[openssl.org #636] Example in man page for BIO_new_bio_pair incorrect?
The example in this man page shows the creation of a BIO pair and then setting them as the I/O BIOs for an SSL object. It states that the internal BIO is implicitly deallocated when SSL_free() is called on the SSL object. This does not appear to be the case. In an application developed using this assumption it was found that the BIO buffer and the internal BIO were leaked. The leak was cleaned up by manually deallocating the internal BIO. Is this an implementation error or a documentation bug?

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #636] Example in man page for BIO_new_bio_pair incorrect?
On Thu, Jun 05, 2003 at 07:52:00PM +0200, via RT wrote:
> The example in this man page shows the creation of a BIO pair and then setting them as the I/O BIOs for an SSL object. It states that the internal BIO is implicitly deallocated when SSL_free() is called on the SSL object. This does not appear to be the case. In an application developed using this assumption it was found that the BIO buffer and the internal BIO were leaked. The leak was cleaned up by manually deallocating the internal BIO. Is this an implementation error or a documentation bug?

Hmm. I wrote the manual page and I am somehow convinced that it is correct. Whenever SSL_free() is called, the underlying BIO is also free()ed. As a BIO pair consists of 2 BIOs, only one BIO is freed automatically, the other one has to be handled by the application. Are you sure that both BIO objects are left after SSL_free()?

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
[openssl.org #637] bug or error in openssl
Hi,

My name is Ram and I work as a programmer at USU, and recently I came across this error on our Apache server, which uses OpenSSL 0.9.7a. It had been working fine since I installed OpenSSL but just stopped working suddenly yesterday. It would be nice if anyone could help me with this. The exact error message:

[Wed Jun 04 13:53:01 2003] [error] mod_ssl: SSL handshake failed (server joey.hsg.usu.edu:443, client 129.123.104.5) (OpenSSL library error follows)
[Wed Jun 04 13:53:01 2003] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Thanks,
Rams
435 757 1797.
Re: Blinding breaks engines?
Hi,

On June 5, 2003 08:03 am, Joe Orton wrote:
> Hi, the changes to enable blinding by default in 0.9.7b appear to break when an ENGINE is in use (for all the ENGINEs I've tested), with an assertion failure:
>
> openssl: bn_lib.c:254: BN_num_bits: Assertion `l != 0' failed.
>
> and backtrace as follows:
>
> #4 0x080b97c7 in BN_num_bits (a=0x81e4fd4) at bn_lib.c:254
> #5 0x080ce940 in ubsec_mod_exp (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0) at hw_ubsec.c:578
> #6 0x080cee37 in ubsec_mod_exp_mont (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0, m_ctx=0x0) at hw_ubsec.c:722
> #7 0x080bf6e6 in RSA_blinding_on (rsa=0x81cdf28, p_ctx=0x81e4fd0) at rsa_lib.c:354
> #8 0x080bd1aa in rsa_eay_blinding (rsa=0x81cdf28, ctx=0x81e4fd0) at rsa_eay.c:202
> #9 0x080bd574 in RSA_eay_private_encrypt (flen=36, etc

I'm surfing this backtrace looking at the HEAD source, so it's possible that 0.9.7b has something different to HEAD that can explain this. Are you able to look through a couple of those stack frames? According to what I see (again, ignoring the faint possibility that 0.9.7b is different), BN_num_bits() should be getting called on the public modulus of the RSA key, and the assertion that is failing there is a sanity check on the BIGNUM data (checking that the (a->top - 1)th BN_ULONG is the most significant word of the array). If this really does fail on every ENGINE but works in software, then something very quirky is going on and disabling blinding will only hide the bug you've found. I think the right solution to this problem is to identify *why* you're seeing what you are, fix it, and then disable blinding on hardware-support implementations anyway. :-)

> As I understand it, blinding is not needed when using a hardware accelerator. So, is the correct fix to set RSA_FLAG_NO_BLINDING on a per-engine basis, for example as below, or is there something more subtle that can be done?
> [snip]

That is the correct way to turn off blinding - but I'd *really* appreciate it if you could dig a little on what you were observing. I don't currently have hardware with which to test this out in the obvious fashion, and I'd like to know what is wrong with rsa->n when using the ENGINEs? (Or is BN_num_bits() being passed something other than rsa->n?)

Cheers,
Geoff
--
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
[openssl.org #638] Example in man page for BIO_new_bio_pair incorrect?
The example in this man page shows the creation of a BIO pair and then setting them as the I/O BIOs for an SSL object. It states that the internal BIO is implicitly deallocated when SSL_free() is called on the SSL object. This does not appear to be the case. In an application developed using this assumption it was found that the BIO buffer and the internal BIO were leaked. The leak was cleaned up by manually deallocating the internal BIO. Is this an implementation error or a documentation bug?
Re: [openssl.org #329] Shared libraries on cross platform
Hi Andy,

I found your old message (shown below) about cross compiling on the internet, because I am also blocked by the same problem when I try to compile a UPnP static library for ARM Linux using the uclibc wrapper around arm-linux-gcc. I am new to Linux and just learning now. Could you let me know in a little more detail how you solved this problem? What is a snapshot here? How do I fetch it? Where is the following code put?

    DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
        my_ld=`gcc -print-prog-name=ld 2>&1` && \
        [ -n $$my_ld ] && \
        $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1

Any advice and help is greatly appreciated. Thanks.

Tim Xu

From: Andy Preston via RT
Subject: Re: [openssl.org #329] Shared libraries on cross platform
Date: Tue, 12 Nov 2002 19:42:45 -0800

On Wed, 2002-11-06 at 15:50, Richard Levitte via RT wrote:
> I assume you're talking about the following, which has a hard-coded call to gcc.
>
>     DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
>         my_ld=`gcc -print-prog-name=ld 2>&1` && \
>         [ -n $$my_ld ] && \
>         $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
>
> I've just committed a change so gcc in the second line is replaced with ${CC}. Does that help?

Sorry to take so long to reply. Using the snapshot from 20021109 it now builds the libraries correctly.

thanks,
Andy Preston
[openssl.org #636] Example in man page for BIO_new_bio_pair incorrect?
> Hmm. I wrote the manual page and I am somehow convinced that it is correct. Whenever SSL_free() is called, the underlying BIO is also free()ed. As a BIO pair consists of 2 BIOs, only one BIO is freed automatically, the other one has to be handled by the application. Are you sure that both BIO objects are left after SSL_free()?
>
> Best regards,
> Lutz

I'm pretty sure that both BIO objects are left after the SSL_free(). I originally implemented the code just like the example in the man page. When we plugged our memory allocation/tracking code into OpenSSL we found several leaks. At that time I was only deallocating the external BIO as per the example. There were several leaks related to the BIO pair. It appeared that the internal BIO and its buffer were being leaked. This leak was cleaned up by adding a call to deallocate the internal BIO. I do not get a segfault or anything to indicate that the block was already deallocated.

To create and set the BIO pair I do the following:

    BIO_new_bio_pair(&ConnInfo->internal_IO, buffsize, &ConnInfo->external_IO, buffsize);
    SSL_set_bio(ConnInfo->ssl, ConnInfo->internal_IO, ConnInfo->internal_IO);

I currently make the following calls every time I clean up an SSL object:

    SSL_free(ConnInfo->ssl);
    BIO_free(ConnInfo->external_IO);
    BIO_free(ConnInfo->internal_IO);   /* added to clean up leak */

Seems very similar to the example except for the deallocation of the internal BIO. The code handles multiple connections; the ConnInfo variable is retrieved from a table of connections when data is read from or written to the SSL object.
AES counter mode
Hello,

I am trying to play with AES crypto in counter mode. Using the crypto library against reference vectors found in the IPsec RFC fails until the incrementation function (AES_ctr128_inc()) is modified in order to get a +1 step instead of a +2^64 step. Where does the actual increment by 2^64 come from?

Thierry Boivin
SSL connection
Hello,

How can I get two independent SSL structures on the same connection?

Lukasz Wójcicki
RE: SSL connection
> Hello, How can I get two independent SSL structures on the same connection?

The glib answer would be "any way you want to". The detailed answer is that there is no standard way to do this, so you can choose any method you wish and do it that way.

One way, for example, would be to prefix each block of encrypted data with which of the two SSL structures it's from/for (say by a 1 or 0 byte) and the length (say, as 4 bytes in network host order). When you receive the blocks, you grab the 5 byte header and figure out which SSL structure to route the next so many bytes from.

DS
Re: SSL connection
> > Hello, How can I get two independent SSL structures on the same connection?
>
> The glib answer would be "any way you want to". The detailed answer is that there is no standard way to do this, so you can choose any method you wish and do it that way.
>
> One way, for example, would be to prefix each block of encrypted data with which of the two SSL structures it's from/for (say by a 1 or 0 byte) and the length (say, as 4 bytes in network host order). When you receive the blocks, you grab the 5 byte header and figure out which SSL structure to route the next so many bytes from.

But I want to get an independent SSL structure even while one SSL connection is still working, at any moment. For example, with sockets it would be enough to exchange descriptors.

Lukasz Wójcicki
e-mail: [EMAIL PROTECTED]
RE: SSL connection
> > > Hello, How can I get two independent SSL structures on the same connection?
> >
> > The glib answer would be "any way you want to". The detailed answer is that there is no standard way to do this, so you can choose any method you wish and do it that way.
> >
> > One way, for example, would be to prefix each block of encrypted data with which of the two SSL structures it's from/for (say by a 1 or 0 byte) and the length (say, as 4 bytes in network host order). When you receive the blocks, you grab the 5 byte header and figure out which SSL structure to route the next so many bytes from.
>
> But I want to get an independent SSL structure even while one SSL connection is still working, at any moment. For example, with sockets it would be enough to exchange descriptors.

So do that then. Seriously, you can do this any way you want to. You may want an explicit acknowledgement, so you'll know the other side got the chunk.

I'd define only a single protocol element. It would contain a sequence number, zero or more bytes of data and a range of sequence numbers to acknowledge. So when you need to send 30 logical bytes of data, you try the first link. If they're not acknowledged in a reasonable amount of time, you send them over the other link. Keep using a link until you time out, switch links every time you time out. If you don't like that scheme, pick another.

You have a choice to layer your multi-link scheme above or below SSL. I think it's easiest to layer above SSL, so you can use the two links just as secure byte streams.

DS
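The framing DS sketches, as an added example in C (not code from the thread or from OpenSSL): each frame is one channel byte, a 4-byte big-endian length and the payload, and the receiver demultiplexes an arbitrarily chunked byte stream into one buffer per channel. It sits below SSL in the sense that what gets framed is the ciphertext each SSL object produces; the hookup to the two SSL objects' network-side BIOs is assumed and not shown, and MUX_CHANNELS, MUX_MAX_FRAME and the hello/world traffic in main() are this example's own choices. The part worth copying is the demuxer's state machine, which has to survive a header split across two read() calls and several frames arriving in one.

```c
/* Added example (not from the thread or OpenSSL): 5-byte framing
 * [chan:1][len:4 big-endian][payload] over one byte stream. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MUX_HDR_LEN   5
#define MUX_CHANNELS  2            /* assumption: one SSL object per channel */
#define MUX_MAX_FRAME (1u << 20)   /* refuse absurd lengths from the peer */

typedef struct {
    unsigned char *data;   /* demultiplexed bytes, NUL-terminated for printing */
    size_t len;
} mux_buf;

typedef struct {
    unsigned char hdr[MUX_HDR_LEN];
    size_t   hdr_have;     /* header bytes collected for the frame in progress */
    uint32_t need;         /* payload bytes still owed to the frame in progress */
    int      chan;         /* channel of the frame in progress */
    mux_buf  out[MUX_CHANNELS];
} mux_demux;

static int buf_append(mux_buf *b, const unsigned char *p, size_t n)
{
    unsigned char *q = realloc(b->data, b->len + n + 1);
    if (q == NULL)
        return -1;
    memcpy(q + b->len, p, n);
    b->len += n;
    q[b->len] = 0;
    b->data = q;
    return 0;
}

/* Sender side: wrap one block of channel `chan` in a frame. Returns a
 * malloc'd buffer of *out_len bytes, or NULL if chan/len are out of range. */
unsigned char *mux_frame(int chan, const unsigned char *payload, uint32_t n,
                         size_t *out_len)
{
    if (chan < 0 || chan >= MUX_CHANNELS || n > MUX_MAX_FRAME)
        return NULL;
    unsigned char *f = malloc(MUX_HDR_LEN + n);
    if (f == NULL)
        return NULL;
    f[0] = (unsigned char)chan;
    f[1] = (unsigned char)(n >> 24);
    f[2] = (unsigned char)(n >> 16);
    f[3] = (unsigned char)(n >> 8);
    f[4] = (unsigned char)n;
    memcpy(f + MUX_HDR_LEN, payload, n);
    *out_len = MUX_HDR_LEN + n;
    return f;
}

void mux_demux_init(mux_demux *d) { memset(d, 0, sizeof *d); }

void mux_demux_free(mux_demux *d)
{
    for (int i = 0; i < MUX_CHANNELS; i++)
        free(d->out[i].data);
    memset(d, 0, sizeof *d);
}

/* Receiver side: feed whatever the socket delivered, in any chunking.
 * Returns 0, or -1 on a malformed header (unknown channel, oversize length)
 * or allocation failure; after -1 the stream cannot be resynchronised. */
int mux_demux_feed(mux_demux *d, const unsigned char *p, size_t n)
{
    while (n > 0) {
        if (d->hdr_have < MUX_HDR_LEN) {          /* still collecting a header */
            d->hdr[d->hdr_have++] = *p++;
            n--;
            if (d->hdr_have == MUX_HDR_LEN) {
                d->chan = d->hdr[0];
                d->need = ((uint32_t)d->hdr[1] << 24) | ((uint32_t)d->hdr[2] << 16)
                        | ((uint32_t)d->hdr[3] << 8)  |  (uint32_t)d->hdr[4];
                if (d->chan >= MUX_CHANNELS || d->need > MUX_MAX_FRAME)
                    return -1;
                if (d->need == 0)                  /* empty frame: nothing to copy */
                    d->hdr_have = 0;
            }
            continue;
        }
        size_t take = n < d->need ? n : d->need;  /* payload, possibly partial */
        if (buf_append(&d->out[d->chan], p, take) < 0)
            return -1;
        p += take;
        n -= take;
        d->need -= (uint32_t)take;
        if (d->need == 0)                          /* frame done: expect a header */
            d->hdr_have = 0;
    }
    return 0;
}

int main(void)
{
    /* Constructed stand-in for two SSL sessions' ciphertext on the wire. */
    size_t l0, l1;
    unsigned char *f0 = mux_frame(0, (const unsigned char *)"hello", 5, &l0);
    unsigned char *f1 = mux_frame(1, (const unsigned char *)"world", 5, &l1);
    mux_demux d;
    mux_demux_init(&d);
    /* Deliver byte by byte to show split headers and payloads are handled. */
    for (size_t i = 0; i < l0; i++) mux_demux_feed(&d, f0 + i, 1);
    for (size_t i = 0; i < l1; i++) mux_demux_feed(&d, f1 + i, 1);
    printf("channel 0: %s\nchannel 1: %s\n",
           (char *)d.out[0].data, (char *)d.out[1].data);
    mux_demux_free(&d);
    free(f0);
    free(f1);
    return 0;
}
```

A receiver should drop the connection on -1 rather than try to resynchronise: once a header is rejected there is no way to tell where the next frame begins, and the length cap is what stops a peer from making the receiver allocate on its behalf.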
[openssl.org #640] bug: Makefile.ssl for do_srv3-shared and do_svr5-shared buggy
Hi,

I have found that the grep $$obj allobjs in Makefile.ssl returns more entries than expected. I am using 0.9.6j. For example, when processing mem.o the grep will return 2 entries: ./crypto/bio/bss_mem.o and ./crypto/mem.o. That way unexpected objects may end up in the dynamic library. The fix I see is to extract the content of the *.a file in a temporary subdirectory and fill the dynamic library with those objects.

Cheers
Jean-frederic
Re: SSL connection
> But I want to get an independent SSL structure even while one SSL connection is still working, at any moment. For example, with sockets it would be enough to exchange descriptors.

You need to put a multiplexing protocol on top of straight TCP. Check out BEEP.

/r$
--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Re: AES counter mode
Thierry Boivin wrote:
> Hello, I am trying to play with AES crypto in counter mode. Using the crypto library against reference vectors found in the IPsec RFC fails until the incrementation function (AES_ctr128_inc()) is modified in order to get a +1 step instead of a +2^64 step. Where does the actual increment by 2^64 come from?

Read the documents on AES counter mode. The counter is a 64-bit counter but the blocksize is 128, and the convention is that the counter is a Big Endian number with only the MSW used. [from Lipmaa, Rogaway & Wagner]

  In the recommended usage scenario, the party encrypting maintains an integer counter, nonce, initially 0, and produces the string ctr as the 128-bit string which encodes the number nonce * 2^64.

Don't ask me *why* it's that way -- the choice of a mere 64 bits is clearly done in order to avoid a well-known attack against stream ciphers, since one can begin to distinguish a stream from random after 2^90 or so samples. Maybe the Big Endian choice is a subtle protest against Wintel?

--
Well, Brahma said, even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred.
- The Mahabharata
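To make the two conventions concrete, an added example in C (not code from OpenSSL's AES_ctr128_inc() or from the posters): both functions treat the 16-byte counter block as one big-endian integer; ctr_inc_upper64() adds 2^64, counting in the top eight bytes only, which is the Lipmaa/Rogaway/Wagner layout quoted above and the step Thierry reports seeing, while ctr_inc_by_one() adds 1 with carry across the whole block. ctr_rfc3686_block() builds the RFC 3686 (AES-CTR for IPsec ESP) layout, nonce[4] || IV[8] || 32-bit block counter starting at 1, so the two steps can be compared on it; the nonce and IV bytes in main() are constructed, not the RFC's test vectors.

```c
/* Added example (not OpenSSL code): two ways to step a 128-bit AES-CTR
 * counter block, both reading the block as one big-endian integer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTR_BLOCK_LEN 16

/* Add 1 to the big-endian integer in buf[0..len-1]. Returns 1 if the value
 * wrapped to zero (carry out of the most significant byte), else 0. */
static int be_increment(unsigned char *buf, size_t len)
{
    size_t i = len;
    while (i-- > 0) {
        if (++buf[i] != 0)
            return 0;          /* no carry out of this byte: done */
    }
    return 1;
}

/* Step = 2^64: only the upper 64-bit word moves. The low 8 bytes are never
 * touched, so a nonce kept there survives any number of steps. */
void ctr_inc_upper64(unsigned char ctr[CTR_BLOCK_LEN])
{
    be_increment(ctr, 8);
}

/* Step = 1 over the whole 128-bit block. A carry out of byte 8 runs into the
 * upper word; with the RFC 3686 layout that needs 2^32 blocks of one packet. */
void ctr_inc_by_one(unsigned char ctr[CTR_BLOCK_LEN])
{
    be_increment(ctr, CTR_BLOCK_LEN);
}

/* RFC 3686 counter block: nonce[4] || IV[8] || block counter, counter = 1. */
void ctr_rfc3686_block(unsigned char out[CTR_BLOCK_LEN],
                       const unsigned char nonce[4], const unsigned char iv[8])
{
    memcpy(out, nonce, 4);
    memcpy(out + 4, iv, 8);
    out[12] = 0; out[13] = 0; out[14] = 0; out[15] = 1;
}

/* Read 8 bytes at p as a big-endian 64-bit integer (used by the checks). */
uint64_t ctr_word(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void dump(const char *label, const unsigned char *ctr)
{
    printf("%-10s", label);
    for (int i = 0; i < CTR_BLOCK_LEN; i++)
        printf("%02x", ctr[i]);
    printf("\n");
}

int main(void)
{
    /* Constructed nonce and IV, not the RFC's test vectors. */
    const unsigned char nonce[4] = {0x01, 0x02, 0x03, 0x04};
    const unsigned char iv[8]    = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
    unsigned char a[CTR_BLOCK_LEN], b[CTR_BLOCK_LEN];

    ctr_rfc3686_block(a, nonce, iv);
    memcpy(b, a, CTR_BLOCK_LEN);
    dump("block 1:", a);
    ctr_inc_upper64(a);           /* moves byte 7, i.e. the IV field */
    dump("+2^64:", a);
    ctr_inc_by_one(b);            /* moves byte 15, the block counter */
    dump("+1:", b);
    return 0;
}
```

With the +1 step the RFC layout advances only its counter field, and with the +2^64 step the counter field never moves while the IV field changes instead, which is why the IPsec vectors fail until the increment is changed. The reverse holds for the nonce * 2^64 layout: there, +1 would run a counter through the bytes reserved for the nonce.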
Re: Blinding breaks engines?
Hi Geoff,

On Thu, Jun 05, 2003 at 03:47:28PM -0400, Geoff Thorpe wrote:
> On June 5, 2003 08:03 am, Joe Orton wrote:
> > Hi, the changes to enable blinding by default in 0.9.7b appear to break when an ENGINE is in use (for all the ENGINEs I've tested), with an assertion failure:
> >
> > openssl: bn_lib.c:254: BN_num_bits: Assertion `l != 0' failed.
> >
> > and backtrace as follows:
> >
> > #4 0x080b97c7 in BN_num_bits (a=0x81e4fd4) at bn_lib.c:254
> > #5 0x080ce940 in ubsec_mod_exp (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0) at hw_ubsec.c:578
> > #6 0x080cee37 in ubsec_mod_exp_mont (r=0x81e4fd4, a=0x81e4fd4, p=0x81cdde8, m=0x81cdfb8, ctx=0x81e4fd0, m_ctx=0x0) at hw_ubsec.c:722
> > #7 0x080bf6e6 in RSA_blinding_on (rsa=0x81cdf28, p_ctx=0x81e4fd0) at rsa_lib.c:354
> > #8 0x080bd1aa in rsa_eay_blinding (rsa=0x81cdf28, ctx=0x81e4fd0) at rsa_eay.c:202
> > #9 0x080bd574 in RSA_eay_private_encrypt (flen=36, etc
>
> I'm surfing this backtrace looking at the HEAD source, so it's possible that 0.9.7b has something different to HEAD that can explain this. Are you able to look through a couple of those stack frames? According to what I see (again, ignoring the faint possibility that 0.9.7b is different), BN_num_bits() should be getting called on the public modulus of the RSA key, and the assertion that is failing there is a sanity check on the BIGNUM data (checking that the (a->top - 1)th BN_ULONG is the most significant word of the array). If this really does fail on every ENGINE but works in software, then something very quirky is going on and disabling blinding will only hide the bug you've found.

Ah, firstly, my apologies, I was out of my tree, I can only get the ubsec engine to fail like this in 0.9.7b. The other engines I've tried with 0.9.7b work fine.

I think Jonathan Hersch has just answered your question about why this fails on openssl-users - does this make sense to you? I don't know why this memset is needed in the first place, though.

His suggested fix below works for me too, without having to set the RSA_FLAG_NO_BLINDING flag.

--- ./hw_ubsec.c.blind Thu Jun 5 12:49:08 2003 +++ ./hw_ubsec.cFri Jun 6 15:32:29 2003 @@ -561,7 +561,6 @@ UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL); return 0; } - memset(r-d, 0, BN_num_bytes(m)); if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) = 0) { fd = 0;
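Review bot: dropping the memset() is right for the aliased call, but the function then has to establish the result's length on its own, and this hunk does not show where that happens. The backtrace earlier in the thread has ubsec_mod_exp() entered from RSA_blinding_on() with r and a at the same address (r=0x81e4fd4, a=0x81e4fd4), so the removed line `memset(r-d, 0, BN_num_bytes(m));` zeroes the input's words before they are read, and the next thing the function does is BN_num_bits(a) on a now-zero top word, which is the `l != 0` assertion. With the zeroing gone, check that the code after the device call sets r->top from the number of bytes the device actually wrote and strips leading zero words; if the memset was there to pad r->d because the device writes fewer than BN_num_bytes(m) bytes, do that padding into a temporary and copy into r afterwards, never into a buffer that may still be the input. Two smaller points: the context line `if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) = 0)` reads as an assignment inside the condition, presumably a `<=` lost in transit, worth confirming against the committed file; and the change should be exercised with r == a and the output compared against the builtin BN_mod_exp() result, since that aliasing case is exactly what the rest of the thread says the interface has to support.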
Re: Blinding breaks engines?
Hi,

On June 6, 2003 10:34 am, Joe Orton wrote:
> Ah, firstly, my apologies, I was out of my tree, I can only get the ubsec engine to fail like this in 0.9.7b. The other engines I've tried with 0.9.7b work fine.

Ah, ok - that seems less uncool then.

> I think Jonathan Hersch has just answered your question about why this

Before I forget - Jonathan, I've just taken a search through the request tracker and I can't find any bug corresponding to this - can you remember anything about the ticket?

> fails on openssl-users - does this make sense to you? I don't know why this memset is needed in the first place, though.
>
> His suggested fix below works for me too, without having to set the RSA_FLAG_NO_BLINDING flag.
>
--- ./hw_ubsec.c.blindThu Jun 5 12:49:08 2003 +++ ./hw_ubsec.c Fri Jun 6 15:32:29 2003
@@ -561,7 +561,6 @@ UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL); return 0; } - memset(r-d, 0, BN_num_bytes(m)); if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) = 0) { fd = 0;

Yeah, I took a scan over this again and can't see why this was needed, though I can certainly see why it's coming unstuck. I think we need to note that BN_mod_exp_*** functions are expected to be robust when the result BIGNUM is also the input BIGNUM, because it is the case sometimes (eg. RSA blinding) and it functions ok with the builtin implementation (which is what essentially defines the interface anyway). Even if blinding is turned off for ubsec and others, that doesn't guarantee that its handlers will never be called with 'r'=='a' again, so I'd like to fix this and get it tested *before* disabling blinding. I'll remove this memset() because it clearly breaks this rule, and if that in turn leaves anything screwy with ubsec (which could be the only explanation for why that memset was there in the first place) then it'll have to be fixed locally to use temporary storage or something.

If either of you are able to run tests on the result, I would be very grateful - I think we should eventually turn off blinding for these ENGINEs but I'd like to check how the resulting code holds up first in case there are other bugs or behavioural problems lurking that might have required the memset in the first place. Should be in CVS shortly, and so the next nightly snapshots too.

Cheers,
Geoff
--
Geoff Thorpe [EMAIL PROTECTED]
http://www.geoffthorpe.net/
a new command in openssl
Hi all,

I have added a new command in openssl, but the problem is that the openssl prompt does not see it. In fact, everything is going well: during the ./config command the directories that I added are configured, and with the make command everything is compiled. Furthermore, progs.h includes the entry associated with my command. However, when I try to execute it I get the error message indicating that it is an invalid command :( Please, anyone who has a suggestion, send it to me. Thank you in advance.