Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Mounir IDRASSI

 Hi,

Signature verification is done through a modular exponentiation (using 
public exponent and modulus) that always leads to a result even fur a 
bogus RSA modulus.
This result is checked against the PKCS#1 padding format. Since the RSA 
private key is invalid, the output of this exponentiation is different 
from DataToBeSigned used during certificate creation and thus the code 
doesn't find the PKCS#1 padding block header.

So, the signature is bad because the decrypted signature has a bad format!
I hope this clarifies things to you.

You say at the end of your message that the private key was generated by 
a python wrapper, certainly a wrapper of OpenSSL, but in a previous 
message you are saying that you generated the key yourself (pen and 
paper). Which statement is correct? Maybe your wrapper wraps something 
else...


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 8/9/2010 7:44 AM, Georgi Guninski wrote:

is the certificate at http://marc.info/?l=openssl-devm=128118163216952w=2
(with the malformed key) *syntactically* correct modulo the bad self signature?

with 1.0.0a
~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert


/tmp/CA-P.cert: CN = CA
error 7 at 0 depth lookup:certificate signature failure
139828504536744:error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding 
check failed:rsa_eay.c:699:
139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:184:

echo $?
0

i would expect an error about bad self signature, not format stuff.

the private key was generated by a python wrapper, the cert was generated with
ubuntu's 0.9.8k 25 Mar 2009


On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote:
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Georgi Guninski
hi,


On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote:
  Hi,
 
 Signature verification is done through a modular exponentiation
 (using public exponent and modulus) that always leads to a result
 even fur a bogus RSA modulus.
 This result is checked against the PKCS#1 padding format. Since the
 RSA private key is invalid, the output of this exponentiation is
 different from DataToBeSigned used during certificate creation and
 thus the code doesn't find the PKCS#1 padding block header.
 So, the signature is bad because the decrypted signature has a bad format!
 I hope this clarifies things to you.


ok. i expected a message bad number instead of bad signature format


 You say at the end of your message that the private key was
 generated by a python wrapper, certainly a wrapper of OpenSSL, but
 in a previous message you are saying that you generated the key
 yourself (pen and paper). Which statement is correct? Maybe your
 wrapper wraps something else...
 

lol. the pen/paper generation was just humour.

this key was generated with pycrypto + some other pure python code for export to
your format. (the small prime was included on purpose).

i don't know if pycrypto depends on openssl (though it is not a
 direct wrapper).

the cert was generated entirely by openssl.


the imports:

from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import random
import sys
from Crypto.PublicKey import pubkey
from Crypto.Util import number
import crypto # utils
import Crypto
from fractions import gcd
from Crypto.Hash import MD5


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Mounir IDRASSI

 Hi,

A number can't be bad by itself. It is just a carrier of protocol 
information during the mathematical computations. What really matters is 
the sequence of bytes used by that protocol. This is why a bad format 
error is returned.


Concerning PyCrypto, it doesn't use OpenSSL at all : for public key 
algorithms like RSA and DSA, it uses LibTomCrypt internally in order to 
implement the algorithms by hand. So, there must be a bug in their code.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/9/2010 11:26 AM, Georgi Guninski wrote:

hi,


On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote:

  Hi,

Signature verification is done through a modular exponentiation
(using public exponent and modulus) that always leads to a result
even fur a bogus RSA modulus.
This result is checked against the PKCS#1 padding format. Since the
RSA private key is invalid, the output of this exponentiation is
different from DataToBeSigned used during certificate creation and
thus the code doesn't find the PKCS#1 padding block header.
So, the signature is bad because the decrypted signature has a bad format!
I hope this clarifies things to you.


ok. i expected a message bad number instead of bad signature format



You say at the end of your message that the private key was
generated by a python wrapper, certainly a wrapper of OpenSSL, but
in a previous message you are saying that you generated the key
yourself (pen and paper). Which statement is correct? Maybe your
wrapper wraps something else...


lol. the pen/paper generation was just humour.

this key was generated with pycrypto + some other pure python code for export to
your format. (the small prime was included on purpose).

i don't know if pycrypto depends on openssl (though it is not a
  direct wrapper).

the cert was generated entirely by openssl.


the imports:

from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import random
import sys
from Crypto.PublicKey import pubkey
from Crypto.Util import number
import crypto # utils
import Crypto
from fractions import gcd
from Crypto.Hash import MD5


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
i was pointing out this:

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or
corruption (fasttop): 0x00979300 ***

the glibc message means that the current heap operation is on invalid
pointer. the testcase crashed browser links on arch linux too (when
trying to connect to s_server -www).

btw, it seems *important* to use |s_server| from *1.0.0a*


On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote:
 openssl-1.0.0a on ubuntu, debian and arch.
 attached a private key and a cert.
 
