openssl-1.0.0a and glibc detected sthg ;)

2010-08-07 Thread Georgi Guninski
openssl-1.0.0a on ubuntu, debian and arch.
attached a private key and a cert.

~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
/tmp/CA.key

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption 
(fasttop): 0x00979300 ***

 ~/local/bin/openssl rsa -check -in /tmp/CA.key |more
writing RSA key
RSA key error: q not prime # definitely


CA.key
Description: application/pgp-keys
-BEGIN CERTIFICATE-
MIIE9DCCAuegAwIBAgIJAM0Vp3F9zD86MA0GCSqGSIb3DQEBBQUAMA0xCzAJBgNV
BAMTAkNBMB4XDTEwMDgwNzA5MTQxMFoXDTExMDgwNzA5MTQxMFowDTELMAkGA1UE
AxMCQ0EwggIWMA0GCSqGSIb3DQEBAQUAA4ICAwAwggH+AoIB9TX4Eo4zvnzt6RIG
+EleSA89D6zfHzPx2L9jsZPxZcJ01lYDGiOAuFW09lloJ6iLMSS2GlA8pB5/1E8u
75vubs0w4L1QPrMRxQdUjp/j9yWwCxvYraL2tfyJVxTmMn6vUcZ5nuU7O3f6VBP1
hD4LeKII9H0sp5PzWaoXy/gBQKdAn7dV7dlCS/8V4AjF/HCqY/mwjkjdB37WEqQj
j/vYICARw7hdOKOW3D86uN4g209Kwc1wf34TUZCYVdP77o0xXHgaz9L10+j5cBSz
viC2Z7nOJ0mneAJSlEC892nvMoIvMhYwYr/twZjudNNc4tIXyfeQqM34AlwHYn3y
Jo560YpzX2IF1cs6wFdDqJxpyW1VuYlZAFbufn9A86wsFBr0QxppDjcaxZqBVOdz
t7bi8nXJE+JWpIDDrAW4T2ihqZENNbM7gkNL8+bjg3LcG2jbUOr3H5zVK+Q0x9+6
tLdIG5iRQCu8OI4Rd8nl8SqBAqjAXgniqRFqEzTKMEXN/9hzwl+jL2PrUfHOUxh3
J3IgAlqmlwVh+1gJl9VJf1DEn3Yn3ffMSLl/2L2dTVDxvoHnsjPEgtIAg6QzZR71
SQWeAHaZE3bJQAz1X9nWIxhw7bnRRj/EhwHJMQEalRRu2jIq+WN3aovrAMKEJeeL
U5i9LzVW8lLX7QIDAQABo24wbDAdBgNVHQ4EFgQUOod0n0f3AaUF0Tf9ttbmA3Fc
EjowPQYDVR0jBDYwNIAUOod0n0f3AaUF0Tf9ttbmA3FcEjqhEaQPMA0xCzAJBgNV
BAMTAkNBggkAzRWncX3MPzowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOC
AfYAHKLWDAa/aR62Xi2jAOGOBtcoYYdttizIkMtEnxd2QivssVBn156sIbMIsXgi
emUWhm35E4LKYfoK9aEorsfno8aMrzeYCuL0Zbbn67C2dUT61B2T5XN8eru8HYAa
nVxvHNj92auUjeAy7yWc7Kyx+RWXtkLG9BJ6fJVHzOwifEgfhS1ngjBe3MuviXOy
2h7BfaNQ3IOvAhSnjlWNoPcBFoOoRIVjfRSViD5X8jj47ab2JTKVFAH4bXf2eXUp
shcG77QeANoGFvmTpiPuUhmuZSXG4dyKmSqeq9SgouKZkq7aT24fNAqdwJp+ZJWH
2wP8LLvfSoyFZICMZU3AFfa5r3BOom8YCSwmeGhk9QVfLMD3TDvnV0aGEwz5BGjA
obLckVV2/VzbwublODRPtdr92ZAygRwDaUlqlDdfTcwajcUhlEpl8GtU+qmTgLe7
mT9Diich73DTsowN83p8v0s2waNVgpW3cxmCEonwD+1f1qiFM2uaTNYNMFVdBLyP
Kl9IFqC3v7Wt8VYuMbPnjNezhr7enpfa4eB1CeF+pdCdq3FK03UsFzBMZ63Vt8ia
NVlc3+esFSiea9hL+ROA4tfGjhQZcbHn/yZ8gL3dyyzoz2JV5pKWHV4+7nkq2h6A
QdRYHN8MDeQlxKw9nGSmpyzoQrqDyepn
-END CERTIFICATE-


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-07 Thread Mounir IDRASSI

 Hi,

I checked the parameters of your 4008 bits key and it is indeed invalid 
(q is not prime).
How did you generate it? It would be surprising if it was done through 
OpenSSL.

