Test app

Re: Test app

OpenSSL itself contains all sorts of apps that do it.  openssl (or
openssl.exe) implements all the programs in the apps/ directory.
Also, 'make test' runs all the internal self-tests.

If you need to verify interoperability with something, figure out what
protocol it's using -- pkcs8, pkcs12, and pkcs7 handle PKCS-formatted
files of the various types, s_client connects to a TLS/SSL3/SSL2
server, s_server runs as a server to accept client connections, req
will generate a certificate signing request, x509 will parse X.509
certificates...

...and if you need to perform some kind of actual crypto test, check
the 'enc' manpage (if you're on Windows,
http://openssl.org/docs/apps/enc.html is a pointer to the HTMLized
version of the manpage for your perusal) for information on how to do
it.

All of the source code for these is in the apps/ subdirectory of the
source distribution.  You can use them as a basis for your own
routines.

-Kyle H

On Mon, Sep 1, 2008 at 3:43 AM, Nanavati, Sitanshu
<sitanshu.nanavati <at> intel.com> wrote:
> Hi all,
>
>
>
> I am looking for some real world app or test app that could be used to run
> with OpenSSL and check crypto functionality.  Please send me the
> pointers/URLs.  Thanks in advance.
>
>
>
> -Sitanshu
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Fix VIA Padlock RNG support ?

Hi Michal,
Hi OpenSSL developers,

as part of my work for VIA, I am trying to find out what we can do to
make sure the VIA Padlock RNG is activated by default.

I have read the comments in the source code, referring that the RNG is not used
the way that VIA recommends for secure applications.

I have also read the padlock programming guides from 
http://linux.via.com.tw/support/beginDownload.action?eleid=181&fid=261
and
http://linux.via.com.tw/support/beginDownload.action?eleid=181&fid=281

So from what I can tell, Michal Ludvig originally included RNG support in his
patch, but it was deactivated by the OpenSSL maintainers due to security
concerns.

Can somebody please indicate what exactly those concerns were?  I would be
willing to put in some of my own time to come up with a patch to address
the concerns, and then have that patch reviewed by OpenSSL guys, Michal as well
as the respective Padlock security expert inside VIA.

I also have a question about Michal's SHA1/224/256 patch at
http://marc.info/?l=openssl-dev&m=115243758508970&w=2

It never received any feedback on the list, and it wasn't merged into mainline
OpenSSL.  Was this simply lost?  Can I (or VIA) do anything to help this along?

Thanks in advance,
--

-- 
- Harald Welte <laforge <at> gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

bn_mul_add_words cpu intensive can we optimize it

RE: Building openssl-0.9.8h under HP-UX 11.11 using gcc 4.2.3

Re: Building openssl-0.9.8h under HP-UX 11.11 using gcc 4.2.3

Opessl-devel

[openssl.org #1737] [PATCH openssl 0.9.8g] s_client: add sieve starttls protocol support

s_client: add sieve starttls protocol support

Similar to SMTP, IMAP, etc the ManageSieve protocol has a method to
start TLS communications after an initial cleartext connection.  This
patch adds support for that protocol to the s_client application.

---

 apps/s_client.c       |   31 +++++++++++++++++++++++++++++--
 doc/apps/s_client.pod |    3 +--
 2 files changed, 30 insertions(+), 4 deletions(-)

diff -up openssl-0.9.8g/apps/s_client.c.orig openssl-0.9.8g/apps/s_client.c
--- openssl-0.9.8g/apps/s_client.c.orig	2008-09-02 15:35:02.000000000 -0400
+++ openssl-0.9.8g/apps/s_client.c	2008-09-02 18:26:12.000000000 -0400
 <at>  <at>  -229,7 +229,8  <at>  <at>  static void sc_usage(void)
 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
-	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n");
+	BIO_printf(bio_err,"                 only \"smtp\", \"pop3\", \"imap\", \"ftp\", and \"sieve\"\n");
+	BIO_printf(bio_err,"                 are supported.\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
 <at>  <at>  -270,7 +271,8  <at>  <at>  enum
 	PROTO_SMTP,
 	PROTO_POP3,
 	PROTO_IMAP,
-	PROTO_FTP
+	PROTO_FTP,
+	PROTO_SIEVE
 };

