Re: Real MTU problems with BIO pair

2020-08-21 Thread Detlef Vollmann

On 2020-08-21 19:48, Benjamin Kaduk wrote:
> On Fri, Aug 21, 2020 at 05:05:51PM +0200, Detlef Vollmann wrote:
> > On 2020-08-20 21:44, Detlef Vollmann wrote:
> > > Is there any way to set the maximum fragment size for
> > > DTLS handshake with a BIO pair?
> > One solution is to set the MTU and the int_bio size to
> > exactly the same value.
> > Another option would be to use BIO_set_callback_ex() and send
> > the data to the socket after each BIO_write() into int_bio,
> > but the problem here is that BIO_set_data() cannot be used
> > as the ptr is already used for the peer address.
>
> There's always EX_DATA...

Thanks for the pointer. Using my own hash table would also be
an option.

But in the meantime I found that I can define my own BIO_METHOD,
so this is probably my preferred option.

  Detlef


Re: Checking if a key can sign / verify in 3.0

2020-08-21 Thread Norm Green
No comments on my question? Should there not be a way to know if an 
EVP_PKEY is valid for verification besides attempting the verify 
operation and getting a weird error code?  Doesn't seem like too much to 
expect since we already have EVP_PKEY_can_sign().
I'm happy to implement EVP_PKEY_can_verify() with some assurance such a 
PR would be accepted.


Norm Green

On 8/18/2020 6:01 PM, Norm Green wrote:

In 3.0 I see this new function in evp.h :

int EVP_PKEY_can_sign(const EVP_PKEY *pkey);

Is there an equivalent way to check if a key can verify? I'm not 
seeing an obvious way to do that.  Previously I used 
EVP_PKEY_meth_get_verifyctx() but that call is now deprecated in 3.0.


thanks,

Norm Green





Re: Real MTU problems with BIO pair

2020-08-21 Thread Benjamin Kaduk via openssl-users
On Fri, Aug 21, 2020 at 05:05:51PM +0200, Detlef Vollmann wrote:
> On 2020-08-20 21:44, Detlef Vollmann wrote:
> > 
> > Is there any way to set the maximum fragment size for
> > DTLS handshake with a BIO pair?
> One solution is to set the MTU and the int_bio size to
> exactly the same value.
> Another option would be to use BIO_set_callback_ex() and send
> the data to the socket after each BIO_write() into int_bio,
> but the problem here is that BIO_set_data() cannot be used
> as the ptr is already used for the peer address.

There's always EX_DATA...

-Ben


Re: Real MTU problems with BIO pair

2020-08-21 Thread Detlef Vollmann

On 2020-08-20 21:44, Detlef Vollmann wrote:
> if I create a BIO pair with
>    BIO_new_bio_pair(_bio, 0, _bio_, 0);
>
> then I tried to use SSL_set_mtu(), DTLS_set_link_mtu()
> and SSL_CTX_set_max_send_fragment(ctx, 1000).
> None of them gave me an error, but also none of them worked:
> the ServerHello was still sent as a single packet (>1500 bytes).

It turned out that this was not true: there were actually two
packets, but they were written to the BIO together before SSL_accept()
returned, so my side of the BIO pair got one single big packet
on a BIO_read() and sent it to the socket and the wire as one
UDP packet.

> If I create the BIO pair using
>    BIO_new_bio_pair(_bio, 1000, _bio_, 1000);
> then the ServerHello is fragmented, but not into DTLS
> handshake fragments, only into separate UDP packets
> that neither s_client nor my own client can work with.
>
> Is there any way to set the maximum fragment size for
> DTLS handshake with a BIO pair?

One solution is to set the MTU and the int_bio size to
exactly the same value.
Another option would be to use BIO_set_callback_ex() and send
the data to the socket after each BIO_write() into int_bio,
but the problem here is that BIO_set_data() cannot be used
as the ptr is already used for the peer address.

  Detlef
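As an added example, not code from this thread or from OpenSSL: a small C check for the symptom Detlef describes above, namely that one BIO_read() from a byte-stream BIO pair can hand back several DTLS records back to back, which the transport glue then sends as a single oversized UDP datagram. It parses the DTLS 1.0/1.2 record header (13 bytes: content type, version, epoch, 48-bit sequence number, body length) to count and measure the records in a buffer. The two-record sample flight is constructed inside the block, not captured traffic, and the record bodies are placeholder bytes, not a real ServerHello.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DTLS 1.0/1.2 record header (RFC 6347, section 4.1):
 *   ContentType(1) ProtocolVersion(2) epoch(2) sequence_number(6) length(2) */
#define DTLS_RECORD_HEADER_LEN 13
#define DTLS_CT_HANDSHAKE      22
#define DTLS_VERSION_1_0       0xFEFF
#define DTLS_VERSION_1_2       0xFEFD

/* Serialise one DTLS 1.2 record with the given body.
 * Returns bytes written, or 0 if the body is too long or cap is too small. */
size_t dtls_build_record(uint8_t *out, size_t cap, uint8_t ctype, uint16_t epoch,
                         uint64_t seq, const uint8_t *body, size_t blen)
{
    if (blen > 0xFFFF || cap < DTLS_RECORD_HEADER_LEN + blen)
        return 0;
    out[0] = ctype;
    out[1] = (uint8_t)(DTLS_VERSION_1_2 >> 8);
    out[2] = (uint8_t)(DTLS_VERSION_1_2 & 0xFF);
    out[3] = (uint8_t)(epoch >> 8);
    out[4] = (uint8_t)(epoch & 0xFF);
    for (int i = 0; i < 6; i++)                 /* 48-bit big-endian sequence number */
        out[5 + i] = (uint8_t)(seq >> (8 * (5 - i)));
    out[11] = (uint8_t)(blen >> 8);
    out[12] = (uint8_t)(blen & 0xFF);
    memcpy(out + DTLS_RECORD_HEADER_LEN, body, blen);
    return DTLS_RECORD_HEADER_LEN + blen;
}

/* Walk a buffer as a sequence of DTLS records. Stores each record's full
 * on-the-wire length (header + body) in lengths[] (up to max entries) and
 * returns the record count, or -1 if the buffer is not a clean sequence of
 * well-formed records (truncated header, unknown type/version, body running
 * past the end of the buffer). */
int dtls_split_records(const uint8_t *buf, size_t len, size_t *lengths, size_t max)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < DTLS_RECORD_HEADER_LEN)
            return -1;
        uint8_t ctype = buf[off];
        uint16_t ver = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        size_t blen = (size_t)((buf[off + 11] << 8) | buf[off + 12]);
        /* change_cipher_spec(20), alert(21), handshake(22), application_data(23) */
        if (ctype < 20 || ctype > 23)
            return -1;
        if (ver != DTLS_VERSION_1_0 && ver != DTLS_VERSION_1_2)
            return -1;
        if (len - off - DTLS_RECORD_HEADER_LEN < blen)
            return -1;
        if ((size_t)n < max)
            lengths[n] = DTLS_RECORD_HEADER_LEN + blen;
        n++;
        off += DTLS_RECORD_HEADER_LEN + blen;
    }
    return n;
}

/* Constructed sample (not captured traffic): two handshake records of a
 * server's first flight, laid out back to back the way a byte-stream BIO
 * presents them to a single BIO_read(). Returns the total length. */
size_t sample_coalesced_flight(uint8_t *out, size_t cap)
{
    uint8_t body1[900], body2[700];
    memset(body1, 0xA1, sizeof body1);   /* placeholder for the first handshake fragment */
    memset(body2, 0xB2, sizeof body2);   /* placeholder for the second fragment */
    size_t n1 = dtls_build_record(out, cap, DTLS_CT_HANDSHAKE, 0, 1, body1, sizeof body1);
    if (n1 == 0)
        return 0;
    size_t n2 = dtls_build_record(out + n1, cap - n1, DTLS_CT_HANDSHAKE, 0, 2, body2, sizeof body2);
    if (n2 == 0)
        return 0;
    return n1 + n2;
}

int main(void)
{
    uint8_t datagram[4096];
    size_t lens[8];
    size_t total = sample_coalesced_flight(datagram, sizeof datagram);
    int n = dtls_split_records(datagram, total, lens, 8);
    printf("BIO_read() returned %zu bytes holding %d DTLS record(s)\n", total, n);
    for (int i = 0; i < n; i++)
        printf("  record %d: %zu bytes on the wire, fits a 1500-byte MTU: %s\n",
               i, lens[i], lens[i] <= 1500 ? "yes" : "no");
    return 0;
}
```

Run this over whatever the read side of the pair hands back before it reaches sendto(): a count above one with every record under the link MTU confirms that OpenSSL did fragment the handshake and that only the byte-stream transport merged the records into one datagram. Cutting the buffer at these record boundaries and sending each record as its own datagram is one way to keep datagram semantics without sizing the pair to the MTU; a datagram-aware BIO_METHOD, as Detlef settles on in his later message, is the other.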


Re: query on dns resolver

2020-08-21 Thread Viktor Dukhovni
On Thu, Aug 20, 2020 at 11:56:45PM +0200, David von Oheimb wrote:

> OpenSSL has one function, namely BIO_lookup_ex(), that uses DNS lookup
> functions.  Since commit 28a0841bf58e3813b2e07ad22f19484308e2f70a of
> 02 Feb 2016 it uses getaddrinfo().

Right, but even this is not "DNS lookup".  It is hostname + service name
resolution via the operating system's mechanisms for resolving hostnames
and service names.  This may, or may not, involve DNS lookups.  There is
no code in OpenSSL that *directly* performs DNS lookups.

-- 
Viktor.