Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Jakob Bohm

On 01/08/2018 15:42, Viktor Dukhovni wrote:
>> On Aug 1, 2018, at 9:31 AM, Michael Wojcik wrote:
>>
>> CMS with an AEAD mode (such as AES128-GCM) ought to avoid the
>> integrity-protection issue for the encrypted content, but not for the other
>> parts of the message, I assume. (I'm no CMS expert so I may be missing
>> something there.) And, of course, both sender and recipient would have to
>> support that algorithm.
>
> Not if you make it streaming.  A streaming implementation will emit almost
> the entirety of the decrypted message before checking integrity at the
> end and finding out that some part of it (already output) was wrong.


Which is entirely fine if all you do with the stream output before
integrity checking is to store it somewhere larger than process RAM,
such as in a (temporary) disk file (Or perform some other operation
which is safe with garbage input).

Consider the (logically equivalent) fact that most algorithms inside
OpenSSL stream their output to memory because it is rarely possible
to hold an entire message in CPU registers.

But I agree that blindly switching to AEAD modes does nothing to help
the "problem" of allowing a different level of the software stack to
see decrypted output before the integrity check has been completed.

OpenSSL should be an open toolkit, not a bondage-and-discipline
programming environment like NaCl.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] porting socket ssl python to c++

2018-08-01 Thread Wim Lewis
This pair of articles is quite old, so some of the API details have changed, 
but it has an overall description of how to use OpenSSL:
   https://www.linuxjournal.com/article/4822
   https://www.linuxjournal.com/article/5487

The link to the example code is broken, but you can find it here:
   https://github.com/Andersbakken/openssl-examples/

One thing to be aware of is that the check_cert() function is just a sketch of 
what a real check_cert() function would need to do (which depends on your 
application, to some extent). There are some functions that have been added to 
OpenSSL since then that, AIUI, can replace having to do those checks in your 
own check_cert():
https://www.openssl.org/docs/man1.1.0/crypto/X509_check_host.html




Re: [openssl-users] Shutdown details

2018-08-01 Thread Alex H
[...] The other party MUST respond with a close_notify alert of its own and
close down the connection immediately, *discarding any pending writes*.

I've read this before, but I've also checked the sources of SSL_write and
they seem contradictory:

SSL_write does not return with error when SSL_RECEIVED_SHUTDOWN is set, but
does so when SSL_SENT_SHUTDOWN is set. Why is this? A minor bug? If the RFC
states the end who receives a close_notify should *discard any pending
writes* then it surely seems a bug to allow SSL_write for a connection
where SSL_RECEIVED_SHUTDOWN is set?



> If your question is whether you can still read any data that may have
> been in flight when you send your close_notify, I believe the answer
> is no.  Further data received from the peer is discarded after a
> close_notify is sent.

I also believe so, especially since SSL_shutdown docs seem to hint that
once SSL_shutdown is called, it should be called again until fully done
(serving SSL_WANT_READ/WRITE as needed). In other words, SSL_shutdown
becomes the only function called until the SSL connection is fully closed,
no more SSL_read is called and thus it cannot report any received data.
SSL_shutdown does not return with any data.

Regarding the SSL_RECEIVED_SHUTDOWN - do you think this is a minor bug?

On Wed 1 Aug 2018 at 21:16, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

>
>
> > On Aug 1, 2018, at 2:27 AM, Alex H  wrote:
> >
> > Is it possible to receive data after calling SSL_shutdown? Reading the
> specs and docs leaves this rather blurry.
>
> TLS *does not* support half-closed connections (RFC5246):
>
>    close_notify
>       This message notifies the recipient that the sender will not send
>       any more messages on this connection.  Note that as of TLS 1.1,
>       failure to properly close a connection no longer requires that a
>       session not be resumed.  This is a change from TLS 1.0 to conform
>       with widespread implementation practice.
>
>    Either party may initiate a close by sending a close_notify alert.
>    Any data received after a closure alert is ignored.
>
>    Unless some other fatal alert has been transmitted, each party is
>    required to send a close_notify alert before closing the write side
>    of the connection.  The other party MUST respond with a close_notify
>    alert of its own and close down the connection immediately,
>    discarding any pending writes.  It is not required for the initiator
>    of the close to wait for the responding close_notify alert before
>    closing the read side of the connection.
>
>    If the application protocol using TLS provides that any data may be
>    carried over the underlying transport after the TLS connection is
>    closed, the TLS implementation must receive the responding
>    close_notify alert before indicating to the application layer that
>    the TLS connection has ended.  If the application protocol will not
>    transfer any additional data, but will only close the underlying
>    transport connection, then the implementation MAY choose to close the
>    transport without waiting for the responding close_notify.  No part
>    of this standard should be taken to dictate the manner in which a
>    usage profile for TLS manages its data transport, including when
>    connections are opened or closed.
>
>    Note: It is assumed that closing a connection reliably delivers
>    pending data before destroying the transport.
>
> If your question is whether you can still read any data that may have
> been in flight when you send your close_notify, I believe the answer
> is no.  Further data received from the peer is discarded after a
> close_notify is sent.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] Shutdown details

2018-08-01 Thread Viktor Dukhovni



> On Aug 1, 2018, at 2:27 AM, Alex H  wrote:
> 
> Is it possible to receive data after calling SSL_shutdown? Reading the specs 
> and docs leaves this rather blurry.

TLS *does not* support half-closed connections (RFC5246):

   close_notify
      This message notifies the recipient that the sender will not send
      any more messages on this connection.  Note that as of TLS 1.1,
      failure to properly close a connection no longer requires that a
      session not be resumed.  This is a change from TLS 1.0 to conform
      with widespread implementation practice.

   Either party may initiate a close by sending a close_notify alert.
   Any data received after a closure alert is ignored.

   Unless some other fatal alert has been transmitted, each party is
   required to send a close_notify alert before closing the write side
   of the connection.  The other party MUST respond with a close_notify
   alert of its own and close down the connection immediately,
   discarding any pending writes.  It is not required for the initiator
   of the close to wait for the responding close_notify alert before
   closing the read side of the connection.

   If the application protocol using TLS provides that any data may be
   carried over the underlying transport after the TLS connection is
   closed, the TLS implementation must receive the responding
   close_notify alert before indicating to the application layer that
   the TLS connection has ended.  If the application protocol will not
   transfer any additional data, but will only close the underlying
   transport connection, then the implementation MAY choose to close the
   transport without waiting for the responding close_notify.  No part
   of this standard should be taken to dictate the manner in which a
   usage profile for TLS manages its data transport, including when
   connections are opened or closed.

   Note: It is assumed that closing a connection reliably delivers
   pending data before destroying the transport.

If your question is whether you can still read any data that may have
been in flight when you send your close_notify, I believe the answer
is no.  Further data received from the peer is discarded after a
close_notify is sent.

-- 
Viktor.



Re: [openssl-users] Shutdown details

2018-08-01 Thread Alex H
I would appreciate an answer to this question, it's holding me back and
should be a simple yes/no.

And yes, "client_notify" is a typo and should be "close_notify".

Thanks

On Wed 1 Aug 2018 at 08:27, Alex H wrote:

> Hi,
>
> I have trouble understanding the details of TLS shutdown. I get the basics
> but,
>
> Is it possible to receive data after calling SSL_shutdown? Reading the
> specs and docs leaves this rather blurry.
>
> That is, after sending a close_notify, can I receive data before getting
> my client_notify response?
>
> The sources of SSL_write checks for SSL_SENT_SHUTDOWN state and returns
> with error if set, but does not check for SSL_RECEIVED_SHUTDOWN. This
> indicates somehow I'm allowed to still send data after receiving a
> close_notify?
>


[openssl-users] porting socket ssl python to c++

2018-08-01 Thread Roberto Spadim
Hi guys, I have a newbie question.


I have this piece of code, but I'm not finding something similar in C++;
could anyone help? Thanks:


import socket
import ssl
import sys

if len(sys.argv) == 3:
    HOST = sys.argv[1]        # IP
    PORT = int(sys.argv[2])   # Port
else:
    print "USAGE: $python client_ssl.py  "
    exit(1)
print 'Connecting...'
s = socket.create_connection((HOST, PORT))
# Note: ssl.wrap_socket() with its default cert_reqs=CERT_NONE does not verify
# the server certificate, so this client accepts any peer (no MITM protection).
s = ssl.wrap_socket(s)
print "Connected!\n"
while True:
    query = raw_input("Query: ")
    if ( query == "quit" ):
        break
    s.send(query)
    data = s.recv(16384)
    print 'Reply:', data
s.close()




-- 
Roberto Spadim


Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread Blumenthal, Uri - 0553 - MITLL
Actually, it all works just fine. Viktor's point about adding terminating "\n" 
to the input text helped.


$ cat rsa_tst1.java 
import java.security.KeyFactory;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class rsa_tst1
{

public static void main(String[] args) throws Exception 
{
String input = "sample input\n";

final String strPk = 
"-BEGIN PRIVATE KEY-\n"
+ 
"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGlXflMDDD8kOP\n"
+ 
"TP5y06tSXe1g8G3uJAoGHT8NewYANIONuJEZveXnfL8+bJRIu8FDzeCc4SWsCISK\n"
+ 
"WMmX/VY+IzZxLvUlOzRaKmO3Su7A9ABSc/AtcEVcrXhr9qV3axZDMXRXsWTxFnhO\n"
+ 
"/lRK8RpfGoGIhgCKkuNswy/DUjka0x03HymD7HwWhaNgsuvon+zWlSNTIV3t/WU4\n"
+ 
"093DlykKgDwEPym3UXHIgAecEAsYvm/YeYtM8NsHF2tzr40dKxA460lO/P8Vr7rL\n"
+ 
"df+AF9sNyfNFR81KBtPp2aqvZVXabHQrIZEpoZLrkz6uCObmyPiFx2m59Y3nXQV2\n"
+ 
"Fac8DuATAgEDAoIBAQCEY6VDdXXX9te03f73N8eMPp5AoElJbVwEE39eUgQAIwJe\n"
+ 
"ewtmfplE/dTUSGLbJ9YtM+sTQMPIBa2xkIZlU47UF3mgyfjDfM2RcZfPh0nV+AA2\n"
+ 
"9/VzoC49yPrypG5PnLmCIPg6dkNLZFA0qY2HS2bqEauwWVWxt0JIgh/XjCYR4OYZ\n"
+ 
"y7unFj5XnW93cAfL9U8CZPonO6iHCB14unk/UyiIHNrR41at0+qwVJYXdTFx+m0C\n"
+ 
"3KiWAwleRdVy2LBj3Fq1R3/pW3tnYTadgOInRYF4hQuF+ttIzEiuimhd6blUdMlR\n"
+ 
"WWbw8xp2A8buS4DQUKz0u1OAAhDvsqfEDsWLIAq7AoGBAPHwbdW8aLN85Y3W1pYf\n"
+ 
"2ELIlV1422sH+MrKv/jqQFf9LVmiXzq2+EZiYQcSxUFp5/1OvnRIHfY2hiBtq4Ww\n"
+ 
"VBq9/0u/D8Rv9bKPOvpLxYZP9FIOo8/BaLp5VV3Vz4pxVort0xHr+DfWFWH7t0cC\n"
+ 
"m/3LtfC1Y7j0TKyL/soyDWzXAoGBANIf/7pM4msWM+5WtEoW17OKaE6fbHYbeG44\n"
+ 
"/C76WhRBJ5onCuz7m0tdoB9mGv+D3s8FcBojzlbDKIrZvv7XDG1rAL2x5AGKqDZP\n"
+ 
"+bH5ahKJDg/tq7Sba6xqtLBMtzVqZrtDSGTUPLNkeDJM4F6rs/dK+HvEjruLhF1E\n"
+ 
"ALS5UWMlAoGBAKFK8+PS8HeomQk55GQVOtcwY5Ol55yv+zHcf/tG1Y/+HjvBlNHP\n"
+ 
"UC7sQK9h2NZGmqjfKaLavqQkWWrzx651jWcpVN0qCoL1TncKJ1GH2QQ1TYwJwoqA\n"
+ 
"8HxQ45Pj37Gg5FyejLadUCU5Y5anz4SsZ/6HzqB47SX4Mx2yqdwhXkiPAoGBAIwV\n"
+ 
"VSbd7EdkIp7keDFkj80G8DRqSE68+vQl/XSm5rgrb7waB0invNzpFWpEEf+tPzSu\n"
+ 
"SrwX3uSCGwc71KnksvOcqykhQquxxXmKpnamRrcGCV/zx8288nLxzcrdz3jxmdIs\n"
+ 
"2u3i0yJC+swzQD8dIqTcpafYXyeyWD4tVc3Q4OzDAoGBAML1gJ2slF0egQmxKSJK\n"
+ 
"YktcRX4IP1rWlYClgcJ9OLAxZBFWPwW8+hsTfCDoa5WEk4+CFHZ37PyibzjGuASC\n"
+ 
"UQmOZj6tVnaRkB62ExArgjzyyIMEUAbfFw4vKHe8cyF8MFC6JbTYj0EDlQtkhK65\n"
+ "HE0xeJjwo/swhpkBItsH0cYJ\n"
+ "-END PRIVATE KEY-\n";

String base64Signature = signSHA256RSA(input,strPk);
  

Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread Viktor Dukhovni



> On Aug 1, 2018, at 12:47 PM, timmy pony  wrote:
> 
> On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni  
> wrote:
> On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote:
> 
> > I have tried this
> >
> > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 
> > codeTosign.txt
> 
> This produces raw binary output, no base64 encoding.  What is the
> content of the file "codeToSign.txt"?  Post the output of:
> 
> od -tx1 < /tmp/codeToSign.txt
> 
>  od -tx1 < codeToSign.txt
> 00073  61  6d  70  6c  65  20  69  6e  70  75  74  0a
> 015

As expected, the disk file has a newline ending (0x0a) after the
input string.

> > public class SHA256RSA {
> > 
> > public static void main(String[] args) throws Exception {
> > String input = "sample input";
> 
> This input has no newline ending, perhaps the disk file does.

The input string signed by the Java code does not.  The signatures
are therefore *expected* to be different.

Either include a newline in the Java string, or create an input
file with no newline ending.

-- 
Viktor.

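Added example (not code from the thread) that reproduces Viktor's diagnosis in Python: an `od -tx1`-style dump (GNU od layout assumed) that makes a trailing 0x0a visible, and a comparison of the exact bytes `openssl dgst -sign` reads from the file against the bytes a Java string literal produces, which is what decides whether the two signatures can ever match. The sample inputs are constructed from the thread's "sample input" case.

```python
import hashlib


def od_tx1(data: bytes, width: int = 16) -> str:
    """Render bytes the way `od -tx1` does (GNU od layout assumed): a 7-digit
    octal offset, each byte as two hex digits, and a final offset line giving
    the total length. A trailing newline shows up as a last byte of 0a."""
    lines = []
    for off in range(0, len(data), width):
        row = " ".join(f"{b:02x}" for b in data[off:off + width])
        lines.append(f"{off:07o} {row}")
    lines.append(f"{len(data):07o}")
    return "\n".join(lines)


def sha256_hex(data: bytes) -> str:
    """RSA signing (PKCS#1 v1.5) is deterministic over the digest, so different
    digests mean different signatures; this is the value that actually differs."""
    return hashlib.sha256(data).hexdigest()


def explain_mismatch(file_bytes: bytes, java_literal: str) -> str:
    """Compare what `openssl dgst -sign file` hashes (the file's exact bytes)
    with what a Java String hashes after getBytes() (assumed UTF-8 here)."""
    lit = java_literal.encode("utf-8")
    if file_bytes == lit:
        return "same bytes: signatures will match"
    if file_bytes == lit + b"\n":
        return "file has a trailing newline (0x0a) the literal lacks"
    if lit == file_bytes + b"\n":
        return "literal has a trailing newline the file lacks"
    return "inputs differ beyond a trailing newline"


if __name__ == "__main__":
    # Constructed: the file as an editor saves it, and the Java literal as posted.
    on_disk = b"sample input\n"
    in_java = "sample input"
    print(od_tx1(on_disk))
    print(sha256_hex(on_disk) == sha256_hex(in_java.encode()))
    print(explain_mismatch(on_disk, in_java))
```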


Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread timmy pony
Hi Viktor - I put a '\n' at the end of the Java snippet.

Both are now equal

Thank you for your help.

On Wed, Aug 1, 2018 at 5:47 PM timmy pony  wrote:

> Hi Viktor, I speed-read the previous mail.
>
>
>
> On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni 
> wrote:
>
>> On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote:
>>
>> > I have tried this
>> >
>> > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256
>> codeTosign.txt
>>
>> This produces raw binary output, no base64 encoding.  What is the
>> content of the file "codeToSign.txt"?  Post the output of:
>>
>> od -tx1 < /tmp/codeToSign.txt
>>
>
>  od -tx1 < codeToSign.txt
>
> 00073  61  6d  70  6c  65  20  69  6e  70  75  74  0a
>
> 015
>
>
>>
>> > public class SHA256RSA {
>> >
>> > public static void main(String[] args) throws Exception {
>> > String input = "sample input";
>>
>> This input has no newline ending, perhaps the disk file does.
>>
>> > // Not a real private key! Replace with your private key!
>> > String strPk = "-BEGIN PRIVATE
>> KEY-\nMIIEvwIBADANBgkqhkiG9"
>> > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG"
>> > +
>> ""
>> > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n"
>> > + "-END PRIVATE KEY-\n";
>>
>> I sure hope your production code will *NOT* have the private key
>> embedded in the executable.
>>
>> > String base64Signature = signSHA256RSA(input,strPk);
>> > System.out.println("Signature="+base64Signature);
>>
>> This outputs a signature encoded in base64.
>>
>> --
>> Viktor.
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>


Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread timmy pony
Hi Viktor, I speed-read the previous mail.



On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni 
wrote:

> On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote:
>
> > I have tried this
> >
> > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256
> codeTosign.txt
>
> This produces raw binary output, no base64 encoding.  What is the
> content of the file "codeToSign.txt"?  Post the output of:
>
> od -tx1 < /tmp/codeToSign.txt
>

 od -tx1 < codeToSign.txt

00073  61  6d  70  6c  65  20  69  6e  70  75  74  0a

015


>
> > public class SHA256RSA {
> >
> > public static void main(String[] args) throws Exception {
> > String input = "sample input";
>
> This input has no newline ending, perhaps the disk file does.
>
> > // Not a real private key! Replace with your private key!
> > String strPk = "-BEGIN PRIVATE
> KEY-\nMIIEvwIBADANBgkqhkiG9"
> > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG"
> > +
> ""
> > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n"
> > + "-END PRIVATE KEY-\n";
>
> I sure hope your production code will *NOT* have the private key
> embedded in the executable.
>
> > String base64Signature = signSHA256RSA(input,strPk);
> > System.out.println("Signature="+base64Signature);
>
> This outputs a signature encoded in base64.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread Viktor Dukhovni



> On Aug 1, 2018, at 12:14 PM, timmy pony  wrote:
> 
> Thanks Viktor, 
> for assistance .
> The embedded private key "skeleton" is only for visualisation purposes; No it 
> will not.
> 
> 
> the openssl command returns binary. 
> so i can do .But they are still coming out different.
> 
> openssl base64 -in /tmp/sign.sha256 -out 

Please re-read my previous post and respond to *all* the points.

-- 
Viktor.



Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread timmy pony
Thanks Viktor, for the assistance.
The embedded private key "skeleton" is only for visualisation purposes; no,
it will not.


The openssl command returns binary, so I can do the following. But they are
still coming out different.

openssl base64 -in /tmp/sign.sha256 -out 

On Wed, Aug 1, 2018 at 4:28 PM Viktor Dukhovni 
wrote:

> On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote:
>
> > I have tried this
> >
> > openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256
> codeTosign.txt
>
> This produces raw binary output, no base64 encoding.  What is the
> content of the file "codeToSign.txt"?  Post the output of:
>
> od -tx1 < /tmp/codeToSign.txt
>
> > public class SHA256RSA {
> >
> > public static void main(String[] args) throws Exception {
> > String input = "sample input";
>
> This input has no newline ending, perhaps the disk file does.
>
> > // Not a real private key! Replace with your private key!
> > String strPk = "-BEGIN PRIVATE
> KEY-\nMIIEvwIBADANBgkqhkiG9"
> > + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG"
> > +
> ""
> > + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n"
> > + "-END PRIVATE KEY-\n";
>
> I sure hope your production code will *NOT* have the private key
> embedded in the executable.
>
> > String base64Signature = signSHA256RSA(input,strPk);
> > System.out.println("Signature="+base64Signature);
>
> This outputs a signature encoded in base64.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread Viktor Dukhovni
On Wed, Aug 01, 2018 at 09:24:38AM +0100, timmy pony wrote:

> I have tried this
>
> openssl dgst -sha256 -sign my_private.key -out /tmp/sign.sha256 codeTosign.txt

This produces raw binary output, no base64 encoding.  What is the
content of the file "codeToSign.txt"?  Post the output of:

od -tx1 < /tmp/codeToSign.txt

> public class SHA256RSA {
> 
> public static void main(String[] args) throws Exception {
> String input = "sample input";

This input has no newline ending, perhaps the disk file does.

> // Not a real private key! Replace with your private key!
> String strPk = "-BEGIN PRIVATE KEY-\nMIIEvwIBADANBgkqhkiG9"
> + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG"
> + ""
> + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n"
> + "-END PRIVATE KEY-\n";

I sure hope your production code will *NOT* have the private key
embedded in the executable.

> String base64Signature = signSHA256RSA(input,strPk);
> System.out.println("Signature="+base64Signature);

This outputs a signature encoded in base64.

-- 
Viktor.


Re: [openssl-users] unknown cipher?

2018-08-01 Thread Viktor Dukhovni



> On Jul 31, 2018, at 5:08 PM, Henderson, Karl  wrote:
> 
> When I type:
>  
> openssl ciphers -tls1_3 -stdname -V
>  
> I see this as one of the results:
>  
>   0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  
> TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD

This is a TLS cipher-suite.

> However, when I try to do a speed test on this algorithm
>  
> openssl speed -evp TLS_AES_256_GCM_SHA384

This command tests the performance of basic cryptographic algorithms supported
by the libcrypto EVP layer, such as AES, SHA256, RSA, ...

> speed: TLS_AES_256_GCM_SHA384 is an unknown cipher or digest
>  
> What am I missing?

TLS cipher-suites are from libssl, and are not EVP-layer cryptographic
algorithms.

-- 
Viktor.



[openssl-users] Support for EC key generation in engine interface

2018-08-01 Thread Rony DM
Hello,

Does the OpenSSL engine interface allow EC key generation to be offloaded
to the engine? We are able to find bindings for ECDSA and ECDH, but not
for generating the key.

Thank you.


Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-08-01 Thread Viktor Dukhovni



> On Jul 31, 2018, at 4:59 AM, Matt Caswell  wrote:
> 
> To be clear I can only think of one leak that we have at process exit
> (well technically it's two instances of the same thing). And that leak is
> not the result of a *mistake*. It is a deliberate design decision to
> work around a problem on some platforms (i.e. anything that isn't
> Windows, Linux or Solaris, IIRC).

There's at least one more, we don't call X509_PURPOSE_cleanup(), without
which we leak memory allocated via X509_PURPOSE_add().  There may be other
static allocations that the test suite does not exercise.

-- 
Viktor.



Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Viktor Dukhovni



> On Aug 1, 2018, at 9:31 AM, Michael Wojcik  
> wrote:
> 
> CMS with an AEAD mode (such as AES128-GCM) ought to avoid the 
> integrity-protection issue for the encrypted content, but not for the other 
> parts of the message, I assume. (I'm no CMS expert so I may be missing 
> something there.) And, of course, both sender and recipient would have to 
> support that algorithm.

Not if you make it streaming.  A streaming implementation will emit almost
the entirety of the decrypted message before checking integrity at the
end and finding out that some part of it (already output) was wrong.

-- 
Viktor.



Re: [openssl-users] openssl-1.1.1 make test error on Red Hat Enterprise Linux 6.1.

2018-08-01 Thread Viktor Dukhovni



> On Aug 1, 2018, at 4:42 AM, Matt Caswell  wrote:
> 
> Please can you submit this problem as a github issue:
> 
> https://github.com/openssl/openssl/issues

We certainly need to raise the buffer size, for example on MacOS/X
and FreeBSD errno 47 has a (coincidentally) 47-byte long error message:

  $ perl -le '
    for ($i = 0; $i < 256; ++$i) {
        $! = $i; $l = length("$!");
        if ($l > $m) { $m = $l; $n = $i; }
        last if ($i eq "$!");
    }
    $! = $n; print "$i: $n: $m: $!";
  '
  97[*]: 47: 47: Address family not supported by protocol family

This will also be affected by the locale.  I'd set the limit
generously at 128 bytes.

-- 
Viktor.

[*] FreeBSD has 96 error strings, while running the same Perl script on
MacOS/X demonstrates 106 error strings.


Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Wednesday, August 01, 2018 06:56
>
> On Tue, Jul 31, 2018 at 06:14:18PM +0200, Jakob Bohm wrote:
>
> > Actually, the CMS format itself is clearly designed for streamed decoding.
>
> It is not, because there is no integrity protection until you reach
> the end of the message.  In a packetized format designed for
> streaming, each chunk and their sequencing is integrity protected,
> streaming extractors are only exposed to (tamper-evident) truncation
> attacks.

And thus falling foul of Moxie Marlinspike's Cryptographic Doom Principle: If 
you don't verify integrity first, sooner or later you'll be in trouble.

While CMS has been updated, its roots are long - PKCS#7 is 20 years old, after 
all, and RFC 5652 is nearing the end of its first decade. Back then, deferring 
the integrity check to the end wasn't seen as a problem. Today we know better - 
which is why many people prefer AEAD modes.

CMS with an AEAD mode (such as AES128-GCM) ought to avoid the 
integrity-protection issue for the encrypted content, but not for the other 
parts of the message, I assume. (I'm no CMS expert so I may be missing 
something there.) And, of course, both sender and recipient would have to 
support that algorithm.

--
Michael Wojcik
Distinguished Engineer, Micro Focus





Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Viktor Dukhovni
On Tue, Jul 31, 2018 at 06:14:18PM +0200, Jakob Bohm wrote:

> > CMS works fine for small messages, and could even be used to construct
> > the integrity-protected chunks in a higher-level protocol.  CMS is
> > not appropriate for multi-gigabyte or terabyte, ... datasets.
>
> Actually, the CMS format itself is clearly designed for streamed decoding.

It is not, because there is no integrity protection until you reach
the end of the message.  In a packetized format designed for
streaming, each chunk and their sequencing is integrity protected,
streaming extractors are only exposed to (tamper-evident) truncation
attacks.

-- 
Viktor.
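Added example (not code from this thread or from OpenSSL's CMS implementation) contrasting the two designs discussed above, in pure Python: a CMS-style body with one integrity tag at the very end, where an emulated streaming reader has already released every chunk before the tag can be checked, against a packetized format in which each chunk carries its sequence number, a last-chunk flag and its own tag, so a tampered or reordered chunk is rejected before release and truncation is detected at end of stream. The key and message are constructed for the demo, and HMAC-SHA256 stands in for an AEAD tag, since the integrity-ordering argument is the same.

```python
import hashlib
import hmac
import struct
from typing import Iterator, List, Optional, Tuple

CHUNK = 16                                                  # tiny, so the sample spans 4 chunks
KEY = b"constructed demo MAC key, not a real secret"        # constructed for the demo
MSG = b"streaming CMS emits plaintext before the tag check runs"  # constructed, 55 bytes

# --- CMS-style: one integrity tag over the whole body, checkable only at EOF ---

def seal_trailing_tag(key: bytes, body: bytes) -> bytes:
    """body || HMAC(body): nothing can be verified until the last byte arrives."""
    return body + hmac.new(key, body, hashlib.sha256).digest()

def stream_trailing_tag(key: bytes, blob: bytes) -> Tuple[List[bytes], bool]:
    """Emulate a streaming consumer: every chunk is released as soon as it is
    read, and only then is the trailing tag checked. Returns the chunks that
    were already handed downstream and whether the tag verified."""
    body, tag = blob[:-32], blob[-32:]
    released = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
    return released, ok

# --- packetized: seq (u32) | last (u8) | len (u16) | data | HMAC over all of it ---

HDR = struct.Struct(">IBH")

def _tag(key: bytes, seq: int, last: int, data: bytes) -> Tuple[bytes, bytes]:
    hdr = HDR.pack(seq, last, len(data))
    return hdr, hmac.new(key, hdr + data, hashlib.sha256).digest()

def seal_chunked(key: bytes, body: bytes) -> bytes:
    pieces = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)] or [b""]
    out = bytearray()
    for seq, data in enumerate(pieces):
        hdr, tag = _tag(key, seq, int(seq == len(pieces) - 1), data)
        out += hdr + data + tag
    return bytes(out)

class ChunkError(Exception):
    pass

def stream_chunked(key: bytes, blob: bytes) -> Iterator[bytes]:
    """Yield each chunk only after its own tag and sequence number verify.
    Modification and reordering are rejected at the offending chunk; the one
    thing a streaming reader cannot catch early is truncation, and the 'last'
    flag makes that tamper-evident at EOF."""
    off, expect, done = 0, 0, False
    while off < len(blob):
        if done:
            raise ChunkError("data after final chunk")
        if off + HDR.size > len(blob):
            raise ChunkError("truncated header")
        seq, last, n = HDR.unpack_from(blob, off)
        data = blob[off + HDR.size:off + HDR.size + n]
        tag = blob[off + HDR.size + n:off + HDR.size + n + 32]
        if len(data) != n or len(tag) != 32:
            raise ChunkError("truncated chunk")
        if not hmac.compare_digest(_tag(key, seq, last, data)[1], tag):
            raise ChunkError(f"bad tag at chunk {seq}")
        if seq != expect:                       # genuine chunk, wrong position
            raise ChunkError(f"chunk {seq} out of order (expected {expect})")
        yield data
        expect, done, off = expect + 1, bool(last), off + HDR.size + n + 32
    if not done:
        raise ChunkError("stream truncated before final chunk")

def consume_chunked(key: bytes, blob: bytes) -> Tuple[List[bytes], Optional[str]]:
    """Drive the streaming reader; return what reached downstream and the error."""
    released: List[bytes] = []
    try:
        for chunk in stream_chunked(key, blob):
            released.append(chunk)
        return released, None
    except ChunkError as exc:
        return released, str(exc)

def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate in-transit corruption of a single byte."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    rel, ok = stream_trailing_tag(KEY, flip_byte(seal_trailing_tag(KEY, MSG), 40))
    print(f"trailing tag: {len(rel)} chunks released downstream, tag ok={ok}")
    rel, err = consume_chunked(KEY, flip_byte(seal_chunked(KEY, MSG), 120))
    print(f"packetized:   {len(rel)} chunks released, then: {err}")
```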


Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Christian Böhme
> Sent: Tuesday, July 31, 2018 10:16
>
> On 30.07.2018 20:12, Michael Wojcik wrote:
>
> > FWIW, SUS Issue 5 defines RLIMIT_AS as applying to both malloc and mmap, 
> > but RLIMIT_DATA as
> > applying only to malloc. (That is, mmap'd pages do not count against the 
> > data limit.)
>
> mmap() , by definition, populates the process' virtual address space, and if 
>  that
> is limited in size, artificially or not, then the call is going to fail, 
> eventually.

That's irrelevant to the statement you quoted, which was about the SUS 
process-limit mechanism (setrusage et al.), not the process address space.

> > Agreed. And I'm not endorsing the mmap approach for this problem anyway - 
> > I'd use a streaming
> > approach, so I'm not limited by address space.
>
> This structure, if held in a regular file, can be processed quite 
> non-linearly,
> and without  mmap()'ing  its entire contents.

Indeed. I still don't see any compelling reason to mmap it at all.

> The pure streaming approach may be appropriate for file descriptors that are 
> not
> seekable like sockets, pipes, tty ends etc., whereas with regular files, 
> random
> access schemes using either  pread(v)(2)  or  lseek(2)  in combination with
> read(v)(2)  can be employed.

Or regular files could also be processed sequentially. What's the advantage of 
making seekable sources a special case?

In any case, the OpenSSL apps are a convenience and a set of samples. You can 
always write your own version of the cms app.

--
Michael Wojcik
Distinguished Engineer, Micro Focus





[openssl-users] Help : TLS 1.3 Server is not listening on the default port

2018-08-01 Thread Chakrapani Reddy
Hello,

I wanted to capture the TLS 1.3 message flow using openssl-1.1.1-pre7
and used the below command to run the server.
[root@vm bin]# pwd
/opt/build/openssl-1.1.1-pre7/bin

[root@vm bin]# ./openssl s_server -cert server.crt -key server1.key

But it is throwing the below error:

Using default temp DH parameters

47306412798048:error:02004061:system library:socket:unknown:crypto/bio/b_sock2.c:49:
47306412798048:error:2008C076:BIO routines:BIO_socket:unable to create socket:crypto/bio/b_sock2.c:50:
   0 items in the session cache
   0 client connects (SSL_connect())
   0 client renegotiates (SSL_connect())
   0 client connects that finished
   0 server accepts (SSL_accept())
   0 server renegotiates (SSL_accept())
   0 server accepts that finished
   0 session cache hits
   0 session cache misses
   0 session cache timeouts
   0 callback cache hits
   0 cache full overflows (128 allowed)


 ldd ./openssl
linux-vdso.so.1 =>  (0x7fff6c9fd000)
libdl.so.2 => /lib64/libdl.so.2 (0x003fc220)
libpthread.so.0 => /lib64/libpthread.so.0 (0x003fc2a0)
libc.so.6 => /lib64/libc.so.6 (0x003fc1e0)
/lib64/ld-linux-x86-64.so.2 (0x003fc160)

Could we know how to make it work?

Best Regards,
Chakrapani


Re: [openssl-users] Chinese remainder algorithm

2018-08-01 Thread Thulasi Goriparthi
Hello Jan,

Decide on what your public exponent (e) should be, and either use
RSA_X931_derive_ex() if you are using an older openssl which supports
this function, or follow rsa_builtin_keygen() from crypto/rsa/rsa_gen.c
on how to derive the private exponent (d) and modulus (n).

By the way, technically, you do not need the private exponent (d) for
signing, as you already have the CRT components.

What is the function that complained about missing d?

Thanks,
Thulasi.

On 31 July 2018 at 16:19, Jan Bilek  wrote:
> Hi all,
>
> I need to reconstruct public and private keys for data signing operation
> from p, q, dmp1, dmq1 and iqmp. When I fill values in as per below then
> OpenSSL complains about missing d.
>
> RSA* pkey = RSA_new();
> pkey->n = NULL;
> pkey->e = NULL;
> pkey->d = NULL;
>
> pkey->p= BN_bin2bn(secureP.data(), secureP.size(), NULL);
> pkey->q= BN_bin2bn(secureQ.data(), secureQ.size(), NULL);
> pkey->dmp1 = BN_bin2bn(secureDmp1.data(), secureDmp1.size(), NULL);
> pkey->dmq1 = BN_bin2bn(secureDmq1.data(), secureDmq1.size(), NULL);
> pkey->iqmp = BN_bin2bn(secureIqmp.data(), secureIqmp.size(), NULL);
>
> I did my homework on Google/Stackoverflow/OpenSSL docu, but I haven't been
> able to find any good way to do this, while it is obvious that openssl
> needs to know this by default for its internals.
> Would you have any hint on where next with this?
>
> Thank you,
> Jan
>


Re: [openssl-users] openssl-1.1.1 make test error on Red Hat Enterprise Linux 6.1.

2018-08-01 Thread Matt Caswell
Please can you submit this problem as a github issue:

https://github.com/openssl/openssl/issues

Thanks

Matt

On 01/08/18 09:14, 市來敏 / ICHIKI,BIN wrote:
> Hello, everyone. My name is Bin Ichiki.
> 
> I'm trying to install openssl-1.1.1-pre8 on Red Hat Enterprise Linux 
> 6.1(RHEL6.1).
> 
> But when I ran “make test”, the test failed with the following log:
> 
> Test Summary Report
> ---
> ../test/recipes/04-test_err.t(Wstat: 256 Tests: 1 Failed: 1)
>   Failed test:  1
>   Non-zero exit status: 1
> Files=148, Tests=1340, 270 wallclock secs ( 1.70 usr  0.17 sys + 239.19 cusr 
> 20.62 csys = 261.68 CPU)
> Result: FAIL
> 
> 
> I think that if errno is changed to something other than EINVAL after the
> function ERR_get_error is executed, this test will fail.
> 
> Therefore I investigated the place where errno is changed.
> 
> The following is a backtrace from the process that changed errno.
> 
> 
> (gdb) bt
> #0  0x0081b505 in __xpg_strerror_r () from /lib/libc.so.6
> #1  0x002e2ec0 in openssl_strerror_r (errnum=11, buf=0x3d4d00 "", buflen=32) at crypto/o_str.c:234
> #2  0x002b0460 in build_SYS_str_reasons () at crypto/err/err.c:217
> #3  0x002b07a5 in ERR_load_ERR_strings () at crypto/err/err.c:327
> #4  0x002b1ba3 in err_load_crypto_strings_int () at crypto/err/err_all.c:46
> #5  0x002d2fcc in ossl_init_load_crypto_strings () at crypto/init.c:182
> #6  0x002d2fa2 in ossl_init_load_crypto_strings_ossl_ () at crypto/init.c:170
> #7  0x003e3920 in pthread_once () from /lib/libpthread.so.0
> #8  0x0033597b in CRYPTO_THREAD_run_once (once=0x3d5cc4, init=0x2d2f8b ) at crypto/threads_pthread.c:113
> #9  0x002d36b6 in OPENSSL_init_crypto (opts=2, settings=0x0) at crypto/init.c:584
> #10 0x002b156b in ERR_get_state () at crypto/err/err.c:702
> #11 0x002b0d95 in get_error_values (inc=1, top=0, file=0x0, line=0x0, data=0x0, flags=0x0) at crypto/err/err.c:483
> #12 0x002b0ba7 in ERR_get_error () at crypto/err/err.c:429
> 
> 
> The version of glibc in RHEL6 is 2.12.
> 
> The strerror_r function (XSI-compliant) in glibc 2.12 changes errno.
> 
> When the errnum parameter is 11, the error description string is "Resource
> temporarily unavailable".
> 
> The space needed for this string is 33 bytes, but the buflen parameter is 32.
> The buffer is insufficient.
> 
> So errno is set to ERANGE and 04-test_err.t fails.
> 
> Will this problem be fixed before OpenSSL 1.1.1 is released?
> 
> 
> Thank you.
> 


[openssl-users] Java Snippet output is not equal to command line openssl command output , Why ?

2018-08-01 Thread timmy pony
Hi,

Could some openssl expert please advise  ?

Trying to get the equivalent Openssl command-line version of the following
java snippet.

I have tried this  openssl dgst -sha256 -sign my_private.key -out
/tmp/sign.sha256 codeTosign.txt

But the results do not match.

From: "tim.fortinbras"
To: openssl-users@openssl.org
Date: Tue, 31 Jul 2018 06:48:59 -0700 (MST)
Subject: Looking for exact openssl commands to do the following from command line ?

```java
import java.security.KeyFactory;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class SHA256RSA {

    public static void main(String[] args) throws Exception {
        String input = "sample input";

        // Not a real private key! Replace with your private key!
        String strPk = "-----BEGIN PRIVATE KEY-----\nMIIEvwIBADANBgkqhkiG9"
                + "w0BAQEFAASCBKkwggSlAgEAAoIBAQDJUGqaRB11KjxQ\nKHDeG"
                + ""
                + "Ldt0hAPNl4QKYWCfJm\nNf7Afqaa/RZq0+y/36v83NGENQ==\n"
                + "-----END PRIVATE KEY-----\n";

        String base64Signature = signSHA256RSA(input, strPk);
        System.out.println("Signature=" + base64Signature);
    }

    // Create base64 encoded signature using SHA256/RSA.
    private static String signSHA256RSA(String input, String strPk) throws Exception {
        // Remove markers and new line characters in private key
        String realPK = strPk.replaceAll("-----END PRIVATE KEY-----", "")
                .replaceAll("-----BEGIN PRIVATE KEY-----", "")
                .replaceAll("\n", "");

        byte[] b1 = Base64.getDecoder().decode(realPK);
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(b1);
        KeyFactory kf = KeyFactory.getInstance("RSA");

        Signature privateSignature = Signature.getInstance("SHA256withRSA");
        privateSignature.initSign(kf.generatePrivate(spec));
        privateSignature.update(input.getBytes("UTF-8"));
        byte[] s = privateSignature.sign();
        return Base64.getEncoder().encodeToString(s);
    }
}
```


[openssl-users] openssl-1.1.1 make test error on Red Hat Enterprise Linux 6.1.

2018-08-01 Thread 市來敏 / ICHIKI,BIN
Hello, everyone. My name is Bin Ichiki.

I'm trying to install openssl-1.1.1-pre8 on Red Hat Enterprise Linux 
6.1(RHEL6.1).

But when I ran “make test”, the test failed with the following log:

Test Summary Report
---
../test/recipes/04-test_err.t(Wstat: 256 Tests: 1 Failed: 1)
  Failed test:  1
  Non-zero exit status: 1
Files=148, Tests=1340, 270 wallclock secs ( 1.70 usr  0.17 sys + 239.19 cusr 
20.62 csys = 261.68 CPU)
Result: FAIL


I think that if errno is changed to something other than EINVAL after the
function ERR_get_error is executed, this test will fail.

Therefore I investigated the place where errno is changed.

The following is a backtrace from the process that changed errno.


(gdb) bt
#0  0x0081b505 in __xpg_strerror_r () from /lib/libc.so.6
#1  0x002e2ec0 in openssl_strerror_r (errnum=11, buf=0x3d4d00 "", buflen=32) at crypto/o_str.c:234
#2  0x002b0460 in build_SYS_str_reasons () at crypto/err/err.c:217
#3  0x002b07a5 in ERR_load_ERR_strings () at crypto/err/err.c:327
#4  0x002b1ba3 in err_load_crypto_strings_int () at crypto/err/err_all.c:46
#5  0x002d2fcc in ossl_init_load_crypto_strings () at crypto/init.c:182
#6  0x002d2fa2 in ossl_init_load_crypto_strings_ossl_ () at crypto/init.c:170
#7  0x003e3920 in pthread_once () from /lib/libpthread.so.0
#8  0x0033597b in CRYPTO_THREAD_run_once (once=0x3d5cc4, init=0x2d2f8b ) at crypto/threads_pthread.c:113
#9  0x002d36b6 in OPENSSL_init_crypto (opts=2, settings=0x0) at crypto/init.c:584
#10 0x002b156b in ERR_get_state () at crypto/err/err.c:702
#11 0x002b0d95 in get_error_values (inc=1, top=0, file=0x0, line=0x0, data=0x0, flags=0x0) at crypto/err/err.c:483
#12 0x002b0ba7 in ERR_get_error () at crypto/err/err.c:429


The version of glibc in RHEL6 is 2.12.

The strerror_r function (XSI-compliant) in glibc 2.12 changes errno.

When the errnum parameter is 11, the error description string is "Resource
temporarily unavailable".

The space needed for this string is 33 bytes, but the buflen parameter is 32.
The buffer is insufficient.

So errno is set to ERANGE and 04-test_err.t fails.

Will this problem be fixed before OpenSSL 1.1.1 is released?


Thank you.



[openssl-users] unknown cipher?

2018-08-01 Thread Henderson, Karl
Hi All,

I’m a bit confused. We’re trying to get some numbers on the relative efficiency
of different cipher algorithms using the openssl tool.

When I type:

openssl ciphers -tls1_3 -stdname -V

I see this as one of the results:


  0x13,0x02 - TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD

However, when I try to do a speed test on this algorithm


openssl speed -evp TLS_AES_256_GCM_SHA384

speed: TLS_AES_256_GCM_SHA384 is an unknown cipher or digest

What am I missing?

Thanks,
Karl


Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-08-01 Thread Jakob Bohm

On 31/07/2018 01:10, Jordan Brown wrote:
> On 7/30/2018 12:27 PM, Viktor Dukhovni wrote:
>> The only time such "leaks" come into play is process exit and library
>> unload.
>
> Process exit is not the only time that libraries get unloaded.  I
> don't happen to remember any details, but I know we've had problems
> with libraries that got unloaded because they were dependencies of
> other shared objects that are intended to be used on a "load, call,
> unload" basis.


And *this* is the reason why having a common library like OpenSSL
or libc refuse to get unloaded on the fly is such a horrible idea.
I still recall the problems when (decades ago) Borland added such
anti-unload code to some of their compiler-bundled libraries.

There are processes that naturally run for a lot longer than the
library-format plugins inside them, and it is highly valuable to
end users to be able to upgrade those plugins on the fly without
restarting the long-lived container, with all the other state it
holds.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Chinese remainder algorithm

2018-08-01 Thread Jan Bilek
Hi all,

I need to reconstruct public and private keys for data signing operation
from p, q, dmp1, dmq1 and iqmp. When I fill values in as per below then
OpenSSL complains about missing d.

RSA* pkey = RSA_new();
pkey->n = NULL;
pkey->e = NULL;
pkey->d = NULL;

pkey->p= BN_bin2bn(secureP.data(), secureP.size(), NULL);
pkey->q= BN_bin2bn(secureQ.data(), secureQ.size(), NULL);
pkey->dmp1 = BN_bin2bn(secureDmp1.data(), secureDmp1.size(), NULL);
pkey->dmq1 = BN_bin2bn(secureDmq1.data(), secureDmq1.size(), NULL);
pkey->iqmp = BN_bin2bn(secureIqmp.data(), secureIqmp.size(), NULL);

I did my homework on Google/Stackoverflow/OpenSSL docu, but I haven't been
able to find any good way to do this, while it is obvious that openssl
needs to know this by default for its internals.
Would you have any hint on where next with this?

Thank you,
Jan
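As an added example (not code from this thread), the arithmetic behind Jan's question and Thulasi's reply, in Python: given p, q, dmp1, dmq1 and iqmp plus a chosen public exponent e, check that the CRT components are consistent with e, derive the n and d that OpenSSL complained were missing, and sign using only the CRT values. The two Mersenne primes, the message value and the raw (unpadded) private operation are constructed for illustration; real keys use ~1024-bit primes and a padding scheme.

```python
from math import gcd

# Constructed inputs: two Mersenne primes stand in for real RSA primes so the
# arithmetic is checkable by hand; real keys use ~1024-bit primes.
P = (1 << 61) - 1        # 2^61 - 1, a known prime
Q = (1 << 89) - 1        # 2^89 - 1, a known prime
E = 65537

def lcm(a, b):
    return a // gcd(a, b) * b

def derive_crt_params(p, q, e):
    """What a key generator does: from p, q and e derive d and the CRT values
    dmp1 = d mod (p-1), dmq1 = d mod (q-1), iqmp = q^-1 mod p."""
    if gcd(e, p - 1) != 1 or gcd(e, q - 1) != 1:
        raise ValueError("e must be invertible modulo p-1 and q-1")
    d = pow(e, -1, lcm(p - 1, q - 1))       # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "dmp1": d % (p - 1),
            "dmq1": d % (q - 1), "iqmp": pow(q, -1, p)}

def reconstruct_rsa_key(p, q, dmp1, dmq1, iqmp, e=65537):
    """Jan's case: only the CRT components are known. Check that the chosen e
    matches them (this also catches swapped or corrupted components), then
    derive n and d so every field OpenSSL expects can be filled in."""
    if e * dmp1 % (p - 1) != 1:
        raise ValueError("dmp1 is not the inverse of e modulo p-1")
    if e * dmq1 % (q - 1) != 1:
        raise ValueError("dmq1 is not the inverse of e modulo q-1")
    if q * iqmp % p != 1:
        raise ValueError("iqmp is not the inverse of q modulo p")
    d = pow(e, -1, lcm(p - 1, q - 1))
    return {"n": p * q, "e": e, "d": d, "dmp1": dmp1, "dmq1": dmq1, "iqmp": iqmp}

def sign_crt(m, p, q, dmp1, dmq1, iqmp):
    """Raw (unpadded) private operation from the CRT components alone, via Garner
    recombination: Thulasi's point that d itself is not needed to sign."""
    if not 0 <= m < p * q:
        raise ValueError("message representative out of range")
    m1 = pow(m, dmp1, p)
    m2 = pow(m, dmq1, q)
    h = iqmp * (m1 - m2) % p
    return m2 + h * q

if __name__ == "__main__":
    params = derive_crt_params(P, Q, E)
    key = reconstruct_rsa_key(P, Q, params["dmp1"], params["dmq1"], params["iqmp"], E)
    sig = sign_crt(0x1234567890ABCDEF, P, Q, key["dmp1"], key["dmq1"], key["iqmp"])
    print("d recovered:", key["d"] == params["d"])
    print("signature verifies with (n, e):", pow(sig, E, key["n"]) == 0x1234567890ABCDEF)
```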


[openssl-users] Shutdown details

2018-08-01 Thread Alex H
Hi,

I have trouble understanding the details of TLS shutdown. I get the basics
but,

Is it possible to receive data after calling SSL_shutdown? Reading the
specs and docs leaves this rather blurry.

That is, after sending a close_notify, can I receive data before getting my
client_notify response?

The source of SSL_write checks for the SSL_SENT_SHUTDOWN state and returns
with an error if it is set, but does not check for SSL_RECEIVED_SHUTDOWN. This
indicates that somehow I'm allowed to still send data after receiving a
close_notify?


Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Christian Böhme
On 30.07.2018 20:12, Michael Wojcik wrote:

>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
>> Jordan Brown
>> Sent: Monday, July 30, 2018 10:46
[…]
> FWIW, SUS Issue 5 defines RLIMIT_AS as applying to both malloc and mmap, but
> RLIMIT_DATA as applying only to malloc. (That is, mmap'd pages do not count
> against the data limit.)

mmap(), by definition, populates the process' virtual address space, and if
that is limited in size, artificially or not, then the call is going to fail,
eventually.

>> If you're a 32-bit process, then malloc'ing or mmap'ing a 2GB object will be
>> difficult at best.
> 
> Agreed. And I'm not endorsing the mmap approach for this problem anyway - I'd
> use a streaming approach, so I'm not limited by address space.

Let's look at the following message that was produced by symmetrically
encrypting 757 plaintext octets using the Camellia cipher in CBC mode with a
256 bit key derived from a passphrase:

$ cat ciphertext.pem | openssl asn1parse -i -inform PEM
    0:d=0  hl=4 l= 978 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-envelopedData
   15:d=1  hl=4 l= 963 cons:  cont [ 0 ]
   19:d=2  hl=4 l= 959 cons:   SEQUENCE
   23:d=3  hl=2 l=   1 prim:    INTEGER           :03
   26:d=3  hl=3 l= 133 cons:    SET
   29:d=4  hl=3 l= 130 cons:     cont [ 3 ]
   32:d=5  hl=2 l=   1 prim:      INTEGER           :00
   35:d=5  hl=2 l=  27 cons:      cont [ 0 ]
   37:d=6  hl=2 l=   9 prim:       OBJECT            :PBKDF2
   48:d=6  hl=2 l=  14 cons:       SEQUENCE
   50:d=7  hl=2 l=   8 prim:        OCTET STRING      [HEX DUMP]:948BAC4CEDB23DE2
   60:d=7  hl=2 l=   2 prim:        INTEGER           :0800
   64:d=5  hl=2 l=  46 cons:      SEQUENCE
   66:d=6  hl=2 l=  11 prim:       OBJECT            :id-alg-PWRI-KEK
   79:d=6  hl=2 l=  31 cons:       SEQUENCE
   81:d=7  hl=2 l=  11 prim:        OBJECT            :camellia-256-cbc
   94:d=7  hl=2 l=  16 prim:        OCTET STRING      [HEX DUMP]:D7A2F88C99A1881C1B8B6AA9E2BDD002
  112:d=5  hl=2 l=  48 prim:      OCTET STRING      [HEX DUMP]:445771F0EA6BAA64CAF35BFC2DA546845C…
  162:d=3  hl=4 l= 816 cons:    SEQUENCE
  166:d=4  hl=2 l=   9 prim:     OBJECT            :pkcs7-data
  177:d=4  hl=2 l=  31 cons:     SEQUENCE
  179:d=5  hl=2 l=  11 prim:      OBJECT            :camellia-256-cbc
  192:d=5  hl=2 l=  16 prim:      OCTET STRING      [HEX DUMP]:4F8DAFF8EE165FD78C35A644735CD082
  210:d=4  hl=4 l= 768 prim:     cont [ 0 ]

This structure, if held in a regular file, can be processed quite non-linearly,
and without mmap()'ing its entire contents.  The only parts that are going to
grow as the plaintext grows are the ciphertext (index 192 above) and, to a
lesser extent, the ones that depend on key sizes in the recipientInfos and the
length components.  Once the overall structure of the message is understood,
sequential processing of the ciphertext should pose no problem, whichever way
it is implemented.

The pure streaming approach may be appropriate for file descriptors that are not
seekable, like sockets, pipes, tty ends etc., whereas with regular files, random
access schemes using either pread(v)(2) or lseek(2) in combination with
read(v)(2) can be employed.  Portability is certainly an issue, but isn't
that what the configure scripts are there to figure out?

I also do not quite get why CMS should not lend itself to "large" data, given
the above.  It would seem that the whole point of the definite TLV structures is
to be able to learn the type and size requirements of the data to come in the
stream /before/ processing it, allowing the "processor" to take appropriate
measures, and not necessarily in RAM alone.


Thanks,
Christian

-- 
*Christian Böhme*

Developer System Integration

CLOUD

*CLOUD & HEAT Technologies GmbH*
Königsbrücker Str. 96 (Halle 15) | 01099 Dresden
Tel: +49 351 479 3670 - 100
Fax: +49 351 479 3670 - 110
E-Mail: christian.boe...@cloudandheat.com 

Web: https://www.cloudandheat.com 

Handelsregister: Amtsgericht Dresden
Registernummer: HRB 30549
USt.-Ident.-Nr.: DE281093504
Geschäftsführer: Nicolas Röhrs






Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-08-01 Thread Jakob Bohm

On 30/07/2018 20:07, Viktor Dukhovni wrote:
>> On Jul 30, 2018, at 12:46 PM, Jordan Brown wrote:
>>
>> If you can't malloc the space, you probably can't mmap it either.  I have never
>> heard of a malloc implementation that has artificial limits; if it's failing
>> it's because it can't find that much contiguous virtual address space, and mmap
>> won't be able to find it either.
>>
>> If you're a 32-bit process, then malloc'ing or mmap'ing a 2GB object will be
>> difficult at best.
>
> Getting out of the weeds, the core issue is that CMS message input processing
> doesn't stream.  The entire CMS message has to fit into memory.  A different
> data format is required for streaming large payloads.  The data would need
> to be chunked with integrity protection and protection applied to each
> chunk (packet) and appropriate sequence number integrity in place to
> prevent reordering, insertion or deletion of chunks.
>
> CMS works fine for small messages, and could even be used to construct
> the integrity-protected chunks in a higher-level protocol.  CMS is
> not appropriate for multi-gigabyte or terabyte, ... datasets.


Actually, the CMS format itself is clearly designed for streamed decoding.

For example, it requires the AlgorithmIdentifier of the hash algorithm(s)
to precede the signed data, so a streaming implementation can set up the
input hashing before knowing the full specification of the signature
algorithm(s).

A streaming encoder will often need to use the indefinite BER encoding of
some of the outer length fields to cope with unknown input length and
variably sized fields after the data.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

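As an added example (not code from this thread), a header-only BER/DER walk in Python that serves both Christian's asn1parse walkthrough and Jakob's note on indefinite-length encoding above: it records the same offset/depth/header-length/length view that asn1parse -i prints, seeks over primitive content instead of reading it (so the encryptedContent is located by byte extent, never loaded), and accepts both definite lengths and the indefinite form (length byte 0x80 closed by a 00 00 end-of-contents) with the ciphertext chunked into OCTET STRINGs, as a streaming encoder emits it. The sample messages, zero IV, abbreviated recipientInfos and 768 stand-in ciphertext bytes are constructed here; the OIDs are the real pkcs7-envelopedData, pkcs7-data and camellia-256-cbc identifiers. Tags of 31 and above (high tag-number form) are not handled.

```python
import io
from collections import namedtuple
from itertools import takewhile

Node = namedtuple("Node", "offset depth hl length constructed tag")  # length None = indefinite

def read_header(f):
    """Tag + length at the current position (tags >= 31 are not supported)."""
    start, t, lb = f.tell(), f.read(1), f.read(1)
    if len(t + lb) < 2 or t[0] & 0x1F == 0x1F:
        raise ValueError("truncated or unsupported tag at %d" % start)
    tag = t[0]
    if lb[0] == 0x80 and tag & 0x20:        # indefinite form, closed by an 00 00 EOC
        length = None
    elif lb[0] & 0x80:                      # long form: the next n bytes carry the length
        n, raw = lb[0] & 0x7F, f.read(lb[0] & 0x7F)
        if not 0 < n <= 8 or len(raw) != n:
            raise ValueError("bad length-of-length at %d" % start)
        length = int.from_bytes(raw, "big")
    else:
        length = lb[0]
    return Node(start, 0, f.tell() - start, length, bool(tag & 0x20), tag)

def walk(f, end, depth=0, out=None):
    """List elements as 'asn1parse -i' does but seek over content; end=None: until EOC."""
    out = [] if out is None else out
    while end is None or f.tell() < end:
        h = read_header(f)
        if h.tag == 0 and h.length == 0:    # EOC closes an indefinite-length parent
            if end is not None:
                raise ValueError("stray end-of-contents at %d" % h.offset)
            return out
        out.append(h._replace(depth=depth))
        if h.constructed:
            walk(f, None if h.length is None else f.tell() + h.length, depth + 1, out)
        else:
            f.seek(h.length, 1)             # the content itself is never materialised
    if end is not None and f.tell() != end:
        raise ValueError("element overruns its enclosing length at %d" % f.tell())
    return out
def parse(data):
    return walk(io.BytesIO(data), len(data))
def ciphertext_extents(recs):
    """(offset, length) of the deepest [0], i.e. encryptedContent: the element itself
    for the definite form, its OCTET STRING chunks for the streaming form."""
    i, node = max(((i, r) for i, r in enumerate(recs) if r.tag in (0x80, 0xA0)),
                  key=lambda p: p[1].depth)
    if not node.constructed:
        return [(node.offset + node.hl, node.length)]
    kids = takewhile(lambda r: r.depth > node.depth, recs[i + 1:])
    return [(r.offset + r.hl, r.length) for r in kids
            if r.depth == node.depth + 1 and r.tag == 0x04]

def tlv(tag, body):                         # DER definite-length encoder for the samples
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

# Constructed sample: real OIDs (envelopedData, pkcs7-data, camellia-256-cbc), zero IV,
# abbreviated recipientInfos, 768 stand-in ciphertext bytes.
OID_ENVELOPED = tlv(0x06, bytes.fromhex("2A864886F70D010703"))
CIPHERTEXT = bytes(range(256)) * 3
ECI_HEAD = tlv(0x06, bytes.fromhex("2A864886F70D010701")) + tlv(
    0x30, tlv(0x06, bytes.fromhex("2A83088C9A4B3D01010104")) + tlv(0x04, bytes(16)))
ENV_HEAD = tlv(0x02, b"\x03") + tlv(0x31, tlv(0xA3, tlv(0x02, b"\x00")))
def sample(streaming=False):
    """Definite-length EnvelopedData, or the streaming form: indefinite lengths
    and the ciphertext as OCTET STRING chunks under a constructed [0]."""
    if not streaming:
        env = tlv(0x30, ENV_HEAD + tlv(0x30, ECI_HEAD + tlv(0x80, CIPHERTEXT)))
        return tlv(0x30, OID_ENVELOPED + tlv(0xA0, env))
    eoc, chunks = b"\x00\x00", tlv(0x04, CIPHERTEXT[:512]) + tlv(0x04, CIPHERTEXT[512:])
    eci = b"\x30\x80" + ECI_HEAD + b"\xA0\x80" + chunks + eoc + eoc
    env = b"\x30\x80" + ENV_HEAD + eci + eoc
    return b"\x30\x80" + OID_ENVELOPED + b"\xA0\x80" + env + eoc + eoc
```

On a real file, replace io.BytesIO with the opened file: only headers are read and every seek is relative, so the ciphertext extent can be handed to a sequential decryptor without the message ever being mapped or loaded whole.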


Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-08-01 Thread Matt Caswell


On 30/07/18 19:08, Marty G wrote:
> On 07/30/2018 01:27 PM, Salz, Rich via openssl-users wrote:
> 
>> > I never thought I'd see the day that someone would have to defend
>> not leaking memory in pivotal security code like openssl however
>>
>> To be accurate, it was a couple of people saying that memory leaks *on
>> process exit* aren't a big deal.
>>
> Fair enough, but it is my understanding that some RTOSes do not
> necessarily dealloc all memory alloc'd by a proc on proc exit.  So why
> not just have a rule "don't litter" instead of having complicated rules
> of when it is "probably ok to litter"?  Exploits nearly always leverage
> something programmers didn't anticipate or happens in a layer they are
> relying on but not directly coding so it seems fairly clear that the
> best path is to reduce those unknowns by explicitly cleaning up.  Taking
> the time to track down a memory leak rarely results in merely fixing a
> memory leak; usually another programming misstep is also found in
> conjunction with the leak.  Just my $0.02
> 
> 

To be clear, I can only think of one leak that we have at process exit
(well, technically it's two instances of the same thing). And that leak is
not the result of a *mistake*. It is a deliberate design decision to
work around a problem on some platforms (i.e. anything that isn't
Windows, Linux or Solaris, IIRC). See:

https://github.com/openssl/openssl/blob/43a0f2733a943799060ea275516fcce00d89eb38/crypto/init.c#L145-L168

https://github.com/openssl/openssl/blob/43a0f2733a943799060ea275516fcce00d89eb38/crypto/init.c#L720-L739


Any other leaks should hopefully be being caught by our mem leak testing.

Matt