Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-28 Thread Ryan Murray

 
REMOTE LOGIN PROTOCOLS

A client/server model can create a mechanism that allows a user to establish a
session on the remote machine and then run its applications. This application
is known as remote login. This can be done by a client/server application
program for the desired service. Two remote login protocols are TELNET and
SSH.

TELNET Protocol

TELNET (terminal network) is a TCP/IP standard for establishing a connection
to a remote system. TELNET allows a user to log in to a remote machine across
the Internet by first making a TCP connection and then pass the detail of the
application from the user to the remote machine. You do this to many

Sent from Mail for Windows 10

From: Blumenthal, Uri - 0553 - MITLL
Sent: Friday, April 28, 2017 4:33 PM
To: openssl-users@openssl.org
Subject: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

I’m playing with RSA-PSS signatures, and stumbled upon a few problems. I tried 
the OpenSSL manual pages, but still coming short of complete understanding. :-)

This is how I initialize the contexts (error handlers removed for brevity):

  ctx = EVP_PKEY_CTX_new(privkey, NULL);
  md_ctx = EVP_MD_CTX_create();
  const EVP_MD *md = EVP_sha256();
  rv = EVP_DigestInit_ex(md_ctx, md, NULL);
  rv = EVP_DigestSignInit(md_ctx, &ctx, md, NULL, privkey);

First question: do I need EVP_DigestInit_ex() there?

Second question: do I have to specify hash-function (EVP_MD*) twice? First when 
initializing EVP_MD_CTX, and second for EVP_DigestSignInit()?

At the end I need to dispose of both ctx and md_ctx. That leads to my third 
question/problem. The code I tried (based on what the man page says: to avoid 
memory leak, I need to do EVP_MD_CTX_destroy(md_ctx)) crashes with SIGV:

  EVP_MD_CTX_destroy(md_ctx); // this succeeds
  EVP_PKEY_CTX_free(ctx);  // but here the code crashes

Same happens when I reverse the above order:

  EVP_PKEY_CTX_free(ctx); // this succeeds
  EVP_MD_CTX_destroy(md_ctx); // but then this one causes crash

So what’s the correct way of freeing both of them? Or is it that because 
they’re sort of “bound together” by EVP_DigestSignInit(md_ctx, &ctx, md, NULL, 
privkey); freeing one frees the other?

Thanks!
— 
Regards,
Uri


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] EVP_MD_CTX and EVP_PKEY_CTX? How to init? How to free?

2017-04-28 Thread Ryan Murray
Maybe this should have been run in a virtual environment



Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

2017-04-27 Thread Ryan Murray
Great article. Who is the author?

From: Viktor Dukhovni
Sent: Thursday, April 27, 2017 11:54 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Query regarding MSG_NOSIGNAL with SSL_Write

On Thu, Apr 27, 2017 at 12:32:42PM +, Salz, Rich via openssl-users wrote:

> > Does openssl  provide any way to set MSG_NOSIGNAL on sendmsg (Underlying 
> > TCP/IP socket layer) ?
> 
> No.  You will have to modify the code yourself.

Actually, it is possible to do the I/O in application code, using
any "write some data down a socket" API of the application's choice.

https://www.openssl.org/docs/man1.0.2/crypto/BIO_s_bio.html

In particular, the OP could use sendmsg() to move data between the
SSL layer and the network.

For a complete example, see network_biopair_interop() function in
Postfix 2.3 (recent Postfix releases no longer use this approach).


https://github.com/vdukhovni/postfix/blob/postfix-2.3/postfix/src/tls/tls_bio_ops.c

-- 
Viktor.
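
Added example, not from the thread and not Postfix code: once the application moves the bytes itself, as described above, the socket write is ordinary application code and can carry MSG_NOSIGNAL. The names send_all_nosignal and demo_closed_peer and the socketpair setup are assumptions for illustration, and a blocking socket is assumed; in a BIO-pair design the buffer would come from BIO_read() on the network side of the pair.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Write all len bytes with sendmsg(MSG_NOSIGNAL).
 * Returns 0 on success, -1 with errno set (EPIPE when the peer is gone). */
int send_all_nosignal(int fd, const void *buf, size_t len) {
    const unsigned char *p = buf;
    while (len > 0) {
        struct iovec iov;
        struct msghdr msg;
        ssize_t n;
        iov.iov_base = (void *)p;
        iov.iov_len = len;
        memset(&msg, 0, sizeof msg);
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;
        n = sendmsg(fd, &msg, MSG_NOSIGNAL);
        if (n < 0) {
            if (errno == EINTR) continue;  /* interrupted: retry */
            return -1;                     /* EPIPE, ECONNRESET, ... */
        }
        p += n;                            /* partial write: send the rest */
        len -= (size_t)n;
    }
    return 0;
}

/* Constructed demo: the peer end is already closed. Returns the errno of the
 * failed write; the caller is still running, so no SIGPIPE was delivered. */
int demo_closed_peer(void) {
    int sv[2], rc, err;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    close(sv[1]);
    rc = send_all_nosignal(sv[0], "x", 1);
    err = rc < 0 ? errno : 0;              /* save before close() can change it */
    close(sv[0]);
    return err;
}
```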


Re: [openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Ryan Murray
yes

From: Murray, Ronald-1 (ANF)
Sent: Wednesday, April 26, 2017 1:25 PM
To: 'openssl-users@openssl.org'
Subject: [openssl-users] RFC2818 and subjectAltName

We had an issue a few days ago when people with the newest version of Chrome 
were seeing security errors on our internal sites which were using SSL 
certificates signed with our internal CA. This turned out to be caused by 
Google adhering to RFC2818, which says:

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

Our certificates, of course, only contained the Common Name (CN), with no 
subjectAltName (SAN). I solved the problem by creating new certificates and 
hacking openssl.cnf to request a SAN in the CSR.

Now, our CA isn’t openssl-based (it’s Microsoft), but it’s occurred to me that 
openssl-created certificates should really include the site ID in a SAN as well 
as in the CN. RFC2818 has been out since May, 2000, so I’m rather surprised 
that this hasn’t been widely implemented before now. I note that certificates 
we get from Symantec have lately included a SAN, but I think that’s quite 
recent.

Is there any chance of this being included in openssl?





Re: [openssl-users] RFC2818 and subjectAltName

2017-04-26 Thread Ryan Murray
If you are asking me, by all means yes. Thanks for asking, I respect the value 
of honesty in world that has so very few people left.

From: Viktor Dukhovni
Sent: Wednesday, April 26, 2017 1:55 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] RFC2818 and subjectAltName


> On Apr 26, 2017, at 11:55 AM, Murray, Ronald-1 (ANF) wrote:
> 
> Our certificates, of course, only contained the Common Name (CN), with no 
> subjectAltName (SAN). I solved the problem by creating new certificates and 
> hacking openssl.cnf to request a SAN in the CSR.

An appropriate openssl.cnf is the supported way to populate DNS altnames
into certificates created with the req(1), x509(1) and ca(1) utilities.

> Is there any chance of this being included in openssl?

It is already included, via the openssl.cnf interface.  You can
also create openssl.cnf sections on the fly, without creating
any persistent files, with "bash" or similar shells.  See, for
example:

   https://github.com/openssl/openssl/blob/master/test/certs/mkcert.sh

-- 
Viktor.


Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Ryan Murray
Situation maybe a security issue

Ryan Murray



Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Ryan Murray
Could you give me a hand on an issue I seem to have picked up with my
device. You and the colleagues if possible. My Samsung Galaxy S2 tablet not
responding.  Power button and display goes black and does not turn on for a
period of time.  I believe the programs running in background or in a
rooted format has been making the device malfunction. Is there a remote
interface we could link up and establish what the heck is happening.  Lol
Yours truly
Ryan

Ryan Murray

On Jan 11, 2017 4:08 PM, "Nadia Lapkovskaya" <na...@yaymedia.com> wrote:

> Hi,
>
> We are using openssl-1.0.2j. Noticed, that for http protocol everything is
> working fine, but when we are using our own binary protocol ssl_pending
> returns 0 all the time. We are using blocking socket. Tried with
> SSL_CTX_set_read_ahead set and unset.
>
> Our test server sends back any info received from the client.
>
> Test code looks like this:
> bool write(const uint64_t* data, int count)
> {
>   int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
>   return rc > 0 ? true : false;
> }
>
> bool read(uint64_t* data, int count)
> {
>   do {
>     int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
>     if (rc <= 0) {
>       int err = SSL_get_error(_ssl, rc);
>       std::string errs = ERR_error_string(err, nullptr);
>       return false;
>     }
>   } while (SSL_pending(_ssl));
>   return true;
> }
>
> During first ssl_read we received eight bytes, and after that ssl_pending
> returns 0. If we continue reading despite having no pending data, ssl_read
> returns the rest of the data.
> Could you please suggest what is wrong here.
>
>
> Best regards,
> Nadia.
>
>
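
Added example, not code from the thread: a small model of why a read loop that ends when SSL_pending() returns 0 stops early. SSL_pending() counts only bytes already decoded and buffered inside the SSL object, not data still on its way, so a fixed-size message has to be read by length. struct rec_conn, rec_read and rec_pending are constructed stand-ins for the connection, SSL_read() and SSL_pending(); the 8-byte records mirror the first read reported above.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for an SSL connection: the peer's bytes arrive as
 * fixed-size records; in_rec is what remains of the record already decoded. */
struct rec_conn { const unsigned char *src; size_t left, rec_size, in_rec; };

/* Like SSL_read(): returns data from one record at most, 0 at end of stream. */
static int rec_read(struct rec_conn *c, void *buf, int n) {
    size_t take;
    if (c->in_rec == 0) {                  /* decode the next record */
        if (c->left == 0) return 0;
        c->in_rec = c->left < c->rec_size ? c->left : c->rec_size;
    }
    take = (size_t)n < c->in_rec ? (size_t)n : c->in_rec;
    memcpy(buf, c->src, take);
    c->src += take; c->left -= take; c->in_rec -= take;
    return (int)take;
}

/* Like SSL_pending(): only the remainder of the current record counts. */
static int rec_pending(const struct rec_conn *c) { return (int)c->in_rec; }

/* Same termination condition as the posted loop. Returns bytes received. */
size_t read_while_pending(struct rec_conn *c, unsigned char *buf, size_t len) {
    size_t got = 0;
    do {
        int rc = rec_read(c, buf + got, (int)(len - got));
        if (rc <= 0) break;
        got += (size_t)rc;
    } while (rec_pending(c) > 0);          /* 0 once the record is drained */
    return got;
}

/* Length-driven loop: keep reading until the whole message has arrived. */
size_t read_exact(struct rec_conn *c, unsigned char *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        int rc = rec_read(c, buf + got, (int)(len - got));
        if (rc <= 0) break;                /* end of stream: short read */
        got += (size_t)rc;
    }
    return got;
}
```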


Re: [openssl-users] Openssl static build linked in DLL does not unload on win32

2017-01-06 Thread Ryan Murray
Do you have a moment to edit or review my error

Ryan Murray

On Jan 6, 2017 10:55 AM, "Matt Caswell" <m...@openssl.org> wrote:

>
>
> On 06/01/17 14:36, Dan Heinz wrote:
> >>> On 04/01/17 23:11, Dan Heinz wrote:
> >>> Using openssl 1.1.0c.
> >>>
> >>> I have a test application that is a win32 console app that calls
> >>> a win32 DLL which has the openssl libraries linked in
> >>> statically.
> >>>
> >>> The test application uses late-binding to the DLL and calls
> >>> LoadLibrary for the DLL, one test function in the DLL, and then
> >>> FreeLibrary on the DLL.
> >>>
> >>> The test function in the DLL does the following:
> >>>
> >>>   RSA *rsa = NULL;
> >>>   rsa = RSA_new();
> >>>   RSA_free(rsa);
> >>>   OPENSSL_thread_stop();
> >>>   OPENSSL_cleanup();
> >>>   return 0;
> >>>
> >>> When FreeLibrary is called on the DLL, dllmain is never called
> >>> with any messages.  A subsequent call to LoadLibrary also fails
> >>> to call dllmain and when the test function is called RSA_new()
> >>> fails.  This leads me to believe the DLL is never freed.
> >>>
> >>> I have tried building openssl with and without no-threads with
> >>> the same results.  My build parameters are: perl Configure
> >>> *%TEMP_ARCHITECTURE%*
> >>> --prefix=*%RootPath_ThirdParty%*\*%OPENSSL_VERSION%* -DPURIFY
> >>> -DOPENSSL_NO_COMP -D_USING_V110_SDK71_ no-shared no-threads
> >>> no-asm no-idea no-mdc2 no-rc5  no-ssl3 no-zlib no-comp
> >>>
> >>> What am I missing?
> >>
> >>
> >> OpenSSL does its cleanup at *process* exit. Don't call
> >> OPENSSL_cleanup() explicitly - this is discouraged.
> >>
> >> From this manpage:
> >>
> >> https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html
> >>
> >> "Typically there should be no need to call this function directly as it
> >> is initiated automatically on application exit..
> >>
> >> Once OPENSSL_cleanup() has been called the library cannot be
> >> reinitialised."
> >>
> >> This last sentence is the reason why RSA_new() will fail after you
> >> have previously called OPENSSL_cleanup().
> >>
> >> Because cleanup happens on process exit, OpenSSL will keep itself
> >> in memory until that time (otherwise crashes will occur because
> >> the cleanup routines have been unloaded).
> >>
> >> If you want to dynamically load and unload your DLL then don't
> >> statically link it to OpenSSL - otherwise OpenSSL will keep your
> >> DLL around until process exit too.
> >>
> >> Matt
> >
> > That is very disappointing.  As a library vendor we have no control
> > over how our users load and unload our libraries.  We will just have
> > to roll back to 1.0.x and wait to see if this will be addressed.
> > Also, as Jakob stated in another post, it really seems like this
> > design will be problematic.
>
> Can you not link against the OpenSSL DLLs rather than statically link?
> That would avoid the problem.
>
> Matt
>
>