Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations. I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here. For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.) In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well. If I understand you correctly, you wish to alter the FIPS canister to offload time-consuming operations to hardware acceleration. If this understanding is correct, I must regretfully inform you that it cannot legitimately be done. Oh, sure, you can technically do it -- but it would be a modification of the black box, and require a new validation. (I don't believe that such an implementation could in fact be validated, though I could be wrong. I am not an expert. But even if it can be, it cannot be validated with a private-label validation and would cost upwards of $200,000 to validate.) Remember, the FIPS canister *as written* is the only way to legitimately have FIPS mode from OpenSSL. Once FIPS mode is set, only cryptographic operations which are provided by the FIPS canister can be performed, and only by the unmodified code within the FIPS canister. It cannot be offloaded, because the FIPS canister cannot be modified to perform the offloading. Also, by offloading, you change the boundaries of the cryptographic provider to include additional, unverified, and quite possibly incorrect functionality. To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it. You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too. Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly. -Kyle H Both posts looks similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot. Regards Jayalakshmi smime.p7s Description: S/MIME Cryptographic Signature
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 7/6/2014 10:44 AM, Kyle Hamilton wrote: On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations. I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here. For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.) (In the case of OpenSSL, this actually wins you very little). Let me try to approach this from a different angle. LEGALLY: If you have the luxury of having more than one FIPS validated device available to you, you probably (ask a lawyer to be absolutely sure), can use all of them together. However to claim FIPS compliance of the resulting application, you must not do any cryptography outside those devices, and it must be impossible for the FIPS-mode variant of your application to fall back to any non-validated implementations in case of errors etc. Additionally you may or may not (really ask a lawyer) be legally (not technically) required to treat any keys, passwords etc. handed from one device to another AS IF those keys were traveling over an insecure connection even though they never leave your process address space on an EAL-whatever-level certified operating system on an EAL-whatever-level certified computer. TECHNICALLY: If you want to combine the use of multiple FIPS validated devices, one of which happens to be the OpenSSL FIPS cannister, and another one a piece of hardware accessed using an OpenSSL Engine, it is an open technical question if the FIPS-enabled OpenSSL (which is legally outside both devices and /can/ be changed) will correctly combine use of the OpenSSL FIPS canister with the ENGINE for accessing the hardware device, or if it will somehow fail to do so. For instance I am unsure what happens if the ENGINE plugin for the FIPS validated hardware device calls back to OpenSSL for cryptographic operations outside the scope of that device (it might do that because that piece of hardware is also used outside USGov and the ENGINE code was written for that case). Will OpenSSL pass the calls to the FIPS canister (if in FIPS mode) or use the non-validated software implementations? I am also unsure if the FIPS-enabled OpenSSL library allows use of Engines when (runtime) configured in FIPS mode? Finally /if/ it is legally required to go through additional gymnastics when transporting parameters from one FIPS device to another, I am unsure if the FIPS-enabled OpenSSL library will do so when the transport is internal to OpenSSL and its ENGINE plugins. To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it. You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too. Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly. -Kyle H Both posts looks similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot. Regards Jayalakshmi Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing List
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Kyle, Thanks a lot for detailed explaination, it helped me lots. Regards Jayalakshmi On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton aerow...@gmail.com wrote: On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations. I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here. For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.) In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well. If I understand you correctly, you wish to alter the FIPS canister to offload time-consuming operations to hardware acceleration. If this understanding is correct, I must regretfully inform you that it cannot legitimately be done. Oh, sure, you can technically do it -- but it would be a modification of the black box, and require a new validation. (I don't believe that such an implementation could in fact be validated, though I could be wrong. I am not an expert. But even if it can be, it cannot be validated with a private-label validation and would cost upwards of $200,000 to validate.) Remember, the FIPS canister *as written* is the only way to legitimately have FIPS mode from OpenSSL. Once FIPS mode is set, only cryptographic operations which are provided by the FIPS canister can be performed, and only by the unmodified code within the FIPS canister. It cannot be offloaded, because the FIPS canister cannot be modified to perform the offloading. Also, by offloading, you change the boundaries of the cryptographic provider to include additional, unverified, and quite possibly incorrect functionality. To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it. You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too. Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly. -Kyle H Both posts looks similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot. Regards Jayalakshmi