 int MAIN(int, char **);
 <at>  <at>  -537,6 +539,8  <at>  <at>  int MAIN(int argc, char **argv)
 				starttls_proto = PROTO_IMAP;
 			else if (strcmp(*argv,"ftp") == 0)
 				starttls_proto = PROTO_FTP;
+			else if (strcmp(*argv,"sieve") == 0)
+				starttls_proto = PROTO_SIEVE;
 			else
 				goto bad;
 			}
 <at>  <at>  -933,6 +937,29  <at>  <at>  re_start:
 		BIO_printf(sbio,"AUTH TLS\r\n");
 		BIO_read(sbio,sbuf,BUFSIZZ);
 		}
+	else if (starttls_proto == PROTO_SIEVE)
+		{
+		int foundit=0;
+		BIO *fbio = BIO_new(BIO_f_buffer());
+		BIO_push(fbio, sbio);
+		/* wait for multi-line CAPABILITY response */
+		do
+			{
+			mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+			if (strstr(mbuf,"\"STARTTLS\""))
+				foundit=1;
+			}
+		while (mbuf_len>4 && strncmp(mbuf, "OK", 2));
+		(void)BIO_flush(fbio);
+		BIO_pop(fbio);
+		BIO_free(fbio);
+		if (!foundit)
+			BIO_printf(bio_err,
+				   "didn't found STARTTLS in server response,"
+				   " try anyway...\n");
+		BIO_printf(sbio,"STARTTLS\r\n");
+		BIO_read(sbio,sbuf,BUFSIZZ);
+		}

 	for (;;)
 		{
diff -up openssl-0.9.8g/doc/apps/s_client.pod.orig openssl-0.9.8g/doc/apps/s_client.pod
--- openssl-0.9.8g/doc/apps/s_client.pod.orig	2008-09-02 15:35:02.000000000 -0400
+++ openssl-0.9.8g/doc/apps/s_client.pod	2008-09-02 15:35:07.000000000 -0400
 <at>  <at>  -188,7 +188,7  <at>  <at>  command for more information.

 send the protocol-specific message(s) to switch to TLS for communication.
 B<protocol> is a keyword for the intended protocol.  Currently, the only
-supported keywords are "smtp", "pop3", "imap", and "ftp".
+supported keywords are "smtp", "pop3", "imap", "ftp", and "sieve".

 =item B<-tlsextdebug>

--

-- 
John W. Linville
linville <at> tuxdriver.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

[openssl.org #1738] New feature request

In openssl/ssl/ssl_sess.c, ssl_get_new_session function

These  is a callback function to set session ID after session object is initialized. It's is a very good
feature but currently only applied to server side.
If a client want to reuse a session ID in a cross process scenario (which means session object can't be
reused), a callback to set session id for client will be very nice.  

int ssl_get_new_session(SSL *s, int session)
......
	if (session)
		{
.......
 		/* Choose which callback will set the session ID */
		CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
		if(s->generate_session_id)
			cb = s->generate_session_id;
		else if(s->ctx->generate_session_id)
			cb = s->ctx->generate_session_id;
.......

Best Regards,

James Ding
_________________________________________________________________

[openssl.org #1739] [PATCH] [openssl 0.9.8c] Using a private key in an engine to timestamp.

2008/5/12 Isaias Punktin:
 > Hi all.
 >
 > I have been reading the code of openssl/apps/ts.c and there is no
 > possible for the TSA to sign using a private key stored in a
 > token/SmartCard/engine. I think this is interesting because it makes
 > possible to make a TSA compliant with RFC 3628 ("Requirements for
 > Time-Stamping Authorities"). Is somebody working on this?
 >
 > Thanks for all.
 >
 > Punkto
 >

I have been looking for a solution for the problem about using ts with 
private keys placed into engines. I have made a patch for ts, in the 
bottom of this mail, that solves the problem for me.

You can see that I had to create a new option called "keyform" where the 
user selects a PEM key or an ENGINE key. I use load_key function in 
order to load the private key wherever it is.

With this patch there is no need to change any application that uses ts 
because the key format is PEM if the option is not specified. The id of 
the engine can be written in the same formats that OpenSSL uses. So, in 
my tests i use commands like this:

ts -config CAtsa.cnf -reply -section tsa_config1 -queryfile req.tsq -out 
res.tsr -engine pkcs11 -keyform ENGINE -inkey id_50

Please, can you see if this patch can be added to OpenSSL source? Maybe 
you don't have any SmartCards to play with and make tests. But, at 
least, you can check using the tests you have in order to see if ts 
works well with no engines using this patch.

As you can see below, I have only changed ts.c. The diff was applied 
OpenSSL patched with OpenTSA. I know that OpenTSA is included in OpenSSL 
0.9.9, should i submit the patch against that version?

Thanks in advance.

