Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Ben Laurie 
On 20 December 2013 18:51, Stephen Henson via RT r...@openssl.org wrote:
 On Fri Dec 20 19:04:32 2013, d...@fifthhorseman.net wrote:

 I can do whatever you think is most useful, but i need a bit more
 guidance to be sure i'm giving you what will be most useful for you.


 I've pulled the update now, thanks.

 Well I have to admit to being far from a git expert. For me it's best if it's
 easy to get the patches with commit messages and authorship somewhere I can
 review them. If I manually have to apply multiple patches and add appropriate
 credit it's a pain.

Pull requests on Github are quite useful - that way they also get
tracked (so long as we remember to close them when applied, that is!).
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3206] Bug: EVP_PBE_alg_add() registers PBEs with incorrect cipher NIDs

2014-01-02 Thread Gibbons, Lee D via RT 
The following bug  has been reproduced on RedHat Enterprise Linux with OpenSSL 
1.0.1e.

When upgrading from 0.9.8e to 1.0.1e we noticed that a call to PKCS12_parse() 
would sometimes fail with the following:

3073869560:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad 
decrypt:evp_enc.c:535:
3073869560:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal 
error:p12_decr.c:97:
3073869560:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe 
crypt error:p12_decr.c:123:
3073869560:error:23076072:PKCS12 routines:PKCS12_parse:parse 
error:p12_kiss.c:129:

We determined that the cause was an existing PBE registration within our 
application via EVP_PBE_alg_add():

EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(), EVP_sha1(), 
PKCS12_PBE_keyivgen);

Under OpenSSL 1.0.0 and beyond, this causes a PBE to be added with a cipher NID 
of RC2-CBC instead of RC2-40-CBC. A change to this API uses an incorrect cipher 
NID returned by EVP_CIPHER_type(). The decryption of PKCS12 components that are 
encrypted with RC2-40-CBC  fails because RC2-CBC is used instead.

Enclosed is a modified version of demos/pkcs12/pkread.c. When linked against 
OpenSSL 1.x.x the code will fail to decrypt a PKCS12 file encrypted with 
RC2-40-CBC. The same code works fine when linked against 0.9.8*. The code can 
be made to work with 1.x.x by removing the call to EVP_PBE_alg_add(), allowing 
the builtin version of this PBE (with the correct cipher NID) to be used.

Thank you.

Doug Gibbons | Consulting Engineer | Avaya Inc. | 1300 W. 120th Ave | B3-C61 | 
Westminster, CO 80234 | 303-538-3538 | 
ldgibb...@avaya.commailto:ldgibb...@avaya.com



/* pkread.c */

#include stdio.h
#include stdlib.h
#include openssl/pem.h
#include openssl/err.h
#include openssl/pkcs12.h

/* Simple PKCS#12 file reader */

int main(int argc, char **argv)
{
FILE *fp;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
PKCS12 *p12;
int i;
if (argc != 4) {
fprintf(stderr, Usage: pkread p12file password opfile\n);
exit (1);
}
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
#if 1
/* With OpenSSL 1.x.x next line creates PBE with incorrect cipher NID */
EVP_PBE_alg_add(NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc(),
EVP_sha1(), PKCS12_PBE_keyivgen);
#endif
if (!(fp = fopen(argv[1], rb))) {
fprintf(stderr, Error opening file %s\n, argv[1]);
exit(1);
}
p12 = d2i_PKCS12_fp(fp, NULL);
fclose (fp);
if (!p12) {
fprintf(stderr, Error reading PKCS#12 file\n);
ERR_print_errors_fp(stderr);
exit (1);
}
if (!PKCS12_parse(p12, argv[2], pkey, cert, ca)) {
fprintf(stderr, Error parsing PKCS#12 file\n);
ERR_print_errors_fp(stderr);
exit (1);
}
PKCS12_free(p12);
if (!(fp = fopen(argv[3], w))) {
fprintf(stderr, Error opening file %s\n, argv[1]);
exit(1);
}
if (pkey) {
fprintf(fp, ***Private Key***\n);
PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL);
}
if (cert) {
fprintf(fp, ***User Certificate***\n);
PEM_write_X509_AUX(fp, cert);
}
if (ca  sk_X509_num(ca)) {
fprintf(fp, ***Other Certificates***\n);
for (i = 0; i  sk_X509_num(ca); i++) 
PEM_write_X509_AUX(fp, sk_X509_value(ca, i));
}
fclose(fp);
return 0;
}

Re: Safe ECC curves

2014-01-02 Thread Dr. Stephen Henson 
On Thu, Jan 02, 2014, Salz, Rich wrote:

  So Curve25519 needs a standard OID and some notes on the format to use for 
  ASN.1. Does such a thing exist?
 