 ~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
 /tmp/CA.key
 
 ~/local/bin/openssl s_client -connect localhost:
 
 depth=0 CN = CA
 verify return:1
 *** glibc detected *** /home/build/local/bin/openssl: double free or 
 corruption (fasttop): 0x00979300 ***
 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Mounir IDRASSI

 Hi,

You are right : there is a double free bug in the function 
*ssl3_get_key_exchange* which leads to crash if an error occurs.
The bug is in line 1510 of s3_clnt.c where we forget to set the variable 
bn_ctx to NULL after freeing it and this leads to the double free error 
when BN_CTX_free is called a second time on line 1650.


I'm attaching a patch against the latest source that corrects this. I'll 
also send to RT.

Thanks for the report.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/8/2010 3:04 PM, Georgi Guninski wrote:

i was pointing out this:

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or
corruption (fasttop): 0x00979300 ***

the glibc message means that the current heap operation is on invalid
pointer. the testcase crashed browser links on arch linux too (when
trying to connect to s_server -www).

btw, it seems *important* to use |s_server| from *1.0.0a*


On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote:

openssl-1.0.0a on ubuntu, debian and arch.
attached a private key and a cert.

~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
/tmp/CA.key

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption 
(fasttop): 0x00979300 ***


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


--- E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c.original  Sun Feb 28 
01:24:24 2010
+++ E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c   Sun Aug  8 14:49:30 2010
@@ -1508,6 +1508,7 @@
s-session-sess_cert-peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+   bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
is the certificate at http://marc.info/?l=openssl-devm=128118163216952w=2
(with the malformed key) *syntactically* correct modulo the bad self signature?

with 1.0.0a
~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert 


/tmp/CA-P.cert: CN = CA
error 7 at 0 depth lookup:certificate signature failure
139828504536744:error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding 
check failed:rsa_eay.c:699:
139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:184:

echo $?
0

i would expect an error about bad self signature, not format stuff.

the private key was generated by a python wrapper, the cert was generated with 
ubuntu's 0.9.8k 25 Mar 2009


On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote:
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-07 Thread Mounir IDRASSI

 Hi,

I checked the parameters of your 4008 bits key and it is indeed invalid 
(q is not prime).
How did you generate it? It would be surprising if it was done through 
OpenSSL.

Anyway, you must generate a new RSA key.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/7/2010 1:21 PM, Georgi Guninski wrote:

openssl-1.0.0a on ubuntu, debian and arch.
attached a private key and a cert.

~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
/tmp/CA.key

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption 
(fasttop): 0x00979300 ***

  ~/local/bin/openssl rsa -check -in /tmp/CA.key |more
writing RSA key
RSA key error: q not prime # definitely


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-07 Thread Georgi Guninski
On Sun, Aug 08, 2010 at 02:46:33AM +0200, Mounir IDRASSI wrote:
  Hi,
 

hi,

10x for your reply.

i have no complaints about the openssl key generation process for rsa
keys of this size. and don't expect vanilla openssl to do correct math
with this key.


 I checked the parameters of your 4008 bits key and it is indeed
 invalid (q is not prime).

agreed. (though the *public* key seems fine, even with the weak factor)

 How did you generate it? It would be surprising if it was done
 through OpenSSL.

pen and paper ;-) first trial factoring, then (optionally) a few
elliptic curves, then fermat's little theorem. i know a deterministic
primality test would be more scientific, but it is a bit slower on paper
;-)


 Anyway, you must generate a new RSA key.
 

yeah, i am generating a new key. sorry for the composite miztake.

 --
 Mounir IDRASSI
 IDRIX
 http://www.idrix.fr
 
 On 8/7/2010 1:21 PM, Georgi Guninski wrote:
 openssl-1.0.0a on ubuntu, debian and arch.
 attached a private key and a cert.
 
 ~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
 /tmp/CA.key
 
 ~/local/bin/openssl s_client -connect localhost:
 
 depth=0 CN = CA
 verify return:1
 *** glibc detected *** /home/build/local/bin/openssl: double free or 
 corruption (fasttop): 0x00979300 ***
 
   ~/local/bin/openssl rsa -check -in /tmp/CA.key |more
 writing RSA key
 RSA key error: q not prime # definitely
 
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org