Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?
REMOTE LOGIN PROTOCOLS

A client/server model can create a mechanism that allows a user to establish a session on the remote machine and then run its applications. This application is known as remote login. This can be done by a client/server application program for the desired service. Two remote login protocols are TELNET and SSH.

TELNET Protocol

TELNET (terminal network) is a TCP/IP standard for establishing a connection to a remote system. TELNET allows a user to log in to a remote machine across the Internet by first making a TCP connection and then pass the detail of the application from the user to the remote machine. You do this to many

Sent from Mail for Windows 10

From: Blumenthal, Uri - 0553 - MITLL
Sent: Friday, April 28, 2017 4:33 PM
To: openssl-users@openssl.org
Subject: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

I’m playing with RSA-PSS signatures, and stumbled upon a few problems. I tried the OpenSSL manual pages, but still coming short of complete understanding. :-)

This is how I initialize the contexts (error handlers removed for brevity):

    ctx = EVP_PKEY_CTX_new(privkey, NULL);
    md_ctx = EVP_MD_CTX_create();
    const EVP_MD *md = EVP_sha256();
    rv = EVP_DigestInit_ex(md_ctx, md, NULL);
    rv = EVP_DigestSignInit(md_ctx, , md, NULL, privkey);

First question: do I need EVP_DigestInit_ex() there?

Second question: do I have to specify hash-function (EVP_MD*) twice? First when initializing EVP_MD_CTX, and second for EVP_DigestSignInit()?

At the end I need to dispose of both ctx and md_ctx. That leads to my third question/problem.

The code I tried (based on what the man page says: to avoid memory leak, I need to do EVP_MD_CTX_destroy(md_ctx)) crashes with SIGV:

    EVP_MD_CTX_destroy(md_ctx); // this succeeds
    EVP_PKEY_CTX_free(ctx);     // but here the code crashes

Same happens when I reverse the above order:

    EVP_PKEY_CTX_free(ctx);     // this succeeds
    EVP_MD_CTX_destroy(md_ctx); // but then this one causes crash

So what’s the correct way of freeing both of them? Or is it that because they’re sort of “bound together” by

    EVP_DigestSignInit(md_ctx, , md, NULL, privkey);

freeing one frees the other?

Thanks!
—
Regards,
Uri

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?
Maybe this should have been run in a virtual environment

Sent from Mail for Windows 10
Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write
Great article. Who is the author?

Sent from Mail for Windows 10

From: Viktor Dukhovni
Sent: Thursday, April 27, 2017 11:54 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl-users wrote:

> > Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying
> > TCP/IP socket layer) ?
>
> No. You will have to modify the code yourself.

Actually, it is possible to do the I/O in application code, using any "write some data down a socket" API of the application's choice.

    https://www.openssl.org/docs/man1.0.2/crypto/BIO_s_bio.html

In particular, the OP could use sendmsg() to move data between the SSL layer and the network. For a complete example, see network_biopair_interop() function in Postfix 2.3 (recent Postfix releases no longer use this approach).

    https://github.com/vdukhovni/postfix/blob/postfix-2.3/postfix/src/tls/tls_bio_ops.c

--
Viktor.
Re: [openssl-users] RFC2818 and subjectAltName
yes

Sent from Mail for Windows 10

From: Murray, Ronald-1 (ANF)
Sent: Wednesday, April 26, 2017 1:25 PM
To: 'openssl-users@openssl.org'
Subject: [openssl-users] RFC2818 and subjectAltName

We had an issue a few days ago when people with the newest version of Chrome were seeing security errors on our internal sites which were using SSL certificates signed with our internal CA. This turned out to be caused by Google adhering to RFC2818, which says:

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used. Although
    the use of the Common Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName instead.

Our certificates, of course, only contained the Common Name (CN), with no subjectAltName (SAN). I solved the problem by creating new certificates and hacking openssl.cnf to request a SAN in the CSR.

Now, our CA isn’t openssl-based (it’s Microsoft), but it’s occurred to me that openssl-created certificates should really include the site ID in a SAN as well as in the CN. RFC2818 has been out since May, 2000, so I’m rather surprised that this hasn’t been widely implemented before now. I note that certificates we get from Symantec have lately included a SAN, but I think that’s quite recent.

Is there any chance of this being included in openssl?
Re: [openssl-users] RFC2818 and subjectAltName
If you are asking me, by all means yes. Thanks for asking, I respect the value of honesty in world that has so very few people left.

Sent from Mail for Windows 10

From: Viktor Dukhovni
Sent: Wednesday, April 26, 2017 1:55 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] RFC2818 and subjectAltName

> On Apr 26, 2017, at 11:55 AM, Murray, Ronald-1 (ANF) wrote:
>
> Our certificates, of course, only contained the Common Name (CN), with no
> subjectAltName (SAN). I solved the problem by creating new certificates and
> hacking openssl.cnf to request a SAN in the CSR.

An appropriate openssl.cnf is the supported way to populate DNS altnames into certificates created with the req(1), x509(1) and ca(1) utilities.

> Is there any chance of this being included in openssl?

It is already included, via the openssl.cnf interface. You can also create openssl.cnf sections on the fly, without creating any persistent files, with "bash" or similar shells. See, for example:

    https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

--
Viktor.
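Added example, not part of the thread and not taken from mkcert.sh: a small script that generates the openssl.cnf text on the fly, requests a SAN in the CSR as described above, and checks that the dNSName entries end up in both the CSR and the issued certificate. The function names and the example.test host names are constructed for illustration, and a self-signature stands in for the CA step.

```shell
#!/bin/sh
# Added example; host names under example.test are constructed sample values.

# Print a minimal req(1) config. Every argument becomes a dNSName in the
# [san] section; the first argument is also used as the CN.
san_config() {
    cn=$1
    alt=""
    for name in "$@"; do alt="${alt:+$alt,}DNS:$name"; done
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = san\n'
    printf '[dn]\nCN = %s\n[san]\nsubjectAltName = %s\n' "$cn" "$alt"
}

# make_san_cert OUTDIR NAME [ALTNAME...]
# Writes key.pem, req.pem (the CSR) and cert.pem (self-signed stand-in for
# the CA) into OUTDIR. The config lives in a temp file that is removed again;
# in bash, -config <(san_config ...) avoids even that file.
make_san_cert() {
    out=$1; shift
    cfg=$(mktemp) || return 1
    san_config "$@" > "$cfg"
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$out/key.pem" -out "$out/req.pem" 2>/dev/null ||
        { rm -f "$cfg"; return 1; }
    # x509 -req does not copy extensions from the CSR by default, so the
    # same [san] section is passed again when the certificate is issued.
    openssl x509 -req -in "$out/req.pem" -signkey "$out/key.pem" -days 1 \
        -extfile "$cfg" -extensions san -out "$out/cert.pem" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# dns_names req|x509 FILE
# Print the dNSName entries of a CSR or certificate, one per line.
dns_names() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}
```

Running dns_names against the CSR before it is submitted shows whether the request actually carries the SAN, which is the condition the Chrome behaviour described in this thread depends on.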
Re: [openssl-users] ssl_pending returns 0 despite having data to read
Situation maybe a security issue

Ryan Murray

On Jan 11, 2017 4:14 PM, "Ryan Murray" <rjkmurra...@gmail.com> wrote:

> Could you give me a hand on an issue I seem to have picked up with my
> device. You and the colleagues if possible. My SamsungGalaxy s2 tablet not
> responding. Power button and display goes black and does not turn on for a
> period of time. I believe the programs running in background or in a
> rooted format has been making the device malfunction. Is there a remote
> interface we could link up and establish what the heck is happening. Lol
> Yours truly
> Ryan
>
> Ryan Murray
>
> On Jan 11, 2017 4:08 PM, "Nadia Lapkovskaya" <na...@yaymedia.com> wrote:
>
>> Hi,
>>
>> We are using openssl-1.0.2j. Noticed, that for http protocol everything
>> is working fine, but when we are using our own binary protocol ssl_pending
>> returns 0 all the time. We are using blocking socket. Tried with
>> SSL_CTX_set_read_ahead set and unset.
>>
>> Our test server sends back any info received from the client.
>>
>> Test code looks like this:
>>
>> bool write(const uint64_t* data, int count)
>> {
>>     int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
>>     return rc > 0 ? true : false;
>> }
>>
>> bool read(uint64_t* data, int count)
>> {
>>     do {
>>         int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
>>         if (rc <= 0) {
>>             int err = SSL_get_error(_ssl, rc);
>>             std::string errs = ERR_error_string(err, nullptr);
>>             return false;
>>         }
>>     } while (SSL_pending(_ssl));
>>     return true;
>> }
>>
>> During first ssl_read we received eight bytes, and after that ssl_pending
>> returns 0. If we continue reading despite having no pending data, ssl_read
>> returns the rest of the data.
>> Could you please suggest what is wrong here.
>>
>> Best regards,
>> Nadia.
Re: [openssl-users] ssl_pending returns 0 despite having data to read
Could you give me a hand on an issue I seem to have picked up with my device. You and the colleagues if possible. My SamsungGalaxy s2 tablet not responding. Power button and display goes black and does not turn on for a period of time. I believe the programs running in background or in a rooted format has been making the device malfunction. Is there a remote interface we could link up and establish what the heck is happening. Lol

Yours truly
Ryan

Ryan Murray
Re: [openssl-users] Openssl static build linked in DLL does not unload on win32
Do you have a moment to edit or review my error

Ryan Murray

On Jan 6, 2017 10:55 AM, "Matt Caswell" <m...@openssl.org> wrote:

> On 06/01/17 14:36, Dan Heinz wrote:
> >>> On 04/01/17 23:11, Dan Heinz wrote: Using openssl 1.1.0c.
> >>>
> >>> I have a test application that is a win32 console app that calls
> >>> a win32 DLL which has the openssl libraries linked in
> >>> statically.
> >>>
> >>> The test applications uses late-binding to the DLL and calls
> >>> LoadLibrary for the DLL, one test function in the DLL, and then
> >>> FreeLibrary on the DLL.
> >>>
> >>> The test function in the DLL does the following:
> >>>
> >>>     RSA *rsa = NULL;
> >>>     rsa = RSA_new();
> >>>     RSA_free(rsa);
> >>>     OPENSSL_thread_stop();
> >>>     OPENSSL_cleanup();
> >>>     return 0;
> >>>
> >>> When FreeLibrary is called on the DLL, dllmain is never called
> >>> with any messages. A subsequent call to LoadLibrary also fails
> >>> to call dllmain and when the test function is called RSA_new()
> >>> fails. This leads me to believe the DLL is never freed.
> >>>
> >>> I have tried building openssl with and without no-threads with
> >>> the same results. My build parameters are: perl Configure
> >>> *%TEMP_ARCHITECTURE%*
> >>> --prefix=*%RootPath_ThirdParty%*\*%OPENSSL_VERSION%* -DPURIFY
> >>> -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-threads
> >>> no-asm no-idea no-mdc2 no-rc5 no-ssl3 no-zlib no-comp
> >>>
> >>> What am I missing?
> >>
> >> OpenSSL does its cleanup at *process* exit. Don't call
> >> OPENSSL_cleanup() explicitly - this is discouraged.
> >>
> >> From this manpage:
> >>
> >> https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
> >>
> >> "Typically there should be no need to call this function directly as
> >> it is initiated automatically on application exit..
> >>
> >> Once OPENSSL_cleanup() has been called the library cannot be
> >> reinitialised."
> >>
> >> This last sentence is the reason why RSA_new() will fail after you
> >> have previously called OPENSSL_cleanup().
> >>
> >> Because cleanup happens on process exit, OpenSSL will keep itself
> >> in memory until that time (otherwise crashes will occur because
> >> the cleanup routines have been unloaded).
> >>
> >> If you want to dynamically load and unload your DLL then don't
> >> statically link it to OpenSSL - otherwise OpenSSL will keep your
> >> DLL around until process exit too.
> >>
> >> Matt
> >
> > That is very disappointing. As a library vendor we have no control
> > over how our users load and unload our libraries. We will just have
> > to roll back to 1.0.x and wait to see if this will be addressed.
> > Also, as Jakob stated in another post, it really seems like this
> > design will be problematic.
>
> Can you not link against the OpenSSL DLLs rather than statically link?
> That would avoid the problem.
>
> Matt