 I don't think so.  Perhaps the TLS list is the place to discuss this?  Should 
 we (I?) start a thread there on a proposal to fit Curve25519 into common TLS 
 usage?
 
 Strawman proposal:
   The keys are OCTET STRING (or does BIGNUM fit better with existing 
 code?)
   Y is fixed at zero
   An OID is assigned from the IETF arc
 
 Anything else missing?
 

Well ideally it needs to be as close as possible to RFC5280 which is a PKIX
document and the group has now closed... great timing. But that ends up with
point compression rearing its ugly head.

It's not much use though if it takes a glacial time scale to get an OID
assigned (or preferably several OIDs AFAICS).

 I can ask djb but I bet he *really* doesn't care. :)
 

Well if he doesn't that's fine. I'd otherwise feel a bit guilty ats
appropriating his curve with an OID.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Safe ECC curves

2014-01-02 Thread Manuel Pégourié-Gonnard 
On 02/01/2014 01:44, Kyle Hamilton wrote:
 djb has a fixed-clock-cycle algorithm he wrote in GNU assembly for Athlon.
 I am unhappy with his insistence that nobody should try to implement it for
 other platforms, as though Athlon is the only platform anyone would ever
 need. I agree that a platform-independent optimized arithmetic would be a
 good thing.
 
 I would also like to see (since I know nothing about x86, x86_64, or Athlon
 assembly language) its translation to a 64-bit ABI.  But that's out of
 scope for this list.
 
You might want to look here: https://code.google.com/p/curve25519-donna/

There is also a fully portable C implementation in NaCl (directory
crypto_scalarmult/curve25519/ref): http://nacl.cr.yp.to/

Manuel.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Safe ECC curves

2014-01-02 Thread Dr. Stephen Henson 
On Thu, Jan 02, 2014, Daniel Kahn Gillmor wrote:

 On 01/02/2014 08:50 AM, Salz, Rich wrote:
  [Dr. Stephen Henson wrote:]
  So Curve25519 needs a standard OID and some notes on the format to use for 
  ASN.1. Does such a thing exist?
  
  I don't think so.
 
 yes, i mentioned it up-thread:
 
  https://tools.ietf.org/html/draft-josefsson-tls-curve25519-01
 
 this isn't formalized yet, and it raised discussion that wasn't yet
 resolved, but it's the document to work from, i think.
 

That's just TLS. To add more complete support to OpenSSL including storing
private keys in PEM files and public keys in case we ever use it in ECDH
certificates it needs an OID and some details on how the keys are encoded.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Safe ECC curves

2014-01-02 Thread Daniel Kahn Gillmor 
On 01/02/2014 12:35 PM, Dr. Stephen Henson wrote:
 That's just TLS. To add more complete support to OpenSSL including storing
 private keys in PEM files and public keys in case we ever use it in ECDH
 certificates it needs an OID and some details on how the keys are encoded.

But ECDHE doesn't need any of these trappings, as nice as they would be
to have.  The curves are known; implementations of them are known;
secret keys can be held in memory in any standard way, and public keys
can be transmitted on the wire for the key exchange as simply as
possible, without specifying PKCS encodings or SPKI or whatever.

Getting Curve25519 (and Curve3617?) functional for ECDHE would be a
demonstrably good thing on its own, and it would be a shame for that
functionality to wait until people could finally agree on how to use
PKCS encodings and EdDSA for X.509 certificates.

--dkg



signature.asc
Description: OpenPGP digital signature

Re: Safe ECC curves

2014-01-02 Thread Kurt Roeckx 
On Thu, Jan 02, 2014 at 12:59:39PM -0500, Daniel Kahn Gillmor wrote:
 On 01/02/2014 12:35 PM, Dr. Stephen Henson wrote:
  That's just TLS. To add more complete support to OpenSSL including storing
  private keys in PEM files and public keys in case we ever use it in ECDH
  certificates it needs an OID and some details on how the keys are encoded.
 