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Jakob, Thank you very much for detailed and helpful explanation. Regards Jayalakshmi On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm jb-open...@wisemo.com wrote: On 7/6/2014 10:44 AM, Kyle Hamilton wrote: On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote: Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations. I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here. For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.) (In the case of OpenSSL, this actually wins you very little). Let me try to approach this from a different angle. LEGALLY: If you have the luxury of having more than one FIPS validated device available to you, you probably (ask a lawyer to be absolutely sure), can use all of them together. However to claim FIPS compliance of the resulting application, you must not do any cryptography outside those devices, and it must be impossible for the FIPS-mode variant of your application to fall back to any non-validated implementations in case of errors etc. Additionally you may or may not (really ask a lawyer) be legally (not technically) required to treat any keys, passwords etc. handed from one device to another AS IF those keys were traveling over an insecure connection even though they never leave your process address space on an EAL-whatever-level certified operating system on an EAL-whatever-level certified computer. TECHNICALLY: If you want to combine the use of multiple FIPS validated devices, one of which happens to be the OpenSSL FIPS cannister, and another one a piece of hardware accessed using an OpenSSL Engine, it is an open technical question if the FIPS-enabled OpenSSL (which is legally outside both devices and /can/ be changed) will correctly combine use of the OpenSSL FIPS canister with the ENGINE for accessing the hardware device, or if it will somehow fail to do so. For instance I am unsure what happens if the ENGINE plugin for the FIPS validated hardware device calls back to OpenSSL for cryptographic operations outside the scope of that device (it might do that because that piece of hardware is also used outside USGov and the ENGINE code was written for that case). Will OpenSSL pass the calls to the FIPS canister (if in FIPS mode) or use the non-validated software implementations? I am also unsure if the FIPS-enabled OpenSSL library allows use of Engines when (runtime) configured in FIPS mode? Finally /if/ it is legally required to go through additional gymnastics when transporting parameters from one FIPS device to another, I am unsure if the FIPS-enabled OpenSSL library will do so when the transport is internal to OpenSSL and its ENGINE plugins. To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it. You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too. Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly. -Kyle H Both posts looks similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot. Regards Jayalakshmi Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors.
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On 07/05/2014 02:09 AM, Jayalakshmi bhat wrote: Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. I welcome all valuable inputs. First, please don't cross post to both lists. The openssl-users list would suffice. You've more or less asked this question already. The OpenSSL FIPS Object Module source code is available under an open source license, so subject to the very liberal terms of that license you can hack that code to your hearts content. However... The FIPS 140-2 Level 1 validation of that module (certificate #1747) is a different thing entirely. The instant you touch the code that validation no longer applies. The code without the validation is worthless (it does nothing regular OpenSSL doesn't do better, faster, more securely). A new validation will be necessary. You will find such a validation a significant challenge even without the source code mods you contemplate. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL engine support in OpenSSL FIPS Object Module
On Sat, Jul 05, 2014, Jayalakshmi bhat wrote: Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. If you literally mean adding ENGINE support to the OpenSSL FIPS Object module then you can but it would IMHO be a pointless exercise. The ENGINE code was stripped out to keep the number of dependencies down in the module. If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need to as ENGINE support is already there. I suggest you explain exactly what you want to do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Steve, Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations. In my previous post related to TPM like how to deal with Non-FIPS compliant TPM chips, does it need any change in FIPS module size etc? In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well. Both posts looks similar. I apologize I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot. Regards Jayalakshmi On Sat, Jul 5, 2014 at 10:46 PM, Dr. Stephen Henson st...@openssl.org wrote: On Sat, Jul 05, 2014, Jayalakshmi bhat wrote: Hi All, We want to support a hardware accelerator on our device. We are using OpenSSL with OpenSSL FIPS Object module. I wanted to know if we can add engine support in OpenSSL FIPS Object module. If you literally mean adding ENGINE support to the OpenSSL FIPS Object module then you can but it would IMHO be a pointless exercise. The ENGINE code was stripped out to keep the number of dependencies down in the module. If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need to as ENGINE support is already there. I suggest you explain exactly what you want to do. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl Engine for Utimaco CryptoServer
