OPENSSL_armcap_P, OPENSSL_ia32_P, OPENSSL_ppccap_P
Hi,

I'm using openssl on a platform/OS that supports multiple CPU architectures. The context switching does not save SIMD registers unless the thread has a special option set. This creates some challenges when using openssl, which uses SIMD registers in several assembler optimizations. I would like to ensure that no assembler optimization can be used if the special option is not set.

If the appropriate bits in OPENSSL_armcap_P/OPENSSL_ia32_P/OPENSSL_ppccap_P are disabled, will that guarantee that no instructions using SIMD registers are executed?

There is some OPENSSL_XXXcap_P code within #ifndef __KERNEL__ which indicates that openssl is used in the linux kernel. I believe the linux kernel would have a similar situation regarding SIMD registers. Floating point operations and operations on SIMD registers cannot be used in the linux kernel. But I am unable to find any information that confirms that this would cover all code paths.

Regards
Roger
[openssl-users] openssl-tpm-engine
Hi,

I'm experimenting a bit with the tpm engine (openssl_tpm_engine-0.4.2). My objective is to see how easy it is to use this engine with openssl-1.0.1. Since the README file states that openssl-0.9.8 is a requirement I started using that openssl version. However, I have tried to use the tpm engine with three different openssl-0.9.8 versions, but all three crash with different call stacks, when using the basic example from the README file (Create a self-signed cert using the TPM engine).

I'm starting to suspect that I have overlooked something fundamental. Is the openssl-tpm-engine supposed to work on 64 bit machines? Or is there something else I need to consider?

Below is some additional info on the crashes I'm seeing. All crashes are for step 2,

openssl req -keyform engine -engine tpm -key keyfilename -new -x509 -days 365 -out certfilename

openssl-0.9.8zb:
0 in BN_num_bits of bn_lib.c:232
1 in bn_i2c of x_bignum.c:117
2 in asn1_ex_i2c of tasn_enc.c:582
3 in asn1_i2d_ex_primitive of tasn_enc.c:523
4 in ASN1_item_ex_i2d of tasn_enc.c:154
5 in asn1_template_ex_i2d of tasn_enc.c:413
6 in ASN1_item_ex_i2d of tasn_enc.c:231
7 in asn1_item_flags_i2d of tasn_enc.c:122
8 in ASN1_item_i2d of tasn_enc.c:91
9 in i2d_RSAPublicKey of rsa_asn1.c:111
10 in i2d_PublicKey of i2d_pu.c:80
11 in X509_PUBKEY_set of x_pubkey.c:223
12 in X509_REQ_set_pubkey of x509rset.c:81
13 in make_REQ of req.c:1257
14 in req_main of req.c:914
15 in do_cmd of openssl.c:400
16 in main of openssl.c:318

openssl-0.9.8x:
0 in raise of /lib/x86_64-linux-gnu/libc.so.6
1 in abort of /lib/x86_64-linux-gnu/libc.so.6
2 in ?? of /lib/x86_64-linux-gnu/libc.so.6
3 in ?? of /lib/x86_64-linux-gnu/libc.so.6
4 in CRYPTO_free of mem.c:406
5 in asn1_item_combine_free of tasn_fre.c:176
6 in ASN1_item_free of tasn_fre.c:71
7 in X509_ATTRIBUTE_free of x_attrib.c:96
8 in sk_pop_free of stack.c:290
9 in EVP_PKEY_free of p_lib.c:468
10 in req_main of req.c:1183
11 in do_cmd of openssl.c:400
12 in main of openssl.c:318

I also tried openssl-0.9.8, but I didn't save the call stack of that crash. I'm using ubuntu 14.04.

Regards
Roger

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
RSA padding
Hi,

I need to do RSA encryption/decryption using OAEP according to rfc 3447/PKCS#1 v2.1. The documentation for RSA_public_encrypt states that with the RSA_PKCS1_OAEP_PADDING padding flag you get 'EME-OAEP as defined in PKCS #1 v2.0 with SHA-1, MGF1 and an empty encoding parameter'. This is what I want to do, except that according to my spec I should use PKCS #1 v2.1.

What is the difference between PKCS #1 v2.0 and v2.1? Is it possible to do PKCS #1 v2.1 in openssl? I'm using the openssl-0.9.8 branch.

Regards
Roger
openssl 1.0.1 and FIPS 140-2
Hi,

I would like to have a look at the new FIPS 140-2 module. From what I've been able to find out, it is targeting openssl-1.0.1. I've downloaded openssl-1.0.1 and a fips snapshot (openssl-fips-2.0-test-20120331.tar.gz). Is there a how-to or similar description of how to configure and build these releases? The README.FIPS file of the fips snapshot is quite straightforward, but I'm unable to figure out how to configure and build the openssl-1.0.1 release for FIPS 140-2.

Any help is much appreciated.

-- R
openssl and rfc 5280
Hi,

I'm trying to understand if openssl is a good base when implementing a system that is to be compliant with rfc 5280. Are there any limitations or missing parts in openssl?

Regards
Roger
RE: openssl and rfc 5280
I should perhaps mention that the title of rfc 5280 is PKIX Certificate and CRL Profile. The system we are implementing is an 'end entity'.

Regards
Roger

> From: roger_no_s...@hotmail.com
> To: openssl-users@openssl.org
> Subject: openssl and rfc 5280
> Date: Thu, 22 Sep 2011 16:10:12 +0200
>
> Hi,
>
> I'm trying to understand if openssl is a good base when implementing a system that is to be compliant with rfc 5280. Are there any limitations or missing parts in openssl?
>
> Regards
> Roger
RE: Using self-signed certificates with openssl
> From: dthomp...@prinpay.com
> To: openssl-users@openssl.org
> Subject: RE: Using self-signed certificates with openssl
> Date: Fri, 13 May 2011 22:06:55 -0400
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Roger No-Spam
> > Sent: Friday, 13 May, 2011 04:15
> >
> > We have decided to use openssl to protect a connection in our system with TLS. Clients will be authenticated using X509 certificates. To cut a long story short, a decision has been taken to use self-signed certificates. On the server, each client's self-signed cert will be loaded by a call to SSL_CTX_load_verify_locations(). This is pretty much working as expected,
>
> To be exact: you can't be doing a load_verify_locations for each of multiple certs -- unless you do it dynamically one per SSL_accept(). To statically accept multiple certs, you can put them all in one file, or in one directory with hashlinks (or hashnames), and use that file or that directory (or possibly one of each) for load_verify_locations.

We put all clients' certs in one file, which is loaded by a call to SSL_CTX_load_verify_locations().

> > apart from one thing. If we modify the client's private key (modified a bit in the privateExponent), the TLS connection is still successfully established. I had expected the signature verification (certificate verify message) of the handshake to fail in this case. Are there any gotchas with self-signed certs? Or is there something else we have missed that explains why the signature verification is successful with the modified key?
>
> It's not the cert; the same thing happens with just keys in rsautl. OpenSSL normally stores and uses RSA privatekey in Chinese Remainder Theorem format, which is quite a bit faster. If you damage only the privateExponent 'd' it doesn't affect the private key operation. If you damage a CRT component it (silently!) falls back to modexp-d instead, so if you damage *both* a CRT component *and* d *then* you get a bad signature, and a handshake failure. I *think* this works for any bit in any CRT component, but I didn't try to work out the math (and certainly didn't test completely).

Thanks, that explains it!

> What is your threat (model) here? If an attacker can get at your clear privatekey file, I can't imagine why they would only flip one bit; and if they can get at an encrypted privatekey file, any tampering including a bit flip should be detected and refuse to load the key at all.

This was just something I quickly did as informal testing, to trigger a signature validation failure. It is not a valid test case. But the result had me worried that I had misunderstood how self-signed certs can be used in openssl. But I think everything is explained now.

Thanks for your help.

Regards
Roger
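An added example, not code from the thread or from OpenSSL: a toy RSA in pure Python that reproduces the behaviour Dave Thompson describes above, so a reader can see why a damaged privateExponent goes unnoticed and what a consistency check like RSA_check_key would have caught. The fallback is modelled here as "check the CRT result with the public exponent, recompute with d on mismatch", which is this example's assumption about the mechanism; the primes and message are constructed and far too small for real use.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RsaKey:
    n: int; e: int; d: int; p: int; q: int   # d is the privateExponent
    dp: int; dq: int; qinv: int              # CRT parts: d mod (p-1), d mod (q-1), q^-1 mod p

def make_key(p, q, e=65537):
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return RsaKey(p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def sign_crt(k, m):
    # Garner recombination: reads only p, q, dp, dq, qinv; d is never touched.
    m1, m2 = pow(m, k.dp, k.p), pow(m, k.dq, k.q)
    h = (k.qinv * (m1 - m2)) % k.p
    return (m2 + h * k.q) % k.n

def sign_plain(k, m):
    return pow(m, k.d, k.n)

def verify(k, s, m):
    return pow(s, k.e, k.n) == m % k.n

def sign(k, m):
    # Assumed model of the fallback described in the thread: the CRT result is
    # checked with e and, on mismatch, silently recomputed as m^d mod n.
    s = sign_crt(k, m)
    return s if verify(k, s, m) else sign_plain(k, m)

def crt_consistent(k):
    # The kind of self-check an RSA_check_key-style routine performs on the CRT
    # parts; this is what would flag the edited key before it is ever used.
    return (k.p * k.q == k.n and k.dp == k.d % (k.p - 1)
            and k.dq == k.d % (k.q - 1) and (k.qinv * k.q) % k.p == 1)

def demo():
    k = make_key(1000003, 1000033)          # constructed toy primes, not a real key size
    m = 123456789                            # constructed message representative
    bad_d = replace(k, d=k.d ^ 32)           # flip one bit of privateExponent only
    bad_dp = replace(k, dp=k.dp ^ 32)        # flip one bit of a CRT component only
    bad_both = replace(bad_d, dp=bad_dp.dp)  # damage both
    return {"d_only": verify(k, sign(bad_d, m), m),        # True: CRT path ignores d
            "crt_only": verify(k, sign(bad_dp, m), m),     # True: falls back to intact d
            "both": verify(k, sign(bad_both, m), m),       # False: bad signature at last
            "check_key_flags_d": crt_consistent(bad_d)}    # False: self-check catches it
```

Running a consistency check on a loaded key is the cheap way to turn a silently tolerated corruption into a load-time error.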
Using self-signed certificates with openssl
Hello,

We have decided to use openssl to protect a connection in our system with TLS. Clients will be authenticated using X509 certificates. To cut a long story short, a decision has been taken to use self-signed certificates. On the server, each client's self-signed cert will be loaded by a call to SSL_CTX_load_verify_locations().

This is pretty much working as expected, apart from one thing. If we modify the client's private key (modified a bit in the privateExponent), the TLS connection is still successfully established. I had expected the signature verification (certificate verify message) of the handshake to fail in this case.

Are there any gotchas with self-signed certs? Or is there something else we have missed that explains why the signature verification is successful with the modified key? We are using openssl-0.9.8o.

Regards
Roger
openssl and Intel compiler
Hello,

We are currently using openssl-0.9.8l and the gnu compiler on Intel CPUs. We only use the source code from openssl and have our proprietary build system. We are now considering switching to the Intel C compiler. Is openssl and the Intel C compiler a combination that works well, or are there known issues, or is this simply uncharted territory?

Regards
Roger
FIPS 140-2 vs MD5
Hello,

When building openssl in FIPS 140-2 mode, the MD5 algorithm is not available for use. There are, however, several RFCs that mandate the use of MD5. Would it be possible to partition a system into a FIPS 140-2 part (more security critical parts, e.g. SSL) and one other part that can include support for RFCs that mandate MD5 (e.g. TCP MD5 checksum option, PPP CHAP, etc.)? Would it be possible to FIPS 140-2 validate such a system? What would the requirements be regarding the partitioning?

Any pointers to where I can find more info on this topic would be much appreciated.

/Roger
Is Openssl vulnerable to Null-Prefix Attacks?
Recently there has been some discussion on the Internet regarding so called null-prefix attacks, see http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf. Is openssl vulnerable to this attack?

/Roger
openssl 0.9.8 FIPS questions
Hi,

We have included openssl in our product, a proprietary OS and development environment. Customers have requested that we include the FIPS validated version of openssl. We have included the openssl 0.9.8 base line and I am now trying to clarify what the implications are of including the 0.9.8 FIPS module.

As I understand it, the 0.9.8 FIPS module has been submitted for validation but when the validation will be completed is unknown. This is based on the following email from Steve Marquess: http://markmail.org/message/56dmutf7gkdhy7ib#query:OpenSSL%20FIPS%20Object%20Module%20v1.2%20order%3Adate-backward+page:1+mid:fsqhbhzfg2nkpeot+state:results

Furthermore, there seem to be FIPS changes required in openssl outside the FIPS module. This is my conclusion after having studied the FIPS_098_TEST_8 branch in openssl's cvs server. When are these changes scheduled to be merged into the main 0.9.8 branch and be released?

We make some minor modifications to openssl in order to port it to our environment. It may not be necessary to modify the FIPS module files. And we use proprietary makefiles to build all openssl files. As I understand it, these changes compared to the openssl FIPS tar ball would void the FIPS validation in our case. In this FAQ (http://oss-institute.org/fips-faq.html#a26) a cost figure (USD 10-50K) is stated for a re-validation for an additional OS. Would that cost figure be applicable in our case? What steps are required in order to re-validate for an additional OS?

To summarize, these are the steps needed:
- wait for FIPS validation for openssl 0.9.8
- wait for new openssl-0.9.8 release that includes FIPS changes
- FIPS re-validate our product

Is this summary correct? Am I missing anything?

/Roger
FIPS and new releases of openssl
Hello,

In appendix B of the openssl FIPS security policy it is stated that the module must be built with a particular tar file (openssl-fips-1.1.2.tar.gz) and an hmac hash value for the tar file is specified. Furthermore it is stated that there shall be no additions, deletions, or alterations of the set of files in the tar file as used during module build.

The way I read this is that if you modify for instance the ASN.1 or SSL code (in order to fix a bug), then the FIPS validation is canceled. This does not make sense to me. Why can't higher level code be bug fixed without FIPS validation being canceled?

/Roger

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Certificate chain utilities
Hello,

I need to create a certificate chain. The inputs are my own certificate, a list of root certificates, a list of intermediate certificates and the distinguished name of the root CA the peer trusts. The certificate chain I need to create shall start with my own cert, and end with the root CA the peer trusts. Are there any utility functions in openssl that do this?

When browsing through the code and header files I found that X509_STORE and X509_STORE_CTX seem to do similar things to what I am searching for. However, I have not been able to find any documentation for these functions. Is there any documentation available somewhere that I have missed?

Regards
Roger