PKCS1_MGF1 bad implementation?

2006-10-20 Thread Jiyong Xu
Hi,

The PKCS#1 v2.1 document shows the steps needed to implement MGF1 in section B.2.1. I don't think that the 'PKCS1_MGF1' function in rsa_oaep.c was properly implemented. Step #3 of that section says 'For counter from 0 to \lceil{l / hLen}\rceil-1, do the following...'

But in 'PKCS1_MGF1', they just wrote:

for (i = 0; outlen < len; i++) {...}

The 'len' variable is the mask length, which according to the document should be the mask length divided by the seed length and then subtract one.

I think the loop should be something like this:

for (i = 0; outlen < len/seedlen - 1; i++)
{...}
I hope my question was clearly expressed here, and I want your help, any help.


Re: PKCS1_MGF1 bad implementation?

2006-10-20 Thread Jiyong Xu
Sorry, I should take more time on code reading. The implementation is perfect.

On 10/20/06, Jiyong Xu [EMAIL PROTECTED] wrote:
> Hi,
>
> The PKCS#1 v2.1 document shows the steps needed to implement MGF1 in section
> B.2.1. I don't think that the 'PKCS1_MGF1' function in rsa_oaep.c was properly implemented. Step #3 of that section says 'For counter from 0 to \lceil{l / hLen}\rceil-1, do the following...'
>
> But in 'PKCS1_MGF1', they just wrote:
>
> for (i = 0; outlen < len; i++) {...}
>
> The 'len' variable is the mask length, which according to the document should be the mask length divided by the seed length and then subtract one.
>
> I think the loop should be something like this:
>
> for (i = 0; outlen < len/seedlen - 1; i++)
> {...}
>
> I hope my question was clearly expressed here, and I want your help, any help.
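The MGF1 procedure from PKCS#1 v2.1 appendix B.2.1, written out as an added Python example (mine, not the code in OpenSSL's rsa_oaep.c). It places the counter loop of step 3 beside the "stop when the output length reaches the mask length" loop shape the first post questioned, and shows that both produce the same mask because the second also runs its body exactly ceil(maskLen / hLen) times, which is what the follow-up concedes. The function names and the seed value are constructed for the example.

```python
import hashlib
import math


def mgf1(seed: bytes, mask_len: int, hash_name: str = "sha1") -> bytes:
    """MGF1 as written in PKCS#1 v2.1, appendix B.2.1.

    Step 3 runs counter from 0 to ceil(maskLen / hLen) - 1, appending
    Hash(mgfSeed || C) to T for each value, with C = I2OSP(counter, 4).
    Step 4 returns the leading maskLen octets of T.
    """
    h_len = hashlib.new(hash_name).digest_size
    if mask_len > (1 << 32) * h_len:
        raise ValueError("mask too long")                  # step 1
    t = bytearray()                                        # step 2
    for counter in range(math.ceil(mask_len / h_len)):    # step 3
        c = counter.to_bytes(4, "big")                     # 3a: I2OSP(counter, 4)
        t += hashlib.new(hash_name, seed + c).digest()     # 3b: T = T || Hash(seed || C)
    return bytes(t[:mask_len])                             # step 4


def mgf1_by_output_length(seed: bytes, mask_len: int, hash_name: str = "sha1") -> bytes:
    """The loop shape the poster questioned: track the octets produced so far
    and stop once they reach the mask length. The body runs exactly
    ceil(maskLen / hLen) times, so the mask is identical to mgf1()'s."""
    h_len = hashlib.new(hash_name).digest_size
    out, counter = bytearray(), 0
    while len(out) < mask_len:
        c = counter.to_bytes(4, "big")
        digest = hashlib.new(hash_name, seed + c).digest()
        out += digest[:mask_len - len(out)]    # final block may be partial
        counter += 1
    return bytes(out)


def mgf1_iterations(mask_len: int, h_len: int) -> int:
    """Hash invocations MGF1 performs: ceil(maskLen / hLen), not
    maskLen / hLen - 1 as the first post suggested."""
    return math.ceil(mask_len / h_len)


if __name__ == "__main__":
    seed = b"constructed example seed"                     # constructed value
    for n in (1, 19, 20, 21, 64, 107):
        assert mgf1(seed, n) == mgf1_by_output_length(seed, n)
        print(f"maskLen={n:3d} iterations={mgf1_iterations(n, 20)} mask={mgf1(seed, n).hex()}")
```

The outlen-driven loop is the idiomatic C shape because it needs no ceiling division; the counter value fed to the hash is what must match the specification, and both loops feed 0, 1, 2, ... in that order.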




Re: openssl-valgrind-errors...

2006-10-20 Thread Bruce Stephens
Anand Vasudevan [EMAIL PROTECTED] writes:

> Hi, am using libcurl(ver 7.15.4) which uses openssl libraries. When I
> ran my application with valgrind-3.1.0 in Fedora core 5, I observed
> some valgrind errors coming from open ssl library..any inputs?  pls
> find the attached for the errors..

You probably want to build with -DPURIFY.

[...]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Multithreading problem

2006-10-20 Thread Dinh, Thao V CIV B32-Branch
I am very, very new to openssl. There is a good example (Example 5-16,
Network Security with OpenSSL book) for using nonblocking openssl. It
is easy to understand. It uses one thread to handle 2 nonblocking
sockets. You may have to modify it to handle multithreading. At least you
have an example to follow. I am trying to modify this example, so one
openssl socket is handled by one thread using select (native API) to
monitor the socket.

Thao Dinh  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Thursday, October 19, 2006 20:54
To: openssl-users@openssl.org
Subject: RE: Multithreading problem


> This problem was raised on this mailing list many times, but the clear
> solution (in my opinion) was not given. From OpenSSL FAQ:
> ...an SSL connection may not concurrently be used by multiple
> threads... This means that I can't have 2 threads, one reading and one
> writing at the same time from the same socket. My application is a basic
> Jabber communicator (messenger). I should constantly listen on the socket
> for incoming messages and at the same time send messages written by
> me. (This is not a communication model like for example in http:
> request, response, request, response, etc.)
> If I use a simple TCP connection I create 2 threads, one reading, one
> writing. This is simple, fast and correct. (Reading and writing are
> blocking.)

Actually, it's extremely complicated. For example, what do you do if you
call 'write' and it doesn't return in a reasonable amount of time?

> But when I have an SSL connection this is much more complicated. I'm
> using Delphi and Indy components. There are suggestions on the mailing list
> that concurrent socket usage can be avoided by creating a non-blocking
> socket and a mutex, which is locked when any thread is using the socket. But
> a non-blocking socket is more complex to implement and forces me to not
> use the Indy component, since Indy components are designed to work only in
> blocking mode (for TCP sockets this is a correct design; I've read that
> Indy 10 has an option in the core to work in non-blocking mode but I don't
> know if this option is exposed to the user the same way as in the socket API
> (maybe it was added for other purposes), but I have Indy 9 and don't
> want to upgrade). So using nonblocking sockets forces me to implement
> everything in the native socket API, using the OpenSSL API (currently Indy
> does it internally) and deal with the additional complexity of
> nonblocking sockets.

Doesn't this kind of prove that your assumption (that non-blocking
sockets are more complicated) is wrong? Look at all the craziness you
have to go through to get blocking sockets to work right.
 
> Is there any OpenSSL function similar to the socket API 'select'
> (SSL_select)? If yes, then I can use blocking sockets. One thread
> is waiting in a blocking SSL_select for incoming messages. If a message
> comes then this thread will try to acquire the mutex and then carry
> out a blocking SSL_read which will not block because there is a message on
> the socket. I can't do this with the socket API 'select' because it signals
> any data on the socket, not exactly data on which SSL_read will not block
> (TLS renegotiation or something like this). I hope you know what I
> mean.
> (I have tried SSL_pending but it returns 0 even if there is data
> on the socket.)

You cannot use 'select' with blocking sockets. If you do, and your
'write' blocks (say because only a few bytes could be written at that
instant), you won't be able to call 'read'.

> Any suggestions? Can someone help me with this?

If you want to use blocking sockets, you can. Just use BIO pairs. You
would then have one thread that asks OpenSSL if it has any data that
needs to be written; if so, you grab it from OpenSSL (using non-blocking
operations), then block on the socket while you write it. You can keep a
thread blocked on 'read' and when you get any data from the socket, you
hand it to OpenSSL. Protect the whole BIO pair assembly with a mutex,
which you only hold while you enter the non-blocking OpenSSL logic.

So it works like this:

1) When you want to write plaintext data to the SSL layer, grab the SSL
mutex, call a non-blocking write function. If you don't write it all,
release the mutex and block on the SSL condition variable. If you make
any forward progress, broadcast the condition variable.

2) When you want to read plaintext data from the SSL layer, grab the SSL
mutex, call a non-blocking read function. If you get no data, release
the mutex and block on the condition variable. If you make any forward
progress, broadcast the condition variable.

3) In your read thread, when you get data from the socket, grab the SSL
mutex, give the data to a non-blocking write function on the SSL BIO. If
you wrote it all, release the mutex and signal the condition variable.
If not, block on the condition variable until you write it all.

4) In your write thread, grab the mutex and block on the condition
variable. When woken, get any data 
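Steps 1-4 above as an added Python example; this is not code from the post or from OpenSSL. Python's socket and threading modules stand in for the native API, and a constructed RecordLayer class (length-prefixed framing, no encryption) stands in for the non-blocking, non-thread-safe BIO pair, because the point is the locking discipline rather than the cipher: one mutex with a condition variable, held only across the non-blocking calls into the layer, while the socket threads block in recv()/sendall() with it released. All names are constructed.

```python
import socket
import threading


class RecordLayer:
    # Constructed stand-in for the BIO pair: non-blocking and NOT thread-safe.
    # Plaintext becomes length-prefixed records; the reverse on the way in.
    RECORD_MAX, OUT_LIMIT = 16, 64   # octets per record; queued-output cap

    def __init__(self):
        self.net_out = bytearray()    # records waiting for the socket
        self.net_in = bytearray()     # socket bytes not yet parsed
        self.plain_in = bytearray()   # decoded plaintext waiting for the app

    def write_plain(self, data):
        """Accept up to one record; 0 means 'would block' (like WANT_WRITE)."""
        if len(self.net_out) >= self.OUT_LIMIT:
            return 0
        chunk = bytes(data[:self.RECORD_MAX])
        self.net_out += len(chunk).to_bytes(2, "big") + chunk
        return len(chunk)

    def feed_net_in(self, data):
        self.net_in += data
        while len(self.net_in) >= 2:
            n = int.from_bytes(self.net_in[:2], "big")
            if len(self.net_in) < 2 + n:
                break                          # record still incomplete
            self.plain_in += self.net_in[2:2 + n]
            del self.net_in[:2 + n]


class Connection:
    # Blocking socket threads plus ONE mutex/condition variable around the
    # record layer, following steps 1-4 of the post.
    def __init__(self, sock):
        self.sock, self.layer = sock, RecordLayer()
        self.cv = threading.Condition()       # the "SSL mutex" and its condvar
        for fn in (self._net_reader, self._net_writer):
            threading.Thread(target=fn, daemon=True).start()

    def send(self, data):
        # Step 1: non-blocking write under the mutex; wait when refused,
        # broadcast on any progress.
        view = memoryview(data)
        with self.cv:
            while len(view):
                n = self.layer.write_plain(view)
                if n == 0:
                    self.cv.wait()            # mutex released while waiting
                    continue
                view = view[n:]
                self.cv.notify_all()

    def recv(self):
        # Step 2: non-blocking read under the mutex; wait while nothing decoded.
        with self.cv:
            while not self.layer.plain_in:
                self.cv.wait()
            data, self.layer.plain_in = bytes(self.layer.plain_in), bytearray()
            return data

    def _net_reader(self):
        # Step 3: block in recv() with the mutex released, then feed the layer.
        while chunk := self.sock.recv(4096):  # b'' once the socket is shut down
            with self.cv:
                self.layer.feed_net_in(chunk)
                self.cv.notify_all()

    def _net_writer(self):
        # Step 4: wait for pending records, then block in sendall() unlocked.
        while True:
            with self.cv:
                while not self.layer.net_out:
                    self.cv.wait()
                pending, self.layer.net_out = bytes(self.layer.net_out), bytearray()
                self.cv.notify_all()          # layer can take plaintext again
            self.sock.sendall(pending)


def exchange(msg_a, msg_b):
    """Two peers on a socketpair, each sending and receiving at the same time.
    Returns (bytes A received, bytes B received)."""
    sock_a, sock_b = socket.socketpair()
    conns = {"a": Connection(sock_a), "b": Connection(sock_b)}
    expect = {"a": len(msg_b), "b": len(msg_a)}
    received = {"a": bytearray(), "b": bytearray()}

    def peer(name, outgoing):
        def drain():
            while len(received[name]) < expect[name]:
                received[name] += conns[name].recv()
        reader = threading.Thread(target=drain)
        reader.start()
        conns[name].send(outgoing)
        reader.join()

    peers = [threading.Thread(target=peer, args=a) for a in (("a", msg_a), ("b", msg_b))]
    for t in peers:
        t.start()
    for t in peers:
        t.join()
    for s in (sock_a, sock_b):
        s.shutdown(socket.SHUT_RDWR)          # unblocks the reader threads
        s.close()
    return bytes(received["a"]), bytes(received["b"])
```

The lock is never held across a call that can block on the network, which is the whole reason the scheme lets a reader and a writer coexist on one connection; the small OUT_LIMIT makes the "would block" path of step 1 actually fire during the exchange.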

Re: RE: Multithreading problem

2006-10-20 Thread kalikali
First... sorry for the trash in my posts' subjects. I'm using the www
interface on my email provider's site for sending emails and there is
no option to change this. (I don't know if this is my mailbox's or this
mailing list server's problem.)


> Actually, it's extremely complicated. For example, what do you do if you
> call 'write' and it doesn't return in a reasonable amount of time?
>
> You cannot use 'select' with blocking sockets. If you do, and your 'write'
> blocks (say because only a few bytes could be written at that instant), you
> won't be able to call 'read'.

I don't know if it was your exact intention but you have suggested to me some
problem - that a delay in sending a packet could cause an incoming buffer overflow
due to not reading data for a long time, hence data loss. But this is not the
problem of the idea of blocking as such but rather of using mutexes with blocking
sockets. In the native socket API a delay in writing a blocking socket has no impact
on reading one. It is only a problem with using mutexes for serializing data,
which should be done due to openssl not being multithreaded.
I can use 'select' with blocking sockets; it will not block on incoming data
even if there is no data being written. Of course, as you have said, I can't use it
for reading because it will block. Using 'select' for signaling possible data
is not prohibited. (This should be clarifying for other readers.)

 
> So it works like this:
 

Well... this is not exactly a solution to my problem. I have asked about
blocking sockets in a special context. I'm using openssl via a Delphi component
which is intrinsically designed to work in true blocking mode (which is fine
for the native socket API; an encrypted connection is an additional option for it).
What you have suggested is some kind of emulation which is rather useless
in my case (SSL_read and SSL_write are hardcoded in the component code in
blocking mode - I thought rather about doing some openSSL API calls before
invoking the component's socket read method, ensuring that the method will be
invoked if there is some data on the socket, causing it not to block).


> Doesn't this kind of prove that your assumption (that non-blocking sockets
> are more complicated) is wrong? Look at all the craziness you have to go
> through to get blocking sockets to work right.
  

Eeee, I'm a little bit surprised by your interpretation. I thought all the
craziness that I have to deal with is due to the fact that OpenSSL is not
supporting multithreading. I don't blame anyone for this; maybe it is not as
easy as someone who didn't implement this may think. I'm only trying to show
my problem and find the most suitable and easiest solution. I got the impression
(correct me if I'm wrong) that you are trying to compromise the idea of
blocking sockets only because openSSL doesn't support it. Many people (like me)
are using the native socket API (in which blocking sockets are natural and work
correctly) and suppose that the openSSL API would be the same - that's why there are
many problems with that. (Additionally, just like in my case, it is not only about
changing my thinking about using sockets but also about changing third party libraries.)

Anyway, thanks for your help David.

Lucas



Re: RE: Multithreading problem

2006-10-20 Thread kalikali
> I am very, very new to openssl. There is a good example (Example 5-16,
> Network Security with Openssl book)) for using nonblocking openssl. It
> is easy to understand. It uses one thread to handle 2 nonblocking
> socket. You may have to modify it to handle multithread. At least, you
> have example to follow. I am trying to modify this example, so one
> openssl socket is handled by one thread using select ( native API) to
> monitor socket.
>
> Thao Dinh
 

Thanks Thao for the suggestion. It is not only problems with writing correct code
but also the wish to use some components (which I have used for communication
without encryption) that forces me to raise this problem on this
mailing list. But of course the examples given by you should be useful for me
(if I implement this (probably I will have to)).

Lucas


indirectCRLs

2006-10-20 Thread Karsten Ohme
Hello,

I have created a CA and want to generate CRLs for another CA, i.e. an
indirectCRL. How can this be done with the command line? I also want to
add a CRL extensions to it. How is the syntax for the
IssuingDistributionPoint extension in openssl.cnf?

Regards, Karsten


SSL_CTX_set_quiet_shutdown func OpenSSL only?

2006-10-20 Thread Perry L. Jones

Please don't get upset because this is kinda a Java question.

Does anyone know if SSL_CTX_set_quiet_shutdown can only be done using 
the OpenSSL API or can it be done using Java?


I have a OpenSSL server and a Java client.  The server is not expecting 
to see the shutdown but the Java client sends it to me anyway.  I realy 
need a way to set this option in Java if there is one?


Thanks,
Perry

--
Perry L. Jones (Software Engineer)
E-mail: [EMAIL PROTECTED]
Phone: (315) 838-7038
Fax:   (315) 838-7196

Dolphin Technology Inc.
474 Phoenix Drive
Rome, NY 13441-4911





Re: HP-UX installation (was: Solaris installation: Text relocation remains...)

2006-10-20 Thread Marc Girod
Hello 'ViSolve Security',

ViSolve Security Consulting Group [EMAIL PROTECTED] writes:

> Try OpenSSL compilation with the following configure options.
>
> # ./Configure --prefix=/vob/tools_HP-UX zlib shared hpux-parisc2-cc

Thanks for your reply, and sorry for not following up faster.

Your suggestion was twofold:
1. switching from 'config' to 'Configure'
2. dropping the options telling where to find the headers and libraries,
   in particular for zlib.

I tried, and got the expected errors related to #2.

I admit however that these are likely to show a difference between my
environment on HP-UX and -say- on Solaris, so the ball is in my camp.
And my way of passing the information was more of a hack than a clean
solution.

I don't understand issue #1 well. I'd believe there is no difference.
How does one determine whether the CPU is a risc1 or a risc2?

I got from HP a copy of the makefile used to build OpenSSL into a depot
(which I cannot use as such), but this is where I'll be working now.

Marc



TLS Client Helo, cipher suites

2006-10-20 Thread Arno Garrels
Hello,

How to force negotiation of AES256-SHA without disabling the
AES128-SHA at the server-side when a client sends AES128-SHA
as its first preference and AES256-SHA as second?
 
Thanks,

Arno Garrels

 




Re: TLS Client Helo, cipher suites

2006-10-20 Thread Lutz Jaenicke
On Fri, Oct 20, 2006 at 08:44:25PM +0200, Arno Garrels wrote:
> Hello,
>
> How to force negotiation of AES256-SHA without disabling the
> AES128-SHA at the server-side when a client sends AES128-SHA
> as its first preference and AES256-SHA as second?

Please have a look into SSL_OP_CIPHER_SERVER_PREFERENCE available
via SSL_CTX_set_options().

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus


Re: TLS Client Helo, cipher suites

2006-10-20 Thread Arno Garrels
Lutz Jaenicke wrote:
> Please have a look into SSL_OP_CIPHER_SERVER_PREFERENCE available
> via SSL_CTX_set_options().

Thank you very much!

Arno Garrels


Re: BN_bin2bn problem

2006-10-20 Thread Nils Larsch

Olga Kornievskaia wrote:
> ...
> Ok. Thanks. I was hoping that a leading zero was the answer to my real
> problem, which is: I'm using the above p and a generator g = 2 (both
> are well-known group 2 DH parameters described in RFC 2412). I
> initialize the DH structure with them and then call DH_check(), which
> returns with an error code of 8, which is "the g value is not a
> generator". I'm puzzled as to why the library doesn't like the
> well-known DH parameters.


simply because 2 is not a generator of the group (have a look at the
last paragraph of the introduction of appendix E).

Cheers,
Nils
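An added Python example (not OpenSSL's code) to make the answer concrete. element_order() computes the order of g in Z_p^* for a safe prime p = 2q + 1, where the only possible orders are 1, 2, q and p - 1, and "generator" in DH_check's sense means the last. dh_check() mirrors the classic DH_check() logic as I read the 0.9.x source: a safe-prime test, then for g == 2 the residue shortcut p mod 24 == 11 (p == 3 mod 8, where 2 is a quadratic non-residue and hence generates the whole group) and for g == 5 p mod 10 in {3, 7}, reported with the result bits from dh.h; the poster's "error code 8" is DH_NOT_SUITABLE_GENERATOR. The group 2 modulus ends in ...FFFFFFFF, so p == 7 mod 8 there and 2 has order q, which is exactly what the check flags. The primes below are small constructed ones; the functions take the real modulus unchanged.

```python
# DH_check() result bits from OpenSSL's dh.h; the "error code 8" in the
# question is DH_NOT_SUITABLE_GENERATOR.
DH_CHECK_P_NOT_PRIME = 0x01
DH_CHECK_P_NOT_SAFE_PRIME = 0x02
DH_UNABLE_TO_CHECK_GENERATOR = 0x04
DH_NOT_SUITABLE_GENERATOR = 0x08

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve primes as bases: deterministic
    below about 3e23, otherwise a negligible error probability."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def element_order(g: int, p: int) -> int:
    """Order of g in Z_p^* for a safe prime p = 2q + 1. By Lagrange the only
    candidates are 1, 2, q and 2q = p - 1; g generates the whole group only
    in the last case, and lies in the prime-order subgroup when g^q == 1."""
    q = (p - 1) // 2
    for order in (1, 2, q):
        if pow(g, order, p) == 1:
            return order
    return p - 1


def dh_check(p: int, g: int) -> int:
    """Mirror of the classic DH_check() logic (my reading of the 0.9.x source):
    p must be a safe prime, and for g == 2 or g == 5 a residue test on p
    decides whether g generates the full group; other g cannot be checked."""
    ret = 0
    if not is_probable_prime(p):
        ret |= DH_CHECK_P_NOT_PRIME
    elif not is_probable_prime((p - 1) // 2):
        ret |= DH_CHECK_P_NOT_SAFE_PRIME
    if g == 2:
        if p % 24 != 11:                 # p == 3 mod 8: 2 is a non-residue
            ret |= DH_NOT_SUITABLE_GENERATOR
    elif g == 5:
        if p % 10 not in (3, 7):         # p == +-2 mod 5: 5 is a non-residue
            ret |= DH_NOT_SUITABLE_GENERATOR
    else:
        ret |= DH_UNABLE_TO_CHECK_GENERATOR
    return ret


if __name__ == "__main__":
    # Small constructed safe primes; the same functions take the RFC 2412
    # group 2 modulus unchanged.
    for p in (11, 23, 47, 59, 83, 107):
        print(f"p={p:3d} q={(p - 1) // 2:2d}  ord(2)={element_order(2, p):3d}  "
              f"DH_check(p, 2)=0x{dh_check(p, 2):02x}")
```

For p = 23 the flag fires because 2^11 == 1 mod 23: 2 generates the order-11 subgroup, not all of Z_23^*; for p = 11 or 59 (both 11 mod 24) it does not fire and 2 is a true generator. The flag therefore reports "not a generator of the full group", which for a safe prime is the same as "g lies in the order-q subgroup".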



Re: Source for entropy on Windows platforms with CryptoAPI installed

2006-10-20 Thread Andy Polyakov

> It just occurred to me that the registry key
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed (type
> REG_BINARY) contains the latest seeded value from everything that
> CryptoAPI takes into account when generating its random seed.
> CryptoAPI permutes it with RC4 to come up with a pseudo-random stream,
> but I wonder if it might make sense to try to make use of it the same
> way OpenSSL on UNIX uses /dev/urandom?


No. /dev/urandom returns a unique chunk for every read, while accessing
the key in question does not change its value. Therefore it is not
appropriate to use as if it was /dev/urandom. The value is changed upon
calls to CryptoAPI, but then you get random data by CryptoAPI means and
don't need to read the key value. BTW, I fail to understand why the
seed has to be exposed world-readable. I mean, how do we know that
exposing the seed to a non-privileged adversary application does not
compromise the PRNG for other applications? For reference,
tightening the ACL to limit access to privileged users does not seem to have
side effects on non-privileged users. A.



Re: indirectCRLs

2006-10-20 Thread Dr. Stephen Henson
On Fri, Oct 20, 2006, Karsten Ohme wrote:

 
> I have created a CA and want to generate CRLs for another CA, i.e. an
> indirectCRL. How can this be done with the command line? I also want to
> add a CRL extensions to it. How is the syntax for the
> IssuingDistributionPoint extension in openssl.cnf?
 

Currently OpenSSL CRL generation is only possible through the 'ca' utility so
you need to set up (or generate) files in the appropriate format for it. You'd
have to configure it so that the CRL issuer certificate is set up as the CA
for the ca utility.

IDP has only been recently added to OpenSSL so you need the 0.9.9-dev version
to use it. Documentation is available though the website didn't update it for
some reason. Check the docs with 0.9.9-dev or:

http://www.openssl.org/docs/apps/x509v3_config.html#Issuing_Distribution_Point

Note that currently OpenSSL will not verify such a CRL properly though it can
be made to issue one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk