RE: Query regarding EVP_PKEY_CTX_set_cb
Hi Bala, > Can you please help to understand the use of the callback function that can > be set during key generation ? AFAI remember, nothing special except provide a way to show work is still running (using a progress bar for example) and a mechanism to cancel the generation if it lasts too long. "If the callback returns 0 then the key generation operation is aborted and an error occurs. This might occur during a time consuming operation where a user clicks on a "cancel" button". (from https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_CTX_set_cb.html) > Is EVP_PKEY_CTX_set_cb API replacement for the deprecated BN_GENCB_set_old No, BN_GENCB_set[...] is a similar mechanism but for Big Number / Prime (not *Key*) generation. (https://www.openssl.org/docs/man3.0/man3/BN_GENCB_set_old.html) Hope it helps, Regards, Michel.
Re: Cross-project request... looking for input on a rewrite of Asterisk's res_crypto.c module
On Tue, Mar 29, 2022 at 3:40 PM Philip Prindeville wrote: > > Hi, > > I'm trying to develop a newer replacement module for Asterisk's res_crypto > that is (for now) 1.1.x compatible but can be easily updated to 3.0 (and > maybe even easily add provider support for TPM escrowed secrets, etc). Just an FYI to see if you're aware of the tpm2 provider: https://github.com/tpm2-software/tpm2-openssl > > I'm collecting requirements before I get started. > > https://wiki.asterisk.org/wiki/pages/viewpage.action?pageId=49153311 > > The modules in Asterisk that use res_crypto are: > > func/func_aes.c > chan/chan_iax2.c > pbx/pbx_dundi.c > pbx/dundi-parser.c > > as well as any independent third-party modules (but I'm not aware of what > they might be). > > The code is rife with assumptions, such as only AES128 and RSA1024 are to be > used, that only AES-EBC chaining is used, and that it's safe to block-cipher > with RSA. Signing digests, RSA padding and AES ciphers are hard-coded. As > are buffer sizes. (So you see why a rewrite is needed...) > > This is the tip of the proverbial iceberg. > > Anyway, more eyes on the problem are always a good thing. Godspeed > > Thanks, > > -Philip > >
Re: KDF_TLS1_PRF for TLS v1.0 and v1.1
On 29/03/2022 23:49, Kory Hamzeh wrote: Hi, I am using the TLS1_PRF KDF method to derive the master secret for TLS 1.0, 1.1, and 1.2. My code works with TLS 1.2, but for 1.0 and 1.1, the master secret is not correct. I have a snippet of the code below. From what I understand by reading RFC 2246 and RFC 5246, the input to the PRF function is the same for all three versions of TLS. In my input test vectors, the digest is SHA-1 for TLS 1.0/1.1 and SHA-256 for TLS 1.2. However looking at: openssl-3.0.0-src/providers/implementations/kdfs/tls1_prf.c it looks like the method used to determine TLS version type is if the digest is SN_md5_sha1. I tried passing “MD5-SHA1” as the digest, and EVP_KDF_dereive() returned an error. You don't mention it in your question, but you code snippet mentions FIPS. Are you attempting to do this with the FIPS provider? The FIPS provider does not support the "MD5-SHA1" digest. Consequently you cannot support TLSv1.0 or TLSv1.1 with the FIPS provider. Only TLSv1.2. Matt What am I missing? Here os the code snippet: label = "master secret"; kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); kctx = EVP_KDF_CTX_new(kdf); p = params; *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)digest, strlen(digest)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, preMasterSecret, preMasterSecretLen); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, label, strlen(label)); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, clientHelloRand, clientHelloRandLen); *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, serverHelloRand, serverHelloRandLen); *p = OSSL_PARAM_construct_end(); if (EVP_KDF_derive(kctx, masterSecret, masterSecretLen, params) <= 0) { fips_fatal("ERROR: EVP_KDF_derive failed\n"); } Thanks, Kory
OpenSSL Memory Allocation Functions Issue
Hi All, Experienced an issue with Kamailio which presented with the below error tls_pre_init(): Unable to set the memory allocation functions I have two servers CentOS8 and RHEL8. CentOS8 runs as expected, RHEL8 shows the errors This forum suggested this was related to an OpenSSL issue https://lists.kamailio.org/pipermail/sr-users/2013-August/079381.html The below script was compiled and run as suggested in order confirm the OpenSSL was present #include #include static void *myMalloc( size_t s ) { return NULL; } static void *myRealloc( void *p, size_t s ) { return NULL; } static void myFree( void *p ) {} int main() { if ( !CRYPTO_set_mem_functions( myMalloc, myRealloc, myFree) ) { fprintf( stderr, "Unable to set the memory allocation functions\n"); return -1; } return 0; } The output on each system was different CentOS – nothing outputted RHEL – “Unable to set the memory allocation functions” Though versions of OpenSSL installed appeared the same yum info openssl-libs openssl | grep 'Packages\|Name\|Version' CentOS: Installed Packages Name : openssl Version : 1.1.1k Name : openssl-libs Version : 1.1.1k RHEL: Installed Packages Name : openssl Version : 1.1.1k Name : openssl-libs Version : 1.1.1k strings /usr/lib64/libcrypto.so | grep "^OpenSSL" Both systems have the same output Would someone be able to confirm what is going on here? Does the above script suggest a problem with the OpenSSL-Libs? Am I looking in the right places to confirm a difference between the two VMs? Thanks, Chris
Query regarding EVP_PKEY_CTX_set_cb
Hi All, Can you please help to understand the use of the callback function that can be set during key generation? 1> For ex: In the OpenSSL 3.0 code, the callback "genrsa_cb" is defined in the file "apps/genrsa.c" : What exactly is being done in this callback function? What does EVP_PKEY_CTX_get_keygen_info() return in this case during RSA key generation? static int genrsa_cb(EVP_PKEY_CTX *ctx) { char c = '*'; BIO *b = EVP_PKEY_CTX_get_app_data(ctx); int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); if (!verbose) return 1; if (p == 0) c = '.'; if (p == 1) c = '+'; if (p == 2) c = '*'; if (p == 3) c = '\n'; BIO_write(b, , 1); (void)BIO_flush(b); return 1; } What can be done in these callback functions? 2> Is EVP_PKEY_CTX_set_cb API replacement for the deprecated BN_GENCB_set_old in OpenSSL 3.0 code ? Thanks Bala