Re: openssl-1.0.0a and glibc detected sthg ;)
Hi, A number can't be "bad" by itself. It is just a carrier of protocol information during the mathematical computations. What really matters is the sequence of bytes used by that protocol. This is why a "bad format" error is returned. Concerning PyCrypto, it doesn't use OpenSSL at all : for public key algorithms like RSA and DSA, it uses LibTomCrypt internally in order to implement the algorithms by hand. So, there must be a bug in their code. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 8/9/2010 11:26 AM, Georgi Guninski wrote: hi, On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote: Hi, Signature verification is done through a modular exponentiation (using public exponent and modulus) that always leads to a result even fur a bogus RSA modulus. This result is checked against the PKCS#1 padding format. Since the RSA private key is invalid, the output of this exponentiation is different from DataToBeSigned used during certificate creation and thus the code doesn't find the PKCS#1 padding block header. So, the signature is bad because the decrypted signature has a bad format! I hope this clarifies things to you. ok. i expected a message "bad number" instead of "bad signature format" You say at the end of your message that the private key was generated by a python wrapper, certainly a wrapper of OpenSSL, but in a previous message you are saying that you generated the key yourself (pen and paper). Which statement is correct? Maybe your wrapper wraps something else... lol. the "pen/paper generation" was just humour. this key was generated with pycrypto + some other pure python code for export to your format. (the small prime was included on purpose). i don't know if pycrypto depends on openssl (though it is not a direct wrapper). the cert was generated entirely by openssl. the imports: from Crypto.PublicKey import RSA from Crypto.Util.number import inverse import random import sys from Crypto.PublicKey import pubkey from Crypto.Util import number import crypto # utils import Crypto from fractions import gcd from Crypto.Hash import MD5 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
hi, On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote: > Hi, > > Signature verification is done through a modular exponentiation > (using public exponent and modulus) that always leads to a result > even fur a bogus RSA modulus. > This result is checked against the PKCS#1 padding format. Since the > RSA private key is invalid, the output of this exponentiation is > different from DataToBeSigned used during certificate creation and > thus the code doesn't find the PKCS#1 padding block header. > So, the signature is bad because the decrypted signature has a bad format! > I hope this clarifies things to you. > ok. i expected a message "bad number" instead of "bad signature format" > You say at the end of your message that the private key was > generated by a python wrapper, certainly a wrapper of OpenSSL, but > in a previous message you are saying that you generated the key > yourself (pen and paper). Which statement is correct? Maybe your > wrapper wraps something else... > lol. the "pen/paper generation" was just humour. this key was generated with pycrypto + some other pure python code for export to your format. (the small prime was included on purpose). i don't know if pycrypto depends on openssl (though it is not a direct wrapper). the cert was generated entirely by openssl. the imports: from Crypto.PublicKey import RSA from Crypto.Util.number import inverse import random import sys from Crypto.PublicKey import pubkey from Crypto.Util import number import crypto # utils import Crypto from fractions import gcd from Crypto.Hash import MD5 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
Hi, Signature verification is done through a modular exponentiation (using public exponent and modulus) that always leads to a result even fur a bogus RSA modulus. This result is checked against the PKCS#1 padding format. Since the RSA private key is invalid, the output of this exponentiation is different from DataToBeSigned used during certificate creation and thus the code doesn't find the PKCS#1 padding block header. So, the signature is bad because the decrypted signature has a bad format! I hope this clarifies things to you. You say at the end of your message that the private key was generated by a python wrapper, certainly a wrapper of OpenSSL, but in a previous message you are saying that you generated the key yourself (pen and paper). Which statement is correct? Maybe your wrapper wraps something else... Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 8/9/2010 7:44 AM, Georgi Guninski wrote: is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2 (with the malformed key) *syntactically* correct modulo the bad self signature? with 1.0.0a ~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert /tmp/CA-P.cert: CN = CA error 7 at 0 depth lookup:certificate signature failure 139828504536744:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:184: echo $? 0 i would expect an error about bad self signature, not format stuff. the private key was generated by a python wrapper, the cert was generated with ubuntu's 0.9.8k 25 Mar 2009 On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote: __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2 (with the malformed key) *syntactically* correct modulo the bad self signature? with 1.0.0a ~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert /tmp/CA-P.cert: CN = CA error 7 at 0 depth lookup:certificate signature failure 139828504536744:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:184: echo $? 0 i would expect an error about bad self signature, not format stuff. the private key was generated by a python wrapper, the cert was generated with ubuntu's 0.9.8k 25 Mar 2009 On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote: __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