Anyway, you must generate a new RSA key.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/7/2010 1:21 PM, Georgi Guninski wrote:

openssl-1.0.0a on ubuntu, debian and arch.
attached a private key and a cert.

~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
/tmp/CA.key

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption 
(fasttop): 0x00979300 ***

  ~/local/bin/openssl rsa -check -in /tmp/CA.key |more
writing RSA key
RSA key error: q not prime # definitely


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-07 Thread Georgi Guninski
On Sun, Aug 08, 2010 at 02:46:33AM +0200, Mounir IDRASSI wrote:
>  Hi,
> 

hi,

10x for your reply.

i have no complaints about the openssl key generation process for rsa
keys of this size. and don't expect vanilla openssl to do correct math
with this key.


> I checked the parameters of your 4008 bits key and it is indeed
> invalid (q is not prime).

agreed. (though the *public* key seems fine, even with the weak factor)

> How did you generate it? It would be surprising if it was done
> through OpenSSL.

pen and paper ;-) first trial factoring, then (optionally) a few
elliptic curves, then fermat's little theorem. i know a deterministic
primality test would be more scientific, but it is a bit slower on paper
;-)


> Anyway, you must generate a new RSA key.
> 

yeah, i am generating a new key. sorry for the composite miztake.

> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> On 8/7/2010 1:21 PM, Georgi Guninski wrote:
> >openssl-1.0.0a on ubuntu, debian and arch.
> >attached a private key and a cert.
> >
> >~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
> >/tmp/CA.key
> >
> >~/local/bin/openssl s_client -connect localhost:
> >
> >depth=0 CN = CA
> >verify return:1
> >*** glibc detected *** /home/build/local/bin/openssl: double free or 
> >corruption (fasttop): 0x00979300 ***
> >
> >  ~/local/bin/openssl rsa -check -in /tmp/CA.key |more
> >writing RSA key
> >RSA key error: q not prime # definitely
> 
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
i was pointing out this:

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or
corruption (fasttop): 0x00979300 ***

the glibc message means that the current heap operation is on invalid
pointer. the testcase crashed browser links on arch linux too (when
trying to connect to s_server -www).

btw, it seems *important* to use |s_server| from *1.0.0a*


On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote:
> openssl-1.0.0a on ubuntu, debian and arch.
> attached a private key and a cert.
> 
> ~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
> /tmp/CA.key
> 
> ~/local/bin/openssl s_client -connect localhost:
> 
> depth=0 CN = CA
> verify return:1
> *** glibc detected *** /home/build/local/bin/openssl: double free or 
> corruption (fasttop): 0x00979300 ***
> 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Mounir IDRASSI

 Hi,

You are right : there is a double free bug in the function 
*ssl3_get_key_exchange* which leads to crash if an error occurs.
The bug is in line 1510 of s3_clnt.c where we forget to set the variable 
bn_ctx to NULL after freeing it and this leads to the double free error 
when BN_CTX_free is called a second time on line 1650.


I'm attaching a patch against the latest source that corrects this. I'll 
also send to RT.

Thanks for the report.

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/8/2010 3:04 PM, Georgi Guninski wrote:

i was pointing out this:

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or
corruption (fasttop): 0x00979300 ***

the glibc message means that the current heap operation is on invalid
pointer. the testcase crashed browser links on arch linux too (when
trying to connect to s_server -www).

btw, it seems *important* to use |s_server| from *1.0.0a*


On Sat, Aug 07, 2010 at 02:21:09PM +0300, Georgi Guninski wrote:

openssl-1.0.0a on ubuntu, debian and arch.
attached a private key and a cert.

~/local/bin/openssl s_server -www -accept  -cert /tmp/CA.cert  -key 
/tmp/CA.key

~/local/bin/openssl s_client -connect localhost:

depth=0 CN = CA
verify return:1
*** glibc detected *** /home/build/local/bin/openssl: double free or corruption 
(fasttop): 0x00979300 ***


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


--- E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c.original  Sun Feb 28 
01:24:24 2010
+++ E:/dev/libraries/openssl-1.0.latest/ssl/s3_clnt.c   Sun Aug  8 14:49:30 2010
@@ -1508,6 +1508,7 @@
s->session->sess_cert->peer_ecdh_tmp=ecdh;
ecdh=NULL;
BN_CTX_free(bn_ctx);
+   bn_ctx = NULL;
EC_POINT_free(srvr_ecpoint);
srvr_ecpoint = NULL;
}


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-08 Thread Georgi Guninski
is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2
(with the malformed key) *syntactically* correct modulo the bad self signature?

with 1.0.0a
~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert 


/tmp/CA-P.cert: CN = CA
error 7 at 0 depth lookup:certificate signature failure
139828504536744:error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding 
check failed:rsa_eay.c:699:
139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:184:

echo $?
0

i would expect an error about bad self signature, not format stuff.

the private key was generated by a python wrapper, the cert was generated with 
ubuntu's 0.9.8k 25 Mar 2009


On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote:
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Mounir IDRASSI

 Hi,

Signature verification is done through a modular exponentiation (using 
public exponent and modulus) that always leads to a result even fur a 
bogus RSA modulus.
This result is checked against the PKCS#1 padding format. Since the RSA 
private key is invalid, the output of this exponentiation is different 
from DataToBeSigned used during certificate creation and thus the code 
doesn't find the PKCS#1 padding block header.

