Re: How to free SSL_METHOD structure

[Dr. Stephen Henson]

On Mon, Jun 21, 2010, jeff wrote:

> Well that completely screwed up my plans. Am i glad i looked at this
> thread before creating a disaster.
> 
> So i was using SSL_METHOD struct to provide a custom implementation of
> rsa_mod_exp. And this implementation needed to be provided on a per-need
> basis. After your reply, I quickly ran a test and saw all my keys (RSA
> structs) been carrying the same change.
> 
> What's more disturbing is that I had thought that using "app_data" field
> of the struct I could make the method context aware so it knows where it
> was called from (and provide some thread safe mechanics in there).
> 
> Is there any way to create unique instances of this struct to possibly
> achieve some of the goals above? thanks
> jeff
> 

SSL_METHOD is the wrong place to put this kind of thing. You can develop an
RSA_METHOD structure in an ENGINE and assign that to individual RSA structures
when they are created. Then anything using that structure automatically ends
up calling the custom routines in the RSA_METHOD. This is typically used for
crypto accelerators and HSMs.

Some of the standard ENGINEs under engines/ should give some pointers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: questions about RSASSA-PSS

[芦翔]

Dear Mounir IDRASSI,
I am sorry for the wrong title in the last email.
I read your code. I am not sure about the lower-level encoding method. For 
RSA_padding_add_PKCS1_PSS,what's the encoding method it use, RSASSA-PKCS1-V1_5 
or RSASSA-PSS? I found a email chain in the archive, 
http://www.mail-archive.com/openssl-users@openssl.org/msg40229.html, which said 
that RSASSA-PSS is not supported in the openssl at that time.
I really appreciate your help. Before referring your code, I would like to make 
sure the signature generation scheme. Thank you so much.
Regards,Xiang 
From: luxiang...@hotmail.com
To: openssl-users@openssl.org
Subject: RE: questions about RSASSA-PSS
Date: Tue, 22 Jun 2010 02:14:39 +








Dear Cheers,
Thank you for your help. I have downloaded your code. Thank you so much.
Regards,Xiang

> Date: Tue, 22 Jun 2010 03:46:51 +0200
> From: mounir.idra...@idrix.net
> To: openssl-users@openssl.org
> Subject: Re: questions about RSASSA-PSS
> 
> Hi,
> 
> The low-level functions RSA_padding_add_PKCS1_PSS and
> RSA_verify_PKCS1_PSS will get the job done.
> I have wrote last year a sample showing how they work. You can get it
> here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c .
> 
> For high-level function (maybe EVP interface), I will let other give
> their hints.
> 
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> On 6/22/2010 3:26 AM, 芦翔 wrote:
> > Hi all,
> > Could anybody please tell me the support status of RSASSA-PSS in openss
 l with the version after 0.9.8l. If there is the implementation, could you 
please tell me which functions I can call directly for my project purpose. 
Thank you so much.
> > Regards,Xiang 
> > _
> > MSN十年回馈，每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码，快来领取！
> > http://kaba.msn.com.cn/?k=1
> >   
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
  
聊天+搜索+邮箱 想要轻松出游,手机MSN帮你搞定! 立刻下载！  
_
一张照片的自白――Windows Live照片的可爱视频介绍
http://windowslivesky.spaces.live.com/blog/cns!5892B6048E2498BD!889.entry

RE: questions about RSASSA-PSS

[芦翔]

Dear Cheers,
Thank you for your help. I have downloaded your code. Thank you so much.
Regards,Xiang

> Date: Tue, 22 Jun 2010 03:46:51 +0200
> From: mounir.idra...@idrix.net
> To: openssl-users@openssl.org
> Subject: Re: questions about RSASSA-PSS
> 
> Hi,
> 
> The low-level functions RSA_padding_add_PKCS1_PSS and
> RSA_verify_PKCS1_PSS will get the job done.
> I have wrote last year a sample showing how they work. You can get it
> here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c .
> 
> For high-level function (maybe EVP interface), I will let other give
> their hints.
> 
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
> 
> On 6/22/2010 3:26 AM, 芦翔 wrote:
> > Hi all,
> > Could anybody please tell me the support status of RSASSA-PSS in openssl 
> > with the version after 0.9.8l. If there is the implementation, could you 
> > please tell me which functions I can call directly for my project purpose. 
> > Thank you so much.
> > Regards,Xiang 
> > _
> > MSN十年回馈，每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码，快来领取！
> > http://kaba.msn.com.cn/?k=1
> >   
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
  
_
SkyDrive电子画册，带你领略精彩照片，分享“美”时“美”刻!
http://www.windowslive.cn/campaigns/e-magazine/ngmchina/?a=c

Openssl-dtls Client session sends hello in response to server hello.

[Nivedita Melinkeri]

Hi All,

I am using openssl-0.9.8n with dtls-srtp extension. After upgrading to
openssl version 0.9.8n I see
a weird problem.

This happens only once in a few hundred dtls handshakes.

