Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
On Mon, Feb 19, 2018 at 01:45:26PM -0800, Norm Green wrote: > # ASN1_LONG_DATA: > # success: TRUE > t@1 (l@1) signal BUS (invalid address alignment) in asn1_item_print_ctx at > line 155 in file "tasn_prn.c" > 155 || (it->utype != V_ASN1_BOOLEAN)) && *fld == NULL) { Perhaps aligning the item buffer (by using malloc) will help, does the patch below address the problem? diff --git a/test/asn1_encode_test.c b/test/asn1_encode_test.c index e9f459ad65..77fa9b5954 100644 --- a/test/asn1_encode_test.c +++ b/test/asn1_encode_test.c @@ -709,15 +709,19 @@ static int do_encode_custom(EXPECTED *input, static int do_print_item(const TEST_PACKAGE *package) { #define DATA_BUF_SIZE 256 -unsigned char buf[DATA_BUF_SIZE]; const ASN1_ITEM *i = ASN1_ITEM_ptr(package->asn1_type); -ASN1_VALUE *o = (ASN1_VALUE *) +ASN1_VALUE *o = OPENSSL_malloc(DATA_BUF_SIZE); int ret; OPENSSL_assert(package->encode_expectations_elem_size <= DATA_BUF_SIZE); -(void)RAND_bytes(buf, (int)package->encode_expectations_elem_size); +if (o == NULL) +return 0; + +(void)RAND_bytes((unsigned char *)o, + (int)package->encode_expectations_elem_size); ret = ASN1_item_print(bio_err, o, 0, i, NULL); +OPENSSL_free(o); return ret; } -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
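Review bot: in do_print_item the heap buffer is only partly initialised when ASN1_item_print reads it. OPENSSL_malloc(DATA_BUF_SIZE) returns 256 uninitialised bytes, RAND_bytes fills only encode_expectations_elem_size of them, and its return value is still discarded with (void), so a RAND failure leaves the whole object as stale heap contents. Consider OPENSSL_zalloc(DATA_BUF_SIZE) and checking the RAND_bytes result, freeing o and returning 0 on failure. The OPENSSL_assert on the element size could also move above the allocation so the size is validated before memory is taken, and a one-line comment that the allocation exists for alignment would keep the buffer from being turned back into a stack array later.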
Re: [openssl-users] How to make OpenSSL engine usage application specific?
Try RSA_new_method when allocating the RSA_METHOD. It takes an engine argument which will be used for related operations.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

From: Jayalakshmi bhat [mailto:bhat.jayalaks...@gmail.com]
Sent: Monday, 19 February 2018 7:16 PM
To: openssl-users@openssl.org
Subject: [openssl-users] How to make OpenSSL engine usage application specific?

Hello All,

We have 2 RSA OpenSSL engines in our product. Both the engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming the engines as

1. RSA smart card engine
2. RSA TPM engine

Engine usage is application specific. There are a couple of applications dependent on the RSA TPM engine, and there are a few applications dependent on the RSA smart card engine.

We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific. Is there any way we can make OpenSSL choose a specific engine for a specific application?

Regards
Jayalakshmi.
Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
For the failure in secmemtest, it appears that secure memory is not enabled per this code in ./crypto/mem_sec.c

    /* e_os.h includes unistd.h, which defines _POSIX_VERSION */
    #if !defined(OPENSSL_NO_SECURE_MEMORY) && defined(OPENSSL_SYS_UNIX) \
        && defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L
    # define IMPLEMENTED
    # include
    # include
    # include
    # include
    # include
    # if defined(OPENSSL_SYS_LINUX)
    # include
    # include
    # include
    # endif
    # include
    # include
    # include
    #endif

Solaris has this in sys/unistd.h

    #ifndef _POSIX_VERSION
    #ifdef _XPG6
    #define _POSIX_VERSION 200112L /* Supports IEEE Std 1003.1-2001 */
    #else
    #define _POSIX_VERSION 199506L /* Supports POSIX-1c DIS */
    #endif
    #endif /* _POSIX_VERSION */

I'm building with the native Oracle Solaris compiler which apparently does not define these macros.

Norm

On 2/19/2018 1:20 PM, Norm Green wrote:
> The output is not too long.
>
> /export/localnew/sparc.Solaris/bin/gmake depend && /export/localnew/sparc.Solaris/bin/gmake _tests
> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> ( cd test; \
> mkdir -p test-runs; \
> SRCTOP=../. \
> BLDTOP=../. \
> RESULT_D=test-runs \
> PERL="/opt/perl-5.24.0/bin/perl" \
> EXE_EXT= \
> OPENSSL_ENGINES=`cd .././engines; pwd` \
> OPENSSL_DEBUG_MEMORY=on \
> /opt/perl-5.24.0/bin/perl .././test/run_tests.pl test_asn1_encode test_secmem )
> ../test/recipes/04-test_asn1_encode.t ..
> 1..1
> # Subtest: ../../test/asn1_encode_test
> 1..6
> ok 1 - test_long_32bit
> # ASN1_LONG_DATA:
> # success: TRUE
> ../../util/shlib_wrap.sh ../../test/asn1_encode_test => 138
> not ok 1 - running asn1_encode_test
> # Failed test 'running asn1_encode_test'
> # at /hamburg4/users/normg/gs64trunk/slow10/openssl_1.1/test/../util/perl/OpenSSL/Test/Simple.pm line 77.
> # Looks like you failed 1 test of 1.
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/1 subtests
> ../test/recipes/90-test_secmem.t ...
> 1..1
> # Subtest: ../../test/secmemtest
> 1..1
> # ERROR: (bool) 'CRYPTO_secure_malloc_init(4096, 32) == true' failed @ test/secmemtest.c:28
> # false
> not ok 1 - test_sec_mem
> ../../util/shlib_wrap.sh ../../test/secmemtest => 1
> not ok 1 - running secmemtest
> # Failed test 'running secmemtest'
> # at /hamburg4/users/normg/gs64trunk/slow10/openssl_1.1/test/../util/perl/OpenSSL/Test/Simple.pm line 77.
> # Looks like you failed 1 test of 1.
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/1 subtests
>
> Test Summary Report
> ---
> ../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> ../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> Files=2, Tests=2, 2 wallclock secs ( 0.04 usr 0.01 sys + 0.38 cusr 0.16 csys = 0.59 CPU)
> Result: FAIL
> Makefile:169: recipe for target '_tests' failed
> gmake[1]: *** [_tests] Error 1
> gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> Makefile:167: recipe for target 'tests' failed
> gmake: *** [tests] Error 2
> slow test failed
>
> On 2/19/2018 12:50 PM, Benjamin Kaduk wrote:
>> On 02/19/2018 02:06 PM, Norm Green wrote:
>>> Not sure if this is expected on this platform?
>>>
>>> Test Summary Report
>>> ---
>>> ../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
>>> Failed test: 1
>>> Non-zero exit status: 1
>>> ../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
>>> Failed test: 1
>>> Non-zero exit status: 1
>>> Files=141, Tests=1313, 370 wallclock secs ( 3.42 usr 0.94 sys + 266.48 cusr 40.30 csys = 311.14 CPU)
>>> Result: FAIL
>>> Makefile:169: recipe for target '_tests' failed
>>
>> I do not think it is expected. Could you capture the output of 'make V=1 TESTS="test_asn1_encode test_secmem"' and make it available? (Probably via posting it on the web and linking; the output may be long.)
>>
>> -Ben
Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
You are correct, we are getting a SIGBUS. Solaris SPARC does not allow unaligned data access:

(dbx) run
Running: asn1_encode_test
(process id 11159)
Reading libc_psr.so.1
Reading libscf.so.1
Reading libdoor.so.1
Reading libuutil.so.1
Reading libgen.so.1
Reading libmd.so.1
Reading libmp.so.2
1..6
ok 1 - test_long_32bit
# ASN1_LONG_DATA:
# success: TRUE
t@1 (l@1) signal BUS (invalid address alignment) in asn1_item_print_ctx at line 155 in file "tasn_prn.c"
155 || (it->utype != V_ASN1_BOOLEAN)) && *fld == NULL) {
(dbx) where
current thread: t@1
=>[1] asn1_item_print_ctx(out = 0x1001453c0, fld = 0x7fffd6dc, indent = 2, it = 0x7f3a29f0, fname = 0x100033ad8 "test_long", sname = (nil), nohdr = 0, pctx = 0x7f39e8f8), line 155 in "tasn_prn.c"
[2] asn1_template_print_ctx(out = 0x1001453c0, fld = 0x7fffd6dc, indent = 2, tt = 0x100137808, pctx = 0x7f39e8f8), line 328 in "tasn_prn.c"
[3] asn1_item_print_ctx(out = 0x1001453c0, fld = 0x7fffd5e0, indent = 0, it = 0x1001376c8, fname = (nil), sname = 0x100033af8 "ASN1_LONG_DATA", nohdr = 0, pctx = 0x7f39e8f8), line 241 in "tasn_prn.c"
[4] ASN1_item_print(out = 0x1001453c0, ifld = 0x7fffd6d4, indent = 0, it = 0x1001376c8, pctx = 0x7f39e8f8), line 131 in "tasn_prn.c"
[5] do_print_item(package = 0x100135e68), line 720 in "asn1_encode_test.c"
[6] test_intern(package = 0x100135e68), line 815 in "asn1_encode_test.c"
[7] test_long_64bit(), line 832 in "asn1_encode_test.c"
[8] run_tests(test_prog_name = 0x7fffef88 "/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1/test/asn1_encode_test"), line 205 in "driver.c"
[9] main(argc = 1, argv = 0x7fffec08), line 51 in "main.c"
(dbx)

On 2/19/2018 1:30 PM, Viktor Dukhovni wrote:
> On Feb 19, 2018, at 4:20 PM, Norm Green wrote:
>> /export/localnew/sparc.Solaris/bin/gmake depend && /export/localnew/sparc.Solaris/bin/gmake _tests
>> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
>> gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
>> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
>> ( cd test; \
>> mkdir -p test-runs; \
>> SRCTOP=../. \
>> BLDTOP=../. \
>> RESULT_D=test-runs \
>> PERL="/opt/perl-5.24.0/bin/perl" \
>> EXE_EXT= \
>> OPENSSL_ENGINES=`cd .././engines; pwd` \
>> OPENSSL_DEBUG_MEMORY=on \
>> /opt/perl-5.24.0/bin/perl .././test/run_tests.pl test_asn1_encode test_secmem )
>> ../test/recipes/04-test_asn1_encode.t ..
>> 1..1
>> # Subtest: ../../test/asn1_encode_test
>> 1..6
>> ok 1 - test_long_32bit
>> # ASN1_LONG_DATA:
>> # success: TRUE
>> ../../util/shlib_wrap.sh ../../test/asn1_encode_test => 138
>
> On FreeBSD signal 10 (128 + 10 == 138) is SIGBUS, which could be a result of unaligned data access (please report "kill -l" output to confirm the signal numbers). Could you run this test under gdb, or enable core dumps, and report the stack trace? You may need a build with debugging symbols.
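Added illustration, not code from the thread or from OpenSSL: in the dbx trace above, ifld = 0x7fffd6d4 and fld = 0x7fffd6dc are 4-byte but not 8-byte aligned, so a pointer-sized load through them faults on a strict-alignment CPU. The sketch checks those addresses and shows heap storage, an explicitly aligned array, and memcpy-based access as ways to avoid the fault; the 8-byte pointer size and every function name here are assumptions of this example.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DATA_BUF_SIZE 256

/* Nonzero if addr is a multiple of align (align must be a power of two). */
static int is_aligned(uintptr_t addr, size_t align)
{
    return (addr & (uintptr_t)(align - 1)) == 0;
}

/* Heap storage, as in the posted patch: malloc results suit any object type. */
static int heap_buffer_is_pointer_aligned(void)
{
    unsigned char *p = malloc(DATA_BUF_SIZE);
    int ok;

    if (p == NULL)
        return -1;
    ok = is_aligned((uintptr_t)p, alignof(void *));
    free(p);
    return ok;
}

/* Alternative: keep the array on the stack but raise its alignment. */
static int aligned_array_is_pointer_aligned(void)
{
    alignas(max_align_t) unsigned char buf[DATA_BUF_SIZE];

    return is_aligned((uintptr_t)buf, alignof(void *));
}

/*
 * Store and reload a pointer-sized field at an arbitrary byte offset using
 * memcpy, which never performs a misaligned load. Returns 1 on a match.
 */
static int pointer_roundtrip_at(size_t offset)
{
    unsigned char buf[DATA_BUF_SIZE] = {0};
    void *in = buf, *out = NULL;

    if (offset + sizeof(in) > sizeof(buf))
        return 0;
    memcpy(buf + offset, &in, sizeof(in));
    memcpy(&out, buf + offset, sizeof(out));
    return out == in;
}

int main(void)
{
    /* Addresses copied from the dbx trace; 8-byte pointers are assumed. */
    printf("ifld 0x7fffd6d4 8-byte aligned: %d\n", is_aligned(0x7fffd6d4u, 8));
    printf("fld  0x7fffd6dc 8-byte aligned: %d\n", is_aligned(0x7fffd6dcu, 8));
    printf("heap buffer aligned:   %d\n", heap_buffer_is_pointer_aligned());
    printf("alignas array aligned: %d\n", aligned_array_is_pointer_aligned());
    printf("memcpy round trip at offset 3: %d\n", pointer_roundtrip_at(3));
    return 0;
}
```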
Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
> On Feb 19, 2018, at 4:20 PM, Norm Green wrote:
>
> /export/localnew/sparc.Solaris/bin/gmake depend && /export/localnew/sparc.Solaris/bin/gmake _tests
> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
> ( cd test; \
> mkdir -p test-runs; \
> SRCTOP=../. \
> BLDTOP=../. \
> RESULT_D=test-runs \
> PERL="/opt/perl-5.24.0/bin/perl" \
> EXE_EXT= \
> OPENSSL_ENGINES=`cd .././engines; pwd` \
> OPENSSL_DEBUG_MEMORY=on \
> /opt/perl-5.24.0/bin/perl .././test/run_tests.pl test_asn1_encode test_secmem )
> ../test/recipes/04-test_asn1_encode.t ..
> 1..1
> # Subtest: ../../test/asn1_encode_test
> 1..6
> ok 1 - test_long_32bit
> # ASN1_LONG_DATA:
> # success: TRUE
> ../../util/shlib_wrap.sh ../../test/asn1_encode_test => 138

On FreeBSD signal 10 (128 + 10 == 138) is SIGBUS, which could be a result of unaligned data access (please report "kill -l" output to confirm the signal numbers). Could you run this test under gdb, or enable core dumps, and report the stack trace? You may need a build with debugging symbols.

--
Viktor.
Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
The output is not too long.

/export/localnew/sparc.Solaris/bin/gmake depend && /export/localnew/sparc.Solaris/bin/gmake _tests
gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
gmake[1]: Entering directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
( cd test; \
mkdir -p test-runs; \
SRCTOP=../. \
BLDTOP=../. \
RESULT_D=test-runs \
PERL="/opt/perl-5.24.0/bin/perl" \
EXE_EXT= \
OPENSSL_ENGINES=`cd .././engines; pwd` \
OPENSSL_DEBUG_MEMORY=on \
/opt/perl-5.24.0/bin/perl .././test/run_tests.pl test_asn1_encode test_secmem )
../test/recipes/04-test_asn1_encode.t ..
1..1
# Subtest: ../../test/asn1_encode_test
1..6
ok 1 - test_long_32bit
# ASN1_LONG_DATA:
# success: TRUE
../../util/shlib_wrap.sh ../../test/asn1_encode_test => 138
not ok 1 - running asn1_encode_test
# Failed test 'running asn1_encode_test'
# at /hamburg4/users/normg/gs64trunk/slow10/openssl_1.1/test/../util/perl/OpenSSL/Test/Simple.pm line 77.
# Looks like you failed 1 test of 1.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests
../test/recipes/90-test_secmem.t ...
1..1
# Subtest: ../../test/secmemtest
1..1
# ERROR: (bool) 'CRYPTO_secure_malloc_init(4096, 32) == true' failed @ test/secmemtest.c:28
# false
not ok 1 - test_sec_mem
../../util/shlib_wrap.sh ../../test/secmemtest => 1
not ok 1 - running secmemtest
# Failed test 'running secmemtest'
# at /hamburg4/users/normg/gs64trunk/slow10/openssl_1.1/test/../util/perl/OpenSSL/Test/Simple.pm line 77.
# Looks like you failed 1 test of 1.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests

Test Summary Report
---
../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=2, Tests=2, 2 wallclock secs ( 0.04 usr 0.01 sys + 0.38 cusr 0.16 csys = 0.59 CPU)
Result: FAIL
Makefile:169: recipe for target '_tests' failed
gmake[1]: *** [_tests] Error 1
gmake[1]: Leaving directory '/hamburg4/users/normg/gs64trunk/slow10/openssl_1.1'
Makefile:167: recipe for target 'tests' failed
gmake: *** [tests] Error 2
slow test failed

On 2/19/2018 12:50 PM, Benjamin Kaduk wrote:
> On 02/19/2018 02:06 PM, Norm Green wrote:
>> Not sure if this is expected on this platform?
>>
>> Test Summary Report
>> ---
>> ../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
>> Failed test: 1
>> Non-zero exit status: 1
>> ../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
>> Failed test: 1
>> Non-zero exit status: 1
>> Files=141, Tests=1313, 370 wallclock secs ( 3.42 usr 0.94 sys + 266.48 cusr 40.30 csys = 311.14 CPU)
>> Result: FAIL
>> Makefile:169: recipe for target '_tests' failed
>
> I do not think it is expected. Could you capture the output of 'make V=1 TESTS="test_asn1_encode test_secmem"' and make it available? (Probably via posting it on the web and linking; the output may be long.)
>
> -Ben
Re: [openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
On 02/19/2018 02:06 PM, Norm Green wrote:
> Not sure if this is expected on this platform?
>
> Test Summary Report
> ---
> ../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> ../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
> Failed test: 1
> Non-zero exit status: 1
> Files=141, Tests=1313, 370 wallclock secs ( 3.42 usr 0.94 sys + 266.48 cusr 40.30 csys = 311.14 CPU)
> Result: FAIL
> Makefile:169: recipe for target '_tests' failed

I do not think it is expected. Could you capture the output of 'make V=1 TESTS="test_asn1_encode test_secmem"' and make it available? (Probably via posting it on the web and linking; the output may be long.)

-Ben
[openssl-users] 1.1.1 pre1 tests failing on Solaris SPARC
Not sure if this is expected on this platform?

Test Summary Report
---
../test/recipes/04-test_asn1_encode.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
../test/recipes/90-test_secmem.t (Wstat: 256 Tests: 1 Failed: 1)
Failed test: 1
Non-zero exit status: 1
Files=141, Tests=1313, 370 wallclock secs ( 3.42 usr 0.94 sys + 266.48 cusr 40.30 csys = 311.14 CPU)
Result: FAIL
Makefile:169: recipe for target '_tests' failed
Re: [openssl-users] DTLS over UDP
Nivedita wrote:
>> Nivedita wrote:
>>> I am trying to establish DTLS over UDP connection by using DTLSv1_listen method.
>>> I have followed the below steps -
>>> 1. Created a server socket and using this socket created bio and ssl object.
>>>    bio = BIO_new_dgram(VI_sock,BIO_NOCLOSE))
>>>    SSL_set_bio (ssl,VP_bio,VP_bio);
>>> 2. Enable cookie exchange on SSL object.
>>>    SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
>>> 3. Then started listening using dtlsv1_listen for the new client connections. Once dtlsv1_listen is successful and i got the peer address.

mcr> okay.

>> Nivedita- All the above mentioned steps i am doing on server side. On the client side i have already initiated ssl_connect.
>> On the server side when i am listening using dtlsv1_listen method -

>>> 4. Once i got the peer address, i am creating one more socket
>>> 5. With the new socket i tried to connect to peer address.

> Then once i got the client address from the dtlsv1_listen method, i am creating one more socket and trying to connect to this client address.

I think that I see what is wrong with your flow... you haven't taken the packet off the original socket, so SSL_accept is still looking for it.

The flow is supposed to be:

1) client sends ClientHello

2) DTLSv1_listen() sees it, and sends a HelloVerifyRequest (I assume you have filled in the cookie callbacks. I think that perhaps there should be good cryptographic defaults available in the library. Maybe there are, and I'm ignorant of them)

3) Client sends ClientHello w/cookie. DTLSv1_listen() then sees that and tweaks the SSL* to indicate that the cookie has been accepted. Note that the packet is *LEFT* on the incoming socket so that SSL_accept() can process it. This is one of the places where the DTLSv1_listen() API is rather hard to use in my opinion.

4) You make up new sockets, etc.

5) But, you need to call SSL_accept() once with the **old socket** to process the packet that listen() left on it, and then you can switch the FD over! Of course, you probably want to make sure that SSL_accept() sends the reply correctly.

What I do in my proposed DTLSv1_accept() API is that I move the data from the incoming socket to the new BIO's incoming queue:

https://github.com/mcr/openssl/blob/dtls-listen-refactor/ssl/d1_lib.c#L964

    /* At this point, there is a real ClientHello in serv->init_buf */
    memcpy(rb->buf, serv->init_buf->data, serv->init_num);
    rb->offset = 0;
    rb->left = serv->init_num;

and then remove the packet from the incoming socket. The situation is then returned like this so that the new sockets can be set up, but the incoming SSL_accept() BIO is stuffed with the correct (cookie-full) ClientHello, and replies will go to the right place with the right source address.

I hope to get these patches accepted for the March 11 freeze, but you might not want to depend upon it.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
[openssl-users] How to make OpenSSL engine usage application specific?
Hello All,

We have 2 RSA OpenSSL engines in our product. Both the engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming the engines as

1. RSA smart card engine
2. RSA TPM engine

Engine usage is application specific. There are a couple of applications dependent on the RSA TPM engine, and there are a few applications dependent on the RSA smart card engine.

We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific. Is there any way we can make OpenSSL choose a specific engine for a specific application?

Regards
Jayalakshmi.