[openssl-users] OpenSSL v1.1.1 static library size reduction

2018-12-20 Thread prithiraj das
I am using OpenSSL 1.1.1 from OpenSSL's website and trying to build OpenSSL
on a Windows 64 bit machine using Perl 64 bit version and nasm v2.13.03. I
have used the *no-shared* option in the Perl Configure to only build the
static library and the resulting size of the *libcrypto.lib* file is almost
19 MB. The *.exe* file generated is 3173 KB. RSA functionality (keypair
generation, encryption, decryption) is what we all need and as per the
need, the goal is to reduce *libcrypto.lib* to less than 3 MB. Using the
generated .exe file is not an option.
Please suggest ways to reduce the libcrypto.lib size to less than 3 MB on
this 64 bit machine keeping only RSA functionality.
And, is it possible by any chance that the size of libcrypto.lib will be
smaller if OpenSSL is being built on a Windows 32 bit machine using a
Windows 32 bit configuration option VC-WIN32?

Thanks and Regards,
Prithiraj
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

2018-12-20 Thread Viktor Dukhovni

> On Dec 20, 2018, at 6:43 PM, Jeremy Harris  wrote:
> 
> Thanks for the hint. You are correct, and a clear before that set
> of crypto operations gets me a far more reasonable message.

Makes sense.

> The error seems to be left around after SSL_accept(), and yet
> it does not appear in my SNI callback.  Worse, my verify callback
> (which I expected to appear) does not seem to be being called.
> Yet the SSL_accept() succeeded.
> 
> Any ideas on that?

You provide much too little detail.  This particular "error"
happens when a TLS 1.2 ciphersuite does not correspond to any
public key type for which OpenSSL might have a certificate.

Perhaps another ciphersuite is then selected, as OpenSSL is trying
to find one that works?  Not all "errors" are actual problems, some
are resolved by taking an alternative code path.

Before beginning a new high-level operation in the SSL library it
is good to (at least periodically) clear the error stack.  Like
"errno" it is not cleared on function entry, and persists until
simply cleared or iteratively consumed for reporting.

-- 
Viktor.



Re: [openssl-users] EVP_DecryptUpdate: why is this failing when out == in?

2018-12-20 Thread Paul Smith
I filed https://github.com/openssl/openssl/issues/7941 about this FYI.

Cheers!


On Wed, 2018-12-19 at 01:56 -0500, Paul Smith wrote:
> As I understand it, it's legal to provide the exact same input and
> output buffer to EVP_EncryptUpdate and EVP_DecryptUpdate, but it's not
> legal to provide pointers into different parts of the same buffer. 
> That's a good check.
> 
> However, my implementation is getting triggered by this code in
> EVP_DecryptUpdate():
> 
>     if (ctx->final_used) {
>         /* see comment about PTRDIFF_T comparison above */
> =>      if (((PTRDIFF_T)out == (PTRDIFF_T)in)
>             || is_partially_overlapping(out, in, b)) {
>             EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
>             return 0;
>         }
> 
> Can someone explain why, only in this specific situation where we're
> decrypting the final block, we require that OUT and IN not be the same
> buffer?  Everywhere else we check is_partially_overlapping() only,
> without equality.
> 
> I read the comment about PTRDIFF_T but I didn't come up with a reason
> for the equality check.  This check was added back in 2016 in SHA
> 5fc77684f1 FWIW.



Re: [openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

2018-12-20 Thread Jeremy Harris
On 20/12/2018 17:16, Viktor Dukhovni wrote:
>> "14142044:SSL routines:SSL_GET_SERVER_CERT_INDEX:internal error"
> 
> This is an SSL library error in your error stack.  Likely left
> over from an earlier function call, with no ERR_clear_error()
> before the new call.

Thanks for the hint. You are correct, and a clear before that set
of crypto operations gets me a far more reasonable message.


The error seems to be left around after SSL_accept(), and yet
it does not appear in my SNI callback.  Worse, my verify callback
(which I expected to appear) does not seem to be being called.
Yet the SSL_accept() succeeded.

Any ideas on that?
-- 
Cheers,
  Jeremy


Re: [openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

2018-12-20 Thread Viktor Dukhovni
> On Dec 20, 2018, at 8:00 AM, Jeremy Harris  wrote:
> 
> Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
>  Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
> built on: reproducible build, date unspecified CentOS 7.6.181
> 
> "14142044:SSL routines:SSL_GET_SERVER_CERT_INDEX:internal error"

This is an SSL library error in your error stack.  Likely left
over from an earlier function call, with no ERR_clear_error()
before the new call.

> What is the meaning of this error return from EVP_PKEY_verify() ?

It is not a crypto library error, and so cannot be a result of
a call to EVP_PKEY_verify().  The function that reports that
error is not reachable from libcrypto.

> The term "CERT" implies certificate, but there isn't one involved
> here.

Perhaps clear your error stack and try again.

-- 
Viktor.



Re: [openssl-users] A script for hybrid encryption with openssl

2018-12-20 Thread Nick
On 18/12/2018 18:04, Sam Roberts wrote:
> Maybe you should look at gpg directly, `gpg --symmetric` uses a passphrase,
> which doesn't sound fiddly.

Unfortunately that doesn't do what I want: I'm after something using public key
encryption (asymmetric, or a hybrid). This is so I don't need to deploy the
decryption key on the server.


N


[openssl-users] SSL_GET_SERVER_CERT_INDEX:internal error

2018-12-20 Thread Jeremy Harris
Hi,

Library version: OpenSSL: Compile: OpenSSL 1.0.2k-fips  26 Jan 2017
                          Runtime: OpenSSL 1.0.2k-fips  26 Jan 2017
                          built on: reproducible build, date unspecified

CentOS 7.6.181

"14142044:SSL routines:SSL_GET_SERVER_CERT_INDEX:internal error"


What is the meaning of this error return from EVP_PKEY_verify() ?
The term "CERT" implies certificate, but there isn't one involved
here.
-- 
Thanks,
  Jeremy


[openssl-users] Celebrating 20 Years of OpenSSL

2018-12-20 Thread Mark J Cox
Just about 20 years ago we released the first OpenSSL, but that wasn't the
original name for the project.

Read more in the blog post at
https://www.openssl.org/blog/blog/2018/12/20/20years/

Regards, Mark J Cox