Hi, You are right : there is a double free bug in the function *ssl3_get_key_exchange* which leads to crash if an error occurs. The bug is in line 1510 of s3_clnt.c where we forget to set the variable bn_ctx to NULL after freeing it and this leads to the double free error when BN_CTX_free is called a second time on line 1650. I'm attaching a patch against the latest source that corrects this. I'll also send to RT. Thanks for the report. -- Mounir IDRASSI IDRIX http://www.idrix.fr On 8/8/2010 3:04 PM, Georgi Guninski wrote: i was pointing out this: ~/local/bin/openssl s_client -connect localhost: depth=0 CN = CA verify return:1 *** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x00979300 *** the glibc message means that the current heap operation is on invalid pointer. the testcase crashed browser links on arch linux too (when trying to connect to s_server -www). btw, it seems *important* to use |s_server| from *1.0.0a* On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote: openssl-1.0.0a on ubuntu, debian and arch. attached a private key and a cert. ~/local/bin/openssl s_server -www -accept -cert /tmp/CA.cert -key /tmp/CA.key ~/local/bin/openssl s_client -connect localhost: depth=0 CN = CA verify return:1 *** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x00979300 *** __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org --- E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c.original Sun Feb 28 01:24:24 2010 +++ E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c Sun Aug 8 14:49:30 2010 @@ -1508,6 +1508,7 @@ s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; }
Re: openssl-1.0.0a and glibc detected sthg ;)
i was pointing out this: ~/local/bin/openssl s_client -connect localhost: depth=0 CN = CA verify return:1 *** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x00979300 *** the glibc message means that the current heap operation is on invalid pointer. the testcase crashed browser links on arch linux too (when trying to connect to s_server -www). btw, it seems *important* to use |s_server| from *1.0.0a* On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote: > openssl-1.0.0a on ubuntu, debian and arch. > attached a private key and a cert. > > ~/local/bin/openssl s_server -www -accept -cert /tmp/CA.cert -key > /tmp/CA.key > > ~/local/bin/openssl s_client -connect localhost: > > depth=0 CN = CA > verify return:1 > *** glibc detected *** /home/build/local/bin/openssl: double free or > corruption (fasttop): 0x00979300 *** > __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
On Sun, Aug 08, 2010 at 02:46:33AM +0200, Mounir IDRASSI wrote: > Hi, > hi, 10x for your reply. i have no complaints about the openssl key generation process for rsa keys of this size. and don't expect vanilla openssl to do correct math with this key. > I checked the parameters of your 4008 bits key and it is indeed > invalid (q is not prime). agreed. (though the *public* key seems fine, even with the weak factor) > How did you generate it? It would be surprising if it was done > through OpenSSL. pen and paper ;-) first trial factoring, then (optionally) a few elliptic curves, then fermat's little theorem. i know a deterministic primality test would be more scientific, but it is a bit slower on paper ;-) > Anyway, you must generate a new RSA key. > yeah, i am generating a new key. sorry for the composite miztake. > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On 8/7/2010 1:21 PM, Georgi Guninski wrote: > >openssl-1.0.0a on ubuntu, debian and arch. > >attached a private key and a cert. > > > >~/local/bin/openssl s_server -www -accept -cert /tmp/CA.cert -key > >/tmp/CA.key > > > >~/local/bin/openssl s_client -connect localhost: > > > >depth=0 CN = CA > >verify return:1 > >*** glibc detected *** /home/build/local/bin/openssl: double free or > >corruption (fasttop): 0x00979300 *** > > > > ~/local/bin/openssl rsa -check -in /tmp/CA.key |more > >writing RSA key > >RSA key error: q not prime # definitely > > __ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl-1.0.0a and glibc detected sthg ;)
Hi, I checked the parameters of your 4008 bits key and it is indeed invalid (q is not prime). How did you generate it? It would be surprising if it was done through OpenSSL. Anyway, you must generate a new RSA key. -- Mounir IDRASSI IDRIX http://www.idrix.fr On 8/7/2010 1:21 PM, Georgi Guninski wrote: openssl-1.0.0a on ubuntu, debian and arch. attached a private key and a cert. ~/local/bin/openssl s_server -www -accept -cert /tmp/CA.cert -key /tmp/CA.key ~/local/bin/openssl s_client -connect localhost: depth=0 CN = CA verify return:1 *** glibc detected *** /home/build/local/bin/openssl: double free or corruption (fasttop): 0x00979300 *** ~/local/bin/openssl rsa -check -in /tmp/CA.key |more writing RSA key RSA key error: q not prime # definitely __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org