Ralf Hornik Mailings r...@best.homeunix.org wrote: [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so [Failure]: MODULE_PATH:/opt/cserver/lib/libcs2_pkcs11.so 7104:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134: 7104:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid What does INT_CTRL_HELPER:invalid cmd name mean? As mentioned in documentation the cmd_name has to be set to SO_PATH. So cmd_name set to MODULE_NAME will always fail. Is that a bug? Regards Ralf __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Openssl Engine Performance Benchmarks
Is it openssl speed -evp aes-128-cbc -engine xx -elapsed or openssl speed -evp aes-128-cbc -engine xx It depends what you want to measure. I have seen examples with both of them on the internet and I get different results with each of them. What exactly does elapsed option add here? -elapsedmeasure time in real time instead of CPU user time. So, do you want to know which one is faster or which one uses less CPU? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl Engine Performance Benchmarks
On Tuesday 31 March 2009 23:16:10 Shasi Thati wrote: Hi, I have a question regarding the openssl speed command. When I use this command to test the crypto offload engine performance what is the right command to use? Is it openssl speed -evp aes-128-cbc -engine xx -elapsed or openssl speed -evp aes-128-cbc -engine xx I have seen examples with both of them on the internet and I get different results with each of them. What exactly does elapsed option add here? It means elapsed. :-) Ie. how much time elapsed during the benchmark. The normal measurement is cpu usage, which is something less than or equal to the elapsed time - if the benchmark used half the available cpu cycles during the elapsed period (according to scheduler stats, accurate or otherwise), the time given would be half the elapsed time. The usefulness of using cpu-time (instead of -elapsed) is to eliminate; (a) skewed statistics due to the system running other tasks while the benchmark was in progress (ie. you're only billed for what you use), and (b) to eliminate time the s/w (and driver) spent waiting for the crypto accelerator to respond to crypto operations. The value of (b) is to interpolate certain theoretical limits. Ie. if 80% of the time is spent waiting on the accelerator, the cpu-time for the benchmark run would be 1/5 of the elapsed time and so the calculated number of crypto ops per second would be 5 times what actually happened in real/elapsed time. If the latency of the accelerator is roughly constant but it can process multiple things at once due to having multiple execution units, then this inflated number is a useful estimate of how much you could theoretically process if you had multiple threads/processes keeping the cpu busy rather than waiting. In this example you'd need at least 5 threads to achieve such a performance level. (Which also assumes the accelerator performance would continue to scale up that far.) Cheers, Geoff -- Un terrien, c'est un singe avec des clefs de char... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl Engine calling code (soft pkcs11) also written in openssl conflict
Christopher Nebergall wrote: I've been working with some patches to curl I found on the curl mailing list to support openssl and opensc's engine_pkcs11. Basically it consists of Curl 7.14 + patch which adds dynamic engine support - opensc-20050826 [engine_pkcs11.so] - soft-pkcs11 1.2 on Ubuntu Linux (5.04) Kernel 2.6.10-5-386 actually the openssl version would be more interesting The problem is that engine_pkcs11 from opensc registers custom rsa functions for its purposes. They dlopen a pkcs11 library in my case soft-pkcs11 which is also implemented using openssl. The problem is that the soft token seems to be calling the rsa functions registered by opensc and not the original versions. I need some advice or background on overriding crypto implementations to figure out how to make soft-pkcs11 not inherit the opensc's overridden functions. you could use RSA_set_method with RSA_PKCS1_SSLeay for example I would have thought since soft-pkcs11 was dlopened that this wouldn't have inherited the modified functions. the default engine is a global parameter Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Openssl Engine