Jorge Muñoz

--- ./ts.c.orig 2008-07-18 16:05:17.000000000 +0200
+++ ./ts.c      2008-07-21 12:44:09.000000000 +0200
 <at>  <at>  -93,13 +93,13  <at>  <at> 
static ASN1_INTEGER *create_nonce(int bits);

/* Reply related functions. */
-static int reply_command(CONF *conf, char *section, char *engine,
+static int reply_command(CONF *conf, char *section, char *engine, int 
keyform,
                     char *queryfile, char *passin, char *inkey,
                     char *signer, char *chain, const char *policy,
                     char *in, int token_in, char *out, int token_out,
                     int text);
static TS_RESP *read_PKCS7(BIO *in_bio);
-static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine,
+static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine, int keyform,
                            char *queryfile, char *passin, char *inkey,
                            char *signer, char *chain, const char *policy);
static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
 <at>  <at>  -348,7 +348,7  <at>  <at> 
                    if (ret) goto usage;
                    }

-               ret = !reply_command(conf, section, engine, queryfile,
+               ret = !reply_command(conf, section, engine, keyform, 
queryfile,
                                 password, inkey, signer, chain, policy,
                                 in, token_in, out, token_out, text);
            break;
 <at>  <at>  -670,7 +670,7  <at>  <at> 
* Reply-related method definitions.
*/

-static int reply_command(CONF *conf, char *section, char *engine,
+static int reply_command(CONF *conf, char *section, char *engine, int 
keyform,
                     char *queryfile, char *passin, char *inkey,
                     char *signer, char *chain, const char *policy,
                     char *in, int token_in,
 <at>  <at>  -702,7 +702,7  <at>  <at> 
            }
    else
            {
-               response = create_response(conf, section, engine, 
queryfile,
+               response = create_response(conf, section, engine, 
keyform, queryfile,
                                       passin, inkey, signer, chain,
                                       policy);
            if (response)
 <at>  <at>  -797,7 +797,7  <at>  <at> 
    return resp;
    }

-static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine,
+static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine, int keyform,
                            char *queryfile, char *passin, char *inkey,
                            char *signer, char *chain, const char *policy)
    {
 <at>  <at>  -805,6 +805,8  <at>  <at> 
    TS_RESP *response = NULL;
    BIO *query_bio = NULL;
    TS_RESP_CTX *resp_ctx = NULL;
+       EVP_PKEY *sigkey = NULL;
+       ENGINE *e = NULL;

    if (!(query_bio = BIO_new_file(queryfile, "rb")))
            goto end;
 <at>  <at>  -829,8 +831,26  <at>  <at> 
    if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) goto end;

    /* Setting TSA signer private key. */
-       if (!TS_CONF_set_signer_key(conf, section, inkey, passin, 
resp_ctx))
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
+       if (!inkey)
+               inkey = NCONF_get_string(conf, section, "signer_key");
+       if (!inkey)
+       {
+               BIO_printf(bio_err, "variable lookup failed for 
section::signer_key\n");
+               goto end;
+       }
+
+
+       sigkey = load_key(bio_err, inkey, keyform, 0, passin, e, "key 
file");
+       if (!sigkey)
+       {
+               /* load_key() has already printed an appropriate message */
            goto end;
+       }
+       if (!TS_RESP_CTX_set_signer_key(resp_ctx, sigkey)) goto end;
+

    /* Setting default policy OID. */
    if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end;
 <at>  <at>  -869,6 +889,7  <at>  <at> 
            response = NULL;
            }
    TS_RESP_CTX_free(resp_ctx);
+       EVP_PKEY_free(sigkey);
    BIO_free_all(query_bio);

    return response;

-- 

Jorge Muñoz Castañer

e-mail: jorgem(en)det.uvigo.es

Departamento de Ingeniería Telemática

Universidad de Vigo

ETSI Telecomunicación
Campus 36310 Vigo SPAIN 

Jorge Muñoz Castañer escribió:
> Hi, list
>
> 2008/5/12 Isaias Punktin:
> > Hi all.
> >
> > I have been reading the code of openssl/apps/ts.c and there is no
> > possible for the TSA to sign using a private key stored in a
> > token/SmartCard/engine. I think this is interesting because it makes
> > possible to make a TSA compliant with RFC 3628 ("Requirements for
> > Time-Stamping Authorities"). Is somebody working on this?
> >
> > Thanks for all.
> >
> > Punkto
> >
>
> I have been looking for a solution for the problem about using ts with 
> private keys placed into engines. I have made a patch for ts, in the 
> bottom of this mail, that solves the problem for me.
>
> You can see that I had to create a new option called "keyform" where 
> the user selects a PEM key or an ENGINE key. I use load_key function 
> in order to load the private key wherever it is.
>
> With this patch there is no need to change any application that uses 
> ts because the key format is PEM if the option is not specified. The 
> id of the engine can be written in the same formats that OpenSSL uses. 
> So, in my tests i use commands like this:
>
> ts -config CAtsa.cnf -reply -section tsa_config1 -queryfile req.tsq 
> -out res.tsr -engine pkcs11 -keyform ENGINE -inkey id_50
>
>
> Please, can you see if this patch can be added to OpenSSL source? 
> Maybe you don't have any SmartCards to play with and make tests. But, 
> at least, you can check using the tests you have in order to see if ts 
> works well with no engines using this patch.
>
>
> Thanks in advance.
>
> Jorge Muñoz
>
> PS: As you can see, I have only changed ts.c. The diff was applied to 
> the OpenTSA patch for OpenSSL version 0.9.8c.
Mmm not really. The patch has been applied to OpenSSL patched with OpenTSA.

