Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
And attached a better patch, with updated documentation and some test data. -Message d'origine- De : openssl-dev [mailto:openssl-dev-boun...@openssl.org] De la part de Michel via RT Envoyé : samedi 26 mars 2016 17:21 Cc : openssl-dev@openssl.org Objet : Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command Hi, Here is an updated patch which prevents 'unstreamable' modes (Wrap only for the moment) to be streamed, while still allowing them to be encrypted or decrypted if the internal buffer size is greater than the total data size. Looks to work just fine to me, but I can still try to improve it if some other issue arises. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted enc-fixes_v2-1.1.0.patch Description: Binary data 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 testwrapstream.cmds Description: Binary data -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
Hi, Here is an updated patch which prevents 'unstreamable' modes (Wrap only for the moment) to be streamed, while still allowing them to be encrypted or decrypted if the internal buffer size is greater than the total data size. Looks to work just fine to me, but I can still try to improve it if some other issue arises. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted enc-fixes_v2-1.1.0.patch Description: Binary data -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
To be sure I understand you well (again, excuse my laborious english), do you think everything will work fine as expected, even using a BIO chain if, for Wrap and CCM modes only, we use a buffer as big as the data size to encrypt (with an upper limit), and we do not loop reading data (lines 604-612), and only work with 'regular' files (disable the use of stdin) ? Michel. -Message d'origine- De : openssl-dev [mailto:openssl-dev-boun...@openssl.org] De la part de Michel via RT Envoyé : vendredi 25 mars 2016 17:49 Cc : openssl-dev@openssl.org Objet : Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command Thank's Steve. So, if I understand you correctly, we can assume that for files whose data size is lower than the buffer size - which we can adjust - it will always work. Right ? If yes, it looks to me still better than not being able to use it at all. And for big files, we could warn about this in the documentation. Can I expect my patch to be applied as this anyway ? Would you prefered I remove the part concerning the wrap mode ? Thanks again for any advice, Regards, Michel -Message d'origine- De : Stephen Henson via RT [mailto:r...@openssl.org] Envoy� : vendredi 25 mars 2016 14:15 � : michel.sa...@free.fr Cc : openssl-dev@openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
Thank's Steve. So, if I understand you correctly, we can assume that for files whose data size is lower than the buffer size - which we can adjust - it will always work. Right ? If yes, it looks to me still better than not being able to use it at all. And for big files, we could warn about this in the documentation. Can I expect my patch to be applied as this anyway ? Would you prefered I remove the part concerning the wrap mode ? Thanks again for any advice, Regards, Michel -Message d'origine- De : Stephen Henson via RT [mailto:r...@openssl.org] Envoyé : vendredi 25 mars 2016 14:15 À : michel.sa...@free.fr Cc : openssl-dev@openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
On Tue Mar 22 21:51:05 2016, michel.sa...@free.fr wrote: > Hi, > > Here attached is some test data files and a patch against today's git repo > to allow for the use of wrap mode using the OpenSSL 'enc' command. > > The 'raw*.dat' files contains the NIST test vectors, and the '*.ok.enc' the > expected encrypted result (base64 encoded with equivalent hexa value). > The testwrap.cmds file is a small Windows script (.bat) with tests commands. > > As mentioned in a previous post, It may not be the best way to achieve this, > in which case I would be happy to learn how to do it better. > The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
> I will make this work with our perl-based test framework. Whao, I will feel like a member of your gang now ! ;-) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
> I will make this work with our perl-based test framework. Whao, I will feel like a member of your gang now ! ;-) -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
> the 3 'raw128*.dec' should be the same as 'raw128.dat' > the 2 'raw192*.dec' should be the same as 'raw192.dat' > and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. And not surprisingly, all the tests pass :) I will make this work with our perl-based test framework. > FYI I will soon report a new/updated patch with other bugs and oddities fixes > for the enc command. > I am still testing them, but in a few hours it should be ready. Open a new ticket. Or better yet a GitHub pull request if you can do that :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
Hi Rich, Thanks for your interest in this matter. the 3 'raw128*.dec' should be the same as 'raw128.dat' the 2 'raw192*.dec' should be the same as 'raw192.dat' and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. FYI I will soon report a new/updated patch with other bugs and oddities fixes for the enc command. I am still testing them, but in a few hours it should be ready. Regards, Michel. -Message d'origine- De : Rich Salz via RT [mailto:r...@openssl.org] Envoyé : jeudi 24 mars 2016 15:53 À : michel.sa...@free.fr Cc : openssl-dev@openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
Hi Rich, Thanks for your interest in this matter. the 3 'raw128*.dec' should be the same as 'raw128.dat' the 2 'raw192*.dec' should be the same as 'raw192.dat' and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. FYI I will soon report a new/updated patch with other bugs and oddities fixes for the enc command. I am still testing them, but in a few hours it should be ready. Regards, Michel. -Message d'origine- De : Rich Salz via RT [mailto:r...@openssl.org] Envoyé : jeudi 24 mars 2016 15:53 À : michel.sa...@free.fr Cc : openssl-dev@openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command
Hi, Here attached is some test data files and a patch against today's git repo to allow for the use of wrap mode using the OpenSSL 'enc' command. The 'raw*.dat' files contains the NIST test vectors, and the '*.ok.enc' the expected encrypted result (base64 encoded with equivalent hexa value). The testwrap.cmds file is a small Windows script (.bat) with tests commands. As mentioned in a previous post, It may not be the best way to achieve this, in which case I would be happy to learn how to do it better. Meanwhile, It is usefull (at least for me :-) to decrypt wrapped symetric keys using OpenSSL 1.1. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted raw128.dat Description: Binary data raw192.dat Description: Binary data raw256.dat Description: Binary data wrap-128-128.ok.enc Description: Binary data wrap-128-192.ok.enc Description: Binary data wrap-128-256.ok.enc Description: Binary data wrap-192-192.ok.enc Description: Binary data wrap-192-256.ok.enc Description: Binary data wrap-256-256.ok.enc Description: Binary data enc-wrap-1.1.0.patch Description: Binary data testwrap.cmds Description: Binary data -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev