Re: How to empty a BIO buffer?
2014-09-09 10:46 GMT+02:00 Richard Levitte rich...@levitte.org:

And of course, I noticed this email after sending my own... sorry. :)

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-09 13:14 GMT+02:00 Michael Wojcik michael.woj...@microfocus.com:
> You'd have to include the standard C headers before including the OpenSSL
> ones, outside the namespace, so that their inclusion by the OpenSSL headers
> has no effect.

I did that, but if an openssl header file includes standard C headers that I don't include, then the namespace declaration would affect them too, am I wrong?

> Mind you, I don't think it's worth the effort, for the reasons I outlined
> earlier.

Sure, it was just a vague attempt. And indeed, a lot of functions in OpenSSL are given as macros, so namespaces are of little help.

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-09 17:58 GMT+02:00 Michael Wojcik michael.woj...@microfocus.com:
> > I did that, but if an openssl header file includes standard C headers that
> > I don't include, then the namespace declaration would affect them too, am
> > I wrong?
>
> It shouldn't. The C standard says that the second and subsequent inclusion
> of a standard header has no effect, and I believe the current C++ standard
> inherits that rule. All the implementations I know of (with maybe some
> special exceptions like Splint) implement that with inclusion guards -
> conditional-compilation directives around all the contents of the file.
>
> So if a standard header is included once outside any namespace, then if
> it's included again inside a namespace, it shouldn't declare anything in
> that namespace, because all its contents should be skipped. I believe
> namespaces don't affect macro identifiers, so the guards should work.
>
> I could be wrong about that, though. I haven't tried it myself, and I don't
> know the C++ standard nearly as well as the C one.

Maybe I was not clear, but what I mean is:

- Let's suppose openssl/foo.h has a #include <stdlib.h>.

- In myproject.h I add:

    namespace myproject {
    #include <openssl/foo.h>
    }

- And then in myproject.cpp I write:

    p = (char*)malloc(sizeof(char) * 100);

Would this produce the "malloc not found, maybe you mean 'myproject::malloc'?" error?

PS: Note that I do NOT include stdlib.h in myproject.*.

-- 
Iñaki Baz Castillo
i...@aliax.net
RE: Why does OpenSSL own all the prefixes in the world?
The (bad) idea of using C++ namespaces was just targeted at those integrating OpenSSL into their own C++ projects.

On 09/09/2014 20:39, Larry Bugbee bug...@seanet.com wrote:
> In the FWIW column
>
> Please don't mangle names by forcing C++ namespaces. Some of us call OpenSSL
> from Python (and other dynamic languages) and depend on the C naming
> convention. Adding an OSSL_ prefix is fine; mangling creates huge problems.

-- 
Sent fm iTouch via Boxer
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-08 0:04 GMT+02:00 Kyle Hamilton aerow...@gmail.com:
> To meet the goal of interoperability while enabling an alternate symbolic
> namespace, what would you suggest?

Not a big expert in these subjects, but a workaround coming to my mind is the following:

- Prefix ALL the OpenSSL symbols with the OPENSSL_ prefix.

- Include an m4 replacement in the whole source code of openssl with a compiler --enable-global-prefix option to enable or disable it. This is, when disabled the OPENSSL_ prefix becomes an empty string and nothing changes.

- By default the compiler option is disabled, but the project announces this feature and encourages people to enable it and update their projects.

- At some time the option becomes enabled by default.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-08 1:15 GMT+02:00 Pierre DELAAGE delaage.pie...@free.fr:
> Switch strongly and definitely to C++
> Not for fancy object programming, but for more practical syntaxES for
> things like this.

I do code in C++, but I need some C libraries. Regardless of whether my C++ code is properly namespaced, I don't like to see so many global C symbols in it.

As I said before, in my case I integrate openssl and libsrtp C libraries into my C++ project. It's annoying for me to see that the macro SRTP_PROTECTION_PROFILE (which I need in my project) is defined by openssl rather than libsrtp.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-08 3:52 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
> And how would you do that without breaking compatibility with every program
> (in C, C++ or any other language) that already uses openssl and depends on
> the current API names?
>
> That's the show-stopper rationale.

I expect that old projects relying on OpenSSL should be adapted at some time, otherwise OpenSSL may provide backward compatibility updates (as it does now). But at some point bugs must be fixed and, IMHO, the namespace/prefix pollution of OpenSSL is a bug.

-- 
Iñaki Baz Castillo
i...@aliax.net
How to empty a BIO buffer?
Hi,

I'm trying to avoid a BIO_read() call given that it copies the BIO buffer data into a buffer I must provide to the function. I use a BIO memory pair.

In my case it would be nice if I can get the pointer and length of the current BIO buffer and then tell the BIO to empty/clean it.

So I want to replace this code:

--
int read = BIO_read(sslBioToNetwork, (void*)myBuffer, MY_BUFFER_SIZE);
// Use the read data
--

with something like this:

---
long read;
char** data = (char**)myBuffer;
read = BIO_get_mem_data(sslBioToNetwork, data);
// Empty the BIO buffer data, HOW?
// Use the read data
---

But I do not know how to empty the already read BIO buffer data. BIO_flush() does nothing.

How may I do this?

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: How to empty a BIO buffer?
2014-09-08 14:44 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> --
> int read = BIO_read(sslBioToNetwork, (void*)myBuffer, MY_BUFFER_SIZE);
> // Use the read data
> --
>
> with something like this:
>
> ---
> long read;
> char** data = (char**)myBuffer;
> read = BIO_get_mem_data(sslBioToNetwork, data);
> // Empty the BIO buffer data, HOW?
> // Use the read data
> ---
>
> But I do not know how to empty the already read BIO buffer data.
> BIO_flush() does nothing.

Sorry, BIO_flush() works. The problem is that calling BIO_eof() after BIO_flush() does not return 1 so I get a loop. Updated my code not to check BIO_eof() after BIO_flush().

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: How to empty a BIO buffer?
2014-09-08 16:08 GMT+02:00 Richard Levitte rich...@levitte.org:
> Sorry, BIO_flush() isn't what you want (it doesn't reset the buffer to
> empty), BIO_reset() is.
>
> However, you need to be careful... if I were you, I would use the read
> data before resetting, as BIO_get_mem_data() gives you the pointer to the
> internal BIO_s_mem buffer, not to a duplicate of it.

Thanks, it does work. However... I do not understand how...

This works fine:

---
long read;
// myBuffer is an already allocated buffer.
char** data = (char**)myBuffer;
read = BIO_get_mem_data(bio, data);
// Use data and read values.
BIO_reset(bio);
---

This crashes:

---
long read;
char** data = NULL;
read = BIO_get_mem_data(bio, data);
// Use data and read values.
BIO_reset(bio);
---

Why do I need to provide BIO_get_mem_data() with an already allocated buffer? (I've checked the function and I do not understand what it does.)

The only thing I want is to get the pointer to the BIO's buffer in which SSL_write() wrote. Why should I provide an allocated buffer? The BIO already has a buffer and the data is already in there after calling SSL_write(). Why do I need to pass an allocated buffer?

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: How to empty a BIO buffer?
2014-09-08 18:19 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> This works fine:
>
> ---
> long read;
> // myBuffer is an already allocated buffer.
> char** data = (char**)myBuffer;
> read = BIO_get_mem_data(bio, data);
> // Use data and read values.
> BIO_reset(bio);
> ---

BTW I've realized that it also works by removing the BIO_reset() call. I assume that SSL_write() writes into the BIO and overrides the existing data (and the BIO buffer length gets updated with the most recent written data).

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: How to empty a BIO buffer?
2014-09-08 18:35 GMT+02:00 Kyle Hamilton aerow...@gmail.com:
> The allocated buffer needs to be sizeof(char *). What's happening is the
> address of the buffer (&buffer[0]) gets written to the
> pointer-to-pointer-to-char, data. If data == NULL, you're asking to write
> the address of the buffer to unallocated memory.
>
> It's done this way because the return value of the function is the number
> of valid bytes you can read from that location, and the address must go
> somewhere for you to get the data from it.
>
> I'm sorry this is probably difficult to understand, I don't know if I can
> explain it more easily.

It's clear. And my error was terrible, I was creating a char** data instead of char* data. The following updated code does work:

-
long read;
char* data = NULL;
read = BIO_get_mem_data(bio, &data);
// Use data and read values.
-

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Why does OpenSSL own all the prefixes in the world?
2014-09-08 16:29 GMT+02:00 Salz, Rich rs...@akamai.com:
> The extern C makes it difficult to put things into a namespace. You'd
> either have to write class declarations that used NO public openssl header
> files in their public declaration, or we'd have to change the extern C
> wrappers to be something like
>
>     #if defined(__cplusplus) && !defined(OPENSSL_NAMESPACED_API)

I've tried the

    namespace openssl {
    #include <openssl/*.h>
    }

approach and it has been terrible. I've ended up with compiler error messages like:

    openssl::malloc not found

It makes sense given that the namespace is also affecting any other include within the openssl header file.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Performance related queries for SSL based client server model
2014-09-08 19:46 GMT+02:00 Alok Sharma alokonm...@gmail.com:
> One thing I observed by looking into scp code is that it does not use SSL
> provided APIs (i.e. SSL_Read or SSL_Write) but they use it differently,
> i.e. might be directly calling encryption APIs and writing data to sockets.
> But I don't have much understanding what SSL_Write or SSL_read does
> internally.

It has already been answered above. SSH is not SSL so don't look for SSL_ methods in openssh. That said, AFAIK openssh uses the crypto library from openssl, but that is not SSL/TLS at all.

> So wanted to understand if there is any way to improve performance of
> SSL_Read or SSL_write to achieve high performance.
>
> Following are my client server programmes. Here client writes file on
> server machine in hardcoded location and name.

You have a lot of errors in your program. I suggest that you first properly learn openssl, then measure your code if you need.

-- 
Iñaki Baz Castillo
i...@aliax.net
Why does OpenSSL own all the prefixes in the world?
Hi,

RAND_xxx
CRYPTO_xxx
ERR_xxx
ENGINE_xxx
EVP_xxx
sk_xxx
X509_xxx
BIGNUM_xxx
RSA_xxx
BN_xxx
ASN1_xxx
EC_xxx
etc etc etc.

May I understand why it was decided that OpenSSL can own all the prefixes or namespaces in the world? How is it possible that OpenSSL owns the ERR_ prefix (for example ERR_free_strings() and others)?

OpenSSL is a library. I should be able to integrate OpenSSL into my own code and define my own prefixes without worrying about creating conflicts with the near 200 prefixes that OpenSSL owns.

An example of a well designed C library is libuv [*], in which:

* Public API functions and structs begin with uv_.
* Private API functions begin with uv__.
* Public macros begin with UV_.

That's a good design!

PS: In my project I use both openssl and libsrtp. In which of them do you expect the following macro is defined?: SRTP_PROTECTION_PROFILE

[*] https://github.com/joyent/libuv/

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
It is sad to know that this question will never be answered by the OpenSSL developers.

May I know what I should do? I am not sure whether this is a bug or not; should I report it as a bug? If so, how? The OpenSSL homepage provides NO WAY to report a bug. This project really annoys me.

2014-08-21 19:34 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> Hi,
>
> I've an SSL in DTLS mode. Previously in its SSL_CTX I set the
> SSL_MODE_ENABLE_PARTIAL_WRITE option to enable SSL_write() to return less
> than the given data length.
>
> It does not work. I call SSL_write() by passing very long data (65536) and
> it still returns -1.
>
> So, in case I want to write big data over a DTLS UDP connection, how can I
> do that? I expected that SSL_MODE_ENABLE_PARTIAL_WRITE would work in a way
> that SSL_write() returns a value suitable for a UDP datagram so I send it
> and then call SSL_write() again by passing the following chunk in my data
> buffer.
>
> Is it a bug? or am I missing something?
>
> Thanks a lot.
>
> -- 
> Iñaki Baz Castillo
> i...@aliax.net

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
Found it, and mail sent to r...@openssl.org.

2014-08-31 14:34 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> It is sad to know that this question will never be answered by the OpenSSL
> developers.
>
> May I know what I should do? I am not sure whether this is a bug or not;
> should I report it as a bug? If so, how? The OpenSSL homepage provides NO
> WAY to report a bug. This project really annoys me.
>
> 2014-08-21 19:34 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> > Hi,
> >
> > I've an SSL in DTLS mode. Previously in its SSL_CTX I set the
> > SSL_MODE_ENABLE_PARTIAL_WRITE option to enable SSL_write() to return
> > less than the given data length.
> >
> > It does not work. I call SSL_write() by passing very long data (65536)
> > and it still returns -1.
> >
> > So, in case I want to write big data over a DTLS UDP connection, how can
> > I do that? I expected that SSL_MODE_ENABLE_PARTIAL_WRITE would work in a
> > way that SSL_write() returns a value suitable for a UDP datagram so I
> > send it and then call SSL_write() again by passing the following chunk
> > in my data buffer.
> >
> > Is it a bug? or am I missing something?
> >
> > Thanks a lot.
> >
> > -- 
> > Iñaki Baz Castillo
> > i...@aliax.net
>
> -- 
> Iñaki Baz Castillo
> i...@aliax.net

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
2014-08-22 14:43 GMT+02:00 Brian Hassink brian.hass...@oracle.com:
> We see the same problem with DTLS over SCTP. In our application, there are
> messages as large as 60K, so we are interested in knowing if there is a
> way to send them over DTLS.

I assume you mean SCTP over DTLS. That's a good point. However I do not know too much about SCTP over DTLS. Does it impose a fixed SCTP packet size so it must fit into a UDP datagram?

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
2014-08-22 15:28 GMT+02:00 Brian Hassink brian.hass...@oracle.com:
> I do mean DTLS/SCTP (RFC6083). In our application, we have Diameter
> (RFC6733) traffic which can involve large messages.

OK, got it. In my case it is SCTP over DTLS (WebRTC DataChannel), but the underlying problem is the same (both UDP and SCTP are message based rather than stream based).

It also happens during the DTLS handshake that the SSL_read() of the incoming ClientHello produces all the DTLS responses in a single step, so when I read from the network BIO I get a data buffer containing many DTLS response records all together. They usually fit into a single UDP datagram, but in case they do not I have no idea how to get separate DTLS records in order to send them separately in different UDP datagrams.

-- 
Iñaki Baz Castillo
i...@aliax.net
SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
Hi,

I've an SSL in DTLS mode. Previously in its SSL_CTX I set the SSL_MODE_ENABLE_PARTIAL_WRITE option to enable SSL_write() to return less than the given data length.

It does not work. I call SSL_write() by passing very long data (65536) and it still returns -1.

So, in case I want to write big data over a DTLS UDP connection, how can I do that? I expected that SSL_MODE_ENABLE_PARTIAL_WRITE would work in a way that SSL_write() returns a value suitable for a UDP datagram so I send it and then call SSL_write() again by passing the following chunk in my data buffer.

Is it a bug? or am I missing something?

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
How to know that received data is HelloClient over an already established SSL?
Hi,

I have an established/connected SSL instance acting as server (it is DTLS but I hope that does not matter). In my experiment, at some point the client sends a new HelloClient (which belongs to a new SSL session on the client side).

Since the server just handles a single SSL instance, what happens is that SSL_read() returns SSL_ERROR_WANT_READ and nothing else occurs (there is no data to be sent to the peer in the network_bio).

My question: how could I know that the received data is a HelloClient? I would like to know that because in that case I want to reset my SSL instance at server side.

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
When does SSL_clear() fail after a failed handshake attempt?
Hi,

I'm testing SSL_clear() which is supposed to reset the SSL status to allow a new connection (given that the client will set the same SSL parameters as in the previous handshake). And that is my case, I use the same client script to test this feature in a server.

Scenario:

- client sends DTLS ClientHello.
- server sends ServerHello, Certificate and so on, but the client does not receive it.
- client retransmits and server too.
- client leaves, so the server's SSL gets in an uncompleted state.
- I call SSL_clear() on the server and get this error:
  error:140A4044:SSL routines:SSL_clear:internal error
- client is executed again and sends a new DTLS ClientHello (but same properties).
- The handshake is never completed.

This basically means that SSL_clear() cannot reset the status of the SSL instance if the previous handshake failed, is that true?

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Do I need to call BIO_free(network_bio) or not?
2014-07-18 8:44 GMT+02:00 Thulasi Goriparthi thulasi.goripar...@gmail.com:
> In the example, only internal_bio is set using SSL_set_bio as below.
>
>     SSL_set_bio(ssl, internal_bio, internal_bio);
>
> network_bio is not linked to SSL session. So it has to be freed explicitly.

Sorry, you are right. But is the example ok? Does it really make sense?:

-
BIO *internal_bio, *network_bio;
...
BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
SSL_set_bio(ssl, internal_bio, internal_bio);
-

What is network_bio used for?

Anyhow I still insist that the example is broken:

--
BIO *internal_bio, *network_bio;
BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
--

It should be:

--
BIO *internal_bio, *network_bio;
BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
--

Well, I assume the doc example will NEVER be fixed, am I right?

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Why fprintf(stderr) within a *library*?
Thanks, will do.

2014-07-23 17:09 GMT+02:00 Bodo Moeller bmoel...@acm.org:
> Good point, this doesn't look right; this is not how OpenSSL normally
> reports details. The DTLS code hasn't received the same attention as the
> SSL/TLS code yet, because it's used a lot less. Filing a report to
> r...@openssl.org makes sense -- it doesn't look as if this has been
> reported before.
>
> Bodo

-- 
Iñaki Baz Castillo
i...@aliax.net
Why fprintf(stderr) within a *library*?
Hi,

I've found this in ssl/d1_both.c:

-
int dtls1_retransmit_buffered_messages(SSL *s)
{
    [...]
    for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter))
    {
        frag = (hm_fragment *)item->data;

        if ( dtls1_retransmit_message(s,
             (unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs),
             0, &found) <= 0 && found)
        {
            fprintf(stderr, "dtls1_retransmit_message() failed\n");
            return -1;
        }
    }

    return 1;
}
--

Well, there are 748 calls to fprintf(stderr) in the whole library. Why a fprintf? Please, OpenSSL is a *library*, why should it print errors to stderr at all? Please don't do that.

It happens that, again, OpenSSL is a library so it should not force me how to print errors. In my case I have some custom logger functions that log to stderr (with a *custom* format) or syslog, why does OpenSSL decide by itself how to print errors? How is that supposed to be useful for *my* application? Am I supposed to parse string errors printed to stderr? Of course not.

Would it make sense to send a bug/wish report asking for the removal of all those fprintf calls? (If somebody clarifies to me that it is a WONT FIX I won't spend time on it.)

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Within on_ssl_info callback SSL_RECEIVED_SHUTDOWN flag is not set
Hi,

A server running DTLS in non-blocking accept mode.

* The handshake is properly done.
* The client then sends a close alert.
* When I call SSL_read the on_ssl_info callback is called with where & SSL_CB_ALERT.
* Within the on_ssl_info callback, SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN returns false.
* But after the on_ssl_info callback returns, the same check SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN returns true.

Wouldn't it make sense that the flag is set *before* invoking the on_ssl_info callback so I can handle the full SSL status in the on_ssl_info callback instead of splitting it between the callback and the return code of SSL_read()?

-- 
Iñaki Baz Castillo
i...@aliax.net
Do I need CRYPTO_set_locking_callback if each thread owns a single CTX with SSL_SESS_CACHE_OFF?
Hi,

In case each thread manages a separate SSL_CTX and SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF) is set, do I still need to set CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback?

I've read a lot about this, and I'm aware that locking is needed in case two threads use the same SSL_CTX or in case session cache is used, but what about in my usecase?

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Do I need CRYPTO_set_locking_callback if each thread owns a single CTX with SSL_SESS_CACHE_OFF?
2014-07-22 16:10 GMT+02:00 Dr. Stephen Henson st...@openssl.org:
> In a multithreaded application you should *always* set the callbacks.
> Among other things the error queue uses the locking callback: without
> that you'd get race conditions and bad things will happen.

100% clear. Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Is BUF_MEM in BIO_s_mem automatically freed?
Hi,

The doc [*] says:

    If the BIO_CLOSE flag is set when a memory BIO is freed then the
    underlying BUF_MEM structure is also freed.

The only place to set such a BIO_CLOSE flag is in the c argument in function:

    BIO_set_mem_buf(BIO *b, BUF_MEM *bm, int c)

So, must I understand that, in case I don't set a custom buffer (this is, I do not call BIO_set_mem_buf()), then the internal buffer of my BIO will be freed when I call free(my_bio)?

Thanks a lot.

[*] http://linux.die.net/man/3/bio_s_mem

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Is BUF_MEM in BIO_s_mem automatically freed?
2014-07-19 17:53 GMT+02:00 Matt Caswell m...@openssl.org:
> > So, must I understand that, in case I don't set a custom buffer (this
> > is, I do not call BIO_set_mem_buf()), then the internal buffer of my
> > BIO will be freed when I call free(my_bio)?
>
> You should not call free directly. Instead you should use BIO_free.

Yes sorry, it was a typo in my text.

> As long as you do that and as long as you haven't called BIO_set_close
> with BIO_NOCLOSE (or BIO_set_mem_buf as above), then the internal buffer
> will be freed.

Thanks to both. It is clear now.

Thanks!

-- 
Iñaki Baz Castillo
i...@aliax.net
How to tell SSL_read() to discard app data?
Hi,

In my application OpenSSL is used for establishing DTLS connections but there is no application data (I mean: there should NOT be). This is: just the DTLS handshake is needed (and the use_srtp extension to negotiate a SRTP session key pair).

Anyhow I need to call SSL_read() for the incoming data (stored in a BIO_mem) to be processed and the handshake performed. And thus, I MUST be ready to receive encrypted application data (regardless of the fact that I don't expect it and would just ignore it if received).

How could I tell OpenSSL "do SSL_read but please don't ask me for a buffer to store received application data"?

Of course I could use a static buffer for that purpose. Just wondering.

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
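The four threads above ("How to empty a BIO buffer?", "How to know that received data is HelloClient...", the remark in the SSL_MODE_ENABLE_PARTIAL_WRITE thread that one SSL_read() can leave several DTLS records in the network BIO at once, and "How to tell SSL_read() to discard app data?") all revolve around driving an SSL object through a memory-BIO pair by hand. The following is an added example, not code from any of the list posts or from OpenSSL itself. It uses Python's ssl.MemoryBIO, which wraps an OpenSSL memory BIO (BIO_s_mem), and SSLObject.do_handshake(), which maps onto SSL_do_handshake(), so the same behaviour can be observed without linking C: reading the network BIO empties it, driving the handshake again with no input yields WANT_READ and queues nothing, and the bytes taken out of the BIO can be split into individual records and classified by their headers (TLS 5-byte and DTLS 13-byte record headers). Python's ssl module does not do DTLS, so the DTLS record is a constructed byte string; SERVER_NAME is a placeholder used only to fill SNI, no socket is opened, and all helper names are mine rather than OpenSSL's.

```python
"""Driving an OpenSSL memory-BIO pair by hand (constructed example).

ssl.MemoryBIO wraps BIO_s_mem and SSLObject.do_handshake() wraps
SSL_do_handshake(), so the read/empty/WANT_READ behaviour discussed on
the list can be shown from Python. Helper names are not OpenSSL's.
"""
import ssl

SERVER_NAME = "example.invalid"   # placeholder: only fills SNI, no connection is made

CONTENT_TYPE_HANDSHAKE = 0x16     # TLS/DTLS record content type "handshake"
HANDSHAKE_CLIENT_HELLO = 0x01     # handshake msg_type for ClientHello
TLS_RECORD_HEADER_LEN = 5         # type(1) version(2) length(2)
DTLS_RECORD_HEADER_LEN = 13       # type(1) version(2) epoch(2) seq(6) length(2)

# Constructed DTLS 1.2 record whose body is exactly one 12-byte DTLS handshake
# header (msg_type, length, message_seq, fragment_offset, fragment_length)
# announcing a ClientHello with an empty body.
DTLS_CLIENT_HELLO_SAMPLE = (
    bytes([CONTENT_TYPE_HANDSHAKE, 0xFE, 0xFD])   # type, version DTLS 1.2
    + b"\x00\x00" + b"\x00" * 6                   # epoch 0, sequence 0
    + (12).to_bytes(2, "big")                     # record length
    + bytes([HANDSHAKE_CLIENT_HELLO]) + b"\x00" * 11
)


def start_client_handshake(server_name=SERVER_NAME):
    """Create a TLS client over a memory-BIO pair and run the first handshake
    step. Returns (sslobj, incoming, outgoing); certificate verification is
    left enabled because nothing here ever reaches that stage."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming = ssl.MemoryBIO()    # bytes that arrived from the network
    outgoing = ssl.MemoryBIO()    # bytes the SSL object wants sent
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass   # expected: ClientHello queued in `outgoing`, nothing received yet
    return sslobj, incoming, outgoing


def drain(bio):
    """Take everything out of a memory BIO; the BIO is empty afterwards
    (the BIO_read()/BIO_reset() question from the list)."""
    return bio.read()


def poll_again(sslobj, outgoing):
    """Drive the handshake once more without new input. Returns
    (want_read, bytes_newly_queued); this is the SSL_ERROR_WANT_READ case
    where nothing is produced in the network BIO."""
    before = outgoing.pending
    try:
        sslobj.do_handshake()
        return False, outgoing.pending - before
    except ssl.SSLWantReadError:
        return True, outgoing.pending - before


def split_records(data, dtls=False):
    """Split a buffer read from the network BIO into individual records using
    each record header's length field, so they can be sent as separate
    datagrams. Raises ValueError if the buffer ends mid-record."""
    hdr = DTLS_RECORD_HEADER_LEN if dtls else TLS_RECORD_HEADER_LEN
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < hdr:
            raise ValueError("truncated record header")
        length = int.from_bytes(data[pos + hdr - 2:pos + hdr], "big")
        end = pos + hdr + length
        if end > len(data):
            raise ValueError("truncated record body")
        records.append(data[pos:end])
        pos = end
    return records


def classify_record(data, dtls=False):
    """Return the handshake msg_type of the first record if it is a handshake
    record with a non-empty body, else None."""
    hdr = DTLS_RECORD_HEADER_LEN if dtls else TLS_RECORD_HEADER_LEN
    if len(data) < hdr + 1 or data[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    if int.from_bytes(data[hdr - 2:hdr], "big") == 0:
        return None
    return data[hdr]   # msg_type is the first byte of the handshake header


def is_client_hello(data, dtls=False):
    """True if the first record in `data` carries a ClientHello."""
    return classify_record(data, dtls) == HANDSHAKE_CLIENT_HELLO


if __name__ == "__main__":
    sslobj, _incoming, outgoing = start_client_handshake()
    wire = drain(outgoing)
    print("queued %d bytes, %d record(s), ClientHello=%s, BIO empty=%s"
          % (len(wire), len(split_records(wire)), is_client_hello(wire),
             outgoing.pending == 0))
    print("second handshake step with no input:", poll_again(sslobj, outgoing))
```

On a server, the same header check applied to bytes before they are written into the incoming BIO is how one can tell that a peer has started a fresh handshake on an existing association, which is the decision point for resetting or discarding the session rather than trusting whatever state the old SSL object is in.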
Re: Do I need to call BIO_free(network_bio) or not?
May somebody please answer this question? The documentation is confusing and contradictory, and the issue is important (memory leak or crash if the wrong choice is made).

Thanks.

2014-07-15 14:01 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> Hi,
>
> I'm a bit confused about how to free a BIO pair associated to an SSL.
>
> The doc at https://www.openssl.org/docs/crypto/BIO_s_bio.html clearly says:
>
>     Both halves of a BIO pair should be freed. That is even if one half is
>     implicitly freed due to a BIO_free_all() or SSL_free() call the other
>     half needs to be freed.
>
>     EXAMPLE
>
>     BIO *internal_bio, *network_bio;
>     BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
>     SSL_set_bio(ssl, internal_bio, internal_bio);
>     ...
>     SSL_free(ssl);   /* implicitly frees internal_bio */
>     BIO_free(network_bio);
>
> Is it true that I must call BIO_free(network_bio)? The SSL_free() code
> seems to do it by itself!:
>
> --
> void SSL_free(SSL *s)
> {
>     ...
>     if (s->rbio != NULL)
>         BIO_free_all(s->rbio);
>     if ((s->wbio != NULL) && (s->wbio != s->rbio))
>         BIO_free_all(s->wbio);
> --
>
> In my code I get an obvious crash if I call BIO_free(internal_bio) after
> SSL_free(ssl), but I do NOT get a crash if I call BIO_free(network_bio).
>
> Anyhow in my code I do not use BIO_new_bio_pair() but instead:
>
>     BIO* internal_bio = BIO_new(BIO_s_mem());
>     BIO* network_bio = BIO_new(BIO_s_mem());
>     SSL_set_bio(ssl, internal_bio, network_bio);
>
>     void destroy() {
>         if (ssl) {
>             SSL_free(ssl);
>         }
>         // This does NOT crash but, should I do it or not? leak otherwise?
>         if (write_bio) {
>             BIO_free(write_bio);
>         }
>     }
>
> Thanks a lot.
>
> -- 
> Iñaki Baz Castillo
> i...@aliax.net

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Do I need to call BIO_free(network_bio) or not?
2014-07-17 14:29 GMT+02:00 Dr. Stephen Henson st...@openssl.org:
> Your code doesn't use BIO pairs but the same rule applies. The call to
> SSL_free() will call BIO_free_all on the BIO or BIOs passed to
> SSL_set_bio(): internal_bio and network_bio in this example.

Thanks. Then the example in the documentation is really wrong and may cause a crash, right? I mean the "BIO_free(network_bio);" line at the end.

-- 
Iñaki Baz Castillo
i...@aliax.net
Do I need to call BIO_free(network_bio) or not?
Hi,

I'm a bit confused about how to free a BIO pair associated to an SSL.

The doc at https://www.openssl.org/docs/crypto/BIO_s_bio.html clearly says:

    Both halves of a BIO pair should be freed. That is even if one half is
    implicitly freed due to a BIO_free_all() or SSL_free() call the other
    half needs to be freed.

    EXAMPLE

    BIO *internal_bio, *network_bio;
    BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
    SSL_set_bio(ssl, internal_bio, internal_bio);
    ...
    SSL_free(ssl);   /* implicitly frees internal_bio */
    BIO_free(network_bio);

Is it true that I must call BIO_free(network_bio)? The SSL_free() code seems to do it by itself!:

--
void SSL_free(SSL *s)
{
    ...
    if (s->rbio != NULL)
        BIO_free_all(s->rbio);
    if ((s->wbio != NULL) && (s->wbio != s->rbio))
        BIO_free_all(s->wbio);
--

In my code I get an obvious crash if I call BIO_free(internal_bio) after SSL_free(ssl), but I do NOT get a crash if I call BIO_free(network_bio).

Anyhow in my code I do not use BIO_new_bio_pair() but instead:

    BIO* internal_bio = BIO_new(BIO_s_mem());
    BIO* network_bio = BIO_new(BIO_s_mem());
    SSL_set_bio(ssl, internal_bio, network_bio);

    void destroy() {
        if (ssl) {
            SSL_free(ssl);
        }
        // This does NOT crash but, should I do it or not? leak otherwise?
        if (write_bio) {
            BIO_free(write_bio);
        }
    }

Thanks a lot.

-- 
Iñaki Baz Castillo
i...@aliax.net
Re: Do I need to call BIO_free(network_bio) or not?
Some new comments:

First of all the example in the doc is wrong:

--
BIO *internal_bio, *network_bio;
BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
--

It should be:

--
BIO *internal_bio, *network_bio;
BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
--

Second: I'm now using BIO_new_bio_pair() by following the steps of the doc. If I call BIO_free(network_bio) after SSL_free(ssl) (as the documentation clearly states) then I get a funny crash. So it seems that SSL_free does, in fact, free both BIOs, am I right?

2014-07-15 14:01 GMT+02:00 Iñaki Baz Castillo i...@aliax.net:
> Hi, I'm a bit confused about how to free a BIO pair associated with an SSL.
> The doc at https://www.openssl.org/docs/crypto/BIO_s_bio.html clearly says:
>
>   Both halves of a BIO pair should be freed. That is even if one half is
>   implicit freed due to a BIO_free_all() or SSL_free() call the other half
>   needs to be freed.
>
>   EXAMPLE
>     BIO *internal_bio, *network_bio;
>     BIO_new_bio_pair(internal_bio, 0, network_bio, 0);
>     SSL_set_bio(ssl, internal_bio, internal_bio);
>     ...
>     SSL_free(ssl);                /* implicitly frees internal_bio */
>     BIO_free(network_bio);
>
> Is it true that I must call BIO_free(network_bio)? The SSL_free() code seems
> to do it by itself!:
>
> --
> void SSL_free(SSL *s)
> {
>     ...
>     if (s->rbio != NULL)
>         BIO_free_all(s->rbio);
>     if ((s->wbio != NULL) && (s->wbio != s->rbio))
>         BIO_free_all(s->wbio);
> --
>
> In my code I get an obvious crash if I call BIO_free(internal_bio) after
> SSL_free(ssl), but I do NOT get a crash if I call BIO_free(network_bio).
> Anyhow in my code I do not use BIO_new_bio_pair() but instead:
>
> BIO* internal_bio = BIO_new(BIO_s_mem());
> BIO* network_bio = BIO_new(BIO_s_mem());
> SSL_set_bio(ssl, internal_bio, network_bio);
>
> void destroy() {
>     if (ssl) {
>         SSL_free(ssl);
>     }
>     // This does NOT crash but, should I do it or not? leak otherwise?
>     if (write_bio) {
>         BIO_free(write_bio);
>     }
> }
>
> Thanks a lot.
>
> --
> Iñaki Baz Castillo
> i...@aliax.net

--
Iñaki Baz Castillo
i...@aliax.net
How to get the peer certificate(s) in PEM format
Hi, after the SSL/TLS handshake from a client I want to get the client's certificate(s) in PEM format (so I get a string I can print somewhere). So I do:

X509 *client_cert;
if ((client_cert = SSL_get_peer_certificate(ssl))) {
    /* printf "got cert in PEM format" */
}

Now my question is: how can I get the PEM string of the client's certificate(s)?

Thanks a lot.

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 Iñaki Baz Castillo i...@aliax.net:
> Hi, after the SSL/TLS handshake from a client I want to get the client's
> certificate(s) in PEM format (so I get a string I can print somewhere). So I do:
>
> X509 *client_cert;
> if ((client_cert = SSL_get_peer_certificate(ssl))) {
>     /* printf "got cert in PEM format" */
> }
>
> Now my question is: how can I get the PEM string of the client's certificate(s)?

It's solved, sorry: PEM_write_X509()

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 Jakob Bohm jb-open...@wisemo.com:
> I think the PEM formatting (a line with dashes, the Base64 lines and another
> line with dashes) is currently tied to writing and reading files via the BIO
> layer. So you would have to set up a memory BIO handle, then tell the X509
> routines to save the certificate in PEM format to your memory BIO handle.
>
> Of course if you just want to print it to stdout or another real file handle,
> you could just use a BIO pointing to that file handle.

Thanks, indeed what I need is to store the PEM format in a C string, so I expect that I need to know the length of the resulting PEM format in order to malloc for the char pointer. I will check the memory BIO handle.

Thanks a lot.

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 rober...@mail.uni-paderborn.de:
> well, I think the certificate is coded in base64. so write it to file, run
>
>   openssl base64 -d -in file -out newfile
>
> and read the newfile in. or start parsing it and pipe the output to your
> application.

Well, this is to run within a server application so I cannot write to a file nor use openssl in the command line :)

However I've already got it:

X509 *client_X509;
unsigned char client_PEM_string[10*1024];
size_t client_PEM_string_len = sizeof(client_PEM_string);
BIO *bio;
int res;

if ((client_X509 = SSL_get_peer_certificate(ctx))) {
    bio = BIO_new(BIO_s_mem());
    res = PEM_write_bio_X509(bio, client_X509);
    /* Read at most len - 1 bytes so the terminator always fits in the buffer. */
    res = BIO_read(bio, client_PEM_string, (int)client_PEM_string_len - 1);
    if (res < 0)
        res = 0;
    client_PEM_string[res] = '\0';
    BIO_free(bio);              /* the memory BIO is owned here, so release it */
    X509_free(client_X509);
    printf("CERT:\n%s\n", client_PEM_string);
}

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 Iñaki Baz Castillo i...@aliax.net:
> However I've already got it:
>
> X509 *client_X509;
> unsigned char client_PEM_string[10*1024];
> size_t client_PEM_string_len = sizeof(client_PEM_string);
> BIO *bio;
> int res;
>
> if ((client_X509 = SSL_get_peer_certificate(ctx))) {
>     bio = BIO_new(BIO_s_mem());
>     res = PEM_write_bio_X509(bio, client_X509);
>     /* Read at most len - 1 bytes so the terminator always fits in the buffer. */
>     res = BIO_read(bio, client_PEM_string, (int)client_PEM_string_len - 1);
>     if (res < 0)
>         res = 0;
>     client_PEM_string[res] = '\0';
>     BIO_free(bio);              /* the memory BIO is owned here, so release it */
>     X509_free(client_X509);
>     printf("CERT:\n%s\n", client_PEM_string);
> }

Now I've realized that in case the client presents a chain of public certificates (rather than a single certificate) the function SSL_get_peer_certificate (or maybe the functions PEM_write_bio_X509 or BIO_read) just takes the first certificate in the chain. How could I get all the certificates in the chain together?

I've found:

  STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);

but I don't find the STACK_OF(X509) definition so I don't know what it is.

Thanks for any help.

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 Iñaki Baz Castillo i...@aliax.net:
> Now I've realized that in case the client presents a chain of public
> certificates (rather than a single certificate) the function
> SSL_get_peer_certificate (or maybe the functions PEM_write_bio_X509 or
> BIO_read) just takes the first certificate in the chain. How could I get all
> the certificates in the chain together?
>
> I've found:
>
>   STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
>
> but I don't find the STACK_OF(X509) definition so I don't know what it is.
>
> Thanks for any help.

As far as I see, SSL_get_peer_cert_chain(ssl) never returns NULL, regardless of whether the client presented a single certificate, a certificate + chain of certificates, or no certificate at all. Am I missing something? SSL_get_peer_cert(ssl) does return NULL in case of no client certificate.

Thanks a lot.

--
Iñaki Baz Castillo
i...@aliax.net
Re: How to get the peer certificate(s) in PEM format
2012/2/16 Iñaki Baz Castillo i...@aliax.net:
> As far as I see, SSL_get_peer_cert_chain(ssl) never returns NULL, regardless
> of whether the client presented a single certificate, a certificate + chain
> of certificates, or no certificate at all. Am I missing something?
> SSL_get_peer_cert(ssl) does return NULL in case of no client certificate.

The doc about SSL_get_peer_cert_chain(ssl) must be wrong, sure:

---
RETURN VALUES

The following return values can occur:

NULL
    No certificate was presented by the peer or no connection was
    established or the certificate chain is no longer available when a
    session is reused.

Pointer to a STACKOF(X509)
    The return value points to the certificate chain presented by the peer.
---

That's not true. Regardless of whether there is a peer certificate or not, and regardless of whether there is a peer chain of certificates or not, the function returns a pointer to STACK_OF(X509) (rather than STACKOF). Then I can do sk_X509_num(sk) to get the number of certs in the chain, which can be zero.

--
Iñaki Baz Castillo
i...@aliax.net