--- ./ts.c.orig 2008-07-18 16:05:17.000000000 +0200
+++ ./ts.c      2008-07-21 12:44:09.000000000 +0200
 <at>  <at>  -93,13 +93,13  <at>  <at> 
static ASN1_INTEGER *create_nonce(int bits);

/* Reply related functions. */
-static int reply_command(CONF *conf, char *section, char *engine,
+static int reply_command(CONF *conf, char *section, char *engine, int 
keyform,
                      char *queryfile, char *passin, char *inkey,
                      char *signer, char *chain, const char *policy,
                      char *in, int token_in, char *out, int token_out,
                      int text);
static TS_RESP *read_PKCS7(BIO *in_bio);
-static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine,
+static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine, int keyform,
                             char *queryfile, char *passin, char *inkey,
                             char *signer, char *chain, const char *policy);
static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data);
 <at>  <at>  -348,7 +348,7  <at>  <at> 
                     if (ret) goto usage;
                     }

-               ret = !reply_command(conf, section, engine, queryfile,
+               ret = !reply_command(conf, section, engine, keyform, 
queryfile,
                                  password, inkey, signer, chain, policy,
                                  in, token_in, out, token_out, text);
             break;
 <at>  <at>  -670,7 +670,7  <at>  <at> 
* Reply-related method definitions.
*/

-static int reply_command(CONF *conf, char *section, char *engine,
+static int reply_command(CONF *conf, char *section, char *engine, int 
keyform,
                      char *queryfile, char *passin, char *inkey,
                      char *signer, char *chain, const char *policy,
                      char *in, int token_in,
 <at>  <at>  -702,7 +702,7  <at>  <at> 
             }
     else
             {
-               response = create_response(conf, section, engine, queryfile,
+               response = create_response(conf, section, engine, 
keyform, queryfile,
                                        passin, inkey, signer, chain,
                                        policy);
             if (response)
 <at>  <at>  -797,7 +797,7  <at>  <at> 
     return resp;
     }

-static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine,
+static TS_RESP *create_response(CONF *conf, const char *section, char 
*engine, int keyform,
                             char *queryfile, char *passin, char *inkey,
                             char *signer, char *chain, const char *policy)
     {
 <at>  <at>  -805,6 +805,8  <at>  <at> 
     TS_RESP *response = NULL;
     BIO *query_bio = NULL;
     TS_RESP_CTX *resp_ctx = NULL;
+       EVP_PKEY *sigkey = NULL;
+       ENGINE *e = NULL;

     if (!(query_bio = BIO_new_file(queryfile, "rb")))
             goto end;
 <at>  <at>  -829,8 +831,26  <at>  <at> 
     if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) goto end;

     /* Setting TSA signer private key. */
-       if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
+#ifndef OPENSSL_NO_ENGINE
+        e = setup_engine(bio_err, engine, 0);
+#endif
+       if (!inkey)
+               inkey = NCONF_get_string(conf, section, "signer_key");
+       if (!inkey)
+       {
+               BIO_printf(bio_err, "variable lookup failed for 
section::signer_key\n");
+               goto end;
+       }
+
+
+       sigkey = load_key(bio_err, inkey, keyform, 0, passin, e, "key 
file");
+       if (!sigkey)
+       {
+               /* load_key() has already printed an appropriate message */
             goto end;
+       }
+       if (!TS_RESP_CTX_set_signer_key(resp_ctx, sigkey)) goto end;
+

     /* Setting default policy OID. */
     if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) goto end;
 <at>  <at>  -869,6 +889,7  <at>  <at> 
             response = NULL;
             }
     TS_RESP_CTX_free(resp_ctx);
+       EVP_PKEY_free(sigkey);
     BIO_free_all(query_bio);

     return response;

--

-- 

Jorge Muñoz Castañer

e-mail: jorgem(en)det.uvigo.es

Departamento de Ingeniería Telemática

Universidad de Vigo

ETSI Telecomunicación
Campus 36310 Vigo SPAIN