RE: i2d_DSAPublicKey

2007-07-30 Thread Edward Chan
I think you're right.  Before the P,Q,G params, I see (0x02, 0x41,
0x00), (0x02, 0x15, 0x00), and (0x02, 0x41, 0x00) respectively.  0x41
and 0x15 appear to be 1 greater than the actual length of the params.
Any idea why it is 1 greater than the actual length?

But before the public key, I see (0x30, 0x81, 0xDF, 0x02, 0x40).  Can
you tell me what these values represent?  The pubkey is 0x40 bytes.  I
assume 0x02 is the integer type.  What are the first 3 bytes?



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-openssl-
 [EMAIL PROTECTED] On Behalf Of jimmy bahuleyan
 Sent: Monday, July 30, 2007 6:55 AM
 To: openssl-users@openssl.org
 Subject: Re: i2d_DSAPublicKey
 
 Hi,
 
 Edward Chan wrote:
  When I call this function, I can see from the generated binary data that
  the format is the public key, followed by the P param, followed by 3
  bytes which I don't know what they are, followed by the Q param,
  followed by the G param.
 
 
 You have got an ASN.1 DER encoding which is  Tag || Length || Value
 
 Since P, Q, G are integers they'll be encoded with the tag of an integer
 (0x2 I think), followed by a length and then the value bytes.
 
 
  I haven't tried generating more than one DSA pub/priv key pair yet using
  these params so I don't know if these 3 bytes are the same all the time,
  but does someone know off hand what those bytes are?
 
 
 If you can tell what those bytes are which are confusing you maybe
 someone can confirm that you are indeed seeing the ASN.1 tag|length.
 
 
 
  Is there some standard encoding for how a public key and private key are
  stored?  i.e. do the params always come after the pub/priv key, or
  before?  And do they always appear in the order of P,Q,G?
 
 
 Yes, it is a standard. Please refer to RFC 3279 for DSSParms.
 
 -jb
 --
 Tact is the art of making a point without making an enemy.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
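
The byte values asked about above, decoded by an added example (not code from the thread or from OpenSSL): 0x30 is the SEQUENCE tag, 0x81 says one length byte follows, 0xDF is the 223-byte content length, and an INTEGER whose top bit is set gets a 0x00 sign byte, which is why 0x41 and 0x15 are one more than the parameter sizes. The buffer is constructed filler laid out as the post reports, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER element. */
typedef struct {
    unsigned char tag;
    size_t hdr_len;            /* tag byte plus length byte(s) */
    size_t len;                /* number of value bytes */
    const unsigned char *val;
} der_tlv;

/* Parse one Tag || Length || Value at buf. Returns 0, or -1 if malformed. */
static int der_read(const unsigned char *buf, size_t avail, der_tlv *out)
{
    size_t n, i, len = 0;
    if (avail < 2) return -1;
    out->tag = buf[0];
    if (buf[1] < 0x80) {               /* short form: one byte, 0..127 */
        len = buf[1];
        out->hdr_len = 2;
    } else {                           /* long form: 0x80|n, then n length bytes */
        n = buf[1] & 0x7F;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return -1;
        for (i = 0; i < n; i++) len = (len << 8) | buf[2 + i];
        if (buf[2] == 0 || len < 0x80) return -1;   /* DER wants the shortest form */
        out->hdr_len = 2 + n;
    }
    if (len > avail - out->hdr_len) return -1;
    out->len = len;
    out->val = buf + out->hdr_len;
    return 0;
}

/* Magnitude length of a non-negative DER INTEGER: drops the 0x00 sign byte
 * that is prepended when the top bit of the first magnitude byte is set. */
static size_t der_uint_magnitude_len(const der_tlv *t)
{
    if (t->len > 1 && t->val[0] == 0x00 && (t->val[1] & 0x80))
        return t->len - 1;
    return t->len;
}

/* Constructed sample with the layout reported in the post:
 * SEQUENCE { pub_key, P, Q, G }. Filler bytes, not a real key. */
size_t build_sample(unsigned char *buf)
{
    static const size_t mag[4] = { 64, 64, 20, 64 };          /* magnitude sizes */
    static const unsigned char first[4] = { 0x5A, 0xC3, 0x9F, 0xB1 };
    size_t off = 3, i;
    for (i = 0; i < 4; i++) {
        int pad = (first[i] & 0x80) != 0;      /* top bit set: needs a sign byte */
        buf[off++] = 0x02;                     /* INTEGER tag */
        buf[off++] = (unsigned char)(mag[i] + pad);
        if (pad) buf[off++] = 0x00;
        memset(buf + off, 0x11, mag[i]);
        buf[off] = first[i];
        off += mag[i];
    }
    buf[0] = 0x30;                             /* SEQUENCE tag */
    buf[1] = 0x81;                             /* long form, one length byte */
    buf[2] = (unsigned char)(off - 3);         /* content length */
    return off;
}

/* Walk the SEQUENCE and record each INTEGER's encoded and magnitude length.
 * Returns the number of integers found, or -1 on error. */
int walk_integers(const unsigned char *buf, size_t len,
                  size_t enc_len[], size_t mag_len[], int max)
{
    der_tlv seq, t;
    size_t off = 0;
    int count = 0;
    if (der_read(buf, len, &seq) != 0 || seq.tag != 0x30) return -1;
    while (off < seq.len && count < max) {
        if (der_read(seq.val + off, seq.len - off, &t) != 0 || t.tag != 0x02)
            return -1;
        enc_len[count] = t.len;
        mag_len[count] = der_uint_magnitude_len(&t);
        off += t.hdr_len + t.len;
        count++;
    }
    return count;
}

int main(void)
{
    static const char *name[4] = { "pub_key", "P", "Q", "G" };
    unsigned char buf[256];
    size_t enc[4], mag[4], n = build_sample(buf);
    int i, count = walk_integers(buf, n, enc, mag, 4);
    printf("outer header: %02X %02X %02X\n", buf[0], buf[1], buf[2]);
    for (i = 0; i < count; i++)
        printf("%-7s encoded length 0x%02X, magnitude %u bytes\n",
               name[i], (unsigned)enc[i], (unsigned)mag[i]);
    return count == 4 ? 0 : 1;
}
```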


nasm vs. masm

2007-07-25 Thread Edward Chan
Anybody have any idea which assembler is preferred when building with
VC8?



RE: nasm vs. masm

2007-07-25 Thread Edward Chan
Cool.  I figured you guys are mostly testing with nasm so that's what
I'm using.  But I was just curious if anybody has done any benchmark
tests to see whether one assembler generated more efficient assembly
than the other that would result in noticeably better performance.


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-openssl-
 [EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
 Sent: Wednesday, July 25, 2007 4:22 AM
 To: openssl-users@openssl.org
 Subject: Re: nasm vs. masm
 
 On Wed, Jul 25, 2007, Edward Chan wrote:
 
  Anybody have any idea which assembler is preferred when building with
  VC8?
 
 
 Currently you can use either but in future nasm will be the only supported
 assembler. This is the case with 0.9.9-dev.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


building openssl with symbols

2007-07-25 Thread Edward Chan
Hi there,

 

Wondering if anybody has built debug version of openssl?  I tried doing
this, in the hopes that I could step into the code if I had the symbols.
I recall doing this successfully back when I was using 0.9.7, but I just
tried with 0.9.8e and I'm unable to step into any openssl functions.
I'm building on VC8 with nasm assembler.

 

Also, I notice that the debug libeay32.lib static lib is about 3.4MB,
while the release is 3.6MB.  Is that right?  The debug is actually
smaller than the release?  I'm pretty sure I've followed the steps in
the INSTALL.W32 doc.  It even generates dirs named *.dbg.

 

Any ideas?

 

Thanks,

Ed



memory management with openssl

2007-07-20 Thread Edward Chan
Hi there,

 

Just curious if anybody has done any profiling of openssl's memory
usage?  Is there much heap contention?  Has anybody tried plugging in a
3rd party memory manager such as Hoard, or SmartHeap to see if there is
any performance improvement?

 

Thanks,

Ed



RE: BIGNUM library

2007-04-23 Thread Edward Chan
Christophe, you're right.  I just looked at my code again, and I was not
checking the return value of DH_compute_key() for the size of the
computed shared secret; I was assuming it to be the same size as that
returned by DH_size(), which is obviously not a valid assumption.  All
the other libs return the size as an in/out arg where on the way in, the
arg is set to the size of the output buffer used to store the secret,
and on the way out it is set to the size of the secret.  So I had
overlooked that the size was actually returned via the return value.
Thanks for your help on this!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christophe Devine
Sent: Saturday, April 21, 2007 2:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

Edward Chan [EMAIL PROTECTED] wrote:

 But I think this always returned me 128 bytes.  So am I supposed to
 bzero the output buffer first?

Here's how I fixed the bug (not very elegant, it was a quick hack)


int ret = DH_compute_key(secret, pkey, m_dh);
if( ret > 0 && ret < 128 )
{
    /* right-align the ret-byte secret in the 128-byte buffer,
       then zero the bytes in front of it */
    memmove(secret + (128 - ret), secret, ret);
    memset(secret, 0, 128 - ret);
}
ReverseBytes(secret, size);


Christophe
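
The padding rule this thread converges on, as an added example that is not code from the posts or from any of the libraries named: treat the secret as a big-endian number of whatever length DH_compute_key() returned, right-align it in the fixed-width field, and only then reverse it for a little-endian consumer. Function names and the 4-byte sample width are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Right-align a big-endian integer in a fixed-width big-endian field.
 * Leading zero bytes of the input are dropped first, so a value that arrives
 * with extra zero prefix bytes still fits. in and out must not overlap.
 * Returns 0, or -1 if the value is too large for the field. */
int be_to_fixed(const unsigned char *in, size_t in_len,
                unsigned char *out, size_t out_len)
{
    while (in_len > 0 && in[0] == 0) { in++; in_len--; }
    if (in_len > out_len) return -1;
    memset(out, 0, out_len - in_len);
    memcpy(out + (out_len - in_len), in, in_len);
    return 0;
}

/* Reverse a buffer in place (fixed-width big-endian <-> little-endian). */
void reverse_bytes(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len / 2; i++) {
        unsigned char t = buf[i];
        buf[i] = buf[len - 1 - i];
        buf[len - 1 - i] = t;
    }
}

/* Correct order of operations: pad to the full width, then reverse. */
int be_to_fixed_le(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_len)
{
    if (be_to_fixed(in, in_len, out, out_len) != 0) return -1;
    reverse_bytes(out, out_len);
    return 0;
}

/* The mistake described in the thread: assume the value fills the whole
 * buffer and reverse all out_len bytes. Even with a zeroed buffer, a short
 * value ends up multiplied by 256 for every missing byte. */
int assume_full_width_le(const unsigned char *in, size_t in_len,
                         unsigned char *out, size_t out_len)
{
    if (in_len > out_len) return -1;
    memset(out, 0, out_len);
    memcpy(out, in, in_len);
    reverse_bytes(out, out_len);
    return 0;
}

/* Numeric equality of two big-endian byte strings, ignoring leading zeros.
 * Meant for comparing logged test values; memcmp is not constant-time. */
int be_equal(const unsigned char *a, size_t a_len,
             const unsigned char *b, size_t b_len)
{
    while (a_len > 0 && a[0] == 0) { a++; a_len--; }
    while (b_len > 0 && b[0] == 0) { b++; b_len--; }
    return a_len == b_len && memcmp(a, b, a_len) == 0;
}

int main(void)
{
    /* Constructed 3-byte value standing in for a short shared secret. */
    static const unsigned char secret[3] = { 0x01, 0x02, 0x03 };
    unsigned char good[4], bad[4];
    size_t i;
    be_to_fixed_le(secret, sizeof secret, good, sizeof good);
    assume_full_width_le(secret, sizeof secret, bad, sizeof bad);
    printf("padded then reversed:");
    for (i = 0; i < sizeof good; i++) printf(" %02X", good[i]);
    printf("\nreversed as if full :");
    for (i = 0; i < sizeof bad; i++) printf(" %02X", bad[i]);
    printf("\n");
    return 0;
}
```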



RE: BIGNUM library

2007-04-21 Thread Edward Chan
I thought I tried this, but let me try again.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christophe Devine
Sent: Saturday, April 21, 2007 2:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

Edward Chan [EMAIL PROTECTED] wrote:

 But I think this always returned me 128 bytes.  So am I supposed to
 bzero the output buffer first?

Here's how I fixed the bug (not very elegant, it was a quick hack)


int ret = DH_compute_key(secret, pkey, m_dh);
if( ret > 0 && ret < 128 )
{
    /* right-align the ret-byte secret in the 128-byte buffer,
       then zero the bytes in front of it */
    memmove(secret + (128 - ret), secret, ret);
    memset(secret, 0, 128 - ret);
}
ReverseBytes(secret, size);


Christophe



RE: BIGNUM library

2007-04-21 Thread Edward Chan
Excuse my ignorance, but isn't TLS a protocol, whereas DH an algorithm?
Even if TLS is used, if it does a DH key exchange, I think I would still
have the same interop problems.  I'm basically testing interop of
different crypto libs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Friday, April 20, 2007 9:31 PM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Fri, Apr 20, 2007 at 03:43:41PM -0700, Edward Chan wrote:

 I apologize for the confusion.  I thought I had stated the problem
 before.  I'm basically trying to do a DH key exchange between different
 crypto libraries.

Why an explicit DH key exchange and not TLS, which is interoperable, and
authenticates the DH exchange, ...

-- 
Viktor.


RE: BIGNUM library

2007-04-20 Thread Edward Chan
I think the issue is with on the wire interoperability.  Let me
summarize my tests so far.

Openssl to openssl - this works 100%
CAPI to CAPI - works 100%
OpenSSL to CAPI - sporadic failures
XySSL to CAPI - sporadic failures
OpenSSL to XySSL - works 100%

Because CAPI doesn't give you access to the computed shared secret, I
can't say for sure that the computed shared secret is different from
openssl/xyssl.  But I'm 99% sure this is the reason for the failure.

And because I got another crypto lib to work with openssl, which also
failed with CAPI in the same manner, I assumed the problem lay with
CAPI.

But now, I just tried another commercial crypto lib, RSA's BSAFE
Crypto-C ME.

OpenSSL to BSAFE - sporadic failures
BSAFE to CAPI - works 100%

What are the chances that 2 commercial crypto libraries from
heavyweights Microsoft and RSA have similar bugs?  Maybe the chances are high
:)  But at this point, I'm starting to think, dare I say it, that there
might possibly be a bug in OpenSSL?  Anybody else have ideas?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Friday, April 20, 2007 7:53 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Fri, Apr 20, 2007 at 01:12:29PM +0530, jimmy wrote:

 Edward Chan wrote:
  I have more info on this now.  I just tried openssl with bsafe crypto-c
  me.  Again, I get sporadic failures.  When I compare the 2 computed
  shared secrets, I see that they are actually the same, except that bsafe
  has some zero padded bytes at the beginning, even though it says it
  computed 128 bytes.
  
  So for example,
  
  openssl[0, 127] == bsafe[1, 128], where bsafe[0] == 0
  or
  openssl[0, 127] == bsafe[2, 129], where bsafe[0] == bsafe[1] == 0
  
  Anybody have any ideas.  I haven't tried MS CAPI to BSAFE yet, but I
  have a feeling these 2 libs may work together.
  
  Can somebody point me to a spec on the ASN.1 format for BIGNUM's over
  the wire?
  
 
 Well the case with bsafe[0]==bsafe[1]==0 definitely cannot be ASN.1
 integer compliant, because ASN.1 DER specifies that you must use the
 shortest possible encoding for a number.
 
 Having two leading 0s isn't definitely shortest (or unique), since you
 can get the same number with just a single leading 0.
 
 In case you want the spec for ASN.1 bignum, it should be the X.691 for
 Integer encoding. (i'm assuming DER here)

Is this an issue with on-the-wire interoperability of a standardized protocol,
or an issue with out of band migration of key material between different
systems? If the latter, there are no standards. The OP is still being fast
and loose with the distinction between the private formats used internally
by applications and libraries, and the public formats used on the wire...

-- 
Viktor.


RE: BIGNUM library

2007-04-20 Thread Edward Chan
But I think this always returned me 128 bytes.  So am I supposed to
bzero the output buffer first?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christophe Devine
Sent: Friday, April 20, 2007 12:00 PM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

 So the error was not in OpenSSL or CAPI, but rather in the incorrect
 use of the function DH_generate_key (the return value was not taken
 into account properly when setting up the shared secret). A simple
 fix is to add zero padding when the secret is less than 128 bytes.

My mistake, it's the function DH_compute_key().

Christophe



RE: BIGNUM library

2007-04-19 Thread Edward Chan
I have more info on this now.  I just tried openssl with bsafe crypto-c
me.  Again, I get sporadic failures.  When I compare the 2 computed
shared secrets, I see that they are actually the same, except that bsafe
has some zero padded bytes at the beginning, even though it says it
computed 128 bytes.

So for example,

openssl[0, 127] == bsafe[1, 128], where bsafe[0] == 0
or
openssl[0, 127] == bsafe[2, 129], where bsafe[0] == bsafe[1] == 0

Anybody have any ideas.  I haven't tried MS CAPI to BSAFE yet, but I
have a feeling these 2 libs may work together.

Can somebody point me to a spec on the ASN.1 format for BIGNUM's over
the wire?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Thursday, April 19, 2007 3:14 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Wed, Apr 18, 2007, Edward Chan wrote:

 I was talking to the MS support guy who wrote that article.  He said he
 has spoken with the engineers and assures me that it is not possible
 with DH keys.
 
 But if someone knows otherwise, I'd really love some sample code.
 

Well the alternative of using a known key still exists: either a
symmetric or asymmetric one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: BIGNUM library

2007-04-18 Thread Edward Chan
I was talking to the MS support guy who wrote that article.  He said he
has spoken with the engineers and assures me that it is not possible
with DH keys.  

But if someone knows otherwise, I'd really love some sample code.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 17, 2007 4:40 PM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007, Edward Chan wrote:

 The problem with CryptoAPI is that it doesn't give you direct access to
 the shared secret.  But I suspect it is wrong since the
 encryption/decryption fails (I encrypt something, and decrypt it, to
 make sure it is the same as the original).
 

It doesn't give you *direct* access to the shared secret or indeed other types
of symmetric or asymmetric keys but there are back door ways of getting hold
of the key anyway.

One way is to encrypt the key using a public key to which you know the
corresponding private key and then obtaining the unencrypted result using
OpenSSL. Another trick is in an MS KB article somewhere which relies on using
a key with an exponent of 1.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: BIGNUM library

2007-04-17 Thread Edward Chan
Thanks for the reply.  So I'm a bit confused as to how different crypto
packages interoperate.  I've been having a problem with MS CryptoAPI
doing a DH key exchange with OpenSSL.  There are some quirks such as
byte order, and a couple other things.  But for the most part, I have it
working.  But occasionally, I get failures which I suspect is due to the
BIGNUM format of the pubkey that is exchanged.  Has anybody had success
getting these 2 libs working together?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Tuesday, April 17, 2007 1:55 AM
To: openssl-users@openssl.org
Subject: RE: BIGNUM library

Hello,
 Is there a specification on the format of a BIGNUM that someone can
 point me to?
Probably headers files.

  Is there a standard encoding/format that everyone adheres to?
Probably not.

   Or would different libraries have their own encodings?  I hope not.
Most bignum libraries use their own formats, in general they are
very close (structure with words/limbs, some counters, sign
variable ...). Sometimes APIs between libraries are almost the same.

 How easy or difficult would it be to extract just the BIGNUM library
 from OpenSSL?  Are there any documents on how to do this?
Very easy, but if you think about bignum library I think GMP
is better than extract from OpenSSL.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: BIGNUM library

2007-04-17 Thread Edward Chan
Right, I see what you're saying.  I realize I'm not actually passing a
BIGNUM.  Let me clarify, this is what I'm doing.

First I call DH_new() to get a new DH object.

Then I fill in the p & g members of the DH obj with pre-generated prime
and generator.

Then I call DH_generate_key() which generates the pub_key and priv_key
pair.  

I then do a BN_bn2bin() on the pub_key member to get a byte array
representation of the BIGNUM.

This is then passed to CryptoAPI.  What is the binary format returned by
BN_bn2bin()?  Is this ASN.1 formatted?  It seems to work most of the
time.  But occasionally fails.  Sometimes OpenSSL returns me a pubkey
< 128 bytes, whereas CryptoAPI seems to always expect 128 (and
similarly, always returns me 128 bytes).  So in cases where OpenSSL
gives me < 128, I front pad with zeros.  And this also seems to work
most of the time.  But very rarely, I'll still get a failure.  But even
if OpenSSL gives me back 128 bytes, I still sporadically get failures.
So I suspect there is some incompatibility with the binary
representations of the BIGNUM.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, April 17, 2007 8:49 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007 at 08:42:12AM -0700, Edward Chan wrote:

 Thanks for the reply.  So I'm a bit confused as to how different crypto
 packages interoperate.  I've been having a problem with MS CryptoAPI
 doing a DH key exchange with OpenSSL.  There are some quirks such as
 byte order, and a couple other things.  But for the most part, I have it
 working.  But occasionally, I get failures which I suspect is due to the
 BIGNUM format of the pubkey that is exchanged.  Has anybody had success
 getting these 2 libs working together?

You are confusing BIGNUM which is an internal library structure for
performing high precision integer arithmetic, with ASN.1 which is an on
the wire format for serialized data. The protocols that exchange public
keys, ... are not sending BIGNUM structures around, OpenSSL serializes
and de-deserializes BIGNUMs to/from appropriate ASN.1 structures.

For example X.509v3 is an ASN.1 data structure that contains some large
integers, but they are not in any sense BIGNUMs until OpenSSL parses
the ASN.1 and constructs its own (X509 *) structure, in which some of
the fields ultimately contain BIGNUM references. The serialized ASN.1
is standard, the in-memory (X509 *) is OpenSSL specific.

-- 
Viktor.


RE: BIGNUM library

2007-04-17 Thread Edward Chan
The problem with CryptoAPI is that it doesn't give you direct access to
the shared secret.  But I suspect it is wrong since the
encryption/decryption fails (I encrypt something, and decrypt it, to
make sure it is the same as the original).

I agree that a format difference is unlikely.  That's why I suspect it
may be related to padding.  I checked the binary output from BN_bn2bin()
and it does seem to be ASN.1 formatted.  At least it matches the data
from a call to BN_to_ASN1_INTEGER().  But like Dr. Steve said, it is not
likely a format difference.

The endian-ness is a problem.  MS likes it in little-endian.  That's why
I have to reverse the bytes of the pubkey before passing it to CAPI.  So
what I do is,

BN_bn2bin(dh->pub_key, buf);
ReverseBytes(buf, size); // MS CAPI requires this in little-endian

MS CAPI also seems to require that the pubkey always be 128 bytes.  So
here, I pad with zeros before reversing the byte order.  This works
almost all the time.  But I do still get very infrequent
failures.  But more often, I get failures even when OpenSSL is giving me
exactly 128 bytes.

I think the sign seems to be a good place to investigate.  I'll let you
know what I find.  Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 17, 2007 11:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007, Edward Chan wrote:

 Right, I see what you're saying.  I realize I'm not actually passing a
 BIGNUM.  Let me clarify, this is what I'm doing.
 
 First I call DH_new() to get a new DH object.
 
 Then I fill in the p & g members of the DH obj with pre-generated prime
 and generator.
 
 Then I call DH_generate_key() which generates the pub_key and priv_key
 pair.  
 
 I then do a BN_bn2bin() on the pub_key member to get a byte array
 representation of the BIGNUM.
 
 This is then passed to CryptoAPI.  What is the binary format returned by
 BN_bn2bin()?  Is this ASN.1 formatted?  It seems to work most of the
 time.  But occasionally fails.  Sometimes OpenSSL returns me a pubkey
 < 128 bytes, whereas CryptoAPI seems to always expect 128 (and
 similarly, always returns me 128 bytes).  So in cases where OpenSSL
 gives me < 128, I front pad with zeros.  And this also seems to work
 most of the time.  But very rarely, I'll still get a failure.  But even
 if OpenSSL gives me back 128 bytes, I still sporadically get failures.
 So I suspect there is some incompatibility with the binary
 representations of the BIGNUM.
 

A format difference would be unlikely to cause problems only occasionally.

BN_bn2bin() outputs in big endian format with no padding ignoring any sign.

I suggest you log the key pairs of both sides in the case where you get a
failure and the shared secrets from both implementations.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: BIGNUM library

2007-04-17 Thread Edward Chan
Arg, I'm still getting failures even though the pubkey computed by
openssl is not negative and padding is not required.  Any other ideas?
I'm desperate.  A year's supply of Guinness for the person who can help
here :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
Sent: Tuesday, April 17, 2007 11:15 AM
To: openssl-users@openssl.org
Subject: RE: BIGNUM library

The problem with CryptoAPI is that it doesn't give you direct access to
the shared secret.  But I suspect it is wrong since the
encryption/decryption fails (I encrypt something, and decrypt it, to
make sure it is the same as the original).

I agree that a format difference is unlikely.  That's why I suspect it
may be related to padding.  I checked the binary output from BN_bn2bin()
and it does seem to be ASN.1 formatted.  At least it matches the data
from a call to BN_to_ASN1_INTEGER().  But like Dr. Steve said, it is not
likely a format difference.

The endian-ness is a problem.  MS likes it in little-endian.  That's why
I have to reverse the bytes of the pubkey before passing it to CAPI.  So
what I do is,

BN_bn2bin(dh->pub_key, buf);
ReverseBytes(buf, size); // MS CAPI requires this in little-endian

MS CAPI also seems to require that the pubkey always be 128 bytes.  So
here, I pad with zeros before reversing the byte order.  This works
almost all the time.  But I do still get very infrequent
failures.  But more often, I get failures even when OpenSSL is giving me
exactly 128 bytes.

I think the sign seems to be a good place to investigate.  I'll let you
know what I find.  Thanks!


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 17, 2007 11:03 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007, Edward Chan wrote:

 Right, I see what you're saying.  I realize I'm not actually passing a
 BIGNUM.  Let me clarify, this is what I'm doing.
 
 First I call DH_new() to get a new DH object.
 
 Then I fill in the p & g members of the DH obj with pre-generated prime
 and generator.
 
 Then I call DH_generate_key() which generates the pub_key and priv_key
 pair.  
 
 I then do a BN_bn2bin() on the pub_key member to get a byte array
 representation of the BIGNUM.
 
 This is then passed to CryptoAPI.  What is the binary format returned by
 BN_bn2bin()?  Is this ASN.1 formatted?  It seems to work most of the
 time.  But occasionally fails.  Sometimes OpenSSL returns me a pubkey
 < 128 bytes, whereas CryptoAPI seems to always expect 128 (and
 similarly, always returns me 128 bytes).  So in cases where OpenSSL
 gives me < 128, I front pad with zeros.  And this also seems to work
 most of the time.  But very rarely, I'll still get a failure.  But even
 if OpenSSL gives me back 128 bytes, I still sporadically get failures.
 So I suspect there is some incompatibility with the binary
 representations of the BIGNUM.
 

A format difference would be unlikely to cause problems only occasionally.

BN_bn2bin() outputs in big endian format with no padding ignoring any sign.

I suggest you log the key pairs of both sides in the case where you get a
failure and the shared secrets from both implementations.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: BIGNUM library

2007-04-17 Thread Edward Chan
Hmm, that's interesting.  Then why does this seem to work most of the
time?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, April 17, 2007 11:32 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007 at 11:15:23AM -0700, Edward Chan wrote:

 BN_bn2bin(dh->pub_key, buf);
 ReverseBytes(buf, size); // MS CAPI requires this in little-endian

Reversing the BER encoded bytes of a big endian integer does not yield
the BER encoding of the corresponding little-endian integer.

-- 
Viktor.


RE: BIGNUM library

2007-04-17 Thread Edward Chan
Honestly, I have no idea how CryptoAPI handles this stuff.  And
documentation is hard to come by.  But I can say that in the failure
cases I'm seeing, OpenSSL is indeed giving me back a positive BIGNUM.
So at least on our side it doesn't appear to be a signed/unsigned
issue.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor Duchovni
Sent: Tuesday, April 17, 2007 11:38 AM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007 at 02:31:50PM -0400, Victor Duchovni wrote:

 On Tue, Apr 17, 2007 at 11:15:23AM -0700, Edward Chan wrote:
 
  BN_bn2bin(dh->pub_key, buf);
  ReverseBytes(buf, size); // MS CAPI requires this in little-endian
 
 Reversing the BER encoded bytes of a big endian integer does not yield
 the BER encoding of the corresponding little-endian integer.

But of course BN_bn2bin() does not return BER encoded data (ASN.1), so
the issue is elsewhere.

How does CryptoAPI handle signs of little-endian numbers? Are they signed
or unsigned?

-- 
Viktor.


BIGNUM library

2007-04-16 Thread Edward Chan
How easy or difficult would it be to extract just the BIGNUM library
from OpenSSL?  Are there any documents on how to do this?

 

Thanks,

Ed



RE: BIGNUM library

2007-04-16 Thread Edward Chan
Is there a specification on the format of a BIGNUM that someone can
point me to?  Is there a standard encoding/format that everyone adheres
to?  Or would different libraries have their own encodings?  I hope not.

 

Thanks,

Ed

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
Sent: Monday, April 16, 2007 4:27 PM
To: openssl-users@openssl.org
Subject: BIGNUM library

 

How easy or difficult would it be to extract just the BIGNUM library
from OpenSSL?  Are there any documents on how to do this?

 

Thanks,

Ed



EVP_EncryptUpdate and in-buffer encryption

2007-02-05 Thread Edward Chan
Is it ok to pass the same input buffer for the output buffer when using
EVP_EncryptUpdate with RC4?



RE: SSL_CTX_load_verify_locations on linux

2007-01-14 Thread Edward Chan
Ah, very interesting.  I'll look into this one.  Seems like this would
be a very useful API for people.  Is it undocumented because nobody got
around to documenting it?  Or is it not really meant for public
consumption?  

Ed

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jens Doenhoff
Sent: Sunday, January 14, 2007 12:48 AM
To: openssl-users@openssl.org
Subject: Re: SSL_CTX_load_verify_locations on linux

Hi.

--On Friday, January 12, 2007 11:24:42 PM -0800 Edward Chan 
[EMAIL PROTECTED] wrote:

 Does anybody know where the trusted root certificates can be found on
 linux?

I think most often the default is /etc/ssl/certs/
But it might differ from distribution to distribution.

 Or is there a way I can use a default
 location without having to specify anything explicitly?

There is the function

int SSL_CTX_set_default_verify_paths(SSL_CTX*)

which adds the system-wide default certs path to the verify CApath (just
like SSL_CTX_load_verify_locations).
Unfortunately it's again one of those undocumented features ;)

Greetings,

Jens



RE: Doing a DH key exchange between OpenSSL and MS CryptoAPI

2007-01-13 Thread Edward Chan
I do call the OpenSSL DH crypto API's in my openssl client. But in my
Microsoft CryptoAPI client, the way they show you how to do a DH key
exchange seems like it only works between two MS CryptoAPI end points.
CAPI to CAPI works.  OpenSSL to OpenSSL works.  I just can't get OpenSSL
to CAPI to work.  And I believe it has something to do with the
Microsoft formatting of their keys when exported.  So I was wondering if
anybody here has had to develop an app that needs to interoperate with a
CAPI client/server.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of karthik kumar
Sent: Thursday, January 11, 2007 1:50 AM
To: openssl-users@openssl.org
Subject: Re: Doing a DH key exchange between OpenSSL and MS CryptoAPI

 

if you want to use different keys then you can implement a DH key exchange
calling the OpenSSL DH crypto APIs. Bind, I think, uses the OpenSSL
crypto APIs.

On 12/20/06, Edward Chan [EMAIL PROTECTED] wrote: 

Has anybody done this?  I can get it to work when both ends are the
same.  But I can't do it when they are different.  I also notice the
public key computed by CryptoAPI is 16 bytes larger than that computed
by OpenSSL which I assume is due to some hdr information in the KEYBLOB
that MS generates?  Does anyone have any experience with CryptoAPI and
getting it to work with OpenSSL? 

Thanks in advance, 
Ed 

 



RE: Doing a DH key exchange between OpenSSL and MS CryptoAPI

2007-01-13 Thread Edward Chan
Thanks for the reply.  I've read the various MSDN documents concerning
this, and I don't really see anything helpful.  The support guy at
Microsoft seems clueless and I'm still waiting to hear back from him.
So putting aside how to do the conversions, is there no standard format
that most crypto libs use?  I've written apps with RSA BSAFE Crypto-C
ME, and Certicom libraries and they all can do a DH key exchange with
each other and OpenSSL nicely; it's just CAPI that is the problem.  I'd
rather like to avoid having to convert to MS's stupid format since they
seem to be the one not playing nice with everyone else and because the
client can be either a CAPI client, or OpenSSL client, and I think it
would be ugly to have to send additional info indicating the crypto lib
being used and then have a special case in the server to handle
different libs differently.

At the risk of asking too much, could you point me to where I can find
more info on converting to and from the two formats used by OpenSSL and
CAPI?  The only thing I've seen on MSDN talks about the BLOB headers and
stuff.  That's all fine, I've figured all that out.  And I'm left with
the modulus (excuse me if the terminology is wrong) which I believe is
what is being exchanged.  Then converting from big to little endian or
vice versa still doesn't work.

Excuse me if I'm sounding a little desperate, but I am.  I've scoured
the MSDN docs.  I've searched thru the OpenSSL mail archives, and I
can't seem to find anything that helps, but this is obviously something
that people have done.  I tried making an https connection using WinInet
to my OpenSSL server to see if I can debug the DH key exchange, but
seems like it is doing RSA instead.  If I disable RSA, the SSL handshake
seems to fail, I think because the client won't do a DH key exchange.
So I'm pretty much F'd at this point as to what to do next.

Thanks,
Ed

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Saturday, January 13, 2007 11:05 AM
To: openssl-users@openssl.org
Subject: Re: Doing a DH key exchange between OpenSSL and MS CryptoAPI

On Sat, Jan 13, 2007, Edward Chan wrote:

 I do call the OpenSSL DH crypto API's in my openssl client. But in my
 Microsoft CryptoAPI client, the way they show you how to do a DH key
 exchange seems like it only works between two MS CryptoAPI end points.
 CAPI to CAPI works.  OpenSSL to OpenSSL works.  I just can't get OpenSSL
 to CAPI to work.  And I believe it has something to do with the
 Microsoft formatting of their keys when exported.  So I was wondering if
 anybody here has had to develop an app that needs to interoperate with a
 CAPI client/server.
 
 

I've done some CAPI/OpenSSL interop. It is just a case of reading the
relevant documents and converting between the key formats. CryptoAPI
generally uses little endian format while OpenSSL uses BIGNUMs which can
be converted to big endian format and from that to little endian.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
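
The conversion Steve describes above, as an added example that is not part of the original thread or of either library's code: wrapping a big-endian DH public value in a CryptoAPI-style public key blob and unwrapping it again. The 16-byte header layout and its constants (0x06, 0x02, 0xaa02, 0x31484400) are assumptions to check against wincrypt.h, and the function names are hypothetical; the point it adds is that the value must be padded to the full modulus length before the byte order is reversed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16u   /* assumed: 8-byte BLOBHEADER followed by 8-byte DHPUBKEY */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Wrap a big-endian public value (what BN_bn2bin produces) in a CryptoAPI-style blob.
 * be_len may be shorter than mod_len because leading zero bytes are not emitted;
 * the little-endian field is always mod_len bytes, zero-filled at the high end.
 * Returns the blob length, or 0 if the input does not fit. */
size_t be_to_capi_blob(const uint8_t *be, size_t be_len, size_t mod_len,
                       uint8_t *blob, size_t cap) {
    if (be_len > mod_len || cap < HDR_LEN + mod_len) return 0;
    blob[0] = 0x06;                               /* bType: PUBLICKEYBLOB (assumed) */
    blob[1] = 0x02;                               /* bVersion (assumed) */
    blob[2] = blob[3] = 0;                        /* reserved */
    put_le32(blob + 4, 0x0000aa02);               /* aiKeyAlg: CALG_DH_EPHEM (assumed) */
    put_le32(blob + 8, 0x31484400);               /* magic: "\0DH1" (assumed) */
    put_le32(blob + 12, (uint32_t)(mod_len * 8)); /* bitlen */
    memset(blob + HDR_LEN, 0, mod_len);
    for (size_t i = 0; i < be_len; i++)
        blob[HDR_LEN + i] = be[be_len - 1 - i];   /* least significant byte first */
    return HDR_LEN + mod_len;
}

/* Strip the header and return the value as big-endian bytes (ready for BN_bin2bn).
 * Returns the number of bytes written, or 0 if the blob is malformed. */
size_t capi_blob_to_be(const uint8_t *blob, size_t blob_len, uint8_t *be, size_t cap) {
    size_t n;
    if (blob_len < HDR_LEN || blob[0] != 0x06 || get_le32(blob + 8) != 0x31484400) return 0;
    n = get_le32(blob + 12) / 8;
    if (n == 0 || blob_len != HDR_LEN + n || cap < n) return 0;
    for (size_t i = 0; i < n; i++) be[i] = blob[HDR_LEN + n - 1 - i];
    return n;
}

/* Constructed sample: a 3-byte value against a toy 8-byte "modulus length". */
int roundtrip_ok(void) {
    static const uint8_t be[3] = {0x01, 0x02, 0x03};
    static const uint8_t want_le[8] = {0x03, 0x02, 0x01, 0, 0, 0, 0, 0};
    static const uint8_t want_be[8] = {0, 0, 0, 0, 0, 0x01, 0x02, 0x03};
    uint8_t blob[HDR_LEN + 8], back[8];
    if (be_to_capi_blob(be, 3, 8, blob, sizeof blob) != HDR_LEN + 8) return 0;
    if (memcmp(blob + HDR_LEN, want_le, 8) != 0) return 0;
    if (capi_blob_to_be(blob, sizeof blob, back, sizeof back) != 8) return 0;
    return memcmp(back, want_be, 8) == 0;
}

int main(void) {
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```
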


SSL_CTX_load_verify_locations on linux

2007-01-12 Thread Edward Chan
Hi there,

 

Does anybody know where the trusted root certificates can be found on
linux?  I'm basically looking for the equivalent to the Windows
certificate store on Linux so I can point
SSL_CTX_load_verify_locations() to these trusted root ca certs.  Or is
there a way I can use a default location without having to specify
anything explicitly?

 

Thanks,

Ed



RE: Question on how to use AES-128-CTR

2006-12-26 Thread Edward Chan
Never mind, I think I figured out my problem.  Seems like the other
crypto libs I'm using assume the counter is in the lower 64 bits of the
initialization vector.  But OpenSSL looks like it was built with
L_ENDIAN defined which assumes the counter is in the upper 64 bits.
Does this sound right?  After I copied the code from aes_ctr.c and
modified the AES_ctr128_inc to remove the L_ENDIAN code, things seem to
work as expected now.
 
Can somebody comment on why this is?  I saw some discussion on the
openssl-dev list back in 2003.  Is there no standard on where the
counter should reside?  If it is different for different libs, how do
libs inter-operate with each other?
 
Thanks,
Ed




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
Sent: Friday, December 22, 2006 11:28 PM
To: openssl-users@openssl.org
Subject: Question on how to use AES-128-CTR



I'm playing with various crypto libraries to encrypt/decrypt in
AES-128-CTR.  2 of the 3 libs inter-operate fine with each other; i.e. I
can encrypt with one and decrypt with the other and vice versa.
However, when I use openssl with any of these libs, I am having
problems.  It seems like up to the first 16 bytes is decrypted fine.
But after that, it's messed up.  For example, if I use openssl to
encrypt the string, 12345678901234567890, the other end will only
decrypt 1234567890123456 followed by 4 bytes of garbage.  And if the
other lib encrypts 12345678901234567890, openssl will only decrypt
1234567890123456 followed by 4 bytes of garbage.  However, if both
ends are openssl, everything seems fine.  But because the other 2 libs
seem to work well with each other, I guess I'm not using the openssl
APIs correctly?  Below is the code for my AES-128-CTR
encrypter/decrypter

#include <cassert>
#include <cstring>
#include <openssl/aes.h>

// U8 and U32 are not defined in the post; these definitions are assumed.
typedef unsigned char U8;
typedef unsigned int  U32;

class AES128CTR
{
protected:
    bool    m_bEncrypt; // indicates if this is used to encrypt or decrypt
    AES_KEY m_key;
    U8      m_iv[AES_BLOCK_SIZE];
    U8      m_ecount_buf[AES_BLOCK_SIZE];
    U32     m_num;

public:
    AES128CTR(const U8* key, U32 len, const U8* iv, U32 ivlen, bool bEncrypt)
        : m_bEncrypt(bEncrypt), m_num(0)
    {
        assert(len >= 16 && ivlen >= 16);
        if (len < 16 || ivlen < 16) return; // key and iv need to be 128-bits
        len = ivlen = 16;

        memcpy(m_iv, iv, ivlen);

        memset(m_ecount_buf, 0, sizeof(m_ecount_buf));

        int ret = AES_set_encrypt_key(key, len*8/*bits*/, &m_key); // returns 0 for success
        assert(!ret);
    }
    virtual ~AES128CTR()
    {
    }
    bool encrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
    {
        if (m_bEncrypt)
        {
            AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
            *outlen = inlen;
            return true;
        }
        return false;
    }
    bool decrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
    {
        if (!m_bEncrypt)
        {
            // NOTE: calling AES_ctr128_encrypt to decrypt because
            // AES_ctr128_encrypt is its own inverse.
            AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
            *outlen = inlen;
            return true;
        }
        return false;
    }
};

// this is how I encrypt data
// (key and iv are the 16-byte key and IV buffers, set up elsewhere)
AES128CTR aesEncrypt(key, 16, iv, 16, true);
const char* str = "12345678901234567890";
U8 ciphertext[1024];
U32 len = sizeof(ciphertext);
aesEncrypt.encrypt((U8*)str, strlen(str), ciphertext, &len);

...

// this is how I decrypt data
AES128CTR aesDecrypt(key, 16, iv, 16, false);
U8 plaintext[1024];
U32 len = sizeof(plaintext);
aesDecrypt.decrypt(in, inlen, plaintext, &len);
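
The counter-placement mismatch described in this reply, as an added example that is not part of the original thread and is not OpenSSL's code: a self-contained AES-128-CTR in C whose 64-bit counter is stepped either in bytes 8..15 or in bytes 0..7 of the IV block. The byte order inside each half, the sample IV and all names are assumptions; it shows that two ends disagreeing on the layout share the first keystream block and diverge after it, which is the "16 good bytes, then garbage" symptom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t sbox[256];
static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint8_t rotl8(uint8_t x, int n) { return (uint8_t)((x << n) | (x >> (8 - n))); }
static void init_sbox(void) {            /* AES S-box: GF(2^8) inverse, then affine map */
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ xtime(p));                         /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                             /* q /= 3, so p * q == 1 */
        sbox[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;                                          /* 0 has no inverse */
}

static void expand_key(const uint8_t key[16], uint8_t rk[176]) {   /* 11 round keys */
    uint8_t rcon = 1, t[4], t0;
    if (!sbox[0]) init_sbox();
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {                                   /* RotWord, SubWord, Rcon */
            t0 = t[0]; t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]];
            t[2] = sbox[t[3]]; t[3] = sbox[t0]; rcon = xtime(rcon);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}

static void aes128_encrypt_block(const uint8_t rk[176], const uint8_t in[16], uint8_t out[16]) {
    uint8_t s[16], t[16];
    for (int i = 0; i < 16; i++) s[i] = in[i] ^ rk[i];
    for (int round = 1; round <= 10; round++) {
        for (int i = 0; i < 16; i++) t[i] = sbox[s[(i + 4 * (i % 4)) % 16]];  /* SubBytes + ShiftRows */
        for (int c = 0; c < 4 && round < 10; c++) {          /* MixColumns, not in round 10 */
            uint8_t *a = t + 4 * c, a0 = a[0], all = a[0] ^ a[1] ^ a[2] ^ a[3];
            a[0] ^= all ^ xtime(a[0] ^ a[1]); a[1] ^= all ^ xtime(a[1] ^ a[2]);
            a[2] ^= all ^ xtime(a[2] ^ a[3]); a[3] ^= all ^ xtime(a[3] ^ a0);
        }
        for (int i = 0; i < 16; i++) s[i] = t[i] ^ rk[16 * round + i];
    }
    memcpy(out, s, 16);
}

enum ctr_layout { CTR_IN_LOW_HALF, CTR_IN_HIGH_HALF };      /* counter in bytes 8..15 or 0..7 */
static void ctr_inc(uint8_t blk[16], enum ctr_layout layout) {  /* 64-bit big-endian step (assumed) */
    int last = (layout == CTR_IN_LOW_HALF) ? 15 : 7;
    for (int i = last; i > last - 8; i--)
        if (++blk[i] != 0) break;                            /* stop unless the byte wrapped */
}

/* CTR mode: XOR data with E_k(counter block); the same call encrypts and decrypts. */
static void ctr_crypt(const uint8_t key[16], const uint8_t iv[16], enum ctr_layout layout,
                      const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t rk[176], blk[16], ks[16];
    expand_key(key, rk);
    memcpy(blk, iv, 16);
    for (size_t i = 0; i < len; i++) {
        if (i % 16 == 0) {                                   /* next keystream block */
            aes128_encrypt_block(rk, blk, ks);
            ctr_inc(blk, layout);
        }
        out[i] = in[i] ^ ks[i % 16];
    }
}

static const uint8_t KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};        /* FIPS-197 example key */
static const uint8_t IV[16] = {16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31}; /* constructed IV */
static const char MSG[] = "12345678901234567890";            /* test string from the post */

int aes_kat_ok(void) {                   /* FIPS-197 Appendix C.1 known-answer check */
    static const uint8_t pt[] = "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff";
    static const uint8_t want[] = "\x69\xc4\xe0\xd8\x6a\x7b\x04\x30\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a";
    uint8_t rk[176], got[16];
    expand_key(KEY, rk);
    aes128_encrypt_block(rk, pt, got);
    return memcmp(got, want, 16) == 0;
}

/* Encrypt MSG under one layout, decrypt under another; count leading bytes recovered. */
size_t recovered_prefix(enum ctr_layout enc, enum ctr_layout dec) {
    uint8_t ct[20], pt[20];
    size_t n = 0;
    ctr_crypt(KEY, IV, enc, (const uint8_t *)MSG, ct, 20);
    ctr_crypt(KEY, IV, dec, ct, pt, 20);
    while (n < 20 && pt[n] == (uint8_t)MSG[n]) n++;
    return n;
}

int main(void) {
    printf("known-answer test: %s\n", aes_kat_ok() ? "ok" : "FAILED");
    printf("same layout:  %zu of 20 bytes recovered\n", recovered_prefix(CTR_IN_LOW_HALF, CTR_IN_LOW_HALF));
    printf("mixed layout: %zu of 20 bytes recovered\n", recovered_prefix(CTR_IN_HIGH_HALF, CTR_IN_LOW_HALF));
    return 0;
}
```
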



RE: SSL_use_certificate_chain_file error

2006-12-25 Thread Edward Chan
Is the cert PEM or ASN1 encoded?  I think
SSL_use_certificate_chain_file() only works with PEM.  Are you passing
SSL_FILETYPE_ASN1 for the type parameter to SSL_use_certificate_file()?
If so, that might explain why one works and the other doesn't.
 
Ed




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sendil kumar
Sent: Sunday, December 24, 2006 10:39 PM
To: openssl-users@openssl.org
Subject: SSL_use_certificate_chain_file error


Hi All,
 
When I connect a SSL client from windows to SSL server in unix,
the SSL_use_certificate_chain_file errors out and returns zero and when
I see the error stack there were no errors in it but at that same time
when I use SSL_use_certificate_file it runs fine. I was unable to trace
the error. Could you please help me, this is a P1 bug reported in my
application by the user and I need to solve this as quickly as possible.

 
Thanks,
Sendil Kumar,
Software Engineer,
Brooks Software,
India.






Question on how to use AES-128-CTR

2006-12-23 Thread Edward Chan
I'm playing with various crypto libraries to encrypt/decrypt in
AES-128-CTR.  2 of the 3 libs inter-operate fine with each other; i.e. I
can encrypt with one and decrypt with the other and vice versa.
However, when I use openssl with any of these libs, I am having
problems.  It seems like up to the first 16 bytes is decrypted fine.
But after that, it's messed up.  For example, if I use openssl to
encrypt the string, 12345678901234567890, the other end will only
decrypt 1234567890123456 followed by 4 bytes of garbage.  And if the
other lib encrypts 12345678901234567890, openssl will only decrypt
1234567890123456 followed by 4 bytes of garbage.  However, if both
ends are openssl, everything seems fine.  But because the other 2 libs
seem to work well with each other, I guess I'm not using the openssl
APIs correctly?  Below is the code for my AES-128-CTR
encrypter/decrypter

#include <cassert>
#include <cstring>
#include <openssl/aes.h>

// U8 and U32 are not defined in the post; these definitions are assumed.
typedef unsigned char U8;
typedef unsigned int  U32;

class AES128CTR
{
protected:
    bool    m_bEncrypt; // indicates if this is used to encrypt or decrypt
    AES_KEY m_key;
    U8      m_iv[AES_BLOCK_SIZE];
    U8      m_ecount_buf[AES_BLOCK_SIZE];
    U32     m_num;

public:
    AES128CTR(const U8* key, U32 len, const U8* iv, U32 ivlen, bool bEncrypt)
        : m_bEncrypt(bEncrypt), m_num(0)
    {
        assert(len >= 16 && ivlen >= 16);
        if (len < 16 || ivlen < 16) return; // key and iv need to be 128-bits
        len = ivlen = 16;

        memcpy(m_iv, iv, ivlen);

        memset(m_ecount_buf, 0, sizeof(m_ecount_buf));

        int ret = AES_set_encrypt_key(key, len*8/*bits*/, &m_key); // returns 0 for success
        assert(!ret);
    }
    virtual ~AES128CTR()
    {
    }
    bool encrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
    {
        if (m_bEncrypt)
        {
            AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
            *outlen = inlen;
            return true;
        }
        return false;
    }
    bool decrypt(const U8* in, U32 inlen, U8* out, U32* outlen)
    {
        if (!m_bEncrypt)
        {
            // NOTE: calling AES_ctr128_encrypt to decrypt because
            // AES_ctr128_encrypt is its own inverse.
            AES_ctr128_encrypt(in, out, inlen, &m_key, m_iv, m_ecount_buf, &m_num);
            *outlen = inlen;
            return true;
        }
        return false;
    }
};

// this is how I encrypt data
// (key and iv are the 16-byte key and IV buffers, set up elsewhere)
AES128CTR aesEncrypt(key, 16, iv, 16, true);
const char* str = "12345678901234567890";
U8 ciphertext[1024];
U32 len = sizeof(ciphertext);
aesEncrypt.encrypt((U8*)str, strlen(str), ciphertext, &len);

...

// this is how I decrypt data
AES128CTR aesDecrypt(key, 16, iv, 16, false);
U8 plaintext[1024];
U32 len = sizeof(plaintext);
aesDecrypt.decrypt(in, inlen, plaintext, &len);



Doing a DH key exchange between OpenSSL and MS CryptoAPI

2006-12-19 Thread Edward Chan
Has anybody done this?  I can get it to work when both ends are the
same.  But I can't do it when they are different.  I also notice the
public key computed by CryptoAPI is 16 bytes larger than that computed
by OpenSSL which I assume is due to some hdr information in the KEYBLOB
that MS generates?  Does anyone have any experience with CryptoAPI and
getting it to work with OpenSSL?

Thanks in advance,
Ed


AES-128-CTR

2006-12-05 Thread Edward Chan
Can anybody point me to some examples on how to use AES-128 in counter
mode?  Is this supported thru the EVP interface, or do I need to use the
lower-level API's, such as AES_128ctr_encrypt/decrypt()?

Also, looking at the signature of these API's in aes.h, I don't see a
return code, or anything indicating successful encryption/decryption?

Thanks,
Ed


Questions about ECC

2006-11-18 Thread Edward Chan
Is ECC only used where public key cryptography would be used?  As a
replacement for DH, for example?  Or can it be used where symmetric
cryptography would be used?

Also, are there any IP issues related to using it?  I thought I read
that many aspects of ECC have been patented by various people and
companies around the world; Certicom holds like 130 patents around ECC.
I also read that the NSA actually licensed Certicom's intellectual
property in a restricted field of use.

Does OpenSSL support ECC?  And given the IP issues surrounding it, is
it ok for people to use it?

Sorry, I know this is not directly related to OpenSSL.  But I appreciate
you taking the time to help me get my head around this.

Thanks,
Ed


BSafe vs. OpenSSL

2006-11-08 Thread Edward Chan
Has anyone done any performance measurements with Bsafe vs. OpenSSL for AES encryption? Or even for general SSL performance? Would you recommend Bsafe over OpenSSL for some things and not others, or vice versa?

I'm sure OpenSSL is faster :) But just curious what others experiences are.


Thanks,

Ed





RE: How to do client verification?

2006-11-02 Thread Edward Chan
This helps.  Thanks.  Also, checking if the certificate is issued/signed
by a certificate authority that I trust is done during the call to
SSL_connect/accept right?  At least it seems to be.

I guess I should check the Apache configuration to see how they do it.
I basically want to model my server like that.

Thanks,
Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Olaf Gellert
 Sent: Thursday, November 02, 2006 1:25 AM
 To: openssl-users@openssl.org
 Subject: Re: How to do client verification?
 
 Hi,
 
 Edward Chan wrote:
  I want to verify that whoever the client is claiming to be, is
  actually allowed to connect.  However, I don't know where to find this
  information in the cert.  Are there standard fields where this
  information can be found.  For example, in the book, Network Security
  with OpenSSL, there is sample code for verifying that the server is
  actually who the client connected to.  It first looks for the Subject
  Alternative Name field, then looks for the DNS field within that
  and checks if this matches the hostname being connected to.
  If the DNS field is not found, it then checks the Subject field for
  the Common Name field and checks if this matches the hostname being
  connected to.
  Is this the proper way to verify the server cert?  And would this work
  for most, if not all, server certs the client might receive?  Are
  these typically the fields that one would use to enter the server's
  identity?
 
 Well, this way of verifying the server's DNS name seems pretty
 reasonable. But the main check is not mentioned:
 You check if the certificate of the server was issued by a 
 certification authority that you trust! It's easy to trick a 
 client to connect to a wrong server (usually using some 
 tricks on DNS), but it should be impossible for an attacker 
 to forge a certificate in a way that it has a valid signature 
 from a trusted certification authority.
 
  I'm looking for something similar for verifying the client?
  Is there some set of fields that are typically used to enter the
  client's identity?  Would the same fields be used for a client cert?
 
 Well, clients are usually different. There is nothing that 
 specifies what you (or a certification authority) write in 
 the certificates of a client. Usually it depends a lot on 
 your application. So what are you doing: Do you authenticate 
 client hosts (so maybe a DNS field or the subject field would 
 contain a host name)? Or do you authenticate users (for 
 example S/MIME email)?
 Then the subject field would usually contain the full name of 
 a user (and maybe something more to identify a specific user, 
 eg. a certain Adam Smith and not any Adam Smith that might exist...).
 
 For many secure applications you would just create an own 
 certification authority and issue certificates yourself. Then 
 you would simply just trust this single certification 
 authority and you would not even need to check for the 
 clients (or users) name that is in the certificate.
 
 If you trust some CAs that issued more certificates than the 
 user certificates that you want to accept, you have to know 
 what's in there and check for the fields in the certificates. 
 A CA might issue certificates for your organization with the O field
 (organization) of your company, so this might be sufficient 
 to be checked.
 
 So there is nothing that you can rely on for every 
 certificate in the world, you have to know what the 
 certificates that you want to accept look like.
 And not to forget: First check if the certificate is valid 
 (valid signature from a CA that you trust, not expired, not 
 revoked), then check the contents.
 
 Apache/ModSSL uses regular expressions to check the contents 
 of the certificates, so you can configure Apache to check 
 nearly any fields of the certificates DN (Organization, 
 Organizational Unit, Subject, State, Location, Country, ...).
 
  Thanks in advance for taking the time to help out a rookie :)
 
 Well, hopefully this helps a bit.
 
 Cheers, Olaf
 
 -- 
 
 Dipl.Inform. Olaf Gellert   INTRUSION-LAB.NET
 Senior Researcher,  www.intrusion-lab.net
 PKI - and IDS - Services[EMAIL PROTECTED]
 


How to do client verification?

2006-11-01 Thread Edward Chan
Hi there,


I'm wondering what is the usual criteria for doing client verification? I've got everything coded to ask the client for a cert, and I get the cert by calling SSL_get_peer_certificate(). But I don't know what to check for to verify the client's identity. Is there some standard field(s) that are always present in a client certificate that should be checked for? 

Any sample code to read these fields out of an X509* would also be greatly appreciated.


Thanks,

Ed





RE: How to do client verification?

2006-11-01 Thread Edward Chan
I want to verify that whoever the client is claiming to be, is actually
allowed to connect.  However, I don't know where to find this
information in the cert.  Are there standard fields where this
information can be found.  For example, in the book, Network Security
with OpenSSL, there is sample code for verifying that the server is
actually who the client connected to.  It first looks for the Subject
Alternative Name field, then looks for the DNS field within that and
checks if this matches the hostname being connected to.  If the DNS
field is not found, it then checks the Subject field for the Common
Name field and checks if this matches the hostname being connected to.
Is this the proper way to verify the server cert?  And would this work
for most, if not all, server certs the client might receive?  Are these
typically the fields that one would use to enter the server's identity?

I'm looking for something similar for verifying the client?  Is there
some set of fields that are typically used to enter the client's
identity?  Would the same fields be used for a client cert?

I guess put a different way, if a webserver such as Apache was
configured to require client authentication, what would it do to verify
the client?  And is there a standard set of things to check?  Or does
Apache give the administrator a way to configure the criteria for client
authentication?

Thanks in advance for taking the time to help out a rookie :)

Ed



 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
 Sent: Wednesday, November 01, 2006 8:12 PM
 To: openssl-users@openssl.org
 Subject: RE: How to do client verification?
 
 
  I'm wondering what is the usual criteria for doing client
  verification?  I've got everything coded to ask the client for a cert,
  and I get the cert by calling SSL_get_peer_certificate().  But I don't
  know what to check for to verify the client's identity.  Is there some
  standard field(s) that are always present in a client certificate that
  should be checked for?
  Any sample code to read these fields out of an X509* would also be
  greatly appreciated.
 
 The 95% answer to questions on this list applies to you -- 
 what is your threat model? What are you trying to prevent?
 
 When you say verify the client's identity, what do you 
 mean? Do you mean:
 
 1) Verify that the client is some one particular person.
 
 2) Verify that the client was authorized by some one particular agent.
 
 3) Verify that we know who the client is, regardless of who 
 specifically he is.
 
 Or what?
 
 DS
 
 


RE: How to do client verification?

2006-11-01 Thread Edward Chan
For example, would something like this be the right way to verify a
client,

#include <set>
#include <string>
#include <openssl/ssl.h>
#include <openssl/x509.h>

// allowed_clients holds strings rather than char* so that find() compares
// contents, not pointer values.
int postAcceptCheck(SSL* ssl, const std::set<std::string>& allowed_clients)
{
    X509* cert = SSL_get_peer_certificate(ssl);
    if (cert)
    {
        X509_NAME* name = X509_get_subject_name(cert);
        if (name)
        {
            int count = X509_NAME_entry_count(name);

            // check if any field under Subject field matches a client in our allowed set
            for (int i = 0; i < count; i++)
            {
                X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i);
                if (entry)
                {
                    // copy the entry's value by length, so no manual null
                    // termination or delete[] is needed
                    std::string value((const char*)entry->value->data,
                                      entry->value->length);

                    if (allowed_clients.find(value) != allowed_clients.end())
                    {
                        // client authenticated
                        X509_free(cert);
                        return SSL_get_verify_result(ssl);
                    }
                }
            }
        }

        X509_free(cert);
    }

    return X509_V_ERR_APPLICATION_VERIFICATION;
}

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
 Sent: Wednesday, November 01, 2006 9:27 PM
 To: openssl-users@openssl.org
 Subject: RE: How to do client verification?
 
 I want to verify that whoever the client is claiming to be, 
 is actually allowed to connect.  However, I don't know where 
 to find this information in the cert.  Are there standard 
 fields where this information can be found.  For example, in 
 the book, Network Security with OpenSSL, there is sample 
 code for verifying that the server is actually who the client 
 connected to.  It first looks for the Subject Alternative 
 Name field, then looks for the DNS field within that and 
 checks if this matches the hostname being connected to.  If the DNS
 field is not found, it then checks the Subject field for 
 the Common Name field and checks if this matches the 
 hostname being connected to.
 Is this the proper way to verify the server cert?  And would 
 this work for most, if not all, server certs the client might 
 receive?  Are these typically the fields that one would use 
 to enter the server's identity?
 
 I'm looking for something similar for verifying the client?  
 Is there some set of fields that are typically used to enter 
 the client's identity?  Would the same fields be used for a 
 client cert?
 
 I guess put a different way, if a webserver such as Apache 
 was configured to require client authentication, what would 
 it do to verify the client?  And is there a standard set of 
 things to check?  Or does Apache give the administrator a way 
 to configure the criteria for client authentication?
 
 Thanks in advance for taking the time to help out a rookie :)
 
 Ed
 
 
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
  Sent: Wednesday, November 01, 2006 8:12 PM
  To: openssl-users@openssl.org
  Subject: RE: How to do client verification?
  
  
   I'm wondering what is the usual criteria for doing client 
   verification?  I've got everything coded to ask the client
  for a cert,
   and I get the cert by calling SSL_get_peer_certificate().  
  But I don't
   know what to check for to verify the client's identity.  Is
  there some
   standard
   field(s) that are always present in a client certificate
  that should
   be checked for?
   Any sample code to read these fields out of an X509* 
 would also be 
   greatly appreciated.
  
  The 95% answer to questions on this list applies to you -- what is 
  your threat model? What are you trying to prevent?
  
  When you say verify the client's identity, what do you 
 mean? Do you 
  mean:
  
  1) Verify that the client is some one particular person.
  
  2) Verify that the client was authorized by some one 
 particular agent.
  
  3) Verify that we know who the client is, regardless of who 
  specifically he is.
  
  Or what?
  
  DS
  
  
  

RE: How to share SSL session when using CreateProcess/execv

2006-10-12 Thread Edward Chan
I think that would be a very useful feature to have!  I could definitely
benefit from this in my application.  I look forward to when this
becomes available :)


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
 Sent: Thursday, October 12, 2006 11:06 AM
 To: openssl-users@openssl.org
 Subject: RE: How to share SSL session when using CreateProcess/execv
 
 
  Agreed.  If any object in shared memory contained a pointer 
 to another 
  object in shared memory this could cause a problem.  You 
 would have to 
  ensure that the shared memory was mapped to the same address in all 
  processes otherwise the pointers would not be valid.
 
  Cheers,
  Mark
 
 Since he's talking about a process that forks, there 
 shouldn't be a problem.
 He just needs to create a shared mapping in the parent. After 
 the 'fork', the address will still be the same.
 
 However, in general, I think OpenSSL really could benefit 
 from the ability to serialize an SSL session (and everything 
 else it might need from its parent context) into a chunk of 
 bytes that can be read in and used to initialize a 
 free-floating session (creating private copies of other 
 associated objects if needed).
 
 This would be handy both for debug and to allow an SSL 
 session to be handed off.
 
 DS
 
 


How to get an X509* from a PEM encoded certificate file

2006-10-10 Thread Edward Chan
I've got some questions about the following API's:


SSL_CTX_use_certificate_chain_file()

SSL_CTX_use_certificate_file()

SSL_CTX_add_extra_chain_cert()


If I have a single PEM encoded file that contains multiple certs, I should use SSL_CTX_use_certificate_chain_file(), correct?

If I have multiple cert files, I should use SSL_CTX_use_certificate_file() to load my cert, then use SSL_CTX_add_extra_chain_cert() to load the intermediate CA certs and finally the root CA's cert, correct?

If my certs are ASN.1 encoded, I can use d2i_X509_fp() to get an X509* to pass to SSL_CTX_add_extra_chain_cert(). But how do I get an X509* if I have a PEM encoded certificate file?

Thanks,

Ed





RE: Need help: Understanding SSL object in multi-threaded environment

2006-10-05 Thread Edward Chan
I'm sure David will have more to say about how the locking callbacks are
used in OpenSSL.  But my understanding is that just because you
implement these, you still cannot freely call SSL_read/SSL_write from
different threads without the proper locking.  The reason is because you
have direct access to the SSL* obj passed to these 2 functions.  The
locking callbacks probably provide the library with the locks necessary
for it to protect objects it uses internally that need synchronization.
But the SSL object is used in your code and it is totally up to you to
provide the necessary locking yourself.

At least that is my understanding, which so far seems to work in my
multi-threaded application.

Ed
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark
 Sent: Thursday, October 05, 2006 3:24 AM
 To: openssl-users@openssl.org
 Subject: RE: Need help: Understanding SSL object in 
 multi-threaded environment
 
 David,
 
   1. Is OpenSSL thread-safe?
   Yes (with limitations: an SSL connection may not
   concurrently be used by multiple threads)
  
  This means exactly what it says. A single SSL connection may not be
  used concurrently by multiple threads. This means it is illegal
  for one thread to do a 'write' on the connection at the same time
  another thread might be doing, say, a 'read'.
  
  You can share an SSL connection object among threads, but you must
  protect it yourself with a mutex or similar lock.
 
 I assume this a reason why OpenSSL has the locking callback functions.
 As long as you use these it is safe to share the object AFAIK.
 
 Regards, Mark


RE: Can SSL_accept() return SSL_ERROR_WANT_READ/WRITE for blocking sockets?

2005-11-22 Thread Edward Chan
The problem is, this happened on a machine not my own, and I cannot
reproduce this.  All I have to go by is the log, and unfortunately, I
didn't log the actual return value from SSL_accept().  All I know is
that it returned <= 0.  And that the error code returned by
ERR_get_error() was 0.  So I'm trying to figure out under what
circumstances this might happen.

I'm pretty sure it is not a protocol error since the clients can retry
and successfully connect.

Should I always call SSL_accept() in a loop and retry if I get
SSL_ERROR_WANT_READ/WRITE error?  Since I'm using a blocking socket, I
thought this is not required.  But I'm not sure why SSL_accept() failed
with an error code of 0.

Thanks,
Ed


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Perry L. Jones
 Sent: Tuesday, November 22, 2005 5:24 AM
 To: openssl-users@openssl.org
 Subject: Re: Can SSL_accept() return 
 SSL_ERROR_WANT_READ/WRITE for blocking sockets?
 
 try this to find the error:
 
 i=SSL_accept(con);
 switch (SSL_get_error(con,i))
 {
 case SSL_ERROR_NONE:
 break;
 case SSL_ERROR_WANT_WRITE:
 case SSL_ERROR_WANT_READ:
 case SSL_ERROR_WANT_X509_LOOKUP:
 continue;
 case SSL_ERROR_SYSCALL:
 case SSL_ERROR_SSL:
 case SSL_ERROR_ZERO_RETURN:
 ret=1;
 goto err;
 /* break; */
 }
 
 you can find the code in openssl_src/apps/s_server.c
 
 Edward Chan wrote:
 
  SSL_accept() is returning <= 0.  And when I trace out the err msg 
  using the following code
 
  int iRet = SSL_accept(m_pSSL);
  if (iRet <= 0)
  {// handshake failed
      char buf[256];
      ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
      printf(buf);
  }
 
  I get the following error string:
 
  error::lib(0):func(0):reason(0)
 
  Either I'm not getting the error string properly?  Or SSL_accept() 
  failed with some valid error?  Unfortunately, I don't know whether 0 
  or -1 was returned.  Would I be correct in assuming that if 0 was 
  returned, that ERR_get_error() would return 0, and that I should be 
  calling SSL_get_error() instead?  In which case, I'm wondering what 
  the possible conditions are for this to happen.  Could it be that
  SSL_accept() is failing with an SSL_ERROR_WANT_READ/WRITE error?  The 
  socket is non-blocking.  The client did not close its end during the 
  handshake, and it should be capable of supporting all the ciphers and 
  protocol versions that the server does.
 
  Thanks,
  Ed
 


Can SSL_accept() return SSL_ERROR_WANT_READ/WRITE for blocking sockets?

2005-11-21 Thread Edward Chan
SSL_accept() is returning <= 0. And when I trace out the err msg using the following code

 int iRet = SSL_accept(m_pSSL);
 if (iRet <= 0)
 {// handshake failed
  char buf[256];
  ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
  printf(buf);
 }


I get the following error string:


error::lib(0):func(0):reason(0)


Either I'm not getting the error string properly? Or SSL_accept() failed with some valid error? Unfortunately, I don't know whether 0 or -1 was returned. Would I be correct in assuming that if 0 was returned, that ERR_get_error() would return 0, and that I should be calling SSL_get_error() instead? In which case, I'm wondering what the possible conditions are for this to happen. Could it be that SSL_accept() is failing with an SSL_ERROR_WANT_READ/WRITE error? The socket is non-blocking. The client did not close its end during the handshake, and it should be capable of supporting all the ciphers and protocol versions that the server does.

Thanks,

Ed





ERR_get_error() or SSL_get_error()?

2005-11-17 Thread Edward Chan
If SSL_accept() returns <= 0, and I want to see what the error is, should I be calling this to get a string description of the error:

int ret = SSL_accept();
if (ret <= 0)
{
 char buf[256];
 ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
}

Or should I be doing this instead

int ret = SSL_accept();
if (ret <= 0)
{
 char buf[256];
 ERR_error_string_n(SSL_get_error(), buf, sizeof(buf));
}


Under what circumstances do I use each of those API's?


Thanks,

Ed





Can OpenSSL be built as static libs?

2005-08-14 Thread Edward Chan
I was wondering if OpenSSL can be built as static libs as I don't want people to be able to simply replace the dll's with their own.

Thanks,

Ed





Getting public key out of an X509 object

2005-07-23 Thread Edward Chan
Can someone point me to how I can get the public key out of an X509 object? Basically, what I am trying to achieve is to sign something using the EVP interface and either a DSA or RSA private key, where the associated public key is in the cert. So now I want to get the public key out of the cert to verify the signature, again using the EVP interface. Am I going about this the right way? Or is there another set of API's that I should use that deal directly with the X509* instead?

Thanks,

Ed





RE: Getting public key out of an X509 object

2005-07-23 Thread Edward Chan
Before anybody blasts me, I just noticed a previous post on this subject :)


EVP_PKEY *X509_get_pubkey(cert)


Looks like it will work. I'll try that. But my second question holds, is this the right way to do the sig verification, or is there another or better way?

_

From: Edward Chan
Sent: Saturday, July 23, 2005 10:25 AM
To: 'openssl-users@openssl.org'
Subject: Getting public key out of an X509 object


Can someone point me to how I can get the public key out of an X509 object? Basically, what I am trying to achieve is to sign something using the EVP interface and either a DSA or RSA private key, where the associated public key is in the cert. So now I want to get the public key out of the cert to verify the signature, again using the EVP interface. Am I going about this the right way? Or is there another set of API's that I should use that deal directly with the X509* instead?

Thanks,

Ed





RE: d2i_RSAPublicKey doesn't work

2005-07-21 Thread Edward Chan
The code is basically like this:

RSA* rsa = RSA_generate_key(2048, RSA_F4, 0, 0);
// check if RSA key is valid
if (rsa && RSA_check_key(rsa) > 0)
{
    // find size of buffer required to encode public key
    int len = i2d_RSAPublicKey(rsa, 0);

    // allocate buffer
    unsigned char* buf = new unsigned char[len];

    // now call again to DER encode the public key
    if (i2d_RSAPublicKey(rsa, &buf) == len)
    {
        // now try to decode the buffer
        unsigned char* tmp = buf;
        RSA* public_key = d2i_RSAPublicKey(0, (const unsigned char**)&tmp, len);
        if (public_key)
        {
            printf("yeah, we successfully DER decoded the public key.\n");
        }
        else
        {
            char err[1024];
            ERR_error_string(ERR_get_error(), err);
            printf("Failed to DER decode public key : %s\n", err);
        }
    }
}

I've also tried creating the RSA object first, and passing it into
d2i_RSAPublicKey() for it to fill in.  It also returns me null back.
Does the code look right?

Thanks,
Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dr. 
 Stephen Henson
 Sent: Thursday, July 21, 2005 4:12 AM
 To: openssl-users@openssl.org
 Subject: Re: d2i_RSAPublicKey doesn't work
 
 On Wed, Jul 20, 2005, Edward Chan wrote:
 
  Hmm, well, I guess I assumed i2d_RSAPublicKey() was ok 
 since the RSA 
  key seems fine (I ran RSA_check_key() on it and it says it 
 is ok).  Is 
  there any reason why i2d_RSAPublicKey() would not be 
 returning me valid data?
  
 
 Normally only if it is not called correctly.
 
  int len = i2d_RSAPublicKey(rsa, 0);
  
  returns me something > 0, so I assumed that it is fine.  Wouldn't this 
  return -1 if it failed?
  
 
 Currently most i2d functions will never return -1 though that 
 may change in future.
 
  As for the usage of i2d_RSAPublicKey(), it is as the book says.  I 
  call it once to find the size of the buffer required.  Then 
 I allocate 
  the buffer.  Then call it again to actually fill the 
 buffer.  Is this 
  not correct?
  
 
 What code are you using to fill the buffer?
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


RE: d2i_RSAPublicKey doesn't work

2005-07-21 Thread Edward Chan
So I need to save buf to a tmp first like with d2i_RSAPublicKey?

Like this:

int len = i2d_RSAPublicKey(rsa, 0); 
unsigned char* buf = new unsigned char[len];
unsigned char* tmp = buf;
i2d_RSAPublicKey(rsa, &tmp);

// now use buf to decode

Is this correct?

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dr. 
 Stephen Henson
 Sent: Thursday, July 21, 2005 10:23 AM
 To: openssl-users@openssl.org
 Subject: Re: d2i_RSAPublicKey doesn't work
 
 On Thu, Jul 21, 2005, Edward Chan wrote:
 
  The code is basically like this:
  
  int len = i2d_RSAPublicKey(rsa, 0);
  
  // allocate buffer
  unsigned char* buf = new unsigned char[len];
  
  // now call again to DER encode the public key
  if (i2d_RSAPublicKey(rsa, &buf) == len)
  {
  
  I've also tried creating the RSA object first, and passing it into
  d2i_RSAPublicKey() for it to fill in.  It also returns me null back.
  Does the code look right?
  
 
 No, this code is wrong for the reasons mentioned in the FAQ. 
 After this call 'buf' points to garbage and that's why 
 d2i_RSAPublicKey() is failing.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


RE: d2i_RSAPublicKey doesn't work

2005-07-21 Thread Edward Chan
Hooray...that is it.  Thanks!!!

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
 Sent: Thursday, July 21, 2005 11:00 AM
 To: openssl-users@openssl.org
 Subject: RE: d2i_RSAPublicKey doesn't work
 
 So I need to save buf to a tmp first like with d2i_RSAPublicKey?
 
 Like this:
 
 int len = i2d_RSAPublicKey(rsa, 0);
 unsigned char* buf = new unsigned char[len];
 unsigned char* tmp = buf;
 i2d_RSAPublicKey(rsa, &tmp);
 
 // now use buf to decode
 
 Is this correct?
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Dr.
  Stephen Henson
  Sent: Thursday, July 21, 2005 10:23 AM
  To: openssl-users@openssl.org
  Subject: Re: d2i_RSAPublicKey doesn't work
  
  On Thu, Jul 21, 2005, Edward Chan wrote:
  
   The code is basically like this:
   
 int len = i2d_RSAPublicKey(rsa, 0);
   
 // allocate buffer
 unsigned char* buf = new unsigned char[len];
   
 // now call again to DER encode the public key
 if (i2d_RSAPublicKey(rsa, &buf) == len)
 {
   
   I've also tried creating the RSA object first, and passing it into
   d2i_RSAPublicKey() for it to fill in.  It also returns me 
 null back.
   Does the code look right?
   
  
  No, this code is wrong for the reasons mentioned in the FAQ. 
  After this call 'buf' points to garbage and that's why
  d2i_RSAPublicKey() is failing.
  
  Steve.
  --
  Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL 
  project core developer and freelance consultant.
  Funding needed! Details on homepage.
  Homepage: http://www.drh-consultancy.demon.co.uk
  
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
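
The pointer handling this thread turns on, as an added example that is not part of the original messages and is not OpenSSL code: a toy DER encoder and decoder that follow the same convention as the i2d_/d2i_ functions (they advance the pointer they are given), run once with temporaries and once without. The names toy_rsa_pub, toy_i2d_rsa_pub and toy_d2i_rsa_pub, the small key values and the short-form-only lengths are assumptions made for the example.

```c
#include <stdio.h>

struct toy_rsa_pub { unsigned long n, e; };  /* toy type, not OpenSSL's RSA */

/* DER INTEGER size of v, with the 0x00 pad needed when the top bit is set. */
static int uint_len(unsigned long v)
{
    int n = 1;
    while (v > 0xFF) { v >>= 8; n++; }
    return n + ((v & 0x80) ? 1 : 0);
}

static unsigned char *put_uint(unsigned char *p, unsigned long v)
{
    int len = uint_len(v), i;
    *p++ = 0x02;                          /* INTEGER tag */
    *p++ = (unsigned char)len;            /* short-form length */
    for (i = len - 1; i >= 0; i--)        /* big-endian, pad byte first */
        *p++ = (i < (int)sizeof v) ? (unsigned char)(v >> (8 * i)) : 0;
    return p;
}

/* i2d-style: NULL pp reports the size; else writes at *pp and advances it. */
int toy_i2d_rsa_pub(const struct toy_rsa_pub *k, unsigned char **pp)
{
    int body = 2 + uint_len(k->n) + 2 + uint_len(k->e);
    if (pp != NULL) {
        unsigned char *p = *pp;
        *p++ = 0x30;                      /* SEQUENCE tag */
        *p++ = (unsigned char)body;
        p = put_uint(p, k->n);
        *pp = put_uint(p, k->e);
    }
    return 2 + body;
}

/* Read one non-negative INTEGER that fits in unsigned long; advances *pp. */
static int get_uint(const unsigned char **pp, const unsigned char *end, unsigned long *out)
{
    const unsigned char *p = *pp;
    unsigned long v = 0;
    if (end - p < 3 || p[0] != 0x02 || p[1] == 0 || p[1] >= 0x80) return -1;
    size_t len = p[1];
    p += 2;
    if ((size_t)(end - p) < len || (p[0] & 0x80))
        return -1;                        /* truncated or negative */
    if (p[0] == 0x00 && len > 1) { p++; len--; }   /* skip the pad byte */
    if (len > sizeof v) return -1;
    while (len--)
        v = (v << 8) | *p++;
    *out = v;
    *pp = p;
    return 0;
}

/* d2i-style: reads at *pp, advances it on success, leaves it on failure. */
int toy_d2i_rsa_pub(struct toy_rsa_pub *out, const unsigned char **pp, long length)
{
    const unsigned char *p = *pp, *end;
    if (length < 2 || p[0] != 0x30 || p[1] >= 0x80 || p[1] > length - 2)
        return 0;
    end = p + 2 + p[1];
    p += 2;
    if (get_uint(&p, end, &out->n) || get_uint(&p, end, &out->e) || p != end)
        return 0;
    *pp = p;
    return 1;
}

/* Correct pattern: buf keeps the start of the data, temporaries advance. */
int roundtrip_with_temp(const struct toy_rsa_pub *in, struct toy_rsa_pub *out)
{
    unsigned char buf[32], *w = buf;
    const unsigned char *r = buf;
    int len = toy_i2d_rsa_pub(in, NULL);
    if (len > (int)sizeof buf || toy_i2d_rsa_pub(in, &w) != len)
        return 0;
    return toy_d2i_rsa_pub(out, &r, len);
}

/* The thread's mistake, made safe to run: the encoder advances the only
 * pointer, so decoding starts just past the key. Returns that offset. */
long roundtrip_without_temp(const struct toy_rsa_pub *in)
{
    unsigned char storage[64] = {0}, *buf = storage;
    struct toy_rsa_pub out;
    int len = toy_i2d_rsa_pub(in, &buf);  /* buf now points after the key */
    const unsigned char *r = buf;
    return toy_d2i_rsa_pub(&out, &r, len) ? -1 : (long)(buf - storage);
}

int main(void)
{
    struct toy_rsa_pub in = { 0xC53BUL, 65537UL }, out = { 0, 0 };  /* constructed key */
    int ok = roundtrip_with_temp(&in, &out);
    printf("temp: ok=%d n=0x%lX e=%lu; no temp: off by %ld\n",
           ok, out.n, out.e, roundtrip_without_temp(&in));
    return 0;
}
```

In the second function the decoder is handed zeroed bytes inside a larger array only so the failure can be observed safely; with a heap buffer of exactly len bytes, as in the thread, the same pointer would lie outside the allocation.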


RE: d2i_RSAPublicKey doesn't work

2005-07-20 Thread Edward Chan
Hmm, well, I guess I assumed i2d_RSAPublicKey() was ok since the RSA key
seems fine (I ran RSA_check_key() on it and it says it is ok).  Is there
any reason why i2d_RSAPublicKey() would not be returning me valid data?

int len = i2d_RSAPublicKey(rsa, 0);

returns me something > 0, so I assumed that it is fine.  Wouldn't this
return -1 if it failed?

I am using the RSA_public_encrypt and RSA_private_decrypt functions
because that is what I found in the OpenSSL book I've been using as a
reference.  Should I be using something else? Is there an alternative to
the i2d* methods for converting the public and private portions of the
RSA key to some serializable form?

As for the usage of i2d_RSAPublicKey(), it is as the book says.  I call
it once to find the size of the buffer required.  Then I allocate the
buffer.  Then call it again to actually fill the buffer.  Is this not
correct?

Thanks,
Ed 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dr. 
 Stephen Henson
 Sent: Wednesday, July 20, 2005 5:48 PM
 To: openssl-users@openssl.org
 Subject: Re: d2i_RSAPublicKey doesn't work
 
 On Tue, Jul 19, 2005, Edward Chan wrote:
 
  That part of the code remains the same, and continues to 
 work fine.  
  By the way, my last code snippet should have been:
  
  U8* tmp = buf;
  RSA* pub = d2i_RSAPublicKey(0, (const U8**)&tmp, len);
  
  I mistakenly typed *len instead of len.
  
  Anyways, after I call i2d_RSAPublicKey, calling 
 d2i_RSAPublicKey does 
  not seem to work. It always returns me a null ptr.  But I 
 know the RSA 
  object is fine.  I can use it in RSA_public_encrypt() and 
  RSA_private_decrypt().
  
 
 What makes you think the way i2d_RSAPublicKey is being called 
 is producing valid data? Try dumping the data in 'tmp' to a 
 file and using:
 
 openssl asn1parse -inform DER -in whatever
 
 if the result is an error message or what looks like garbage 
 then its a problem with the usage of i2d_RSAPublicKey. If it 
 looks like the public key components then it is OK.
 
 BTW is there some reason you are using the RSAPublicKey 
 functions? If you use the RSA_PUBKEY versions instead the 
 OpenSSL utilities will be able to check the format directly.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


RE: d2i_RSAPublicKey doesn't work

2005-07-19 Thread Edward Chan
That part of the code remains the same, and continues to work fine.  By
the way, my last code snippet should have been:

U8* tmp = buf;
RSA* pub = d2i_RSAPublicKey(0, (const U8**)&tmp, len);

I mistakenly typed *len instead of len.

Anyways, after I call i2d_RSAPublicKey, calling d2i_RSAPublicKey does
not seem to work. It always returns me a null ptr.  But I know the RSA
object is fine.  I can use it in RSA_public_encrypt() and
RSA_private_decrypt().

Any ideas?  Anybody else experiencing this problem?


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
 Sent: Tuesday, July 19, 2005 12:36 AM
 To: openssl-users@openssl.org
 Subject: Re: d2i_RSAPublicKey doesn't work
 
 Edward Chan wrote:
  If you're referring to http://www.openssl.org/support/faq.html
  
  3. How do I read or write a DER encoded buffer using the 
 ASN1 functions?
  
  ...
  
  The opposite assumes we already have len bytes in buf:
  
   unsigned char *p;
   p = buf;
   p7 = d2i_PKCS7(NULL, &p, len);
  
  At this point p7 contains a valid PKCS7 structure or NULL if an error 
  occurred. If an error occurred ERR_print_errors(bio) should give more 
  information.
  
  The reason for the temporary variable 'p' is that the ASN1 
 functions 
  increment the passed pointer so it is ready to read or 
 write the next 
  structure. This is often a cause of problems: without the temporary 
  variable the buffer pointer is changed to point just after the data 
  that has been read or written. This may well be 
 uninitialized data and 
  attempts to free the buffer will have unpredictable results 
 because it 
  no longer points to the same address.
  
  --
  
  I see where it says you need to create the temp var.  So changed my 
  code to do that, but I still get a null ptr returned.
  
  Code is now:
  
  U8* tmp = buf;
  RSA* pub = d2i_RSAPublicKey(0, (const U8**)&tmp, *len);
 
 and what about i2d_RSAPublicKey ?
 
 Nils


d2i_RSAPublicKey doesn't work

2005-07-18 Thread Edward Chan
What am I doing wrong here? I generate an RSA key. Then I DER encode it. Then try to decode it, but the decode fails. The error says, error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

RSA* rsa = RSA_generate_key(2048, RSA_F4, 0, 0);
if (rsa)
{
 if (RSA_check_key(rsa) > 0)
 {
  int len = i2d_RSAPublicKey(rsa, 0);

  U8* buf = new U8[len];
  memset(buf, 0, len);

  i2d_RSAPublicKey(rsa, &buf);

  // everything looks good up to here; I can see buf gets filled with len number of bytes
  // but then I try to get the public key back by doing the following, and it fails.

  RSA* public_key = d2i_RSAPublicKey(0, (const U8**)&buf, len); // public_key is NULL; why???
  if (!public_key)
  {
   char err[1024];
   ERR_error_string(ERR_get_error(), err);
   fprintf(stderr, "Error : %s\n", err);
  }
 }
}

 





RE: d2i_RSAPublicKey doesn't work

2005-07-18 Thread Edward Chan
If you're referring to http://www.openssl.org/support/faq.html

3. How do I read or write a DER encoded buffer using the ASN1 functions?

...

The opposite assumes we already have len bytes in buf:

 unsigned char *p;
 p = buf;
 p7 = d2i_PKCS7(NULL, &p, len);

At this point p7 contains a valid PKCS7 structure or NULL if an error
occurred. If an error occurred ERR_print_errors(bio) should give more
information.

The reason for the temporary variable 'p' is that the ASN1 functions
increment the passed pointer so it is ready to read or write the next
structure. This is often a cause of problems: without the temporary
variable the buffer pointer is changed to point just after the data that
has been read or written. This may well be uninitialized data and
attempts to free the buffer will have unpredictable results because it
no longer points to the same address. 

--

I see where it says you need to create the temp var.  So changed my code
to do that, but I still get a null ptr returned.

Code is now:

U8* tmp = buf;
RSA* pub = d2i_RSAPublicKey(0, (const U8**)&tmp, *len);
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
 Sent: Monday, July 18, 2005 1:10 PM
 To: openssl-users@openssl.org
 Subject: Re: d2i_RSAPublicKey doesn't work
 
 Edward Chan wrote:
  What am I doing wrong here?  I generate an RSA key.  Then I DER encode 
  it.  Then try to decode it, but the decode fails.  The error says,
  error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
  
  RSA* rsa = RSA_generate_key(2048, RSA_F4, 0, 0);
  if (rsa)
  {
      if (RSA_check_key(rsa) > 0)
      {
          int len = i2d_RSAPublicKey(rsa, 0);
  
          U8* buf = new U8[len];
          memset(buf, 0, len);
  
          i2d_RSAPublicKey(rsa, &buf);
  
          // everything looks good up to here; I can see buf gets filled with len number of bytes
          // but then I try to get the public key back by doing the following, and it fails.
  
          RSA* public_key = d2i_RSAPublicKey(0, (const U8**)&buf, len); // public_key is NULL; why???
          if (!public_key)
          {
              char err[1024];
              ERR_error_string(ERR_get_error(), err);
              fprintf(stderr, "Error : %s\n", err);
          }
      }
  }
 
 please read the FAQ
 
 Nils
 


Question about BIO->num_read & BIO->num_write

2005-07-11 Thread Edward Chan
Just want to confirm that these are a running total of number of bytes read and written by this BIO, and not the number of bytes last read or written. Is that correct?

Thanks,

Ed





Compile error in n_pkey.c with 0.9.7g on Win32 using ntdll.mak and nasm

2005-06-08 Thread Edward Chan
I get the following compile error:


 cl /Fotmp32dll\f_string.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\f_string.c
f_string.c
 cl /Fotmp32dll\n_pkey.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\n_pkey.c
n_pkey.c
.\crypto\asn1\n_pkey.c(96) : error C2370: 'NETSCAPE_ENCRYPTED_PKEY_it' : redefinition; different storage class
 .\crypto\asn1\n_pkey.c(93) : see declaration of 'NETSCAPE_ENCRYPTED_PKEY_it'
.\crypto\asn1\n_pkey.c(106) : error C2370: 'NETSCAPE_PKEY_it' : redefinition; different storage class
 .\crypto\asn1\n_pkey.c(103) : see declaration of 'NETSCAPE_PKEY_it'
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.



Anybody know anything about this? I followed the steps in INSTALL.W32 like I have with previous versions of OpenSSL which I was able to build fine.

Ed





RE: Compile error in n_pkey.c with 0.9.7g on Win32 using ntdll.mak and nasm

2005-06-08 Thread Edward Chan
Crap. Nevermind. I forgot to run

 perl Configure VC-WIN32

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
  Sent: Wednesday, June 08, 2005 1:51 PM
  To: openssl-users@openssl.org
  Subject: Compile error in n_pkey.c with 0.9.7g on Win32 using ntdll.mak and nasm
  
  I get the following compile error:
  
   cl /Fotmp32dll\f_string.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\f_string.c
  f_string.c
   cl /Fotmp32dll\n_pkey.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DBN_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\n_pkey.c
  n_pkey.c
  .\crypto\asn1\n_pkey.c(96) : error C2370: 'NETSCAPE_ENCRYPTED_PKEY_it' : redefinition; different storage class
   .\crypto\asn1\n_pkey.c(93) : see declaration of 'NETSCAPE_ENCRYPTED_PKEY_it'
  .\crypto\asn1\n_pkey.c(106) : error C2370: 'NETSCAPE_PKEY_it' : redefinition; different storage class
   .\crypto\asn1\n_pkey.c(103) : see declaration of 'NETSCAPE_PKEY_it'
  NMAKE : fatal error U1077: 'cl' : return code '0x2'
  Stop.
  
  Anybody know anything about this? I followed the steps in INSTALL.W32
  like I have with previous versions of OpenSSL which I was able to
  build fine.
  
  Ed


RE: Building with VC6

2005-05-09 Thread Edward Chan
For what it's worth, I've built OpenSSL several times (using VC6), each time
just following the instructions in INSTALL.W32 with NASM and it built fine. 

Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dr. 
 Stephen Henson
 Sent: Monday, May 09, 2005 4:30 PM
 To: openssl-users@openssl.org
 Subject: Re: Building with VC6
 
 On Mon, May 09, 2005, Milan Tomic wrote:
 
  Hi,
  
  No, that doesn't help. :( My VC6 starts building OpenSSL and when 
  compiles 100+ files, it fails for this file (n_pkey.c). 
 From the error 
  message I got I would say something is wrong in the source code of 
  OpenSSL (n_pkey.c file).
  
 
 I use VC++ 6 to compile OpenSSL and I've never seen that error.
 
 Did you do:
 
 perl Configure VC-WIN32
 
 first?
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Does nFast800 work with OpenSSL on Windows?

2005-05-07 Thread Edward Chan
Looking at their website, they say that software support for this card includes OpenSSL on Linux. But on Windows, they only mention CryptoAPI. Does anybody know if this means it doesn't work with OpenSSL on Windows? I've sent them an email asking about this, but thought somebody on this list might know.

Thanks,
Ed





Anybody using SafeNet Luna PCI crypto accelerator card?

2005-05-06 Thread Edward Chan
I've got a C program that uses OpenSSL and I'm trying to use the SafeNet Luna card with it. I've downloaded a modified version of OpenSSL from them which includes support for this LunaCA3 engine, but am still having trouble getting it to run. Has anybody used this board before? And if so, do you have any tips or hints to get it working?

Thanks,
Ed





RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-19 Thread Edward Chan
Thanks for the info.  One last question :)  So if I am using blocking
sockets, then would I ever get a WANT_WRITE error?  I'm guessing no?

But if I am using BIO pairs, and blocking sockets, is it possible to get a
WANT_WRITE error?

Sorry, that was two more questions.

Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, April 17, 2005 11:01 PM
 To: openssl-users@openssl.org
 Subject: Re: Confusion about SSL_ERROR_WANT_READ/WRITE
 
  If all that was sent was the protocol data that the write 
 was waiting 
  for to satisfy the ssl state machine, and no application data was 
  sent, would SSL_read return the number of bytes actually 
 read off the 
  socket (which is just protocol data), or would it read that 
  transparently and return 0 indicating that no application data was 
  read?
 
 
 Ah. Key question!
 
 SSL_read will return a positive number indicating the number 
 of APPLICATION DATA bytes written into your buffer.
 
 A ZERO indicates a closed connection.
 
 A negative result indicates an error (or rather, that your 
 request could not be satisfied). In the case of a WANT_READ 
 or WANT_WRITE, that some action in the BIO needs to occur to 
 satisfy the request.
 
 The important thing to keep in mind is that the SSL objects 
 are not inherently tied to sockets. You might be trying to 
 read SSL decrypted data from your own internal buffer. In 
 which case, a WANT_READ means that you need to move a few 
 more bytes into the BIO's buffer.
 
 Check out the man page for the SSL_get_error function yet once again. 
 Skip down to the section titled SSL_ERROR_WANT_READ, 
 SSL_ERROR_WANT_WRITE in the context of these discussions, 
 keeping in mind the idea that an SSL object might not be 
 necessarily connected to a socket.
 
 (What really frustrated me when I was learning how this 
 worked was that the examples and discussions in the O'Reilly 
 OpenSSL book were wrong on this topic.)
 


RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-17 Thread Edward Chan
  Yes, I think I understand what you are saying.  If I get a 
 WANT_READ 
  from a call to SSL_write, that means I need to read some 
 data before I 
  can send.
 
   Not quite, it means the OpenSSL engine must read some 
 data (from the
 socket) before you can perform the 'write' logical operation 
 on the connection state machine.
 
  But like you said, there may not be any data to read since 
 the other 
  end may not have sent anything.
 
   There may not be any application data, but there should 
 be data sent over the SSL connection.

Protocol data?  Like an ack for some previous data sent?

 
  But I think my problem was that I was thinking in terms of 
 application 
  data.  What I failed to realize was that there may not be any 
  application data to read, but if the other end is a valid 
 ssl client, 
  there should have been some ssl protocol data that was 
 sent, that my 
  end needs to read before my call to SSL_write will succeed. 
  Does that 
  sound right?
 
   If by your end, you mean your end of the SSL 
 connection, yes. If by your end, you mean the application, 
 no. The purpose of the SSL_read function is to read 
 application data from the SSL connection state machine. You 
 should call it if and only if that is what you want to do.

Since I'm using socket BIO, I am letting SSL_read/SSL_write handle all my
socket I/O.  So I am not explicitly reading from the socket and feeding it
to OpenSSL (I just call SSL_read).  So when I say your end, I mean the
other end of the socket.

 
  And since an SSL_read may write as well as read, and SSL_write may 
  read as well as write, then either of these calls would read the 
  required protocol data such that a retry of the call that 
 resulted in 
  the error should now succeed.
 
   There you go. Since you're using socket BIOs, the state 
 machine will access the socket when it needs to, so you just 
 need to retry the operation later.
 If you want, you can use 'select' to tell when it's enough later.
 
  So even though my call to SSL_write resulted in the 
 WANT_READ error, if 
  my read thread happened to do an SSL_read first, it still 
 would have 
  read the protocol data, and my retry of SSL_write should 
 succeed.  Am I right?
  Close?  Way off?
 
   If either an SSL_write or an SSL_read results in a 
 WANT_READ error, it means that neither call can progress 
 until some data is read from the socket. You can retry the 
 operation later, try another operation, or whatever you want 
 to do. You can take the hint that 'select'ing on the socket 
 for readability will likely tell you when the operation is 
 going to succeed.

I do select on the socket.  Basically, I have a thread pool that I use for
I/O.  Writes are synchronous, so I expect to finish writing all the data
before I exit my write function.  But since I don't want to tie up a thread
blocking on the read waiting for data to arrive (since I have no idea when
data will arrive), I add it to a list of sockets that I am select'ing on.
Since my write is synchronous, and if I get a WANT_READ error, then that
means I need to read some ssl data before I can continue.  So I will select
on the socket until data arrives.  I'm assuming that the data WILL arrive.
There is no chance that I could be blocked here indefinitely is there?  I'm
assuming that the data is some SSL protocol data that SHOULD have been
sent by the other end of the connection (assuming it is a valid SSL client).

Now, I also have a read thread that was select'ing on the socket waiting for
data to arrive.  So either of these 2 threads may read data.  Both threads
are select'ing on the socket.  So if the read thread wakes up first and
acquires the lock, then it will do an SSL_read before the write thread wakes
up and retries an SSL_write (which was the operation that caused the
WANT_READ error in the first place).  So my question is, is this ok?  If it
was an SSL_write that caused the WANT_READ error, do I HAVE to retry the
SSL_write before I can do an SSL_read?  The SSL_read should read whatever
data the ssl state machine was expecting, and the next try of SSL_write
should then succeed right?


RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-17 Thread Edward Chan
First of all, I want to thank everyone for all the information, especially
David with his excellent explanations.  I know this thread is getting long,
but I really think I'm getting it now :)  Just a few more questions and
comments...

 There may not be any application data, but there should be data 
   sent over the SSL connection.
 
  Protocol data?  Like an ack for some previous data sent?
 
   Well, remember no data at all can be sent until a key 
 is negotiated. So if you immediately call SSL_write, it will 
 be unable to do anything.

Of course :)

 
 If either an SSL_write or an SSL_read results in a 
 WANT_READ error, 
   it means that neither call can progress until some data 
 is read from 
   the socket. You can retry the operation later, try another 
   operation, or whatever you want to do. You can take the hint that 
   'select'ing on the socket for readability will likely 
 tell you when 
   the operation is going to succeed.
 
  I do select on the socket.  Basically, I have a thread pool 
 that I use 
  for I/O.  Writes are synchronous, so I expect to finish writing all 
  the data before I exit my write function.  But since I 
 don't want to 
  tie up a thread blocking on the read waiting for data to 
 arrive (since 
  I have no idea when data will arrive), I add it to a list 
 of sockets 
  that I am select'ing on.
  Since my write is synchronous, and if I get a WANT_READ error, then 
  that means I need to read some ssl data before I can 
 continue.  So I 
  will select on the socket until data arrives.  I'm assuming 
 that the 
  data WILL arrive.
  There is no chance that I could be blocked here 
 indefinitely is there?  
  I'm assuming that the data is some SSL protocol data that SHOULD 
  have been sent by the other end of the connection (assuming it is a 
  valid SSL client).
 
   You can impose timeouts if you want. You have this same 
 issue for TCP. If the other side doesn't read any data, 
 eventually your 'write' will block forever. You have to 
 handle this yourself.

Of course.  But what I mean is, if I get a WANT_READ from an SSL_write, then
I assume that means I am waiting for some protocol data to satisfy the ssl
state machine, right?  After all, SSL_write should not be waiting for any
application data.  So if that is the case, does that mean that the protocol
data that I am waiting for SHOULD have been sent by the other end of the
connection?  

 
  Now, I also have a read thread that was select'ing on the socket 
  waiting for data to arrive.  So either of these 2 threads may read 
  data.  Both threads are select'ing on the socket.  So if the read 
  thread wakes up first and acquires the lock, then it will do an 
  SSL_read before the write thread wakes up and retries an SSL_write 
  (which was the operation that caused the WANT_READ error in 
 the first 
  place).  So my question is, is this ok?
 
   Yes. Just understand that it's not unusual to see data 
 on the socket (in a call to 'select') and then not get any 
 *application* data from SSL_read.
 
  If it
  was an SSL_write that caused the WANT_READ error, do I HAVE 
 to retry 
  the SSL_write before I can do an SSL_read?
 
   No. You will likely need to enable 
 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER and will probably want to 
 enable SSL_MODE_ENABLE_PARTIAL_WRITE as well. Read up on 
 these and make sure you understand the implications and 
 especially the very unusual default of not accepting moving 
 write buffers!
 
  The SSL_read should read whatever
  data the ssl state machine was expecting, and the next try of 
  SSL_write should then succeed right?
 
   Yes. Just remember that there are two weird cases that 
 could happen -- expect them.
 
   1) You get a read hit from 'select', but before you can 
 call SSL_read, your write thread calls SSL_write, which reads 
 the data. So now when you call SSL_read, nothing at all happens.

Will SSL_read return 0 bytes read, or will I get a WANT_READ error
indicating there was nothing to be read since the data was already read off
the socket?

 
   2) You get a read hit from 'select', but it's all 
 protocol data, no application data. So you call SSL_read and 
 no application data is returned.

Does SSL_read always return the number of bytes of application data read?
If so, that means that SSL_read could return 0, and that this should not be
construed as an error.

 
   And, of course, remember that you need a mutex for the 
 connection to prevent a concurrent SSL_read and SSL_write.

Of course.  That was my first mistake.  But I know better now :)

 
   DS
 
 

RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-17 Thread Edward Chan
Right, but let's say I'm doing an SSL_write, and I get a WANT_READ error.  I
then select on the socket until data is available for reading.  I then call
SSL_read.  If all that was sent was the protocol data that the write was
waiting for to satisfy the ssl state machine, and no application data was
sent, would SSL_read return the number of bytes actually read off the socket
(which is just protocol data), or would it read that transparently and
return 0 indicating that no application data was read?  Or would it just
read the required protocol data and return an error of WANT_READ to indicate
that I should retry the SSL_read when more data arrives?  Now that I think
about it, I'm guessing the latter.




 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Sunday, April 17, 2005 9:48 PM
 To: openssl-users@openssl.org
 Subject: Re: Confusion about SSL_ERROR_WANT_READ/WRITE
 
 A return result of 0 typically means the other side closed 
 the connection.
 
 Here is the section from SSL_read's man page with regards to 
 a 0 return:
 
 0   The read operation was not successful. The reason may either be a
     clean shutdown due to a close notify alert sent by the peer (in
     which case the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state
     is set (see SSL_shutdown(3), SSL_set_shutdown(3)). It is also
     possible, that the peer simply shut down the underlying transport and
     the shutdown is incomplete. Call SSL_get_error() with the return
     value ret to find out, whether an error occurred or the connection
     was shut down cleanly (SSL_ERROR_ZERO_RETURN).
 
 
 -Joe
 
 
 
 On Apr 17, 2005, at 9:12 PM, Edward Chan wrote:
 
  Does SSL_read always return the number of bytes of application data 
  read?
  If so, that means that SSL_read could return 0, and that 
 this should 
  not be construed as an error.
 


RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-16 Thread Edward Chan
Ok, this is getting much clearer.  Last question (hopefully)...so if an
SSL_write gets a WANT_READ, is it ok for the read thread to do an SSL_read
before I retry the SSL_write?  Does it matter who does the requested
operation as long as it is done?  Or does the read thread have to wait until
the write thread retries the SSL_write when there is data available before
it can read anymore data?

And similarly, if the read thread gets a WANT_WRITE, can the write thread do
an SSL_write before the read thread retries the SSL_read?  If the write
thread does an SSL_write before the read thread retries the SSL_read
(assuming socket is writable), will it have written whatever data the
SSL_read needed to have written?

In other words, does the operation specified by the WANT_READ/WRITE have to be
done by retrying the operation that caused it?


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, April 16, 2005 3:02 AM
 To: openssl-users@openssl.org
 Subject: RE: Confusion about SSL_ERROR_WANT_READ/WRITE
 
 
  Thanks for this explanation.  As I read more, I think I am 
 getting a 
  better understanding of this.  So unlike normal tcp 
 connections, where 
  a read just reads, and a write just writes, SSL_read may write, and 
  SSL_write may read.
  This is all done under the hood, so I don't need to be 
 concerned with 
  that, except to reissue the call when I get a WANT_READ or 
 WANT_WRITE 
  error.  And when I get one of these, I basically just have to wait 
  (select/poll or
  whatever) until the socket is readable/writable, then 
 reissue the call.
  Does that sound right?
 
   Yes, that's it. If you use socket BIOs, then it all 
 takes place under the hood. You don't have to worry about it, 
 but you do have to know that the semantics of SSL_read and 
 SSL_write are not the same as read and write.
 
  And regarding the use of multiple threads, if I protect the 
 SSL object 
  with a lock, that should be fine right?  But it sounds like 
 a single 
  thread for both read and writes is the norm.  Is this true?  And if 
  so, other than the fact that I need to co-ordinate access 
 to the SSL 
  obj with a mutex, is there any draw back to using multiple threads?
 
   Neither is the norm. Some I/O strategies use a single 
 thread both reading and writing, where that thread may handle 
 only one connection or dozens.
 Some I/O strategies use one thread for all reads to all 
 connections and one for all writes to all connections. Some 
 use a pool of threads, any one of which may do a read or 
 write to any connection at any time. What is best depends 
 upon the specifics of a given project, primarily the 
 scalability requirements and the complexity that can be tolerated.
 
   One common I/O strategy called 'speculative write' 
 allows whatever thread generated data for a connection to try 
 to write it immediately. If the write fails with a 'would 
 block' error, then the connection is added to a poll or 
 select set to try the write later from an I/O thread. In this 
 case, you would need a lock because one thread might try to 
 write to the connection while an I/O thread is reading from it.
 
   The SSL state machine is not protected against 
 concurrent accesses to the same connection. So if you have a 
 situation where you might try to access the same connection 
 from two threads (the typical case being a read and a write, 
 but one could imagine others), you will need to associate a 
 mutex with the connection.
 
   Semantically, an SSL connection is a single engine and 
 SSL_read and SSL_write are entry points to that single 
 engine. This is different from a TCP connection which is 
 semantically two unrelated byte streams, one in each direction.
 
   DS
 
 


RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-16 Thread Edward Chan
Yes, I think I understand what you are saying.  If I get a WANT_READ from a
call to SSL_write, that means I need to read some data before I can send.
But like you said, there may not be any data to read since the other end may
not have sent anything.  But I think my problem was that I was thinking in
terms of application data.  What I failed to realize was that there may not
be any application data to read, but if the other end is a valid ssl client,
there should have been some ssl protocol data that was sent, that my end
needs to read before my call to SSL_write will succeed.  Does that sound
right?

And since an SSL_read may write as well as read, and SSL_write may read as
well as write, then either of these calls would read the required protocol
data such that a retry of the call that resulted in the error should now
succeed.

So even though my call to SSL_write resulted in the WANT_READ error, if my
read thread happened to do an SSL_read first, it still would have read the
protocol data, and my retry of SSL_write should succeed.  Am I right?
Close?  Way off?

Ed



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, April 16, 2005 10:43 AM
 To: openssl-users@openssl.org
 Subject: Re: Confusion about SSL_ERROR_WANT_READ/WRITE
 
 You're on the money. This confused me, too. I had a program 
 that needed to see if there was incoming data, and so I 
 performed an SSL_read(). I received back a WANT_READ, because 
 there was no data yet to read. (I'm using non-blocking I/O).
 
 But then some time later I needed to send data. The logic of 
 the program was such that I could expect nothing on the READ 
 side anyway until I had sent something first 
 (query/response). At first, I thought I was stuck having to 
 endlessly perform only the SSL_read even though there was no 
 data available before I would be able to perform my SSL_write.
 
 I realized that when you receive a WANT_READ or a WANT_WRITE, 
 you just need to perform the same operation again with the 
 same parameters, but that does not exclude you from 
 performing the other operation elsewhere. Just make sure that 
 two threads aren't trying to do this at the same time on the 
 same connection.
 
 
 
 
 
 
 On Apr 16, 2005, at 10:22 AM, Edward Chan wrote:
 
  Ok, this is getting much clearer.  Last question 
 (hopefully)...so if 
  an SSL_write gets a WANT_READ, is it ok for the read thread 
 to do an 
  SSL_read before I retry the SSL_write?  Does it matter who does the 
  requested operation as long as it is done?  Or does the read thread 
  have to wait until the write thread retries the SSL_write 
 when there 
  is data available before it can read anymore data?
 
  And similarly, if the read thread gets a WANT_WRITE, can the write 
  thread do an SSL_write before the read thread retries the 
 SSL_read?  
  If the write thread does an SSL_write before the read 
 thread retries 
  the SSL_read (assuming socket is writable), will it have written 
  whatever data the SSL_read needed to have written?
 
  In other words, does the operation specified by the WANT_READ/WRITE have
  to be done by retrying the operation that caused it?
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  Sent: Saturday, April 16, 2005 3:02 AM
  To: openssl-users@openssl.org
  Subject: RE: Confusion about SSL_ERROR_WANT_READ/WRITE
 
 
  Thanks for this explanation.  As I read more, I think I am
  getting a
  better understanding of this.  So unlike normal tcp
  connections, where
  a read just reads, and a write just writes, SSL_read may 
 write, and
  SSL_write may read.
  This is all done under the hood, so I don't need to be
  concerned with
  that, except to reissue the call when I get a WANT_READ or
  WANT_WRITE
  error.  And when I get one of these, I basically just have to wait
  (select/poll or
  whatever) until the socket is readable/writable, then
  reissue the call.
  Does that sound right?
 
 Yes, that's it. If you use socket BIOs, then it all
  takes place under the hood. You don't have to worry about it,
  but you do have to know that the semantics of SSL_read and
  SSL_write are not the same as read and write.
 
  And regarding the use of multiple threads, if I protect the
  SSL object
  with a lock, that should be fine right?  But it sounds like
  a single
  thread for both read and writes is the norm.  Is this 
 true?  And if
  so, other than the fact that I need to co-ordinate access
  to the SSL
  obj with a mutex, is there any draw back to using 
 multiple threads?
 
 Neither is the norm. Some I/O strategies use a single
  thread both reading and writing, where that thread may handle
  only one connection or dozens.
  Some I/O strategies use one thread for all reads to all
  connections and one for all writes to all connections. Some
  use a pool of threads, any one of which may do a read or
  write to any connection at any time. What is best depends
  upon

Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-15 Thread Edward Chan

I have an app where reads and writes happen from different threads. Now, ideally, one would envision that I just replace the reads/writes with SSL_read/SSL_write. Now I know it is not as simple as that.

What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?


If I get a WANT_READ from an SSL_read, I guess that means I need to read more data but no data is available on the socket yet. So I basically poll/select waiting for more data to arrive before I can reissue the SSL_read. Is that right? 

If I get a WANT_WRITE from an SSL_read, does that mean that I need to do an SSL_write before I can reissue the SSL_read? And if so, what if I have no data to write? Can I just do an SSL_write() with an empty buffer? I'm assuming it is not application data that needs to be written, but some data contained in some internal ssl buffer?

If I get a WANT_WRITE from an SSL_write, does that mean the network buffer is full and I cannot write to the socket yet? In which case, I would just poll/select until the socket becomes writable and retry the SSL_write?

What if I get a WANT_READ from an SSL_write? Does that mean that I need to do an SSL_read before I can reissue the SSL_write? Again, I'm assuming the data that needs to be read is not application data. So can I just do an SSL_read giving it a 0 length buffer? Will this cause whatever data that is stored in the ssl buffers to be processed without reading data off the network (since I have a separate thread for reading and processing application data)?

Ed





RE: Confusion about SSL_ERROR_WANT_READ/WRITE

2005-04-15 Thread Edward Chan
Thanks for this explanation.  As I read more, I think I am getting a better
understanding of this.  So unlike normal tcp connections, where a read just
reads, and a write just writes, SSL_read may write, and SSL_write may read.
This is all done under the hood, so I don't need to be concerned with that,
except to reissue the call when I get a WANT_READ or WANT_WRITE error.  And
when I get one of these, I basically just have to wait (select/poll or
whatever) until the socket is readable/writable, then reissue the call.
Does that sound right?

And regarding the use of multiple threads, if I protect the SSL object with
a lock, that should be fine right?  But it sounds like a single thread for
both read and writes is the norm.  Is this true?  And if so, other than the
fact that I need to co-ordinate access to the SSL obj with a mutex, is there
any draw back to using multiple threads?

So if I had the following:

/* Read thread */

bool ok = false;
while (!ok)
{
    mutex.lock(); // protect ssl
    int ret = SSL_read(ssl, buf, len);
    int err = SSL_get_error(ssl, ret);
    mutex.unlock();

    if (err == SSL_ERROR_NONE)
    {
        ok = true;
    }
    else if (err == SSL_ERROR_WANT_READ)
    {
        fd_set read_fds;
        FD_ZERO(&read_fds);
        FD_SET(m_sock, &read_fds);

        // wait for socket to be readable
        // (first argument is the highest fd + 1; Winsock ignores it)
        if (select(m_sock + 1, &read_fds, 0, 0, 0) <= 0)
            return 0; // error

        continue; // re-issue the read
    }
    else if (err == SSL_ERROR_WANT_WRITE)
    {
        fd_set write_fds;
        FD_ZERO(&write_fds);
        FD_SET(m_sock, &write_fds);

        // wait for socket to be writable
        if (select(m_sock + 1, 0, &write_fds, 0, 0) <= 0)
            return 0; // error

        continue; // re-issue the read
    }
    else
    {
        return 0; // error
    }
}

/* write thread */

int offset = 0;
while (len)
{
    mutex.lock(); // protect ssl
    int ret = SSL_write(ssl, buf+offset, len);
    int err = SSL_get_error(ssl, ret);
    mutex.unlock();

    if (err == SSL_ERROR_NONE)
    {
        offset += ret;
        len -= ret;
    }
    else if (err == SSL_ERROR_WANT_READ)
    {
        fd_set read_fds;
        FD_ZERO(&read_fds);
        FD_SET(m_sock, &read_fds);

        // wait for socket to be readable
        if (select(m_sock + 1, &read_fds, 0, 0, 0) <= 0)
            return 0; // error

        continue; // re-issue the write
    }
    else if (err == SSL_ERROR_WANT_WRITE)
    {
        fd_set write_fds;
        FD_ZERO(&write_fds);
        FD_SET(m_sock, &write_fds);

        // wait for socket to be writable
        if (select(m_sock + 1, 0, &write_fds, 0, 0) <= 0)
            return 0; // error

        continue; // re-issue the write
    }
    else
    {
        return 0; // error
    }
}

Does that look ok?

Since the reads and writes may be done in different threads, then it
could happen that the write thread got a WANT_READ and was waiting for data
to arrive.  But the read thread may also be waiting for data to arrive.  One
of these threads will wake up first.  If the read thread wakes up, it will
do SSL_read. If the write thread wakes up, it will try a SSL_write.  Only
one will happen first because they are protected by a lock.  But if the read
thread was able to read first, then when the write thread acquires the lock
and retries the SSL_write, it will still succeed because whatever data it
was waiting to read was read by the read thread.  Does that make sense?



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Friday, April 15, 2005 4:58 PM
 To: openssl-users@openssl.org
 Subject: RE: Confusion about SSL_ERROR_WANT_READ/WRITE
 
 
  I have an app where reads and writes happen from different threads.
  Now, ideally, one would envision that I just replace the 
 reads/writes 
  with SSL_read/SSL_write.  Now I know it is not as simple as that.
 
   You need to wrap each SSL connection with a lock and 
 hold that lock when you call SSL_read or SSL_write. This will 
 prevent concurrent accesses to the same connection from 
 different threads, which is not supported.
 
  What exactly is the meaning of the SSL_ERROR_WANT_READ/WRITE errors?
 [snip]
 
   The OpenSSL connection does not have exactly the same 
 semantics as a TCP connection. Say you try to send data 
 before the handshaking is finished.
 OpenSSL cannot send any data over the socket until it reads 
 the handshake from the other side. So a 'WANT_READ' error 
 means that OpenSSL needs to read some encrypted data from the 
 other side before it can write the application data you want to send.
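
Added example, not part of the original thread and not OpenSSL project code: the wait-and-retry loop discussed in this message, with the lock released while waiting, `select` given `fd + 1`, and a timeout so a silent peer cannot block the caller forever. `tls_retry`, `wait_ready`, the `TLS_*` status names and the constructed `fake_write_attempt` stand-in are hypothetical; in real use the callback would call SSL_write or SSL_read and translate the result of SSL_get_error().

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical status codes returned by an attempt callback. A real callback
 * would call SSL_read/SSL_write and map SSL_get_error(): SSL_ERROR_NONE ->
 * TLS_OK, SSL_ERROR_WANT_READ/WRITE -> TLS_WANT_READ/WRITE, else TLS_FATAL. */
enum tls_status { TLS_OK, TLS_WANT_READ, TLS_WANT_WRITE, TLS_FATAL };
typedef enum tls_status (*tls_attempt_fn)(void *arg);

struct tls_conn {
    int fd;               /* socket under the SSL object */
    pthread_mutex_t lock; /* serialises every call into the SSL object */
};

/* Wait until fd is readable (TLS_WANT_READ) or writable (TLS_WANT_WRITE).
 * Returns 1 when ready, 0 on timeout, -1 on error. */
static int wait_ready(int fd, enum tls_status want, int timeout_ms)
{
    for (;;) {
        fd_set fds;
        struct timeval tv;
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        FD_ZERO(&fds);
        FD_SET(fd, &fds);
        /* POSIX select() takes the highest fd + 1 as its first argument. */
        int n = select(fd + 1,
                       want == TLS_WANT_READ ? &fds : NULL,
                       want == TLS_WANT_WRITE ? &fds : NULL,
                       NULL, &tv);
        if (n > 0) return 1;
        if (n == 0) return 0;
        if (errno != EINTR) return -1; /* on EINTR, wait again */
    }
}

/* Retry one operation until it completes. Returns 0 on success, -1 on a
 * fatal error, -2 if the socket was not ready within timeout_ms. */
static int tls_retry(struct tls_conn *c, tls_attempt_fn attempt, void *arg,
                     int timeout_ms)
{
    for (;;) {
        /* Hold the lock for the call only, never while waiting, so the
         * other thread can use the connection in the meantime. */
        pthread_mutex_lock(&c->lock);
        enum tls_status st = attempt(arg);
        pthread_mutex_unlock(&c->lock);

        if (st == TLS_OK) return 0;
        if (st != TLS_WANT_READ && st != TLS_WANT_WRITE) return -1;

        int r = wait_ready(c->fd, st, timeout_ms);
        if (r == 0) return -2;
        if (r < 0) return -1;
        /* Socket is ready: loop and re-issue the same operation. */
    }
}

/* Constructed stand-in for an SSL_write that cannot progress until the peer
 * has sent one byte of "protocol data". */
struct fake_write { int fd; int done; };

static enum tls_status fake_write_attempt(void *arg)
{
    struct fake_write *w = arg;
    char b;
    ssize_t n = recv(w->fd, &b, 1, MSG_DONTWAIT);
    if (n == 1) { w->done = 1; return TLS_OK; }
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return TLS_WANT_READ;
    return TLS_FATAL;
}

int main(void)
{
    int sv[2];
    struct tls_conn c;
    struct fake_write w;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    c.fd = sv[0];
    pthread_mutex_init(&c.lock, NULL);
    w.fd = sv[0];
    w.done = 0;

    /* Peer silent: the retry gives up after the timeout instead of hanging. */
    printf("silent peer: %d\n", tls_retry(&c, fake_write_attempt, &w, 50));
    /* Peer sends its byte: the re-issued operation now succeeds. */
    if (write(sv[1], "x", 1) != 1) return 1;
    printf("after data:  %d\n", tls_retry(&c, fake_write_attempt, &w, 1000));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```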
 
 

RE: Use of Engines

2005-04-08 Thread Edward Chan
Are there docs on this?  I was just going by the example in Network
Security with OpenSSL.  It looked so simple.

ENGINE* e = ENGINE_by_id(ubsec);
ENGINE_set_default(e, ENGINE_METHOD_ALL);

And that is the way it looks in most other examples I've seen.  Apache,
Stunnel, etc.  If someone could point me to some decent docs and examples,
I'll be forever in your debt.

Thanks,
Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, April 07, 2005 5:42 PM
 To: openssl-users@openssl.org
 Subject: Re: Use of Engines
 
 Hi Edward,
 
 I am guessing that you need to call ENGINE_ctrl() to set the 
 right parameters. These are control commands and each engine 
 has a set of these; to see what control commands are 
 available for the ubsec engine:
 
   $ openssl engine ubsec -
 
 Or you could just look into the ubsec engine codes for the 
 definitions.
 
 -Tan Eng Ten
 
 Edward Chan wrote:
  Is it required to call ENGINE_init()? 
  
  Or is this sufficient
  
  ENGINE* e = ENGINE_by_id(id);
  ENGINE_set_default(e, ENGINE_METHOD_ALL);
  
  I have looked in various code, and I mostly see the latter.  But in 
  the stunnel code, I see them doing
  
  ENGINE* e = ENGINE_by_id(id);
  ENGINE_init(e);
  ENGINE_set_default(e, ENGINE_METHOD_ALL);
  
  Also, I tried using a card from nCipher.  But when I specify 
  ENGINE_METHOD_ALL, it seems to be failing in the call to 
  ENGINE_set_default_RSA().  When I dig deeper, it looks like it is 
  trying to load ubsec.dll which is missing.  I've installed all the 
  drivers that came with the card.  Does that mean OpenSSL 
 does not support that card?
  Or does it mean the card doesn't support RSA operations?  What am I 
  doing wrong?
  
  Thanks,
  Ed
  


RE: Use of Engines

2005-04-08 Thread Edward Chan
So what is the purpose of the ENGINE_ctrl_* functions?  Assuming I don't
use the auto-config file, what steps would I need to do to get the crypto
card working?  I already have a configuration file so I don't want to have
another one.  I'd like to keep my app flexible enough that I can use
whatever crypto accelerator card the user has.

Thanks for all the help.

Ed



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Friday, April 08, 2005 4:23 AM
 To: openssl-users@openssl.org
 Subject: Re: Use of Engines
 
 On Thu, Apr 07, 2005, Edward Chan wrote:
 
  Are there docs on this?  I was just going by the example in 
 Network 
  Security with OpenSSL.  It looked so simple.
  
  ENGINE* e = ENGINE_by_id(ubsec);
  ENGINE_set_default(e, ENGINE_METHOD_ALL);
  
  And that is the way it looks in most other examples I've seen.  
  Apache, Stunnel, etc.  If someone could point me to some 
 decent docs 
  and examples, I'll be forever in your debt.
  
 
 You might want to look into the use of the auto config 
 mechanism. This will allow simple use of ENGINEs (and 
 possibly more advanced in future) by placing appropriate 
 parameters in openssl.cnf or some other config file.
 
 The 'openssl' application already supports autoconfig so you 
 can use that to see if you've got the openssl.cnf configuration right.
 
 For the config file format see:
 
 http://www.openssl.org/docs/apps/config.html#OPENSSL_LIBRARY_CONFIGURATION
 
 For the functions an application needs to call see:
 
 http://www.openssl.org/docs/crypto/OPENSSL_config.html
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


RE: RAND_seed()

2005-04-07 Thread Edward Chan
I don't know if /dev/random is available on all linux machines.  But I think
it is.  But as for Windows, which does not have /dev/random, I believe
OpenSSL seeds the PRNG on Windows automatically using a variety of clever
ideas and sources of entropy.  It is probably better than what you could
come up with on your own (I would guess).  For details, either dig into the
OpenSSL src, or maybe one of the OpenSSL gurus can elaborate more on what is
done on Win32.  

BTW, I experimented with EGADS at one point...it's a total memory hog.  And
since I only need it once (when my app starts up) to seed the OpenSSL PRNG,
I'd have to install the EGADS service, start it, seed the PRNG, then stop it
(because it was hogging too much memory if I left it running).  Too much work
and not very elegant if you ask me.  Then I found out that I didn't have to
do anything on Win32 because OpenSSL did it for me.

I hope I'm correct in my statements.  I'm also a relative newbie to OpenSSL.

Ed 

-Original Message-
From: [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: 4/7/2005 12:08 AM
Subject: Re: RAND_seed()

Layla wrote:
 In addition to RAND_screen(), you can use:
  RAND_event(...,...,...);
 but you must know that use of both functions is highly discouraged, in
other words they should be your last resort.

As you can see from the construction I used, RAND_screen() was only 
called, if RAND_status() returned 0
And as I also stated, I have never seen RAND_status() return 0 on 
Win XP.
OpenSSL is doing a good job already seeding the PRNG and only if for 
some reason it is not seeded already, the RAND_screen is called.

And I would say that RAND_screen is fairly much more random than time().
If you like, you could add an additional line to check if the PRNG was 
seeded after the RAND_screen and if not, seed it with time() or simply 
abort, which would probably be better than believe in something to be 
random, but really relies on time().
I wouldn't do much cryptography based on PRNG seeded with time()

PS
On windows I use the prebuilt package from
http://www.slproweb.com/products/Win32OpenSSL.html
And I also use OpenSSL on Linux, but without this 
RAND_status/RAND_screen stuff ;-)

Best regards
Egon Andersen

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?


Use of Engines

2005-04-07 Thread Edward Chan

Is it required to call ENGINE_init()? 


Or is this sufficient


ENGINE* e = ENGINE_by_id(id);
ENGINE_set_default(e, ENGINE_METHOD_ALL);


I have looked in various code, and I mostly see the latter. But in the stunnel code, I see them doing


ENGINE* e = ENGINE_by_id(id);
ENGINE_init(e);
ENGINE_set_default(e, ENGINE_METHOD_ALL);


Also, I tried using a card from nCipher. But when I specify ENGINE_METHOD_ALL, it seems to be failing in the call to ENGINE_set_default_RSA(). When I dig deeper, it looks like it is trying to load ubsec.dll which is missing. I've installed all the drivers that came with the card. Does that mean OpenSSL does not support that card? Or does it mean the card doesn't support RSA operations? What am I doing wrong?

Thanks,
Ed





SSL_read()

2005-03-28 Thread Edward Chan

I have a question about SSL_read(). Am I correct in my understanding that SSL_read() will not read from the socket as long as there is data in the ssl buffers available for processing? And if there is data in the ssl buffer but it cannot be processed because we don't have a complete record, then I will get an SSL_ERROR_WANT_READ/WRITE, in which case, I need to issue SSL_read() again to read more data from the socket?

Thanks,
Ed





RE: SSL_read()

2005-03-28 Thread Edward Chan
Thanks for your reply.  I read that, and I think I understand what it is
saying.  I'm just trying to get confirmation on my understanding of it.  Put
in a different way,  if I have the following code where I do SSL_read() in a
do-while loop,

int iBytesRead = 0;
do
{
    int ret = SSL_read(ssl, buf, sizeof(buf));
    int err = SSL_get_error(ssl, ret);
    if (err == SSL_ERROR_NONE)
    {
        iBytesRead += ret;
    }
    else if (err == SSL_ERROR_ZERO_RETURN)
    {
        return 0; // ssl connection was closed
    }
    else if (err == SSL_ERROR_WANT_READ || err == SSL_ERROR_WANT_WRITE)
    {
        break; // need more data; break loop and add fd back to poll
               // and do another SSL_read() when there is more data
               // available on the socket.
    }
    else
    {
        return 0; // read failed
    }

} while (SSL_pending(ssl)); // ssl buffer has been completely drained
 

Assuming client is continuously sending me data, will I ever exit this loop?
I assume that once the ssl buffer has been emptied, SSL_pending() will
return 0 and I break the loop, or the ssl buffer can no longer be processed
without more data, in which case I get an SSL_ERROR_WANT_READ/WRITE and
break the loop, at which time I will add fd back to poll and wait for more
data on the socket (which could be immediate).


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Monday, March 28, 2005 4:04 PM
 To: openssl-users@openssl.org
 Subject: Re: SSL_read()
 
 Straight from the man pages ..
 
 
 SSL_read() works based on the SSL/TLS records. The data are received
 in records (with a maximum record size of 16kB for SSLv3/TLSv1). Only
 when a record has been completely received, it can be processed
 (decryption and check of integrity). Therefore data that was not
 retrieved at the last call of SSL_read() can still be buffered inside
 the SSL layer and will be retrieved on the next call to SSL_read(). If
 num is higher than the number of bytes buffered, SSL_read() will
 return with the bytes buffered.  If no more bytes are in the buffer,
 SSL_read() will trigger the processing of the next record. Only when
 the record has been received and processed completely, SSL_read() will
 return reporting success. At most the contents of the record will be
 returned. As the size of an SSL/TLS record may exceed the maximum
 packet size of the underlying transport (e.g. TCP), it may be
 necessary to read several packets from the transport layer before the
 record is complete and SSL_read() can succeed.
 
 it speaks to what you are inquiring about
 
 
 
 Edward Chan wrote:
 
  I have a question about SSL_read().  Am I correct in my 
 understanding 
  that SSL_read() will not read from the socket as long as 
 there is data 
  in the ssl buffers available for processing?  And if there 
 is data in 
  the ssl buffer but it cannot be processed because we don't have a 
  complete record, then I will get an SSL_ERROR_WANT_READ/WRITE, in 
  which case, I need to issue SSL_read() again to read more data from 
  the socket?
 
  Thanks,
  Ed
 


Support for CryptoSwift PCI cards

2005-03-21 Thread Edward Chan

I was told that the CryptoSwift card from SafeNet is no longer being marketed and has been replaced with something called Luna PCI. Does OpenSSL 0.9.7d support this card? And if so, do you use the same engine string as used for the CryptoSwift card?

Thanks,
Ed





Question about bio pairs

2005-03-19 Thread Edward Chan

I know it's been talked about many times before, and I've read thru the archives, but I still don't quite get it. If I want to use I/O completion ports on Windows, I can perform the I/O as I normally would. But after reading the encrypted data off the socket, I write it to one end of the bio pair (the external bio), and then read from the other end (internal) which will give me unencrypted data. Similarly, if I want to write, I write the unencrypted data to the internal end of the bio pair, then read from the external end to get the encrypted data which is then written out to the socket. Does that sound right?

Would the pseudo-code for this look something like this (on the read end):


BIO* internal_bio = 0;
BIO* network_bio = 0;

BIO_new_bio_pair(&internal_bio, 4096, &network_bio, 4096);
SSL_set_bio(ssl, internal_bio, internal_bio);
SSL_set_connect_state(ssl);
BIO_set_ssl(internal_bio, ssl, BIO_NOCLOSE);

unsigned char readbuf[4096]; // buffer to hold encrypted data read off the socket
int iRead = recv(sock, readbuf, sizeof(readbuf), 0); // read the encrypted data off the socket
BIO_write(network_bio, readbuf, iRead); // write the encrypted data to the external end of the bio pair
unsigned char unencrypted[4096]; // buffer to hold unencrypted data read off the internal bio
BIO_read(internal_bio, unencrypted, sizeof(unencrypted)); // read from the internal end to get the data unencrypted







Using CryptoAPI to verify a cert

2005-03-07 Thread Edward Chan

Does anybody know how to use the Microsoft Crypto API's to verify a cert? Given an X509 object, I've created a CERT_CONTEXT using the Crypto API, CertCreateCertificateContext(). And I've got a handle to the Windows certificate store, using CertOpenSystemStore(). But I have no idea how to verify the cert. Can anyone help? Examples, documentation?

Thanks,
Ed





RE: What does the subject name's hash mean?

2005-03-05 Thread Edward Chan
And to what length is it truncated?  Thanks.

Ed 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
 Sent: Saturday, March 05, 2005 1:48 AM
 To: openssl-users@openssl.org
 Subject: Re: What does the subject name's hash mean?
 
 Edward Chan wrote:
  Sorry for all the questions today.  But I'm looking at the
  SSL_CTX_load_verify_locations() API and the 3rd arg.  This 
 specifies, 
  The name of a directory containing CA certificates.  Each 
 file in the 
  directory must contain only a single CA certificate, and the files 
  must be named by the subject name's hash and an extension 
 of .0.  
  That was taken from the O'Reilly book.
  
  What exactly is the subject name's hash?
 
 a truncated md5 hash value of the der encoded subject dn 
 (it's used to easier locate the issuer of a certificate)
 
 Nils


RE: What does the subject name's hash mean?

2005-03-05 Thread Edward Chan
Ah, cool.  Thanks! 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Nils Larsch
 Sent: Saturday, March 05, 2005 11:10 AM
 To: openssl-users@openssl.org
 Subject: Re: What does the subject name's hash mean?
 
 Edward Chan wrote:
  And to what length is it truncated?  Thanks.
 
 to the length of an unsigned long, have a look at
 X509_NAME_hash() in crypto/x509/x509_cmp.c
 
 Nils
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
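
The file-naming rule Nils describes above, worked through as an added example (not part of the thread and not OpenSSL's own code): it DER-encodes a subject name, reads the first four MD5 bytes as a little-endian integer the way X509_NAME_hash() did in the 0.9.7 series, and walks `<hash>.0`, `<hash>.1`, ... as a hashed CA directory lookup does. The sample names and all function names are constructed for illustration; OpenSSL 1.0.0 and later compute the default hash differently, so these values correspond to `-subject_hash_old` there.

```python
import hashlib

# DER tags and encoded attribute OIDs used by the constructed sample names.
SEQUENCE, SET, OID, UTF8_STRING, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x0C, 0x13
OID_O = bytes.fromhex("55040a")    # 2.5.4.10 organizationName
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName


def der_len(n):
    """DER length octets: one byte below 0x80, else 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """Tag || Length || Value."""
    return bytes([tag]) + der_len(len(value)) + value


def name_der(attrs, string_tag=PRINTABLE_STRING):
    """Encode [(oid, text), ...] as an X.501 Name, one attribute per RDN."""
    rdns = b""
    for oid, text in attrs:
        atv = tlv(SEQUENCE, tlv(OID, oid) + tlv(string_tag, text.encode("utf-8")))
        rdns += tlv(SET, atv)
    return tlv(SEQUENCE, rdns)


def _md5(data):
    # MD5 is only a directory index here, not a security control.
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except TypeError:  # interpreter without the usedforsecurity flag
        return hashlib.md5(data).digest()


def legacy_subject_hash(subject_der):
    """First four MD5 bytes of the DER-encoded name, read little-endian."""
    return int.from_bytes(_md5(subject_der)[:4], "little")


def hashed_filename(subject_der, taken=()):
    """Next free '<hash>.<n>' name; n counts up when the hash is in use."""
    base = "%08x" % legacy_subject_hash(subject_der)
    n = 0
    while "%s.%d" % (base, n) in taken:
        n += 1
    return "%s.%d" % (base, n)


def find_by_subject(directory, subject_der):
    """Walk <hash>.0, <hash>.1, ... and return the file whose subject matches.

    `directory` maps file name -> subject DER of the certificate in that file.
    The 32-bit hash only narrows the search; the full name is still compared.
    """
    base = "%08x" % legacy_subject_hash(subject_der)
    n = 0
    while True:
        fname = "%s.%d" % (base, n)
        if fname not in directory:
            return None
        if directory[fname] == subject_der:
            return fname
        n += 1


# Constructed sample names (not taken from the thread).
_ROOT_ATTRS = [(OID_O, "Example Org"), (OID_CN, "Example Root CA")]
ROOT = name_der(_ROOT_ATTRS)
ROOT_UTF8 = name_der(_ROOT_ATTRS, UTF8_STRING)
OTHER = name_der([(OID_CN, "Test CA")])

if __name__ == "__main__":
    print("subject DER:", ROOT.hex())
    print("store as:", hashed_filename(ROOT))
    print("same text as UTF8String:", hashed_filename(ROOT_UTF8))
```

Because the hash covers the exact DER bytes, the same name text encoded as UTF8String instead of PrintableString is filed under a different name.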


RE: Questions about cert verification

2005-03-04 Thread Edward Chan
Thanks for the info.  I think I understand now.  A plain old digital
signature will not have the cert info, but a PKCS7 container does.  I think
that is what I have, if I followed the example correctly.  Am I correct in
saying that a PKCS7 container contains a digital signature + certificate
information?

In the verification process, it only verifies that the certificate was
signed by a trusted CA.  But I would like to know who this trusted CA is.
The reason is, this...I have a piece of data that I want to sign.  I give
this piece of data along with my application to someone else.  When this
person runs the app, I want to verify that he is using the data that I gave
him.  So I want to make sure the data he uses is signed by me.  To do that,
I run the verification on the signed data (the PKCS7 container).  But the
certificate validation only tells me if it was signed by a trusted CA.  But
there is nothing to prevent this person from creating their own CA, making
it a trusted CA on their system, creating their own data file, and signing
it.  That's why I want to make sure the data was signed by a certificate
that was issued to me, and that the root CA is the well known, trusted CA
that I had sign my cert; not his own CA that he made trusted on his
system.

Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bernhard Froehlich
 Sent: Friday, March 04, 2005 12:31 AM
 To: openssl-users@openssl.org
 Subject: Re: Questions about cert verification
 
 Edward Chan wrote:
 
  I've been trying to follow the examples in Network Security with 
  OpenSSL.  But I just don't get it.  I know, I'm an idiot.  Can 
  somebody point me in the right direction with the 
 appropriate API's to 
  use for doing the following:
 
  I have a digital signature that I want to verify.  As part of my 
  verification, I want to
 
  1. get the certificate information from the signature. I 
 want to know 
  who created the signature (so I want to look at the cert 
 that was used 
  to create the signature).  I also want to know the root CA who 
  signed this cert.
 
  2. how do I get an X509* to these certs?
 
  3. how do I verify that the root cert is that of a specific 
 CA.  For 
  this, can I simply compare the public key in this root cert 
 with the 
  public key that is known for the CA of interest.  Is that enough to 
  determine identity of the root cert?  Nobody else can create a self 
  signed cert with the same public key can they?
 
  Does this make any sense?  I'm not sure if I'm explaining myself 
  correctly, so this may seem like jibberish.  If so, please let me 
  know.  And thanks for any help you can give.
 
  Thanks,
 
  Ed
 
 I'm giving this a try, but I'm not very sure of myself in 
 this area. If something sounds not plausible (or you know 
 that it's wrong) please correct me.
 
 The digital signature in a technical sense (like it is used 
 in Chapter
 8 of the O'Reilly book) consists of the encrypted checksum of 
 the data. 
 So it does not contain a certificate or even an ID of the key 
 used to generate it. You have to know the key in advance 
 before you can check the signature.
 Applications which digitally sign data (like S/MIME) usually 
 transfer additional information to specify the used key and 
 its certificates. In the case of S/MIME a PKCS#7 container is 
 used to this effect.
 So you cannot verify a naked signature without knowing the 
 public key. 
 On the other hand, if you have a PKCS#7 container you can use 
 the approach described in the book's Chapter 10 
 (PKCS7_verify) or use other
 PKCS7 APIs to extract public key and certificate from the container.
 To be sure a certificate is issued by a specific CA you 
 should use this CA's certificate as the only trusted CA in 
 the verification process. If you don't trust the CA for 
 issuing Sub-CA-certs you can additionally check the length of 
 the certificate chain. This should take care of the issue in 
 the most appropriate way.
 Comparing public keys may also work, but why repeat the 
 job that has already been done by OpenSSL in the verification process?
 
 Hope it helps
 Ted
 ;)
 
 --
 PGP Public Key Information
 Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
 Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
 
 


RE: Does anybody know where certs are installed on Windows?

2005-03-04 Thread Edward Chan
Does anybody know off hand what the API is to call to find the location?
How are people calling SSL_CTX_load_verify_locations() on Windows?

Thanks,
Ed

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dr. 
 Stephen Henson
 Sent: Thursday, March 03, 2005 1:09 PM
 To: openssl-users@openssl.org
 Subject: Re: Does anybody know where certs are installed on Windows?
 
 On Thu, Mar 03, 2005, Edward Chan wrote:
 
  Is there a Win32 API or something that can tell me where certs get 
  installed on Windows?
  
 
 They are installed in the registry. The precise location 
 isn't officially documented. It is possible to search and 
 access them using CryptoAPI. The relevant functions all begin 
 with Cert.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


RE: Does anybody know where certs are installed on Windows?

2005-03-04 Thread Edward Chan
I understand the usage of the API.  What I mean is, how do you know what
directory or file to specify, if this is not easily known?  Dr. Henson said
that the certs are stored in the Windows registry but that the location is
retrievable using certain Cert* Win32 API's.  Just wondering if anybody knew
off hand what API's I should use since this must be a common thing that
people do for Windows to use SSL_CTX_load_verify_locations() , right?

Ed 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Darya 
 Mazandarany
 Sent: Friday, March 04, 2005 11:38 AM
 To: openssl-users@openssl.org
 Subject: RE: Does anybody know where certs are installed on Windows?
 
 You would call SSL_CTX_load_verify_locations(SSL_CTX*, path to cert
 file, path to directory containing public keys) with either the 2nd
 or 3rd param optionally NULL, but not both.
 
 The file would contain one or more CA public keys and the 
 directory is ca public keys with the name of the file being a 
 hash of the ca name with a .0 extension.
 
 Darya
 
 -Original Message-
 From: Edward Chan [mailto:[EMAIL PROTECTED]
 Sent: Friday, March 04, 2005 11:23 AM
 To: openssl-users@openssl.org
 Subject: RE: Does anybody know where certs are installed on Windows?
 
 Does anybody know off hand what the API is to call to find 
 the location?
 How are people calling SSL_CTX_load_verify_locations() on Windows?
 
 Thanks,
 Ed
 
  
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Dr.
  Stephen Henson
  Sent: Thursday, March 03, 2005 1:09 PM
  To: openssl-users@openssl.org
  Subject: Re: Does anybody know where certs are installed on Windows?
  
  On Thu, Mar 03, 2005, Edward Chan wrote:
  
   Is there a Win32 API or something that can tell me where 
 certs get 
   installed on Windows?
   
  
  They are installed in the registry. The precise location isn't 
  officially documented. It is possible to search and access 
 them using 
  CryptoAPI. The relevant functions all begin with Cert.
  
  Steve.
  --
  Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
 homepage OpenSSL 
  project core developer and freelance consultant.
  Funding needed! Details on homepage.
  Homepage: http://www.drh-consultancy.demon.co.uk
  


RE: Does anybody know where certs are installed on Windows?

2005-03-04 Thread Edward Chan
Oh man. So what do people do for Windows?  Is there an example out there to
follow?  Or does everyone just write their own stuff using the MS
CryptoAPI's? 



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Jim Adams
 Sent: Friday, March 04, 2005 12:46 PM
 To: openssl-users@openssl.org
 Subject: RE: Does anybody know where certs are installed on Windows?
 
  
 SSL_CTX_load_verify_locations() is called to tell Openssl 
 where your application has stored your .0 root cert files.  
 Windows does not keep its root certs in a directory, or in .0 
 format.  So Openssl cannot verify directly against Windows' 
 certs.  You can retrieve Windows' certs using the Crypto API 
 (functions beginning with Cert, such as CertOpenSystemStore()).
 You can convert them to a form that Openssl can use, but it 
 takes a little work.
 So, you could retrieve all of the Windows certs from their 
 trusted root store and write them out to .0 files in the 
 directory you supplied to Openssl via 
 SSL_CTX_load_verify_locations().  But this is anything but automatic.
 CryptoAPI and Openssl can share info via compatible 
 structures, but that is about as far as it goes.  The rest is 
 up to you.
 
 Jim
 
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
 Sent: Friday, March 04, 2005 2:58 PM
 To: openssl-users@openssl.org
 Subject: RE: Does anybody know where certs are installed on Windows?
 
 I understand the usage of the API.  What I mean is, how do 
 you know what directory or file to specify, if this is not 
 easily known?  Dr. Henson said that the certs are stored in 
 the Windows registry but that the location is retrievable 
 using certain Cert* Win32 API's.  Just wondering if anybody 
 knew off hand what API's I should use since this must be a 
 common thing that people do for Windows to use 
 SSL_CTX_load_verify_locations() , right?
 
 Ed 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Darya 
  Mazandarany
  Sent: Friday, March 04, 2005 11:38 AM
  To: openssl-users@openssl.org
  Subject: RE: Does anybody know where certs are installed on Windows?
  
  You would call SSL_CTX_load_verify_locations(SSL_CTX*, path to cert
  file, path to directory containing public keys) with 
 either the 2nd
  or 3rd param optionally NULL, but not both.
  
  The file would contain one or more CA public keys and the 
 directory is 
  ca public keys with the name of the file being a hash of 
 the ca name 
  with a .0 extension.
  
  Darya
  
  -Original Message-
  From: Edward Chan [mailto:[EMAIL PROTECTED]
  Sent: Friday, March 04, 2005 11:23 AM
  To: openssl-users@openssl.org
  Subject: RE: Does anybody know where certs are installed on Windows?
  
  Does anybody know off hand what the API is to call to find the 
  location?
  How are people calling SSL_CTX_load_verify_locations() on Windows?
  
  Thanks,
  Ed
  
   
  
   -Original Message-
   From: [EMAIL PROTECTED] 
   [mailto:[EMAIL PROTECTED] On Behalf Of Dr.
   Stephen Henson
   Sent: Thursday, March 03, 2005 1:09 PM
   To: openssl-users@openssl.org
   Subject: Re: Does anybody know where certs are installed 
 on Windows?
   
   On Thu, Mar 03, 2005, Edward Chan wrote:
   
Is there a Win32 API or something that can tell me where
  certs get
installed on Windows?

   
   They are installed in the registry. The precise location isn't 
   officially documented. It is possible to search and access
  them using
   CryptoAPI. The relevant functions all begin with Cert.
   
   Steve.
   --
   Dr Stephen N. Henson. Email, S/MIME and PGP keys: see
  homepage OpenSSL
   project core developer and freelance consultant.
   Funding needed! Details on homepage.
   Homepage: http://www.drh-consultancy.demon.co.uk
   
  

RE: Does anybody know where certs are installed on Windows?

2005-03-04 Thread Edward Chan
I see.  So current OpenSSL users on Windows either have to convert all the
certs to the correct format and store them in a directory accessible by
OpenSSL, or they have to go with the Microsoft Cert* API's.  Is that a
correct statement? 

There is no way I can use the certs that come pre-installed with Windows,
and feed that into OpenSSL without converting each cert to a file that can
be understood by OpenSSL?

Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bernhard Froehlich
 Sent: Friday, March 04, 2005 1:44 PM
 To: openssl-users@openssl.org
 Subject: Re: Does anybody know where certs are installed on Windows?
 
 Edward Chan wrote:
 
 I understand the usage of the API.  What I mean is, how do you know 
 what directory or file to specify, if this is not easily known?  Dr. 
 Henson said that the certs are stored in the Windows 
 registry but that 
 the location is retrievable using certain Cert* Win32 API's.
 
 No, not the location is retrievable but the certs. I'm not 
 even sure if the certs live in the registry or somewhere in 
 active directory or in some Jet database hidden in the 
 Windows directory.
 If you want to use the windows certificate storage with 
 OpenSSL you'll have to extract the certificates, possibly 
 convert them into correct format and stuff them into OpenSSL. 
 Have a look at 
 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptography_functions.asp
 
 Sorry, there is no such function like
 SSL_CTX_load_verify_locations(CertGetSecretCertificateStorage()).
 If you have to use the Windows cert storage it's probably 
 less work to use MS Crypto-API...
 
  Just wondering if anybody knew
 off hand what API's I should use since this must be a common 
 thing that 
 people do for Windows to use SSL_CTX_load_verify_locations() , right?
 
 Ed
   
 
 Ted
 ;)
 


What does the subject name's hash mean?

2005-03-04 Thread Edward Chan

Sorry for all the questions today. But I'm looking at the SSL_CTX_load_verify_locations() API and the 3rd arg. This specifies, The name of a directory containing CA certificates. Each file in the directory must contain only a single CA certificate, and the files must be named by the subject name's hash and an extension of .0. That was taken from the O'Reilly book.

What exactly is the subject name's hash?


Thanks,
Ed





Does anybody know where certs are installed on Windows?

2005-03-03 Thread Edward Chan

Is there a Win32 API or something that can tell me where certs get installed on Windows?


Thanks,
Ed





Questions about digital signatures

2005-03-03 Thread Edward Chan

Below is code that I got from the Network Security with OpenSSL book to sign a piece of data using a certificate generated and signed by a CA I created (error checking left out). It seems to work. But I'm curious about what sort of information goes into the resulting signature. I'm a little confused at how the verification process seems to work without requiring the cert that was used to sign the data. How is that possible? I thought it would require the public key from the cert to verify the signature to determine if it was signed using the private key associated with the public key in the cert.

From the signature, can I get information about each cert in the chain up to the root cert?


#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/x509.h>

void sign()
{
 const char* data = "This is the data to be signed.";
 FILE* fpPrivateKey = fopen("private.pem", "r"); // assumes priv key file is in PEM format
 EVP_PKEY* pkey = PEM_read_PrivateKey(fpPrivateKey, 0, 0, 0);
 fclose(fpPrivateKey);

 // read the signer certificate
 FILE* fpCert = fopen("cert.pem", "r");
 X509* cert = PEM_read_X509(fpCert, 0, 0, 0);
 BIO* in = BIO_new_mem_buf((void*)data, -1); // TO DO:
 STACK_OF(X509)* chain = sk_X509_new_null();
 fclose(fpCert);

 // read the root certificate and add it to the chain carried in the PKCS7
 FILE* fpRoot = fopen("root.cer", "r"); // TO DO:
 X509* tmp = PEM_read_X509(fpRoot, 0, 0, 0);
 sk_X509_push(chain, tmp);
 fclose(fpRoot);

 PKCS7* pkcs7 = PKCS7_sign(cert, pkey, chain, in, 0);
 FILE* fpSignature = fopen("signature", "wb"); // open file to write signature
 BIO* out = BIO_new_fp(fpSignature, BIO_NOCLOSE); // TO DO: 
 SMIME_write_PKCS7(out, pkcs7, in, 0);
 fclose(fpSignature);
}


void verify()
{
 // create_store() and CA_FILE are defined elsewhere (not shown in this post)
 X509_STORE* store = create_store(CA_FILE, 0);
 FILE* fp = fopen("signature", "rb");
 BIO* in = BIO_new_fp(fp, BIO_NOCLOSE); // TO DO:
 BIO* pkcs7_bio = 0;
 PKCS7* pkcs7 = SMIME_read_PKCS7(in, &pkcs7_bio);
 BIO* out = BIO_new_fp(stdout, BIO_NOCLOSE); // TO DO:
 if (PKCS7_verify(pkcs7, 0, store, pkcs7_bio, out, 0) == 1)
 {
  fprintf(stderr, "verified\n");
 }
 fclose(fp);
}





Questions about cert verification

2005-03-03 Thread Edward Chan

I've been trying to follow the examples in Network Security with OpenSSL. But I just don't get it. I know, I'm an idiot. Can somebody point me in the right direction with the appropriate API's to use for doing the following:

I have a digital signature that I want to verify. As part of my verification, I want to 


1. get the certificate information from the signature. I want to know who created the signature (so I want to look at the cert that was used to create the signature). I also want to know the root CA who signed this cert.

2. how do I get an X509* to these certs?


3. how do I verify that the root cert is that of a specific CA. For this, can I simply compare the public key in this root cert with the public key that is known for the CA of interest. Is that enough to determine identity of the root cert? Nobody else can create a self signed cert with the same public key can they?

Does this make any sense? I'm not sure if I'm explaining myself correctly, so this may seem like jibberish. If so, please let me know. And thanks for any help you can give.

Thanks,


Ed





Using SSL_read with Windows Overlapped I/O

2005-02-13 Thread Edward Chan

Can somebody describe how, if possible, to use OpenSSL with Windows overlapped I/O?





RE: Using SSL_read with Windows Overlapped I/O

2005-02-13 Thread Edward Chan

Never mind, I found some info in the archives. Again, 
I should have looked before I posted. My apologies.

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
  Sent: Sunday, February 13, 2005 12:22 AM
  To: openssl-users@openssl.org
  Subject: Using SSL_read with Windows Overlapped I/O
  
  Can somebody describe how, if possible, to use 
  OpenSSL with Windows overlapped I/O? 


RE: Renegotiation with reader and writer threads.

2005-02-08 Thread Edward Chan
I was also having some problems with SSL_read() and SSL_write().  My
application does read and write from different threads.  My problems seem to
have gone away after reading David's comment that 2 threads can't be reading
and writing at the same time on the same SSL connection.  So I've added a
mutex to the read and write methods, and this seems to fix my problem.  Now,
the only errors I get are SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE (as
expected) whereas before I was also getting other errors.

Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kumar, Sunil
 Sent: Tuesday, February 08, 2005 6:30 AM
 To: openssl-users@openssl.org
 Subject: RE: Renegotiation with reader and writer threads.
 
  
 I'm not sure what you mean by reader and writer, but 
 if you mean
 that both threads call OpenSSL functions, you will need to 
 associate a mutex with each connection to ensure that the 
 reader thread and writer thread are not trying to 
 manipulate that SSL connection at the same time.
 
 The reader thread's whole purpose in life is to 
 read(SSL_read() etc) incoming bytes, make sense out of them 
 and hand it over to the main() (through queues) and the 
 writer thread does the exact opposite, it takes messages from 
 main() and writes it to the socket (through SSL_write()).  
 Earlier my socket was blocking type, I read somewhere that it 
 needs to be non-blocking when renegotiation is done(or I 
 should have interpreted it incorrectly), so I changed it to 
 non-blocking and handled the reads and writes appropriately. 
 Everything works except when I start to renegotiate and that 
 too works but fails occasionally (in other words it doesn't work).
  
 Now coming to the first part of your comment. As I understand 
 it, the manipulation of SSL connection needs mutex, but can 
 the SSL_read(s) and SSL_write(s) be done from two threads 
 independently? By manipulation do you mean only renegotiation 
 and kind or will SSL_read and SSL_write also fall under that category?
 If it is so then how come I never encountered problems till 
 now for reading and writing through the two threads 
 (interleaved execution)? The problems came up when I started 
 doing renegotiation.
 
 Thank you.
 
 
 
 
 My client and server has two threads each: a reader thread and a
 writer thread.
 I have put the renegotiation code in the reader thread. It works for 
 most of the time but occasionally the client gets an Encrypted Alert
 message ( I suspect that this happens when the application data
 somehow gets in-between).
 
 How can I do renegotiation if both my client and server communicate
 on a duplex channel with reader and writer threads?
 
   I'm not sure what you mean by reader and writer, 
 but if you mean that both threads call OpenSSL functions, you 
 will need to associate a mutex with each connection to ensure 
 that the reader thread and writer thread are not trying to 
 manipulate that SSL connection at the same time.
 
   Unlike a TCP connection as presented by the kernel to 
 user space, an SSL connection is *NOT* two independent 
 directions. It is a single state machine.
 
   DS
 
 


PEM_write_DSA_PUBKEY

2005-02-08 Thread Edward Chan

I'm trying to write the public/private keys to a PEM file. I'm using the book Network Security with OpenSSL as a reference which says I need to use PEM_write_DSA_PUBKEY, but I can't find this anywhere in the openssl source. I'm using 0.9.7d. I see PEM_write_DSAPrivateKey, but nothing for public key. Am I missing something? Anybody know what function should I be using?

Thanks,
Ed





Cryptographic accelerators

2005-02-06 Thread Edward Chan

Hi there,


Of the accelerators that OpenSSL supports, which are the more popular? And what are people's experiences with these cards?

I want to get 1 or 2 to test with and was wondering which ones you would recommend to get.


Thanks,
Ed





SSL_read SSL_write and retry

2005-02-03 Thread Edward Chan

Hi there,


I've been trying to figure out the correct way to use SSL_read and SSL_write with retry and auto retry mode, etc. I'm a little confused. I've got a program that uses blocking sockets, and select (I only use select to check for readability of sockets). When select wakes up indicating there is data to be read, I pull a thread from a thread pool and call SSL_read. 

Am I correct in assuming that each time SSL_read succeeds (return value > 0), then the data read is application data?


And if SSL_read returns 0, it is an error? And if < 0, check if SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE is the error, in which case I need to retry the read? And if I do get one of these errors, should I immediately reissue the SSL_read, or should I do a select again and wait until there is actual data to be read? I'm guessing the latter since the former may result in the call blocking, and the thread would be tied up which could eventually lead to all my threads in the pool being blocked. Does this sound right?

If I get SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE after a call to SSL_write(), can I simply reissue the SSL_write() immediately? Is there any harm in this? It wouldn't block like SSL_read() might, would it?


Also, I've set the SSL_MODE_AUTO_RETRY flag on the SSL_CTX, but when I call SSL_write(), I still seem to get the SSL_ERROR_WANT_WRITE error. I thought that if I used this flag, that I wouldn't have to worry about retrying?

And if I use this flag, I would still be susceptible to blocking indefinitely in SSL_read() wouldn't I?


Sorry for all the questions. I hope I was clear in explaining what I'm unclear of. Thanks for any info or help you can provide me.

Regards,
Ed





RE: SSL_read() on blocking I/O

2005-02-02 Thread Edward Chan
My understanding is that SSL_read is similar to the regular read() call in
its semantics.  That means the m_length arg you supplied is the max number
of bytes to read (so this obviously should be <= size of the buffer
supplied).  It will read what ever is available, up to a max of m_length.
So if you have less data, it will only read that much and return.  If you
have more data, it will read up to m_length and return, and you will have to
issue another read to continue reading the rest of the data.

If you don't want to continue until you have read m_length amount of data,
it sounds like you would want to do that in application logic.  But I'm a
newbie to OpenSSL, so I may not understand the correct semantics of the API.

Ed

 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Tuesday, January 25, 2005 11:46 PM
 To: openssl-users@openssl.org
 Subject: SSL_read() on blocking I/O
 
 On a blocking TCP socket, I create a blocking BIO using :
 
 sbio=BIO_new_socket(sockfd,BIO_CLOSE);
 SSL_set_bio(ssl,sbio,sbio);
 BIO_set_nbio(sbio,0);
 SSL_connect(ssl);
 
 When receiving a message that is longer than 16k, 
 SSL_read(ssl, buffer,
 m_length) returns SSL_ERROR_NONE when exactly 16k are read 
 from the SSL connection.
 
 I expected (and I would like) SSL_read() to return only when 
 m_length bytes are read.
 
 Where am I wrong ?
 
 Cheers,
 
 Thierry
 
 --
 Thierry Wouters
 Alcatel Bell n.v.
 Bld Comte de Smet de Nayer 14
 Belgium - 5000 Namur
 [EMAIL PROTECTED]
 
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
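
The application-level loop suggested in the reply above, as an added example that is not part of the original thread: it keeps reading until the requested length has arrived, the peer closes, or a read fails. `read_fn`, `read_exact`, `fake_conn` and `fake_read` are hypothetical names; the callback stands in for SSL_read so the block builds without OpenSSL, and the constructed peer returns at most one 16384-byte record per call, matching the 16k behaviour described in the question.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for SSL_read(ssl, buf, num) so this builds without
 * OpenSSL: returns >0 bytes read, 0 when the peer has closed, <0 on error. */
typedef int (*read_fn)(void *conn, void *buf, int num);

/* Keep reading until `want` bytes are stored, the peer closes, or a read
 * fails. Returns the bytes stored; *last holds the final read's return
 * value, which real code would pass to SSL_get_error() when it is <= 0. */
size_t read_exact(read_fn rd, void *conn, unsigned char *buf,
                  size_t want, int *last)
{
    size_t got = 0;
    *last = 0;
    while (got < want) {
        size_t left = want - got;
        int n = rd(conn, buf + got,
                   left > (size_t)INT_MAX ? INT_MAX : (int)left);
        *last = n;
        if (n <= 0)
            break;              /* closed or failed: report a short read */
        got += (size_t)n;
    }
    return got;
}

/* Constructed peer for the demonstration: it holds `avail` bytes and, like
 * the TLS record layer, hands back at most one 16384-byte record per call. */
#define RECORD_MAX 16384
struct fake_conn { size_t avail; unsigned calls; };

int fake_read(void *conn, void *buf, int num)
{
    struct fake_conn *c = conn;
    size_t n = c->avail < RECORD_MAX ? c->avail : RECORD_MAX;
    if ((size_t)num < n)
        n = (size_t)num;
    c->calls++;
    if (n == 0)
        return 0;               /* nothing left: behave like a clean close */
    memset(buf, 0xAB, n);
    c->avail -= n;
    return (int)n;
}
```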


RE: Seed PRNG on Windows

2005-01-31 Thread Edward Chan
Thanks.  I guess I should have done that first.  My apologies.  But I
couldn't find the answer to my next question.  If the PRNG is already seeded
using the Crypto API, how many bits of entropy are used to seed it?

On linux, I make it configurable thru a call to

RAND_load_file("/dev/random/", iEntropy); // iEntropy = # bytes of entropy to use

Is this correct for linux?

Thanks,
Ed

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bernhard Froehlich
 Sent: Sunday, January 30, 2005 2:46 AM
 To: openssl-users@openssl.org
 Subject: Re: Seed PRNG on Windows
 
 Edward Chan wrote:
 
  Hi there,
 
  Just wondering what people typically use to seed the PRNG 
 on Windows.  
  On linux, there is /dev/random.  But there is no such device for 
  Windows.  I've heard of EGADS, but when I installed the 
 EGADS service, 
  I found it to be a huge memory hog.  Are there any other options?
  Note that I can't really use anything that depends on mouse 
 and cursor 
  movements since my app is run on a server.
 
  Ed
 
 On Windows the PRNG is automatically seeded using the RNG 
 provided by MS Crypto API. For more Infos please search the 
 archives... ;)
 
 Ted
 ;)
 


RE: Seed PRNG on Windows

2005-01-31 Thread Edward Chan
Great. Thanks for the info. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Bernhard Froehlich
 Sent: Monday, January 31, 2005 11:39 PM
 To: openssl-users@openssl.org
 Subject: Re: Seed PRNG on Windows
 
 Edward Chan wrote:
 
 Thanks.  I guess I should have done that first.  My apologies.  But I 
 couldn't find the answer to my next question.  If the PRNG 
 is already 
 seeded using the Crypto API, how many bits of entropy are 
 used to seed it?
   
 
 The following code is in crypto/rand/rand_win.c:
 
  
 BYTE buf[64];
 .
 .
 .
 if (acquire(hProvider, 0, 0, PROV_RSA_FULL,
         CRYPT_VERIFYCONTEXT))
 {
     if (gen(hProvider, sizeof(buf), buf) != 0)
     {
         RAND_add(buf, sizeof(buf), 0);
 #if 0
         printf("randomness from PROV_RSA_FULL\n");
 #endif
     }
     release(hProvider, 0);
 }
 
 
 So IMHO there are at least 64 Bytes (or 512 Bits) of added 
 entropy on each call of RAND_poll.
 In addition, some network statistics as well as memory status, 
 current cursor position and several other things are added to 
 the random pool if they can be acquired (which should be the 
 case on a Win2000+ machine). 
 Hard to guess the entropy from that, but I think it might be 
 an additional 32 to 64 Bytes.
 
 Note that on Windows CE it might be considerably less since I 
 do not know if the Crypto API is available on every platform.
 
 So the added entropy per call is fixed; if you need more you 
 can use additional calls to RAND_poll. And of course you can 
 still use RAND_add yourself if you have a reliable source of 
 randomness.
 
 On linux, I make it configurable thru a call to
 
 RAND_load_file("/dev/random/", iEntropy); // iEntropy = # bytes of entropy to use
 
 Is this correct for linux?
   
 
 It sounds correct, but my knowledge in this area on Linux is 
 considerably lower... ;)
 
 Thanks,
 Ed
   
 
 Ted
 ;)
 
 --
 PGP Public Key Information
 Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
 Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
 
 


Seed PRNG on Windows

2005-01-29 Thread Edward Chan

Hi there,


Just wondering what people typically use to seed the PRNG on Windows. On linux, there is /dev/random. But there is no such device for Windows. I've heard of EGADS, but when I installed the EGADS service, I found it to be a huge memory hog. Are there any other options? Note that I can't really use anything that depends on mouse and cursor movements since my app is run on a server.

Ed





Does anyone use egads?

2004-10-03 Thread Edward Chan

Hi there,


Just wondering if anyone uses Entropy Gathering And Distribution System (EGADS)? I'm using it on Windows. But I just noticed, it is a HUGE memory hog. Just starting up the egads service, it immediately takes up almost 150Mb of RAM.

Does that sound right? Just wanted to hear other people's experience with it, and if there are other options for gathering entropy on windows; something that doesn't require user interaction such as mouse clicks, etc. since the machine is a server.

Thanks,


Ed





RE: Certificate expired error

2004-09-08 Thread Edward Chan
It says 2005, and my system clock is fine.  But it seems to expire after 30
days.  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
 Sent: Wednesday, September 08, 2004 3:54 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Certificate expired error
 
 Use the openssl x509 -dates option to view the actual dates 
 in the certificate.
 Also check your system clock.
 
 
 On Sep 7, 2004, at 5:09 PM, Edward Chan wrote:
 
  Hi there,
 
  I had created a certificate to test with using OpenSSL.  It is 
  supposed to expire in Aug. 2005.  I have been using it for the past 
  few weeks.  Then all of a sudden, I'm getting sslv3 alert 
 certificate 
  expired from SSL_accept().
 
  What's going on?
 
  Thanks,
  Ed
 


Certificate expired error

2004-09-07 Thread Edward Chan

Hi there,


I had created a certificate to test with using OpenSSL. It is supposed to expire in Aug. 2005. I have been using it for the past few weeks. Then all of a sudden, I'm getting sslv3 alert certificate expired from SSL_accept().

What's going on?


Thanks,
Ed





Few general questions

2004-09-02 Thread Edward Chan

Is it possible to do gather writes with OpenSSL? For example, instead of SSL_write(), is there something like SSL_writev()?

When doing SSL_read(), the bytes read have already been unencrypted. Is there a way to figure out how much data was read before decrypting? Similarly, is there a way to figure out how much data is written out with SSL_write() after encrypting? I want to keep track of bytes being transferred over the wire, but the numbers I have now are pre-encryption and post-decryption so it is not an accurate number.

Has anybody used OpenSSL on Windows, but with Windows native Async I/O? I'm currently using SSL_read() and SSL_write(), so I can't take advantage of true async i/o. Instead, I've created my own by using my own thread pool and select. But I'd like to use native async i/o cuz it's much faster.

Thanks,
Ed