The dtls client sends client hello with 0 session id. The dtls server sends
server hello with valid session id.
Instead of responding to the server hello with ClientKeyExchange the client
sends back a client hello
message with 0 session id but some additional data (244 bytes) at the end of
the packet.

Here is the dump of the spurious client hello :

<355 bytes>
16 fe ff 00 00 00 00 00 00 00 01 00 60 01 00 00
54 00 00 00 00 00 00 00 54 fe ff 4c 19 5e 5b e2
da 29 22 22 c8 b3 ad 81 e2 33 1f e5 ec a0 1c 73
b8 ee a0 0f 0c 74 c0 ae 02 00 da 00 00 00 24 00
39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00
2f 00 07 00 15 00 12 00 09 00 14 00 11 00 08 00
06 00 ff 01 00 00 06 80 01 00 02 00 01 16 fe ff
00 00 00 00 00 00 00 02 00 8e 10 00 00 82 00 01
00 00 00 00 00 82 00 80 04 de 96 fd 46 62 1e 81
e8 41 30 ef 6d 73 34 f4 e5 cf 6e 50 3a a5 46 da
ce d3 5b 32 2d af 5e 2b f5 8a d0 68 a2 76 89 b2
e7 fd 09 ef ae 3d f8 d4 01 bc 64 21 ec cd 0a 10
0f 02 22 de 22 f0 7b 65 d4 c3 03 f7 2c f9 36 29
a5 0c d8 2c 1f aa 71 76 ed aa e3 8c 05 e0 ac 87
4d 6e 74 b4 b9 88 61 c6 f1 58 88 ac a1 a4 e2 d7
76 4a ac 9b 98 e9 bd a6 53 7a ff 5e 57 ef c3 0e
44 bd fc a5 d5 ae 0e 1d 14 fe ff 00 00 00 00 00
00 00 03 00 01 01 16 fe ff 00 01 00 00 00 00 00
00 00 40 9e f2 5e 8b df 59 06 b1 a8 8b 98 ff aa
30 a2 37 83 c5 a3 52 a7 63 5a 35 ad 93 d5 00 5d
c8 a7 e9 a3 cb 5b 5d 99 c0 29 bc 41 e7 73 3d ed
01 97 58 37 bb 05 7f 9e 36 45 67 92 7b 04 24 08
f4 f2 dc

On receiving this client hello the server assumes that we are resuming an
existing session and responds back
with ServerHello with Finished message.

Has anyone seen such a issue or know why this could happen with 0.9.8n.

Any help is greatly appreciated.

Regards,
Nivedita

Re: questions about RSASSA-PSS

[Mounir IDRASSI]

Hi,

The low-level functions RSA_padding_add_PKCS1_PSS and
RSA_verify_PKCS1_PSS will get the job done.
I have wrote last year a sample showing how they work. You can get it
here : http://www.idrix.fr/Root/Samples/openssl_pss_signature.c .

For high-level function (maybe EVP interface), I will let other give
their hints.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 6/22/2010 3:26 AM, 芦翔 wrote:
> Hi all,
> Could anybody please tell me the support status of RSASSA-PSS in openssl with 
> the version after 0.9.8l. If there is the implementation, could you please 
> tell me which functions I can call directly for my project purpose. Thank you 
> so much.
> Regards,Xiang   
> _
> MSN十年回馈，每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码，快来领取！
> http://kaba.msn.com.cn/?k=1
>   

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

questions about RSASSA-PSS

[芦翔]

Hi all,
Could anybody please tell me the support status of RSASSA-PSS in openssl with 
the version after 0.9.8l. If there is the implementation, could you please tell 
me which functions I can call directly for my project purpose. Thank you so 
much.
Regards,Xiang 
_
MSN十年回馈，每位用户可免费获得价值25元的卡巴斯基反病毒软件2010激活码，快来领取！
http://kaba.msn.com.cn/?k=1

Re: How to free SSL_METHOD structure

[jeff]

Well that completely screwed up my plans. Am i glad i looked at this
thread before creating a disaster.

So i was using SSL_METHOD struct to provide a custom implementation of
rsa_mod_exp. And this implementation needed to be provided on a per-need
basis. After your reply, I quickly ran a test and saw all my keys (RSA
structs) been carrying the same change.

What's more disturbing is that I had thought that using "app_data" field
of the struct I could make the method context aware so it knows where it
was called from (and provide some thread safe mechanics in there).

Is there any way to create unique instances of this struct to possibly
achieve some of the goals above? thanks
jeff

> 
> There isn't one. It is a static structure.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.




This email contains Morega Systems Inc. Privileged and Confidential information.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Additional checks on peer certificate

[Marcel Fransen]

Hi,
 
I want to do some additional checks on the peer certificate, like a hostname 
check.
 