 But ECDHE doesn't need any of these trappings, as nice as they would be
 to have.  The curves are known; implementations of them are known;
 secret keys can be held in memory in any standard way, and public keys
 can be transmitted on the wire for the key exchange as simply as
 possible, without specifying PKCS encodings or SPKI or whatever.
 
 Getting Curve25519 (and Curve3617?) functional for ECDHE would be a
 demonstrably good thing on its own, and it would be a shame for that
 functionality to wait until people could finally agree on how to use
 PKCS encodings and EdDSA for X.509 certificates.

I also think that ECDHE really is currently the priority, to have
an alternative to the NIST P curves at least some people think are
backdoored by the NSA and as result want to avoid.

Most people seem want to do PFS now, but some want ECDHE for speed
and the other DHE to avoid the NIST P curves.  I think having
something like Curve25519 could make both sides agree on using
ECDHE.


Kurt

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Daniel Kahn Gillmor 
On 01/02/2014 03:32 PM, Ben Laurie wrote:
 On 1 January 2014 21:39, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
 On 01/01/2014 12:48 PM, Ben Laurie wrote:
 Pull requests on Github are quite useful - that way they also get
 tracked (so long as we remember to close them when applied, that is!).

 OK, i've rebased the series against the current master, and submitted a
 github-specific pull request:

  https://github.com/openssl/openssl/pull/37
 
 Cool, tho didn't I read that Steve already pulled it?

I read that as well, but I assumed that just meant that he now has
access to the changesets in his local copy.  I don't think he's applied
them to his master branch, or if he has, he hasn't pushed that master
branch to the canonical repository.  or maybe i'm not looking at the
correct repository?

i don't see them applied to the master branch at
https://github.com/openssl/openssl, and i don't see them at
http://git.openssl.org/gitweb/?p=openssl.git;a=summary should i be
looking somewhere else?

--dkg



signature.asc
Description: OpenPGP digital signature

Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Daniel Kahn Gillmor via RT 
On 01/02/2014 03:32 PM, Ben Laurie wrote:
 On 1 January 2014 21:39, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
 On 01/01/2014 12:48 PM, Ben Laurie wrote:
 Pull requests on Github are quite useful - that way they also get
 tracked (so long as we remember to close them when applied, that is!).

 OK, i've rebased the series against the current master, and submitted a
 github-specific pull request:

  https://github.com/openssl/openssl/pull/37
 
 Cool, tho didn't I read that Steve already pulled it?

I read that as well, but I assumed that just meant that he now has
access to the changesets in his local copy.  I don't think he's applied
them to his master branch, or if he has, he hasn't pushed that master
branch to the canonical repository.  or maybe i'm not looking at the
correct repository?

i don't see them applied to the master branch at
https://github.com/openssl/openssl, and i don't see them at
http://git.openssl.org/gitweb/?p=openssl.git;a=summary should i be
looking somewhere else?

--dkg




signature.asc
Description: PGP signature

Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Ben Laurie via RT 
On 1 January 2014 21:39, Daniel Kahn Gillmor d...@fifthhorseman.net wrote:
 On 01/01/2014 12:48 PM, Ben Laurie wrote:
 Pull requests on Github are quite useful - that way they also get
 tracked (so long as we remember to close them when applied, that is!).

 OK, i've rebased the series against the current master, and submitted a
 github-specific pull request:

  https://github.com/openssl/openssl/pull/37

Cool, tho didn't I read that Steve already pulled it?


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Stephen Henson via RT 
On Mon Dec 30 22:47:32 2013, d...@fifthhorseman.net wrote:

 I don't mean to be impatient -- if it's just a matter of playing catchup
 over the close of the winter holiday, i can wait :)


Yes that's pretty much it. I'll be looking reviewing the patches in the next
few days.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2480] ... 3 recipients: generation error

2014-01-02 Thread Barry Allard via RT 
I just encountered this issue with precisely the same error.  It appears with 
all configurations including 'no-des'.

1.0.1e tarball
OSX 10.9.1
XCode 5.0.2


# minimal test-case 
./Configure no-des
make depend
make
make test
—
Sent from Mailbox for iPhone
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org