Re: [Openca-Users] Which Version ?

[Xavier M. <xav...@li...>]

Massimiliano Pala wrote:
> 
> Xavier Maysonnave wrote:
> >
> > Hello All,
> 
> Hi,
> 
> > I try to evaluate OpenCA but I have several problems.
> > I have read some posts and I need to ask some questions.
> 
> Let us know... :-D
> 
> [openssl version]
> > But this is a problem as I run apache 1.3.20 who need
> > mod_ssl-2.8.4-1.3.20, this configuration can't run with the openssl
> > available on the openca ftp site.
> 
> You could simply do the following:
> 
>         o download the 0.9.6a.tar.gz from openssl
>         o compile and install it
>         o compile the mod_ssl and apache
>         o download the SNAP version of OpenSSL
>         o compile and install it

It is exactly my configuration and In that configuration apache work
very well.
Apache doesn't want to run If I use the openssl version available on the
openca ftp site under the tools directory. Here is the my current
libcrypto files.

-rw-r--r--    1 root     root      1583298 Jun 28 17:12
/usr/lib/libcrypto.a
lrwxrwxrwx    1 root     root           14 Jun 28 17:12
/usr/lib/libcrypto.so -> libcrypto.so.0
lrwxrwxrwx    1 root     root           18 Jun 28 17:12
/usr/lib/libcrypto.so.0 -> libcrypto.so.0.9.7
-rw-r--r--    1 root     root       900968 Jun 27 11:42
/usr/lib/libcrypto.so.0.9.6
-r-xr-xr-x    1 root     root      1087160 Jun 28 17:12
/usr/lib/libcrypto.so.0.9.7

> 
> This should be fine for you. Let me know. Check after all this that the
> openssl command is the SNAP one, try:
> 
>         $ openssl
>         OpenSSL> version
> 
> the result should not be 0.9.6a.

it is correct 

OpenSSL 0.9.7-dev 24 Sep 2000 

notice the strange date.

-rw-r--r--    1 root     root      2429021 Jun 28 13:52
openssl-SNAP-20010627.tar.gz 

I have this openssl snapshot. 

> 
> > if I use the 0.9.6a :
> >
> > - I can initialize the database.
> > - I can generate a secret key
> > - I can't generate a request, the nasty -subj argument
> 
> This command is needed to support correctly pkcs#10 malformed requests
> and ie reqs too.
> 
> > - I can initialize the database.
> > - I can't generate a secret key. the env:password is not propagated.

with the above configuration the env:password is not propagated. here is
the source of openssl who is not correct:

This program come from the openssl snapshot described above.
It comes from apps.c under the apps directory of openssl.
below the cb_data test, this program takes the password correctly.
As this password can come from stdin, a file or an environment variable.
The password is never propagated.
After that the ui is called everytime.
I have tried to patch the code.
 like 
buf = password and res = strlen(buf);
but the program crash later.
so I am a bit sticked.

**********
**********

int password_callback(char *buf, int bufsiz, int verify,
	PW_CB_DATA *cb_tmp)
	{
	UI *ui = NULL;
	int res = 0;
	const char *prompt_info = NULL;
	const char *password = NULL;
	PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;

	if (cb_data)
	{
	        if (cb_data->password)
			password = cb_data->password;
		if (cb_data->prompt_info)
			prompt_info = cb_data->prompt_info;
	}


        ui = UI_new_method(ui_method);
        if (ui) {
                int ok = 0;
                char *buff = NULL;
                int ui_flags = 0;
                char *prompt = NULL;

                prompt = UI_construct_prompt(ui, "pass phrase",
                        cb_data->prompt_info);

                ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
                UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);

                if (ok >= 0)
                        ok = UI_add_input_string(ui,prompt,ui_flags,buf,
                                PW_MIN_LENGTH,BUFSIZ-1);
                if (ok >= 0 && verify)
                        {
                        buff = (char *)OPENSSL_malloc(bufsiz);
                        ok =
UI_add_verify_string(ui,prompt,ui_flags,buff,
                                PW_MIN_LENGTH,BUFSIZ-1, buf);
                        }
                if (ok >= 0)
                        do
                                {
                                ok = UI_process(ui);
                                }
                        while (ok < 0 && UI_ctrl(ui,
UI_CTRL_IS_REDOABLE, 0, 0, 0));

                if (buff)
                        {
                        memset(buff,0,(unsigned int)bufsiz);
                        OPENSSL_free(buff);
                        }

                if (ok >= 0)
                        res = strlen(buf);
                if (ok == -1)
                        {
                        BIO_printf(bio_err, "User interface error\n");
                        ERR_print_errors(bio_err);
                        memset(buf,0,(unsigned int)bufsiz);
                        res = 0;
                        }
                if (ok == -2)
                        {
                        BIO_printf(bio_err,"aborted!\n");
                        memset(buf,0,(unsigned int)bufsiz);
                        res = 0;
                        }
                UI_free(ui);
                OPENSSL_free(prompt);
        }

	return res;
}

**********
**********

> 
> are you sure this is the problem ??? I'll check it, anyway on most installation
> this gives no problem -- can you post more info on OS/Software and version
> used ???
> 
> --


SuSE 7.1 based linux box. Kernel upgraded to 2.4.4
glibc 2.2-9 (SuSE RPM version).

I hope it is clear enough to understand the problem I have.


> 
> C'you,
> 
>         Massimiliano Pala
> 
> --o-------------------------------------------------------------------------
> Massimiliano Pala [OpenCA Project Manager]                ma...@op...
>                                                      ma...@ha...
> http://www.openca.org                            Tel.:   +39 (0)59  270  094
> http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365