Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Viktor Dukhovni
On Mon, Feb 02, 2015 at 07:15:12PM +0530, Gayathri Manoj wrote:

> unsigned char *ptr, *tmp=NULL;
> X509_SIG sig;

How is sig initialized?

> len=i2d_X509_SIG(sig,NULL);
> tmp = (unsigned char*) malloc(513);

Why 513 and not len?  What is the value of len?

> ptr=tmp;
> i2d_X509_SIG(sig, ptr);  // here causing problem.

-- 
Viktor.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] ECDSA private key load error

2015-02-02 Thread Rajeswari K
Hello Openssl users,

I am facing the following issue while loading an ECDSA private key using
EVP_PKCS82PKEY().

I hope I am missing some initialization in this regard. Can you please point
out what I am doing wrong?

Steps followed:
I have generated a CSR and signed it using openssl commands.

Following are the parameters updated in the certificate.

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN=ecdsa
Validity
Not Before: Feb  2 06:00:29 2015 GMT
Not After : Feb  2 06:00:29 2016 GMT
Subject: CN=eccert
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:

ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Subject Key Identifier:

X509v3 Authority Key Identifier:


X509v3 Key Usage: critical
Digital Signature
Signature Algorithm: ecdsa-with-SHA256

Step 2: Tried to convert the private key into PKCS8 format.

Step 3: Tried to call EVP_PKCS82PKEY(pkey).

This function always returns NULL.

When I checked further on the return types, I could see the following.

As part of PKCS8_pkey_get0(algoid, NULL, NULL, NULL, p8), the type is
V_ASN1_OCTET_STRING (i.e. p8->pkey->type == V_ASN1_OCTET_STRING).

But OBJ_obj2nid(algoid) returns the nid value 0, i.e. NID_undef.

Due to this, EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid)) always returns
NULL.

Can you help me get out of this error?

Thanks,
Rajeswari.


Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Gayathri Manoj
Hi All,

Please let me know whether I need to take care of the memory separately for
FIPS mode.
Only in FIPS mode I am getting the below error while calling i2d_X509_SIG().

Program received signal SIGSEGV, Segmentation fault.
0x00d9d045 in __memcpy_ssse3_rep () from /lib/libc.so.6

Thanks,
Gayathri

On Fri, Jan 30, 2015 at 7:09 PM, Gayathri Manoj gayathri.an...@gmail.com
wrote:

> Hi All,
>
> I am getting segfault while using i2d_X509_SIG() in FIPS mode.
> (gdb) bt
> #0  0x01f95045 in __memcpy_ssse3_rep () from /lib/libc.so.6
> #1  0x00466837 in asn1_ex_i2c () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #2  0x00466a36 in asn1_i2d_ex_primitive () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #3  0x00466c4c in ASN1_item_ex_i2d () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #4  0x0046727a in asn1_template_ex_i2d () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #5  0x00466eb3 in ASN1_item_ex_i2d () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #6  0x004675f3 in ASN1_item_i2d () from /usr/local/cm/lib/libcrypto.so.1.0.1
> #7  0x0045fb3e in i2d_X509_SIG () from /usr/local/cm/lib/libcrypto.so.1.0.1
>
> unsigned char *ptr, *tmp=NULL;
> len=i2d_X509_SIG(sig,NULL); -- No issue
> sig.algor->algorithm=OBJ_nid2obj(NID_sha1);
> tmp = (unsigned char*) malloc(512+1);
> ptr=tmp;
> i2d_X509_SIG(sig, p);  --while calling second time getting core file.
>
> It's working fine in non-FIPS mode. But in FIPS getting core files. Please
> let me know how can I solve this issue.
>
> Thanks,
> Gayathri




Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Dr. Stephen Henson
On Mon, Feb 02, 2015, Gayathri Manoj wrote:

> Hi All,
>
> Please let me know whether I need to take care of the memory separately for
> FIPS mode.
> Only in FIPS mode I am getting the below error while calling i2d_X509_SIG().

I'm not sure how that can happen. The function i2d_X509_SIG isn't part of the
FIPS module so shouldn't be affected. How are you calling i2d_X509_SIG?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Specify algorithm for openssl smime decrypt

2015-02-02 Thread Fred

On 06/01/2015 12:38, Dr. Stephen Henson wrote:

> On Tue, Jan 06, 2015, Fred wrote:
>
> > I need to decrypt some S/MIME content with an invalid key length
> > for the AlgOID specified in the PKCS7 content.
> >
> > AES-256 is specified as the AlgOID, but a key length of 192 bits is
> > being used.
> >
> > Is there any way to get openssl to decrypt this using the openssl
> > smime command? i.e. override the cipher used so that it uses
> > aes-192-cbc?
>
> Not using the smime command no. There are ways to handle this either with a
> short program or by using a binary cut+paste using asn1parse.
>
> Another alternative is to use a modified version of OpenSSL which detects this
> and works around the problem.

(snip)

I take it this kind of behaviour is non-standard, which is why OpenSSL
has a problem?

Does this behaviour (AlgID mismatch) explicitly contravene some RFC or
is it that this is simply undefined and openssl is just being sensible?

It would be useful to know if the software used to create the encrypted
software is broken (it would seem it is).



Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Gayathri Manoj
Hi Steve,

unsigned char *ptr, *tmp=NULL;
 X509_SIG sig;

len=i2d_X509_SIG(sig,NULL);
tmp = (unsigned char*) malloc(513);
ptr=tmp;
i2d_X509_SIG(sig, ptr);  // here causing problem.

Thanks,
Gayathri

On Mon, Feb 2, 2015 at 6:38 PM, Dr. Stephen Henson st...@openssl.org
wrote:

> On Mon, Feb 02, 2015, Gayathri Manoj wrote:
>
> > Hi All,
> >
> > Please let me know whether I need to take care of the memory separately for
> > FIPS mode.
> > Only in FIPS mode I am getting the below error while calling
> > i2d_X509_SIG().
>
> I'm not sure how that can happen. The function i2d_X509_SIG isn't part of
> the FIPS module so shouldn't be affected. How are you calling i2d_X509_SIG?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] What is the best practise for shutdown SSL connections?

2015-02-02 Thread Viktor Dukhovni
On Mon, Feb 02, 2015 at 09:23:19AM +0300, Serj wrote:

> > http://tools.ietf.org/html/rfc5246#section-7.2.1
>
> I read RFC. Have read 7.2.1. Closure Alerts once again.
> But this is the normative document. I ask: what in practise in terms of
> OpenSSL API?
>
> As I already said some servers don't send close_notify and just close the
> connection.

If you close first, that's OK.  Also OK, if there's an application-level
end-of-data indication.  For example, with SMTP client sends
QUIT<CRLF> and server sends 221 Goodbye, there's no need to
explicitly perform an SSL_shutdown().  However, Postfix does it
by the book per TLSv1.0:

    if (SSL_shutdown() == 0)
        SSL_shutdown()

with appropriate handling of WANT_READ/WANT_WRITE, timeouts, ...

> > And what about the best practice for shutdown of connection on the server
> > side? Is it mandatory to wait close_notify from client to be able to
> > save valid session for this client or not? If server close the connection
> > after all data has been sent to the client and don't receive
> > close_notify,
> > will be the session kept?
>
> > http://tools.ietf.org/html/rfc5246#section-7.2.1
>
> I ask: what in practise in terms of OpenSSL API?
> If SERVER close the connection after all data has been sent to the client and
> will not wait for close_notify alert from CLIENT, will be the session kept
> and valid in OpenSSL API?

It should be sufficient for the server to send its close notify
without waiting for a client response.  If the server destroys the
SSL connection without calling SSL_shutdown() I am not sure whether
the session remains cached.

> I mean, can CLIENT then reuse this session, if it doesn't send close_notify
> alert? Or this session will be invalid?

Try it, see what happens.  The client is certainly free to *try*
to reuse the session, worst-case the server will perform a full
handshake anyway.

-- 
Viktor.


Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Dr. Stephen Henson
On Mon, Feb 02, 2015, Gayathri Manoj wrote:

> Hi Steve,
>
> unsigned char *ptr, *tmp=NULL;
> X509_SIG sig;
>
> len=i2d_X509_SIG(sig,NULL);
> tmp = (unsigned char*) malloc(513);
> ptr=tmp;
> i2d_X509_SIG(sig, ptr);  // here causing problem.

Well you should really malloc 'len' bytes as it could theoretically exceed
513 (in practice it's unlikely).

How are you setting up sig?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
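
The size-then-encode pattern Steve and Viktor are asking about, as an added example that is not part of the original thread and is not OpenSSL code. `i2d_digest_info` is a hypothetical pure-C stand-in that follows the same contract as `i2d_X509_SIG()` (it returns the encoded length, and when given an output pointer it writes there and advances it) for a SHA-1 DigestInfo, and `encode_digest_info` allocates exactly the reported length rather than a fixed 513 bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static size_t len_size(size_t n) {   /* bytes in a DER length field for n */
    size_t k = 1;
    if (n < 0x80) return 1;
    while ((n >>= 8) != 0) k++;
    return 1 + k;
}
/* Write tag and DER length at *p, advancing *p. */
static void put_hdr(unsigned char **p, unsigned char tag, size_t n) {
    size_t k = len_size(n) - 1;
    *(*p)++ = tag;
    *(*p)++ = (unsigned char)(k ? (0x80 | k) : n);
    while (k--) *(*p)++ = (unsigned char)(n >> (8 * k));
}
/* DER AlgorithmIdentifier: SHA-1 OID 1.3.14.3.2.26 with NULL parameters. */
static const unsigned char SHA1_ALG[] = {
    0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00 };
/* Hypothetical stand-in with the i2d contract: returns the encoded length;
 * if out is non-NULL, writes at *out and advances *out past the encoding. */
int i2d_digest_info(const unsigned char *dgst, size_t dlen, unsigned char **out) {
    size_t body = sizeof SHA1_ALG + 1 + len_size(dlen) + dlen;
    if (out != NULL) {
        put_hdr(out, 0x30, body);                 /* outer SEQUENCE */
        memcpy(*out, SHA1_ALG, sizeof SHA1_ALG);
        *out += sizeof SHA1_ALG;
        put_hdr(out, 0x04, dlen);                 /* OCTET STRING digest */
        memcpy(*out, dgst, dlen);
        *out += dlen;
    }
    return (int)(1 + len_size(body) + body);
}
/* Size first, allocate exactly len, then encode through a scratch pointer. */
unsigned char *encode_digest_info(const unsigned char *dgst, size_t dlen, int *len) {
    unsigned char *buf, *p;
    *len = i2d_digest_info(dgst, dlen, NULL);
    if (*len <= 0 || (buf = malloc((size_t)*len)) == NULL) return NULL;
    p = buf;   /* p ends up past the encoding; buf still marks its start */
    if (i2d_digest_info(dgst, dlen, &p) != *len) { free(buf); return NULL; }
    return buf;
}
int main(void) {
    unsigned char digest[20] = {0}, *der;   /* constructed sample digest */
    int len;
    if ((der = encode_digest_info(digest, sizeof digest, &len)) == NULL) return 1;
    printf("len=%d hdr=%02x %02x\n", len, der[0], der[1]);
    free(der);
    return 0;
}
```

The reported length depends entirely on the length field of the digest: a 20-byte digest encodes to 35 bytes, while a 600-byte one needs 619 and would overrun a 513-byte buffer.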


Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-02 Thread Dave Thompson
> From: openssl-users On Behalf Of Rajeswari K
> Sent: Sunday, February 01, 2015 21:18
>
> Am facing an issue of no shared cipher error during SSL Handshake,
> when tried to negotiate ECDHE cipher suite.
<snip>
> *Feb  2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
> *Feb  2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:
> SSL3_GET_CLIENT_HELLO:no shared cipher  s3_srvr.c:1381:
>
> Have updated with temporary ECDH callback during SSL Server initialization.
>
> ECDSA certificate is being signed using openssl commands.

How was the keypair and CSR generated? In particular, check the 
publickey in the CSR, and thus in the cert, has the curve encoded in 
named form (as an OID) not explicit form (with all the details of 
prime or polynomial, equation coefficients, base point, and cofactor).





Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

2015-02-02 Thread Rajeswari K
Hello Dave,

Thanks for responding. Following is the output printed by openssl

./openssl req -in csr.csr -noout -text

Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=eccert/unstructuredName=
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:

ASN1 OID: prime256v1
Attributes:
Requested Extensions:
X509v3 Key Usage: critical
Digital Signature
Signature Algorithm: ecdsa-with-SHA256


Please share whether there is any issue with these parameters.

Thanks,
Rajeswari.


On Tue, Feb 3, 2015 at 8:28 AM, Dave Thompson dthomp...@prinpay.com wrote:

> > From: openssl-users On Behalf Of Rajeswari K
> > Sent: Sunday, February 01, 2015 21:18
> >
> > Am facing an issue of no shared cipher error during SSL Handshake,
> > when tried to negotiate ECDHE cipher suite.
> <snip>
> > *Feb  2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
> > *Feb  2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:
> > SSL3_GET_CLIENT_HELLO:no shared cipher  s3_srvr.c:1381:
> >
> > Have updated with temporary ECDH callback during SSL Server
> > initialization.
> >
> > ECDSA certificate is being signed using openssl commands.
>
> How was the keypair and CSR generated? In particular, check the
> publickey in the CSR, and thus in the cert, has the curve encoded in
> named form (as an OID) not explicit form (with all the details of
> prime or polynomial, equation coefficients, base point, and cofactor).



Re: [openssl-users] i2d_X509_SIG() in FIPS mode

2015-02-02 Thread Gayathri Manoj
Hi Steve, Viktor,

I have tried with len also, but this also causes a seg fault.
My requirement is to store max 2048 bit keys. Hence I used length as 512
+1.
Currently I am getting len value = 28514.

X509_SIG sig;
X509_ALGOR algor;
ASN1_OCTET_STRING digest;
ASN1_TYPE parameter;
ASN1_item_digest() // to get digest details
sig.algor = algor;
sig.algor->algorithm=OBJ_nid2obj(NID_md5);
parameter.type=V_ASN1_NULL;
parameter.value.ptr=NULL;
sig.algor->parameter = parameter;
sig.digest = digest;
sig.digest->data=(unsigned char*)msg;
sig.digest->length=datalen;
len = i2d_X509_SIG(sig,NULL);


Thanks,
Gayathri

On Mon, Feb 2, 2015 at 9:31 PM, Viktor Dukhovni openssl-us...@dukhovni.org
wrote:

> On Mon, Feb 02, 2015 at 07:15:12PM +0530, Gayathri Manoj wrote:
>
> > unsigned char *ptr, *tmp=NULL;
> > X509_SIG sig;
>
> How is sig initialized?
>
> > len=i2d_X509_SIG(sig,NULL);
> > tmp = (unsigned char*) malloc(513);
>
> Why 513 and not len?  What is the value of len?
>
> > ptr=tmp;
> > i2d_X509_SIG(sig, ptr);  // here causing problem.
>
> --
> Viktor.