[PATCH] ec/ec_pmeth.c: fix unsigned char issue
From: Marcelo Cerri mhce...@linux.vnet.ibm.com In some platforms, such as POWER, char is defined as unsigned. This patch fix a problem when comparing a char to -1. Signed-off-by: Marcelo Cerri mhce...@linux.vnet.ibm.com --- crypto/ec/ec_pmeth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index e477418..933bf43 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -319,7 +319,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: if (p1 == -2) { - if (dctx-cofactor_mode != -1) + if (dctx-cofactor_mode != ((char) -1)) return dctx-cofactor_mode; else { -- 1.8.4.rc3 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
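Review bot: the `((char) -1)` cast only papers over the root cause, which is that the -1 sentinel is stored in a plain `char` field whose signedness is implementation-defined (unsigned on POWER, as the message says, so the original `dctx->cofactor_mode != -1` compares 255 against -1 and is always true). Declaring `cofactor_mode` as `signed char` or `int` in the context structure would fix every comparison against -1 at once, whereas the cast has to be repeated wherever the sentinel is tested. Note also that the unchanged `return dctx->cofactor_mode;` two lines below still returns 255 rather than -1 from the `int` function on unsigned-char targets, so callers that test the return value for -1 see the same platform difference.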
PEAP-TLS session resumption issue with OpenSSL 0.9.8k
Hi,

I am seeing an issue with the OpenSSL 0.9.8k version, in which the client fails PEAP-TLS session resumption when 'fast reconnect' is disabled on the IAS server. The issue is not happening with earlier versions of OpenSSL. Has anybody seen this issue?

The issue happens when the client is establishing a TLS session with the server. The client receives the server hello and immediately responds with the client TLS cert, and the server sends an alert message rejecting the client certificate.

Thanks,
Vani
Code Submission to OpenSSL: A Few Number Theory Functions
                    ,int *jacobi, BN_CTX *ctx);
/* (**targeted for donation to OpenSSL**)
   BN_jacobi() computes the Jacobi symbol of A with respect to N. Hence,
   *jacobi = 1 when the Jacobi symbol is unity and *jacobi = -1 when the
   Jacobi symbol is -1. N must be odd and >= 3. It is required that
   0 <= A < N. When successful 0 is returned. -1 is returned on failure.
   This is an implementation of an iterative version of Algorithm 2.149 on
   page 73 of the book Handbook of Applied Cryptography by Menezes,
   van Oorschot, Vanstone. Note that there is a typo in step 1. Step 1
   should return the value 1. The algorithm has a running time of
   O((lg N)^2) bit operations. */

int BN_chinese_rem_thm(const BIGNUM *g1, const BIGNUM *p,
                       const BIGNUM *g2, const BIGNUM *q,
                       BIGNUM *g, BN_CTX *ctx);
/* (**targeted for donation to OpenSSL**)
   BN_chinese_rem_thm(): This is an implementation of the Chinese Remainder
   Theorem. It Chinese remainders g1 mod p with g2 mod q to get g mod pq.
   It is assumed that gcd(p,q)=1, g1 is in Z_p^* and g2 is in Z_q^*. When
   successful this function returns 0. It returns -1 on failure. This
   algorithm was taken from Kenneth R. Rosen, Elementary Number Theory and
   its Applications, Theorem 8.21 on page 313.
   Note: Code for the Chinese Remainder Theorem could not be found in any of
   the OpenSSL C source files. This could be because in version 2.0 and
   later of PKCS#1, RSA decryption does not use the Chinese Remainder
   Theorem directly. A slightly more efficient algorithm is used. */

int BN_witness(const BIGNUM *a, const BIGNUM *n, const BIGNUM *nminus1,
               const BIGNUM *m, int k, BN_CTX *ctx, BN_MONT_CTX *mont);
/* (**targeted for donation to OpenSSL**)
   BN_witness() assumes that n = (2^k) m + 1 and that m is odd. This
   function also assumes that nminus1 = n-1. It is taken directly from page
   137 of Cryptography Theory and Practice by D. R. Stinson. It performs the
   Miller-Rabin probabilistic primality test on n. It returns the wrong
   answer with probability at most 1/4. It returns 1 if n is composite and
   0 if it is a probable prime. The input a is a candidate witness of
   compositeness.
   This function was written and used in lieu of the static internal
   OpenSSL function witness() defined in bn_prime.c. The reason for this is
   that witness() defines an argument BIGNUM *w without using const for it.
   witness() changes this value, which is a potential witness for
   compositeness. The witness is used explicitly in the ensuing computations
   of the prime power test algorithm, and so Miller-Rabin should not modify
   it. That is why this routine uses the temporary variable b. A witness of
   compositeness is what proves that the number in question is composite,
   and this proof should not be modified by the testing algorithm. */

int test_perfectpower(void);
/* (**targeted for donation to OpenSSL**)
   test_perfectpower() performs some rudimentary tests on the function
   BN_perfectpower(). Just like the OpenSSL BN testing routines, it returns
   1 when successful and 0 on failure. */

int test_jacobi(void);
/* (**targeted for donation to OpenSSL**)
   test_jacobi() performs some rudimentary tests on the function
   BN_jacobi(). It returns 1 when successful and 0 on failure. */

int test_primepower(void);
/* (**targeted for donation to OpenSSL**)
   test_primepower() performs rudimentary tests on BN_primepower(). It
   returns 1 when successful and 0 on failure. */

int test_sqrtmodprime(void);
/* (**targeted for donation to OpenSSL**)
   test_sqrtmodprime() performs rudimentary tests on the function
   BN_sqrtmodprime(). It returns 1 when successful and 0 on failure. */

int test_chinese_rem_thm(void);
/* (**targeted for donation to OpenSSL**)
   test_chinese_rem_thm() performs some rudimentary tests on the function
   BN_chinese_rem_thm(). It returns 1 when successful and 0 on failure. */

int test_core_number_theory_functions(void);
/* (**targeted for donation to OpenSSL**)
   test_core_number_theory_functions tests the five functions:
   BN_perfectpower, BN_primepower, BN_jacobi, BN_chinese_rem_thm, and
   BN_sqrtmodprime. It prints the results to stdio. It returns 1 when
   successful and 0 on failure. The OpenSSL BN test functions return 1 on
   success and 0 on failure. */

/* ---Below are the Library Routines */

int main(int argc, char **argv)
{
    int i, retval;

    /* run the whole test suite 25 times; stop at the first failure */
    for (i = 0; i < 25; i++) {
        retval = test_core_number_theory_functions();
        if (retval == 0)
            break;
    }
    return 0;
}

int BN_sqrtmodprime(BIGNUM *x, int *hasroot, const BIGNUM *a,
                    const BIGNUM *p, BN_CTX *ctx)
{
    int i, jacobi, error = 0;
    BIGNUM *two, *tmp2, *tmp, *minus1, *n, *s, *z, *b, *m;
    BIGNUM *rminusm, *rminusmminus1, *pminus1, *r, *y;

    /* (**targeted for donation to OpenSSL**)
       On successful completion, BN_sqrtmodprime() returns hasroot = 1 if a
       is a quadratic residue mod p, and 0 otherwise. The value -1 is
       returned if an error occurs. It is required that 1 <= a < p, and
       p >= 2. If hasroot = 1, a square root of a is returned in x. It is
       assumed that p is prime. This is a Monte-Carlo
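The three routines whose contracts the header above spells out (BN_jacobi, BN_chinese_rem_thm and BN_sqrtmodprime) are short enough to show in full. The following is an added illustration, not the submitter's code and not OpenSSL's BN API: it uses plain Python integers in place of BIGNUMs, keeps the same input contracts (odd n >= 3 and 0 <= a < n for the Jacobi symbol, gcd(p, q) = 1 for the CRT, odd prime p for the square root), and returns (hasroot, x) where the C version fills *hasroot and x. The Jacobi loop is the iterative HAC 2.149 form; the square root is Tonelli-Shanks, whose only random step (finding a quadratic non-residue) is the Monte-Carlo element the comment refers to. Sample values in the usage note are constructed.

```python
import random


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n >= 3 and 0 <= a < n, iterative form of
    HAC Algorithm 2.149. Returns 1 or -1, and 0 when gcd(a, n) != 1."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and >= 3")
    if not 0 <= a < n:
        raise ValueError("need 0 <= a < n")
    result = 1
    while a != 0:
        # strip factors of two: (2/n) = -1 exactly when n = 3 or 5 (mod 8)
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        # quadratic reciprocity: swap, and flip the sign if both are 3 (mod 4)
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    # the loop ends with n = gcd(original a, original n); 1 means coprime
    return result if n == 1 else 0


def crt(g1: int, p: int, g2: int, q: int) -> int:
    """Combine g1 mod p and g2 mod q into g mod pq, assuming gcd(p, q) = 1,
    using the explicit formula of Rosen, Theorem 8.21."""
    qinv = pow(q, -1, p)  # modular inverse (Python 3.8+)
    pinv = pow(p, -1, q)
    return (g1 * q * qinv + g2 * p * pinv) % (p * q)


def sqrt_mod_prime(a: int, p: int):
    """Return (hasroot, x): hasroot is 1 when a is a quadratic residue mod
    the prime p (then x*x == a mod p), else 0 with x = None.
    Tonelli-Shanks; p is assumed prime, as in the posted routine."""
    if p == 2:
        return 1, a % 2
    a %= p
    if a == 0:
        return 1, 0
    if jacobi(a, p) != 1:
        return 0, None
    # write p - 1 = 2^s * m with m odd
    m, s = p - 1, 0
    while m % 2 == 0:
        m //= 2
        s += 1
    # Monte-Carlo step: pick random candidates until one is a non-residue
    z = 2
    while jacobi(z, p) != -1:
        z = random.randrange(2, p)
    c = pow(z, m, p)
    x = pow(a, (m + 1) // 2, p)
    t = pow(a, m, p)
    r = s
    while t != 1:
        # least i with t^(2^i) == 1
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (r - i - 1), p)
        x = x * b % p
        c = b * b % p
        t = t * c % p
        r = i
    return 1, x


if __name__ == "__main__":
    # constructed sample inputs
    print(jacobi(2, 7), jacobi(3, 7))      # 1 -1
    print(crt(2, 3, 3, 5))                 # 8  (8 = 2 mod 3, 8 = 3 mod 5)
    print(sqrt_mod_prime(10, 13))          # (1, 6) or (1, 7)
```

The `jacobi` result can be cross-checked against Euler's criterion for a prime modulus (pow(a, (p-1)//2, p) is 1 for residues and p-1 otherwise), which is exactly the kind of check the posted test_jacobi() describes.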
Re: [openssl.org #86] Bug in RSA_check_key
From: Geoff Thorpe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [openssl.org #86] Bug in RSA_check_key
Date: Thu, 20 Jun 2002 15:02:36 -0400 (EDT)

> .
> *Maybe* ... but even then it doesn't solve the case of public keys.
> Moreover, how do you actually test a public key? What does check actually
> mean in this case?
> .
> Cheers,
> Geoff

I would suggest the following for checking RSA public keys:

1) that the public exponent e satisfies 3 <= e < n and that e is odd (PKCS#1) [this doesn't prevent low exponent attacks however]
2) that the modulus n is not a probable prime (e.g., apply 80 rounds of Miller-Rabin)
3) that n is not divisible by small primes
4) that n is not a perfect power
5) that n provides a suitable setting for the factoring problem (e.g., |n| >= 512 bits or 768 bits, etc.), and give a warning if it is not.

I am working on some code which I hope to donate to OpenSSL that accomplishes (4) and more...

Adam Young
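The five checks listed in the reply above, plus the Miller-Rabin witness and perfect-power routines the "Code Submission" post describes, fit in one short checker. This is an added example, not code from either post and not OpenSSL's RSA_check_key(): it works on Python integers rather than BIGNUMs, uses the 80 Miller-Rabin rounds the post names, and treats the minimum modulus size as a warning rather than a hard failure, as suggested. The small-prime bound (2000) and the default 1024-bit threshold are this example's own choices; the sample moduli in the usage note are constructed from two known primes.

```python
import random

SMALL_PRIME_BOUND = 2000  # trial-division bound, chosen for this example


def _small_primes(bound: int) -> list:
    """Sieve of Eratosthenes up to bound (inclusive)."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, flag in enumerate(sieve) if flag]


SMALL_PRIMES = _small_primes(SMALL_PRIME_BOUND)


def miller_rabin_witness(a: int, n: int) -> bool:
    """True when a proves the odd integer n >= 3 composite (n = 2^k m + 1,
    m odd). The candidate witness a is never modified, which is the point
    the submission post makes about OpenSSL's internal witness()."""
    m, k = n - 1, 0
    while m % 2 == 0:
        m //= 2
        k += 1
    b = pow(a, m, n)
    if b == 1 or b == n - 1:
        return False
    for _ in range(k - 1):
        b = b * b % n
        if b == n - 1:
            return False
    return True


def is_probable_prime(n: int, rounds: int = 80) -> bool:
    """Trial division by the small primes, then `rounds` Miller-Rabin rounds
    with random bases (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        if miller_rabin_witness(a, n):
            return False
    return True


def iroot(n: int, k: int) -> int:
    """Largest r with r**k <= n, by binary search on the bit length."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n: int) -> bool:
    """True when n = r^k for some r > 1 and k >= 2 (check 4 in the post)."""
    for k in range(2, n.bit_length() + 1):
        r = iroot(n, k)
        if r > 1 and r ** k == n:
            return True
    return False


def check_rsa_public_key(n: int, e: int, min_bits: int = 1024,
                         rounds: int = 80) -> dict:
    """Apply the five checks from the post. Hard failures go to 'problems',
    the size check (5) to 'warnings', mirroring the post's suggestion."""
    problems, warnings = [], []
    if e % 2 == 0 or not 3 <= e < n:                # check 1
        problems.append("e-out-of-range")
    if any(n % p == 0 for p in SMALL_PRIMES):       # check 3
        problems.append("n-small-factor")
    elif is_probable_prime(n, rounds):               # check 2
        problems.append("n-probable-prime")
    if is_perfect_power(n):                          # check 4
        problems.append("n-perfect-power")
    if n.bit_length() < min_bits:                    # check 5
        warnings.append("n-only-%d-bits" % n.bit_length())
    return {"ok": not problems, "problems": problems, "warnings": warnings}


if __name__ == "__main__":
    # constructed toy modulus from the primes 65537 and 1000003
    print(check_rsa_public_key(65537 * 1000003, 65537))
    print(check_rsa_public_key(1000003 ** 2, 65537))
```

Trial division runs before Miller-Rabin so that a modulus with an obvious small factor is rejected without the 80 modular exponentiations; a modulus that passes every hard check but is below `min_bits` is reported as usable with a warning, which is the behaviour the post asks for in item 5.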
Possible bug in openssl 0.9.6b
I think I found a bug in "openssl base64". When decoding an encoded base64 stream which contains 0A, the value 0D is inserted before the 0A in the output base64-decoded stream. This seems like a carriage return insertion problem.

This was found when I took a .p12 file that had a 1024 bit RSA public key in it which contained 0A in it. I converted the file to a .pem file using -nodes. I then extracted the base64 private key portion, and used "openssl base64" to decode this portion. This was where I noticed the different public key (containing the CR=0x0D). However, going straight to a .pem and back to a .p12 doesn't change the public key, so the same code is not being used. If this were the case, it most certainly would have shown up in the openssl test scripts, since a 1024 bit modulus is 128 bytes, and 0A shows up with probability about 1 in every 256 RSA modulus bytes.

I used the program base64.exe from http://www.fourmilab.ch/webtools/base64/base64.zip and it decodes the public modulus just fine. So the problem is not in the base64 encoding implementation. Could this be an ANSI C cooked mode write to stdout?? I hope this helps.

Adam Young
Lead Systems Engineer
Lockheed Martin
Re: Export version of openssl
This is not quite openssl related, but since I'll probably borrow code from it, here it goes... I'm planning to write a disk-level or partition-level encryption routine. I worry about known-plaintext attacks (encrypting every 512-byte block with RC4 and a fixed init state is probably not smart). In your opinion which is the best symmetric algorithm I can use, considering security and performance?
Re: Can't compile without all ciphers
Bodo Moeller wrote:
> crypto/buildinf.h does not exist at that stage ... this should help (patch for crypto/Makefile.ssl):

I visually explored the three files you suggested to patch and saw all changes are already on the repository. So I started again:

1) ./config --prefix=/usr no-asm no-bf no-cast no-des no-dh no-dsa no-hmac no-md2 no-mdc2 no-rc2 no-rc5 no-sha
2) make depend
3) make DIRS=crypto

The first two commands work ok; when I try the third one I get this:

making all in crypto...
make[1]: Entering directory `/home/jcastro/openssl/work/crypto'
make[1]: *** No rule to make target `all'.  Stop.
make[1]: Leaving directory `/home/jcastro/openssl/work/crypto'
make: *** [all] Error 1

And yes, there is a Makefile pointing to Makefile.ssl in the crypto directory.

Cya,
Re: Can't compile without all ciphers
Bodo Moeller wrote:
> Juan Carlos Castro y Castro [EMAIL PROTECTED]:
>> I'm in sync with the CVS tree. I'm trying to compile OpenSSL with ./configure no-asm no-dh no-bf no-many other ciphers
>> make[2]: *** No rule to make target `../../include/openssl/dh.h', needed by `rsa_sign.o'.  Stop.
>> make[2]: Leaving directory `/home/jcastro/openssl/work/crypto/rsa'
>
> This is a make error message, not a compiler error message. Apparently you not only excluded Diffie-Hellman by using the no-dh option, but also deleted its source code directory (if the ../../include/openssl/dh.h file existed -- the include/openssl directory actually just has a symbolic link to the real (non-)file dh.h --, make would not look for a rule for creating it).
>
> By running "make depend" after configuring the source you can update the Makefiles to reference only those files that your configuration actually needs. Or just activate the commented-out line
>
> ### (system 'make depend') == 0 or exit $? if $depflags ne "";
>
> in Configure. (It's commented out for two reasons: On some platforms, make depend does not work with the available standard tools; and if you use "cvs diff" in a checked-out directory where you've excluded ciphers and run "make depend", you get huge deltas that are not really informative.)

Thanks man! I'll try that. So if I want to generate meaningful diffs after that should I do a "make clean" or something? Or just a "cvs up" will do?
Re: Can't compile without all ciphers
Juan Carlos Castro y Castro wrote:
> Bodo Moeller wrote:
>> By running "make depend" after configuring the source you can update the Makefiles to reference only those files that your configuration actually needs. Or just activate the commented-out line
>>
>> ### (system 'make depend') == 0 or exit $? if $depflags ne "";
>>
>> in Configure. (It's commented out for two reasons: On some platforms, make depend does not work with the available standard tools; and if you use "cvs diff" in a checked-out directory where you've excluded ciphers and run "make depend", you get huge deltas that are not really informative.)
>
> Thanks man! I'll try that. So if I want to generate meaningful diffs after that should I do a "make clean" or something? Or just a "cvs up" will do?

Well, here's what happened:

1) I started with a clean, just-checked-out tree.
2) ./config --prefix=/usr no-asm no-bf no-cast no-des no-dh no-dsa no-hmac no-md2 no-mdc2 no-rc2 no-rc5 no-sha
3) The output of the previous command is in makedepend.out.gz. I got lots of warnings about cipher.h missing, but the first one is about some "buildinf.h" which worries me. Well, let's go to "make".
4) Yikes! No make! All I got is this:

making all in crypto...
make[1]: Entering directory `/home/jcastro/openssl/work/crypto'
make[1]: *** No rule to make target `all'.  Stop.
make[1]: Leaving directory `/home/jcastro/openssl/work/crypto'
make: *** [all] Error 1

Aw-right, what did I do wrong now? :(

makedepend.out.gz
Can't compile without all ciphers
I'm in sync with the CVS tree. I'm trying to compile OpenSSL with ./configure no-asm no-dh no-bf no-many other ciphers

It seems somewhere in the code there are #includes which are not surrounded by the proper NO_XXX check, because I get the following: (If I include bf, the error happens again with cast. If I include cast, it happens with des. And on and on.)

make[2]: *** No rule to make target `../../include/openssl/dh.h', needed by `rsa_sign.o'.  Stop.
make[2]: Leaving directory `/home/jcastro/openssl/work/crypto/rsa'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/home/jcastro/openssl/work/crypto'
make: *** [all] Error 1
No X509
I need to implement a poor man's SSL client which ignores the server certificate. I want to get rid of everything x509-related in the sources. Can someone please give me some directions as to where do I apply the scalpel first?

Thanx,
Re: Cypher Suites supported (more) (some more)
Theodore Hope wrote:
>> I'll elaborate on my previous post. What I want is to implement a poor man's SSL client which doesn't know what a certificate is but is capable of connecting to any secure Web server out there (Apache, IIS, Netscape). I see it has to support Diffie-Hellman, Triple-DES and SHA1 (goodbye to RC4 and MD5). Is it correct?
>
> What about "s_client"? I use the SSLeay s_client (haven't moved up to openssl yet!) to connect to ssl web servers; it dumps the cert that the server sends, and ignores it. After that you can do sophisticated things like "HEAD / HTTP/1.0\n\n" ;-)

Ok, there's a little detail I forgot to mention: the thing I'm programming for is a specialized machine, not a PC. I don't have anything even remotely resembling Unix. It's a custom OS, the PC is only for development. I do have TCP/IP connectivity and a BSD Sockets C interface, though.

I tried to compile OpenSSL in its entirety for the new platform (or at least the interesting ciphersuites, like RSA, MD5, RC4). But I couldn't do that without including things like asn1 and x509. The compiler coughed at the size of some sources (it's DOS-based :( ).

Now I researched and learned (correct me if I'm wrong please) that I can't ignore the server certificate if I'm using RSA as the key exchanger. I'll have to use DH if I want a "thin" SSL client.

Another thing: I used "openssl s_client -connect XXX:xx -cipher NNN" against an Apache/OpenSSL I installed myself (with the default options). It refuses any cipher that has DH in it. I don't want my thin client not to be able to connect to the vast majority of the https servers out there. Also, I don't want to mess with the certificate data sent by the server (for the planned applications, it's O.K. to ignore it altogether). I don't want to deal with ASN1 more than strictly necessary, either.

Do I want too much? Can somebody shed some light on this subject?

L8R,
Dismemberment in progress, Herr Doktor!
Well, I finally was able to build a subset of OpenSSL with only RSA encryption (no communications, just an encryption library). In addition to Bignumbers and Random, I had to throw a few things in, e.g. MD5 for random number generation and lotsa things from ASN1 (What's ASN1?). The complete list of .c's I had to include in the build is as follows:

a_bitstr.c a_bytes.c a_enum.c a_gentm.c a_int.c a_object.c a_octet.c a_print.c a_set.c a_type.c a_utctm.c a_utf8.c a_vis.c asn1_lib.c bio_lib.c bn_add.c bn_asm.c bn_blind.c bn_comba.c bn_div.c bn_err.c bn_exp.c bn_exp2.c bn_gcd.c bn_lib.c bn_mont.c bn_mpi.c bn_mul.c bn_prime.c bn_print.c bn_rand.c bn_recp.c bn_shift.c bn_sqr.c bn_word.c bss_file.c buffer.c cryptlib.c err.c ex_data.c lhash.c md5_dgst.c md5_one.c md_rand.c mem.c obj_dat.c obj_lib.c rand_lib.c rsa_eay.c rsa_err.c rsa_gen.c rsa_lib.c rsa_none.c rsa_pk1.c rsa_sign.c rsa_ssl.c stack.c x_algor.c x_sig.c

Is there something else I could get rid of? I was able to exclude the SHA modules by defining NO_SHA and NO_SHA1.
bn_m.c
What's the function of the bn_m.c module? It calls BN_mul() with a wrong number of parameters. It's a recursive routine, but I couldn't figure out what it's supposed to do.