So, the signature is bad because the decrypted signature has a bad format!
I hope this clarifies things to you.

You say at the end of your message that the private key was generated by 
a python wrapper, certainly a wrapper of OpenSSL, but in a previous 
message you are saying that you generated the key yourself (pen and 
paper). Which statement is correct? Maybe your wrapper wraps something 
else...


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr



On 8/9/2010 7:44 AM, Georgi Guninski wrote:

is the certificate at http://marc.info/?l=openssl-dev&m=128118163216952&w=2
(with the malformed key) *syntactically* correct modulo the bad self signature?

with 1.0.0a
~/local/bin/openssl verify -check_ss_sig -CAfile /tmp/CA-P.cert /tmp/CA-P.cert


/tmp/CA-P.cert: CN = CA
error 7 at 0 depth lookup:certificate signature failure
139828504536744:error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
139828504536744:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding 
check failed:rsa_eay.c:699:
139828504536744:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP 
lib:a_verify.c:184:

echo $?
0

i would expect an error about bad self signature, not format stuff.

the private key was generated by a python wrapper, the cert was generated with
ubuntu's 0.9.8k 25 Mar 2009


On Sun, Aug 08, 2010 at 03:21:34PM +0200, Mounir IDRASSI wrote:
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Georgi Guninski
hi,


On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote:
>  Hi,
> 
> Signature verification is done through a modular exponentiation
> (using public exponent and modulus) that always leads to a result
> even fur a bogus RSA modulus.
> This result is checked against the PKCS#1 padding format. Since the
> RSA private key is invalid, the output of this exponentiation is
> different from DataToBeSigned used during certificate creation and
> thus the code doesn't find the PKCS#1 padding block header.
> So, the signature is bad because the decrypted signature has a bad format!
> I hope this clarifies things to you.
>

ok. i expected a message "bad number" instead of "bad signature format"


> You say at the end of your message that the private key was
> generated by a python wrapper, certainly a wrapper of OpenSSL, but
> in a previous message you are saying that you generated the key
> yourself (pen and paper). Which statement is correct? Maybe your
> wrapper wraps something else...
> 

lol. the "pen/paper generation" was just humour.

this key was generated with pycrypto + some other pure python code for export to
your format. (the small prime was included on purpose).

i don't know if pycrypto depends on openssl (though it is not a
 direct wrapper).

the cert was generated entirely by openssl.


the imports:

from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import random
import sys
from Crypto.PublicKey import pubkey
from Crypto.Util import number
import crypto # utils
import Crypto
from fractions import gcd
from Crypto.Hash import MD5


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: openssl-1.0.0a and glibc detected sthg ;)

2010-08-09 Thread Mounir IDRASSI

 Hi,

A number can't be "bad" by itself. It is just a carrier of protocol 
information during the mathematical computations. What really matters is 
the sequence of bytes used by that protocol. This is why a "bad format" 
error is returned.


Concerning PyCrypto, it doesn't use OpenSSL at all : for public key 
algorithms like RSA and DSA, it uses LibTomCrypt internally in order to 
implement the algorithms by hand. So, there must be a bug in their code.


Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 8/9/2010 11:26 AM, Georgi Guninski wrote:

hi,


On Mon, Aug 09, 2010 at 10:36:03AM +0200, Mounir IDRASSI wrote:

  Hi,

Signature verification is done through a modular exponentiation
(using public exponent and modulus) that always leads to a result
even fur a bogus RSA modulus.
This result is checked against the PKCS#1 padding format. Since the
RSA private key is invalid, the output of this exponentiation is
different from DataToBeSigned used during certificate creation and
thus the code doesn't find the PKCS#1 padding block header.
So, the signature is bad because the decrypted signature has a bad format!
I hope this clarifies things to you.


ok. i expected a message "bad number" instead of "bad signature format"



You say at the end of your message that the private key was
generated by a python wrapper, certainly a wrapper of OpenSSL, but
in a previous message you are saying that you generated the key
yourself (pen and paper). Which statement is correct? Maybe your
wrapper wraps something else...


lol. the "pen/paper generation" was just humour.

this key was generated with pycrypto + some other pure python code for export to
your format. (the small prime was included on purpose).

i don't know if pycrypto depends on openssl (though it is not a
  direct wrapper).

the cert was generated entirely by openssl.


the imports:

from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import random
import sys
from Crypto.PublicKey import pubkey
from Crypto.Util import number
import crypto # utils
import Crypto
from fractions import gcd
from Crypto.Hash import MD5


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org