In message [EMAIL PROTECTED] on Tue, 24 Sep 2002 14:55:53 +0200, Michiels Olivier [EMAIL PROTECTED] said: olivier.michiels Hi, olivier.michiels Currently I've an application that creates keys, certificate requests olivier.michiels and certificates using NFast and openssl-0.9.5. olivier.michiels I've updated my code to use the openssl-engine. olivier.michiels Everything works perferctly with some modifications. olivier.michiels Now, I would like to use the ENGINE concept with my NFast. olivier.michiels I've already understood that the identifier of my ENGINE is chil and olivier.michiels I've wrote some code to test if I can have a new pointer to a ENGINE olivier.michiels structure. olivier.michiels What I would like to know is how to use this ENGINE pointer with my olivier.michiels existing code, for example, what are the commands available for the olivier.michiels NFAST. I've tried this little code but it doesn't work. olivier.michiels olivier.michiels #include openssl/engine.h olivier.michiels #include openssl/bio.h olivier.michiels olivier.michiels int main(int argc,char* argv[]) olivier.michiels { olivier.michiels ENGINE *e; olivier.michiels BIO *err; olivier.michiels It would be a good thing to insert a call to ERR_load_crypto_strings() here, so the errors get displayed with humanly readable reasons instead of all those numbers. olivier.michiels ENGINE_load_builtin_engines(); olivier.michiels if ((e = ENGINE_by_id(argv[1])) == NULL) olivier.michiels { olivier.michiels fprintf(stderr,Error for: %s\n,argv[1]); olivier.michiels return -1; olivier.michiels } olivier.michiels olivier.michiels err = BIO_new_fp(stderr,BIO_NOCLOSE); olivier.michiels if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) olivier.michiels { olivier.michiels BIO_printf(err,can't use that engine\n); olivier.michiels ERR_print_errors(err); olivier.michiels ENGINE_free(e); olivier.michiels return -1; olivier.michiels } olivier.michiels BIO_printf(err,engine \%s\ set.\n, ENGINE_get_id(e)); olivier.michiels olivier.michiels olivier.michiels if (ENGINE_ctrl_cmd_string(e,get_passphrase,Password:,0) == 0) olivier.michiels { olivier.michiels ERR_print_errors(err); olivier.michiels ENGINE_free(e); olivier.michiels return -1; olivier.michiels } And exactly what was that supposed to accomplish? olivier.michiels olivier.michiels /* Free our structural reference. */ olivier.michiels ENGINE_free(e); olivier.michiels olivier.michiels return 0; olivier.michiels } olivier.michiels olivier.michiels The output is has follows: olivier.michiels engine chil set. olivier.michiels 25983:error:260AC089:engine routines:func(172):reason(137):eng_ctrl.c:136: olivier.michiels 25983:error:260AB089:engine routines:func(171):reason(137):eng_ctrl.c:314: olivier.michiels olivier.michiels I need to ask passwords in order to have my NFast working. olivier.michiels How can I do that ? No, you don't need to ask for passwords at the OpenSSL level. They will be prompted for automatically when needed. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RE : openssl engine use
Hey there, On Thu, 25 Jul 2002, Frederic DONNAT wrote: A sample of programming with engine is mod-ssl (initialize ENGINE before everything else). You can also see apps directory of OpenSSL s_client, s_server ... files Be also carefull between openssl-engine-0.9.6x and openssl-0.9.7 there is some diff for engine use. [snip] -Message d'origine- De : Rob McMonigal [mailto:[EMAIL PROTECTED]] [snip] I like to know how difficult it would be to have an existing application that uses openssl to be converted over to use the engine version openssl and the hardware accelerator functions. I cannot find any information on programming openssl with hardware accelerators. Any help would be appreciated. [snip] I'm also in the process of rejigging mistakes in the 0.9.7-dev documentation (it wasn't adjusted to constification and ENGINEification changes for RSA/DSA/DH/etc...) and at the same time have a monster engine.pod in progress that I intend to include before the next 0.9.7 beta. That man page may sound terrifying (and no, I haven't split it out to provide API documentation per-function), but at least it'll be better than zero documentation. Hopefully. Failing that - take a read of engine.h (it's relatively well self-documented) and check out the source that Frederic suggested. Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl engine?
At 20:33 12.10.2001 +0200, Helmut Heilig wrote: can anybody tell me the difference between openssl and openssl-engine. Couldn't find anything about that in the FAQ. See: http://www.openssl.org/support/faq.html [MISC] 6. What is an 'engine' version? Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 Phone/Fax: +49-89-636-47852 / 47655 E-Mail: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl engine version beta2 compilation problems
I've had the same problem and discovered the following patch: http://marc.theaimsgroup.com/?l=openssl-devm=96923042325868w=2 The functions are loaded dynamically, so it is necessary to check whether they loaded or not (or your executable will crash on all machines which don't provide the NetStatisticsGet-Function). The patch above includes theses tests which are missing in the plain beta2-tree. Additionally, I couldn't compile with VC60 because LMSTR was an unknown type. I had to replace these definitions by LPWSTR: typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LPWSTR, LPWSTR, DWORD, DWORD, LPBYTE*); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); Regards, David Maurus Lin Geng wrote: However, the file rand_win.c compiles if you make the following changes: 1. comment out the two typedefs typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LMSTR, LMSTR, DWORD, DWORD, LPBYTE*); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); 2. add two defines #define NETSTATGET FARPROC #define NETFREE FARPROC The build should go through. David Maurus __ equinux Aktiengesellschaft Informationstechnologien Gabelsbergerstr. 30 80333 München - Germany Tel. 089/520465-0 Fax. 089/520465-299 mailto:[EMAIL PROTECTED] http://www.equinux.de MyJack - Das innovative Messagingsystem der equinux AG http://www.myjack.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]