d2i_RSAPrivateKey not working with compiler optimization -O1
Hi All,

We upgraded our device to use OpenSSL 1.1.1k from OpenSSL 1.0.2h. The device is on an ARM processor. The embedded web server comes to the ready state with compiler optimization set to -O0. With -O1 we are seeing issues in d2i_RSAPrivateKey. I wrote a sample test program as below. The test program returns the output of i2d_RSAPrivateKey as 1190 with optimization value -O0 and 1157 with optimization value -O1. Has anyone faced this issue? Please let me know your thoughts and inputs.

Thanks and Regards,
Jayalakshmi

    #define FALSE 0
    #define ERROR -1
    #define SSL_MAX_KEY_LEN 16342

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/rsa.h>
    #include <openssl/x509.h>
    #include <openssl/err.h>

    /* Base64-decode dataLen bytes of base64Buf into decodeBuf (bufLen bytes).
     * Returns the number of decoded bytes, or ERROR. */
    int decodeBase64Data(char *base64Buf, char *decodeBuf, int dataLen, int bufLen, int newlineFlag)
    {
        BIO *bioBuf = NULL;
        BIO *base64BioBuf = NULL;
        int returnVal = ERROR;

        base64BioBuf = BIO_new(BIO_f_base64());
        if (base64BioBuf == NULL)
            return returnVal;
        if (newlineFlag == FALSE)
            BIO_set_flags(base64BioBuf, BIO_FLAGS_BASE64_NO_NL);

        bioBuf = BIO_new_mem_buf(base64Buf, dataLen);
        if (bioBuf == NULL) {
            returnVal = ERROR;
        } else {
            bioBuf = BIO_push(base64BioBuf, bioBuf);
            if (bioBuf != NULL) {
                memset(decodeBuf, 0x0, bufLen);
                dataLen = BIO_read(base64BioBuf, decodeBuf, bufLen);
                returnVal = dataLen;
            } else {
                returnVal = ERROR;
            }
        }
        BIO_free_all(base64BioBuf);
        return returnVal;
    }

    void testCertKey(void)
    {
        int IDkeyLen;
        unsigned char *certBuf = NULL;
        int certLen = 1624;                     /* length of the base64 text below */
        unsigned char *cert_copy = NULL;
        EVP_PKEY *evp_key = NULL;
        RSA *rsa = NULL;
        unsigned char *IDkey = (unsigned char *)malloc(SSL_MAX_KEY_LEN);

        certBuf = (unsigned char *)malloc(SSL_MAX_KEY_LEN);
        /* base64-encoded PKCS#1 private key; the key text is omitted in the archived post */
        strcpy((char *)certBuf, "...");

        IDkeyLen = decodeBase64Data((char *)certBuf, (char *)IDkey, certLen, SSL_MAX_KEY_LEN, FALSE);

        /* d2i_* advances the pointer it is handed, so decode through a copy */
        cert_copy = IDkey;
        evp_key = d2i_AutoPrivateKey(NULL, (const unsigned char **)&cert_copy, IDkeyLen);
        if (evp_key == NULL) {
            unsigned long e = ERR_get_error();  /* fetch once: each call pops the error queue */
            printf("OpenSSL11k %d, %lu, %s\n", IDkeyLen, e, ERR_error_string(e, NULL));
        } else {
            cert_copy = IDkey;
            rsa = EVP_PKEY_get1_RSA(evp_key);
            /* JEDI-11535 */
            IDkeyLen = i2d_RSAPrivateKey(rsa, &cert_copy);   /* re-encodes over IDkey, returns DER length */
            printf("OpenSSL11k: IDkeyLen %d %d \n", IDkeyLen, __LINE__);
            RSA_free(rsa);
            EVP_PKEY_free(evp_key);
        }
        free(certBuf);
        free(IDkey);
    }

    int main(void)
    {
        testCertKey();
        return 0;
    }
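As an added example (mine, not part of the original post and not OpenSSL code), here is a self-contained check that can be run on the decoded buffer on both sides of the d2i/i2d round trip above: it reads the outer SEQUENCE header of the DER and compares the total length that header claims with a length reported by some other code path. For a well-formed PKCS#1 key the byte count from base64 decoding, the header's own total, and the value i2d_RSAPrivateKey returns must all agree, so a build-dependent i2d result can be pinned to one side. Function names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes returned by der_total_length() (all negative). */
enum {
    DER_ERR_SHORT = -1,       /* buffer too short to hold the tag and length octets */
    DER_ERR_INDEFINITE = -2,  /* 0x80 length: indefinite form, forbidden in DER */
    DER_ERR_NONMINIMAL = -3,  /* long form where short form fits, or leading zero octet */
    DER_ERR_TOOLONG = -4,     /* multi-octet tag or length field wider than 4 octets */
    DER_ERR_TRUNCATED = -5    /* content runs past the end of the buffer */
};

/* Read the tag and length of the first TLV in buf (e.g. the outer SEQUENCE of
 * an RSAPrivateKey) and return the total encoded size, header plus content,
 * or a negative DER_ERR_* code. Only single-octet tags are handled. */
long der_total_length(const uint8_t *buf, size_t len)
{
    size_t pos = 1;   /* skip the tag octet */
    unsigned long content;

    if (len < 2)
        return DER_ERR_SHORT;
    if ((buf[0] & 0x1f) == 0x1f)
        return DER_ERR_TOOLONG;

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        content = first;                        /* short form: 0..127 */
    } else if (first == 0x80) {
        return DER_ERR_INDEFINITE;
    } else {
        size_t n = first & 0x7f;                /* number of length octets that follow */
        if (n > 4)
            return DER_ERR_TOOLONG;
        if (len < pos + n)
            return DER_ERR_SHORT;
        if (buf[pos] == 0)
            return DER_ERR_NONMINIMAL;          /* DER forbids leading zero octets */
        content = 0;
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[pos + i];
        if (content < 0x80)
            return DER_ERR_NONMINIMAL;          /* should have used the short form */
        pos += n;
    }
    if (content > len - pos)
        return DER_ERR_TRUNCATED;
    return (long)(pos + content);
}

/* 1 if a length reported elsewhere (the base64 decoder's byte count, the value
 * i2d_RSAPrivateKey() returned) agrees with what the DER header itself claims;
 * 0 on disagreement or if the header is malformed. */
int der_length_agrees(const uint8_t *buf, size_t len, long reported)
{
    long total = der_total_length(buf, len);
    return total >= 0 && total == reported;
}

/* Constructed samples (not real keys): a short-form SEQUENCE, a long-form
 * SEQUENCE with 130 content octets, and three malformed headers. */
const uint8_t SAMPLE_SHORT[]      = { 0x30, 0x03, 0x02, 0x01, 0x05 };
const uint8_t SAMPLE_LONG[133]    = { 0x30, 0x81, 0x82 };            /* rest zero */
const uint8_t SAMPLE_NONMINIMAL[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };
const uint8_t SAMPLE_INDEFINITE[] = { 0x30, 0x80, 0x00, 0x00 };
const uint8_t SAMPLE_TRUNCATED[]  = { 0x30, 0x05, 0x02, 0x01 };

int main(void)
{
    printf("SEQUENCE total length: %ld (buffer %zu)\n",
           der_total_length(SAMPLE_LONG, sizeof SAMPLE_LONG), sizeof SAMPLE_LONG);
    printf("reported 1157 agrees with header? %d\n",
           der_length_agrees(SAMPLE_LONG, sizeof SAMPLE_LONG, 1157));
    return 0;
}
```

In the test program above the same check would be applied to IDkey three times: against the count returned by decodeBase64Data, against what the header says, and against the value i2d_RSAPrivateKey returns under each optimization level. Whichever of the three disagrees with the DER header is the one to investigate.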
Getting error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Hi All,

We are trying to integrate OpenSSL 1.1.1i on our device, which runs on the ARM platform. The device boots to the ready state with OpenSSL 1.1.1i. However, when we try to access the device EWS, we get the error below:

    error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

We have confirmed that there are no issues with the certificate and private key by checking the certificate key hashes. Has anyone encountered this issue when the certificate and private key are properly installed? Any inputs are appreciated.

Thank you
Jayalakshmi
Compilation error using OpenSSL 1.1.1i
Hi All,

We are trying to compile OpenSSL 1.1.1i on our system. It is a hybrid system. The compiler is arm-gcc for WinCE 6.0, and the module that compiles openssl is on a VxWorks 5.0 abstraction. I am getting the error below. Does anyone have inputs? Any help would be appreciated.

    openssl/safestack.h(159) : error C2054: expected '(' to follow '__inline__'
    openssl/safestack.h(159) : error C2085: 'sk_OPENSSL_STRING_num' : not in formal parameter list

Regards,
Jaya
Question on RSA engine and Key strength
Hi All,

We are writing an RSA engine for the OpenSSL library to handle certificates up to 4096 bytes strength. We do support certificates up to 8k. How do we make the engine handle certificates only up to 4K and have the others handled by OpenSSL itself? Any help or inputs are appreciated.

Thanks and Regards,
Jayalakshmi
Query on engine support in OpenSSL 1.0.2h
Hi All,

We currently use OpenSSL 1.0.2h; we are in the process of upgrading to OpenSSL 1.1.1. To address some legacy functionality we are planning to write engines for OpenSSL 1.0.2h to offload crypto operations to external components. We have a few queries regarding the same:

1. Can we offload all crypto operations (Digest, Encryption/decryption, RSA, ECDSA, DRBG etc.) using Engines in OpenSSL 1.0.2h?
2. If not, is it a must to upgrade to OpenSSL 1.1.1 to achieve the same?

Regards,
Jayalakshmi
Re: [openssl-users] Building FIPS enabled OpenSSL fails in Yocto-ARM build
Hi All,

In addition to my previous mail, this is additional info:

    objdump -t libcrypto.so.1.0.0 | grep FIPS_signature
    001ad8b0 l     O .data  0014 FIPS_signature

    readelf -a libcrypto.so.1.0.0 | grep FIPS_signature
    11812: 001ad8b0    20 OBJECT  LOCAL  DEFAULT   23 FIPS_signature

Regards
Jayalakshmi

On Thu, May 3, 2018 at 7:39 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> Hi All,
>
> I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried using openssl-fips-2.0.13 and openssl-fips-2.0.4
>
> I am building FIPS externally with the below environmental settings
>
>     PATH=/yocto/gcc/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf/bin:$PATH
>     export PATH
>     export FIPS_SIG=/yocto/openssl-fips-2.0.4/util/incore
>     export MACHINE=armv71
>     export RELEASE=4.9.13
>     export SYSTEM=Linux
>     export ARCH=arm
>     export CROSS_COMPILE=arm-linux-gnueabihf-
>     export HOSTCC=gcc
>     export FIPSDIR=/yocto/meta/recipes-connectivity/openssl/fips2.0
>
> Build commands for FIPS library
>
>     ./config -mfloat-abi=hard
>     make
>     make install
>
> Then I am building OpenSSL 1.0.2h with the below environment settings
>
>     export FIPSDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0"
>     export FIPSLIBDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0/lib/"
>     export FIPS_SIG="/yocto/meta/recipes-connectivity/openssl/fips2.0/bin/incore"
>
> Build command to build OpenSSL.
>
>     perl ./Configure ${EXTRA_OECONF} fips shared --with-fipsdir=${FIPSDIR} --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target
>
> Build is successful, without any error. But when I try executing
>
>     export OPENSSL_FIPS=1
>     openssl -v
>
> I am getting
>
>     3069334736:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:244
>
> I am not understanding what could be going wrong. Any help is appreciated
>
> Regards
> Jayalakshmi

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Building FIPS enabled OpenSSL fails in Yocto-ARM build
Hi All,

I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried using openssl-fips-2.0.13 and openssl-fips-2.0.4

I am building FIPS externally with the below environmental settings

    PATH=/yocto/gcc/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf/bin:$PATH
    export PATH
    export FIPS_SIG=/yocto/openssl-fips-2.0.4/util/incore
    export MACHINE=armv71
    export RELEASE=4.9.13
    export SYSTEM=Linux
    export ARCH=arm
    export CROSS_COMPILE=arm-linux-gnueabihf-
    export HOSTCC=gcc
    export FIPSDIR=/yocto/meta/recipes-connectivity/openssl/fips2.0

Build commands for FIPS library

    ./config -mfloat-abi=hard
    make
    make install

Then I am building OpenSSL 1.0.2h with the below environment settings

    export FIPSDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0"
    export FIPSLIBDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0/lib/"
    export FIPS_SIG="/yocto/meta/recipes-connectivity/openssl/fips2.0/bin/incore"

Build command to build OpenSSL.

    perl ./Configure ${EXTRA_OECONF} fips shared --with-fipsdir=${FIPSDIR} --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename ${libdir}` $target

Build is successful, without any error. But when I try executing

    export OPENSSL_FIPS=1
    openssl -v

I am getting

    3069334736:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:244

I am not understanding what could be going wrong. Any help is appreciated

Regards
Jayalakshmi
[openssl-users] How to make OpenSSL engine usage application specific?
Hello All,

We have 2 RSA OpenSSL engines in our product. Both engines perform the same RSA encrypt/decrypt operations. For easy explanation I am naming the engines as:

1. RSA smart card engine
2. RSA TPM engine

Engine usage is application specific. There are a couple of applications dependent on the RSA TPM engine, and a few applications dependent on the RSA smart card engine. We wanted to know if there are any APIs provided by OpenSSL to make the engine usage application specific. Is there any way we can make OpenSSL choose a specific engine for a specific application?

Regards
Jayalakshmi.
[openssl-users] AES-CTR-256 test suite for FIPS
Hi All,

We are using a DRBG with AES-CTR-256 in FIPS mode. I could find a test suite/file that takes the CAVP test request and generates the response for the DRBG using AES-CTR-256. However, I am not finding any test suite/file that validates AES-CTR 128/192/256 bits. Can anyone let me know which test suite/file validates AES-CTR?

Regards
Jayalakshmi
Re: [openssl-users] ECC ciphers in OpenSSL and Certicom Patent/License terms
Hi All,

Thanks for the inputs. This gives me a good understanding of these ciphers' usage.

Thanks and Regards
Jayalakshmi

On Thu, Dec 7, 2017 at 10:31 PM, Jakob Bohm wrote:
> On 07/12/2017 15:05, Michael Wojcik wrote:
>>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm
>>> Sent: Thursday, December 07, 2017 08:41
>>> To: openssl-users@openssl.org
>>>
>>> And I would still say that "consult a lawyer" is a useless answer, especially as most OpenSSL users will be in the same legal situation, and lawyers' opinions on patent matters are frequently found by courts to be wrong anyway.
>>
>> Well, I suppose we'll have to disagree on that point. Speaking hypothetically, if I were the product owner for a commercial software product that used OpenSSL, I would most certainly be raising the question with corporate counsel.
>>
>> This is a complex and fraught area, and the OpenSSL Foundation is not able (and I'm sure not inclined to try) to indemnify OpenSSL users against infringement claims. To a large extent it doesn't matter what they say. A license file in the OpenSSL distribution is not likely to discourage an IP owner from claiming infringement if they're so inclined. At that point "local" lawyers will be involved whether you like it or not.
>
> Of course OpenSSL cannot indemnify users. This is why my actual questions to the OpenSSL project were mostly about what 3rd party assurances the project had received and could pass on. For example written patent license statements by Sun/Oracle (in conjunction with their 2002 ECC contribution), waivers by Certicom etc.
>
> Even if some companies will want to run everything by their corporate counsel, corporate counsel can make much more useful statements if they can start from some legal documents and statements rather than having the lawyers try to pore over C code and published patents.
>
>> I also don't believe that "most OpenSSL users will be in the same legal situation". Here again, patent law is complicated. And more importantly, well-heeled users are much more likely targets of actual infringement claims, which is a very different situation indeed.
>
> Point is, that in this global world, most producers are potentially exposed in lots of "foreign" jurisdictions, and most corporate counsel, while potentially well-heeled in general patent law, are unlikely to have specific knowledge of the various patents, licenses and waivers applicable to ECC crypto.
>
> Being able to say "we only ship to customers in China and outer Mongolia, and under those local laws there is no risk" is a lot rarer than "we ship globally except a few problematic destinations, we don't want to be hauled to the Eastern district of Texas by Certicom, so we want to know if we have contractual assurances that Certicom is OK with using OpenSSL builds that have the ECC code enabled"
>
> That latter situation happens to also be the situation of the OpenSSL project itself, except the degree of being a litigation magnet, thus the likelihood that the project has obtained some legal documents that can be passed on, making no independent promises other than those being true and accurate copies of documents signed by their outside authors.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] [openssl-dev] A question on DH parameter generation and usage
Hi Rich,

Thanks for the reply. We are planning to use DHE_RSA based ciphers.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:20 PM, Salz, Rich via openssl-users <openssl-users@openssl.org> wrote:
> You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are vulnerable to another.
>
> Why are you using DH? Unless you have compelling reasons (interop with legacy), you really should use ECDHE.
Re: [openssl-users] [openssl-dev] A question on DH parameter generation and usage
Hi Michael,

Thanks for the very detailed answers. This will surely help me to investigate further.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:37 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Salz, Rich via openssl-users
>> Sent: Wednesday, December 06, 2017 08:50
>>
>> You can re-use the keys, but then you get no forward secrecy, and sessions generated with one connection are vulnerable to another.
>
> If you reuse keys, yes; but you still get PFS if you only reuse the same group and generate ephemeral keys (assuming sufficient group strength, where "sufficient" depends on the size of the group and its value to well-resourced attackers). I thought that was what the original poster was asking about.
>
>> Why are you using DH? Unless you have compelling reasons (interop with legacy), you really should use ECDHE.
>
> Interop would be the usual reason. And since supporting DHE properly is a small fixed cost (generate a group or pick one from RFC 7919, hard-code it, and set it in each SSL_CTX), you might as well do it, no?
>
> But I agree that the ECDHE suites are generally preferable when the client supports them. I know there's some NSA FUD around ECC since they pulled it from the Suite B recommendations in 2015.[1] I still think the published evidence supports using ECC, though. On the other hand, and per today's other thread on the subject, there may be legal concerns around the use of ECC.
>
> [1] Matt Green has a nice discussion of this, including a link to the great paper Koblitz and Menezes wrote about it, here: https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] ECC ciphers in OpenSSL and Certicom Patent/License terms
Hi Michael,

Thanks for the input.

Regards
Jaya

On Wed, Dec 6, 2017 at 7:21 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:
> This probably should just have gone to openssl-users. Please don't copy every question to openssl-dev.
>
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jayalakshmi bhat
>> Sent: Wednesday, December 06, 2017 01:07
>>
>> Does it mean that to use ECC ciphers from OpenSSL the end user needs to get the license from Certicom?
>
> Consult a lawyer. Opinions on this topic differ wildly, it has a long and vexed history, and legal advice from random people on the Internet isn't worth what you pay for it.
>
> Certicom was purchased by Blackberry years ago; they are the current holder of the ECC patents obtained by Certicom, to the best of my knowledge.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] A question on DH parameter generation and usage
Hi Jakob and Paul,

Thank you so much for the reply. We have the RSA certificates. I wanted to understand how DH parameters are generally generated. Thanks for the detailed answers.

Regards
Jayalakshmi

On Wed, Dec 6, 2017 at 12:48 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 06/12/2017 07:02, Jayalakshmi bhat wrote:
>> Hi,
>>
>> We are planning to use DHE_RSA TLS ciphers in our product. I have a few questions on using DH parameters. We would like to use DH-2048.
>>
>> Our product includes both TLS client and server applications. Thus at any time there will be a considerable number of active connections.
>>
>> I believe we can use the same DH parameter for all the server connections. Is my understanding correct? Is there any risk in using the same parameter for all the server connections?
>>
>> Another question is what guidelines/document should be followed to derive DH parameters.
>>
>> Any input is appreciated.
>
> In TLS and SSL 3 (current versions, not sure about GoogleTLS 1.3), DHE parameters are chosen exclusively by the server, so most rules will be about servers.
>
> Current best practice on clients is to reject parameters of less than 1000 bits, parameters with fewer bits than they pretend (e.g. parameters claiming to be 1024 bits, but the most significant 32 bits are all 0, making them really less than 993 bits), parameters that are glaringly non-prime (e.g. even numbers) and parameters that cause the DHE calculation to result in an unreasonable number such as 1 (indicating rigged parameters). I hope that OpenSSL client code already does such checks by default, otherwise someone should point out how to make it do so.
>
> Current best practice on servers is to use DHE parameters such as those generated by openssl dhparam, or the equivalent API function.
>
> Current best practice on general purpose servers is to use at least 2048 bit DH parameters except when talking to clients that can't do that, such as the TLS code in Oracle Java 6. Going above 2048 bits is good, but some common clients don't work significantly above that number (for example, some versions of the Mozilla NSS code have a built in maximum of 2236 bits).
>
> Current best practice on servers is to use DHE parameters that are used by few other servers, at least in a given timespan. Thus for servers that will be deployed in small numbers, just generate your own parameters at build time using
>
>     openssl dhparam -C > dh.inc
>
> then include dh.inc in your source code. For servers that will be deployed in large numbers, load the dh parameters from files in the format generated by
>
>     openssl dhparam > dh.pem
>
> and include scripts or other code that will replace the file contents daily or weekly (overwriting the old parameters only after the new ones are ready). The exim mail server does this if you follow the instructions.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
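The client-side rules in Jakob's reply (reject p below 1000 bits, reject p that pretends to be larger than it is, reject even p, reject a DHE result such as 1) can be applied directly to the big-endian octet strings a TLS client receives in ServerKeyExchange, with no bignum library at all. The following is an added example written for this page, not code from the thread or from OpenSSL; the sample p values are constructed byte patterns, not primes, and only exercise the structural checks. Function names and the 32-bit padding slack are my choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    DH_OK = 0,
    DH_ERR_P_TOO_SMALL = -1,    /* effective size of p below the 1000-bit floor */
    DH_ERR_P_PADDED = -2,       /* p claims 32+ more bits than it really has */
    DH_ERR_P_EVEN = -3,         /* even p: glaringly not prime */
    DH_ERR_G_RANGE = -4,        /* g is 0, 1, or not smaller than p */
    DH_ERR_SECRET_TRIVIAL = -5  /* shared secret is 0, 1 or p-1 */
};
#define DH_MIN_BITS 1000   /* client floor quoted in the reply above */
#define DH_PAD_SLACK 32    /* leading zero bits that make the size claim bogus */

/* Drop leading zero octets of a big-endian integer; returns the new length. */
static size_t be_strip(const uint8_t **n, size_t len)
{
    while (len && **n == 0) { (*n)++; len--; }
    return len;
}

/* Effective bit length: leading zero octets and bits do not count. */
size_t be_bit_length(const uint8_t *n, size_t len)
{
    size_t bits;
    len = be_strip(&n, len);
    if (len == 0) return 0;
    bits = (len - 1) * 8;
    for (uint8_t b = n[0]; b; b >>= 1) bits++;
    return bits;
}

/* Compare two big-endian integers ignoring leading zeros: -1, 0 or 1. */
int be_compare(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    int c;
    alen = be_strip(&a, alen);
    blen = be_strip(&b, blen);
    if (alen != blen) return alen < blen ? -1 : 1;
    c = memcmp(a, b, alen);
    return (c > 0) - (c < 0);
}

/* True when the integer equals the single-octet value v. */
int be_is_small(const uint8_t *n, size_t len, uint8_t v)
{
    len = be_strip(&n, len);
    return len == 0 ? v == 0 : (len == 1 && n[0] == v);
}

/* True when n == p - 1. Requires odd p, so only the last octet differs (no borrow). */
int be_equals_p_minus_1(const uint8_t *n, size_t nlen, const uint8_t *p, size_t plen)
{
    nlen = be_strip(&n, nlen);
    plen = be_strip(&p, plen);
    if (plen == 0 || nlen != plen || (p[plen - 1] & 1) == 0) return 0;
    return memcmp(n, p, plen - 1) == 0 && n[plen - 1] == p[plen - 1] - 1;
}

/* Checks a client applies to the (p, g) received in ServerKeyExchange; both
 * are the big-endian octet strings exactly as sent on the wire. */
int dh_check_server_params(const uint8_t *p, size_t plen, const uint8_t *g, size_t glen)
{
    size_t claimed = plen * 8, real = be_bit_length(p, plen);
    if (real < DH_MIN_BITS) return DH_ERR_P_TOO_SMALL;
    if (claimed - real >= DH_PAD_SLACK) return DH_ERR_P_PADDED;
    if ((p[plen - 1] & 1) == 0) return DH_ERR_P_EVEN;
    if (be_is_small(g, glen, 0) || be_is_small(g, glen, 1) ||
        be_compare(g, glen, p, plen) >= 0) return DH_ERR_G_RANGE;
    return DH_OK;
}

/* Reject a DHE result of 0, 1 or p-1: the mark of rigged or degenerate parameters. */
int dh_check_shared_secret(const uint8_t *z, size_t zlen, const uint8_t *p, size_t plen)
{
    if (be_is_small(z, zlen, 0) || be_is_small(z, zlen, 1) ||
        be_equals_p_minus_1(z, zlen, p, plen)) return DH_ERR_SECRET_TRIVIAL;
    return DH_OK;
}

/* Constructed sample values: NOT primes and NOT from any real server; they
 * only exercise the structural checks above. Filled by prepare_samples(). */
uint8_t SAMPLE_P_OK[256], SAMPLE_P_PADDED[256], SAMPLE_P_EVEN[256], SAMPLE_P_SHORT[120];
uint8_t SAMPLE_Z_PMINUS1[256];
const uint8_t SAMPLE_G2[1] = { 2 }, SAMPLE_G1[1] = { 1 };

int prepare_samples(void)
{
    memset(SAMPLE_P_OK, 0xA5, sizeof SAMPLE_P_OK);       /* full 2048 bits, odd */
    memcpy(SAMPLE_P_PADDED, SAMPLE_P_OK, 256);
    memset(SAMPLE_P_PADDED, 0x00, 4);                    /* top 32 bits zero: really 2016 bits */
    memcpy(SAMPLE_P_EVEN, SAMPLE_P_OK, 256);
    SAMPLE_P_EVEN[255] = 0xA4;                           /* even last octet */
    memset(SAMPLE_P_SHORT, 0xA5, sizeof SAMPLE_P_SHORT); /* only 960 bits */
    memcpy(SAMPLE_Z_PMINUS1, SAMPLE_P_OK, 256);
    SAMPLE_Z_PMINUS1[255] = 0xA4;                        /* exactly p - 1 */
    return 0;
}

int main(void)
{
    prepare_samples();
    printf("good: %d padded: %d even: %d g=1: %d z=p-1: %d\n",
           dh_check_server_params(SAMPLE_P_OK, 256, SAMPLE_G2, 1),
           dh_check_server_params(SAMPLE_P_PADDED, 256, SAMPLE_G2, 1),
           dh_check_server_params(SAMPLE_P_EVEN, 256, SAMPLE_G2, 1),
           dh_check_server_params(SAMPLE_P_OK, 256, SAMPLE_G1, 1),
           dh_check_shared_secret(SAMPLE_Z_PMINUS1, 256, SAMPLE_P_OK, 256));
    return 0;
}
```

Primality of p is deliberately not tested here: that needs modular arithmetic on 2048-bit values, which is what `openssl dhparam` (or the library's own DH parameter check) is for. The cheap structural checks above are the ones a client can run on every handshake before any exponentiation happens.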
[openssl-users] ECC ciphers in OpenSSL and Certicom Patent/License terms
Hi,

I have a question on the ECC ciphers implementation in OpenSSL. I do see a README.ECC file in the FIPS certified OpenSSL crypto library. That says:

    The OpenSSL Software Foundation has executed a sublicense agreement entitled "Elliptic Curve Cryptography Patent License Agreement" with the National Security Agency/Central Security Service Commercial Solutions Center (NCSC) dated 2010-11-04.

However, the OpenSSL library does not include this file. Does it mean that to use ECC ciphers from OpenSSL the end user needs to get the license from Certicom?

Thanks and Regards
Jayalakshmi
[openssl-users] A question on DH parameter generation and usage
Hi,

We are planning to use DHE_RSA TLS ciphers in our product. I have a few questions on using DH parameters. We would like to use DH-2048.

Our product includes both TLS client and server applications. Thus at any time there will be a considerable number of active connections.

I believe we can use the same DH parameter for all the server connections. Is my understanding correct? Is there any risk in using the same parameter for all the server connections?

Another question is what guidelines/document should be followed to derive DH parameters.

Any input is appreciated.

Thanks and Regards
Jayalakshmi.
Re: [openssl-users] Wanted details on ./config or Configure options
Hi Rich,

I am using OpenSSL 1.0.2h, and I am trying to strip off unused hardware support. I tried using the options mentioned for 1.0.1e, which I have explained in the previous mail. They don't seem to work for 1.0.2h. Hence I wanted to know what would be the best way to remove the unsupported hardware like aep, chil, cswift etc. from compilation.

Regards
Jayalakshmi

On Thu, Nov 2, 2017 at 4:38 PM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> Hi Matt,
>
> Thanks for the reply. We don't want to turn off the engine fully. We have a TPM chip that is part of OpenSSL. I just want to turn off the default available hardware using
>
>     no-hw-4758-cca no-hw-aep no-hw-atalla no-hw-chil no-hw-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod
>
> However, as of now using the above values with ./Configure is not turning off the compilation of the other hardware components.
>
> Regards
> Jaya
>
> On Thu, Nov 2, 2017 at 3:56 PM, Matt Caswell <m...@openssl.org> wrote:
>> On 02/11/17 07:07, Jayalakshmi bhat wrote:
>>> Hi Matt,
>>>
>>> Thanks a lot for the response. Sorry for the delayed reply. I was out of office for a while. This helped me. However, I am not seeing an option to remove unwanted engine files from compilation. The OpenSSL 1.01x method
>>>
>>>     (no-hw no-hw-4758-cca no-hw-aep no-hw-atalla no-hw-chil no-hw-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod)
>>>
>>> does not seem to work. Is there any way to do it?
>>
>> Hmmm - that looks like a possible bug to me. I think that should work (Richard Levitte may be able to comment).
>>
>> You can also use no-engine which switches off engine support altogether
>>
>> Matt
>>
>>> Regards
>>> Jayalakshmi
>>>
>>> On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell <m...@openssl.org> wrote:
>>>> On 25/10/17 18:02, Jayalakshmi bhat wrote:
>>>>> Hi Matt,
>>>>>
>>>>> Thanks a lot. This helps me. I had seen different options for OpenSSL 1.0.1e versions. Hence had some confusion. Does this mean the options specified here can only be used for OpenSSL 1.0.2x releases?
>>>>
>>>> The INSTALL file is specific to a release. Many options are applicable to both 1.0.1 and 1.0.2 but there may be some differences. We did quite a bit of work on the INSTALL file in the latest 1.1.0 release to make sure all options were documented properly. That happened after the 1.0.2 release so it could be the case that there are some options that are undocumented in 1.0.2.
>>>>
>>>> Matt
>>>>
>>>>> Regards
>>>>> Jayalakshmi
>>>>>
>>>>> On Tue, Oct 24, 2017 at 2:31 PM, Matt Caswell <m...@openssl.org> wrote:
>>>>>> On 24/10/17 07:06, Jayalakshmi bhat wrote:
>>>>>>> Hi All,
>>>>>>>
>>>>>>> I am looking for details on the options used to disable or remove unwanted ciphers and components while building openssl. This is for OpenSSL 1.0.2h. I am seeing many things on the internet, but most of them have minimal explanation. Can you tell me if there is any link that I can refer to?
>>>>>>
>>>>>> Have you looked in INSTALL?
>>>>>>
>>>>>> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
>>>>>>
>>>>>> Matt
Re: [openssl-users] Wanted details on ./config or Configure options
Hi Matt,

Thanks for the reply. We don't want to turn off the engine fully. We have a TPM chip that is part of OpenSSL. I just want to turn off the default available hardware using

    no-hw-4758-cca no-hw-aep no-hw-atalla no-hw-chil no-hw-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod

However, as of now using the above values with ./Configure is not turning off the compilation of the other hardware components.

Regards
Jaya

On Thu, Nov 2, 2017 at 3:56 PM, Matt Caswell <m...@openssl.org> wrote:
> On 02/11/17 07:07, Jayalakshmi bhat wrote:
>> Hi Matt,
>>
>> Thanks a lot for the response. Sorry for the delayed reply. I was out of office for a while. This helped me. However, I am not seeing an option to remove unwanted engine files from compilation. The OpenSSL 1.01x method
>>
>>     (no-hw no-hw-4758-cca no-hw-aep no-hw-atalla no-hw-chil no-hw-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod)
>>
>> does not seem to work. Is there any way to do it?
>
> Hmmm - that looks like a possible bug to me. I think that should work (Richard Levitte may be able to comment).
>
> You can also use no-engine which switches off engine support altogether
>
> Matt
>
>> Regards
>> Jayalakshmi
>>
>> On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell <m...@openssl.org> wrote:
>>> On 25/10/17 18:02, Jayalakshmi bhat wrote:
>>>> Hi Matt,
>>>>
>>>> Thanks a lot. This helps me. I had seen different options for OpenSSL 1.0.1e versions. Hence had some confusion. Does this mean the options specified here can only be used for OpenSSL 1.0.2x releases?
>>>
>>> The INSTALL file is specific to a release. Many options are applicable to both 1.0.1 and 1.0.2 but there may be some differences. We did quite a bit of work on the INSTALL file in the latest 1.1.0 release to make sure all options were documented properly. That happened after the 1.0.2 release so it could be the case that there are some options that are undocumented in 1.0.2.
>>>
>>> Matt
>>>
>>>> Regards
>>>> Jayalakshmi
>>>>
>>>> On Tue, Oct 24, 2017 at 2:31 PM, Matt Caswell <m...@openssl.org> wrote:
>>>>> On 24/10/17 07:06, Jayalakshmi bhat wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> I am looking for details on the options used to disable or remove unwanted ciphers and components while building openssl. This is for OpenSSL 1.0.2h. I am seeing many things on the internet, but most of them have minimal explanation. Can you tell me if there is any link that I can refer to?
>>>>>
>>>>> Have you looked in INSTALL?
>>>>>
>>>>> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
>>>>>
>>>>> Matt
Re: [openssl-users] Wanted details on ./config or Configure options
Hi Matt,

Thanks a lot for the response. Sorry for the delayed reply. I was out of office for a while. This helped me. However, I am not seeing an option to remove unwanted engine files from compilation. The OpenSSL 1.01x method

    (no-hw no-hw-4758-cca no-hw-aep no-hw-atalla no-hw-chil no-hw-cswift no-hw-ibmca no-hw-ncipher no-hw-nuron no-hw-padlock no-hw-sureware no-hw-ubsec no-hw-zencod)

does not seem to work. Is there any way to do it?

Regards
Jayalakshmi

On Thu, Oct 26, 2017 at 4:09 PM, Matt Caswell <m...@openssl.org> wrote:
> On 25/10/17 18:02, Jayalakshmi bhat wrote:
>> Hi Matt,
>>
>> Thanks a lot. This helps me. I had seen different options for OpenSSL 1.0.1e versions. Hence had some confusion. Does this mean the options specified here can only be used for OpenSSL 1.0.2x releases?
>
> The INSTALL file is specific to a release. Many options are applicable to both 1.0.1 and 1.0.2 but there may be some differences. We did quite a bit of work on the INSTALL file in the latest 1.1.0 release to make sure all options were documented properly. That happened after the 1.0.2 release so it could be the case that there are some options that are undocumented in 1.0.2.
>
> Matt
>
>> Regards
>> Jayalakshmi
>>
>> On Tue, Oct 24, 2017 at 2:31 PM, Matt Caswell <m...@openssl.org> wrote:
>>> On 24/10/17 07:06, Jayalakshmi bhat wrote:
>>>> Hi All,
>>>>
>>>> I am looking for details on the options used to disable or remove unwanted ciphers and components while building openssl. This is for OpenSSL 1.0.2h. I am seeing many things on the internet, but most of them have minimal explanation. Can you tell me if there is any link that I can refer to?
>>>
>>> Have you looked in INSTALL?
>>>
>>> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
>>>
>>> Matt
[openssl-users] OpenSSL engine and TPM usage.
Hi All,

Our device uses a TPM to protect certificate private keys. We have written an engine interface to integrate the TPM functionality into OpenSSL. Thus the TPM gets loaded as an engine instance. Also we have mapped the RSA operations to TPM APIs, like encryption/decryption etc.

Now we are into a few issues. There are a few applications that want to use an application-specific identity certificate. In such cases the RSA APIs should not get mapped to the TPM APIs. I wanted to know, when we use the engine instance for encryption/decryption operations, can it be done selectively?

Regards
Jayalakshmi
Re: [openssl-users] Wanted details on ./config or Configure options
Hi Matt,

Thanks a lot. This helps me. I had seen different options for OpenSSL 1.0.1e versions. Hence had some confusions. Does this mean the options specified here can only be used for OpenSSL 1.0.2x releases?

Regards
Jayalakshmi

On Tue, Oct 24, 2017 at 2:31 PM, Matt Caswell <m...@openssl.org> wrote:
> On 24/10/17 07:06, Jayalakshmi bhat wrote:
> > Hi All,
> >
> > I am looking for details on options used to disable or remove unwanted
> > ciphers, components while openssl building. This is for OpenSSL 1.0.2h.
> > I am seeing many things on internet. But most of them have minimum
> > explanation, please can you tell me is there any link that I can refer.
>
> Have you looked in INSTALL?
>
> https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
>
> Matt
[openssl-users] Wanted details on ./config or Configure options
Hi All,

I am looking for details on the options used to disable or remove unwanted ciphers and components while building OpenSSL. This is for OpenSSL 1.0.2h. I am seeing many things on the internet, but most of them have minimal explanation. Please can you tell me if there is any link that I can refer to?

Regards
Jaya
[openssl-users] how to compile out selected ciphers
Hi All,

I am trying to build OpenSSL. As part of that I want to remove some ciphers like MD4, RC5 etc. I tried

    ./config no-md5, no-rc5

and

    ./Configure no-md5, no-rc5

In both cases the MD4 and RC5 directories are still getting compiled. Please can you let me know what could be going wrong?

Regards
Jaya
[openssl-users] OpenSSL FIPS CAVP tests throws an error iob_func while linking
Hi All,

I am trying to build the CAVP test executables for WinCE. Most of the executables are built except 1-2. I am facing an "iob_func" unresolved error. Everything seems to be proper. Any idea or help is well appreciated.

Regards
Jaya
[openssl-users] FIPS CAVP tests for WinCE.
Hi All,

I am using the OpenSSL-FIPS-2.0.4 library on ARM7 + WinCE 6.0 with "user affirm" of the validation for Y per I.G. G.5. We want to run the latest CAVP test suites. We have built build_algvs and the other executables for the above product/build environment. However, when we try to execute an executable with req file and resp file parameters, for example

    fips_drbgvs CTR_DRBG.req CTR_DRBG.resp

we end up receiving the error "error opening the input file". Later we found that the WinCE environment cannot read a simple character file name; it needs some Windows-specific conversion like WideCharToMultiByte.

We have the below questions:

1. Is there any way to build the test suites in the WinCE environment? The user guide says it is incomplete.
2. As these are test files, is it OK to modify them?

Regards
Jayalakshmi
Re: [openssl-users] OpenSSL 1.1.1 release timeframe
Hi Matt,

I do understand. Thanks a lot for the reply.

Regards
Jayalakshmi

On Thu, May 18, 2017 at 2:47 PM, Matt Caswell <m...@openssl.org> wrote:
> On 18/05/17 06:32, Jayalakshmi bhat wrote:
> > Please can any one let me know the release date or time line for OpenSSL
> > 1.1.1?
>
> We have not set a date as yet. At the very least we will not be able to
> release until the IETF takes TLSv1.3 out of draft status - which is not
> in our control.
>
> Matt
[openssl-users] OpenSSL 1.1.1 release timeframe
Hi All,

Please can anyone let me know the release date or timeline for OpenSSL 1.1.1?

Regards
Jayalakshmi
[openssl-users] OpenSSL DRBG in FIPS mode confusion.
Hi All,

OpenSSL uses a 256-bit AES-CTR DRBG as the default DRBG in FIPS mode. I have a question associated with this.

1. The OpenSSL wiki says: Default DRBG is 256-bit CTR AES using a derivation function.

2. Whereas the document http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf mentions "no derivation function" in one place and in another section mentions both:

   Section 4, Modes of Operation and Cryptographic Functionality:
   Random Number Generation; [SP 800-90] DRBG5 Hash DRBG, Symmetric key generation, Prediction resistance; HMAC DRBG, no reseed supported for all variations; CTR DRBG (AES), no derivation function

   Section 6, Selftest:
   DRBG KAT CTR_DRBG: AES, 256 bit with and without derivation function

Please can anyone let me know what the default behavior is? Is there any way to toggle between using and not using the derivation function?

Regards
Jayalakshmi
[openssl-users] Certificates generated using 3k/4k CSR generated with OpenSSL fails on Windows 2008R2
Hi All,

I am generating 1k/2k/3k/4k CSRs on our device using the OpenSSL library. We have Windows 2008 R2 servers and I am signing these CSRs using the certificate authority on the Windows server. I am setting only the client and server authentication bits in the CSR since these are simple end entity certificates.

Once the certificates are generated, I am able to install them on our device. These certificates are working well with an 802.1X (EAP-TLS) setup on the same Windows 2008 R2 server. However, when I was trying to test IPsec with certificate based authentication, authentication is failing. Enabling the IPsec event viewer shows an error in accepting the certificate and generates an "invalid signature" message, which looks to be generic. Failures are seen only with the 3k and 4k certificates.

Later I referred to the link http://blog.gentilkiwi.com/tag/bag-attributes and added the -LMK -CSP "xxx" -name options; the certificate worked well. I wanted to know if anyone is having a similar experience with 3k and 4k ID certificates that do not have these fields on a Windows system. Any help is appreciated.

Regards
Jayalakshmi
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi All,

1. With compiler optimization disabled, the OpenSSL 1.0.2d function worked as it is.

2. It looks like in the functions below, the typecast to unsigned char is not going well when compiler optimization is enabled. Hence the functions are modified to assign the return value to a volatile unsigned char and then return the volatile value. Things worked fine.

    static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
    static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
    static inline unsigned char constant_time_is_zero_8(unsigned int a)
    static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
    static inline unsigned char constant_time_eq_int_8(int a, int b)
    static inline unsigned char constant_time_select_8(unsigned char mask,

Matt, Jakob, Andy, your explanations were really useful to root cause the issue as compiler specific. Thanks everyone for the valuable time and fruitful discussion.

Regards
Jaya

On Sun, Dec 13, 2015 at 11:13 AM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> Hi All,
>
> Thanks for all the responses. As mentioned by Matt in the discussion
> thread, constant_time_msb copies the msb of the input to all of
> the other bits so the return value should be either one of 0x or
> 0x.
>
> I found another interesting thing: constant_time_msb worked as it is
> without any changes, after I added a printf in the constant_time_is_zero_8 test
> routine to print the return value. I added the printf just before comparing
> the return value with the expected value.
>
> I have confirmed the failures by removing the printf and printing anything
> else other than the returned value.
>
> Now based on the discussions here and the print results I am thinking, after
> the constant_time_msb operation probably the overflow bit is set in the case of
> 0x. And it is not cleared before comparing, hence the compare fails.
> When I add a printf to print the return value probably the overflow flag gets
> cleared and things work.
>
> I am planning to attach the debugger to check the flags. I will get back
> with debugger results.
>
> I have attached the test file.
>
> Regards
> Jaya
>
> On Fri, Dec 11, 2015 at 11:30 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
>> > 3. The compiler wasn't written by a fanatic who put
>> > the "right shift of negative signed values is
>> > undefined" rule above common sense.
>> >
>> > This is only implementation-defined behavior, not undefined behavior. It is
>> > not permitted to crash the system or launch the missiles. (n1256.pdf 6.5.7
>> > paragraph 5.)
>>
>> The potential problem with implementation defined is its not
>> guaranteed to produce consistent results. Different compilers or
>> different versions of the same compiler may arrive at different
>> results.
>>
>> In this light, the crash might be welcomed to make it easy to find the
>> trouble spot :)
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi All,

Thanks for all the responses. As mentioned by Matt in the discussion thread, constant_time_msb copies the msb of the input to all of the other bits, so the return value should be either one of 0x or 0x.

I found another interesting thing: constant_time_msb worked as it is without any changes, after I added a printf in the constant_time_is_zero_8 test routine to print the return value. I added the printf just before comparing the return value with the expected value.

I have confirmed the failures by removing the printf and printing anything else other than the returned value.

Now based on the discussions here and the print results I am thinking, after the constant_time_msb operation probably the overflow bit is set in the case of 0x. And it is not cleared before comparing, hence the compare fails. When I add a printf to print the return value probably the overflow flag gets cleared and things work.

I am planning to attach the debugger to check the flags. I will get back with debugger results.

I have attached the test file.

Regards
Jaya

On Fri, Dec 11, 2015 at 11:30 AM, Jeffrey Walton wrote:
> > 3. The compiler wasn't written by a fanatic who put
> > the "right shift of negative signed values is
> > undefined" rule above common sense.
> >
> > This is only implementation-defined behavior, not undefined behavior. It is
> > not permitted to crash the system or launch the missiles. (n1256.pdf 6.5.7
> > paragraph 5.)
>
> The potential problem with implementation defined is its not
> guaranteed to produce consistent results. Different compilers or
> different versions of the same compiler may arrive at different
> results.
>
> In this light, the crash might be welcomed to make it easy to find the
> trouble spot :)

(Attachment: constant_time_test.7z)
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Matt,

Thanks for the patch. Unfortunately the patch did not work. I continued debugging and found that the issue was in constant_time_msb.

    static inline unsigned int constant_time_msb(unsigned int a)
    {
    -    return 0 - (a >> (sizeof(a) * 8 - 1));
    +    return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1;
    }

Changed the constant_time_msb implementation as shown above. All the tests passed. I have attached the disassembly of the code for both the successful case and the failure case. This was requested by Jakob.

Regards
Jaya

On Thu, Dec 10, 2015 at 2:48 AM, Matt Caswell <m...@openssl.org> wrote:
> On 09/12/15 23:13, Benjamin Kaduk wrote:
> > On 12/09/2015 05:04 PM, Matt Caswell wrote:
> >> On 09/12/15 11:44, Jayalakshmi bhat wrote:
> >>> Hi Matt,
> >>>
> >>> I could build and execute the constant_time_test. I have attached the .c
> >>> file and test results. 34 tests have failed. All failures are
> >>> around constant_time_eq_8. This is the function I had mentioned in the
> >>> earlier mails.
> >>
> >> Not quite all. There is also a failure right at the beginning of your
> >> log in constant_time_is_zero_8. Although it looks very similar to the
> >> constant_time_eq_8 failure.
> >>
> >> As to the failure it is very strange. This is the function doing the test:
> >>
> >>     int test_binary_op_8(unsigned char (*op) (unsigned int a, unsigned int b),
> >>                          const char *op_name, unsigned int a,
> >>                          unsigned int b, int is_true)
> >>     {
> >>         unsigned char c = op(a, b);
> >>         if (is_true && c != CONSTTIME_TRUE_8) {
> >>             printf("Test failed for %s(%du, %du): expected %u "
> >>                    "(TRUE), got %u at line %d\n", op_name, a, b,
> >>                    CONSTTIME_TRUE_8, c, __LINE__);
> >>             return 1;
> >>         } else if (!is_true && c != CONSTTIME_FALSE_8) {
> >>             printf("Test failed for %s(%du, %du): expected %u "
> >>                    "(FALSE), got %u at line %d\n", op_name, a, b,
> >>                    CONSTTIME_FALSE_8, c, __LINE__);
> >>             return 1;
> >>         }
> >>         printf("Test passed for %s(%du, %du): expected %u got %u at line %d with %s\n",
> >>                op_name, a, b, CONSTTIME_TRUE_8, c, __LINE__,
> >>                is_true ? "TRUE" : "FALSE");
> >>         return 0;
> >>     }
> >>
> >> and the output we see in the log file is:
> >>
> >>     Test failed for constant_time_eq_8(0u, 0u): expected 255 (TRUE), got
> >>     4294967295 at line 85
> >>
> >> That big number in the output is actually 0x7FFF in hex. The
> >> variable that it is printing here is "c" which is declared as an
> >> "unsigned char".
> >>
> >> Please someone correct me if I'm wrong but doesn't the C spec guarantee
> >> that a "char" is 8 bits? In which case how can the value of "c" be
> >> greater than 255?
> >
> > C does not make such a guarantee, though recent-ish POSIX does. (This
> > system is a windows one, though, right?)
> >
> > In any case, due to C's type promotion rules, it's very difficult to
> > actually use types narrower than 'int', since integers get auto-promoted
> > to int at integer conversion time. This has extra-fun interactions with
> > varargs functions, depending on the platform ABI in use. (Always cast
> > NULL to a pointer type when passing to a varargs function; this does
> > cause real bugs.) Since c is unsigned, it is odd to see it get promoted
> > to (int)-1, since C type conversions are supposed to be
> > value-preserving, but it is certainly possible that the windows ABI is
> > doing something I don't expect. Adjusting things so that the format
> > specifier and the type passed to printf match (whether by casting c to
> > int or qualifying the format specifier) might help.
>
> Thanks Ben.
>
> It's not 100% clear to me that we are dealing with a system where a char
> has more than 8 bits, but it certainly seems like a plausible
> explanation for what is going on. Especially when you look at the
> implementation of constant_time_eq_8:
>
>     static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
>     {
>         return (unsigned char)(constant_time_eq(a, b));
>     }
>
> The function "constant_time_eq" here returns an "unsigned int". The
> whole purpose of "constant_time_eq_8" is to provide a convenience
> function to create an 8 bit mask. If the number of bits in an unsigned
> char > 8 then this code is going to fail!
>
> Jaya - please could you try the attached patch to see if that resolves
> the problem. Please try re-executing both your SSL/TLS tests and the
> constant_time test. Let me know how you get on.
>
> Thanks
>
> Matt

(Attachment: changes.7z)
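Review bot: the `+` line of the constant_time_msb change above is not well-formed C as posted (the parentheses in `(((unsigned)((int)(a) >> (sizeof(int) * 8 - 1;` never close), and what it does, casting to int and right-shifting a negative value, is implementation-defined per C99 6.5.7p5, the very point raised in the Jeffrey Walton quote elsewhere in this thread. The `-` line, `0 - (a >> (sizeof(a) * 8 - 1))`, is fully defined for unsigned operands, so this patch trades a portable expression for a compiler-dependent one to work around what the rest of the thread traces to the `(unsigned char)` truncation in the `*_8` helpers. Suggest keeping the unsigned form in constant_time_msb and applying the workaround at the truncation point instead (the volatile unsigned char store described in the thread's closing message).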
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Jakob,

Here are more details:

    OS        WinCE 6.0
    CPU       ARMARCH4, family ARM
    Compiler  ARM CC, Microsoft (R) C/C++ Optimizing Compiler Version 14.01.60511 for ARM

Regards
Jaya

On Fri, Dec 4, 2015 at 5:35 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> For clarity, which version of WinCE, and which CPU (Arm,
> MIPS, PPC, x86, SH3, SH4, ...)?
>
> Which Microsoft Compiler version (EVC3, EVC4, one of the
> Visual Studio projects, 3rd party compiler) and which
> exact compiler version (reported by running the compiler
> executable (named according to CPU) with no arguments.
>
> I ask because your proposed fix may be affected by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > > Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
> > > If not, what is the other end using?
> >
> > Our device has both TLS client and server apps. As client, the device
> > communicates with a RADIUS server, LDAP server etc. As server, the device is
> > accessed using various web browsers. Hence both ends will not be OpenSSL 1.0.2d.
> >
> > > How exactly are you doing that? Which specific cipher are you seeing fail?
> >
> > We have provided a user option to select TLS protocol versions similar to
> > the browsers. Depending upon the user configuration we set the protocol
> > flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> > context using SSL_CTX_clear_options/SSL_CTX_set_options.
> > We have provided a user option to choose ciphers as well.
> > All these are in the application space, no changes have been done and they
> > have been working well with OpenSSL 1.0.1c. Only the library is upgraded to
> > OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers and with
> > both the ciphers the issue is seen.
> >
> > > Are you able to provide a packet capture?
> >
> > Please find the attached traces for server mode.
> >
> > > What O/S is this on?
> >
> > This is built for WinCE and VxWorks.
> >
> > Regards
> > Jaya
> >
> > On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <m...@openssl.org> wrote:
> >> Hello Jaya
> >>
> >> We're going to need some more information. There isn't a generic problem
> >> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
> >> there is something specific about your environment that is causing the
> >> issue. Comments inserted below.
> >>
> >> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> >> > Hi All,
> >> >
> >> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> >> > the below explained issue.
> >>
> >> Is your application a client or a server? Are both ends using OpenSSL
> >> 1.0.2d? If not, what is the other end using?
> >>
> >> > When we enable only TLS 1.0 protocol and select CBC ciphers,
> >>
> >> How exactly are you doing that? Which specific cipher are you seeing fail?
> >>
> >> > Now my question is whatever I did is it correct?
> >>
> >> That would not be a recommended solution
> >>
> >> > Or Do need to replace
> >> > complete s3_cbc.c with OpenSSL 1.0.1e?
> >>
> >> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
> >>
> >> Some other questions:
> >>
> >> Are you able to provide a packet capture?
> >> How did you build OpenSSL...i.e. what "Configure" options did you use?
> >> What O/S is this on?
> >>
> >> Matt
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi All,

Are there any inputs or suggestions?

Thanks and Regards
Jaya

On Fri, Dec 4, 2015 at 11:37 AM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> Hi Matt,
>
> s3_cbc.c uses the function constant_time_eq_8. I pulled only this
> function definition from OpenSSL 1.0.1e into OpenSSL 1.0.2d. I renamed
> this function as constant_time_eq_8_local and used it in s3_cbc.c instead
> of constant_time_eq_8. This renaming was just to avoid
> multiple definitions.
>
> OpenSSL 1.0.1e has the function constant_time_eq_8 defined as below:
>
>     #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
>     #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
>
>     static unsigned char constant_time_eq_8(unsigned a, unsigned b)
>     {
>         unsigned c = a ^ b;
>         c--;
>         return DUPLICATE_MSB_TO_ALL_8(c);
>     }
>
> OpenSSL 1.0.2d has the function constant_time_eq_8 defined as below.
>
>     static inline unsigned int constant_time_msb(unsigned int a)
>     {
>         return 0 - (a >> (sizeof(a) * 8 - 1));
>     }
>
>     static inline unsigned int constant_time_is_zero(unsigned int a)
>     {
>         return constant_time_msb(~a & (a - 1));
>     }
>
>     static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
>     {
>         return constant_time_is_zero(a ^ b);
>     }
>
>     static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
>     {
>         return (unsigned char)(constant_time_eq(a, b));
>     }
>
> Regards
> Jaya
>
> On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote:
>> On 04/12/15 11:31, Jayalakshmi bhat wrote:
>> > Hi Matt,
>> >
>> > Thanks a lot for the response.
>> >
>> > > Is your application a client or a server? Are both ends using
>> > > OpenSSL 1.0.2d? If not, what is the other end using?
>> >
>> > Our device has both TLS client and server apps. As client, the device
>> > communicates with a RADIUS server, LDAP server etc. As server, the
>> > device is accessed using various web browsers.
>> > Hence both ends will not be OpenSSL 1.0.2d.
>> >
>> > > How exactly are you doing that? Which specific cipher are you seeing fail?
>> >
>> > We have provided a user option to select TLS protocol versions similar
>> > to the browsers. Depending upon the user configuration we set the protocol
>> > flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
>> > context using SSL_CTX_clear_options/SSL_CTX_set_options.
>> > We have provided a user option to choose ciphers as well.
>> > All these are in the application space, no changes have been done and
>> > they have been working well with OpenSSL 1.0.1c. Only the library is
>> > upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers
>> > and with both the ciphers the issue is seen.
>> >
>> > > Are you able to provide a packet capture?
>> >
>> > Please find the attached traces for server mode.
>> >
>> > > What O/S is this on?
>> >
>> > This is built for WinCE and VxWorks.
>>
>> Thanks. Please could you also send the exact patch that you applied that
>> resolved the issue?
>>
>> Matt
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Matt,

Thanks a lot for the response.

> Is your application a client or a server? Are both ends using OpenSSL 1.0.2d? If not, what is the other end using?

Our device has both TLS client and server apps. As client, the device communicates with a RADIUS server, LDAP server etc. As server, the device is accessed using various web browsers. Hence both ends will not be OpenSSL 1.0.2d.

> How exactly are you doing that? Which specific cipher are you seeing fail?

We have provided a user option to select TLS protocol versions similar to the browsers. Depending upon the user configuration we set the protocol flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL context using SSL_CTX_clear_options/SSL_CTX_set_options. We have provided a user option to choose ciphers as well.

All these are in the application space, no changes have been done and they have been working well with OpenSSL 1.0.1c. Only the library is upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers and with both the ciphers the issue is seen.

> Are you able to provide a packet capture?

Please find the attached traces for server mode.

> What O/S is this on?

This is built for WinCE and VxWorks.

Regards
Jaya

On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <m...@openssl.org> wrote:
> Hello Jaya
>
> We're going to need some more information. There isn't a generic problem
> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
> there is something specific about your environment that is causing the
> issue. Comments inserted below.
>
> On 04/12/15 06:53, Jayalakshmi bhat wrote:
> > Hi All,
> >
> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
> > the below explained issue.
>
> Is your application a client or a server? Are both ends using OpenSSL
> 1.0.2d? If not, what is the other end using?
>
> > When we enable only TLS 1.0 protocol and select CBC ciphers,
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
>
> > Now my question is whatever I did is it correct?
>
> That would not be a recommended solution
>
> > Or Do need to replace
> > complete s3_cbc.c with OpenSSL 1.0.1e?
>
> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>
> Some other questions:
>
> Are you able to provide a packet capture?
> How did you build OpenSSL...i.e. what "Configure" options did you use?
> What O/S is this on?
>
> Matt

(Attachment: server.pcapng)
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Matt,

I replaced the constant_time_eq_8 usage in s3_cbc.c with the implementation available in OpenSSL 1.0.1e. Things worked fine.

Regards
Jaya

On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote:
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > > Is your application a client or a server? Are both ends using
> > > OpenSSL 1.0.2d? If not, what is the other end using?
> >
> > Our device has both TLS client and server apps. As client, the device
> > communicates with a RADIUS server, LDAP server etc. As server, the
> > device is accessed using various web browsers.
> > Hence both ends will not be OpenSSL 1.0.2d.
> >
> > > How exactly are you doing that? Which specific cipher are you seeing fail?
> >
> > We have provided a user option to select TLS protocol versions similar
> > to the browsers. Depending upon the user configuration we set the protocol
> > flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> > context using SSL_CTX_clear_options/SSL_CTX_set_options.
> > We have provided a user option to choose ciphers as well.
> > All these are in the application space, no changes have been done and
> > they have been working well with OpenSSL 1.0.1c. Only the library is
> > upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers
> > and with both the ciphers the issue is seen.
> >
> > > Are you able to provide a packet capture?
> >
> > Please find the attached traces for server mode.
> >
> > > What O/S is this on?
> >
> > This is built for WinCE and VxWorks.
>
> Thanks. Please could you also send the exact patch that you applied that
> resolved the issue?
>
> Matt
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Matt,

s3_cbc.c uses the function constant_time_eq_8. I pulled only this function definition from OpenSSL 1.0.1e into OpenSSL 1.0.2d. I renamed this function as constant_time_eq_8_local and used it in s3_cbc.c instead of constant_time_eq_8. This renaming was just to avoid multiple definitions.

OpenSSL 1.0.1e has the function constant_time_eq_8 defined as below:

    #define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
    #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))

    static unsigned char constant_time_eq_8(unsigned a, unsigned b)
    {
        unsigned c = a ^ b;
        c--;
        return DUPLICATE_MSB_TO_ALL_8(c);
    }

OpenSSL 1.0.2d has the function constant_time_eq_8 defined as below.

    static inline unsigned int constant_time_msb(unsigned int a)
    {
        return 0 - (a >> (sizeof(a) * 8 - 1));
    }

    static inline unsigned int constant_time_is_zero(unsigned int a)
    {
        return constant_time_msb(~a & (a - 1));
    }

    static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
    {
        return constant_time_is_zero(a ^ b);
    }

    static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
    {
        return (unsigned char)(constant_time_eq(a, b));
    }

Regards
Jaya

On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <m...@openssl.org> wrote:
> On 04/12/15 11:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> >
> > Thanks a lot for the response.
> >
> > > Is your application a client or a server? Are both ends using
> > > OpenSSL 1.0.2d? If not, what is the other end using?
> >
> > Our device has both TLS client and server apps. As client, the device
> > communicates with a RADIUS server, LDAP server etc. As server, the
> > device is accessed using various web browsers.
> > Hence both ends will not be OpenSSL 1.0.2d.
> >
> > > How exactly are you doing that? Which specific cipher are you seeing fail?
> >
> > We have provided a user option to select TLS protocol versions similar
> > to the browsers. Depending upon the user configuration we set the protocol
> > flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> > context using SSL_CTX_clear_options/SSL_CTX_set_options.
> > We have provided a user option to choose ciphers as well.
> > All these are in the application space, no changes have been done and
> > they have been working well with OpenSSL 1.0.1c. Only the library is
> > upgraded to OpenSSL 1.0.2d. I have used AES256-CBC and AES128-CBC ciphers
> > and with both the ciphers the issue is seen.
> >
> > > Are you able to provide a packet capture?
> >
> > Please find the attached traces for server mode.
> >
> > > What O/S is this on?
> >
> > This is built for WinCE and VxWorks.
>
> Thanks. Please could you also send the exact patch that you applied that
> resolved the issue?
>
> Matt
Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi Jakob,

CPU is ARMARCH4. WinCE version is 6.0. I will get the compiler details shortly.

Regards
Jaya

On Fri, Dec 4, 2015 at 6:05 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
> For clarity, which version of WinCE, and which CPU (Arm,
> MIPS, PPC, x86, SH3, SH4, ...)?
>
> Which Microsoft Compiler version (EVC3, EVC4, one of the
> Visual Studio projects, 3rd party compiler) and which
> exact compiler version (reported by running the compiler
> executable (named according to CPU) with no arguments.
>
> I ask because your proposed fix may be affected by compiler and/or CPU
> quirks.
>
> On 04/12/2015 12:31, Jayalakshmi bhat wrote:
> > Hi Matt,
> > Thanks a lot for the response.
> > Is your application a client or a server? Are both ends using OpenSSL 1.0.2d?
> If not, what is the other end using?
> >> Our device has both TLS client, server apps. As client, device
> communicates with radius server, LDAP server etc. As server device is
> accessed using various web browsers.
> Hence both the end will not be OpenSSL 1.0.2d.
> > How exactly are you doing that? Which specific cipher are you seeing fail?
> >> We have provided user option to select TLS protocol versions similar to
> the browsers. Depending upon the user configurations we set the protocol
> flags (SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL
> context using SSL_CTX_clear_options/SSL_CTX_set_options.
> >> We have provided user option to choose ciphers as well.
> All these are in the application space, no changes have been done and they
> have been working good with OpenSSL 1.0.1c. Only the library is upgraded to
> OpenSSL 1.0.2d. I have used AES256-CBC and AES128 CBC ciphers and with
> both the ciphers issue is seen.
> > Are you able to provide a packet capture?
> >> Please find the attached traces for server mode.
> What O/S is this on?
> >> This is built for WinCE and Vxworks
>
> Regards
> Jaya
>
> On Fri, Dec 4, 2015 at 3:02 PM, Matt Caswell <m...@openssl.org> wrote:
>> Hello Jaya
>>
>> We're going to need some more information. There isn't a generic problem
>> with CBC ciphers and TLS1.0 in 1.0.2d (it's working fine for me) - so
>> there is something specific about your environment that is causing the
>> issue. Comments inserted below.
>>
>> On 04/12/15 06:53, Jayalakshmi bhat wrote:
>> > Hi All,
>> >
>> > Recently we have ported OpenSSL 1.0.2d. Everything works perfect except
>> > the below explained issue.
>>
>> Is your application a client or a server? Are both ends using OpenSSL
>> 1.0.2d? If not, what is the other end using?
>>
>> > When we enable only TLS 1.0 protocol and select CBC ciphers,
>>
>> How exactly are you doing that? Which specific cipher are you seeing fail?
>>
>> > Now my question is whatever I did is it correct?
>>
>> That would not be a recommended solution
>>
>> > Or Do need to replace
>> > complete s3_cbc.c with OpenSSL 1.0.1e?
>>
>> No. You cannot just copy and paste stuff from 1.0.1 to 1.0.2.
>>
>> Some other questions:
>>
>> Are you able to provide a packet capture?
>> How did you build OpenSSL...i.e. what "Configure" options did you use?
>> What O/S is this on?
>>
>> Matt
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d
Hi All,

Recently we have ported OpenSSL 1.0.2d. Everything works perfect except the below explained issue.

When we enable only TLS 1.0 protocol and select CBC ciphers, TLS handshake fails with the error "bad record mac". Error is in function static int ssl3_get_record(SSL *s). Error happens at

    if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)

CRYPTO_memcmp is failing. I debugged further. I replaced constant_time_eq_8 usage in s3_cbc.c with the implementation available in OpenSSL 1.0.1e. Things worked fine. OpenSSL 1.0.2d has this implementation in constant_time_locl.h. OpenSSL 1.0.1e has this implementation local to s3_cbc.c.

Now my question is: whatever I did, is it correct? Or do I need to replace complete s3_cbc.c with OpenSSL 1.0.1e?

Regards
Jaya
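The two constant_time_eq_8 variants quoted in the reply above (the 1.0.1e one built on DUPLICATE_MSB_TO_ALL and the 1.0.2d one built on constant_time_msb) and the CRYPTO_memcmp check in ssl3_get_record that this question is about are put side by side in the added example below. It is not code from the thread or from OpenSSL's tree: the functions are renamed copies of the quoted definitions, ct_memcmp is a stand-in written here in the style of CRYPTO_memcmp, and count_eq8_mismatches checks both variants against plain == over every byte pair, which is the operand range the record layer actually passes. The point it makes is that the 1.0.1e version depends on an arithmetic right shift of a signed int, while the 1.0.2d version uses only unsigned shifts; on a conforming compiler both agree on this input range.

```c
/* Added example (not from the thread or from OpenSSL's source tree): the
 * two constant_time_eq_8 implementations quoted in the thread, side by side,
 * a CRYPTO_memcmp-style constant-time buffer compare, and a check that all
 * of them behave as the record-layer MAC check expects. */
#include <stddef.h>
#include <stdio.h>

/* OpenSSL 1.0.1e style (s3_cbc.c): smears the sign bit across the word with
 * an arithmetic right shift of a signed int. That shift is implementation-
 * defined in C, so the result depends on the compiler doing the usual thing. */
#define DUPLICATE_MSB_TO_ALL(x)   ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1)))
#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))

static unsigned char ct_eq_8_v101(unsigned a, unsigned b)
{
    unsigned c = a ^ b;
    c--;                      /* 0 wraps to all-ones; any small non-zero value stays below 2^31 */
    return DUPLICATE_MSB_TO_ALL_8(c);
}

/* OpenSSL 1.0.2d style (constant_time_locl.h): only unsigned arithmetic, so
 * no dependence on signed-shift semantics. */
static unsigned int ct_msb(unsigned int a)
{
    return 0 - (a >> (sizeof(a) * 8 - 1));     /* all-ones if the top bit is set, else 0 */
}
static unsigned int ct_is_zero(unsigned int a)
{
    return ct_msb(~a & (a - 1));               /* top bit set only when a == 0 */
}
static unsigned int ct_eq(unsigned int a, unsigned int b)
{
    return ct_is_zero(a ^ b);
}
static unsigned char ct_eq_8_v102(unsigned int a, unsigned int b)
{
    return (unsigned char)ct_eq(a, b);
}

/* Constant-time buffer compare in the style of CRYPTO_memcmp: OR together every
 * byte difference so the running time does not depend on where the first
 * mismatch is. Returns 0 when equal, non-zero otherwise. */
static int ct_memcmp(const void *in_a, const void *in_b, size_t len)
{
    const unsigned char *a = in_a, *b = in_b;
    unsigned char x = 0;
    for (size_t i = 0; i < len; i++)
        x |= a[i] ^ b[i];
    return x;
}

/* Check both eq_8 variants against plain == over every byte pair (the operand
 * range s3_cbc.c uses). Returns the number of disagreements; 0 means the two
 * versions are interchangeable on that range. */
static int count_eq8_mismatches(void)
{
    int mismatches = 0;
    for (unsigned a = 0; a < 256; a++) {
        for (unsigned b = 0; b < 256; b++) {
            unsigned char want = (a == b) ? 0xFF : 0x00;
            if (ct_eq_8_v101(a, b) != want) mismatches++;
            if (ct_eq_8_v102(a, b) != want) mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    /* Constructed sample: a 20-byte (SHA-1 sized) MAC and a copy with one bit flipped. */
    unsigned char mac[20], bad[20];
    for (int i = 0; i < 20; i++) mac[i] = bad[i] = (unsigned char)(i * 7 + 1);
    bad[19] ^= 0x01;

    printf("eq_8 mismatches over all byte pairs: %d\n", count_eq8_mismatches());
    printf("ct_memcmp(mac, mac) = %d, ct_memcmp(mac, bad) = %d\n",
           ct_memcmp(mac, mac, 20), ct_memcmp(mac, bad, 20));
    return 0;
}
```

If a toolchain produced a non-zero mismatch count for ct_eq_8_v101 but not for ct_eq_8_v102, that would point at the signed-shift behaviour of that compiler rather than at the record layer; the block is meant as that kind of quick check, not as a replacement for either OpenSSL version.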
Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Hi Matt,

Thank you for the response. I have attached the certificates details. My apology, I am not supposed to share the certificates.

We are not using X509_VERIFY_PARAM_xxx API's. We are using 4 certificates with the device.

1. Root CA - Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com

Intermediate CAs are issued by the above Root CA. Issue is seen when all 4 certificates are installed. Error happens with the intermediate CA-2. check_trust returns X509_TRUST_UNTRUSTED. However if I do not install intermediate CA-2 things work fine.

Any help is well appreciated.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <m...@openssl.org> wrote:
>
> On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > Hi Victor,
> >
> > Thanks a lot for detailed explanation.
> >
> > Our device acts as TLS/SSL client. The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get
> > connected to TLS/SSL server like sharepoint 365.
> >
> > While validating the certificate chain from server, "check_trust"
> > fails with X509_V_ERR_CERT_UNTRUSTED.
> >
> > This had been working fine with OpenSSL 1.0.1c.
> >
> > When I checked the code execution, check_trust was not being called in
> > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> >
> > That is why I wanted to know is it mandatory for the applications to
> > set X509_VERIFY_PARAM in X509_STORE_CTX
>
> Are you able to share the certificates that the server provides you
> with? Also the root certificate you are using.
>
> It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
> least want to verify the hostname through a call to
> "X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like this?
>
> Matt

ID CERTIFICATE
Version: 3
Serial Number: 4F 5D 8E A9 00 01 00 00 D8 6F
Signature Algorithm: sha1RSA
Issuer: DC=com DC=microsoft DC=corp DC=redmond CN=MSIT Machine Auth CA 2
Valid From: 4/14/2014 10:01:07 PM UTC
Valid To: 4/13/2016 10:01:07 PM UTC
Subject: C=US S=WA L=Redmond O=Microsoft CN=*.sharepoint.com
Public Key Algorithm: RSA
Public Key Length: 2048 bits
Exponent: 65537 (10001)
Extensions:
  Authority Key Identifier: KeyID=EB DB 11 5E F8 09 9E D8 D6 62 9C FD 62 9D E3 84 4A 28 E1 27
  Subject Key Identifier: F5 D0 5C 03 01 C3 D9 31 56 24 3F BF 26 4F 04 A7 D8 3C B3 CE
  Basic Constraints
  Key Usage: Data Encipherment (b0), Digital Signature, Key Encipherment (a0)
  Extended Key Usage: Client Authentication, Server Authentication
  Additional Extensions: Subject Alternative Name, CRL Distribution Points
  Subject Alternative Name: *.sharepoint.com *.sharepoint.apac.microsoftonline.com *.sharepoint.emea.microsoftonline.com *.sharepoint.microsoftonline.com
Thumbprint: 3D A0 FF 58 AF 96 A0 BE 01 BB 7E 05 65 7C D7 89 27 F9 52 98

INTERMEDIATE CA-1
Version: 3
Serial Number: 07 27 6F AE
Signature Algorithm: sha1RSA
Issuer: C=IE O=Baltimore OU=CyberTrust CN=Baltimore CyberTrust Root
Valid From: 4/25/2012 5:41:36 PM UTC
Valid To: 4/25/2020 5:40:55 PM UTC
Subject: CN=Microsoft Internet Authority
Public Key Algorithm: RSA
Public Key Length: 4096 bits
Exponent: 65537 (10001)
Extensions:
  Authority Key Identifier: KeyID=E5 9D 59 30 82 47 58 CC AC FA 08 54 36 8
[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Hi All,

In earlier version of OpenSSL (i.e. OpenSSL 1.0.1c) X509_verify_cert had a check "if (params->trust > 0)" before invoking check_trust function. This has been removed in OpenSSL 1.0.2d. Does it mean applications are expected to set the X509_VERIFY_PARAM properly?

Our application works fine in OpenSSL 1.0.1c. In OpenSSL 1.0.2d app fails with X509_TRUST_UNTRUSTED error. I added the check "if (params->trust > 0)" before invoking the check_trust API and functionality worked fine.

Any help on this is well appreciated.

Regards
Jayalakshmi
Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Hi Viktor,

Thank you for the response. This is the code snippet from OpenSSL 1.0.2d.

int X509_verify_cert(X509_STORE_CTX *ctx)
{
    /* we now have our chain, lets check it... */
    i = check_trust(ctx);

    /* If explicitly rejected error */
    if (i == X509_TRUST_REJECTED)
        goto end;
}

This is code snippet from OpenSSL 1.0.1c

int X509_verify_cert(X509_STORE_CTX *ctx)
{
    /* The chain extensions are OK: check trust */
    if (param->trust > 0)
        ok = check_trust(ctx);
}

I am talking about "if (param->trust > 0)" that seems to have been removed in OpenSSL 1.0.2d.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 1:26 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote:
>
> > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a
> > check "if (params->trust >0)" before invoking check_trust function.
>
> The OpenSSL source code is available via git:
>
> https://github.com/openssl/openssl.git
>
> The branch containing 1.0.2c and 1.0.2d is "OpenSSL_1_0_2-stable".
>
> Can you point to the commit that makes the change in question?
>
> > This has been removed in OpenSSL 1.0.2d. Does it mean applications are
> > expected to set the X509_VERIFY_PARAM properly?
>
> I don't see any changes that match your description.
>
> --
> Viktor.
Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Hi Victor,

Thanks a lot for detailed explanation.

Our device acts as TLS/SSL client. The device receives chain of certificates as part of SSL handshake, when it is trying to get connected to TLS/SSL server like sharepoint 365.

While validating the certificate chain from server, "check_trust" fails with X509_V_ERR_CERT_UNTRUSTED.

This had been working fine with OpenSSL 1.0.1c.

When I checked the code execution, check_trust was not being called in OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.

That is why I wanted to know is it mandatory for the applications to set X509_VERIFY_PARAM in X509_STORE_CTX.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 11:40 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
> > On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> >
> > This is code snippet from OpenSSL 1.0.1c
> >
> > int X509_verify_cert(X509_STORE_CTX *ctx) {
> >
> >     /* The chain extensions are OK: check trust */
> >
> >     if (param->trust > 0) ok = check_trust(ctx);
> > }
> >
> > I am talking about "if (param->trust > 0)" that seems to removed in
> OpenSSL 1.0.2d.
>
> Well this code was removed in 1.0.2d, rather the code in question was
> removed via
>
> commit d65b8b2162f33ac0d53dace588a0847ed827626c
> Author: Ben Laurie <b...@openssl.org>
> Date: Fri Dec 14 12:53:53 2012 +
>
>     Backport OCSP fixes.
>
> More than 2 years before the first OpenSSL 1.0.2 release:
>
> commit 4ac0329582829f5378d8078c8d314ad37db87736
> Author: Matt Caswell <m...@openssl.org>
> Date: Thu Jan 22 16:12:26 2015 +
>
>     Prepare for 1.0.2 release
>
>     Reviewed-by: Stephen Henson <st...@openssl.org>
>
> http://openssl.org/news/newslog.html
>
> Date         Item
> 09-Jul-2015  Security Advisory: one security fix
> 09-Jul-2015  OpenSSL 1.0.2d is now available, including bug and security fixes
> 09-Jul-2015  OpenSSL 1.0.1p is now available, including bug and security fixes
> 06-Jul-2015  OpenSSL 1.0.2d and 1.0.1p security releases due 9th July 2015
> 12-Jun-2015  New releases to resolve ABI compatibility problems:
> 12-Jun-2015  OpenSSL 1.0.2c is now available, including bug fixes
> 12-Jun-2015  OpenSSL 1.0.1o is now available, including bug fixes
> 11-Jun-2015  Security Advisory: five security fixes
> 11-Jun-2015  OpenSSL 1.0.2b is now available, including bug and security fixes
> 11-Jun-2015  OpenSSL 1.0.1n is now available, including bug and security fixes
> 11-Jun-2015  OpenSSL 1.0.0s is now available, including bug and security fixes
> 11-Jun-2015  OpenSSL 0.9.8zg is now available, including bug and security fixes
> 19-Mar-2015  Security Advisory: twelve security fixes
> 19-Mar-2015  OpenSSL 1.0.2a is now available, including bug and security fixes
> 19-Mar-2015  OpenSSL 1.0.1m is now available, including bug and security fixes
> 19-Mar-2015  OpenSSL 1.0.0r is now available, including bug and security fixes
> 19-Mar-2015  OpenSSL 0.9.8zf is now available, including bug and security fixes
> 22-Jan-2015  OpenSSL 1.0.2 is now available, a major release
>
> You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> (all upstream versions) is not working the way you expect.
>
> --
> Viktor.
Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Hi Victor,

First thing, kindly note that I am talking about OpenSSL-1.0.1c, not about OpenSSL 1.0.2c. So far we were using OpenSSL-1.0.1c and server validation was working fine. Recently we upgraded the OpenSSL library to OpenSSL-1.0.2d. Also we have not done any modification to the SSL client application that is using the OpenSSL library. We started seeing server certificate validation failures only for chain of certificate, i.e. rootca->intermediate ca->id certificate. We are not seeing any issues when only rootca->certificate is used.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 12:35 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:
>
> > > You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> > > (all upstream versions) is not working the way you expect.
>
> On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
>
> > Our device acts as TLS/SSL client. The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get connected
> > to TLS/SSL server like sharepoint 365.
>
> This is not a plausibly detailed explanation of how you're using
> OpenSSL in your device.
>
> > While validating the certificate chain from server, "check_trust" fails
> > with X509_V_ERR_CERT_UNTRUSTED.
>
> OpenSSL 1.0.2 is broadly used, with no similar problem reports.
> You're probably doing something atypical, and need to explain in
> technical detail how you're configuring certificate verification.
>
> > This had been working fine with OpenSSL 1.0.1c.
>
> You can download http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz
> for yourself and check that the code you claim to make the difference
> is simply not there. If 1.0.2c is working and 1.0.2d is not, either
> you're using a modified 1.0.2c (seek support from whoever made the
> changes) or the problem lies elsewhere.
>
> > When I checked the code execution, check_trust was not being called in
> > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
>
> This is simply irrelevant, the change in question predates the
> 1.0.2 base version.
>
> > That is why I wanted to know is it mandatory for the applications to
> > set X509_VERIFY_PARAM in X509_STORE_CTX
>
> The question has a false premise and so makes no sense. Rather
> you need to forget about (param->trust) and focus on why your
> application is failing to verify the peer certificate.
>
> --
> Viktor.
[openssl-users] CBC mode is not working in OpenSSL 1.0.2d
Hi All,

I have ported OpenSSL 1.0.2d on our product. After that CBC mode is not working. Handshakes are failing with bad mac alert failure. When I checked the code, mac retrieved from ssl3_cbc_copy_mac does not match with the calculated mac.

Any help on this is appreciated.

Thanks and Regards
Jayalakshmi
[openssl-users] CBC mode does not work on OpenSSL 1.0.2d
Hi All,

I have ported OpenSSL 1.0.2d on our device. When I am using any cipher (AES, 3DES) in CBC mode I am ending with the result SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC in SSL_F_SSL3_GET_RECORD function. TLS 1.2 is working fine with AES_GCM ciphers.

Has anyone faced this issue? Any help is appreciated.

Thanks and Regards
Jayalakshmi
[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).
Hello all,

I have a question on FIPS. We have OpenSSL FIPS module integrated with our product. We have an option to enable/disable FIPS at run time. We are executing the following OpenSSL API's every time when FIPS status changes.

{
    We have mapped OpenSSL crypto locks to mutex internally. Hence we delete it and create it every time when FIPS status changes.
    ERR_free_strings()
    ERR_remove_state(0);
    EVP_cleanup();
    SSL_library_init()
    SSLeay_add_all_algorithms()
}

Without executing this we are hitting the error, error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our approach is correct?

Regards
Jayalakshmi
Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).
Hi Tom,

Thanks a lot for clarifying the doubt.

Regards
Jayalakshmi

On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis...@pobox.com> wrote:
>
> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <bhat.jayalaks...@gmail.com> wrote:
> >
> > Hello all,
> >
> > I have a question on FIPS. We have OpenSSL FIPS module integrated with
> our product. We have an option to enable/disable FIPS at run time. We are
> executing the following openSSL API's every time when FIPS status changes.
>
> Typically, this is not allowed; you must restart your application in order
> to switch in or out of FIPS approved mode. Your customer’s auditor (or
> your auditor) may believe differently, but my former employer had auditors
> make it very clear that an application must never switch into or out of
> FIPS approved mode without restarting the application (and most of the
> auditors wanted us to require the user to reboot their entire system to
> make the switch; fortunately they were willing to allow the application
> with just an extra note recommending the user reboot after modifying the
> setting).
>
> > {
> > We have mapped OpenSSL crypto locks to mutex internally. Hence we
> delete it and create it every time when FIPS status changes.
> > ERR_free_strings()
> > ERR_remove_state(0);
> > EVP_cleanup();
> > SSL_library_init()
> > SSLeay_add_all_algorithms()
> > }
> >
> > Without executing this we are hitting the error,
> error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our
> approach is correct?
>
> IIRC you should be able to switch in and out of FIPS approved mode by
> simply calling FIPS_mode_set() with the appropriate argument. I know this
> worked with the FIPS 1.2 module, but I never bothered to try it with the
> 2.0 module (see above about allowed uses). I wouldn’t recommend trying to
> uninitialize and re-initialize OpenSSL, though — while probably safe, it
> seems like a bad idea. If this is a long-running program that can do
> multiple things at a time, it’s definitely a bad idea to allow a toggle
> like that — someone might’ve started a task, then turned on FIPS approved
> mode — if the task hasn’t done anything with OpenSSL yet, it’ll probably be
> done with FIPS approved mode, but was that the user’s intent? I’d
> recommend that when a user changes the setting, you store the setting and
> inform the user that the new setting will take effect only after restarting
> the application.
>
> I really doubt you’ll be allowed to switch FIPS approved mode on and off
> with just a simple toggle (even if it works technically).
>
> > Regards
> > Jayalakshmi
[openssl-users] question on Alternative chains certificate forgery (CVE-2015-1793)
Hi All,

Does the alternative chains certificate forgery issue affect the OpenSSL stacks earlier than the 1.0.1n releases? Why I am asking this question is that the affected code seems to be available in earlier versions as well.

Thanks and Regards
Jayalakshmi
Re: [openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)
Hi Steve,

Thanks a lot for the response. We are not using SSL 3.0. It is completely disabled in the stack. This issue is happening in TLS 1.0 / TLS 1.2 both. We are using OpenSSL 1.0.1c. I did not try using s_client. However I found the issue is fixed with the latest release of OpenSSL 1.0.2d. API's changed are EVP_MD_flags from evp_lib.c and pkey_fips_check_ctx from rsa_pmeth.c.

Regards
Jayalakshmi

On Fri, Jul 17, 2015 at 4:20 AM, Dr. Stephen Henson st...@openssl.org wrote:

On Thu, Jul 16, 2015, Jayalakshmi bhat wrote:

Hi All, I am using OpenSSL library for a SSL client performing mutual authentication. RSA certificate used is signed with SHA512 digest. When I switch to FIPS mode and perform re-authentication, I am hitting an error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA. Can anyone tell me what could be the possible issue?

A bit more information would be helpful. When you say SSL client do you mean using SSL v3.0 or TLS? SSL 3.0 isn't allowed in FIPS mode but I'd expect a different error. Which version of OpenSSL are you using? Can you reproduce the error using s_client?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158)
Hi All,

I am using OpenSSL library for a SSL client performing mutual authentication. RSA certificate used is signed with SHA512 digest. When I switch to FIPS mode and perform re-authentication, I am hitting an error :0409A09E:lib(4):func(154):reason(158). Cipher used is AES128-SHA. Can anyone tell me what could be the possible issue?

Thanks and Regards
Jayalakshmi
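The error reported in this thread, error:0409A09E:lib(4):func(154):reason(158), is a packed OpenSSL 1.0.x error code, and the three numbers after it are simply its fields. The added example below (written for this page, not code from the thread or from OpenSSL) decodes such a code using the field layout of ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON in OpenSSL 1.0.x err.h (8-bit library number, 12-bit function number, 12-bit reason number) and parses the text form that ERR_error_string produces. The library-number names in err_lib_name are the 1.0.x ERR_LIB_* values; lib 4 is ERR_LIB_RSA, which is consistent with the poster's later note that the fix touched rsa_pmeth.c. Function and reason names are version specific and are left as numbers here.

```c
/* Added example (not from the thread): decode a packed OpenSSL 1.0.x error
 * code into its lib/func/reason fields, following the bit layout used by
 * ERR_PACK/ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON in OpenSSL 1.0.x err.h. */
#include <stdio.h>
#include <string.h>

struct ossl_err {
    unsigned long code;
    int lib, func, reason;
};

/* Field extraction, same shifts and masks as the 1.0.x macros. */
static int err_get_lib(unsigned long e)    { return (int)((e >> 24) & 0xff);  }
static int err_get_func(unsigned long e)   { return (int)((e >> 12) & 0xfff); }
static int err_get_reason(unsigned long e) { return (int)(e & 0xfff);         }

/* Names for a few ERR_LIB_* numbers from OpenSSL 1.0.x err.h; anything not
 * listed is reported by number only. */
static const char *err_lib_name(int lib)
{
    switch (lib) {
    case 3:  return "BN";
    case 4:  return "RSA";
    case 6:  return "EVP";
    case 9:  return "PEM";
    case 11: return "X509";
    case 13: return "ASN1";
    case 20: return "SSL";
    default: return "unknown";
    }
}

static struct ossl_err decode_err_code(unsigned long e)
{
    struct ossl_err r;
    r.code   = e;
    r.lib    = err_get_lib(e);
    r.func   = err_get_func(e);
    r.reason = err_get_reason(e);
    return r;
}

/* Parse the text form ERR_error_string() produces ("error:0409A09E:...").
 * Returns 1 and fills *out on success, 0 if the "error:<hex>:" prefix is absent. */
static int parse_err_string(const char *s, struct ossl_err *out)
{
    unsigned long e;
    if (sscanf(s, "error:%lx:", &e) != 1)
        return 0;
    *out = decode_err_code(e);
    return 1;
}

/* Convenience for callers that want a single field of a parsed string:
 * which = 0 for lib, 1 for func, 2 for reason; -1 when the string does not parse. */
static int parsed_field(const char *s, int which)
{
    struct ossl_err r;
    if (!parse_err_string(s, &r))
        return -1;
    return which == 0 ? r.lib : which == 1 ? r.func : r.reason;
}

int main(void)
{
    /* The string from the thread; the lib/func/reason values it carries are
     * exactly what the decoder must reproduce from the hex code alone. */
    struct ossl_err r;
    if (parse_err_string("error:0409A09E:lib(4):func(154):reason(158)", &r))
        printf("code %08lX -> lib %d (%s), func %d, reason %d\n",
               r.code, r.lib, err_lib_name(r.lib), r.func, r.reason);
    return 0;
}
```

Decoding the code this way is useful when a device build has been compiled without error strings (as embedded builds often are) and ERR_error_string only prints the numeric form; the library and reason numbers can then be looked up in the err.h and rsa.h of the exact OpenSSL version in use.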
[openssl-users] a question on SSL_MAX_BUF_FREELIST_LEN_DEFAULT
Hi All,

We are using OpenSSL on a multihome device. Device has 4 interfaces. Each network interface creates one SSL context (SSL_CTX) and supports 16 connections. As per OpenSSL implementation each SSL context can maintain a free buffer list of 32, and this is retained till the SSL context (SSL_CTX) is deleted.

I wanted to know is there any reason behind defining

    #define SSL_MAX_BUF_FREELIST_LEN_DEFAULT 32

Can I reduce it to say 4 or some smaller value? Also can I use OpenSSL_malloc/OpenSSL_free instead of freelist_extract/freelist_insert in ssl3_setup_read_buffer/ssl3_setup_write_buffer? Are there any side effects?

Any help is appreciated. Thanks in advance.

Regards
Jayalakshmi
Re: [openssl-users] Encryption and Decryption using ECC based certificate private/public key pair
Hi Jeff,

Thanks a lot for the detailed explanation. Since I have a requirement to use the certificate public/private keys for encryption/decryption I believe I should be able to use ECDHE based approach.

Regards
Jayalakshmi

On Sun, Apr 26, 2015 at 11:41 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Mon, Apr 27, 2015 at 12:54 AM, Jayalakshmi bhat bhat.jayalaks...@gmail.com wrote:

Hello All, I am working on a project where there is need to encrypt and decrypt certain data using certificate public/private key pair. So far we were using RSA based certificates. OpenSSL provides good number of API's for RSA based encryption/decryption operation. Now we are planning to support ECDSA based certificates also. I am not able to find any encryption/decryption API's in EC context. I wanted to know are there any encryption/decryption API's using ECDSA based public/private key pair. Or is there any sample code I can look into.

ECDSA is a signing algorithm used for authentication. If you want to encrypt/decrypt, then you need something else.

In the case of SSL/TLS, the something else is ECDHE. A shared secret drops out of the ECDHE key exchange, and that's used to key a channel for bulk encryption. The ECDSA signature authenticates ECDHE parameters so you know they are authentic (i.e., from the party who you expect, and not an adversary).

In addition to ECDHE, another choice is the MQV family of key exchanges. It's a family now because MQV leaked some information about the private exponent, so Krawczyk provided Hashed MQV (HMQV). HMQV was later improved by Sarr, Elbaz–Vincent, and Bajard with Fully Hashed MQV (FHMQV).

As far as encryption systems outside of SSL/TLS, check out Elliptic Curve Integrated Encryption Scheme (ECIES). You can do bulk encryption and decryption with it also. But it does not use an ECDSA key per se; rather, it's just an ecPublicKey ASN.1 type.

ECIES is a Diffie-Hellman based integrated scheme that combines a Key Encapsulation Mechanism (KEM) with a Data Encapsulation Mechanism (DEM). The output is a 3-tuple {K,C,T}, where K is an encrypted shared secret (lots of hand waving), C is the cipher text and T is an authentication tag. In ECIES, K is really half of an ECDHE exchange with an ephemeral key. To recover the encrypted shared secret, the person doing the decryption uses their long term static key to perform the other half of the key exchange, and that's the shared secret. The shared secret is then digested with a KDF and used to key a stream cipher and an HMAC.

Jeff
[openssl-users] Encryption and Decryption using ECC based certificate private/public key pair
Hello All,

I am working on a project where there is need to encrypt and decrypt certain data using certificate public/private key pair. So far we were using RSA based certificates. OpenSSL provides good number of API's for RSA based encryption/decryption operation. Now we are planning to support ECDSA based certificates also. I am not able to find any encryption/decryption API's in EC context.

I wanted to know are there any encryption/decryption API's using ECDSA based public/private key pair. Or is there any sample code I can look into.

Thanks and Regards
Jayalakshmi
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Kyle,

Thanks a lot for detailed explanation, it helped me lots.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 2:44 AM, Kyle Hamilton aerow...@gmail.com wrote:

On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:

Thanks a lot for the explanation. We have range of products that provides network connectivity. 1. On these we would be using TPM to provide additional security. 2. On the products that are bit slow in software cryptographic operation, we also would be using hardware acceleration chips, that would do crypto operations.

I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.

For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)

In this post I wanted to know to support an hardware accelerator that supports FIPS enabled algorithms implemented apart from supporting the hardware from OpenSSL side, do we need to make changes in FIPS module as well.

If I understand you correctly, you wish to alter the FIPS canister to offload time-consuming operations to hardware acceleration. If this understanding is correct, I must regretfully inform you that it cannot legitimately be done. Oh, sure, you can technically do it -- but it would be a modification of the black box, and require a new validation. (I don't believe that such an implementation could in fact be validated, though I could be wrong. I am not an expert. But even if it can be, it cannot be validated with a private-label validation and would cost upwards of $200,000 to validate.)

Remember, the FIPS canister *as written* is the only way to legitimately have FIPS mode from OpenSSL. Once FIPS mode is set, only cryptographic operations which are provided by the FIPS canister can be performed, and only by the unmodified code within the FIPS canister. It cannot be offloaded, because the FIPS canister cannot be modified to perform the offloading. Also, by offloading, you change the boundaries of the cryptographic provider to include additional, unverified, and quite possibly incorrect functionality.

To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it. You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.

Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.

-Kyle H

Both posts look similar. I apologize, I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.

Regards
Jayalakshmi
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Jakob,

Thank you very much for the detailed and helpful explanation.

Regards
Jayalakshmi

On Sun, Jul 6, 2014 at 9:32 PM, Jakob Bohm jb-open...@wisemo.com wrote:

> On 7/6/2014 10:44 AM, Kyle Hamilton wrote:
>
> > On 7/5/2014 10:51 AM, Jayalakshmi bhat wrote:
> >
> > > Thanks a lot for the explanation. We have a range of products that provide network connectivity.
> > > 1. On these we would be using TPM to provide additional security.
> > > 2. On the products that are a bit slow in software cryptographic operations, we would also be using hardware acceleration chips that would do crypto operations.
> >
> > I'm going to guess that you are grouping these into class 1 (related to the TPM) and class 2 (related to offloading). Since you already have a thread for class 1, I'll only respond to your class 2 questions here.
> >
> > For background, FIPS is basically a specific mode of operation for US Federal agencies, and is targeted specifically to Federal procurement mandates. In government systems which are actually required to use FIPS mode, you are not allowed to use any crypto services (whether from OpenSSL or from any other device) that don't use an approved FIPS mode of operation. No other people actually *need* FIPS mode. (I tend to use it whenever I can because it tends to reduce crypto container information leakage, and also makes it more likely that the cryptography is correct and interoperable.)
>
> (In the case of OpenSSL, this actually wins you very little).
>
> Let me try to approach this from a different angle.
>
> LEGALLY: If you have the luxury of having more than one FIPS validated device available to you, you probably (ask a lawyer to be absolutely sure) can use all of them together. However, to claim FIPS compliance of the resulting application, you must not do any cryptography outside those devices, and it must be impossible for the FIPS-mode variant of your application to fall back to any non-validated implementations in case of errors etc.
>
> Additionally you may or may not (really, ask a lawyer) be legally (not technically) required to treat any keys, passwords etc. handed from one device to another AS IF those keys were traveling over an insecure connection, even though they never leave your process address space on an EAL-whatever-level certified operating system on an EAL-whatever-level certified computer.
>
> TECHNICALLY: If you want to combine the use of multiple FIPS validated devices, one of which happens to be the OpenSSL FIPS canister, and another one a piece of hardware accessed using an OpenSSL Engine, it is an open technical question if the FIPS-enabled OpenSSL (which is legally outside both devices and /can/ be changed) will correctly combine use of the OpenSSL FIPS canister with the ENGINE for accessing the hardware device, or if it will somehow fail to do so.
>
> For instance, I am unsure what happens if the ENGINE plugin for the FIPS validated hardware device calls back to OpenSSL for cryptographic operations outside the scope of that device (it might do that because that piece of hardware is also used outside USGov and the ENGINE code was written for that case). Will OpenSSL pass the calls to the FIPS canister (if in FIPS mode) or use the non-validated software implementations?
>
> I am also unsure if the FIPS-enabled OpenSSL library allows use of Engines when (runtime) configured in FIPS mode.
>
> Finally, /if/ it is legally required to go through additional gymnastics when transporting parameters from one FIPS device to another, I am unsure if the FIPS-enabled OpenSSL library will do so when the transport is internal to OpenSSL and its ENGINE plugins.
>
> > To see the requirements of FIPS 140-2, I recommend you download the five pieces of the specification itself from http://csrc.nist.gov/publications/PubsFIPS.html . It is written in bureaucratese, and you'll likely need several servings of alcohol to get through it.
> >
> > You should also read FIPS 200, which describes the minimum security requirements for federal information and the systems used to process federal information. You'll probably want to budget several servings of alcohol for this one, too.
> >
> > Once you read these, you'll have a much stronger understanding of how incredibly foreign the US federal government's policy on cryptography is to the rest of society. And remember: for US federal procurement, these are law, and the law cannot be ignored or violated just because it would make things faster or easier. US government doesn't really care about how long it takes, US government cares that it is done correctly.
> >
> > -Kyle H
> >
> > > Both posts look similar. I apologize, I should have clearly mentioned these 2 posts are in different contexts. Thanks a lot.
> > > Regards
> > > Jayalakshmi
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors
OpenSSL engine support in OpenSSL FIPS Object Module
Hi All,

We want to support a hardware accelerator on our device. We are using OpenSSL with the OpenSSL FIPS Object Module. I wanted to know if we can add engine support in the OpenSSL FIPS Object Module. I welcome all valuable inputs.

Regards
Jayalakshmi.
Re: OpenSSL engine support in OpenSSL FIPS Object Module
Hi Steve,

Thanks a lot for the explanation. We have a range of products that provide network connectivity.

1. On these we would be using TPM to provide additional security.
2. On the products that are a bit slow in software cryptographic operations, we would also be using hardware acceleration chips that would do crypto operations.

In my previous post related to TPM, I asked how to deal with non-FIPS compliant TPM chips, and whether it needs any change in the FIPS module, size etc. In this post I wanted to know: to support a hardware accelerator that supports FIPS enabled algorithms, apart from supporting the hardware from the OpenSSL side, do we need to make changes in the FIPS module as well?

Both posts look similar. I apologize, I should have clearly mentioned these 2 posts are in different contexts.

Thanks a lot.

Regards
Jayalakshmi

On Sat, Jul 5, 2014 at 10:46 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Sat, Jul 05, 2014, Jayalakshmi bhat wrote:
>
> > Hi All,
> >
> > We want to support a hardware accelerator on our device. We are using OpenSSL with the OpenSSL FIPS Object Module. I wanted to know if we can add engine support in the OpenSSL FIPS Object Module.
>
> If you literally mean adding ENGINE support to the OpenSSL FIPS Object Module then you can, but it would IMHO be a pointless exercise. The ENGINE code was stripped out to keep the number of dependencies down in the module.
>
> If you mean add ENGINE support to the FIPS capable OpenSSL then you don't need to, as ENGINE support is already there.
>
> I suggest you explain exactly what you want to do.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
TPM support with OpenSSL FIPS Object Module
Hi All,

We are using OpenSSL 1.0.1c along with the OpenSSL FIPS Object Module in our product. Recently we have added TPM support. The TPM chip is not FIPS compliant. Hence, in FIPS mode none of the SSL applications are working. I wanted inputs on the following questions. I would be grateful to receive any help.

1. According to the FIPS user guide (*OpenSSL FIPS 140-2 User Guide: 2.6.2 Algorithms Available in FIPS Mode*), with the current TPM chip we cannot make the device FIPS compliant. Is my understanding correct?
2. Say if we move to a FIPS compliant TPM chip, do we have to add engine support in the OpenSSL FIPS Object Module?
3. What are the alternative methods to support TPM in FIPS mode?

Thanks and Regards
Jayalakshmi
Re: TPM support with OpenSSL FIPS Object Module
Hi Steve,

Thank you very much for the response. I have one more question. In order to use a FIPS 140-2 certified TPM hardware in an OpenSSL FIPS enabled environment, do I have to add engine support in the OpenSSL FIPS Object Module and go for a private label?

Regards
Jayalakshmi

On Fri, Jul 4, 2014 at 8:36 PM, Steve Marquess marqu...@opensslfoundation.com wrote:

> On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote:
>
> > On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
> >
> > > Hi All,
> > >
> > > We are using OpenSSL 1.0.1c along with the OpenSSL FIPS Object Module in our product. Recently we have added TPM support. The TPM chip is not FIPS compliant. Hence, in FIPS mode none of the SSL applications are working. I wanted inputs on the following questions. I would be grateful to receive any help.
> > >
> > > 1. According to the FIPS user guide (*OpenSSL FIPS 140-2 User Guide: 2.6.2 Algorithms Available in FIPS Mode*), with the current TPM chip we cannot make the device FIPS compliant. Is my understanding correct?
> >
> > If the TPM chip is not FIPS compliant then nothing you can do will change that.
>
> Keep in mind that at Level 1 it isn't the device that is FIPS 140-2 validated, but rather the cryptography that it uses (in the form of one or more FIPS 140-2 validated cryptographic modules). You meet the USG/DoD procurement requirements for FIPS 140-2 validated crypto when *all* of the crypto your device/product/application uses is FIPS 140-2 validated.
>
> As a *practical* matter you may gain some advantage with *some* USG/DoD customers if only *some* of the crypto used by your device/product/application is validated, but you aren't truly in compliance with those procurement requirements and don't want to represent yourself as such. Note that this partial use of validated crypto does appear to be rather common, albeit improper. For instance, any vendor who ships a turnkey product based on Linux or Android is probably not using FIPS 140-2 validated crypto exclusively, as there are (at present) no open source based validated implementations of kernel crypto as used by the kernel itself and by protocols like IPsec.
>
> So you really need to let your marketing and senior management folks make the call.
>
> -Steve M.
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
> gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
Re: TPM support with OpenSSL FIPS Object Module
Hi Steve,

Thanks a lot for the reply. I have one more question. In order to use a FIPS 140-2 certified TPM hardware in an OpenSSL FIPS enabled environment, do I have to add engine support in the OpenSSL FIPS Object Module and go for a private label?

Regards
Jayalakshmi

On Fri, Jul 4, 2014 at 8:14 PM, Dr. Stephen Henson st...@openssl.org wrote:

> On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
>
> > Hi All,
> >
> > We are using OpenSSL 1.0.1c along with the OpenSSL FIPS Object Module in our product. Recently we have added TPM support. The TPM chip is not FIPS compliant. Hence, in FIPS mode none of the SSL applications are working. I wanted inputs on the following questions. I would be grateful to receive any help.
> >
> > 1. According to the FIPS user guide (*OpenSSL FIPS 140-2 User Guide: 2.6.2 Algorithms Available in FIPS Mode*), with the current TPM chip we cannot make the device FIPS compliant. Is my understanding correct?
>
> If the TPM chip is not FIPS compliant then nothing you can do will change that.
>
> If you consider it acceptable to use non-FIPS compliant algorithms in FIPS mode then there are ways to override the non-FIPS algorithm blocking. In the case of private keys you can set appropriate flags, for example.
>
> Steve.
Re: TPM support with OpenSSL FIPS Object Module
Thanks a lot Steve for the quick response.

On Fri, Jul 4, 2014 at 10:21 PM, Steve Marquess marqu...@opensslfoundation.com wrote:

> On 07/04/2014 12:06 PM, Jayalakshmi bhat wrote:
>
> > Hi Steve,
> >
> > Thank you very much for the response. I have one more question. In order to use a FIPS 140-2 certified TPM hardware in an OpenSSL FIPS enabled environment, do I have to add engine support in the OpenSSL FIPS Object Module and go for a private label?
>
> I don't know enough about TPM to say for sure. If you have to make *any* changes to the FIPS module code (which is likely) then you would need a new validation (e.g. a private label one). That gets you into a new level of hurt, as the #1747 module (the OpenSSL FIPS Object Module v2.0) is no longer usable as-is for copycat validations.
>
> -Steve M.
FIPS support on a multi-home device
Hi All,

We have a product that has 2 network interfaces, i.e. wired and wireless. Both interfaces use a separate OpenSSL library. However, the FIPS validated OpenSSL crypto module is common to both interfaces, as shown below.

              FIPS validated OpenSSL crypto module
                   |                      |
                  \|/                    \|/
        OpenSSL library for       OpenSSL library for
          wired interface          wireless interface

My questions are as below:

1. I don't support FIPS on the wireless interface; can I still call my device FIPS compliant?
2. Is FIPS device specific?
3. Is it ok to use 2 FIPS crypto modules to enable FIPS on both wired and wireless?

Regards
Jayalakshmi