the hash block. Here I have some problem, when using s_client/ s_server. Even if I implement it in the most trivial and inefficient way (RESTORE/UPDATE/SAVE at *each* call to update) it does not work.

In this scenario, we have a buffer for the context in our data structure. I allocate this buffer at the first call to Digest_Update, obviously not setting the RESTORE flag for this first call. I call free for this buffer and put it to NULL in the Digest_Cleanup function and, if this buffer is valid (not null) I copy it in the Digest_Copy function, by allocating a proper memory area in the "to" context.

If I use this solution on a single file, it works, so the SAVE/RESTORE mechanism works fine (and it has been proved elsewhere). But it fails in the s_client/s_server test. As the main difference is that here the Digest_Copy and Digest_Cleanup function are called, I suppose the problem is here, even if I do not see many differences with the scenario number -1-

What am I missing? Could you help me? Can someone point me to some useful resource or describe me exactly what has to be implemented in the Digest_Copy (and Digest_Cleanup) function? Or do you know another way to avoid the problem of mixed context? I mean:

sha1_init(ctx_A)
sha1_update(ctx_A)
sha1_init(ctx_B)
sha1_update(ctx_B)
sha1_update(ctx_A)

Thank you very much and best regards,
Marco Grella
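Added example (not part of the original post, and not OpenSSL or engine code): a self-contained C model of the save/restore scheme described in the message above, run through the interleaved sequence it lists and through a mid-stream copy. It relies on the fact that EVP_MD_CTX_copy_ex() byte-copies md_data before it calls the digest's copy callback, so the callback starts with a pointer that aliases the source's buffer; the single-slot "hardware", FNV-1a standing in for SHA-1, and every type and function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the accelerator: ONE hash block whose state can be
 * saved and restored. FNV-1a replaces SHA-1 to keep the example short. */
typedef struct { uint32_t h; } hw_state;
static hw_state hw_block;
static void hw_reset(void) { hw_block.h = 2166136261u; }
static void hw_update(const void *data, size_t len) {
    const unsigned char *p = data;
    while (len--) { hw_block.h ^= *p++; hw_block.h *= 16777619u; }
}

/* Engine-private data (the role of EVP_MD_CTX->md_data) and a minimal,
 * hypothetical digest context that owns it. */
typedef struct { hw_state *saved; } eng_md_data;
typedef struct { eng_md_data *md_data; } md_ctx;

/* ---- engine callbacks ---- */
static int eng_update(md_ctx *c, const void *data, size_t len) {
    eng_md_data *d = c->md_data;
    if (d->saved == NULL) {            /* first call: nothing to RESTORE */
        d->saved = malloc(sizeof *d->saved);
        if (d->saved == NULL) return 0;
        hw_reset();
    } else {
        hw_block = *d->saved;          /* RESTORE this context's state */
    }
    hw_update(data, len);              /* UPDATE */
    *d->saved = hw_block;              /* SAVE before another context runs */
    return 1;
}
static uint32_t eng_final(const md_ctx *c) {
    if (c->md_data->saved == NULL) { hw_reset(); return hw_block.h; }
    return c->md_data->saved->h;
}
static void eng_cleanup(md_ctx *c) {
    if (c->md_data == NULL) return;
    free(c->md_data->saved);
    c->md_data->saved = NULL;          /* a repeated cleanup stays harmless */
}
/* Runs after the framework's byte copy, so to->saved currently ALIASES
 * from->saved. Replace the pointer; freeing it here would free the source. */
static int eng_copy(md_ctx *to, const md_ctx *from) {
    to->md_data->saved = NULL;
    if (from->md_data->saved != NULL) {
        to->md_data->saved = malloc(sizeof *to->md_data->saved);
        if (to->md_data->saved == NULL) return 0;
        *to->md_data->saved = *from->md_data->saved;
    }
    return 1;
}

/* ---- model of what the EVP layer does around those callbacks ---- */
static int ctx_init(md_ctx *c) {
    if ((c->md_data = malloc(sizeof *c->md_data)) == NULL) return 0;
    c->md_data->saved = NULL;
    return 1;
}
static void ctx_cleanup(md_ctx *c) { eng_cleanup(c); free(c->md_data); c->md_data = NULL; }
static int ctx_copy(md_ctx *out, const md_ctx *in) {
    ctx_cleanup(out);
    out->md_data = malloc(sizeof *out->md_data);
    if (out->md_data == NULL) return 0;
    memcpy(out->md_data, in->md_data, sizeof *out->md_data); /* shallow */
    return eng_copy(out, in);
}

/* Reference value: the same hash computed in one pass. */
static uint32_t one_shot(const char *s) { hw_reset(); hw_update(s, strlen(s)); return hw_block.h; }

/* init(A) update(A) init(B) update(B) update(A), as in the post. */
int interleaved_ok(void) {
    md_ctx a = { NULL }, b = { NULL };
    int ok = ctx_init(&a) && eng_update(&a, "hello ", 6)
          && ctx_init(&b) && eng_update(&b, "other", 5)
          && eng_update(&a, "world", 5)
          && eng_final(&a) == one_shot("hello world") && eng_final(&b) == one_shot("other");
    ctx_cleanup(&a); ctx_cleanup(&b);
    return ok;
}

/* Copy a context mid-stream, then let source and copy diverge. */
int copy_is_independent(void) {
    md_ctx a = { NULL }, c = { NULL };
    int ok = ctx_init(&a) && eng_update(&a, "abc", 3) && ctx_copy(&c, &a)
          && c.md_data->saved != a.md_data->saved      /* no shared buffer */
          && eng_update(&a, "def", 3) && eng_update(&c, "xyz", 3)
          && eng_final(&a) == one_shot("abcdef")
          && eng_final(&c) == one_shot("abcxyz");
    ctx_cleanup(&c);                   /* must release only c's buffer */
    ok = ok && eng_final(&a) == one_shot("abcdef");
    ctx_cleanup(&a);
    return ok;
}

int main(void) { return (interleaved_ok() && copy_is_independent()) ? 0 : 1; }
```

Running the same program under a memory checker such as valgrind or AddressSanitizer confirms that each saved buffer is freed exactly once.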
Re: Openssl Engine calling code (soft pkcs11) also written in openssl conflict
Christopher Nebergall wrote:

I've been working with some patches to curl I found on the curl mailing list to support openssl and opensc's engine_pkcs11. Basically it consists of Curl 7.14 + patch which adds dynamic engine support - opensc-20050826 [engine_pkcs11.so] - soft-pkcs11 1.2 on Ubuntu Linux (5.04) Kernel 2.6.10-5-386

actually the openssl version would be more interesting

The problem is that engine_pkcs11 from opensc registers custom rsa functions for its purposes. They dlopen a pkcs11 library in my case soft-pkcs11 which is also implemented using openssl. The problem is that the soft token seems to be calling the rsa functions registered by opensc and not the original versions. I need some advice or background on overriding crypto implementations to figure out how to make soft-pkcs11 not inherit the opensc's overridden functions.

you could use RSA_set_method with RSA_PKCS1_SSLeay for example

I would have thought since soft-pkcs11 was dlopened that this wouldn't have inherited the modified functions.

the default engine is a global parameter

Nils
Openssl Engine calling code (soft pkcs11) also written in openssl conflict
I've been working with some patches to curl I found on the curl mailing list to support openssl and opensc's engine_pkcs11. Basically it consists of Curl 7.14 + patch which adds dynamic engine support - opensc-20050826 [engine_pkcs11.so] - soft-pkcs11 1.2 on Ubuntu Linux (5.04) Kernel 2.6.10-5-386

The problem is that engine_pkcs11 from opensc registers custom rsa functions for its purposes. They dlopen a pkcs11 library in my case soft-pkcs11 which is also implemented using openssl. The problem is that the soft token seems to be calling the rsa functions registered by opensc and not the original versions. I need some advice or background on overriding crypto implementations to figure out how to make soft-pkcs11 not inherit the opensc's overridden functions.

I would have thought since soft-pkcs11 was dlopened that this wouldn't have inherited the modified functions.
what's the default openssl engine
Hi,

I always heard that the openssl uses the default openssl engine if the engine is not specified. I would like to know what's the default openssl engine. In other words, how could I tell which is the default openssl engine when I use openssl?

thanks
hao

Best Regards
openssl / engine / atalla
hi,

does someone have an example of an openssl.cnf file to configure an SSL accelerator like an ATALLA board ?

JPV
RE: Triple-des with openssl engine and ncypher hardware.
Hi,

We (Zencod) have written some code for symmetric crypto use with openssl 0.9.7. You may look at our contribution on openssl web site or in the demo subdirectory. Hope it will help.

Fred

-----Original Message-----
From: sebastien Labrune [mailto:[EMAIL PROTECTED]]
Sent: Wed 11/20/2002 5:56 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Triple-des with openssl engine and ncypher hardware.

Hi, I'm trying to integrate ncipher hardware (nshield) with openssl. I want to implement triple-des with internal keys. I've seen that we can access the chil engine with the new openssl engine. How can I use it to encrypt data with triple-des algorithm and keys stored in hardware? Is it possible to perform it with internal keys? How? The only functions I've seen in C API, are using des_key_schedule structure type that is to say that we must have an access to the keys.

Regards.
Triple-des with openssl engine and ncypher hardware.
Hi, I'm trying to integrate ncipher hardware (nshield) with openssl. I want to implement triple-des with internal keys. I've seen that we can access the "chil" engine with the new openssl engine. How can I use it to encrypt data with triple-des algorithm and keys stored in hardware? Is it possible to perform it with internal keys? How? The only functions I've seen in C API, are using des_key_schedule structure type that is to say that we must have an access to the keys. Regards.
OpenSSL engine NFast
Hi, I'm trying to understand how the engine object is working with openssl-engine. I'm using a NFast crypto device (chil) and when I look into hw_ncipher.c I found three interesting functions:
static int hwcrhk_insert_card(const char *prompt_info, const char *wrong_info, HWCryptoHook_PassphraseContext *ppctx, HWCryptoHook_CallerContext *cactx);
static int hwcrhk_get_pass(const char *prompt_info, int *len_io, char *buf, HWCryptoHook_PassphraseContext *ppctx, HWCryptoHook_CallerContext *cactx);
static void hwcrhk_log_message(void *logstr, const char *message);
How can I use them ? They are all static. I found that they are in the HWCryptoHook_InitInfo hwcrhk_globals structure but how can I have access to this structure ? Is the process of the engine call them automatically or do I have to specify somewhere when I want the user to enter a physical token ? Thanks for your help, Michiels Olivier
Re: Openssl Engine
In message [EMAIL PROTECTED] on Tue, 24 Sep 2002 14:55:53 +0200, Michiels Olivier [EMAIL PROTECTED] said:

olivier.michiels> Hi,
olivier.michiels> Currently I've an application that creates keys, certificate requests
olivier.michiels> and certificates using NFast and openssl-0.9.5.
olivier.michiels> I've updated my code to use the openssl-engine.
olivier.michiels> Everything works perfectly with some modifications.
olivier.michiels> Now, I would like to use the ENGINE concept with my NFast.
olivier.michiels> I've already understood that the identifier of my ENGINE is chil and
olivier.michiels> I've written some code to test if I can have a new pointer to a ENGINE
olivier.michiels> structure.
olivier.michiels> What I would like to know is how to use this ENGINE pointer with my
olivier.michiels> existing code, for example, what are the commands available for the
olivier.michiels> NFAST. I've tried this little code but it doesn't work.
olivier.michiels>
olivier.michiels> #include <openssl/engine.h>
olivier.michiels> #include <openssl/bio.h>
olivier.michiels>
olivier.michiels> int main(int argc,char* argv[])
olivier.michiels> {
olivier.michiels>     ENGINE *e;
olivier.michiels>     BIO *err;
olivier.michiels>

It would be a good thing to insert a call to ERR_load_crypto_strings() here, so the errors get displayed with humanly readable reasons instead of all those numbers.

olivier.michiels>     ENGINE_load_builtin_engines();
olivier.michiels>     if ((e = ENGINE_by_id(argv[1])) == NULL)
olivier.michiels>     {
olivier.michiels>         fprintf(stderr,"Error for: %s\n",argv[1]);
olivier.michiels>         return -1;
olivier.michiels>     }
olivier.michiels>
olivier.michiels>     err = BIO_new_fp(stderr,BIO_NOCLOSE);
olivier.michiels>     if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
olivier.michiels>     {
olivier.michiels>         BIO_printf(err,"can't use that engine\n");
olivier.michiels>         ERR_print_errors(err);
olivier.michiels>         ENGINE_free(e);
olivier.michiels>         return -1;
olivier.michiels>     }
olivier.michiels>     BIO_printf(err,"engine \"%s\" set.\n", ENGINE_get_id(e));
olivier.michiels>
olivier.michiels>
olivier.michiels>     if (ENGINE_ctrl_cmd_string(e,"get_passphrase","Password:",0) == 0)
olivier.michiels>     {
olivier.michiels>         ERR_print_errors(err);
olivier.michiels>         ENGINE_free(e);
olivier.michiels>         return -1;
olivier.michiels>     }

And exactly what was that supposed to accomplish?

olivier.michiels>
olivier.michiels>     /* Free our structural reference. */
olivier.michiels>     ENGINE_free(e);
olivier.michiels>
olivier.michiels>     return 0;
olivier.michiels> }
olivier.michiels>
olivier.michiels> The output is as follows:
olivier.michiels> engine chil set.
olivier.michiels> 25983:error:260AC089:engine routines:func(172):reason(137):eng_ctrl.c:136:
olivier.michiels> 25983:error:260AB089:engine routines:func(171):reason(137):eng_ctrl.c:314:
olivier.michiels>
olivier.michiels> I need to ask passwords in order to have my NFast working.
olivier.michiels> How can I do that ?

No, you don't need to ask for passwords at the OpenSSL level. They will be prompted for automatically when needed.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
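Added example (not from either post, and not OpenSSL code): a small C decoder for the error-queue lines quoted in this thread. It shows that func(172) and reason(137) are simply the unpacked fields of 260AC089, printed without loaded error strings, which is what the ERR_load_crypto_strings() advice above addresses. It assumes the pre-3.0 packing of 8 bits library, 12 bits function and 12 bits reason; struct ossl_err and the function names are made up for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* pid:error:XXXXXXXX:library:function:reason:file:line:data (pre-3.0 format) */
struct ossl_err {
    unsigned long pid, code;
    int lib, func, reason, line;  /* lib/func/reason are unpacked from code */
    char lib_text[48], func_text[48], reason_text[96], file[48];
    int strings_missing;          /* 1 when the line shows func(N)/reason(N) */
};

/* Two lines quoted from the messages on this page. */
static const char SAMPLE_NO_STRINGS[] =
    "25983:error:260AC089:engine routines:func(172):reason(137):eng_ctrl.c:136:";
static const char SAMPLE_WITH_STRINGS[] =
    "29176:error:25067066:DSO support routines:DLFCN_LOAD:"
    "could not load the shared library:dso_dlfcn.c:157:";

/* Copy the next ':'-terminated field into dst and step *p past the colon. */
static int next_field(const char **p, char *dst, size_t cap)
{
    const char *end = strchr(*p, ':');
    size_t n;
    if (end == NULL || (n = (size_t)(end - *p)) >= cap)
        return -1;
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p = end + 1;
    return 0;
}

/* Return N when text is exactly "prefix(N)", otherwise -1. */
int placeholder_number(const char *text, const char *prefix)
{
    size_t n = strlen(prefix);
    char *endp;
    long v;
    if (strncmp(text, prefix, n) != 0 || text[n] != '(')
        return -1;
    v = strtol(text + n + 1, &endp, 10);
    return (endp == text + n + 1 || strcmp(endp, ")") != 0 || v < 0) ? -1 : (int)v;
}

/* Parse one error-queue line; returns 0 on success, -1 if it is malformed. */
int parse_err_line(const char *line, struct ossl_err *out)
{
    char pid[16], tag[8], hex[12], lno[12], *endp;
    const char *p = line;
    memset(out, 0, sizeof(*out));
    if (next_field(&p, pid, sizeof(pid)) || next_field(&p, tag, sizeof(tag)) ||
        next_field(&p, hex, sizeof(hex)) ||
        next_field(&p, out->lib_text, sizeof(out->lib_text)) ||
        next_field(&p, out->func_text, sizeof(out->func_text)) ||
        next_field(&p, out->reason_text, sizeof(out->reason_text)) ||
        next_field(&p, out->file, sizeof(out->file)) ||
        next_field(&p, lno, sizeof(lno)))
        return -1;
    if (strcmp(tag, "error") != 0 || strlen(hex) != 8) return -1;
    out->pid = strtoul(pid, &endp, 10);
    if (endp == pid || *endp != '\0') return -1;
    out->code = strtoul(hex, &endp, 16);
    if (*endp != '\0') return -1;
    out->line = (int)strtol(lno, &endp, 10);
    if (endp == lno || *endp != '\0') return -1;
    /* Pre-3.0 packing: 8 bits library, 12 bits function, 12 bits reason. */
    out->lib = (int)((out->code >> 24) & 0xFF);
    out->func = (int)((out->code >> 12) & 0xFFF);
    out->reason = (int)(out->code & 0xFFF);
    out->strings_missing = placeholder_number(out->func_text, "func") >= 0 ||
                           placeholder_number(out->reason_text, "reason") >= 0;
    return 0;
}

/* 1 if the printed text agrees with the packed code, 0 if they disagree. */
int err_is_consistent(const struct ossl_err *e)
{
    /* Only the two library numbers that occur on this page are checked. */
    const char *want = e->lib == 37 ? "DSO support routines"     /* ERR_LIB_DSO */
                     : e->lib == 38 ? "engine routines" : NULL;  /* ERR_LIB_ENGINE */
    int f = placeholder_number(e->func_text, "func");
    int r = placeholder_number(e->reason_text, "reason");
    return !(want != NULL && strcmp(want, e->lib_text) != 0) &&
           !(f >= 0 && f != e->func) && !(r >= 0 && r != e->reason);
}

int main(void)
{
    const char *samples[] = { SAMPLE_NO_STRINGS, SAMPLE_WITH_STRINGS };
    struct ossl_err e;
    for (size_t i = 0; i < 2; i++)
        if (parse_err_line(samples[i], &e) == 0)
            printf("%08lX lib=%d func=%d reason=%d strings_missing=%d ok=%d\n",
                   e.code, e.lib, e.func, e.reason, e.strings_missing,
                   err_is_consistent(&e));
    return 0;
}
```

A line with strings_missing set came from a process that never loaded the error strings, so the same packed code has to be looked up in the headers of the OpenSSL version that produced it.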
Openssl Engine
Hi, Currently I've an application that creates keys, certificate requests and certificates using NFast and openssl-0.9.5. I've updated my code to use the openssl-engine. Everything works perfectly with some modifications. Now, I would like to use the ENGINE concept with my NFast. I've already understood that the identifier of my ENGINE is chil and I've written some code to test if I can have a new pointer to a ENGINE structure. What I would like to know is how to use this ENGINE pointer with my existing code, for example, what are the commands available for the NFAST. I've tried this little code but it doesn't work.

#include <stdio.h>
#include <openssl/engine.h>
#include <openssl/bio.h>

int main(int argc,char* argv[])
{
    ENGINE *e;
    BIO *err;

    /* The engine id (for example chil) is taken from the command line. */
    if (argc < 2)
    {
        fprintf(stderr,"usage: %s engine-id\n",argv[0]);
        return -1;
    }

    ENGINE_load_builtin_engines();
    if ((e = ENGINE_by_id(argv[1])) == NULL)
    {
        fprintf(stderr,"Error for: %s\n",argv[1]);
        return -1;
    }

    err = BIO_new_fp(stderr,BIO_NOCLOSE);
    if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
    {
        BIO_printf(err,"can't use that engine\n");
        ERR_print_errors(err);
        ENGINE_free(e);
        return -1;
    }
    BIO_printf(err,"engine \"%s\" set.\n", ENGINE_get_id(e));

    /* The control command that produces the two errors shown below. */
    if (ENGINE_ctrl_cmd_string(e,"get_passphrase","Password:",0) == 0)
    {
        ERR_print_errors(err);
        ENGINE_free(e);
        return -1;
    }

    /* Free our structural reference. */
    ENGINE_free(e);

    return 0;
}

The output is as follows:
engine chil set.
25983:error:260AC089:engine routines:func(172):reason(137):eng_ctrl.c:136:
25983:error:260AB089:engine routines:func(171):reason(137):eng_ctrl.c:314:

I need to ask passwords in order to have my NFast working. How can I do that ? Thanks Michiels Olivier
RE: Using ENGINE in openssl-engine-0.9.6g
I ran the openssl speed test with OpenSSL 0.9.6g with the CryptoSwift engine on Windows, and found that it worked OK; I didn't test further than speed -engine cswift rsa1024. Lynn Gazis -Original Message- From: Edward Chan [mailto:[EMAIL PROTECTED]] Sent: Monday, August 19, 2002 10:34 PM To: [EMAIL PROTECTED] Subject: Using ENGINE in openssl-engine-0.9.6g Hi there, Has anybody had any problems using the ENGINE API's in openssl-engine-0.9.6g on Windows. I downloaded openssl-engine-0.9.6g and built it. No errors were encountered during build. I have the following dll's built, libeay32.dll and ssleay32.dll. In my code, I try to call ENGINE_by_id(). But a dialog pops up that says The ordinal 2493 could not be located in the dynamic link library LIBEAY32.dll. When I right click on the LIBEAY32.dll and choose view dependencies, I do see the ordinal 2493 (which corresponds to ENGINE_by_id()). Does anybody know what's up? Other stuff works though. My client is able to connect to my server. The SSL handshaking appears to be ok. Data is read and written ok. But if I enable the ENGINE code, then I get this error. Ed
Re: RE : openssl engine use
Hey there,
On Thu, 25 Jul 2002, Frederic DONNAT wrote: A sample of programming with engine is mod-ssl (initialize ENGINE before everything else). You can also see apps directory of OpenSSL s_client, s_server ... files Be also careful between openssl-engine-0.9.6x and openssl-0.9.7 there is some diff for engine use. [snip]
-Original Message- From: Rob McMonigal [mailto:[EMAIL PROTECTED]] [snip] I like to know how difficult it would be to have an existing application that uses openssl to be converted over to use the engine version openssl and the hardware accelerator functions. I cannot find any information on programming openssl with hardware accelerators. Any help would be appreciated. [snip]
I'm also in the process of rejigging mistakes in the 0.9.7-dev documentation (it wasn't adjusted to constification and ENGINEification changes for RSA/DSA/DH/etc...) and at the same time have a monster engine.pod in progress that I intend to include before the next 0.9.7 beta. That man page may sound terrifying (and no, I haven't split it out to provide API documentation per-function), but at least it'll be better than zero documentation. Hopefully. Failing that - take a read of engine.h (it's relatively well self-documented) and check out the source that Frederic suggested. Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED]
rsa GenerateKey in openssl engine
Hello everybody, We are implementing a new engine (based on openssl 0.9.6c) to use the RSA PKCS11 interface of our crypto hardware (Bull Trustway CC2000). We would like to access our C_GenerateKeyPair PKCS11 function through the openssl RSA_generate_key. So we are adding a new entry gen_key in the RSA method to call our trustway engine to do that. That way the genrsa command will call the hardware to generate rsa public/private key pair. Is it the good way? If yes, do you plan to add this functionality in the 0.9.7 release. Thanks and Regards afchine Bull Trustway R D [EMAIL PROTECTED]
Re: openssl openssl-engine
[EMAIL PROTECTED] wrote: I write from Italy, and I'd like to use openssl and I would want to know which differences are between openssl and openssl-engine. The openssl-engine version contains support for hardware crypto devices. You can use either version for regular SSL functionality. Paul Allen -- Boeing Phantom Works \ Paul L. Allen, (425) 865-3297 Math Computing Technology \ [EMAIL PROTECTED] POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group
openssl engine?
Hi, can anybody tell me the difference between openssl and openssl-engine. Couldn't find anything about that in the FAQ. I am not subscribed. Please give me a cc. Regards
Re: openssl engine?
At 20:33 12.10.2001 +0200, Helmut Heilig wrote: can anybody tell me the difference between openssl and openssl-engine. Couldn't find anything about that in the FAQ. See: http://www.openssl.org/support/faq.html [MISC] 6. What is an 'engine' version? Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 Phone/Fax: +49-89-636-47852 / 47655 E-Mail: [EMAIL PROTECTED]
RE: How I can use Cryptoswitf device with openssl engine 0.9.6 ?
Are you at OpenSSL engine 0.9.6 or 0.9.6b? There were some fixes to the engine code between 0.9.6 and 0.9.6b which will be relevant to you if you are on FreeBSD, AIX, or HP UX (particularly HP UX, but FreeBSD and AIX do require some extra options to be passed to config, at version 0.9.6, for the engine DSO code to work properly). I have some instructions which I can email you, but, due to the fixes I mentioned, I have slightly different versions of the instructions depending on whether you are using 0.9.6 or 0.9.6a/0.9.6b (the fixes got applied in 0.9.6a, so there is no change in what you need to do between 0.9.6a and 0.9.6b). You can also email our Technical Support in France ([EMAIL PROTECTED]) for assistance from someone in your own time zone in getting your CryptoSwift device working with OpenSSL. Lynn Gazis Rainbow Technologies
-Original Message- From: Patrick FRAIZ [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 22, 2001 3:10 AM To: [EMAIL PROTECTED] Subject: How I can use Cryptoswitf device with openssl engine 0.9.6 ?
Thanks, Patrick FRAIZ Phone 33 (0)1 55 63 42 28 Fax 33 (0)1 55 63 54 01 ADP-GSI 148, rue Anatole France 92688 Levallois-Perret Cedex - France
openssl-engine+cryptoswift
Hello, I would like to know if anybody has a patch for cryptoswift HSM with openssl-engine like load-private-key Thanks Bahram BASSIRI OMNICERTIS 3 bis rue cité Bergère 75009 Paris Tél direct + 33 1 44 83 88 25 Tél général + 33 1 44 83 88 10 Fax + 33 1 44 83 88 29 mailto:[EMAIL PROTECTED] http://www.omnicertis.net
Does openSSL-Engine offload both the Handshake and Bulk crypto tasks
Hi: Could you help me answer this question? I was not able to conclude one way or the other by browsing the source (crypto/engine/vendor-defns). Which piece of code would I look to see how the offload is performed? Thanks, ganesh. ___ Ganesh Venkatesan LAN Access Division/Platform Networking Group Intel Corp. M/S JF3-410 ' 503.264.0637 2111 NE 25th Avenue Fax 503.264.9903 Hillsboro, OR 97124-6497* [EMAIL PROTECTED]
AW: n-cipher does not work with openssl-engine-0.9.6a
Hello, after I grep the whole include/ssl directory in the source-tree I had found it. Thank you
Use chil instead of ncipher. The reason for this is that the interface used is called CHIL (C{something} Hardware Interface Library, IIRC, but nCipher folks will most probably have to correct me), which nCipher has tried to deploy as a standard interface for hardware access. -- -- Ralf Schwiete Dresdner Global IT Services Tel.: +49 69 263 52224 e-Mail: [EMAIL PROTECTED]
NT-build of OpenSSL engine 0.9.6a
Hi, I've stumbled over two problems with building the OpenSSL engine 0.9.6a for Windows-NT: 1) It automatically adds the advapi32-library to the libs. While this is probably fine when building a DLL, you'll get problems (duplicate symbols) when using a statically linked OpenSSL. Fix: remove it from the perl script in util/pl/VC_32.pl: 115c115 $ex =' '; --- $ex =' advapi32.lib'; 2) the file crypto/bio/b_print.c has a too naive view about the availability of 64-bit integral data types. It first has the rather good idea of letting bn.h decide whether 64-bit longs are supported (line 75), but if BN_LLONG is defined, it automatically assumes that "long long" is the correct type instead of special-casing for NT's __int64 (yuck!) like bn.h does. I don't know whether b_print.c actually needs the type to be signed, but if an unsigned will do, I'd suggest simply using the BN_ULLONG type. Anyone knows this ? If b_print.c insists on having a signed data type, what about not just defining BN_LLONG without a value, but with the value "long long" or, in the case of NT, with "__int64", so that b_print.c can use that one. Would there be any side effects ? Anyway it'd be nice if these problems would be fixed in an upcoming release... :-) cheers, Wolfgang -- Wolfgang Bachmann E-Mail: [EMAIL PROTECTED] ZOSO Forschungsges.m.b.H. Phone: (++43) 3127 20900 Friesachstrasse 15 Fax: (++43) 3127 20900-24 A-8114 Stuebing - Austria http://www.zoso.at
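Review bot: in the 115c115 hunk for util/pl/VC_32.pl the direction markers are missing in this copy, and the empty $ex =' '; comes first with $ex =' advapi32.lib'; second, so read as an ordinary diff it adds the library rather than removing it as the text says; confirm which line is the original before applying. The change also drops advapi32.lib for every VC_32 build, while the message reports duplicate symbols only with a statically linked OpenSSL, so consider making it conditional on the static case and leaving the DLL build as it is.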
Re: What is OpenSSL Engine ?
the engine is a design architecture to allow the use of hardware crypto devices On Thu, Mar 15, 2001 at 10:10:20AM -0500, Aslam wrote: Hi, What exactly is the difference between a OpenSSL and OpenSSL Engine ? Thanks Aslam -- Steven A. Bade AIX E-Commerce/Network Security Cryptographic Strategy and Development Architecture [EMAIL PROTECTED] T/L 678-4799 (512)-838-4799 -- To convert from Hogsheads to Cubic Feet - Multiply by 8.4219 "Two-way communication is necessary to proactively facilitate acceptance and involvement and to get insights about the journey it takes to get where we want"
RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Sol aris 2.7,CryptoSwift accelerator board
Thanks for the diagnostic program. With the delivery by Sun an other program called cstest located in /opt/SUNWconn/sunsecure/vts/bin. This program has other options, but finally returns similar output. csdiag showed that when running openssl speed rsa1024 -engine cswift, the card processed 1440 requests. During the test it comes up with an error :
# openssl speed rsa1024 -engine cswift
engine "cswift" set.
Doing 1024 bit private rsa's for 10s: RSA sign failure
17338:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
1 1024 bit private RSA's in 0.29s
Doing 1024 bit public rsa's for 10s: RSA verify failure
17338:error:26066072:engine routines:CSWIFT_MOD_EXP:request failed:hw_cswift.c:413:CryptoSwift error number is -10004
1 1024 bit public RSA's in 0.67s
OpenSSL 0.9.6 [engine] 24 Sep 2000
built on: Wed Feb 21 15:15:24 MET 2001
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
                  sign    verify    sign/s verify/s
rsa 1024 bits   0.2900s   0.6700s      3.4      1.5
For this problem I had opened another contact. When installing openssl and configuring Apache.1.3.17, all seems to be OK. Thanks to you all for the prompt support in trying to solve my problem. Best regards, Herman De Taeye Unisys Belgium.
-Original Message- From: lgazis [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 21, 2001 4:30 PM To: '[EMAIL PROTECTED]'; De Taeye, Herman Subject: RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Sol aris 2.7,CryptoSwift accelerator board
1) csdiag -a 0
2) Run your test.
3) csdiag -a 0
If the interrupts haven't gone up by more than a couple, then the card isn't being accessed (in which case, I'd suggest following John Airey's advice about SSL_EXPERIMENTAL and SSLCryptoDevice, or you can email [EMAIL PROTECTED] for help). Lynn Gazis
-Original Message- From: adrien mistretta [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 21, 2001 5:29 AM To: [EMAIL PROTECTED]; De Taeye, Herman Subject: Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
3. How can I really test that the board is used and not the internal engine? you can use the csdiag command to see if request are made to the crypto card, but I don't remember the option. Adrien
RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Sol aris 2.7,CryptoSwift accelerator board
There's a known issue with the openssl speed test when running the OpenSSL 0.9.6 engine version with Cryptoswift on Solaris; it will be addressed in a future release. The situation which is causing a routine in the speed test to be interrupted does not occur in Apache, so you should still be able to use Cryptoswift with Solaris, OpenSSL 0.9.6 engine version, and Apache without difficulty. Let me know if you have any further questions or issues. Lynn Gazis Rainbow Technologies -Original Message- From: De Taeye, Herman [mailto:[EMAIL PROTECTED]] Sent: Friday, February 23, 2001 6:30 AM To: 'lgazis'; '[EMAIL PROTECTED]'; De Taeye, Herman; Gyutani (E-mail) Subject: RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Sol aris 2.7,CryptoSwift accelerator board Thanks for the diagnostic program. With the delivery by Sun an other program called cstest located in /opt/SUNWconn/sunsecure/vts/bin. This program has other options, but finally returns similar output. csdiag showed that when running openssl speed rsa1024 -engine cswift, the card processed 1440 requests. During the test it comes up with an error : # openssl speed rsa1024 -engine cswift engine "cswift" set. 
Doing 1024 bit private rsa's for 10s: RSA sign failure
17338:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request failed:hw_cswift.c:524:CryptoSwift error number is -10004
1 1024 bit private RSA's in 0.29s
Doing 1024 bit public rsa's for 10s: RSA verify failure
17338:error:26066072:engine routines:CSWIFT_MOD_EXP:request failed:hw_cswift.c:413:CryptoSwift error number is -10004
1 1024 bit public RSA's in 0.67s
OpenSSL 0.9.6 [engine] 24 Sep 2000
built on: Wed Feb 21 15:15:24 MET 2001
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
                  sign    verify    sign/s verify/s
rsa 1024 bits   0.2900s   0.6700s      3.4      1.5
For this problem I had opened an other contact. When installing openssl and configuring Apache.1.3.17, all seems to be OK. Thanks to you all for the prompt support in trying to solve my problem. Best regards, Herman De Taeye Unisys Belgium.
-Original Message- From: lgazis [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 21, 2001 4:30 PM To: '[EMAIL PROTECTED]'; De Taeye, Herman Subject: RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Sol aris 2.7,CryptoSwift accelerator board
1) csdiag -a 0
2) Run your test.
3) csdiag -a 0
If the interrupts haven't gone up by more than a couple, then the card isn't being accessed (in which case, I'd suggest following John Airey's advice about SSL_EXPERIMENTAL and SSLCryptoDevice, or you can email [EMAIL PROTECTED] for help). Lynn Gazis
-Original Message- From: adrien mistretta [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 21, 2001 5:29 AM To: [EMAIL PROTECTED]; De Taeye, Herman Subject: Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
3. How can I really test that the board is used and not the internal engine? you can use the csdiag command to see if request are made to the crypto card, but I don't remember the option. Adrien
Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
3. How can I really test that the board is used and not the internal engine? you can use the csdiag command to see if request are made to the crypto card, but I don't remember the option. Adrien
RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
1) csdiag -a 0 2) Run your test. 3) csdiag -a 0 If the interrupts haven't gone up by more than a couple, then the card isn't being accessed (in which case, I'd suggest following John Airey's advice about SSL_EXPERIMENTAL and SSLCryptoDevice, or you can email [EMAIL PROTECTED] for help). Lynn Gazis -Original Message- From: adrien mistretta [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 21, 2001 5:29 AM To: [EMAIL PROTECTED]; De Taeye, Herman Subject: Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board 3. How can I really test that the board is used and not the internal engine? you can use the csdiag command to see if request are made to the crypto card, but I don't remember the option. Adrien
openssl-engine has some problem with profiling
Has anybody ever used profiling (CFLAGS=-pg) to analyze the amount of time spent in each routine in openssl? I tried it in openssl-engine-0.9.6. But the option -pg seemed to conflict with the option of -fomit-frame-pointer, so I got rid of the latter. But when I tried to do speed test (apps/openssl speed -engine cswift), it failed. The following is the error message:
can't use that engine
6653:error:25067066:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:157:
6653:error:25072066:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:230:
6653:error:26065068:engine routines:CSWIFT_INIT:DSO failure:hw_cswift.c:271:
6653:error:2607E06D:engine routines:ENGINE_SET_DEFAULT_TYPE:init failed:engine_lib.c:399:
error in speed
I'm using FreeBSD 4.1. I did add -DDSO_DLFCN -DHAVE_DLFCN_H when I did config, and there was no problem when I didn't use profiling. Only when I added -pg and got rid of -fomit-frame-pointer did this problem exist. Does anybody have such experience? Please give me some hint. Thanks a lot, Jennifer
using nCipher nFast w/ openssl-engine-0.9.6-beta2 ?
I've compiled and installed the latest Apache / mod_ssl and openssl-engine-0.9.6-beta2 on a solaris 7/sparc system. Everything works fine until I try to use the engine part, eg: OpenSSL speed -engine chil can't use that engine 29176:error:25067066:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:157: 29176:error:25072066:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:230: 29176:error:26088068:engine routines:HWCRHK_INIT:DSO failure:hw_ncipher.c:400: 29176:error:2607E06D:engine routines:ENGINE_SET_DEFAULT_TYPE:init failed:engine_lib.c:399: error in speed Are there any docs on getting this to work? I've got the software that came w/ the nCipher nFast card in /opt/nfast , and it is logging connections whenever I use the patched old version of OpenSSL it came with, but not for anything related to the openssl-engine stuff I've built. -pete
Re: using nCipher nFast w/ openssl-engine-0.9.6-beta2 ?
From: Peter Clark [EMAIL PROTECTED]

pclark> OpenSSL speed -engine chil
pclark> can't use that engine
pclark> 29176:error:25067066:DSO support routines:DLFCN_LOAD:could not load the
pclark> shared library:dso_dlfcn.c:157:
pclark> 29176:error:25072066:DSO support routines:DSO_load:could not load the shared
pclark> library:dso_lib.c:230:
pclark> 29176:error:26088068:engine routines:HWCRHK_INIT:DSO
pclark> failure:hw_ncipher.c:400:
pclark> 29176:error:2607E06D:engine routines:ENGINE_SET_DEFAULT_TYPE:init
pclark> failed:engine_lib.c:399:
pclark> error in speed

It attempts to load libhwcrhk.so, which is in /opt/tools/hwcrhk, if memory serves me right (I don't have a machine to look at for the moment). What you need to do is make sure that you have that directory as part of the value of the environment variable LD_LIBRARY_PATH.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: openssl engine version beta2 compilation problems
I've had the same problem and discovered the following patch: http://marc.theaimsgroup.com/?l=openssl-dev&m=96923042325868&w=2 The functions are loaded dynamically, so it is necessary to check whether they loaded or not (or your executable will crash on all machines which don't provide the NetStatisticsGet-Function). The patch above includes these tests which are missing in the plain beta2-tree. Additionally, I couldn't compile with VC60 because LMSTR was an unknown type. I had to replace these definitions by LPWSTR:
typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*);
typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);
Regards, David Maurus

Lin Geng wrote: However, the file rand_win.c compiles if you make the following changes:
1. comment out the two typedefs
typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LMSTR, LMSTR, DWORD, DWORD, LPBYTE*);
typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE);
2. add two defines
#define NETSTATGET FARPROC
#define NETFREE FARPROC
The build should go through.

David Maurus __ equinux Aktiengesellschaft Informationstechnologien Gabelsbergerstr. 30 80333 München - Germany Tel. 089/520465-0 Fax. 089/520465-299 mailto:[EMAIL PROTECTED] http://www.equinux.de MyJack - the innovative messaging system from equinux AG http://www.myjack.de
Problem compiling openssl engine beta2 on NT
I tried to compile on a Win32 platform openssl engine beta2, and the OpenSSL beta2, and I receive in both case this error:
cl /Fotmp32dll\rand_win.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN /Fdout32dll /GD -D_WINDLL -D_DLL -c .\crypto\rand\rand_win.c
rand_win.c
.\crypto\rand\rand_win.c(175) : error C2143: syntax error : missing ')' before '*'
.\crypto\rand\rand_win.c(175) : error C2143: syntax error : missing '{' before '*'
.\crypto\rand\rand_win.c(175) : error C2059: syntax error : ')'
.\crypto\rand\rand_win.c(175) : error C2059: syntax error : ';'
.\crypto\rand\rand_win.c(190) : error C2065: 'NETSTATGET' : undeclared identifier
.\crypto\rand\rand_win.c(190) : error C2146: syntax error : missing ';' before identifier 'netstatget'
.\crypto\rand\rand_win.c(190) : error C2065: 'netstatget' : undeclared identifier
.\crypto\rand\rand_win.c(191) : error C2275: 'NETFREE' : illegal use of this type as an expression
.\crypto\rand\rand_win.c(176) : see declaration of 'NETFREE'
.\crypto\rand\rand_win.c(191) : error C2146: syntax error : missing ';' before identifier 'netfree'
.\crypto\rand\rand_win.c(191) : error C2065: 'netfree' : undeclared identifier
.\crypto\rand\rand_win.c(201) : error C2146: syntax error : missing ';' before identifier 'GetProcAddress'
.\crypto\rand\rand_win.c(202) : warning C4047: '=' : 'int ' differs in levels of indirection from 'unsigned long (__stdcall *)(unsigned char *)'
.\crypto\rand\rand_win.c(209) : error C2063: 'netstatget' : not a function
.\crypto\rand\rand_win.c(212) : error C2063: 'netfree' : not a function
.\crypto\rand\rand_win.c(214) : error C2063: 'netstatget' : not a function
.\crypto\rand\rand_win.c(217) : error C2063: 'netfree' : not a function
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Is there a solution to this problem?
Thanks, ERIC
Re: Problem compiling openssl engine beta2 on NT
Try replacing LMSTR with LPWSTR in crypto/rand/rand_win.c

Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/