Re: [openssl-users] Two questions on OpenSSL EVP API

2018-12-18 Thread Paul Smith
On Wed, 2018-12-19 at 08:57 +0300, Dmitry Belyavsky wrote:
> > I would have thought that the true maximum would be round-up(inl,
> > cipher_block_size); that is, for inl values 1-15 you'd get 16
> > bytes, and for inl values 16-31 you'd get 32 bytes, etc. (I'm not
> > actually sure whether inl of 16 gets you 16 or 32 bytes...)
> > 
> > Am I wrong about that?  Would some ciphers/modes write beyond the
> > end of the current "block" and into the next one?
> 
> When you use a block cipher and pass data less than block size, it is
> stored in the internal buffer.  In this case you do not get encrypted
> data until there is enough plain text to encrypt the full block.
> 
> When you add more data, if you pass enough data to finalize a
> previously unfinished block, you get more ciphertext than plaintext
> passed in a particular call of CipherUpdate.

I see.  So you potentially need enough for an almost full previous
block, plus the current data.  That makes sense.

Thanks!

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] EVP_DecryptUpdate: why is this failing when out == in?

2018-12-18 Thread Paul Smith
As I understand it, it's legal to provide the exact same input and
output buffer to EVP_EncryptUpdate and EVP_DecryptUpdate, but it's not
legal to provide pointers into different parts of the same buffer. 
That's a good check.

However, my implementation is getting triggered by this code in
EVP_DecryptUpdate():

    if (ctx->final_used) {
        /* see comment about PTRDIFF_T comparison above */
=>      if (((PTRDIFF_T)out == (PTRDIFF_T)in)
            || is_partially_overlapping(out, in, b)) {
            EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
            return 0;
        }

Can someone explain why, only in this specific situation where we're
decrypting the final block, we require that OUT and IN not be the same
buffer?  Everywhere else we check is_partially_overlapping() only,
without equality.

I read the comment about PTRDIFF_T but I didn't come up with a reason
for the equality check.  This check was added back in 2016 in SHA
5fc77684f1 FWIW.



Re: [openssl-users] Two questions on OpenSSL EVP API

2018-12-18 Thread Dmitry Belyavsky
Hello Paul,

On Wed, Dec 19, 2018 at 6:02 AM Paul Smith wrote:

> Hi all; I'm working with OpenSSL 1.1.1a, using the EVP interface to
> encrypt/decrypt with various ciphers/modes.
>
> I had a couple of questions:
>
>
> First, the encrypt update docs say:
>
> > the amount of data written may be anything from zero bytes to
> > (inl + cipher_block_size - 1)
>
> Is that really true?  For example if my block size is 16 and my input
> length is 4, could the encrypt step really write as many as 19 bytes
> (4 + 16 - 1)?
>
> I would have thought that the true maximum would be round-up(inl,
> cipher_block_size); that is, for inl values 1-15 you'd get 16 bytes,
> and for inl values 16-31 you'd get 32 bytes, etc. (I'm not actually
> sure whether inl of 16 gets you 16 or 32 bytes...)
>
> Am I wrong about that?  Would some ciphers/modes write beyond the end
> of the current "block" and into the next one?
>

When you use a block cipher and pass data less than block size, it is
stored in the internal buffer.  In this case you do not get encrypted
data until there is enough plain text to encrypt the full block.

When you add more data, if you pass enough data to finalize a previously
unfinished block, you get more ciphertext than plaintext passed in a
particular call of CipherUpdate.


>
>
> Second, the type of the outl parameter on EVP encrypt update is "int",
> rather than (as I would have expected) "unsigned int".  Is there a
> possibility that EVP would set outl to a negative value and if so,
> what would that mean?  Do I need to check for this in my code?  Same
> with inl; why isn't it "unsigned int"?  Is there ever a reason to pass
> in a negative value?
>

I strongly suspect just historical reasons here.

-- 
SY, Dmitry Belyavsky
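The buffering Dmitry describes, and the held-back final block behind the EVP_DecryptUpdate check Paul asks about in the other thread, modelled in Python as an added illustration (not OpenSSL's code; the toy transform is a stand-in for the cipher, and `UpdateModel`, `outl_sequence` and `max_outl` are names chosen here):

```python
# Model of how EVP_EncryptUpdate / EVP_DecryptUpdate carry data between calls.
# Added illustration, NOT OpenSSL's code: a reversible toy transform stands in
# for the block cipher, so only the buffer handling and outl are modelled.

BS = 16  # cipher_block_size (AES); any bs > 1 works with the model


def toy_block(block: bytes) -> bytes:
    """Stand-in for one block-cipher call (no security at all): byte inversion."""
    return bytes(b ^ 0xFF for b in block)


class UpdateModel:
    def __init__(self, decrypt: bool = False, bs: int = BS):
        self.bs, self.decrypt = bs, decrypt
        self.buf = b""    # ctx->buf: partial block carried to the next call
        self.final = b""  # ctx->final: full block held back (decrypt + padding)

    def _core(self, data: bytes) -> bytes:
        # Fill the carried partial block first, transform every whole block,
        # keep the remainder.  Output length is always a multiple of bs.
        total = self.buf + data
        whole = len(total) - len(total) % self.bs
        self.buf = total[whole:]
        return b"".join(toy_block(total[i:i + self.bs])
                        for i in range(0, whole, self.bs))

    def update(self, data: bytes) -> bytes:
        """Bytes written to out for this call; len() of the result is outl."""
        if not self.decrypt:
            return self._core(data)
        # Decrypt with padding: a block held back by the previous call is
        # written to out *before* in is read (this is why the real code refuses
        # out == in once final_used is set), and if the data so far ends on a
        # block boundary the newest block is held back for DecryptFinal to unpad.
        out = self.final + self._core(data)
        if not self.buf and len(out) >= self.bs:
            out, self.final = out[:-self.bs], out[-self.bs:]
        else:
            self.final = b""
        return out


def outl_sequence(lengths, decrypt=False, bs=BS):
    """outl reported by successive Update calls fed `lengths` input bytes."""
    m = UpdateModel(decrypt, bs)
    return [len(m.update(bytes(n))) for n in lengths]


def max_outl(inl: int, bs: int = BS) -> int:
    """Largest outl one encrypt Update call with `inl` bytes can produce, over
    every amount of data that earlier calls may have left in ctx->buf."""
    best = 0
    for buffered in range(bs):
        m = UpdateModel(bs=bs)
        m.update(bytes(buffered))        # leaves `buffered` bytes in ctx->buf
        best = max(best, len(m.update(bytes(inl))))
    return best


if __name__ == "__main__":
    print(outl_sequence([4, 13]))               # [0, 16]: 16 bytes out for 13 in
    print(max_outl(4), "<=", 4 + BS - 1)        # 16 <= 19: documented bound is loose here
    print(outl_sequence([32, 16], decrypt=True))  # [16, 16]: decrypt lags one block
```

The documented bound inl + cipher_block_size - 1 is reached only when a full block minus one byte is already buffered and inl is one more than a block multiple; since each call writes whole blocks, an inl of 4 can never yield 19 bytes.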


[openssl-users] Two questions on OpenSSL EVP API

2018-12-18 Thread Paul Smith
Hi all; I'm working with OpenSSL 1.1.1a, using the EVP interface to
encrypt/decrypt with various ciphers/modes.

I had a couple of questions:


First, the encrypt update docs say:

> the amount of data written may be anything from zero bytes to
> (inl + cipher_block_size - 1)

Is that really true?  For example if my block size is 16 and my input
length is 4, could the encrypt step really write as many as 19 bytes
(4 + 16 - 1)?

I would have thought that the true maximum would be round-up(inl,
cipher_block_size); that is, for inl values 1-15 you'd get 16 bytes,
and for inl values 16-31 you'd get 32 bytes, etc. (I'm not actually
sure whether inl of 16 gets you 16 or 32 bytes...)

Am I wrong about that?  Would some ciphers/modes write beyond the end
of the current "block" and into the next one?


Second, the type of the outl parameter on EVP encrypt update is "int",
rather than (as I would have expected) "unsigned int".  Is there a
possibility that EVP would set outl to a negative value and if so,
what would that mean?  Do I need to check for this in my code?  Same
with inl; why isn't it "unsigned int"?  Is there ever a reason to pass
in a negative value?



Re: [openssl-users] Openssl async support

2018-12-18 Thread Paul Yang
Read this: https://www.openssl.org/docs/man1.1.0/crypto/ASYNC_start_job.html 


Usually async operations happen in engines when they need to talk to hardware,
but you can still utilize the async mechanism in pure software if you have the
scenario.

> On Dec 18, 2018, at 18:36, ASHIQUE CK wrote:
> 
> Hi all,
> 
> I truly understand that everyone might be busy with your work and didn't 
> find time to reply. That's okay, but in case you have accidentally forgotten to 
> reply, please accept this as a gentle reminder.
> 
> 
> 
> 
> 
> On Mon, Dec 17, 2018 at 6:11 PM ASHIQUE CK wrote:
> Hi all,
> 
>   I have some queries regarding OpenSSL async operation.
> 
> Current setup
> -
>   I have one OpenSSL dynamic engine (with RSA and AES-GCM support) and 
> linked it with Nginx server. Multiple WGET commands on the client side.
> 
> Current issue
> -
>   Since OpenSSL do_cipher call (the function in which actual AES-GCM 
> encryption/decryption happening) comes from one client at a time which is 
> reducing file downloading performance. So we need an asynchronous operation 
> in OpenSSL ie. we need multiple do_cipher calls at the same time from which 
> we should submit requests to HW without affecting the incoming requests and 
> should wait for HW output.
> 
> Queries
> 
>  1) Is there any other scheme for multiple do_cipher calls at a time?
>  2) Any method to enable asynchronous call from OpenSSL?   
> 
> Versions
> -
> Openssl - 1.1.0h
> Nginx 1.11.10
> Wget 1.17.1
> 
>  Kindly support me. Please inform me if any more inputs needed. Thanks in 
> advance.



[openssl-users] Support for CAdES Basic Electronic Signatures (CAdES-BES)

2018-12-18 Thread Antonio Iacono
Hi everyone,

the patch discussed in this pull request
https://github.com/openssl/openssl/pull/7893 adds support for adding ESS
signing-certificate[-v2] attributes to CMS signedData.
Although it implements only a small part of RFC 5126 - CMS Advanced
Electronic Signatures (CAdES), it is sufficient in many cases to enable
the openssl cms app to create signatures which comply with the legal
requirements of some European States (e.g. Italy).
Feedback is welcome,

thanks,
Antonio


Re: [openssl-users] FIPS module v3

2018-12-18 Thread Paul Dale
There are no committed dates of any kind at present.
The project is underway but it is too early to set a schedule, let alone a
completion date.


Pauli
-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia

From: Alibek Jorajev via openssl-users [mailto:openssl-users@openssl.org] 
Sent: Tuesday, 18 December 2018 8:10 PM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS module v3

Hi everyone,

I have been following the OpenSSL blog and know that work on the new OpenSSL FIPS 
module has started. The current FIPS module (v.2) has an end of life (December 2019) 
and I assume that the new FIPS module will be by that time.  But can someone tell 
me - are there approximate dates - will it be available earlier?

thanks,
Alibek




[openssl-users] Fwd: SSL_free Segmentation Fault

2018-12-18 Thread N Jain
Hi,

I am using OpenSSL for an ARM-based target and I have cross-compiled
OpenSSL v1.0.2l from sources with FIPS.
I have implemented a DTLSv1.2-based server using OpenSSL APIs and am able to
run it on my target.

The issue I am facing is that when there is a network failure I try to clean up
the current DTLS session but I always get a segmentation fault during SSL_free.
If I remove SSL_free the segmentation fault goes away, but I need to call it
in order to free up the SSL session memory.

While debugging further using GDB I found:

(gdb) bt
#0  0xb6e3cc10 in dtls1_get_record () from /usr/lib/libssl.so.1.0.0
#1  0xb6e3d928 in dtls1_read_bytes () from /usr/lib/libssl.so.1.0.0
#2  0xb6e28264 in ssl3_read () from /usr/lib/libssl.so.1.0.0
#3  0x000a7180 in ?? ()


Code snippet:

    SSL_set_shutdown(p_cinfo->m_pssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
    stat = SSL_shutdown(p_cinfo->m_pssl);
    switch (stat)
    {
        case 1:
            printf("Shutdown successful\n");
            break;
        case 0:
        case -1:
        default:
            printf("Error Shutting down \n");
            print_ssl_err(p_cinfo->m_pssl, stat);
    }
    SSL_free(p_cinfo->m_pssl);

Any clues for the above issue will be very helpful.

Also I would like to know how to identify the long-term release for the 1.0.2
series with most of the bug fixes, which I could use for my project.

Thanks
NJ


Re: [openssl-users] A script for hybrid encryption with openssl

2018-12-18 Thread Sam Roberts
On Tue, Dec 18, 2018 at 3:18 AM Nick wrote:

> I should add that I don't really care about the format, or even the use of 
> openssl - just the ability to tackle large files with the benefits of public 
> key encryption, in a self-contained way without needing fiddly work deploying 
> the keys (as GnuPG seems to require for its keyring, judging from my 
> experience deploying Backup-Ninja / Duplicity using Ansible.)

Maybe you should look at gpg directly, `gpg --symmetric` uses a
passphrase, which doesn't sound fiddly.


[openssl-users] does -subj suppress challenge Password prompt

2018-12-18 Thread Michael Richardson

From my colleague Peter.
Peter is attempting to generate a variety of CSR requests for use in
examples for an IETF ACE WG on coap-est.

Below is my problem:
The standard openssl.cnf file is attached.
The openssl version is 1.0.1f.

When I do the following shell script:

countryName="/C=US"
stateOrProvinceName="/ST=CA"
localityName="/L=Oak Park"
organizationName="/O=Example Inc"
organizationalUnitName="/OU=Acme"
emailAddress="/emailAddress=p...@example.com"
commonName="/CN=Root CA"
DN=$countryName$stateOrProvinceName$localityName
DN=$DN$organizationName$organizationalUnitName$commonName
echo $DN

{ above from Bob's PKI document}

openssl req -config ./openssl.cnf  \
-new -sha256 -key test.key -out test.csr
__

I get prompts for the subject names
Subject: C=au, ST=ddd, L=ddd, O=, OU=, CN=/emailAddress=a
and a prompt for challengePassword.

When I change openssl command to:
openssl req -config ./openssl.cnf \
-subj "$DN" \
-new -sha256 -key test.key -out test.csr

no more prompts, but the challengePassword has disappeared from the
attributes section.

How can I define the challengePassword while still using -subj?

thanks for an answer,

Peter

-- 
Peter van der Stok
vanderstok consultancy
mailto: consulta...@vanderstok.org, stokc...@bbhmail.nl
www: www.vanderstok.org
tel NL: +31(0)492474673 F: +33(0)966015248

Below is his openssl.cnf:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7


[ ca ]
default_ca      = CA_default            # The default ca section


[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything'

Re: [openssl-users] A script for hybrid encryption with openssl

2018-12-18 Thread Nick
On 17/12/2018 22:02, Jakob Bohm via openssl-users wrote:
> A simpler way is to realize that the formats used by SMIME/CMS (specifically
> the PKCS#7 formats) allow almost unlimited file size, and any 2GiB limit is
> probably an artifact of either the openssl command line tool or some of the
> underlying OpenSSL libraries.


Yes. I started using openssl's smime implementation, then backed out when I
realised there were indeed limits - apparently in the underlying libraries.

On decrypting I got the same kind of errors described in this bug report thread
(and elsewhere if you search, but this is the most recent discussion I could 
find).

"Attempting to decrypt/decode a large smime encoded file created with openssl
fails regardless of the amount of OS memory available".
https://mta.openssl.org/pipermail/openssl-dev/2016-August/008237.html

The key points are:

- streaming smime *encryption* has been implemented, but
- smime *decryption* is done in memory, consequently you can't decrypt
anything over 1.5G
- possibly this is related to the BUF_MEM structure's dependency on the size of
an int

There's an RT ticket but I could not log in to read this.  But it appears to
have been migrated to GitHub:

https://github.com/openssl/openssl/issues/2515

It's closed - I infer as "won't fix" (yet?) and this is still an issue as my
experience suggests, at least in the versions distributed for systems I will be
using.


I was using openssl 1.0.2g-1ubuntu4.14 (Xenial) and I've verified it with
openssl 1.1.0g-2ubuntu4.3 (Bionic, the latest LTS release from Ubuntu):

$ openssl version -a
OpenSSL 1.1.0g  2 Nov 2017
built on: reproducible build, date unspecified
platform: debian-amd64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM
-DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM
-DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\""
-DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-1.1\""
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"

$ dd if=/dev/zero of=sample.txt count=2M bs=1024
$ openssl req -x509 -nodes -newkey rsa:2048 -keyout
mysqldump-secure.priv.pem -out mysqldump-secure.pub.pem
$ openssl smime -encrypt -binary -text -aes256 -in sample.txt -out
sample.txt.enc -outform DER -stream mysqldump-secure.pub.pem
$ openssl smime -decrypt -binary -inkey mysqldump-secure.priv.pem -inform
DEM -in sample.txt.enc -out sample.txt.restored

Error reading S/MIME message
139742630175168:error:07069041:memory buffer
routines:BUF_MEM_grow_clean:malloc failure:../crypto/buffer/buffer.c:138:
139742630175168:error:0D06B041:asn1 encoding
routines:asn1_d2i_read_bio:malloc failure:../crypto/asn1/a_d2i_fp.c:191



> Anyway, setting up an alternative data format might be suitable if combined
> with other functionality requiring chunking, such as recovery from
> lost/corrupted data "blocks" (where each block is much much larger than
> a 1K "disk block"). 


I should add that I don't really care about the format, or even the use of
openssl - just the ability to tackle large files with the benefits of public key
encryption, in a self-contained way without needing fiddly work deploying the
keys (as GnuPG seems to require for its keyring, judging from my experience
deploying Backup-Ninja / Duplicity using Ansible.)  So other solutions, if tried
and tested, might work for me.

Cheers,


Nick



Re: [openssl-users] Openssl async support

2018-12-18 Thread ASHIQUE CK
Hi all,

I truly understand that everyone might be busy with your work and didn't
find time to reply. That's okay, but in case you have accidentally forgotten to
reply, please accept this as a gentle reminder.





On Mon, Dec 17, 2018 at 6:11 PM ASHIQUE CK wrote:

> Hi all,
>
> I have some queries regarding OpenSSL async operation.
>
> Current setup
> -
> I have one OpenSSL dynamic engine (with RSA and AES-GCM support) and
> linked it with Nginx server. Multiple WGET commands on the client
> side.
>
> Current issue
> -
>   Since OpenSSL do_cipher call (the function in which actual AES-GCM
> encryption/decryption happening) comes from one client at a time which is
> reducing file downloading performance. So we need an asynchronous
> operation in OpenSSL ie. we need multiple do_cipher calls at the same
> time from which we should submit requests to HW without affecting the
> incoming requests and should wait for HW output.
>
> Queries
> 
>  1) Is there any other scheme for multiple do_cipher calls at a time?
>  2) Any method to enable asynchronous call from OpenSSL?
>
> Versions
> -
> Openssl - 1.1.0h
> Nginx 1.11.10
> Wget 1.17.1
>
>  Kindly support me. Please inform me if any more inputs needed. Thanks in
> advance.
>


[openssl-users] FIPS module v3

2018-12-18 Thread Alibek Jorajev via openssl-users
Hi everyone,
I have been following the OpenSSL blog and know that work on the new OpenSSL FIPS 
module has started. The current FIPS module (v.2) has an end of life (December 2019) 
and I assume that the new FIPS module will be by that time.  But can someone tell 
me - are there approximate dates - will it be available earlier?
thanks,
Alibek


[openssl-users] Sending empty renegotiaion_info

2018-12-18 Thread Dmitry Belyavsky
Hello,

Is it possible to send empty renegotiation_info extension instead of
TLS_EMPTY_RENEGOTIATION_INFO_SCSV using openssl s_client?

If yes, is it possible to test secure renegotiation afterward?

Thank you!

-- 
SY, Dmitry Belyavsky