My first question is how should I get access to the peer certificate in the 
verify callback:
The documentation for  X509_STORE_CTX_get_current_cert(ctx);
states that in case of no error this may return NULL so I guess I should not 
just call this one at depth 0, as the certificate does not need to be in an 
error state (although that seems to work). 
I guess using SSL_CTX_set_verify(ssl) is also a bad idea and should only be 
called after the verify (so not from the callback), although I did not test 
this.
I now use X509_STORE_CTX_get_chain when at depth 0 and use the certificate at 
entry 0 in this stack. Is the correct way to get access to the peer certificate?
 
My second question is on when to do this check in the callback. 
I now do it when at depth 0 and preverify_ok was 1. This used to work ok until 
I added an "accept an expired certificate" option in the callback (when a 
certain command line option is set). In case of the expired certificate (the 
initial preverify_ok is 0 in this case) I do the check and return 1.
What I now see that after this return the callback now gets called another time 
for the same certificate but with preverify_ok is 1. So now the additional 
verification is done twice (still works but is not what I had in mind ;-). So 
now I guess that I should change the code to only do the additional check when 
the INITIAL preverify_ok was 1, is this correct? And it is intended behaviour 
that it works like this (calling the callback again for a certificate that was 
originally not ok but is made ok by the return code of the callback) so my 
changes won't break in a future version?
 
Kind regards,
 
Marcel Fransen

Re: How to free SSL_METHOD structure

[Dr. Stephen Henson]

On Mon, Jun 21, 2010, Arunkumar Manickam wrote:

> Hi,
> 
> What is the function to be called to free SSL_METHOD * created using
> SSLv23_client_method or other similar methods.
> 

There isn't one. It is a static structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Auto Reply: How to free SSL_METHOD structure

[wellen . lau]

I am on PTO from 6/21 - 6/25. I will get back to your questions and concerns 
when I am back. If this is an critical issue, please contact Rahul J 
oshi[rahul.x.jo...@oracle.com] for immediate assistance.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

How to free SSL_METHOD structure

[Arunkumar Manickam]

Hi,

What is the function to be called to free SSL_METHOD * created using
SSLv23_client_method or other similar methods.

Thanks,
Arun

Auto Reply: Re: How to attach source code in a debug build(Win32 Visual C++)?

[wellen . lau]

I am on PTO from 6/21 - 6/25. I will get back to your questions and concerns 
when I am back. If this is an critical issue, please contact Rahul J 
oshi[rahul.x.jo...@oracle.com] for immediate assistance.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: How to attach source code in a debug build(Win32 Visual C++)?

[Jakob Bohm]

On 19-06-2010 01:49, Dave Thompson wrote:

From: owner-openssl-us...@openssl.org On Behalf Of William A. Rowe Jr.
Sent: Friday, 18 June, 2010 00:59
 
   

On 6/17/2010 10:10 PM, Dave Thompson wrote:
 

(MSVC++ build)
   

2. Even if you have symbols, I believe they use relative pathnames,
and the IDE has to be told where to find them. In the old VS/VC++6
I have, this is in Tools / Options / Directories / SourceFiles .
In newer versions it's probably different but should be similar.
   

More to the point, sources are never embedded into the
obj/dll/exe.  They
must be distributed/available alongside a binary distribution
(not really
a problem for open 'source' - heh).

 

That latter part is true everywhere. Unix objects/executables
with -g contain the linenumbers and name of the sourcefile(s),
but not the actual source, and if you debug on a different system
where the sourcefiles are not present, or on the same system but
the sourcefiles have been deleted (or changed!) it won't work.
If the sourcefiles are present but in a different location,
some debuggers can be persuaded to find them.

However, for MS* there is another difference to know about:
the debug info goes in a separate PDB file -- e.g. libeay32.dll
and libeay32.pdb -- and to debug you need BOTH, PLUS the source.
(* since about 2000; you might find some *really* old progams
that don't have separate PDB, but good luck using them.)


   


The older formats/alternatives are:

.DBG in place of (or in addition to) .PDB: Option with all pre-2000
MS Compilers, still understood by the free (as in beer) WinDbg/SD/KD
debugger.  Anything that is in .DBG could have been inside the
.EXE/.DLL, but putting it in its own file saves disk space and memory
when not debugging that process.  In closed-source software it also
allows shipping the .EXE/.DLL and keeping the .DBG in the support
department.

.TDS in place of .PDB: Option with Borland/Turbo compilers.
Understood only by Borlands Turbo Debugger of the same version
as the program was compiled with.  Anything that is in .TDS could
have been inside the .EXE/.DLL, but putting it in its own file saves
disk space and memory when not debugging that process.

.SYM in place of .PDB: Used by Microsoft tools with 16 bit executables
and some non-Win32 EXE/DLL formats (VxDs and such).  These were
understood by Microsoft debuggers old enough to actually step through
this code and by the SoftICE debugger.

.NMS in addition to other file types: Used by some NuMega/Compuware
debuggers, including SoftICE.  Unlike other formats, .NMS files may
actually contain the source code itself, to allow debugging with the
file system and disk drivers stopped inside the debugger.  Note that
SoftICE is no longer available due to mismanagement.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org